Illumio Install, Configure, and Upgrade Guide 24.2.20

AIX: Install and Upgrade with CLI and VEN CTL

The following topic describes how to install and upgrade the AIX VEN by using packaging technology commands and the VEN CTL.

Limitations and Considerations
General
  • AIX 5.3 is not supported.

    See VEN OS Support and Package Dependencies for the list of supported operating systems for AIX VENs.

  • AIX native IPsec is not supported while the VEN is installed.

  • The AIX VEN does not support SecureConnect and SecureConnect Gateway.

  • The following directories must be present on the AIX host or the AIX VEN installation will fail. These directories are commonly present on AIX hosts.

    • /var/lib

    • /var/log

  • By default, the AIX VEN is installed in the following directories:

    • /opt/illumio_ven

    • /opt/illumio_ven_data

    Installing the AIX VEN in a custom directory is not supported. Do not change the default installation directory for the AIX VEN or the AIX VEN installation will fail.

Configuration Options for CA Bundle and CA DIR

Note

The options trusted_ca_bundle and trusted_ca_dir in runtime_env.yml are no longer used.

Core 22.2 introduced new options for configuring the CA bundle or CA directory it uses to verify the PCE TLS certificate. You can specify the new options in the /etc/default/illumio-agent file. The options are:

  • TRUSTED_CA_BUNDLE can point to a specific certificate bundle. For example:

    TRUSTED_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt

  • TRUSTED_CA_DIR can point to a directory containing certificates. For example:

    TRUSTED_CA_DIR=/etc/ssl/certs

IPFilter
  • Illumio provides a custom IPFilter package for managing the packet filtering rules. Before you install the AIX VEN, install the Illumio-provided IPFilter package.

    Caution

    You must use the Illumio customized IPFilter package with the AIX VEN. Do not use IBM's IPFilter package or the AIX VEN will not function correctly.

  • Do not change packet filtering with genfilt, mkfilt, or other such network tools while the VEN software is installed.

  • The AIX system firewall's state table limit is 65,536 entries. When that limit is reached, IPFilter drops packets. If you anticipate a high number of network connections, configure higher limits in the IPFilter state table. See "Tuning the IPFilter State Table (AIX/Solaris)" in the VEN Administration Guide.

Change Default Username Before Installation

Before installing the VEN on AIX, you can set an environment variable to change the username that owns the non-privileged portions of the installed software. The privileged portions of the installed software are always owned by root, and the software can only be run as root.

Environment Variable   Description

VEN_NONPRIV_USER       Existing username to override the default username ilo-ven. The group used is the existing primary group of the specified user.

Boot Scripts Installed at VEN Installation

As part of installation, the VEN creates RC scripts (“run commands”) in /etc/rc3.d to start the VEN at boot.

Illumio Support for IPFilter

IBM has discontinued support and development of IPFilter and has put IPFilter on GitHub as an open source project. Consequently, Illumio provides its own version of IPFilter for the Illumio AIX VEN version 17.1.2 and later.

Note

Illumio supports only its provided version of IPFilter. We do not support installing the AIX VEN with the OEM version of IPFilter. Before installing the AIX VEN, you must install the Illumio-provided IPFilter package.

Illumio supports its version of IPFilter in the following ways:

  • The Illumio IPFilter package will not be made public. Permissive licensing of IPFilter does not require that modifications of open source software be made public.

  • Illumio can provide IPFilter source code patches for bug-fixes and improvements on request to your Illumio representative.

Download AIX VEN Tar File and IPFilter Package

Download the VEN Packages tar file from the Illumio Support site. The tar file contains the AIX VEN in Backup File Format (BFF) format.

Additionally, you must download the Illumio-provided IPFilter package from the Illumio Support site. The VEN package does not contain the required Illumio-provided IPFilter package.

To download the AIX VEN files:

  1. Go to the Illumio Support site (login required).

  2. Select Software > Download under the VEN section > the VEN version.

    The Download VEN page appears. The page contains two tables: “VEN” and “Other”.

  3. In the VEN Packages row of the VEN table, click the filename for the VEN tar file.

  4. In the Other table, click the AIX IPFilter filename (ipfl.5.3.0.5002.bff) to download the Illumio-supported IPFilter 5.3.0.5002 package.

Upgrade to Illumio IPFilter

This procedure describes how to perform either of these tasks:

  • Upgrade from the IBM IPFilter package to the current Illumio IPFilter 5.3.0.5002 package

  • Upgrade from the previous version of the Illumio IPFilter 5.3.0.5001 package to the current 5.3.0.5002 package

The steps in this procedure apply to both of these IPFilter upgrades except for step #4, which applies only when upgrading from IBM IPFilter to the Illumio IPFilter 5.3.0.5002 package.

To upgrade to Illumio IPFilter:

  1. Download the Illumio-supplied IPFilter package. See Download AIX VEN Tar File and IPFilter Package.

  2. Stop the VEN if it's running:

    illumio-ven-ctl stop

  3. Stop the IBM ipf kernel extension using the following command:

    /lib/methods/cfg_ipf -u

    Note

    In some cases, there may be multiple instances of ipf. Confirm that no instances remain by running the stop command above repeatedly until it returns "no such device".

    If the command fails with the error "Device Busy", reboot the system before continuing with these steps.

  4. [For Upgrades from IBM IPFilter Only] If IBM iFIX or ipfl is installed on the host, uninstall them. (In an earlier release, Illumio had recommended installation of some iFIXes.)

    Note

    Depending on your installed AIX version, you might have installed iFIX version IV89793s5a or IV89793s3a. Neither version is needed; remove whichever one is installed on your AIX server with the appropriate emgr command. The following command uninstalls only version IV89793s5a.

    emgr -r -L IV89793s5a.161102.epkg.Z

  5. Change directory to where you downloaded the AIX VEN and the IPFilter package.

  6. Upgrade the version of IPFilter with the Illumio custom IPFilter:

    inutoc . && installp -acYd . ipfl

  7. Proceed to installing or upgrading the AIX VEN.

Install the AIX VEN

  1. Download the VEN package from the Illumio Support site. See Download AIX VEN Tar File and IPFilter Package.

  2. Log in to the AIX host and become superuser.

  3. If necessary, upgrade IPFilter on the AIX host to Illumio's custom IPFilter. See Upgrade to Illumio IPFilter.

    Important

    You must upgrade to Illumio's custom IPFilter before installing the AIX VEN.

  4. Copy your trusted root CA certificate to the following path, using the filename ca-bundle.crt. The path must be exactly as shown.

    /var/ssl/certs/ca-bundle.crt

  5. Make ca-bundle.crt world-readable:

    # chmod 644 /var/ssl/certs/ca-bundle.crt

  6. Install the VEN package on the AIX host by entering the following commands, where <path_to_bff_file> is the directory where you copied the AIX VEN BFF file:

    # inutoc <path_to_bff_file>
    # installp -acXgd <path_to_bff_file> illumio-ven

AIX VEN installation is complete. The next step is Activate AIX VEN After Installation.

Optional: If you anticipate a high number of network connections, you can configure higher limits in the IPFilter state table. See "Tuning the IPFilter State Table (AIX/Solaris)" in the VEN Administration Guide.
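As an added example (not Illumio's code and not part of this guide), the following POSIX shell script checks the pre-install requirements stated above before you run installp: the /var/lib and /var/log directories exist, /var/ssl/certs/ca-bundle.crt is present, world-readable (mode 644) and contains a PEM certificate, and any TRUSTED_CA_BUNDLE or TRUSTED_CA_DIR set in /etc/default/illumio-agent points at an existing file or directory. The file name ven-preflight.sh, the --run flag and the ROOT prefix argument are the example's own conventions; it assumes /etc/default/illumio-agent holds simple KEY=value lines.

```shell
#!/bin/sh
# Added example, not Illumio's code: pre-install checks for the AIX VEN, built
# from the requirements this page states. Each check takes a ROOT prefix
# (default "/") so it can be pointed at a constructed directory tree.
# Assumed: the /etc/default/illumio-agent file uses simple KEY=value lines.

REQUIRED_DIRS="/var/lib /var/log"                 # must exist or install fails
CA_BUNDLE_PATH="/var/ssl/certs/ca-bundle.crt"     # exact path required by step 4
AGENT_DEFAULTS="/etc/default/illumio-agent"       # holds TRUSTED_CA_BUNDLE/DIR

# check_required_dirs ROOT: 0 if every required directory exists under ROOT.
check_required_dirs() {
  root=${1:-/}; root=${root%/}
  rc=0
  for d in $REQUIRED_DIRS; do
    if [ -d "$root$d" ]; then
      echo "ok:      $d present"
    else
      echo "MISSING: $d (AIX VEN installation will fail)"
      rc=1
    fi
  done
  return $rc
}

# check_ca_bundle ROOT: 0 if the CA bundle exists, is world-readable and is PEM.
check_ca_bundle() {
  root=${1:-/}; root=${root%/}
  f="$root$CA_BUNDLE_PATH"
  if [ ! -f "$f" ]; then
    echo "MISSING: $CA_BUNDLE_PATH (copy the trusted root CA bundle there)"
    return 1
  fi
  # The others-read bit is column 8 of the ls -l mode string, e.g. -rw-r--r--.
  if [ "$(ls -ld "$f" | cut -c8)" != r ]; then
    echo "NOT WORLD-READABLE: $CA_BUNDLE_PATH (chmod 644 $CA_BUNDLE_PATH)"
    return 1
  fi
  if ! grep -q 'BEGIN CERTIFICATE' "$f"; then
    echo "NOT PEM: $CA_BUNDLE_PATH contains no certificate block"
    return 1
  fi
  echo "ok:      $CA_BUNDLE_PATH present, world-readable, PEM"
}

# check_ca_config ROOT: 0 if every TRUSTED_CA_* path set in the agent defaults
# file exists under ROOT (the file itself is optional).
check_ca_config() {
  root=${1:-/}; root=${root%/}
  f="$root$AGENT_DEFAULTS"
  if [ ! -f "$f" ]; then
    echo "info:    $AGENT_DEFAULTS absent; no TRUSTED_CA_* override configured"
    return 0
  fi
  rc=0
  for key in TRUSTED_CA_BUNDLE TRUSTED_CA_DIR; do
    # Last assignment wins, as when the shell sources the file; strip quotes.
    val=$(sed -n "s/^[[:space:]]*$key=//p" "$f" | tail -n 1 | tr -d "\"'")
    [ -n "$val" ] || continue
    case $key in
      TRUSTED_CA_BUNDLE) kind=file;      test -f "$root$val" && ok=1 || ok=0 ;;
      TRUSTED_CA_DIR)    kind=directory; test -d "$root$val" && ok=1 || ok=0 ;;
    esac
    if [ "$ok" = 1 ]; then
      echo "ok:      $key=$val ($kind exists)"
    else
      echo "BROKEN:  $key=$val is not an existing $kind; the VEN cannot verify the PCE certificate with it"
      rc=1
    fi
  done
  return $rc
}

# preflight_all ROOT: run every check and return 0 only if all of them pass.
preflight_all() {
  failures=0
  check_required_dirs "$1" || failures=$((failures + 1))
  check_ca_bundle "$1"     || failures=$((failures + 1))
  check_ca_config "$1"     || failures=$((failures + 1))
  if [ "$failures" -eq 0 ]; then
    echo "PREFLIGHT PASSED"
    return 0
  fi
  echo "PREFLIGHT FAILED: $failures check(s) failed"
  return 1
}

# Run against the live host: sh ven-preflight.sh --run   (or --run /alt/root)
case "${1:-}" in
  --run) preflight_all "${2:-/}"; exit $? ;;
esac
```

Run it as root on the AIX host with sh ven-preflight.sh --run; a non-zero exit status means at least one requirement is unmet, and the messages name the missing directory, file permission or CA path to fix. It deliberately does not check the installation directory, because the VEN supports only the default /opt/illumio_ven and /opt/illumio_ven_data paths.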

Activate AIX VEN After Installation

Important

If you're using the GRE and IPIP protocols, before activating the VEN on AIX, edit the file in the /etc/protocols directory to support the GRE and IPIP protocols. If the GRE and IPIP protocol lines are commented out, un-comment them.

After installing the VEN package on the AIX host, activate the VEN. Use the Illumio VEN control script (illumio-ven-ctl) with the activate option to activate the workload and pair the AIX VEN with the PCE.

To activate the AIX VEN using the VEN control script, you need at a minimum the hostname or IP address of the PCE and an activation code (called a pairing key in the PCE web console) generated from a pairing profile. You can also pass other available options, such as the workload policy state, label assignment, workload name, and more.

For information about obtaining an activation code from the PCE web console, see “Pairing Profiles” in the Security Policy Guide.

The command syntax is:

# /opt/illumio_ven/illumio-ven-ctl activate --management-server <pce_fqdn:port> --activation-code <code>

For example:

# /opt/illumio_ven/illumio-ven-ctl activate --management-server pce.example.com:8443 --activation-code <code>
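
The /etc/protocols check from the Important note above, as an added example (not Illumio's code and not part of this guide): it reports whether the gre and ipip entries are active, commented out or absent, and can print an un-commented copy of the file for review before you replace the original. The file name check-protocols.sh, the --run flag and the FILE argument are the example's own conventions; it assumes the entries use the lowercase names gre and ipip.

```shell
#!/bin/sh
# Added example, not Illumio's code: confirm that /etc/protocols carries active
# (uncommented) entries for GRE and IPIP before the VEN is activated, as the
# note above requires. FILE is a parameter so the check can run on a copy.
# Assumed: entries use the lowercase names gre and ipip, as AIX ships them.

# protocols_entry_state FILE NAME: prints active, commented or absent.
protocols_entry_state() {
  file=$1; name=$2
  # An active entry has the name as the first field of an uncommented line.
  if grep -i -q "^[[:space:]]*$name[[:space:]]" "$file"; then
    echo active
  elif grep -i -q "^[[:space:]]*#[[:space:]]*$name[[:space:]]" "$file"; then
    echo commented
  else
    echo absent
  fi
}

# check_protocols FILE: 0 only if both gre and ipip are active entries.
check_protocols() {
  file=${1:-/etc/protocols}
  rc=0
  for p in gre ipip; do
    st=$(protocols_entry_state "$file" "$p")
    case $st in
      active)    echo "ok:        $p entry active" ;;
      commented) echo "COMMENTED: $p entry is commented out; un-comment it before activating"; rc=1 ;;
      absent)    echo "ABSENT:    $p has no entry in $file"; rc=1 ;;
    esac
  done
  return $rc
}

# uncomment_protocols FILE: write a copy of FILE to stdout with the gre and
# ipip entries un-commented, so the change can be reviewed before it is
# applied to /etc/protocols.
uncomment_protocols() {
  sed -e 's/^[[:space:]]*#[[:space:]]*\(gre[[:space:]]\)/\1/' \
      -e 's/^[[:space:]]*#[[:space:]]*\(ipip[[:space:]]\)/\1/' "$1"
}

# Usage: sh check-protocols.sh --run [FILE]
case "${1:-}" in
  --run) check_protocols "${2:-/etc/protocols}"; exit $? ;;
esac
```

A non-zero exit status from sh check-protocols.sh --run means at least one of the two entries is not active; uncomment_protocols /etc/protocols > /tmp/protocols.new produces the corrected copy for inspection, and only the GRE and IPIP lines differ from the original.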

Upgrade the AIX VEN

Important

Illumio strongly recommends that you upgrade VENs only during maintenance windows.

Note

If the VEN was activated prior to the upgrade, it does not need to be activated again after the upgrade completes.

For the supported upgrade paths for the AIX VEN, see Upgrade VEN on the Illumio Support portal (login required).

  1. Download the new version of the VEN package from the Illumio Support site. See Download AIX VEN Tar File and IPFilter Package.

  2. If necessary, upgrade the Illumio-supported IPFilter package to version 5.3.0.5002.

    If you are upgrading the AIX VEN from an earlier release, such as 17.1.x, you might be running the Illumio-supported AIX IPFilter package version 5.3.0.5000. See Upgrade to Illumio IPFilter.

  3. Stop the VEN if it's running:

    illumio-ven-ctl stop

  4. Upgrade the VEN package on the AIX host by entering the following commands, where <path_to_bff_file> is the directory where you copied the new version of the AIX VEN BFF file:

    # inutoc <path_to_bff_file>
    # installp -acXgd <path_to_bff_file> illumio-ven