August 2008 Newsletter

Greetings!
 

With Labor Day upon us, many of you are drawing up your plans for your fall projects and end-of-calendar-year projects.  We have been busy working with many of you on initiatives to allow you to reach those goals.  It looks like a busy and fun fall with all of these projects.

While many of you have recently been enjoying the Olympics, iTech Solutions has earned some medals as well.  Pete Massiello won a Silver Medal for his presentation “What you need to know and understand to do Successful i5/OS Upgrades” at the COMMON Spring 2008 Conference in Nashville, and was also awarded Best New Speaker at the conference.  For a list of presentations coming up in the next few months, visit the events page on our website.

This issue of our newsletter has four articles.  In the first article, we’ll talk about the Security level of your machine. As performance and disk space are issues in most shops, our second article deals with “where has all the disk space gone?”  The third article deals with Security using ODBC: Come Steal my iSeries data. The last article is for your reference, with updated PTF information.

iTech Solutions can help you improve performance, upgrade i5/OS, perform security audits, implement a High Availability solution, VoIP, Systems Management, PTF management, Blade installations, iSCSI Configurations, upgrade an existing machine, or upgrade to a new machine.  If you are thinking of LPAR or HMC, then think iTech Solutions.  We have the skills to help you get the most out of your System i.  For more information on any of the articles below, please visit us at iTech Solutions or contact us at info@itechsol.com. We would also like to know what you think of this newsletter and any items you would like us to discuss in future issues.

Security Level. 
I usually get asked, “What is the right Security level to be at?”  I always say at least 40.  That provides the best infrastructure for your security.  However, being at Security level 40 with everyone having *ALLOBJ is no better than being at level 20. So, while you are doing this, also examine how many people have *ALLOBJ authority. We need to make sure everyone understands what security levels are.  Run WRKSYSVAL QSECURITY, and enter option “5” to display your Security level.  Here are the levels:

10 – This used to be referred to as Physical Security and is no longer supported. There really is no security at all at this level. You do not even need a user-id and password to sign on. If you are at this level, stop reading the article immediately and call us at 203-744-7854.

20 – The system requires a user to have a user-id and password to sign on. Users have access to all system resources, because basically everyone has *ALLOBJ authority.  It requires some work and planning to move from this, but you should start soon, like after lunch perhaps. 🙂  You are at risk if someone has access to a command line. They could delete your entire system.

30 – The system requires a user to have a user-id and password to sign on, and users must have authority to access objects and system resources. At a minimum you should be here, but 40 is where you want to end up.  Your system still has some vulnerabilities, but it’s relatively safe.

40 – The same as 30, plus Programs fail if they try to access objects through interfaces that are not supported. This is where everyone should strive to be at a minimum.

50 – The same as 40, plus Programs fail if they try to pass unsupported parameter values to supported interfaces.

OK, now that you know what the levels mean, what should you be doing?  First, you should contact any third party vendor and tell them you are currently on Security level x and are planning to move to Security level y.  Ask them whether there are any implications that they know of, and whether you need any fixes from them.

If you are at 20, you really need to have a plan of attack to move to 30. You currently have a wide open system where everyone can do ANYTHING.  As your users have been accustomed to everyone having *ALLOBJ authority, you will have to determine what access people actually need, build a plan to remove their *ALLOBJ authority, and give them access only to the resources required to perform their jobs.

While 30 is a reasonably safe level, as users have passwords and need explicit authority to objects, most shops that are on 30 should be looking to go to 40.  This is a really easy move; however, you need to monitor which of the programs in use may have unsupported interfaces inside of them.  The easiest way to do this is to turn on Object Auditing with CHGSYSVAL QAUDCTL *AUDLVL and CHGSYSVAL QAUDLVL *AUTFAIL, and monitor for programs that are failing.  We usually run this for about a week.  Once we have a clean report, we can move to 40 or 50.
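The week-long review described above can be reduced to a repeatable check. The following is an added example, not part of the original newsletter: it summarises authority-failure (AF) audit entries after they have been exported to CSV and reports whether the period was clean. The CSV column names and every program, user and object name are constructed, and it assumes QAUDLVL also includes *PGMFAIL, the audit level that records the program failures level 40 starts enforcing.

```python
import csv
import io
from collections import Counter

# AF violation types to watch before moving to level 40. Assumption: QAUDLVL
# also includes *PGMFAIL, which is what logs these program-integrity failures.
LEVEL40_BLOCKERS = {
    "B": "restricted (blocked) instruction",
    "C": "object validation failure",
    "D": "unsupported interface (domain violation)",
    "J": "job description / user profile authorization failure",
    "R": "access to protected area of disk",
    "S": "default sign-on attempt",
}

# Constructed sample of AF entries exported to CSV. Column names, programs,
# users and objects are all hypothetical.
SAMPLE_AF_CSV = """\
timestamp,violation,program_lib,program,user,object
2008-08-18T09:12:44,A,APPLIB,ORD100,JSMITH,PAYLIB/PAYMAST
2008-08-18T09:30:02,D,VENDLIB,VNDUTIL,BATCHUSR,EXAMPLELIB/SYSOBJ1
2008-08-19T02:00:15,D,VENDLIB,VNDUTIL,BATCHUSR,EXAMPLELIB/SYSOBJ1
2008-08-20T14:41:09,C,OLDLIB,RSTTOOL,OPER1,OLDLIB/PATCHED
2008-08-21T08:05:51,A,APPLIB,INV200,MJONES,INVLIB/ITEMMAST
"""

def parse_af(csv_text):
    """Return the exported AF rows as a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def level40_blockers(rows):
    """Count failures per (library, program, type) that level 40 would enforce."""
    return Counter(
        (r["program_lib"], r["program"], r["violation"])
        for r in rows if r["violation"] in LEVEL40_BLOCKERS
    )

def ready_for_level40(rows):
    """A 'clean report' in the article's sense: no blocker entries in the period."""
    return not level40_blockers(rows)

if __name__ == "__main__":
    entries = parse_af(SAMPLE_AF_CSV)
    for (lib, pgm, vtype), n in level40_blockers(entries).most_common():
        print(f"{lib}/{pgm}: {n} x {vtype} ({LEVEL40_BLOCKERS[vtype]})")
    print("ready for level 40:", ready_for_level40(entries))
```

Type A entries (ordinary "not authorized" failures) are deliberately left out of the blocker count: they already fail at level 30, so they point at authority gaps rather than at programs that will break at level 40.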

Obviously, it’s always simpler discussing this in a summary fashion than actually going from one Security level to the next.  If you need help, we have done this for many of our customers, and can help you avoid many of the problems you will encounter as you secure your machine and your data.  Contact us and let iTech Solutions help you.  Don’t forget to read the third article on ODBC.

Where has my disk space gone?
Last month we discussed the need for Disk arms and how the number of arms affects performance.  This month, we want to spend some time on keeping those disks free from clutter.

It’s a timely topic, as we recently got a call from one of our customers that went something like this: “Help, my disk space has shot up 25%, and I don’t know why”.  We get calls about increased disk space all the time, usually increases of more like 5 or 10%.  We ask questions:  Have you duplicated the production database? Have you  stopped deleting the Journal Receivers? Has anyone done a restore of a large library?  It really doesn’t matter what questions we ask, as the answers are invariably “NO”.  Well, then it’s time for a little detective work and to open up our bag of tools.

IBM has tools that are standard with i5/OS that can provide information about the sizes of Libraries, Objects, and Directories on the iSeries.  Unfortunately, this information is not dynamic and needs to be created if not already there, or possibly updated if not current. Normally, you can just rerun the command to collect the data, but if for some reason you wanted to see when was the last time you collected information, you can look at the creation date for the member QCURRENT in the file QAEZDISK in library QUSRSYS.  The command to collect this information about objects on your system is RTVDSKINF.  This is a long running command, and I would highly recommend submitting this to batch.  By the way, you can also set this up to be run once a month so that you always have some recent information.

Once the information has been collected, we can run some of the reports.  The command to run the reports is PRTDSKINF.  There are a few reports, so let’s start off by running the System Summary, which is PRTDSKINF RPTTYPE(*SYS). This report will tell you how much disk space is being taken up by Libraries, Directories, Folders and Documents (the old QDLS), QSYS, Licensed Internal Code, etc.  It’s a great summary. You could print these off monthly, and have a nice summary to refer back to each month. Notice that we don’t know what has grown; we only know what amount of space is being utilized.  Now if we need to look at libraries, we can run the command PRTDSKINF RPTTYPE(*LIB).  This will show us the details by library. Notice the report is sorted from the largest library down to the smallest.  If we wish to see the largest objects on the system regardless of library, which is sometimes helpful in cleanup, we can run the command PRTDSKINF RPTTYPE(*OBJ) OBJ(*ALL) MINSIZE(x), where x is the minimum size in units of 1,000 bytes.  So, if I was looking for all objects over 10MB, I would enter 10000 for x.  Using this tool is a very quick and easy way of determining where all my disk space is going for traditional libraries and objects.

What happens when the object that we are looking for is in the IFS?  Then we have to use the Print Directory Information command, PRTDIRINF.  Again, we can run this command to find the largest objects within the IFS and really help clean up our system.  If we wished to find all the IFS objects over 1MB in size, we would run PRTDIRINF RPTTYPE(*OBJ) MINSIZE(1000).

These are some of the tools that we use in helping to identify “garbage” that has been left on your disks.  Remember, as you free up this disk space, your backups will probably also run quicker.

We are currently working with three customers, helping them clean up their systems.  For assistance in cleaning up your system, contact us at info@itechsol.com.

ODBC – Come Steal my data!!

A strong statement?  Nope, a reality, and I will show you how it’s even worse than you imagined. ODBC, which stands for Open Database Connectivity, provides a mechanism for data to be read from your iSeries to your PC or written back to it.  You install Client Access on everyone’s machine and they now have an ODBC Driver.  It’s very easy to set up this driver to point to your iSeries, and then read the data from any file directly into Excel, Access, or any other PC application.  In the wrong hands, this will allow someone to retrieve your entire customer master file onto their PC, and then email it to a competitor, all in under 5 minutes.  That is pretty scary, but wait: it can be even worse.

We just implemented a security plan for one of our customers that shuts down the gaping holes that were in their security plan.  Now, it doesn’t even matter if someone has *ALLOBJ authority; we can still control who can use ODBC and File Transfer to/from the iSeries.  Remember, I told you it was worse than you thought.  Let me describe a nightmare for you.  Someone with an ODBC driver decides to download the payroll master file into Excel. They find their employee record in the Excel file, give themselves a raise, and then upload the file back with ODBC.  Yes, ODBC can both read data from your iSeries and write data back to your iSeries. Now, when you run the next payroll, their new hourly rate will be used in the payroll.  This hole allows them to change data in any of your files, without adhering to the rules and controls that are in your application programs.

Obviously, there are not many employees who would do something like this.  Perhaps they just download the Customer master file or your vendor master file to their laptop, and by accident their laptop gets stolen on the way home. Your data is now in someone else’s hands.  What we have done to prevent this from happening is remove the rights to run ODBC from everyone except a select few people.  This reduces your security exposure, and keeps the company data where it belongs, on the company iSeries.  Give us a call, and we will show you exactly how simple it is to start to lock down your machine. Contact us.

 

Release levels and PTFs
 

People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system.  I updated this article from last month with the current levels of PTFs. Let’s look at PTFs.  First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring.  In addition, sometimes PTFs add new functionality, security, or improve performance.  Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly.  If IBM has come out with a fix for your disk drives, why would you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for it, and that if you had applied the PTF beforehand, you would have averted the problem?  Therefore, I think a quarterly PTF maintenance strategy is a smart move.  Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs.  Below is a table of the major group PTFs for the last few releases.  You might notice that this week, IBM just created a new Security PTF Group, so I have added this to our list, as we are installing this for our customers on the iTech Solutions Quarterly Maintenance program.

Releases         6.1     V5R4    V5R3    V5R2
Cumul. Pack      8190    8183    8085    6080
Grp Hipers       17      81      154     189
DB Group         5       17      22      25
Java Group       3       15      21      27
Print Group      4       24      15      7
Backup/Recov.    2       21      29      31
Security Group   2       2       3       –

The easiest way to check your levels is to issue the command WRKPTFGRP.  They should all have a status of installed, and you should be up to the latest for all the above, based upon your release.  Now there are more groups than the ones listed above, but these are the general ones that most people require.  We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit.  The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released.  Therefore, if we look at the cumulative package for V5R4, the ID is 8183. We can determine that it was created on the 183rd day of 2008, which is July 1st, 2008.  Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.  I left V5R1 off the list, because if you are on V5R1, you don’t need to be worrying about PTFs, you really need to be upgrading your operating system.  The same can be said for V5R2 and V5R3, but there are still customers who are on those releases.
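The YDDD rule above is easy to automate when you want a quick staleness figure for several machines. This is an added example, not part of the original newsletter: it decodes a cumulative package ID to its release date and flags IDs older than a threshold. Because Y is a single digit, the decade is inferred from a reference date, and both that inference and the 90-day threshold (a stand-in for "quarterly") are assumptions of this example.

```python
from datetime import date, timedelta

# Cumulative package IDs copied from the table in this newsletter.
CUM_PACKS = {"6.1": "8190", "V5R4": "8183", "V5R3": "8085", "V5R2": "6080"}

def decode_cum_package(pkg_id, as_of):
    """Decode a YDDD cumulative package ID to its release date.

    Y is only the last digit of the year, so the decade is inferred
    (assumption): take the most recent year ending in Y whose decoded
    date is not after `as_of`.
    """
    if len(pkg_id) != 4 or not pkg_id.isdigit():
        raise ValueError(f"expected 4 digits (YDDD), got {pkg_id!r}")
    y, ddd = int(pkg_id[0]), int(pkg_id[1:])
    latest = as_of.year - ((as_of.year - y) % 10)
    for year in (latest, latest - 10):
        days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
        if not 1 <= ddd <= days_in_year:
            continue  # e.g. day 366 of a non-leap year
        released = date(year, 1, 1) + timedelta(days=ddd - 1)
        if released <= as_of:
            return released
    raise ValueError(f"{pkg_id!r} does not decode to a date on or before {as_of}")

def package_age_days(pkg_id, as_of):
    """Days between the package's release date and the reference date."""
    return (as_of - decode_cum_package(pkg_id, as_of)).days

def overdue(packs, as_of, max_age_days=90):
    """Releases whose cumulative package is older than the assumed threshold."""
    ages = {rel: package_age_days(pid, as_of) for rel, pid in packs.items()}
    return {rel: age for rel, age in ages.items() if age > max_age_days}

if __name__ == "__main__":
    today = date(2008, 8, 31)  # reference date chosen for this example
    for rel, pid in CUM_PACKS.items():
        print(rel, pid, decode_cum_package(pid, today), package_age_days(pid, today))
    print("overdue:", overdue(CUM_PACKS, today))
```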

If you have an HMC, you should be running V7.3.3, with PTF MH01105 installed. This is Service Pack 1 for V7.3.3. For your Flexible Service Processor (FSP) that is inside your Power 5 or Power5+ (520, 515, 525, 550, 570), the level should be 01_SF240_338. Power 6 customers will have the latest FSP code installed since those processors are new.  If you need help with upgrading your HMC or FSP, just give us a call.  We will be happy to perform the function for you.
