iTech Solutions - for all of your IBM i System needs

IBM i Tech Tips

Posted on November 18, 2020

Marc Vadeboncoeur, iTech Solutions

We all know and heavily rely upon IBM i’s venerable NetServer facility to serve-up IFS folders as standard SMB (Server Message Block) shares on our corporate networks, and to also allow our IBM i systems to act as SMB clients and access network file shares on other servers in heterogeneous environments via the QNTC facility.  So, if I were to ask the question, how can you configure/administer NetServer on an IBM i system, how many of you would only answer with only “Navigator for i”?

 

The answer is, there are actually two ways that you can effectively manage NetServer on IBM i:

  • Navigator for i
  • NETS menu command-line interface

Yes, there is actually a “green screen” way to fully manage NetServer on your system.  By default, IBM ships this capability inside of the IBM i operating system but, you first must “install” it onto your system, and the installation & use of the NETS menu functionality is the focus of this article.

(more…)

Posted on

Amy Upton, iTech Solutions

You can use the following information to set up mirroring of your Robot products:

If you are restoring any Robot product libraries, RBTSYSLIB must be the first library restored to the target system. Then, call RSL062 to create the required user profiles. When mirroring Robot products, the product cannot be active on the target system.

You must change the system name in the product database files for the following products before you can run the products on the mirrored system. Use the Retrieve Network Attributes (RTVNETA) command to retrieve the target system name. Then, enter the Change System Name in Files (RSLCHGSYSN) command and specify the target system name in the Current system name field.

(more…)

Posted on October 28, 2020

Amy Upton, iTech Solutions

Reviewing your MIMIX protection reports is very important for your MIMIX HA solution. You may have all your data groups synced and your audit reports are running clean but if you are missing replication on libraries and objects you need then you will have issues if you need to switch.

You can access the protection report through the precisely AUI interface. You will sign-on and look at the Analysis tab and this will show you libraries, directories, and folders status of replication. The goal is to have no libraries or objects that are not in a NONE status.

(more…)

Posted on

Nathan Williams, iTech Solutions

If you have an IBM SAN (Storwize or FlashSystem family) then you may be familiar with the process of deleting volumes within the storage management GUI. It’s basically as simple as right-clicking on a volume and selecting “delete.” Pretty easy, but as we all know sometimes easy is dangerous. Have you ever considered what would happen if you tried to delete something that might actually be in use? IBM has thought of that, too. The delete process is a one-way trip and there are a couple of checks in place to make sure that you’re paying attention before you commit to something so drastic.

(more…)

Posted on

Nathan Williams, iTech Solutions

If your POWER9 is one of the new refreshed models (9009-41G, 9009-42G, or 9009-22G), then you may be familiar with the fact that your QPRCFEAT system value does not match the processor feature code as ordered from IBM. This is because—while IBM provided unique feature codes for the different processors in the new model—the actual CPU hardware is identical to the original POWER9 models. Internally, the FSP knows that the chips are the same and reports the actual CPU identifier to the Operating System.

This mismatch has already lead to quite a bit of confusion when ordering license keys for 3rd party applications, as many software vendors use the QPRCFEAT value as part of their key generation algorithm. We have had clients order license keys for their brand new system using the ordered processor feature code (EP51 for example) only to find that the keys don’t work on installation day because the new system is reporting a different code (EP11 in this case).

(more…)

Posted on September 27, 2020

Marc Vadeboncoeur, iTech Solutions

Do you have a “backup” for your IBM i system’s Ethernet line in the event that it fails?  If you don’t, did you know that you can configure an automatic failover line quickly and easily in IBM i?

Virtual IP Addressing (a.k.a. “VIPA”) is a capability that has existed on IBM i for quite some time, but surprisingly many shops don’t know about it, or, they are aware of it but don’t realize how easy it is to configure and the terrific redundancy it can quickly & easily provide.

