EMC Clariion array - using powerpath vs pvlinks

I think I've found the answer to whether or not we should use Pvlinks when configuring our volume groups in HP-UX - the answer being no.  It's only recommended to use alternate links when booting from a storage array, which we don't do on any of our HPUX hosts.

From the powerpath admin guide:

EMC recommends using LVM alternate links (PVLinks) when you
boot from a storage system. If the primary path fails, an automatic
switch to the alternate path occurs. If PowerPath is not installed,
using alternate links increases availability in the event of hardware
PowerPath uses alternate links as part of its boot/root failover
strategy, but not for load balancing, path prioritization, or other
PowerPath-related reasons. Thus, EMC recommends that you use
LVM alternate links when booting from a storage system. Otherwise,
EMC recommends disabling PVLinks when using PowerPath.


powerpath check force: "Cannot remove device that is in use"

removing some ports on a clariion on a HP-UX host running service guard, I received the following:
$ powermt check force
Warning: CLARiiON device path c13t2d3 is currently dead.
Cannot remove device that is in use: c13t2d3

Powerpath is pretty darn smart; the last port 0 linked to a disk device was part of the same lvm volume group as one of my cluster lock disks.  It wasn't even listed in as the lock disk for my cluster (in the cluster ascii file), but it was in the same volume group that the lock disk was in.

I had to stop the cluster services on the node, then powerpath allowed me to remove the connection.  This node of the cluster is currently the failover node, so I was able to bring er down without any impact.

HP codewords

codewords used for optional additional pay software in  HP-UX are stored  here in the following format:



#CD_part_number Customer_Id IdType Codeword

manuall set speed and duplex during ignite

set speed and duplex for ignite, instead of relaying on auto-Negotiation:


vgscan not working / ignite not recreating volume groups

I encountered a problem the other day with ignite not recreating the volume groups properly - it was caused by a component of service guard that was stuck on that machine.  For some reason (maybe because serviceguard was once installed on the box), the file /dev/slvmvg (serviceguard file for shared volume groups) also prevented vgscan from working.  Once I removed the file, vgscan created the volume groups without a problem.


gig card on hp-ux 11.00 doesn't keep speed/duplex setting

A 1000Base-T card in an 11.00 box was giving me grief.  the switch port was set to 100 full duplex, but the card kept staying at AUTO even though the speed/duplex was changed via sam and verified in the /etc/rc.config.d/hpgelanconf file; that, of course, cause collisions and a bunch of network errors because the card negotiated 100 half duplex.  There's a patch that fixes the issue:  28995   make sure the config file has the speed and duplex value in uppercase:



swinstall and rpc exception communications error

error when doing an swinstall:
       * Beginning Selection
ERROR:   RPC exception: "Communications failure (dce / rpc)" 11/24/06
         17:27:01 PST
ERROR:   A Remote Procedure Call to a daemon has failed.  Could not
         start a management session for "myhost:/".  Make sure the host
         is accessible from the network, and that its daemon, swagentd,
         is running.
       * Target connection failed for "myhost:/".
ERROR:   More information may be found in the daemon logfile on this
         target (default location is myhost:/var/adm/sw/swagentd.log).
       * Selection had errors.

fix by restarting swagentd:
/sbin/init.d/swagentd stop
/sbin/init.d/swagentd start


mkboot complains about logical volumes when none exist

$ mkboot /dev/dsk/c2t6d0
There appear to be non-boot logical volumes on this device.
Overwriting them could destroy all the data on this device
Should the logical volumes be overwritten [y/n]? y

because PV isn't marked as bootable.   pvcreate -B /dev/dsk/c2t6d0
PV belongs (or thinks it does) to a volume group already.  (tread lightly here!):
Fix by using the -f (force) option:  pvcreate -Bf /dev/dsk/c2t6d0 


upgrade vxfs online

update version 3 veritas JFS file system to version 4

vxupgrade -n 4 /mount_point

vxfsconvert -- offline version or to convert an HFS


my favorite vim settings

my vimrc is customized with these, my favorite settings and options for vim / gvim:

set ic
colorscheme torte
set nobackup
set showmatch


dmisp daemon on HP-UX hogging CPU

It's no longer used much anymore and there's a bug in it which will cause it to consume tons of cpu on the system.  Turn it off:

ps -ef | grep -i dmisp
/sbin/init.d/Dmisp stop
ch_rc -l -p START_DMI ; ch_rc -a -p START_DMI=0 ; ch_rc -l -p START_DMI


Google Toolbar shortcut - firefox 2

Customize Firefox (2), remove the History menu so that the google toolbar shortcut key will work. If the history menu is present, it overrides the keyboard shortcut for the google toolbar focus (alt - s). Use the instructions here: Geek to Live: Consolidate Firefox's chrome - Lifehacker

The History Menu used to be called the "go" menu, so use the #go-menu keyword



NFS / PCNFS / Hummingbird Maestro problems

NFS maestro PCNFS mounts on PC doesn't work for user. (invalid username or password)    UID of user is too big.  Either change the UID to less than 60002 or uidrange needs to be added to the pcnfsd.conf file.

