It was my greatest fear when I started working with AIX
IBM AIX Network Installation Manager
Many years ago, I installed my first AIX system. Manually, going through all possible menus. When I had two more AIX systems, I learned about NIM – Network Installation Manager. I thought, yes, it is exactly what I need. I read documentation and Redbooks, but I didn’t become smarter. I didn’t install NIM. But I set myself an aim - to learn how to work with NIM.
Nowadays, I install NIM whenever I need it and delete it if I don’t need it anymore. I configure all resources and clients with closed eyes without looking at what I do. At the end, it is just a small number of commands to execute. Everyone can do it!
What you must know about NIM
NIM is still the best tool to install AIX.
You can use it to install Linux on IBM Power or on x86.
You can use it to install IBM i.
You can easily manage your AIX systems from NIM, install security patches, updates, or upgrade them to a newer AIX version.
Still, you must give some thought to planning and always keep in mind that NIM is a tool from the 90s. It is the best that could be done in the 90s, but today is 2025.
Modern systems are installed using HTTPS. AIX still uses NFS.
Modern systems are authenticated using mTLS or similar mechanisms. NIM still uses CPU validation, which doesn’t work if you use Live Partition Mobility.
Modern systems resolve dependencies between many software repositories. An AIX NIM client works only with a single repository (lpp_source) at a given time.
Security considerations
One of the reasons to write today about NIM is this article. The fix mentioned in the article is wrong. The correct fix is this one. Read the README file before you install the fix. You must first change the communication between clients and the NIM server to SSL, and only then install the fix.
Unfortunately, the fix is not available for all AIX versions. If you have an unsupported AIX version, you probably can’t use the fix. You probably need to split your NIM environment into several parts. I don’t know if I'm unique, but I have several AIX 6.1s in my zoo.
How to create a new NIM server
It is really easy. You need an AIX server with the latest possible version. As for me, it is AIX 7.3 TL3 SP1. The server can be virtual or hardware. It doesn’t require many resources.
AIX 7.3 requires only 4GB RAM, AIX 7.2 even less - 2GB RAM.
CPU? Usually, 0,1 CPU is enough. Unless you migrate your AIX with nimadm. Then it is better to have more CPUs during the migration. If I remember correctly, you need 1 vCPU for 3 or 5 parallel migrations. Don’t nail me if I am wrong.
The most important resource you need is storage. You will save several different AIX versions on your NIM server, and each AIX version takes ca. 10GB of space. You will also need some temporary space to download ISO images, and even more space to save system backups from your systems.
Filesystem layout
I usually create an additional disk and a separate volume group for my installation resources.
If I expect to have many system backups, I may decide on a separate volume group for the backups.
If I lose my operating system, I can easily reinstall it.
If I lose my installation resources, I can easily recreate them from the original images.
If I lose my system backups, I have a problem.
That’s why if you work with real workloads, think about having separate storage for your backups.
Are disks already there? Create volume groups!
mkvg -S -y nimvg hdisk2
mkvg -S -y mksysbvg hdisk3
I prefer to create a small filesystem called /nim as a root for my NIM installation. I put all NIM resources under this filesystem, but I usually make several more filesystems. It is not a requirement of AIX NIM, but it is my usual practice. You may decide that you don’t need so many filesystems and use a single large filesystem for all resources.
mklv -t jfs2 -y lvnim nimvg 512M
mklv -t jfs2 -y lvlpp nimvg 40G
mklv -t jfs2 -y lvspot nimvg 40G
mklv -t jfs2 -y lvscripts nimvg 1G
mklv -t jfs2 -y lviso nimvg 40G
mklv -t jfs2 -y lvssl nimvg 1G
mklv -t jfs2 -y lvtftp nimvg 1G
mklv -t jfs2 -y lvmksysb mksysbvg 512G
crfs -v jfs2 -d lvnim -m /nim -A yes -p rw -a agblksize=4096
mount /nim
crfs -v jfs2 -d lvlpp -m /nim/lpp -A yes -p rw -a agblksize=4096
crfs -v jfs2 -d lvspot -m /nim/spot -A yes -p rw -a agblksize=4096
crfs -v jfs2 -d lvscripts -m /nim/scripts -A yes -p rw -a agblksize=4096
crfs -v jfs2 -d lviso -m /nim/iso -A yes -p rw -a agblksize=4096
crfs -v jfs2 -d lvmksysb -m /nim/mksysb -A yes -p rw -a agblksize=4096
crfs -v jfs2 -d lvssl -m /ssl_nimsh -A yes -p rw -a agblksize=4096
crfs -v jfs2 -d lvtftp -m /tftpboot -A yes -p rw -a agblksize=4096
mount /nim/lpp
mount /nim/spot
mount /nim/scripts
mount /nim/iso
mount /nim/mksysb
mount /ssl_nimsh
mount /tftpboot
Software installation
You must install several filesets from the AIX installation media before creating the NIM environment.
Mount your ISO image:
loopmount -i AIX_v7.3_Install_7300-03-01-2520_flash_072025_LCD8265307.iso -m /mnt -o "-r -V udfs"
I have the “flash” image for installations from a USB device. That’s why I use udfs to mount it. If you have “standard” DVD images, you must use cdrfs instead of udfs.
Install the packages:
installp -acgXYd /mnt bos.sysmgt.nim.master bos.sysmgt.nim.spot
If you want to use NIM control objects to retrieve information from your HMC, you also need to install the dsm.core and dsm.dsh filesets.
Anyway, you need OpenSSL, but it should already be installed on your system.
Create NIM server!
We are almost done. We must define how to name our first network. It can be net-aix, vlan-123, or something else. You decide, but remember about naming conventions and be consistent in naming your NIM resources.
Did you choose the name? Issue the command to configure the NIM server:
nimconfig -c -a netname=net-aix -a pif_name=en0 -a platform=chrp -a netboot_kernel=64 -a client_reg=no -a cable_type=N/A
Let’s take a look at the options.
-c means to create SSL certificates for our NIM environment.
-a netname=net-aix defines the name of our first network.
-a pif_name=en0 defines where NIM can find the network.
-a platform=chrp is the only available platform for IBM AIX – Common Hardware Reference Platform.
-a netboot_kernel=64 means we use a 64-bit kernel, and it is the only available kernel since … AIX 7.1? or AIX 6.1?
-a client_reg=no disables client registration. No worries! We can always register clients from our NIM server, but we usually don’t want clients to self-register. This is not the best security practice.
-a cable_type=N/A means that the interface is virtual. I don’t know why IBM still wants to know the cable type.
Tuning?
There are some options I always want to set.
First, I always increase the number of threads for the NIM server process. It means it can process more requests in parallel. In this case, you may need more CPU power in your NIM server:
nim -o change -a max_nimesis_threads=150 master
Next, I switch off CPU ID validation. The feature was good 30 years ago when we had only hardware systems. Today, all my AIX LPARs are completely virtualized. If I move them from one managed system to another, the CPU ID changes, and NIM no longer works. This is not a security feature of today, and can be switched off:
nim -o change -a validate_cpuid=no master
The last setting I change is a security feature. When I install fixes or updates on AIX, I allocate a resource to it. I don’t want the resources to be available to everyone in the network. The resources must be available only to the servers I work with right now. That’s why I switch off global export of resources:
nim -o change -a global_export=no master
On the other hand, the global export makes it easier to use resources from non-NIM clients. Think if you really need it. The usual recommendation is to switch it off, but if you have a good use case in your environment, let it be on.
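To check that a master actually carries the client_reg and global_export settings chosen above, and that nothing under /nim is exported to every host, here is a small audit sketch. It is an added example, not part of the original article or of NIM itself; it assumes that `lsnim -l master` prints "attr = value" lines and that the NFS exports use the AIX /etc/exports syntax, and all sample data in it is constructed.

```shell
#!/bin/sh
# Added example: audit NIM master attributes and NFS exports against the
# settings chosen in this article. All sample data below is constructed.

# Constructed sample of `lsnim -l master` output ("attr = value" lines assumed).
SAMPLE_MASTER='master:
   class               = machines
   type                = master
   max_nimesis_threads = 150
   validate_cpuid      = no
   global_export       = yes
   client_reg          = no'

# Constructed sample in AIX /etc/exports syntax: "directory -opt,opt,...".
SAMPLE_EXPORTS='/nim/lpp/aix73 -ro
/nim/spot/aix73/usr -ro,root=aix73tl2sp4,access=aix73tl2sp4
/home/projects -rw,access=buildhost'

# audit_master: read lsnim-style text on stdin, print one finding per line.
# An absent attribute is reported as UNSET so it gets checked by hand
# instead of being silently treated as compliant.
audit_master() {
    awk -F'=' '
        BEGIN { want["client_reg"] = "no"; want["global_export"] = "no" }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key in want) seen[key] = val
        }
        END {
            n = split("client_reg global_export", order, " ")
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen))            print "UNSET " k
                else if (seen[k] != want[k]) print "FAIL " k "=" seen[k]
                else                         print "OK " k "=" seen[k]
            }
        }'
}

# open_exports: print directories under /nim exported without an access= list,
# i.e. mountable by any host that can reach the NFS server.
open_exports() {
    awk '$1 ~ /^\/nim(\/|$)/ && $2 !~ /(^-|,)access=/ { print $1 }'
}

printf '%s\n' "$SAMPLE_MASTER"  | audit_master
printf '%s\n' "$SAMPLE_EXPORTS" | open_exports
```

On a NIM master, feed the functions real data instead of the samples: `lsnim -l master | audit_master` and `open_exports < /etc/exports`.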
My SSL butthurt
As you saw in the screenshot above, NIM automatically creates a certificate for itself. It creates not only the certificate, but also a certificate authority and client certificates. Everything is put into the /ssl_nimsh directory.
You can’t change the directory name!
You can’t change the certificate information!
You can’t change the certificate!
I know many companies where you are only allowed to use their “official” certificates. Everything else is reported as a security problem.
You can’t use the official certificates from your official certificate authority. You can get a subordinate certificate authority certificate if it is allowed in your environment and put it into /ssl_nimsh/certs/root.pem.
You can also change values in /ssl_nimsh/configs/ files and re-generate your NIM certificates.
No, I have never done it. I think it is a good idea for another article, and I will try it once.
The Security Fix
Think about installing our famous security fix:
emgr -e IJ55897m1b.251112.epkg.Z
Of course, all your clients must be patched before you install the fix on your NIM server.
Register your clients!
Yes, we can create installation resources first. But why not register the clients?
The NIM server is already there, and we can register clients to it.
If you disabled self-registration, as I did, you must first register the client on your NIM server:
nim -o define -t standalone -a platform=chrp -a if1="net-aix aix73tl2sp4 0" -a connect=nimsh aix73tl2sp4
After that, you can register the client on the client side:
niminit -c -a name=aix73tl2sp4 -a pif_name=en0 -a master=nim.power-devops.cloud -a platform=chrp -a netboot_kernel=64 -a connect=nimsh
If your client was previously registered to another NIM server, you must first stop nimsh and remove /etc/niminfo before registering it to your new NIM server:
stopsrc -s nimsh
rm -f /etc/niminfo
NIM does not work well with DHCP and transient hostnames. Before configuring the NIM client, you must definitely define the hostname in ODM:
# chdev -l inet0 -a hostname=aix73tl2sp4
inet0 changed
This is usually not a problem in production environments, but I use a cloud environment with DHCP for my test lab, and I always forget to set the hostname. Then I search for several hours for the reason of NIM problems ;-)
Have fun with AIX NIM!
Andrey
Hi, I am Andrey Klyachkin, IBM Champion and IBM AIX Community Advocate. This means I don’t work for IBM. Over the last twenty years, I have worked with many different IBM Power customers all over the world, both on-premise and in the cloud. I specialize in automating IBM Power infrastructures, making them even more robust and agile. I co-authored several IBM Redbooks and IBM Power certifications. I am an active Red Hat Certified Engineer and Instructor.