In our services practice here at iTech it is very rare that we see an Ethernet adapter in an IBM i system fail, however, Ethernet switch failures can be a common occurrence.  If you have an unused Ethernet port on your system (as many installations do) and you have another switch in your data center that is on the same network, adding automatic redundancy for your current primary Ethernet connection to your network to guard against a primary switch failure is a snap, and here’s how you do it.

(more…)

Posted on September 23, 2020

Chris Flick, iTech Solutions

What you may not know about SAVCHGOBJ or BRMS equivalent (Incremental Save), may be detrimental to your backup strategy.

By definition: The Save Changed Object (SAVCHGOBJ) command saves a copy of each changed object or group of objects located in the same library. When *ALL is specified for the Objects (OBJ) parameter, objects can be saved from all user libraries or from a list of libraries. When saving to a save file, only one library can be specified. For database files, only the changed members are saved.

By default, objects being journaled are not saved, which is what this iTech iTip covers.

(more…)

Posted on

Steven McIver

Navigator for i has many convenient ways to manage your IBM i system with a graphical interface. You may not realize that in new versions of IBM i Access Client Solutions, you can launch it easily from your 5250 Emulation Sessions by clicking the icon pictured below:

Once you sign in to Navigator for i, you’ll notice one of the very first options on the left side of the page is called Target Systems and Groups. This option allows you to access Navigator for i sessions on other systems in your network. The biggest perk of this is it allows you to quickly access other systems in your network from one window. It also helps in a pinch when you don’t have a route to Navigator for i on another system from your PC but the system you connect to Navigator for i on does, or the Admin instance is just not working on that other system. You can sometimes still access Navigator for i on that remote system by using the Target System option.

(more…)

Posted on

Nathan Williams, iTech Solutions

IBM i Access for Windows/Mac/Linux (a.k.a. “old Client Access”) has been around for a long time. It’s familiar, stable, and probably already installed on most of your end-user PCs. This massive installed base makes it difficult to fathom switching to IBM i Access Client Solutions, especially when the older software continues to work for the vast majority of users. Unfortunately, that may not be the case forever.

Many of our customers have made the move in recent years to secure the communication channels into and out of their systems, including IBM i. In most cases, this means encrypting all client connections using SSL/TLS. All flavors of IBM i Access support encrypting encrypted connections so implementing security for 5250, file transfer, ODBC, and pretty much anything else is relatively straightforward. Most of these projects are driven by compliance concerns (PCI-DSS, HIPAA, etc.), but encrypting your client sessions vastly increases system security even when there is no policy reason to do so – for example, did you know that unencrypted 5250 sessions send the user’s credentials down the wire in plain text?

(more…)

Posted on August 26, 2020

Steve Pitcher, iTech Solutions

I’ve been doing quite a bit of Domino upgrades to 10.0.1 and 11.0.1 recently. What HCL has done in terms of product updates have been outstanding. Their documentation however leaves a lot to be desired. I can’t seem to find any decent documentation for upgrading Domino to 11.0.1.

So, I’ve built my own installation instructions for you.

First, you’ll have to set your environment variable of DOMINO_INSTALL_TYPE. Most shops I’ve been upgrading are enterprise servers, which is a 2. Use the following command:

ADDENVVAR ENVVAR(DOMINO_INSTALL_TYPE) VALUE(2)

(more…)

Posted on

Steve Pitcher, iTech Solutions

Deck: Users with *ALLOBJ special authority is a no good, terrible, very bad idea.

One cool thing about working for iTech Solutions is the boss doesn’t nickel and dime our team’s education, resources, and technology. We need to practice on new hardware, so we got a POWER9. We need practice with external storage, so we got a V5030. We need to practice on virtual tape libraries, so we got one from Cybernetics.

I have a presentation in the Fall called IBM i Security: Perception vs Reality. I needed to test some system security scenarios with malware built by yours truly so my colleague Nathan Williams propped us up an IBM i 7.4 partition. We called it WLECYOTE…because we wanted to drop an anvil on its head.