    If your PC NFS client software is assigning user IDs smaller than 101 or greater than 60002, set the uidrange in the /etc/pcnfsd.conf file to allow access to a different range of user IDs, as in the following example:
    cat /etc/pcnfsd.conf
    uidrange 101-9999999
    kill rpc.pcnfsd


difference between autoboot and autostart flags on HP 9000 hardware

difference between autoboot, and autostart flags in the PDC, BCH menu:

From: http://docs.hp.com/en/A7137-96003/A7137-96003.pdf (rp3410 rp3440 operations guide)

When the autostart flag is off, autoboots will be interrupted if a configuration change occurs
which causes reduced performance; thus requiring you to intervene prior to booting to the
internal system loader (ISL).
The auto boot will halt at the BCH prompt and you may continue booting by entering boot.


cron - run command last day of month

Solves the problem of running a script on the last day of the month. Put 28-31 (for days) in your crontab and put this little section in for date determination.


if test `TZ=MET-24 date +%d` = 01
exec command
exit 1

pseudo swap on HPUX

explanation of pseudo swap in hp-ux:


gmail macros

Great keyboard navigation inside gmail using a greasemonkey script.: http://persistent.info/ do a search for gmail macros (or christmas)

Here's a google group that tracks the script and has some enhanced versions: http://groups-beta.google.com/group/gmail-power-users


logins man page

HP-UX 'logins' command displays user account info.  the -x option doesn't explain the last field reported:

PS 100506 7 175 -1

the last field is the number of days before the password expires to start warning the user.  see the warn option of passwd(1) man page and passwd(4).  The warn flag only works on trusted systems, so you'll see a -1 for non-trusted systems.

Remember that the system (at least on non-trusted boxes) will round to the nearest week, Thursday to be specific.  So the report of when the passwd was last changed is not the actual day it happened, unless it happened to fall on a Thursday.


Gnome / KDE keyboard shortcuts

Linux Desktop manager: Gnome and KDE keyboard shortcuts

non-printable chars in filename

ls -al on a directory produced a "blank" file name.  to see the non-printable  character, pipe the output to more:

ls -al | more

The file show up as a DEL char (^?); so to delete or view the file do a control-v and ? for the filename.

configure HP-UX kernel


cd /stand/build
/usr/lbin/sysadm/system_prep -v -s system

make changes to the /stand/build/system file to add or remove whatever
/usr/sbin/kmsystem -S /stand/build/system -c Y driver-name

creates the /stand/build/vmunix_test
/usr/sbin/mk_kernel -s /stand/build/system

mv /stand/system /stand/system.prev
mv /stand/build/system /stand/system

updates /stand/vmunix and create a bacup /stand/vmunix -> /stand/vmunix.prev before.
/usr/sbin/kmupdate -- tells shutdown script to do the above.


determine bitness of HPUX

HP-UX 64 or 32 bit? :  getconf HW_CPU_SUPP_BITS

Sometime you need to determine this whether to install the 32 or 64 bit version of ODE.


password aging on non-trusted systems

At the end of the encrypted password you add char1, char2.
char1 is the maximum number of weeks the password is valid and
char2 is the minimum number of weeks that must pass before the password can be changed. The following is a good guide: Value # of weeks
. 0
/ 1
0-9 2-11
A-Z 12-37
a-z 38-63
so for example if you wanted a user to change their password somewhere between 11 and 2 weeks you would put ,A9. (man 4 passwd)

problem changing password on trusted system (HPUX)

Try changing password on a HP-UX trusted system and get the followin:
Password cannot be changed.  Reason: Cannot access protected password entry.

This means the auth files in /tcb are out of sync with the /etc/passwd file.  Someone may be making changes manually to the /etc/password file (like adding user acocunts), but that doesn't update or create the appropriate entries in /tcb/files/auth

check it by running the authck -p  (or pwck -s) command to verify the trusted computing base /tcb  This doesn't fix the problem, you'll have to delete (from /etc/passwd) and add again (via sam or useradd) or use the pwconv command.


HPUX trusted system

How to determine whether HP-UX system is trusted or not:
or look for /tcb


No manual entry for man

error message when trying to get standard man pages: No manual entry for XXXX

I figured out why the normal man pages don't work on some systems.  The file /etc/MANPATH overrides the MANPATH variable when /etc/profile runs.  So to fix it just add the "normal" man page locations to /etc/MANPATH:


resizing terminal and fixing

eval $(ttytype -s)
eval $(resize)    -- xterms

HP 9000 servers model numbers

Good reference to use between the 'model' command and the 'standard' name for the server model:

ITO / OVO Openview java client

HP ITO, OVO Openview Operations java client for windows, command line options:

C:\Program Files\Hewlett-Packard\HP VP Java Console>
"C:\Program Files\Hewlett-Packard\HP VP Java Console\ito_op.bat" -help
started with the server hostname as the first parameter.
You can also select from the following parameters:
 -user "username"    ... "username" for login
 -passwd "password"  ... "password" for login
 -server "hostname"  ... default server for login (same as first parameter)
 -display "hostname" ... sets display hostname for X applications
 -nowin              ... starts JavaGUI without a DOS window
 -plugin             ... starts JavaGUI as plugin
 -trace              ... enables tracing
 -nosec              ... disables secure JavaGUI
 -help               ... displays this page

My normal run string:
"C:\Program Files\Hewlett-Packard\HP VP Java Console\ito_op.bat"  -server my_server_name -nowin -user myuseraccount


fsadm - fails with error extending file system

Encountered on HP-UX 11.00:

/$ fsadm -F vxfs -b 20448M /directory
vxfs fsadm: cannot open /directory/lost+found/.fsadm - errno 2

ls /directory   --- no lost+found there.

man mklost+found

cd /directory

/directory$ mklost+found
creating slots...
removing dummy files...
drwxr-x---   2 root       sys           4096 Aug 21 09:34 /directory/lost+found

now fsadm succeeds


sendmail/mail command drop_privileges error on HP-UX

problem with HPUX sendmail, conversation and solution follows:

$ echo hi | mailx -s "test" myemail@mydomain.com
$ drop_privileges: setuid(0) succeeded (when it should not)

