iTech Solutions - for all of your IBM i System needs

IBM i Tech Tips

Posted on August 26, 2020

Steve Pitcher, iTech Solutions

I’ve been doing quite a bit of Domino upgrades to 10.0.1 and 11.0.1 recently. What HCL has done in terms of product updates have been outstanding. Their documentation however leaves a lot to be desired. I can’t seem to find any decent documentation for upgrading Domino to 11.0.1.

So, I’ve built my own installation instructions for you.

First, you’ll have to set your environment variable of DOMINO_INSTALL_TYPE. Most shops I’ve been upgrading are enterprise servers, which is a 2. Use the following command:

ADDENVVAR ENVVAR(DOMINO_INSTALL_TYPE) VALUE(2)

(more…)

Posted on

Steve Pitcher, iTech Solutions

Deck: Users with *ALLOBJ special authority is a no good, terrible, very bad idea.

One cool thing about working for iTech Solutions is the boss doesn’t nickel and dime our team’s education, resources, and technology. We need to practice on new hardware, so we got a POWER9. We need practice with external storage, so we got a V5030. We need to practice on virtual tape libraries, so we got one from Cybernetics.

I have a presentation in the Fall called IBM i Security: Perception vs Reality. I needed to test some system security scenarios with malware built by yours truly so my colleague Nathan Williams propped us up an IBM i 7.4 partition. We called it WLECYOTE…because we wanted to drop an anvil on its head.

(more…)

Posted on

Marc Vadeboncoeur, iTech Solutions

Do you want to know, in real-time, who/what is connecting to the TCP/IP environment on your IBM i?  Need to know how much data is going outbound and coming inbound for any specific TCP/IP connection, and have immediate access to a bunch of other cool IP environment metrics and capabilities and control?  Well, the tool to do so is right at the tip of your fingers, and knowing how to use it is absolutely essential to the effective management of your IBM i’s network connectivity.

The NETSTAT command on your IBM i is the de facto go-to resource that you need to get a 360-degree view of what’s going on with all the TCP/IP activity on your system, yet many clients that I work with have never even heard of it, and if they have heard of it they don’t really know what it does and the critical management capabilities that it offers.

(more…)

Posted on July 30, 2020

Nathan Williams, iTech Solutions

With the push to secure all data traffic to our critical systems, many organizations are moving to secured versions of classic technology. One project we see repeatedly is the switch from insecure FTP to encrypted FTPS. Not to be confused with SFTP, FTPS stands for FTP over SSL/TLS and it is to FTP what HTTPS is to HTTP. Just like secure web pages, FTPS uses a system of certificates to encrypt and secure FTP transfers. If you’re making the switch to FTPS, you may find that you begin to receive the error message “Secure connection error, return code -23” when you attempt to connect to another system.

Return code 23 means the certificate in use on the remote server is not signed by a trusted authority. This is caused by one of two things:

  1. The server is using a self-signed certificate
  2. The server is using a commercial certificate issued by an entity for which IBM i does not have a built-in root certificate.

To correct this, the CA certificate used to sign the server’s certificate needs to be imported into DCM on the IBM i and marked as trusted. You will need to obtain a copy of that CA certificate in the form of a .cer file which needs to be placed in the IFS where DCM will be able to read it. The server administrator should be able to provide this file or tell you how to obtain it.

If the certificate being used was issued by a commercial entity, you may be able to download what you need directly from the issuer’s website (assuming you can figure out who that is). Once the CA is trusted by the system then all certificates signed by it—including the one in use on this FTP server—will automatically be trusted by extension. That should eliminate the error.

(more…)

Posted on

Marc Vadeboncoeur, iTech Solutions

When managing your IBM i environment, is time on your side?

Do you still manually maintain the system clock on your IBM i system and occasionally adjust it to exactly the right time and/or still manually correct it in the Spring/Fall when we roll the clocks forward/backward?  Well, read on, and we’ll tell you how to configure the system to automatically do that for you so you can put your system’s clock management on full autopilot.

Your IBM i operating system includes built-in support for the industry-standard NTP (Network Time Protocol) client.  This functionality enables you to configure your system as an NTP “client” where the system will continually reach out to public time servers and/or local time servers already on your network to automatically adjust your system clock and keep it always at the precise time.  Your system can not only serve as an NTP client to keep its clock accurate but it can also serve as an SNTP (Simple Network Time Protocol) server to serve-up the correct time to client servers on your network, or it can serve as an SNTP client, but this article will focus on setting-up the NTP client functionality on IBM i as this is typically what most shops need to enable.  Many people think that SNTP and NTP are the same and they are not, both protocols have the same objective, to automatically keep the time on your system correct by referencing an external time server, but NTP client functionality is more complex & precise in how it verifies the correct time and adjusts the system clock, thus it is the time adjustment protocol of choice in most server environments because it provides a higher degree of accuracy and reliability than an SNTP client configuration.

