12.15.2006
EMC Clariion array - using powerpath vs pvlinks
From the powerpath admin guide:
EMC recommends using LVM alternate links (PVLinks) when you
boot from a storage system. If the primary path fails, an automatic
switch to the alternate path occurs. If PowerPath is not installed,
using alternate links increases availability in the event of hardware
problems.
PowerPath uses alternate links as part of its boot/root failover
strategy, but not for load balancing, path prioritization, or other
PowerPath-related reasons. Thus, EMC recommends that you use
LVM alternate links when booting from a storage system. Otherwise,
EMC recommends disabling PVLinks when using PowerPath.
12.10.2006
powerpath check force: "Cannot remove device that is in use"
$ powermt check force
Warning: CLARiiON device path c13t2d3 is currently dead.
Cannot remove device that is in use: c13t2d3
Powerpath is pretty darn smart; the last port 0 linked to a disk device was part of the same lvm volume group as one of my cluster lock disks. It wasn't even listed as the lock disk for my cluster (in the cluster ascii file), but it was in the same volume group that the lock disk was in.
I had to stop the cluster services on the node, then powerpath allowed me to remove the connection. This node of the cluster is currently the failover node, so I was able to bring er down without any impact.
HP codewords
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=647238&admit=-682735245+1165692579832+28353475
/var/adm/sw/.codewords
#CD_part_number Customer_Id IdType Codeword
manually set speed and duplex during ignite
http://docs.hp.com/en/B2355-91049/ch05s07.html
12.04.2006
vgscan not working / ignite not recreating volume groups
12.02.2006
gig card on hp-ux 11.00 doesn't keep speed/duplex setting
HP_GELAN_SPEED[0]=100FD
11.24.2006
swinstall and rpc exception communications error
* Beginning Selection
ERROR: RPC exception: "Communications failure (dce / rpc)" 11/24/06
17:27:01 PST
ERROR: A Remote Procedure Call to a daemon has failed. Could not
start a management session for "myhost:/". Make sure the host
is accessible from the network, and that its daemon, swagentd,
is running.
* Target connection failed for "myhost:/".
ERROR: More information may be found in the daemon logfile on this
target (default location is myhost:/var/adm/sw/swagentd.log).
* Selection had errors.
fix by restarting swagentd:
/sbin/init.d/swagentd stop
/sbin/init.d/swagentd start
11.20.2006
mkboot complains about logical volumes when none exist
There appear to be non-boot logical volumes on this device.
Overwriting them could destroy all the data on this device
Should the logical volumes be overwritten [y/n]? y
solution:
Either the PV isn't marked as bootable. Fix: pvcreate -B /dev/dsk/c2t6d0
or
the PV belongs (or thinks it does) to a volume group already (tread lightly here!).
Fix by using the -f (force) option: pvcreate -Bf /dev/dsk/c2t6d0
11.19.2006
upgrade vxfs online
vxupgrade -n 4 /mount_point
vxfsconvert -- the offline alternative, also used to convert an HFS file system
11.17.2006
my favorite vim settings
set ic
colorscheme torte
set nobackup
set showmatch
11.11.2006
dmisp daemon on HP-UX hogging CPU
ps -ef | grep -i dmisp
/sbin/init.d/Dmisp stop
ch_rc -l -p START_DMI ; ch_rc -a -p START_DMI=0 ; ch_rc -l -p START_DMI
11.10.2006
HP-UX support timeline
http://www.hp.com/softwarereleases/releases-media2/history/slide2.html
11.09.2006
HPUX support matrix
http://h20338.www2.hp.com/hpux11i/cache/324537-0-0-0-121.html
http://h20338.www2.hp.com/hpux11i/downloads/public_hp-ux_systems_support.pdf
11.06.2006
Google Toolbar shortcut - firefox 2
The History Menu used to be called the "go" menu, so use the #go-menu keyword
11.03.2006
AVG free anti-virus
requires update to Roxio Easy CD and DVD creator: http://www.roxio.com/enu/support/mserr/cdr4_7.html
11.01.2006
NFS / PCNFS / Hummingbird Maestro problems
http://docs.hp.com/en/5991-1153/ch02s02.html
If your PC NFS client software is assigning user IDs smaller than 101 or greater than 60002, set the uidrange in the /etc/pcnfsd.conf file to allow access to a different range of user IDs, as in the following example:
cat /etc/pcnfsd.conf
uidrange 101-9999999
then:
kill rpc.pcnfsd
/usr/sbin/rpc.pcnfsd
10.28.2006
difference between autoboot and autostart flags on HP 9000 hardware
From: http://docs.hp.com/en/A7137-96003/A7137-96003.pdf (rp3410 rp3440 operations guide)
When the autostart flag is off, autoboots will be interrupted if a configuration change occurs
which causes reduced performance; thus requiring you to intervene prior to booting to the
internal system loader (ISL).
The auto boot will halt at the BCH prompt and you may continue booting by entering boot.
10.27.2006
cron - run command last day of month
Solves the problem of running a script on the last day of the month. Put 28-31 (for days) in your crontab and put this little section in for date determination.
#!/bin/sh
# TZ=MET-24 puts the clock 24 hours ahead of UTC, so %d is tomorrow's day of
# the month; it is 01 only when today is the last day of the month.
if test `TZ=MET-24 date +%d` = 01
then
exec command
else
exit 1
fi
pseudo swap on HPUX
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=103008
10.25.2006
gmail macros
Here's a google group that tracks the script and has some enhanced versions: http://groups-beta.google.com/group/gmail-power-users
10.10.2006
logins man page
PS 100506 7 175 -1
the last field is the number of days before the password expires at which the system starts warning the user; see the warn option in the passwd(1) man page and passwd(4). The warn flag only works on trusted systems, so you'll see a -1 for non-trusted systems.
Remember that the system (at least on non-trusted boxes) will round to the nearest week, Thursday to be specific. So the report of when the passwd was last changed is not the actual day it happened, unless it happened to fall on a Thursday.
10.06.2006
Gnome / KDE keyboard shortcuts
http://www.novell.com/coolsolutions/tip/2289.html
non-printable chars in filename
ls -al | more
The file shows up as a DEL char (^?); so to delete or view the file do a control-v and ? for the filename.
configure HP-UX kernel
Synopsis:
cd /stand/build
/usr/lbin/sysadm/system_prep -v -s system
make changes to the /stand/build/system file to add or remove whatever
/usr/sbin/kmsystem -S /stand/build/system -c Y driver-name
creates the /stand/build/vmunix_test
/usr/sbin/mk_kernel -s /stand/build/system
mv /stand/system /stand/system.prev
mv /stand/build/system /stand/system
updates /stand/vmunix, first creating a backup copy at /stand/vmunix.prev.
/usr/sbin/kmupdate -- tells shutdown script to do the above.
10.01.2006
determine bitness of HPUX
Sometimes you need to determine this to know whether to install the 32- or 64-bit version of ODE.
9.26.2006
password aging on non-trusted systems
At the end of the encrypted password you add a comma followed by char1 and char2.
char1 is the maximum number of weeks the password is valid and
char2 is the minimum number of weeks that must pass before the password can be changed. The following is a good guide:
Value   # of weeks
.       0
/       1
0-9     2-11
A-Z     12-37
a-z     38-63
So, for example, if you wanted a user to change their password somewhere between 11 and 2 weeks you would put ,A9. (man 4 passwd)
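As an added example (not from the original notes), here is a small POSIX shell/awk helper that encodes and decodes the aging characters using the table above: the alphabet string is simply the table laid out in order, so a character's position in it is its number of weeks. The passwd lines it reports on are constructed, not from a real system.

```shell
#!/bin/sh
# Added example: encode/decode HP-UX non-trusted password aging characters.
# The table above is the 64-character crypt alphabet in order, so a character's
# position in this string (counting from 0) is its number of weeks.
AGING_ALPHABET='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# aging_char WEEKS -> the single character meaning WEEKS (0..63)
aging_char() {
    awk -v w="$1" -v a="$AGING_ALPHABET" 'BEGIN { print substr(a, w + 1, 1) }'
}

# aging_weeks CHAR -> the number of weeks CHAR stands for
aging_weeks() {
    awk -v c="$1" -v a="$AGING_ALPHABET" 'BEGIN { print index(a, c) - 1 }'
}

# aging_field MAX MIN -> the ",XY" suffix to append to the encrypted password
# (X = maximum weeks the password is valid, Y = minimum weeks before a change)
aging_field() {
    printf ',%s%s\n' "$(aging_char "$1")" "$(aging_char "$2")"
}

# decode_aging ",XY" -> "max=<weeks> min=<weeks>"
decode_aging() {
    f=${1#,}
    awk -v f="$f" -v a="$AGING_ALPHABET" 'BEGIN {
        printf "max=%d min=%d\n", index(a, substr(f, 1, 1)) - 1, index(a, substr(f, 2, 1)) - 1
    }'
}

# aging_report: read passwd(4)-format lines on stdin and print each account's
# aging, flagging accounts that have none (the ones you are usually hunting for).
aging_report() {
    awk -F: -v a="$AGING_ALPHABET" '
        {
            n = split($2, p, ",")
            if (n < 2) { printf "%s: no aging\n", $1; next }
            if (length(p[2]) != 2) { printf "%s: malformed aging field \"%s\"\n", $1, p[2]; next }
            printf "%s: max=%d min=%d weeks\n", $1, index(a, substr(p[2], 1, 1)) - 1, index(a, substr(p[2], 2, 1)) - 1
        }'
}

# Constructed sample passwd lines (fake hashes, not from a real system).
SAMPLE_PASSWD='root:xyAbc12345678,A9:0:3::/:/sbin/sh
oper:q8RsTuV9wXyZa:11:1::/home/oper:/usr/bin/sh
batch:jK3LmNoPqRsTu,/.:12:20::/home/batch:/usr/bin/sh'

aging_field 12 11        # ,A9
decode_aging ,A9         # max=12 min=11
printf '%s\n' "$SAMPLE_PASSWD" | aging_report
```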
problem changing password on trusted system (HPUX)
Password cannot be changed. Reason: Cannot access protected password entry.
This means the auth files in /tcb are out of sync with the /etc/passwd file. Someone may be making changes manually to the /etc/passwd file (like adding user accounts), but that doesn't update or create the appropriate entries in /tcb/files/auth.
Check it by running the authck -p (or pwck -s) command to verify the trusted computing base in /tcb. This doesn't fix the problem; you'll have to delete the user (from /etc/passwd) and add it again (via sam or useradd), or use the pwconv command.
9.14.2006
HPUX trusted system
/usr/lbin/getprdef
or look for /tcb
8.26.2006
No manual entry for man
I figured out why the normal man pages don't work on some systems. The file /etc/MANPATH overrides the MANPATH variable when /etc/profile runs. So to fix it just add the "normal" man page locations to /etc/MANPATH:
/usr/share/man:/usr/contrib/man:/usr/local/man:
HP 9000 servers model numbers
http://www.openpa.net/systems/
ITO / OVO Openview java client
C:\Program Files\Hewlett-Packard\HP VP Java Console>
"C:\Program Files\Hewlett-Packard\HP VP Java Console\ito_op.bat" -help
It is started with the server hostname as the first parameter.
You can also select from the following parameters:
-user "username" ... "username" for login
-passwd "password" ... "password" for login
-server "hostname" ... default server for login (same as first parameter)
-display "hostname" ... sets display hostname for X applications
-nowin ... starts JavaGUI without a DOS window
-plugin ... starts JavaGUI as plugin
-trace ... enables tracing
-nosec ... disables secure JavaGUI
-help ... displays this page
My normal run string:
"C:\Program Files\Hewlett-Packard\HP VP Java Console\ito_op.bat" -server my_server_name -nowin -user myuseraccount
8.24.2006
8.21.2006
fsadm - fails with error extending file system
/$ fsadm -F vxfs -b 20448M /directory
vxfs fsadm: cannot open /directory/lost+found/.fsadm - errno 2
ls /directory --- no lost+found there.
man mklost+found
cd /directory
/directory$ mklost+found
creating slots...
removing dummy files...
done
drwxr-x--- 2 root sys 4096 Aug 21 09:34 /directory/lost+found
now fsadm succeeds
8.18.2006
sendmail/mail command drop_privileges error on HP-UX
$ echo hi | mailx -s "test" myemail@mydomain.com
$ drop_privileges: setuid(0) succeeded (when it should not)
$ ll /usr/sbin/sendmail
-r-sr-sr-t 1 nonroot mail 1339392 Aug 26 2004
/usr/sbin/sendmail
should be owned by root:mail
$ /sbin/init.d/sendmail stop
No sendmail server running
$ /sbin/init.d/sendmail start
drop_privileges: setuid(0) succeeded (when it should not)
451 4.0.0 can not chdir(/var/spool/mqueue): Permission denied
$ chown root /usr/sbin/sendmail
$ ll /usr/sbin/sendmail
-r-sr-sr-t 1 root mail 1339392 Aug 26 2004
/usr/sbin/sendmail
$ /sbin/init.d/sendmail start
/etc/mail/aliases: 7 aliases, longest 9 bytes, 88 bytes total
sendmail
8.16.2006
how to erase disk in HP-UX
http://unix.derkeiler.com/Mailing-Lists/HP-UX-Admin/2006-06/msg00035.html
I like the concept of destroying all luns, creating a big one and doing a dd of /dev/zero over the raw disk special file.
convert dos unix format in VIM
http://www.vim.org/tips/tip.php?tip_id=145
:set fileformat=dos or unix or mac
:w
8.13.2006
Install IE in Linux using wine easily
8.12.2006
synergy with PCs
8.02.2006
sendmail error sending mail on HP-UX
/etc/mail/sendmail.cf: line 691: fileclass: can not open /etc/mail/sendmail.cw: World writable directory
The permissions on /etc are incorrect. Changed it to the HP-UX standard 555 (r-xr-xr-x):
chmod 555 /etc
Ran a test:
echo test | mailx me@mycorp.local
Received email successfully, no error message.
7.20.2006
X error running Openview
ovw: Xt Warning: Missing charsets in String to FontSet conversion
ovw: Xt Warning: Unable to load any usable fontset
Fix it by editing startxwin.bat to add the -fp (font path) parameter to the run line, pointing at the server that has Openview installed as the font server:
%RUN% XWin -multiwindow -clipboard -silent-dup-error -fp tcp/ovoserver.mycompany.com:7000
7.14.2006
what to do about dns outages - plan ahead
eth0 = the name of my interface. Since most of you are lazy and don't name your connections (like a *nix admin would), yours is probably "Local Area Connection".
netsh int ip set dns eth0 static 208.67.222.222
where the IP is a DNS server (OpenDNS here):
Server: resolver1.opendns.com
Address: 208.67.222.222
Name: resolver2.opendns.com
Address: 208.67.220.220
7.10.2006
remote shell error on HP-UX
remshd: Login disallowed (audit error)
Do an /usr/sbin/authck -pv
Check for duplicates in /etc/passwd; if duplicates are found, remove them via vipw.
7.05.2006
flash format screen capture
http://www.debugmode.com/wink/
6.30.2006
sed (text/replace) in Windows
use sed for Win32 to modify text/configuration files on the fly:
http://www.cornerstonemag.com/sed
6.29.2006
Listing open ports and associated program in HPUX
netstat in linux has the -p option for listing the program/application/PID that is using a port. You can't list open ports like that in HP-UX, but you can use the lsof command to list them:
# lsof -i tcp:200
6.25.2006
Ubuntu keyboard shortcuts / keybindings and other things
6.24.2006
speed up Windows XP for benchmarking
rundll32.exe advapi32.dll,ProcessIdleTasks
http://www.microsoft.com/whdc/system/sysperf/benchmark.mspx#EFF
6.23.2006
pipe standard error with standard output
first_command 2>&1 | next_command_in_pipe
See the following: http://www.linuxdevcenter.com/pub/a/linux/lpt/13_01.html
HP-UX EMS alerts with EMC
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=405726&admit=-682735245+1151047006669+28353475
In HPUX, if you get serious severity alerts coming from disk_em EMS monitor on EMC disks/luns, it's because the version of OnlineDiags does not work with EMC LUNs that identify themselves as using HP03 firmware. Can be fixed by adding the hardware paths to the EMC array in: /var/stm/data/tools/monitor/disabled_instances like this:
/storage/events/disks/default/1_0_8_0_0.1.22*
/storage/events/disks/default/0_0_8_0_0.1.16*
Then run 'monconfig' and select 'enable monitoring' to re-read the config file.
6.22.2006
trouble viewing EMC LUNs on HP-UX
/etc/ioscan -f
/etc/insf -eC disk
/sbin/powermt config
/sbin/powermt set policy=co
/sbin/powermt save
/sbin/powermt display dev=all
here's a very thorough version:
/etc/ioscan -f
/etc/insf -eC disk
/sbin/init.d/agent stop
/sbin/init.d/agent start
/opt/Navisphere/bin/navicli register
/sbin/powermt config
/sbin/powermt set policy=co
/sbin/powermt check
/sbin/powermt save
/sbin/powermt display dev=all
In some cases you may have to delete /etc/powermt.custom before running the powermt config command.
6.21.2006
error starting stm in HPUX
-- Error --
The UUT status file
(/var/tmp/stm27188/servername.domain.com/data/uut_status) representing the new device map from the Unit Under Test (UUT) could not be successfully loaded into memory. The most recent device map for the Unit Under Test (UUT) could not be built successfully. This means operations apparently available, based on this old map, may not be, and might fail. Please refer to the Map Log and/or the System Activity Log on that system for more details.
-- Information --
Aborting all open command files.
Solution: restart diagnostic daemons:
/sbin/init.d/diagnostic stop
/sbin/init.d/diagnostic start
6.17.2006
create vmware .vmx virtual machines
6.16.2006
comments in password file
3 requirements:
* 7 total fields - exactly 6 colons must be in every line
* uid must be numeric or valid
* gid must be numeric or valid
You should check your /etc/passwd file using the pwck command if you are in doubt of the integrity of the file.
Some symptoms to look out for if your password file is screwed up:
$ /bin/su - user123
su: Unknown id: user123
$ passwd
Invalid login name.
The password file is read from top to bottom, so if one account works but others don't, check the location of the comment/bad entries and where they sit relative to the account in question.
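As an added example (not part of the original notes), this POSIX shell/awk check applies the three requirements above to passwd(4)-format lines and reports the line number of each bad entry, so you can see where it sits relative to the account that stopped working. The sample lines are constructed.

```shell
#!/bin/sh
# Added example: a pwck-style check for the three requirements listed above.
# Reads passwd(4)-format lines on stdin and prints one finding per bad line,
# with the line number, since the file is read top to bottom and entries below
# a bad line are the ones to compare against the symptoms above.
check_passwd() {
    awk -F: '
        {
            bad = ""
            if (NF != 7)                 bad = "expected 7 fields (6 colons), got " NF
            else if ($3 !~ /^[0-9]+$/)   bad = "uid \"" $3 "\" is not numeric"
            else if ($4 !~ /^[0-9]+$/)   bad = "gid \"" $4 "\" is not numeric"
            if (bad != "") printf "line %d (%s): %s\n", NR, $1, bad
        }'
}

# Constructed sample (not a real passwd file): a hand-added comment line and a
# group name where a numeric gid should be.
SAMPLE_PASSWD='root:x:0:3::/:/sbin/sh
# added by someone by hand
user123:x:105:20::/home/user123:/usr/bin/sh
svc:x:106:users::/home/svc:/usr/bin/sh
daemon:x:1:5::/:/sbin/sh'

printf '%s\n' "$SAMPLE_PASSWD" | check_passwd
```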
6.07.2006
5.31.2006
Get Physical RAM on HP-UX
grep Physical /var/adm/syslog/syslog.log
5.30.2006
Replacing a Mirrored HP-UX Boot Disk
Reduce any logical volumes that have mirror copies on the faulty disk so that they no longer mirror onto that disk. (note: lvdisplay -v /dev/vgXX/lvol* will show the lvols)
# lvreduce -m 0 /dev/vgXX/lvolX /dev/dsk/cXtXd0 (for 1 way mirroring)
Reduce the volume group.
# vgreduce /dev/vgXX /dev/dsk/cXtXd0
Stop I/O going to the drive
# pvchange -a n /dev/dsk/c0t2d0
---> Replace the drive.
# pvchange -a y /dev/dsk/c0t2d0
Initialize the disk for LVM.
# pvcreate -f -B /dev/rdsk/cXtXd0
Set boot switch for no quorum and add offline diagnostics (if available to drive)
# mkboot -a "boot vmunix -lq" /dev/dsk/c0t2d0
# mkboot -b /usr/sbin/diag/lif/updatediaglif2 -p ISL -p HPUX -p LABEL -p AUTO /dev/rdsk/cXtXd0
Extend the volume group.
# vgextend /dev/vgXX /dev/dsk/cXtXd0
Lvextend the mirrors back onto the replaced drive.
# lvextend -m 1 /dev/vgXX/lvolX /dev/dsk/cXtXd0 & (for 1 way mirroring)
Do this for each lvol on the system. The & runs the task in the background. You can check on the progress using lvdisplay -v /dev/vg00/lvolXX.
After running the mkboot and lvextend commands, do an lvlnboot -Rv to relink the disk into the
Boot Data Reserved Area of all the physical volumes in the volume group.
# lvlnboot -Rv
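As an added example (not from the original notes), the following POSIX shell/awk helper works out the first step above from lvdisplay -v output: which lvols have a mirror copy on the failed disk (the ones lvreduce -m 0 detaches) and which have their only copy there (where lvreduce would throw data away). The lvdisplay output it parses is constructed to match the command's layout, not captured from a real system, and the helper only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example: pick out the lvols affected by a failing disk from
# "lvdisplay -v /dev/vgXX/lvol*" output, so the lvreduce step can be planned.

# lvols_on_disk DISK mirrored|unmirrored  (lvdisplay -v output on stdin)
#   mirrored   -> lvols with Mirror copies > 0 that have extents on DISK
#                 (these are the ones "lvreduce -m 0 ... DISK" detaches)
#   unmirrored -> lvols whose only copy is on DISK (lvreduce would lose data)
lvols_on_disk() {
    awk -v disk="$1" -v want="$2" '
        /^LV Name/                        { lv = $3; mirrors = 0; indist = 0 }
        /^Mirror copies/                  { mirrors = $3 }
        /Distribution of logical volume/  { indist = 1; next }
        /Logical extents/                 { indist = 0 }
        indist && $1 == disk {
            if ((want == "mirrored") == (mirrors > 0)) print lv
        }'
}

# plan_lvreduce DISK: print (do not run) the lvreduce commands for step 1
plan_lvreduce() {
    lvols_on_disk "$1" mirrored | while read -r lv; do
        printf 'lvreduce -m 0 %s %s\n' "$lv" "$1"
    done
}

# Constructed lvdisplay -v output (layout only; not from a real system):
# lvol1 and lvol3 are mirrored across c0t6d0/c1t6d0, lvol2 lives only on c0t6d0.
SAMPLE_LVDISPLAY='--- Logical volumes ---
LV Name                     /dev/vg00/lvol1
VG Name                     /dev/vg00
Mirror copies               1

   --- Distribution of logical volume ---
   PV Name            LE on PV  PE on PV
   /dev/dsk/c0t6d0    75        75
   /dev/dsk/c1t6d0    75        75

   --- Logical extents ---
   LE    PV1                PE1   Status 1 PV2                PE2   Status 2
   00000 /dev/dsk/c0t6d0    00000 current  /dev/dsk/c1t6d0    00000 current

--- Logical volumes ---
LV Name                     /dev/vg00/lvol2
VG Name                     /dev/vg00
Mirror copies               0

   --- Distribution of logical volume ---
   PV Name            LE on PV  PE on PV
   /dev/dsk/c0t6d0    100       100

--- Logical volumes ---
LV Name                     /dev/vg00/lvol3
VG Name                     /dev/vg00
Mirror copies               1

   --- Distribution of logical volume ---
   PV Name            LE on PV  PE on PV
   /dev/dsk/c0t6d0    50        50
   /dev/dsk/c1t6d0    50        50'

FAILED=/dev/dsk/c1t6d0
echo "mirrored on $FAILED (lvreduce these):"
printf '%s\n' "$SAMPLE_LVDISPLAY" | plan_lvreduce "$FAILED"
echo "unmirrored on $FAILED (only copy, do NOT lvreduce):"
printf '%s\n' "$SAMPLE_LVDISPLAY" | lvols_on_disk "$FAILED" unmirrored
```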
5.29.2006
allowing backspace and @ in login prompt on HPUX
See termio(7) for the default values of control characters: http://docs.hp.com/en/B2355-60127/termio.7.html
like this: stty erase ^H kill ^U intr ^C susp ^Z < /dev/ttyconf
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=430766
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=181001
using WS_FTP to automate file xfers
Many options in WS_FTP are now user-specific, i.e. the changes made to the options are only reflected in that current user's profile.
PGP support is now included in V9, but I'd rather do the encryption/decryption outside of ws_ftp and use the 'gpg' tool instead. By default, ws_ftp will try to decrypt and verify every file downloaded with a .pgp extension. This option must be turned off. Go into the options under the PGP section and uncheck the "Always decrypt & verify encrypted and signed".
If WS_FTP needs to be reinstalled, make sure you go in and out of the application and verify the options that you changed are still intact.
I had to connect to each site to make sure the connections were still good. In the process of doing so I needed to click "Trust this connection" on any of the SSH connections because a new fingerprint was generated.
Each user profile has a registry setting pointing to the application data directory. After the upgrade this initially pointed to the user's specific profile, so we had to change it back to the following:
[HKEY_CURRENT_USER\Software\Ipswitch\WS_FTP]
"DataDir"="C:\\Documents and Settings\\All Users\\Application Data\\Ipswitch\\WS_FTP"
Since we typically use the 'local_assigned' user account and he's not an admin on windowBox1, we needed to change some registry permissions in order to allow some options to be read and customized. We changed the security on the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch] -- added WindowsGroup1 group with 'Full Control'
The speed of uploads to SSH servers dropped by half in v.9.01. Add "sftppipefraction=150" to the sftp/ssh site's section in ws_ftp.ini to gain full speed. Without this, every lifemasters transfer failed.
WS_FTP Pro notes v8: (some of this applies to v9 as well)
Installation:
During the install it will ask about "shared" and "personal" sites. The only option we want selected is the "Allow users to create or modify shared sites". The reason for this is that it simplifies where the site data is held. Shared sites go into the "all users" profile directory. "Personal" sites go to the individual user profile, which means if switching from one user account to another, the ws_ftp.ini file would have to be copied over as well. The registry settings this affects are recorded below.
[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\WS_FTP]
"DataDir"="C:\\Documents and Settings\\All Users\\Application Data\\Ipswitch\\WS_FTP"
"AllowPersonalSites"=dword:00000000
"AllowModifySharedSites"=dword:00000001
Directories and files:
shared sites (shared by all users) stored in:
C:\Documents and Settings\All Users\Application Data\Ipswitch\WS_FTP\Sites\ws_ftp.ini
Predefined Sites stored in: predef.ini
MySites are stored in: original.ini
Any folders created will generate an .ini file based on the folder name. The ini file will contain any sites created under that folder.
Log files stored (usually overwritten each time WS_FTP is called from the command line):
C:\Documents and Settings\All Users\Application Data\Ipswitch\WS_FTP\Logs
You can copy sections of an .ini file from one computer to another but the password may have to be re-entered on the destination computer because of the way WS_FTP encrypts the password field.
Must use fully qualified path because the command line instance will bring us to the root directory. Otherwise it will default to /usr/bin on some systems.
File specifications for uploading/downloading can be wildcarded. ( * or . )
command line example
NOTE: Trailing slash must be used for destination directory.
cd "%programfiles%\ws_ftp pro" & wsftppro -s ftp://anonymous:test@ftp.ipswitch.com/pub/msdos/vmenu.zip -d local:c:\
ascii
cd "%programfiles%\ws_ftp pro" & wsftppro -s amisys:~/bin/list.sh -d local:c:\ -ascii
binary
cd "%programfiles%\ws_ftp pro" & wsftppro -s amisys:~/bin/list.sh -d local:c:\ -binary
auto
cd "%programfiles%\ws_ftp pro\wsftppro" & wsftppro -s amisys:~/bin/list.sh -d local:c:\
-lower lowercases the filename (only works when uploading TO a remote host, not downloading from a host)
WARNING: Using the command line, be careful that when downloading, the remote file name must be in the EXACT case in order to download the correct file.
The WS_FTP scheduler is just another front-end to the Win2k task scheduler.
GNUpg, gpg, encryption notes
Public Key Cryptography:
http://www.wvu.edu/~lawfac/mmcdiarmid/digital%20signatures.htm - older reference, but pretty easy to understand
http://www.lugod.org/presentations/pgp/ - good introduction and beginners guide
http://www.linuxjournal.com/article.mydivision?sid=4828 GPG the Best Free Crypto You Aren't Using, Part I of II
http://www.linuxjournal.com/article.mydivision?sid=4892 GPG the Best Free Crypto You Aren't Using, Part II of II
http://computer.howstuffworks.com/question571.htm
http://computer.howstuffworks.com/encryption.htm
gpg usage: http://www.rhce2b.com/clublinux/RHCE-38.shtml
GPG notes:
http://www.gnupg.org/ - GNU Privacy Guard
If the --output option is not specified, gpg will usually write contents to stdout (the screen). You can also do file redirection to route the output to a file. The exception to this is the default decryption option:
gpg [filename]
The above syntax will decrypt the file to the original unencrypted filename. You can add other options to this command.
You encrypt with someone's public key, they decrypt with their secret key. Give your public key out to those that want to send you encrypted files/messages. Then only you (or anyone that has your secret key, which should be no one but you) can decrypt and view the file.
[name] = name, email or identifier of key. email addr is usually the best one to use because it's usually the most unique identifier.
files:
gpg.man -- man page for gpg (lists all switches)
gpg.conf -- found in c:\gnupg (see readme.w32), contains all config options
If you receive the following when decrypting a file, then there is probably a compatibility problem with the other user's signature, usually nothing to worry about: "WARNING: message was not integrity protected". To prevent the message from appearing use --no-mdc-warning on the gpg command line or put the following in the gpg.conf file: no-mdc-warning
On the Windows platform, be sure to include the following option in gpg.conf or on the command line:
--no-mangle-dos-filenames
The Windows version of GnuPG replaces the extension of an output filename to avoid problems with filenames containing more than one dot. This is not necessary for newer Windows versions and so --no-mangle-dos-filenames can be used to switch this feature off and have GnuPG append the new extension. This option has no effect on non-Windows platforms.
NOTE: Any options specified in the configuration file(gpg.conf) should NOT have the double dashes at the beginning of them.
gpg.conf example file:
no-mdc-warning
no-mangle-dos-filenames
load-extension lib\idea
Generating a new key pair:
gpg --gen-key
The default way we have been creating the keys is:
kind of key you want: (1) DSA and ElGamal (default)
keysize: 2048
expiration: 0 (does not expire)
"Real name": mycompany
email: mydivision-{vendor}@mycompany.com where {vendor} is the vendor's name.
comment: mydivision - mycompany (usually)
Displaying/listing keys:
list all secret keys on the system:
gpg --list-secret-keys
list all public keys on the system:
gpg --list-keys
Importing keys:
to import an exported public or secret key into the appropriate keyring on this system:
gpg --import keyfile_to_import
Exporting:
use --armor option if sending key via email or if vendor requires ASCII armored data.
to export a public key; don't specify a name if you want to export all:
gpg --output filename.key --export [name]
to export a secret key; don't specify a name if you want to export all:
gpg --output filename.key --export-secret-keys [name]
Always export any keys before using them. This keeps a backup of all keys in case you screw up (you probably will too!). You can use the following as a template, replacing {vendor} with the vendor's name, and paste the text directly to the shell.
gpg --output mydivision-{vendor}@mycompany.com-public.asc --armor --export mydivision-{vendor}@mycompany.com
gpg --output mydivision-{vendor}@mycompany.com-public.key --export mydivision-{vendor}@mycompany.com
gpg --output mydivision-{vendor}@mycompany.com-secret.asc --armor --export-secret-keys mydivision-{vendor}@mycompany.com
gpg --output mydivision-{vendor}@mycompany.com-secret.key --export-secret-keys mydivision-{vendor}@mycompany.com
NOTE: In some cases the vendor can't use certain algorithms such as AES192, AES256, etc. In these cases you will need to edit the key after generating it and export the key in order to disable or restrict use of the particular "problematic" algorithms. Instructions below:
gpg --edit-key [name]
setpref S3 S2 S1 H2 H3 Z2 Z1 (This string was used for Express-Scripts because of their requirement)
(do a setpref xx xx; or whatever algorithms/options you want included. Include all options except the ones you want to disable.)
updpref
save
List the algorithms/options on the key:
gpg --edit-key keyid showpref quit (long verbose format)
gpg --edit-key keyid pref quit (short terse format)
List of options/preferences to use on keys:
s2 = 3des
s3 = cast5
s4 = blowfish
s7 = aes
s8 = aes192
s9 = aes256
s10 = twofish
s1 = idea (if you use it, otherwise leave out)
h3 = ripemd160
h2 = sha1
h1 = md5
z2 = zlib
z1 = zip
z0 = no compression
Encryption:
When encrypting a file, you can use multiple -r (recipient) options if needed. To decrypt the file, the secret key that corresponds to the public key used to encrypt it will be needed.
The following example will create an encrypted file with a .gpg extension.
gpg -r info@claimsnet.com --encrypt-files encrypt-test.txt (preferred method)
gpg --output output_filename -r [name] --encrypt filename_to_encrypt
for interactive prompt asking which key to use to encrypt:
gpg --output output_filename --encrypt filename_to_encrypt
When using a key to encrypt for the very first time, you will see text similar to the following:
gpg: checking the trustdb
gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/7
gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/0
Decryption:
to decrypt a file (must have the secret key that matches the public key that was used to encrypt the file):
gpg filename_to_decrypt -- decrypt file and write to original filename (preferred method)
or
gpg --output output_filename --decrypt filename_to_decrypt
if you don't have the secret key for an encrypted file you'll get the error: "gpg: decryption failed: secret key not available"
signing a key:
gpg --local-user mydivision-claimsnet@mycompany.com --sign-key info@claimsnet.com
-- it will ask for level of trust. Choose the highest level of trust. (3)
after you receive someone's public key (whom you trust) you can sign it. If you don't you'll get the following message every time you try to encrypt something with their public key:
gpg --output encrypt-test.pgp -r info@claimsnet.com --encrypt encrypt-test.txt
gpg: C458F397: There is no indication that this key really belongs to the owner
1024g/C458F397 2001-02-28 "Claimsnet.com Inc. <info@claimsnet.com>"
Primary key fingerprint: 1254 FD28 5BF7 DF69 CD02 9072 4155 8840 575F 950E
Subkey fingerprint: 0164 29BF CEB1 96B6 91AC FF76 CE41 BAAA C458 F397
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes
Use this key anyway? n
gpg: encrypt-test.txt: encryption failed: unusable public key
After you sign the recipient's key, you won't get the error message when encrypting a file.
marking keys as trusted (need to do this when we import our keys into new keyring file):
gpg --edit-key mydivision-esi@mycompany.com
Command> trust
Your decision? 5
Do you really want to set this key to ultimate trust? y
Command> quit
Changing the passphrase of the secret key (in case of lost/stolen key):
gpg --edit-key mydivision-esi@mycompany.com
Command> passwd
Enter passphrase: ****
Enter the new passphrase for this secret key.
Enter passphrase: *******
Repeat passphrase:*******
Command> save
Deleting/removing keys no longer needed:
Recommend exporting the keys first before deleting them.
delete secret key:
gpg --delete-secret-keys [name]
delete a public key:
gpg --delete-keys [name]
delete both secret and public key pair:
gpg --delete-secret-and-public-key [name]
--delete-secret-and-public-key name
Same as --delete-key, but if a secret key
exists, it will be removed first. In batch mode
the key must be specified by fingerprint.
AUTOMATION:
to automate/batch decrypt files use the following options. MAKE SURE that the gnupg directory is secured well and keep the "passphrase-file" in the same directory or another secure directory:
--passphrase-fd n
Read the passphrase from file descriptor n. If
you use 0 for n, the passphrase will be read
from stdin. This can only be used if only
one passphrase is supplied. Don't use this
option if you can avoid it.
ex:
type passphrase-file | gpg --passphrase-fd 0 [filename_to_decrypt]
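As an added example (not from the original notes), here is a POSIX shell wrapper around the --passphrase-fd 0 idiom above that refuses to run unless the passphrase file is a private regular file owned by the invoking user; the gpg invocation itself is the same as in the notes, with the passphrase redirected from the file instead of piped by "type". The self-check at the end uses a throwaway temp file and never calls gpg.

```shell
#!/bin/sh
# Added example: guard the batch decrypt with a permission check on the
# passphrase file, which is what "secured well" comes down to in practice.

# passphrase_file_ok FILE: succeed only if FILE is a regular file, mode 0600 or
# 0400 (an ACL "+" marker in the mode also fails it), and owned by the current uid.
passphrase_file_ok() {
    [ -f "$1" ] || { echo "$1: not a regular file" >&2; return 1; }
    # ls -lnd prints: mode links uid gid size date... name (uid is numeric, so
    # no name lookup is needed). Positional parameters are local to the function.
    set -- "$1" $(ls -lnd "$1")
    case "$2" in
        -r--------|-rw-------|-r--------.|-rw-------.|-r--------@|-rw-------@) ;;
        *) echo "$1: mode $2 is too open (want -rw------- or -r--------)" >&2; return 1 ;;
    esac
    [ "$4" = "$(id -u)" ] || { echo "$1: owned by uid $4, not $(id -u)" >&2; return 1; }
}

# batch_decrypt PASSPHRASE_FILE FILE...: the --passphrase-fd 0 idiom from the
# notes. On GnuPG 2.1 or later, --pinentry-mode loopback is also needed for
# --passphrase-fd to be honoured.
batch_decrypt() {
    pf=$1
    shift
    passphrase_file_ok "$pf" || return 1
    gpg --batch --passphrase-fd 0 --decrypt-files "$@" < "$pf"
}

# Self-check with a throwaway file (no gpg call): world-readable is rejected,
# 0600 is accepted.
tmp=$(mktemp) || exit 1
printf 'not-a-real-passphrase\n' > "$tmp"
chmod 644 "$tmp"
passphrase_file_ok "$tmp" && echo "unexpected: accepted a 0644 file"
chmod 600 "$tmp"
passphrase_file_ok "$tmp" && echo "ok: 0600 passphrase file accepted"
rm -f "$tmp"
```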
Signatures:
Signatures are basically good for verifying the authenticity of message/file/whatever.
clearsign (good for emailing), example:
hp.txt contents before signing:
This is a test file...
gpg --local-user mydivision-abf@mycompany.com --clearsign hp.txt
after signing it will create a file named: hp.txt.asc:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is a test file...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
iD8DBQFAfUxLl6vRH9ZI4QMRAtgiAKCLxmq7CTTsgmpd1EiZgpxgubwBTwCeO3+A
cFMS25BXJHSobsWcLql+sR8=
=BFyt
-----END PGP SIGNATURE-----
verify signature (must have public key in keyring to do this):
gpg --verify hp.txt
for a detached signature, put the signature file first:
gpg --verify file.sig file
Log of a gen-key session (our answers follow each prompt):
C:\>gpg --gen-key
gpg (GnuPG) 1.2.4; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: mycompany
Email address: mydivision-mckession@mycompany.com
Comment: mydivision - mycompany
You selected this USER-ID:
"mycompany (mydivision - mycompany ) <mydivision-mckession@mycompany.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? e
Email address: mydivision-othercorp@mycompany.com
You selected this USER-ID:
"mycompany (mydivision - mycompany ) <mydivision-othercorp@mycompany.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++.+++++++++++++++++++++++++++++++++++..++++++++++.+++++...++
+++.+++++.++++++++++.+++++.+++++..+++++....+++++++++++++++++++++++++.+++++......
.........>+++++......>+++++............<+++++.................>+++++.<+++++.....
................................................................................
................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++++++++++++...++++++++++++++++++++.+++++.+++++..+++++++++++++
++.+++++++++++++++.+++++++++++++++.+++++.+++++++++++++++.++++++++++.....+++++.++
+++>.+++++.+++++>+++++..........................................................
...................................+++++^^^
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/51CF3CC5 2004-04-23 mycompany (mydivision - mycompany ) <mydivision-othercorp@p
Key fingerprint = 9982 34EB 114A 6A4D 8EC5 9FB8 98A8 F30F 51CF 3CC5
sub 2048g/DF7989E4 2004-04-23
getting a public key from a keyserver:
gpg --keyserver http://pgp.mit.edu --search-keys dd9jn@gnu.org
Curl notes and usage
cURL notes:
official web sites:
curl: http://curl.haxx.se
http://curl.siamu.ac.th/docs/httpscripting.html
openssl: http://www.openssl.org
Curl is an open source command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks. Openssl handles the encryption part of the transfer.
Curl usage:
To use the config file (_curlrc), the next line must be set in the batch file or scripting environment:
set home=c:\directory_pathto_config_file
Since curl will only work with PEM formatted certificates, we need to convert the PKCS12 format certificate:
openssl pkcs12 -in [original certificate file] -clcerts -out [PEMfile]
I believe some web sites use cookies for the session timeout (I believe a 5-10 minute timeout period). For that reason, when initially communicating with the server we MUST run 2 passes of curl: 1 to authenticate and 1 to do the transfer or whatever other command we want to issue.
Using config file:
list directory:
curl https://this.secretwebsite.com/* -- will list everything recursively; lists just file/path names
curl https://this.secretwebsite.com -- is like doing an ls -l
download:
curl -O https://this.secretwebsite.com/outbound/SFT_Win32_4.0.39_Guide.doc
upload:
curl -T mylocalfile.txt https://this.secretwebsite.com/
files we get back: mylocalfile.txt_201706.NO_ADD_REC
that's HHMMSS (maybe pacific timezone)
Deleting files:
curl -X DELETE https://this.secretwebsite.com/mylocalfile.txt_201706.NO_ADD_REC
from manual-
-X/--request <command>
(HTTP) Specifies a custom request to use when communicating with the HTTP server. The specified request will be used instead of the standard GET. Read the HTTP 1.1 specification for details and explanations.
_curlrc (config file) contents:
#cookie send file (-b)
cookie C:\sys\temp\curl\cookie.jar
#cookie receive file (-c)
cookie-jar C:\sys\temp\curl\cookie.jar
#redirect to different location (-L)
location
#certificate file and pw for authentication (-E)
cert e:\curl\mysecrets.pem:the_password_goes_here
#display progress bar (-#) instead of default statistics
progress-bar
#Write output to a local file named like the remote file we get.
#(Only the file part of the remote file is used, the path is cut off.)
#remote-name
HP-UX btmp-utmp accounting
/home/maint/bin/acctcleanup.sh -- runs only via cron on the first day of every month at midnight. It moves all entries in btmp and wtmp to /home/maint/logs/acct with a file name format of: wtmp-monthYEAR or btmp-monthYEAR
see utmp(4)
/var/adm/btmp Bad login database
/var/adm/wtmp Login database
/etc/utmp
utmp = record of all users logged onto the system.
btmp = bad login entries for each invalid logon attempt
wtmp = record of all logins and logouts.
acctcleanup.sh:
#!/usr/bin/sh
# cleans up accounting files: /var/adm/wtmp and /var/adm/btmp Should be run via
# cron at 0:00 the first of every month.
#wtmp contains a record of all logins and logouts
#btmp contains bad login entries for each invalid logon attempt
#if not running under cron then exit
if ! /home/maint/bin/rptree.sh $$ | grep cron >/dev/null; then
banner executes "only under" cron
exit
fi
w=/var/adm/wtmp
b=/var/adm/btmp
fwtmp=/usr/sbin/acct/fwtmp
wtmpfix=/usr/sbin/acct/wtmpfix
log=/home/maint/logs/acct
#Since we are in a new month, get last month's name
case `date +%B` in
January) month=December;;
February) month=January;;
March) month=February;;
April) month=March;;
May) month=April;;
June) month=May;;
July) month=June;;
August) month=July;;
September) month=August;;
October) month=September;;
November) month=October;;
December) month=November;;
esac
#Output files are named like /home/maint/logs/acct/wtmp-December2006.log
wdate=$log/wtmp-$month`date +%Y.log`
bdate=$log/btmp-$month`date +%Y.log`
#Convert each binary login database to ASCII with fwtmp, then truncate it
$fwtmp < $w > $wdate
cat /dev/null > $w
$fwtmp < $b > $bdate
cat /dev/null > $b
fbackup/frecover tips
Diagnostics: HP Library and Tape Tools (L&TT or LTT)
in: /opt/ltt and the main program: /opt/ltt/hp_ltt
most of our maintenance scripts are contained in:
/home/maint/bin
Our main backup script and associated files are in:
/home/maint/bin/fbackup main script: /home/maint/bin/fbackup/bin/fullback.sh
An email reminder to swap the tape is sent when the backup job is complete. Tapes must be swapped every M-F.
Notes on using fbackup:
fbackup -v -f /dev/rmt/1m -f /dev/rmt/2m -I /indexfile.txt -g graphfile -i include_path -i include_another -c configFile
fbackup graph files do not support wildcards....
graph file contents:
i /include_me
e /exclude_me
If media is write protected you'll see something similar to the following:
fbackup(3032): could not open output file /dev/rmt/2m
default fbackup config used by sam: /etc/sam/br/fbackup_config
fbackup stores incremental backup information in /var/adm/fbackupfiles/dates
fbackup -u option updates the 'dates' files: /var/adm/fbackupfiles/dates
fbackup config file : current config file used in production: /home/maint/fbackup/cfg/best
current config file                    | description of each line
blocksperrecord 256                    | Number of 1024-byte blocks per record.
records 32                             | Number of records of shared memory to allocate.
checkpointfreq 1024                    | Number of records between checkpoints. Since the EOF marks between checkpoints are also used for fast searching on DLT tape drives, changing the checkpoint frequency may also affect selective recovery speed (see WARNINGS section).
readerprocesses 6                      | Number of file-reader processes.
maxretries 5                           | Maximum number of times fbackup is to retry an active file.
retrylimit 5000000                     | Maximum number of bytes of media to use while retrying the backup of an active file.
maxvoluses 2000                        | Maximum number of times a magnetic tape volume can be used.
filesperfsm 2000                       | The number of files between the fast search marks on DDS tapes. The cost of these marks is negligible in terms of space on the DDS tape. Not all DDS tape devices support fast search marks.
chgvol /home/maint/fbackup/bin/chgvol  | Name of a file to be executed when a volume change occurs. This file must exist and be executable.
error /home/maint/fbackup/bin/error    | Name of a file to be executed when a fatal error occurs. This file must exist and be executable.
Clearing fbackup header:
If you wish to clear the fbackup volume header from an fbackup tape because you want to blank out the number of times the tape has been used, use another backup utility on the tape. For example:
tar -cvf /dev/rmt/1m file_to_backup
frecover - recovering files from fbackup tape:
recovering files may take quite a long time, especially if they are small files. Restoring a small home directory containing less than 18 MB took over 10 minutes, compared to restoring an 8.5 GB file, which took only 17 minutes.
Unlike fbackup, single files and (sometimes) wildcarded files may be specified and recovered using frecover. In either fbackup or frecover, the hyphen ( - ) can be used almost anywhere to write/read to/from stdout (standard output). This can be used to pipe commands together as well.
to export the contents (the index) of an fbackup tape:
frecover -f /dev/rmt/1m -I /path/index_file
to write contents to stdout: frecover -f /dev/rmt/1m -I -
to view the volume header ( contains fbackup specific info ):
frecover -f /dev/rmt/1m -V /path/volume_file
test recover (N option): perform the same operations, but don't recover the files to disk:
frecover -xvN -f /dev/rmt/1m
recover everything (should only be done in the event of a total system failure):
frecover -v -r -f /dev/rmt/1m
or
frecover -v -x -f /path_to_fbackup_file
recover all files on tape to the current directory without creating directory structure
frecover -v -x -f /dev/rmt/1m -F
recover all the files in the -i included path to the current directory without creating directory structure
frecover -v -x -f /dev/rmt/1m -F -i /home/maint/fbackup/cfg
recover entire tape contents to current working directory:
frecover -v -x -f /dev/rmt/1m -X
recover graph contents to current working directory:
frecover -v -x -f /dev/rmt/1m -X -g mygraphfile
recover /home/maint/fbackup to current working directory:
frecover -v -x -f /dev/rmt/1m -X -i /home/maint/fbackup/
recover back to the original file location. A file on disk will not be overwritten if it's newer than the file from the tape. Use the -o option CAUTIOUSLY to bypass this limitation.
frecover -vxf /dev/rmt/1m -i /home/maint/bin/showuser.sh
frecover option:
-m Print a message each time a file marker is encountered.
Using this option, frecover prints a message each time
either a DDS fast search mark, a filemark (EOF), or a
checkpoint record is read. Although useful primarily for
troubleshooting, these messages can also be used to
reassure the user that the backup is progressing during
long, and otherwise silent, periods during the recovery.
UNKNOWN TAPE FORMAT - extraction:
if tape is of unknown format you can extract the contents using pax:
cd to_path_where_extracted_files_should_be_placed
pax -rv -s'/^\///' </dev/rmt/0m
tar - tape archiver:
WARNING: Use -tV to list all the files on the tape before extracting, because tar will not prompt to overwrite and will restore to the fully qualified pathname that is stored in the archive. So when creating a tar archive, please remember to use relative path names and not absolute ones. If no file argument is given, the entire content of the archive is extracted. Note that if several files with the same name are on the archive, the last one overwrites all earlier ones. Wildcards don't work.
tar -cvf /dev/rmt/1m path_to_archive -- create a new archive
tar -cvf /dev/rmt/1m -C /home/maint . -- create a new archive: first change to /home/maint and back up that directory using the relative path (.). Multiple -C options can be used
tar -tVf /dev/rmt/1m -- list all files on tape
tar -xvf /dev/rmt/1m -- extract all files from tape
tar -xvwf /dev/rmt/1m -- extract all files from tape, prompting the user to restore each file
tar -xvf /dev/rmt/1m ./index_file -- extract the file named index_file into the current directory
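The tar warning above comes down to three things worth checking before anything is written to disk: absolute member names (restored to the fully qualified path), names that climb out of the extraction directory, and duplicate names where the last copy silently wins. The script below is an added example (not from these notes and not HP-UX tar): it builds a small constructed archive in memory with exactly those problems and audits it with Python's tarfile module, which is the same information a tar -tV listing gives you, just checked mechanically.

```python
import io
import posixpath
import tarfile


def build_sample_archive():
    """Constructed in-memory archive whose member names illustrate the warning."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        members = [
            ("./index_file", b"first copy\n"),
            ("home/maint/bin/showuser.sh", b"#!/usr/bin/sh\nwho\n"),
            ("/etc/hosts", b"127.0.0.1 localhost\n"),             # absolute path: lands in /etc
            ("../escape.txt", b"lands outside the cwd\n"),         # parent traversal
            ("./index_file", b"second copy overwrites the first\n"),  # duplicate name
        ]
        for name, payload in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


def audit_archive(fileobj):
    """List members and flag absolute, traversing and duplicate names before extraction."""
    report = {"absolute": [], "traversal": [], "duplicates": [], "members": []}
    seen = set()
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():          # header scan only, nothing is extracted
            name = member.name
            report["members"].append((name, member.size))
            if name.startswith("/"):
                report["absolute"].append(name)
            if ".." in posixpath.normpath(name).split("/"):
                report["traversal"].append(name)
            if name in seen:
                report["duplicates"].append(name)
            seen.add(name)
    report["safe_to_extract_here"] = not (
        report["absolute"] or report["traversal"] or report["duplicates"]
    )
    return report


if __name__ == "__main__":
    result = audit_archive(build_sample_archive())
    for name, size in result["members"]:
        print("%8d %s" % (size, name))
    for key in ("absolute", "traversal", "duplicates"):
        print("%-12s %s" % (key + ":", result[key] or "none"))
    print("safe to extract into the current directory:", result["safe_to_extract_here"])
```

Point it at a real archive with tarfile.open("/path/to/archive.tar") instead of build_sample_archive() to run the same checks on a tape image or file that was created elsewhere; an archive created with the -C /home/maint . form from the notes above passes all three checks.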
MAKE_TAPE_RECOVERY:
make_tape_recovery: makes a bootable recovery tape
copy_boot_tape: make a copy of a recovery tape
/makerecovery.sh is the custom make_tape_recovery script that creates a recovery tape.
Ejecting a tape:
mt -f /dev/rmt/1mnb offline
Obtaining tape drive status:
mt -f /dev/rmt/2mnb status --show if tape is write protected
st -f /dev/rmt/0mnb -s --limited to displaying if device is OK and ready