$ ll /usr/sbin/sendmail
-r-sr-sr-t   1 nonroot    mail       1339392 Aug 26  2004

should be owned by root:mail

$ /sbin/init.d/sendmail stop
No sendmail server running
$ /sbin/init.d/sendmail start
drop_privileges: setuid(0) succeeded (when it should not)
451 4.0.0 can not chdir(/var/spool/mqueue): Permission denied

$ chown root /usr/sbin/sendmail
$ ll /usr/sbin/sendmail
-r-sr-sr-t   1 root       mail       1339392 Aug 26  2004
$ /sbin/init.d/sendmail start
/etc/mail/aliases: 7 aliases, longest 9 bytes, 88 bytes total


how to erase disk in HP-UX

HPUX (or any *nix):

I like the concept of destorying all luns, creating a big one and doing a dd of /dev/zero over the raw disk special file.

convert dos unix format in VIM

Here's a vim tip to convert unix to dos or vice-versa.  VIM doesn't have an option in it's file / Save As dialog box.

:set fileformat=dos    or unix or mac


synergy with PCs

Interesting open source project: http://synergy2.sourceforge.net/  Synergy allows you to have multiple PCs all on each own monitor using just one keyboard and mouse.


sendmail error sending mail on HP-UX

Sending mail on hpux
/etc/mail/sendmail.cf: line 691: fileclass: can not open /etc/mail/sendmail.cw: World writable directory

The permissions on /etc are incorrect -  Changed it to the HP-UX standard 555 (r-xr-xr-x) by: chmod 555 /etc  Ran a test: echo test | mailx me@mycorp.local  Received email successfully, no error message.


X error running Openview

when running the Openview (ovw) Xclient on HPUX that's pointing to the X11 server in Cygwin (Cygwin/X), you may get the following errors:
ovw: Xt Warning: Missing charsets in String to FontSet conversion
ovw: Xt Warning: Unable to load any usable fontset

fix it by changing the startxwin.bat file to add the -fp (font server) parameter to the run line.  Point to the server that has Openview installed on it as the font server:
%RUN% XWin -multiwindow -clipboard -silent-dup-error -fp tcp/ovoserver.mycompany.com:7000


what to do about dns outages - plan ahead

What are you supposed to do when your broadband provider's DNS servers are foobarred? First, at the very least you need to know the IP of another DNS server you can point to; great one to try is OpenDNS For instance: standard cable modem - router running dhcp on the lan side. For some reason dns queries don't work, do an nslookup, queries time-out. In Windows: Since you're typically using dhcp client it's a PINA to change this via the ncpa gui, so do it through netsh.

eth0 = the name of my interface. Since most of you are lazy and don't name your connections (like a *nix admin would), your's is probably "Local Area Connection".

netsh int ip set dns eth0 static
and where the IP is a DNS server.

Server: resolver1.opendns.com

Name: resolver2.opendns.com

Recover deleted files

Another undelete/recovery tool:  http://www.z-a-recovery.com/


remote shell error on HP-UX

remsh (remote shell) into a trusted system, got this error:
remshd: Login disallowed (audit error)

Do an /usr/sbin/authck -pv
Check for duplicates in /etc/password  if duplicates are found, then remove them via vipw.


flash format screen capture

Useful for tutorials or how-to videos in that flash is install on almost all PCs out there.  Here is a description from the website: "Wink is a Tutorial and Presentation creation software, primarily aimed at creating tutorials on how to use software (like a tutor for MS-Word/Excel etc). Using Wink you can capture screenshots, add explanations boxes, buttons, titles etc and generate a highly effective tutorial for your users."



sed (text/replace) in Windows

use sed for Win32 to modify text/configuration files on the fly:


Listing open ports and associated program in HPUX

netstat in linux has the -p option for listing the
program/application/PID that is using a port. You can't list open
ports like that in HP-UX, but you can use the lsof command to list

# lsof -i tcp:200

ITRC forum link


speed up Windows XP for benchmarking

For benchmarking, and to force background processing of idle tasks:
rundll32.exe advapi32.dll,ProcessIdleTasks



pipe standard error with standard output

With the posix shell (maybe other shells like korn), to pipe not only standard output, stdout, but also standard error, stderr, use the following:

first_command 2>&1 |  next_command_in pipe

See the following:  http://www.linuxdevcenter.com/pub/a/linux/lpt/13_01.html

HP-UX EMS alerts with EMC

See the following email thread:

In HPUX, if you get serious severity alerts coming from disk_em EMS monitor on EMC disks/luns, it's because the version of OnlineDiags does not work with EMC LUNs that identify themselves as using HP03 firmware.  Can be fixed by adding the hardware paths to the EMC array in: /var/stm/data/tools/monitor/disabled_instances  like this:
Then run 'monconfig' and select 'enable monitoring' to re-read the config file.


trouble viewing EMC LUNs on HP-UX

On HPUX, using EMC Clariion CX700 and powerpath, if you can't see the LUNs just created by a storage administrator, then do the following:

/etc/ioscan -f
/etc/insf -eC disk
/sbin/powermt config
/sbin/powermt set policy=co
/sbin/powermt save
/sbin/powermt display dev=all

here's a very thorough version:
/etc/ioscan -f
/etc/insf -eC disk
/sbin/init.d/agent stop
/sbin/init.d/agent start
/opt/Navisphere/bin/navicli register
/sbin/powermt config
/sbin/powermt set policy=co
/sbin/powermt check
/sbin/powermt save
/sbin/powermt display dev=all

in some cases you may have to delete the /etc/powermt.custom before doing the powermt config command.....


error starting stm in HPUX

HP-UX 11.00 error when starting stm:

-- Error --
The UUT status file
(/var/tmp/stm27188/servername.domain.com/data/uut_status) representing the new device map from the Unit Under Test (UUT) could not be successfully loaded into memory.  The most recent device map for the Unit Under Test (UUT) could not be built successfully.  This means operations apparently available, based on this old map, may not be, and might fail. Please refer to the Map Log and/or the System Activity Log on that system for more details.

