New AIX and Availability Enhancements

Rob McNelly shares recent IBM news and notifications, including virtualization enhancements and security alerts

In November IBM announced AIX and availability enhancements that are available as of Dec. 5:

“The IBM AIX operating system is an open standards-based UNIX operating system that has been the foundation of mission-critical workloads and databases for tens of thousands of customers for over 39 years. AIX provides an enterprise-class IT infrastructure that delivers the reliability, availability, performance, and security that is required for organizations to be successful in a global economy. Now, IBM offers the following updates and enhancements to the AIX operating system and products that include AIX:

• IBM AIX 7.3 TL4
• IBM AIX 7.2 TL5 SP11
• IBM AIX 7 Enterprise Edition 1.14
• IBM PowerHA SystemMirror Standard Edition for AIX 7.2.10
• IBM PowerHA SystemMirror Enterprise Edition for AIX 7.2.10
• IBM VM Recovery Manager DR 1.9 SP1
• IBM VM Recovery Manager HA 1.9 SP1

“Respond faster to business demands:

• AIX network throughput and scalability are improved on multi-core LPARs, enabling more efficient handling of high packet rates.
• AIX BPF performance has been enhanced to scale better with multi-queue network drivers, reducing the overhead -observed during tcpdump or libpcap application usage, in network throughput.
• AIX 7.3 TL4 introduces a tech preview for NVMe over TCP storage connectivity with physical networking assigned to the LPAR. Clients and storage vendors are encouraged to perform testing activities.
• AIX 7.3 TL4 adds support for a maximum of 256 cores and 2048 HW threads per LPAR.

“Maximize availability and reliability:

• The LKU blackout time, where applications are suspended, is generally reduced for workload environments with multiple volume groups and 50 or more mounted filesystems. Depending on LPAR configurations, blackout time may be reduced by up to 70% compared to AIX 7.3 TL1.
• Overall LKU update performance is improved for shorter LKU completion times. Reductions of up to 50% are possible compared to AIX 7.3 TL1.
• The accuracy of LKU estimates for total LKU time and blackout is improved.
• With AIX 7.3 TL4, AIX Live Library Update is now supported for use in production environments.
• Now the perfpmr tool is included with AIX and installed by default.
• AIX physical volume encryption is now compatible with AIX Live Kernel Update.
• Path fail-over times with redundant fiber channel configurations are reduced for activities such as VIOS maintenance and adapter microcode updates.”

IBM also provided a list of open source-based programs included with AIX that have been updated to newer versions:

• OpenSSL 3.0.16
• OpenSSH 9.9p2
• ksh93 u+m-1.0.10
• rpm 4.20.1
• bash 5.2.37
• libxml2 2.13.8
• tcl/tk 8.6.16
• rsync 3.4.1
• tmux 3.5a

In addition:

• AIX 7.3 TL4 adds rsync as an included program.
• Python3.11 will become the default python3 version with AIX 7.3 TL4.
• The ping command is enhanced to optionally display the latency in microseconds instead of milliseconds. Another option is included to send the ping requests at a higher frequency, and this can be useful to detect issues in network.
• The LLDB (LLVM community’s Low Level Debugger) is now available for AIX, offering source-level debugging support for applications compiled with IBM Open XL C/C++. LLDB is available as web download package from the AIX web download site (IBM registration required).
• The invscout command with the -e U option will now use Call Home Connect Cloud (CHCC) to automatically download and upgrade the microcode for I/O adapters.
• Unicode 16.0 support has been enhanced to support up to 154,998 characters for a total of 161 scripts.

Active enforcement is another new feature:

“On IBM Power10 and later systems AIX adds active enforcement as part of Software Maintenance Agreement (SWMA) validation during AIX update and migration operations. The AIX Update Access Key (UAK), which includes the SWMA expiration date, is used to verify entitlement. If the AIX image build date is later than the UAK expiration date, updates or migrations will be blocked, even when upgrading from earlier AIX versions. However, fresh installations are not subject to this enforcement and will proceed regardless of UAK status.”

