Solved

aix ibm patch level and remaining support lifecycle

Posted on 2014-02-26
19
4,758 Views
Last Modified: 2014-03-04
Can anyone explain how out of date the following software levels for AIX IBM are:
5.3.0.0 (returned from oslevel -s)
6.1.0.0 (returned from oslevel -s)
Also is it the same as MS software whereby products are only patched if at a certain release level or service pack level, subsequently, are these products still under support, and for how long, or if they are out of support, when did they go out of support? Especially interested for the older version (5.3) which I think is now about 10 years old since it was first released…
0
Comment
Question by:pma111
19 Comments
 
LVL 5

Assisted Solution

by:Dave Gould
Dave Gould earned 150 total points
ID: 39888415
Check this thread out:
http://www.experts-exchange.com/Q_28361828.html

It contains a link to IBM Fix central that is very useful for AIX admins.

Here is an extraction from AIX/5.3/Best Practices -- Upgrading from AIX 5.3 to 7.1:

Why Should I Upgrade to AIX 7.1?
The answer to this question will vary by customer, but one of the main reasons is AIX 5.3 will no longer be supported after April, 2012, unless an extended service agreement is purchased.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 350 total points
ID: 39888452
oslevel -s should show a bit more than just "5.3.0.0", even with an old AIX 5.3.

The basic format of the output is

<version/release>-<maintenance/technology level>-<service pack level>-<service pack date>

e.g. "5300-12-04-1119"

The last value tells you how old your OS really is, "1119" means "week # 19 of year 2011"

You can see the software lifecycle of a base product  here:
http://www-01.ibm.com/software/support/aix/lifecycle/index.html

AIX 5.3 had a general availability date of "13-Aug-2004" and an end of support date of "30-Apr-2012", regardless of the installed maintenance or patch level.

AIX 6.1 had a general availability date of "12-Sep-2008" (Enterprise Edition) and is still under support.

End of support means that you can't open PMRs anymore, it does not necessarily mean that there will be no more Fix packs!

A Technology level update (formerly "Maintenance level") is issued once or twice a year and contains new functions and features along with the normal bugfixing, a Service pack contains fixes for problems that are critical and can't wait until the next TL.

Attention: Service Packs are cumulative, but Technology Level updates are not!

The lifecycles of given technology levels / service packs can be viewed at Fix Central:
https://www-933.ibm.com/support/fixcentral/options

Select Product Group: "IBM Operating Systems", select from IBM Operating Systems: "AIX", select Version: 5.3 (or 6.1), select Fix type: Fix Packs, click Continue.

At the bottom of the following page there is a chart showing the lifecycles of MLs/TLs and SPs.

The page also contains references to all MLs/TLs/SPs issued so far including download links, with the latest (newest) showing at the top.

As you will see, the latest TL for AIX 5.3 is  5300-12-00-1015  which means: TL # 12 as of week # 15 of 2010, and the latest SP for this TL is  5300-12-08-1316 which means: SP # 8 for TL # 12 as of week # 16 of 2013 (they often ship Fix packs after end-of service).

The latest TL for AIX 6.1 is  6100-09-00-1341, which means: TL # 9 as of week # 41 of 2013, and the latest SP for this TL is  6100-09-01-1341 which means: SP # 1 for TL # 9 as of week # 41 of 2013 (TL and SP were shipped at the same time).

This is IBM's presentation of their AIX service strategy, explaining the technical terms used and the general AIX service concept:
http://www14.software.ibm.com/webapp/set2/sas/f/best/aix_service_strategy.pdf

Here's another paper dealing with AIX update strategies, containing short hands-on instructions how to deal with TLs and SPs:
http://www.ibm.com/developerworks/aix/library/au-aixtlupdate/index.html

By the way, didn't we talk about the same topic in an earlier thread?
http://www.experts-exchange.com/Q_28361828.html

wmp
0
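The `oslevel -s` format described in the answer above can be decoded mechanically. The following is an added example, not code from the thread: the function name `decode_oslevel` and the `key=value` output are illustrative, and the century prefix `20` is an assumption based on the "week # 19 of year 2011" reading given above.

```shell
#!/bin/sh
# Added example (not from the thread): decode an `oslevel -s` string.
# Prints one line of key=value fields; returns 1 on input it cannot parse.
decode_oslevel() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9])
            ;;                      # full form, e.g. 5300-12-04-1119
        [0-9].[0-9].[0-9].[0-9])
            # Dotted base level (e.g. 5.3.0.0): carries no TL, SP or build date.
            echo "release=$level tl=none sp=none built=unknown"
            return 0 ;;
        *)
            echo "unparsed=$level"
            return 1 ;;
    esac

    rel=${level%%-*}                # 5300
    rest=${level#*-}                # 12-04-1119
    tl=${rest%%-*}                  # 12
    rest=${rest#*-}                 # 04-1119
    sp=${rest%%-*}                  # 04
    yyww=${rest#*-}                 # 1119
    yy=${yyww%??}                   # 11 (two-digit year)
    ww=${yyww#??}                   # 19 (week of that year)

    # A week number outside 01..53 means the string is not a real build date.
    if [ "$ww" -lt 1 ] || [ "$ww" -gt 53 ]; then
        echo "unparsed=$level"
        return 1
    fi
    # Assumption: years are 20yy, matching the "1119 = 2011" reading above.
    echo "release=$rel tl=$tl sp=$sp built=20$yy-W$ww"
}

# Sample inputs: three strings quoted in the thread plus one constructed
# malformed value (week 99) to show the rejection path.
for s in 5300-12-04-1119 5.3.0.0 6100-09-01-1341 5300-12-04-1199; do
    decode_oslevel "$s" || true
done
```

A dotted result such as `5.3.0.0` is the case discussed further down the thread: the string carries no maintenance information at all, so it has to be cross-checked with `instfix`.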
 
LVL 3

Author Comment

by:pma111
ID: 39888713
We did indeed (but I must confess the response was a little overwhelming), however I hoped it would be easier to digest if I had a build number to discuss. And that is definitely all the output from that command. So makes it hard to again digest the service pack date as all it says is "0"

I was hoping from the build numbers provided you could say it's missing 2 service packs and endless security patches.
0
 
LVL 3

Author Comment

by:pma111
ID: 39888730
or could the ".0.0" indicate no service packs have ever been applied since the server was provisioned? Are service packs the same as Microsoft, or do they essentially represent "bundles" of patches, because on MS you have say 2/3 service packs per lifecycle, but endless security patches in between those service packs.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39888764
>> the ".0.0" indicate no service packs have ever been applied <<

Yes, if that's indeed the output of oslevel -s then there wasn't any maintenance level (let alone service pack) applied ever.

Moreover, you're on a level which didn't yet know about build dates or service packs. This was the case with AIX 5.3 before maintenance level 1, means: with the very, very first 5.3 shipment. As far as I know this shipment was accompanied by a second CD set containing required maintenance (i.e. ML 1). Seems you didn't even install this accompanying service (a real malpractice, by the way).

You can check with

instfix -i | grep AIX_ML

if your system knows about any maintenance levels besides "5.3.0.0", but I really don't think so.

Run

instfix -i | grep "SP "

to check for service packs.

>> you could say its missing 2 service packs and endless security patches.  <<

No need to ponder on this. It's not missing some selected service packs, it's missing all service packs!

To get this system to a somewhat reliable state you will have to install all MLs/TLs, from "1" to let's say "12" - one after the other with no intervening gaps allowed (remember, MLs/TLs are not cumulative!)

Your 6.1 doesn't look any better. It's also the initial release. Here, too, we had a "required maintenance" CD in the shipment (TL 0 !), which had to be applied immediately after installation (thus the term "required maintenance").

Didn't you ever use your machines for production?

What Microsoft call "Service Pack" is a "Technology Level" in AIX. Intermediate patches are bundled to "Service Packs", and urgent security fixes are called "Emergency Fix" and are handled separately (There is a selection option for these in Fix Central).
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39888831
Addendum:

"instfix -i | grep AIX_ML" on a "recent" AIX 5.3 must look like this:
    All filesets for 5.3.0.0_AIX_ML were found.
    All filesets for 5300-01_AIX_ML were found.
    All filesets for 5300-02_AIX_ML were found.
    All filesets for 5300-03_AIX_ML were found.
    All filesets for 5300-04_AIX_ML were found.
    All filesets for 5300-05_AIX_ML were found.
    All filesets for 5300-06_AIX_ML were found.
    All filesets for 5300-07_AIX_ML were found.
    All filesets for 5300-08_AIX_ML were found.
    All filesets for 5300-09_AIX_ML were found.
    All filesets for 5300-10_AIX_ML were found.
    All filesets for 5300-11_AIX_ML were found.
    All filesets for 5300-12_AIX_ML were found.

I assume your system will show

    All filesets for 5.3.0.0_AIX_ML were found.

"instfix -i | grep AIX_ML" on a "recent" AIX 6.1 must look like this:

    All filesets for 6100-00_AIX_ML were found.
    All filesets for 6100-01_AIX_ML were found.
    All filesets for 6100-02_AIX_ML were found.
    All filesets for 6100-03_AIX_ML were found.
    All filesets for 6100-04_AIX_ML were found.
    All filesets for 6100-05_AIX_ML were found.
    All filesets for 6100-06_AIX_ML were found.
    All filesets for 6100-07_AIX_ML were found.
    All filesets for 6100-08_AIX_ML were found.
    All filesets for 6100-09_AIX_ML were found.
    All filesets for 6.1.0.0_AIX_ML were found.

I assume your system will show

    All filesets for 6.1.0.0_AIX_ML were found.

Right?
0
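Because the comments above state that MLs/TLs are not cumulative and must be applied without gaps, the `instfix -i | grep AIX_ML` listing can be checked for missing levels automatically. This is an added example, not code from the thread: `missing_levels` and `sample_output` are hypothetical names, the sample listing is constructed, and the highest expected level is passed in by the caller (12 for 5.3 and 09 for 6.1 are the values quoted in this thread).

```shell
#!/bin/sh
# Added example (not from the thread): find gaps in the ML/TL chain.
# Usage: instfix -i | grep AIX_ML | missing_levels RELEASE HIGHEST
# Prints the missing levels on one line, or "none".
missing_levels() {
    awk -v rel="$1" -v top="$2" '
        # Only a line reporting a complete level counts as installed;
        # any other wording for a level leaves it marked as missing.
        /^[ \t]*All filesets for / {
            split($4, p, "[-_]")        # 5300-07_AIX_ML -> 5300 07 AIX ML
            if (p[1] == rel && p[2] ~ /^[0-9][0-9]$/)
                have[p[2] + 0] = 1
        }
        END {
            out = ""
            for (i = 1; i <= top; i++) {
                if (i in have) continue
                sep = (out == "" ? "" : " ")
                out = out sep sprintf("%s-%02d", rel, i)
            }
            print (out == "" ? "none" : out)
        }'
}

# Constructed sample listing: base level plus ML 01, 02 and 04 complete,
# ML 03 only partially installed.
sample_output() {
    cat <<'EOF'
    All filesets for 5.3.0.0_AIX_ML were found.
    All filesets for 5300-01_AIX_ML were found.
    All filesets for 5300-02_AIX_ML were found.
    Not all filesets for 5300-03_AIX_ML were found.
    All filesets for 5300-04_AIX_ML were found.
EOF
}

sample_output | missing_levels 5300 6
```

For a host that reports only the dotted base level, every level from 01 up to the chosen maximum is listed as missing.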
 
LVL 3

Author Comment

by:pma111
ID: 39889567
Thanks again. Aside from the obvious security related issues in not applying service packs and technology levels, what other risks are posed by not keeping the system up to date? We work in risk as opposed to IT but some examples of risks posed by not applying updates would be most useful in trying to convince IT to review their current procedures in this area.
0
 
LVL 3

Author Comment

by:pma111
ID: 39889605
I'll try those commands tomorrow
0
 
LVL 3

Author Comment

by:pma111
ID: 39889733
And do IBM only release patches to AIX IBM systems if they are at a given technology level? And if so where can you see which technology level is supported? For example older service packs of Windows Server won't be eligible for new patches, therefore staying on an old SP is a security issue in itself.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39889846
AIX TLs usually contain new features, performance or usability improvements - why forego something you paid for?

Some examples of risks?

Well, no software is error free. "Every non trivial program has at least one bug" (Murphy's computer law #8).

I saw an AIX 5.3 run for months until all of a sudden the init process began to eat up all CPU. I saw a memory leak in syncd, which didn't show up before the process had run for half a year. I saw NFS mounts break due to some (allowed) change in the network - consequence of an OS bug.

There are many such more or less important bugs in every OS, where some people never get punched with and some people get affected immediately or maybe after months - it's all a matter of fine-grain configuration/workload/infrastructure differences etc.

Better stay on the bright side and apply at least the TL updates.

Apply SPs if you're directed by IBM to do so in order to fix an issue on your side, or if new software requires a certain SP level - or if there's spare time, of course.

Stay informed on the availability of security patches, apply them if you think you're affected.

IBM have a notification system for security bulletins, but also for regular updates, hints and tips and more:

http://www-01.ibm.com/software/support/einfo.html

https://www-947.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=listAvailableSubscriptions

(IBM ID required)

Try it, you'll be astonished at the amount of activity shown at good ol' Big Blue.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39889874
To your last question:

>> do IBM only release patches to AIX IBM systems if they are at a given technology level? <<

Well, I tried to explain just such things above, but it seems that I can't phrase them clearly enough, sorry.
So I'd really be glad if you could actually study the publications about IBM's service/update strategy whose links I posted.
They're really informative and maybe you'll find more and better answers there.
But, of course, don't hesitate to ask for more assistance  if the mentioned information doesn't seem sufficient anyway.
0
 
LVL 3

Author Comment

by:pma111
ID: 39889890
Just to wrap up, if your version says 6.1.0.0, is this build completely irrelevant of security patches? Or would security patches be included in the service packs, therefore if SPs are missing, you're missing security patches?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39892386
Both.

There are emergency fixes which would fit into several levels. There is no way around reading the patch descriptions in such a case.

SPs belong to a particular TL. So if you're on TL 0 (i.e. no TL applied) you can only install SPs for TL 0, if you're on TL 1 you can only install SPs for TL 1, if you're on TL 2 you can only install SPs for TL 2 ...

Moreover, if you just went to let's say TL 2 and want to install an SP for this level but you have already installed an SP while still on TL 1 with a higher build date than the one for TL 2 you cannot install this SP for TL 2, to avoid possible regressions. This is a rare case, but it happens. And in almost every case there is already a higher SP available which you can use.

If SPs are missing you're missing security patches - yes, at least in most cases. I can't remember an SP which didn't contain security patches, but it's a remote possibility nonetheless.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39901301
Did you notice that the link posted by "trappa01" points to one of my EE contributions, which, moreover, was an answer to one of your previous questions?

Rating my solution as "assisted" hence seems a bit strange, to say the least.
0
 
LVL 5

Expert Comment

by:Dave Gould
ID: 39901379
As much as I appreciate the points, I must admit that woolmilkporc is right.
Having said that, I have spent ages helping other people out only to find that the points were given to somebody else that merely repeated what I said.
If there is a way to redistribute, then I have no qualms about losing the points I gained on this question.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39901419
@trappa01,

I don't care too much for the points, but I think "assisted" is just an inappropriate rating here.

Let's wait a bit, perhaps pma111 has something to say ...
0
 
LVL 3

Author Comment

by:pma111
ID: 39901430
Sorry, genuine mistake, how can I reassign the points?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39901486
Please click "Request Attention" and explain your concern!
0