-- Information --
Aborting all open command files.

Solution: restart diagnostic daemons:
/sbin/init.d/diagnostic stop
/sbin/init.d/diagnostic start


create vmware .vmx virtual machines

Create virtual machines for VMware Player online and free - easyvmx http://www.easyvmx.com/


comments in password file

In HP-UX, comments can be used in the password file, although I don't think anyone would recommend it. It may be in violation of SOX requirements as well; be careful. That having been said, I've found the following when using comments in the passwd file of HPUX (very well may apply to other *nix flavors):

3 requirements:
* 7 total fields - exactly 6 colons must be in every line
* uid must be numeric or valid
* gid must be numeric or valid

You should check your /etc/passwd file using the pwck command if you are in doubt of the integrity of the file.

Some symptoms to look out for if your password file is screwed up:
$ /bin/su - user123
su: Unknown id: user123

$ passwd
Invalid login name.

The password file is read from top to bottom, so if one account works, but others don't check the location of the comment/bad entries and where they relate in position to the account in question.


verify OV agent status

verify your OpenView (OV) agent is working properly:
opcagt -status


Get Phyisical RAM on HP-UX

in HPUX to get the phyisical / real memory, you can do one of the following:

grep Physical /var/adm/syslog/syslog.log


Replacing a Mirrored HP-UX Boot Disk

Replacing a Mirrored HPUX Boot Disk

Reduce any logical volumes that have mirror copies on the faulty disk so that they no longer mirror onto that disk. (note: lvdisplay -v /dev/vgXX/lvol* will show the lvols)

# lvreduce -m 0 /dev/vgXX/lvolX /dev/dsk/cXtXd0 (for 1 way mirroring)

Reduce the volume group.

# vgreduce /dev/vgXX /dev/dsk/cXtXd0

Stop I/O's going to drive

# pvchange -a n /dev/dsk/c0t2d0

---> Replace the drive.

# pvchange -a y /dev/dsk/c0t2d0

Initialize the disk for LVM.

# pvcreate -f –B /dev/rdsk/cXtXd0

Set boot switch for no quorum and add offline diagnostics (if available to drive)

# mkboot –a "boot vmunix –lq" /dev/dsk/c0t2d0

# mkboot –b /usr/sbin/diag/lif/updatediaglif2 –p ISL –p HPUX –p LABEL –p AUTO /dev/rdsk/cXXtXd0.

Extend the volume group.

# vgextend /dev/vgXX /dev/cXtXd0

Lvextend the mirrors back onto the replaced drive.

# lvextend -m 1 /dev/vgXX/lvolX /dev/dsk/cXtXd0 & (for 1 way mirroring) Do this for each lvol on the system. The & allows you to run the task in the background. You can check on the progress using the lvdisplay –v /dev/vg00/lvolXX.

After running the mkboot and lvextend commands, do an lvlnboot -Rv to relink the disk into the

Boot Data Reserved Area of all the physical volumes in the volume group.

# lvlnboot -Rv


allowing backspace and @ in login prompt on HPUX

The backspace, @ (at sign), and # (pound character) don't work at the login prompt on HPUX systems. In HP-UX the default kill and erase values are set to @ and # respectively, you can change them via /dev/ttyconf by creating a custom startup script. See the following ITRC threads and the section labeled "Control Character Default Assignments" on the man page for stty: http://docs.hp.com/en/B2355-60127/stty.1.html

See termio(7) for the default values of control characters: http://docs.hp.com/en/B2355-60127/termio.7.html

like this: stty erase ^H kill ^U intr ^C susp ^Z < /dev/ttyconf


using WS_FTP to automate file xfers

Some notes:

  • Many options in WS_FTP are now user-specific, i.e. the changes made to the options are only reflected in that current user's profile.

  • PGP support is now included in V9, but I'd rather do the encryption/decryption outside of ws_ftp and use the 'gpg' tool instead. By default, ws_ftp will try to decrypt and verify every file downloaded with a .pgp extension. This option must be turned off. Go into the options under the PGP section and uncheck the "Always decrypt & verify encrypted and signed".

  • If WS_FTP needs to be reinstalled, make sure you go in and out of the application and verify the options that you changed are still intact.

  • I had to connect to each site to make sure the connections were still good. In the process of doing so I needed to click "Trust this connection" on any of the SSH connections because a new fingerprint was generated.

  • Each user profile has a registry setting pointing to the application data directory. After the upgrade this initially pointed to the user's specific profile, so we had to change it back to the following:


"DataDir"="C:\\Documents and Settings\\All Users\\Application Data\\Ipswitch\\WS_FTP"

  • Since we typically use the 'local_assigned' user account and he's not an admin on windowBox1, we needed to change some registry permissions in order to allow some options to be read and customized. We changed the security on the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch] -- added WindowsGroup1 group with 'Full Control'

  • The speed of uploads on SSH servers dropped in half in v.9.01. Add "sftppipefraction=150" to the sftp/ssh site's section in ws_ftp.ini to gain full speed. Without this, every lifemasters transfer failed.