For as much as I’ve shared here, there’s plenty more. So read the whole thing.

Virtualization Enhancements

IBM has also come out with virtualization enhancements:

“IBM PowerVM Virtual I/O Server (VIOS) 4.1.2

Enhancements for improved Availability, Performance, Security, RAS:
vNIC failover / failback improvements
Bypass Port Level Validation in LPM
Virtual FC (NPIV): Faster failover, performance improvements, RAS, and diagnostic enhancements

“IBM PowerVM Hypervisor FW1110.10

Security, RAS, Virtual I/O enhancements:
Hardened communication channel between HMC and AIX operating system (LPAR)
SR-IOV: LLDP enhancements
Support of auto-provisioning vTPM signed endorsement key certificate”

“IBM Power Hardware Management Console (HMC), and the virtual HMC (vHMC) V11.1.1111

Hardened communication channel between HMC and LPAR / OS
Automated System Maintenance: LPM evacuate one-to-many (multiple target systems)
SR-IOV: LLDP enhancements
New I/O adapter and I/O drawer support”

Again, there’s much more, so check the link for details.

Dealing With a Script Error, Enabling Remote Management

I’m grouping these two tips together since both require IBM registration to access the information.

1) Here’s how to deal with a prereqrrl script error (IJ56610):

IJ56610: AIXPERT PREREQRRL SCRIPT ERROR : !=: NOT FOUND
APAR status
OPEN
Error description
A syntax error in /etc/security/aixpert/bin/prereqrrl will be fixed.
Local fix
Edit the file /etc/security/aixpert/bin/prereqrrl
The first and last quotes lines 35,36 must be removed :
     35  userlist=’$(lsuser -a rlogin account_locked shell
ALL|grep “.*rlogin=true account_locked=false shell=.*sh$”
    36  awk ‘$1 != “root” && $1 != “guest” {print $1}’)’
To:
    35  userlist=$(lsuser -a rlogin account_locked shell
ALL|grep “.*rlogin=true account_locked=false shell=.*sh$”
|\
    36  awk ‘$1 != “root” && $1 != “guest” {print $1}’)

2) Here’s the fix for enabling remote management on the network installation management (NIM) server:

IJ56712: REMOTE_MANAGEMENT FAILS IF NIM SSL ENABLED ON NIM MASTER
APAR status
OPEN
Error description
The VIOS remote_management command fails if the NIM_SSL_STATUS is enabled on the NIM master server.
Local fix
Use niminit with -c option under the oem_setup_env.

Security Alerts on Vulnerabilities in NIM, Python

IBM recently noted vulnerabilities in AIX that “could allow a remote attacker to execute arbitrary commands (CVE-2025-36251, CVE-2025-36250), obtain Network Installation Manager (NIM) private keys (CVE-2025-36096), or traverse directories (CVE-2025-36236). These vulnerabilities are addressed through the fixes referenced as part of this bulletin. These vulnerabilities are exploitable only when an attacker can establish network connectivity to the affected host.”

In addition, vulnerabilities exist “in Python used by AIX (CVE-2025-59375, CVE-2024-47081, CVE-2025-6965, CVE-2024-5642). Python is used by AIX as part of Ansible node management automation.”

Power11 Performance Best Practices

Here’s a handy checklist of Power11 Performance Best Practices. The second page of the PDF includes links to other best practices around Power, IBM i, AIX and VIOS, Java, advisor tools, and more.

Tracerout Configuration

Here’s a Q&A from IBM Support on traceroute. Learn why traceroute shows different results for two AIX servers that have the same network configuration and AIX level.

Checking in With Nigel

Finally, here’s Nigel Griffiths on LinkedIn:

“Are you missing a nmon Performance Graphing trick? 1,000 times in the last 9 months, nmon users have created browser-based performance graphs via the “nmonchart live and online service” at -> https://mr-nmon.com –> Take the link: nmonchart graphing online Upload an nmon file and 2 seconds later, you have dozens of graphs.”

---