(more…)

Posted on

Marc Vadeboncoeur, iTech Solutions

Do you want to know, in real-time, who/what is connecting to the TCP/IP environment on your IBM i?  Need to know how much data is going outbound and coming inbound for any specific TCP/IP connection, and have immediate access to a bunch of other cool IP environment metrics and capabilities and control?  Well, the tool to do so is right at the tip of your fingers, and knowing how to use it is absolutely essential to the effective management of your IBM i’s network connectivity.

The NETSTAT command on your IBM i is the de facto go-to resource that you need to get a 360-degree view of what’s going on with all the TCP/IP activity on your system, yet many clients that I work with have never even heard of it, and if they have heard of it they don’t really know what it does and the critical management capabilities that it offers.

(more…)

Posted on July 30, 2020

Nathan Williams, iTech Solutions

With the push to secure all data traffic to our critical systems, many organizations are moving to secured versions of classic technology. One project we see repeatedly is the switch from insecure FTP to encrypted FTPS. Not to be confused with SFTP, FTPS stands for FTP over SSL/TLS and it is to FTP what HTTPS is to HTTP. Just like secure web pages, FTPS uses a system of certificates to encrypt and secure FTP transfers. If you’re making the switch to FTPS, you may find that you begin to receive the error message “Secure connection error, return code -23” when you attempt to connect to another system.

Return code 23 means the certificate in use on the remote server is not signed by a trusted authority. This is caused by one of two things:

  1. The server is using a self-signed certificate
  2. The server is using a commercial certificate issued by an entity for which IBM i does not have a built-in root certificate.

To correct this, the CA certificate used to sign the server’s certificate needs to be imported into DCM on the IBM i and marked as trusted. You will need to obtain a copy of that CA certificate in the form of a .cer file which needs to be placed in the IFS where DCM will be able to read it. The server administrator should be able to provide this file or tell you how to obtain it.

If the certificate being used was issued by a commercial entity, you may be able to download what you need directly from the issuer’s website (assuming you can figure out who that is). Once the CA is trusted by the system then all certificates signed by it—including the one in use on this FTP server—will automatically be trusted by extension. That should eliminate the error.

(more…)

Posted on

Marc Vadeboncoeur, iTech Solutions

When managing your IBM i environment, is time on your side?

Do you still manually maintain the system clock on your IBM i system and occasionally adjust it to exactly the right time and/or still manually correct it in the Spring/Fall when we roll the clocks forward/backward?  Well, read on, and we’ll tell you how to configure the system to automatically do that for you so you can put your system’s clock management on full autopilot.

Your IBM i operating system includes built-in support for the industry-standard NTP (Network Time Protocol) client.  This functionality enables you to configure your system as an NTP “client” where the system will continually reach out to public time servers and/or local time servers already on your network to automatically adjust your system clock and keep it always at the precise time.  Your system can not only serve as an NTP client to keep its clock accurate but it can also serve as an SNTP (Simple Network Time Protocol) server to serve-up the correct time to client servers on your network, or it can serve as an SNTP client, but this article will focus on setting-up the NTP client functionality on IBM i as this is typically what most shops need to enable.  Many people think that SNTP and NTP are the same and they are not, both protocols have the same objective, to automatically keep the time on your system correct by referencing an external time server, but NTP client functionality is more complex & precise in how it verifies the correct time and adjusts the system clock, thus it is the time adjustment protocol of choice in most server environments because it provides a higher degree of accuracy and reliability than an SNTP client configuration.

(more…)

Posted on

Steven McIver

Object ownership is very important on IBM i, as often group profiles are used to secure objects, and sometimes programs are compiled to run under the authority of the profile that owns the program. There are times when a decision is made to change the owner of a particular library in order to change the scheme of securing objects, or you may go to restore a library to another system, and realize that the profile that owned the objects on the original system, does not exist on the target system to take the ownership. Sometimes in these cases, the library has hundreds or even thousands of objects in them, and changing the owner of these objects one at a time is just not feasible. There are several ways to resolve this, but certainly, the easiest way is to use the CHGOWN command.

(more…)

Newsletters