WS_FTP Pro notes v8: (some of this applies to v9 as well)



During the install it will ask about "shared" and "personal" sites. The only option we want selected is the "Allow users to create or modify shared sites". The reason for this is that it simplifies where the site data is held. Shared sites go into the "all users" profile directory. "Personal" sites go to the individual user profile, which means if switching from one user account to another, the ws_ftp.ini file would have to be copied over as well. The registry settings this affects are recorded below.


"DataDir"="C:\\Documents and Settings\\All Users\\Application Data\\Ipswitch\\WS_FTP"



Directories and files:

shared sites (shared by all users) stored in:

C:\Documents and Settings\All Users\Application Data\Ipswitch\WS_FTP\Sites\ws_ftp.ini

Predefined Sites stored in: predef.ini

MySites are stored in: original.ini

Any folders created will generate an .ini file based on the folder name. The ini file will contain any sites created under that folder.

Log files stored (usually over-wrote each time WS_FTP is called from the command line):

C:\Documents and Settings\All Users\Application Data\Ipswitch\WS_FTP\Logs

You can copy sections of an .ini file from one computer to another but the password may have to be re-entered on the destination computer because of the way WS_FTP encrypts the password field.

Must use fully qualified path because the command line instance will bring us to the root directory. Otherwise it will default to /usr/bin on some systems.

File specifications for uploading/downloading can be wildcarded. ( * or . )

command line example

NOTE: Trailing slash must be used for destination directory....

cd "%programfiles%\ws_ftp pro" &

wsftppro -s ftp://anonymous:test@ftp.ipswitch.com/pub/msdos/vmenu.zip -d local:c:\


cd "%programfiles%\ws_ftp pro" & wsftppro -s amisys:~/bin/list.sh -d local:c:\ -ascii


cd "%programfiles%\ws_ftp pro" & wsftppro -s amisys:~/bin/list.sh -d local:c:\ -binary


cd "%programfiles%\ws_ftp pro\wsftppro" & wsftppro -s amisys:~/bin/list.sh -d local:c:\

-lower lowercases the filename (only works when uploading TO a remote host, not downloading from a host)

WARNING: Using the command line, be careful that when downloading, the remote file name must be in the EXACT case in order to download the correct file.

The WS_FTP scheduler is just another front-end to the Win2k task scheduler.

GNUpg, gpg, encryption notes

Public Key Cryptography:

http://www.wvu.edu/~lawfac/mmcdiarmid/digital%20signatures.htm - older reference, but pretty easy to understand

http://www.lugod.org/presentations/pgp/ - good introduction and beginners guide

http://www.linuxjournal.com/article.mydivision?sid=4828 GPG the Best Free Crypto You Aren't Using, Part I of II

http://www.linuxjournal.com/article.mydivision?sid=4892 GPG the Best Free Crypto You Aren't Using, Part II of II



gpg usage: http://www.rhce2b.com/clublinux/RHCE-38.shtml

GPG notes:

http://www.gnupg.org/ - GNU Privacy Guard

If the --output option is not specified, gpg will usually write contents to stdout (the screen). You can also do file redirection to route the output to a file. The exception to this is the default decryption option:

gpg [filename]

The above syntax will decrypt the file to the original unencrypted filename. You can add other options to this command.

You encrypt with someone's public key, they decrypt with their secret key. Give your public key out to those that want to send you encrypted files/messages. Then only you (or anyone that has your secret key, which should be no one but you) can decrypt and view the file.

[name] = name, email or identifier of key. email addr is usually the best one to use because it's usually the most unique identifier.


gpg.man -- man page for gpg (lists all switches)

gpg.conf -- found in c:\gnupg (see readme.w32), contains all config options

If you receive the following when decrypting a file, then there is probably a compatiblity problem with the other user's signature, usually nothing to worry about: "WARNING: message was not integrity protected". To prevent the message from appearing use the --no-mdc-warning in the gpg command line or put the following in the gpg.conf file: no-mdc-warning

On the Windows platform, be sure to include the following option in gpg.conf or on the command line:


The Windows version of GnuPG replaces the exten­

sion of an output filename to avoid problems

with filenames containing more than one dot.

This is not necessary for newer Windows versions

and so --no-mangle-dos-filenames can be used to

switch this feature off and have GnuPG append

the new extension. This option has no effect on

non-Windows platforms.

NOTE: Any options specified in the configuration file(gpg.conf) should NOT have the double dashes at the beginning of them.

gpg.conf example file:



load-extension lib\idea

Generating a new key pair:

gpg --gen-key

The default way we have been creating the keys is:

kind of key you want: (1) DSA and ElGamal (default)

keysize: 2048

expiration: 0 -does not expire

"Real name": mycompany

email: mydivision-{vendor}@mycompany.com where {vendor} is the vendor's name.

comment: mydivision - mycompany (usually)

Displaying/listing keys:

list all secret keys on the system:

gpg --list-secret-keys

list all public keys on the system:

gpg --list-keys

Importing keys:

to import an exported public or secret key into the appropriate keyring on this system:

gpg --import keyfile_to_import


use --armor option if sending key via email or if vendor requires ASCII armored data.

to export a public key; don't specify a name if you want to export all:

gpg --output filename.key --export [name]

to export a secret key; don't specify a name if you want to export all:

gpg --output filename.key --export-secret-keys [name]

Always export any keys before using them. This keeps a backup of all keys in case you screw up (you probably will too!). You can use the following as a template, replacing {vendor} with the vendor's name, and paste the text directly to the shell.

gpg --output mydivision-{vendor}@mycompany.com-public.asc --armor --export mydivision-{vendor}@mycompany.com

gpg --output mydivision-{vendor}@mycompany.com-public.key --export mydivision-{vendor}@mycompany.com

gpg --output mydivision-{vendor}@mycompany.com-secret.asc --armor --export-secret-keys mydivision-{vendor}@mycompany.com

gpg --output mydivision-{vendor}@mycompany.com-secret.key --export-secret-keys mydivision-{vendor}@mycompany.com

NOTE: In some cases the vendor can't use certain algorithms such as AES192, AES256, etc. In these cases you will need to edit the key after generating it and export the key in order to disable or restrict use of the particular "problematic" algorithms. Instructions below:

gpg --edit-key [name]

setpref S3 S2 S1 H2 H3 Z2 Z1 (This string was used for Express-Scripts because of their requirment)

(do a setpref xx xx; or whatever algorithms/options you want included. Include all options except the ones you want to disable.)



List the algorithms/options on the key:

gpg --edit-key keyid showpref quit (long verbose format)

gpg --edit-key keyid pref quit (short terse format)

List of options/preferences to use on keys:

s2 = 3des

s3 = cast5

s4 = blowfish

s7 = aes

s8 = aes192

s9 = aes256

s10 = twofish

s1 = idea (if you use it, otherwise leave out)

h3 = ripemd160

h2 = sha1

h1 = md5

z2 = zlib

z1 = zip

z0 = no compression


When encrypting a file, you can use multiple -r (recipient) options if needed. To decrypt the file, the secret key pair that corresponds to the public key used to encrypt the file will be needed.

The following example will create an encrypted file with a .gpg extension.

gpg -r info@claimsnet.com --encrypt-files encrypt-test.txt (preferred method)

gpg --ouput ouput_filename -r [name] --encrypt filename_to_encrypt

for interactive prompt asking which key to use to encrypt:

gpg --ouput ouput_filename --encrypt filename_to_encrypt

When using a key to encrypt for the very first time, you will see text similar to the following:

gpg: checking the trustdb

gpg: checking at depth 0 signed=1 ot(-/q/n/m/f/u)=0/0/0/0/0/7

gpg: checking at depth 1 signed=0 ot(-/q/n/m/f/u)=1/0/0/0/0/0


to decrypt a file: (must have secret key that matches the public key that was used to encrypt the file

gpg filename_to_decrypt -- decrypt file and write to original filename (preferred method)


gpg --ouput output_filename --decrypt filename_to_decrypt

if you don't have the secret key for an encrypted file you'll get the error: "gpg: decryption failed: secret key not available"

signing a key:

gpg --local-user mydivision-claimsnet@mycompany.com --sign-key info@claimsnet.com

-- it will ask for level of trust. Choose the highest level of trust. (3)

after you receive someone's public key (whom you trust) you can sign it. If you don't you'll get the following message every time you try to encrypt something with their public key:

gpg --output encrypt-test.pgp -r info@claimsnet.com --encrypt encrypt-test.txt

gpg: C458F397: There is no indication that this key really belongs to the owner

1024g/C458F397 2001-02-28 "Claimsnet.com Inc. <info@claimsnet.com>"

Primary key fingerprint: 1254 FD28 5BF7 DF69 CD02 9072 4155 8840 575F 950E

Subkey fingerprint: 0164 29BF CEB1 96B6 91AC FF76 CE41 BAAA C458 F397

It is NOT certain that the key belongs to the person named

in the user ID. If you *really* know what you are doing,

you may answer the next question with yes

Use this key anyway? n

gpg: encrypt-test.txt: encryption failed: unusable public key

After you sign the recipient's key when encrypting a file you won't get the error message.

marking keys as trusted (need to do this when we import our keys into new keyring file):

gpg --edit-key mydivision-esi@mycompany.com

Command> trust

Your decision? 5

Do you really want to set this key to ultimate trust? y

Command> quit

Changing the passphrase of the secret key (in case of lost/stolen key):

gpg --editkey mydivision-esi@mycompany.com

Command> passwd

Enter passphrase: ****

Enter the new passphrase for this secret key.

Enter passphrase: *******

Repeat passphrase:*******

Command> save

Deleting/removing keys no longer needed:

Recommend exporting the keys first before deleting them.

delete secret key:

gpg --delete-secret-keys [name]

delete a public key:

gpg --delete-keys [name]

delete both secret and public key pair:

gpg --delete-secret-and-public-key [name]

--delete-secret-and-public-key name

Same as --delete-key, but if a secret key

exists, it will be removed first. In batch mode

the key must be specified by fingerprint.


to automate/batch decrypt files use the following options. MAKE SURE that the gnupg directory is secured well and keep the "passphrase-file" in the same directory or another secure directory.:

--passphrase-fd n

Read the passphrase from file descriptor n. If

you use 0 for n, the passphrase will be read

from stdin. This can only be used if only

one passphrase is supplied. Don't use this

option if you can avoid it.


type passphrase-file | gpg --passphrase-fd 0 [filename_to_decrypt]


Signatures are basically good for verifying the authenticity of message/file/whatever.

clearsign (good for emailing), example:

hp.txt contents (in courier new font) before signing:

This is a test file...

gpg --local-user mydivision-abf@mycompany.com --clearsign hp.txt

after signing it will create a file named: hp.txt.asc:


Hash: SHA1

This is a test file...


Version: GnuPG v1.2.4 (MingW32)





verify signature (must have public key in keyring to do this):

gpg --verify hp.txt

in the case of a detached signature, by putting the signature file first:

gpg --verify file.sig file

Log of session running of gen-key (bold ours):

C:\>gpg --gen-key

gpg (GnuPG) 1.2.4; Copyright (C) 2003 Free Software Foundation, Inc.

This program comes with ABSOLUTELY NO WARRANTY.

This is free software, and you are welcome to redistribute it

under certain conditions. See the file COPYING for details.

Please select what kind of key you want:

(1) DSA and ElGamal (default)

(2) DSA (sign only)

(4) RSA (sign only)

Your selection? 1

DSA keypair will have 1024 bits.

About to generate a new ELG-E keypair.

minimum keysize is 768 bits

default keysize is 1024 bits

highest suggested keysize is 2048 bits

What keysize do you want? (1024) 2048

Requested keysize is 2048 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 0

Key does not expire at all

Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id

from Real Name, Comment and Email Address in this form:

"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: mycompany

Email address: mydivision-mckession@mycompany.com

Comment: mydivision - mycompany

You selected this USER-ID:

"mycompany (mydivision - mycompany ) <mydivision-mckession@mycompany.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? e

Email address: mydivision-othercorp@mycompany.com

You selected this USER-ID:

"mycompany (mydivision - mycompany ) <mydivision-othercorp@mycompany.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.






We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.





public and secret key created and signed.

key marked as ultimately trusted.

pub 1024D/51CF3CC5 2004-04-23 mycompany (mydivision - mycompany ) <mydivision-othercorp@p


Key fingerprint = 9982 34EB 114A 6A4D 8EC5 9FB8 98A8 F30F 51CF 3CC5

sub 2048g/DF7989E4 2004-04-23

getting a public key from a keyserver:

gpg --keyserver http://pgp.mit.edu --search-keys dd9jn@gnu.org

Curl notes and usage

cURL notes:

official web sites:

curl: http://curl.haxx.se


openssl: http://www.openssl.org

Curl is an open source command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and a busload of other useful tricks. Openssl handles the encryption part of the transfer.

Curl usage:

TO use config file ( _culrc ) the next line must be set in the batch file or scripting environment.

set home=c:\directory_pathto_config_file

Since curl will only work with PEM formatted certificates, we need to convert the PKCS12 format certificate:

openssl pkcs12 -in [original certificate file] -clcerts -out [PEMfile]

I believe some web sites use cookies for the session timeout (I believe a 5-10 minute timeout period). For that reason when initially communicating with the server we MUST run 2 passes of curl, 1 to authenticate and 1 to do the transfer or whatever other command we want to issue.

Using config file:

list directory:

curl https://this.secretwebsite.com/* -- will list everything recursively; lists just file/path names

curl https://this.secretwebsite.com -- is like doing an ls -l


curl -O https://this.secretwebsite.com/outbound/SFT_Win32_4.0.39_Guide.doc


curl -T mylocalfile.txt https://this.secretwebsite.com/

files we get back: mylocalfile.txt_201706.NO_ADD_REC

that's HHMMSS (maybe pacific timezone)

Deleting files:

curl -X DELETE https://this.secretwebsite.com/mylocalfile.txt_201706.NO_ADD_REC

from manual-

-X/--request <command>

(HTTP) Specifies a custom request to use when com­

municating with the HTTP server. The specified

request will be used instead of the standard GET.

Read the HTTP 1.1 specification for details and


_culrc (config file) contents:

#cookie send file (-b)

cookie C:\sys\temp\curl\cookie.jar

#cookie receive file (-c)

cookie-jar C:\sys\temp\curl\cookie.jar

#redirect to different location (-L)


#certificate file and pw for authenication (-E)

cert e:\curl\mysecrets.pem:the_password_goes_here

#display progress bar (-#) instead of default statistics


#Write output to a local file named like the remote file we get.

#(Only the file part of the remote file is used, the path is cut off.)


HP-UX btmp-utmp accounting

/home/maint/bin/acctcleanup.sh ;; runs only via cron on the first day of every month at midnight. It moves all entries in btmp and wtmp to /home/maint/logs/acct with a file name format of: wtmp-monthYEAR or btmp-monthYEAR

see utmp(4)

/var/adm/btmp Bad login database

/var/adm/wtmp Login database


utmp = record of all users logged onto the system.

btmp = bad login entries for each invalid logon attempt

wtmp = record of all logins and logouts.

# cleans up accounting files: /var/adm/wtmp and /var/adm/btmp  Should be run via
# cron at 0:00 the first of every month.
#wtmp contains a record of all logins and logouts
#btmp contains bad login entries for each invalid logon attempt

#if not running under cron then exit
if ! /home/maint/bin/rptree.sh $$ | grep cron >/dev/null; then
 banner executes "only under" cron


#Since we are in a new month, get last month's name
case `date +%B` in
January) month=December;;
February) month=January;;
March) month=February;;
April) month=March;;
May) month=April;;
June) month=May;;
July) month=June;;
August) month=July;;
September) month=August;;
October) month=September;;
November) month=October;;
December) month=November;;

wdate=$log/wtmp-$month`date +%Y.log`
bdate=$log/btmp-$month`date +%Y.log`

$fwtmp < $w > $wdate
cat /dev/null > $w

$fwtmp < $b > $bdate
cat /dev/null > $b

fbackup/frecover tips

Diagnostics: HP Library and Tape Tools (L&TT or LTT)

in: /opt/ltt and the main program: /opt/ltt/hp_ltt

most of our maintenance scripts are contained in:


Our main backup script and associated files are in:

/home/maint/bin/fbackup main script: /home/maint/bin/fbackup/bin/fullback.sh

An email reminder to swap the tape is sent when the backup job is complete. Tapes must be swapped every M-F.

Notes on using fbackup:

fbackup -v -f /dev/rmt/1m -f /dev/rmt/2m -I /indexfile.txt -g graphfile -i include_path -i include_another -c configFile

fbackup graph files do not support wildcards....

graph file contents:

i /include_me

e /exclude_me

If media is write protected you'll see something similar to the following:

fbackup(3032): could not open output file /dev/rmt/2m

default fbackup config used by sam: /etc/sam/br/fbackup_config

fbackup stores incremental backup information in /var/adm/fbackupfiles/dates

fbackup -u option updates the 'dates' files: /var/adm/fbackupfiles/dates

fbackup config file : current config file used in production: /home/maint/fbackup/cfg/best

current config file

description of each line

blocksperrecord 256

+ Number of 1024-byte blocks per record.

records 32

+ Number of records of shared memory to allocate.

checkpointfreq 1024

+ Number of records between checkpoints. Since the EOF marks between checkpoints are also used for fast searching on DLT tape drives, changing the checkpoint frequency may also affect selective recovery speed (see WARNINGS section).

readerprocesses 6

+ Number of file-reader processes.

maxretries 5

+ Maximum number of times fbackup is to retry an active file.

retrylimit 5000000

+ Maximum number of bytes of media to use while retrying the backup of an active file.

maxvoluses 2000

+ Maximum number of times a magnetic tape volume can be used.

filesperfsm 2000

+ The number of files between the fast search marks on DDS tapes. The cost of these marks are negligible in terms of space on the DDS tape. Not all DDS tape devices support fast search marks.

chgvol /home/maint/fbackup/bin/chgvol

+ Name of a file to be executed when a volume change occurs. This file must exist and be executable.

error /home/maint/fbackup/bin/error

+ Name of a file to be executed when a fatal error occurs. This file must exist and be executable.

Clearing fbackup header:

If you wish to clear the fbackup volume header from an fbackup tape because you want to blank out the number of times the tape has been used, use another backup utility on the tape. For example:

tar -cvf /dev/rmt/1m file_to_backup

frecover - recovering files from fbackup tape:

recovering files may take quite a long time, escpecially if they are small files. To restore a small home directory containing less than 18mb took over 10minutes, compared to restoring an 8.5GB file which took only 17 minutes.

Unlike fbackup, single files and wildcarded files(sometimes) may be specified and recovered using frecover. In either fbackup or frecover, the hyphen ( - ) can be used almost anywhere to write/read to/from stdout (standard output). This can be used to pipe commands together as well.

to export the contents (the index) of an fbackup tape:

frecover -f /dev/rmt/1m -I /path/index_file

to write contents to stdout: frecover -f /dev/rmt/1m -I -

to view the volume header ( contains fbackup specific info ):

frecover -f /dev/rmt/1m -V /path/volume_file

test recover (N option): preform the same options, but don't recover the files to disk:

frecover -xvN -f /dev/rmt/1m

recover everything (should only be done in the event of a total system failure):

frecover -v -r -f /dev/rmt/1m


frecover -v -x -f /path_to_fbackup_file

recover all files on tape to the current directory without creating directory structure

frecover -v -x -f /dev/rmt/1m -F

recover all the files in the -i included path to the current directory without creating directory structure

frecover -v -x -f /dev/rmt/1m -F -i /home/maint/fbackup/cfg

recover entire tape contents to current working directory:

frecover -v -x -f /dev/rmt/1m -X

recover graph contents to current working directory:

frecover -v -x -f /dev/rmt/1m -X -g mygraphfile

recover /home/maint/fbackup to current working directory:

frecover -v -x -f /dev/rmt/1m -X -i /home/maint/fbackup/

recover back to orginal file location. File on disk will not be over-written if it's newer than the file from the tape. Use the -o option CAUTIOUSLY to bypass this limitation.

frecover -vxf /dev/rmt/1m -i /home/maint/bin/showuser.sh

frecover option:

-m Print a message each time a file marker is encountered.

Using this option, frecover prints a message each time

either a DDS fast search mark, a filemark (EOF), or a

checkpoint record is read. Although useful primarily for

troubleshooting, these messages can also be used to

reassure the user that the backup is progressing during

long, and otherwise silent, periods during the recovery.


if tape is of unknown format you can extract the contents using pax:

cd to_path_where_extracted_files_should_be_placed

pax -rv -s'/^\///' </dev/rmt/0m

tar - tape archiver:

WARNING: Use -tV to list all the files on the tape before extracting, because tar will not prompt to overwrite and will restore to the fully qualified pathname that is stored in the archive. So when creating a tar archive, please remember to use relative path names and not absolute ones. If no file argument is given, the entire content of the archive is extracted. Note that if several files with the same name are on the archive, the last one overwrites all earlier ones. Wildcards don't work.

tar -cvf /dev/rmt/1m path_to_archive -create a new archive

tar -cvf /dev/rmt/1m -C /home/maint . -create new archive, first change to /home/maint and backup that directory using the relative path (.) Multiple -C options can be used

tar -tVf /dev/rmt/1m -list all files on tape

tar -xvf /dev/rmt/1m - extract all files from tape

tar -xvwf /dev/rmt/1m - extract all files from tape prompting the user to restore each file

tar -xvf /dev/rmt/1m ./index_file - extract the file named index_file into the current directory.


make_tape_recovery: makes a bootable recovery tape

copy_boot_tape: make a copy of a recovery tape

/makerecovery.sh is the custom make_tape_recovery script that creates a recovery tape.

Ejecting a tape:

mt -f /dev/rmt/1mnb offline

Obtaining tape drive status:

mt -f /dev/rmt/2mnb status --show if tape is write protected

st -f /dev/rmt/0mnb -s --limited to displaying if device is OK and ready