(more…)

Posted on

Steven McIver

Object ownership is very important on IBM i, as often group profiles are used to secure objects, and sometimes programs are compiled to run under the authority of the profile that owns the program. There are times when a decision is made to change the owner of a particular library in order to change the scheme of securing objects, or you may go to restore a library to another system, and realize that the profile that owned the objects on the original system, does not exist on the target system to take the ownership. Sometimes in these cases, the library has hundreds or even thousands of objects in them, and changing the owner of these objects one at a time is just not feasible. There are several ways to resolve this, but certainly, the easiest way is to use the CHGOWN command.

(more…)

Posted on June 24, 2020

Chris Flick, iTech Solutions

Run the DSPTAP *LABELS command to *PRINT. To determine how much save/restore data is on a cartridge, add all the file lengths and multiple by (block length less 4096). This gives you how many bytes are written to the tape.
(more…)

Posted on

Steven McIver

The world has a lot for us to disagree about, but if there’s one thing we can get the whole world to agree on, is that passwords are a major pain. Passwords are the necessary mechanism for securing many things, but where passwords are not required and still allow for secure authentication is where everyone would prefer to be.

IBM i has had the option for public key authentication for SSH users for a long time now. It allows you to establish SSH connections without having to provide a password. This is great for running automated jobs, and for developers who frequently need to access the system. There is a nice Redbook that details the steps for establishing this, and is still a good read for establishing SSH connections from IBM i to another IBM i system, but a recent version of IBM i Access Client Solutions has made it significantly easier to establish public key authentication from your workstation to the IBM i server. I’m going to cover the steps you’ll need to accomplish this.

(more…)

Posted on

Marc Vadeboncoeur, iTech Solutions

The sweetest things in life are free, right?

If you have ever had a complex support case with the IBM i support team in Rochester, they may have instructed you to install the “QMGTOOLS” system utility to gather and also possibly send critical problem-solving information to them to help resolve your system’s issue.  The “MG” in “QMGTOOLS” stands for “Must Gather” as the genesis of the tool was a requirement to package a bunch of commands that collect information that “must be gathered” to resolve certain kinds of support issues.  For many of you, working with QMGTOOLS to provide info to IBM on a technical problem may have been the first time that you’ve ever dealt with the QMGTOOLS utility package, and for many of you who have only worked with QMGTOOLS at IBM’s direction on a support case, or, never even heard of it, read on…

(more…)

Posted on May 27, 2020

Marc Vadeboncoeur, iTech Solutions

Our monthly newsletter topics here at iTech Solutions typically zero-in on purely technical subjects related to IBM i hardware/software and system-level functionality, but every now and then a topic comes along that is more development-related in nature but is also so technically noteworthy that it has both development-level and technical-level relevance, and this is one of those topics.

The SQL tsunami has long since taken over the IBM i world with most every shop doing some form of SQL development, it could be in the form of embedded SQL in ILE RPG programs, creating SQL stored procedures, etc., or deploying 3rd-party apps that use native SQL for all of their database I/O.  While most IBM i shops are now doing some form of SQL development work, most installations do not have a database administrator on staff and thus the task of “tuning” the SQL environment on IBM i for optimal performance sometimes falls onto an applications developer who may not be aware of the very powerful DB2 database performance tooling that is available right now that’s baked-into the IBM i software environment, and one of those powerful tools is Visual Explain in IBM’s Access Client Solutions client software.

(more…)

Posted on

Steven McIver

Savings objects from the Integrated File System (IFS) is not quite as straightforward as saving them from the QSYS.LIB file system using commands such as SAVOBJ and SAVLIB. For example, a SAVLIB command has a parameter called DEV where you can simply specify the name of the device you want to use for the save. This could be a tape drive like TAP01 or a tape library like TAPMLB01. It could also be a save file, in which you would specify *SAVF and then the name of the save file on the SAVF parameter.

(more…)

Posted on

Pete Massiello, iTech Solutions

After a recent iTech Sips and Tricks, I was speaking to David Larsen from Cabinetry by Karman in Utah, and he had a great tip that he wanted to share with everyone.  So, he sent me some information that I reformatted as a technical tip for our newsletter.  Thanks, David !!!

If you have ever used the Display Job Table (DSPJOBTBL) command to see the number of jobs on your system, you might have seen more jobs than you can account for. There can be more total jobs than actual jobs in the system when there are PENDING job logs. There is no output in the out queues, making the system appear to have “phantom” jobs in the system.  You can have this problem if the system value QLOGOUTPUT is sent to *PND, and not *JOBEND, or the job description has JOBLOG *PND, instead of *JOBEND. Changing the value to *JOBEND will produce a joblog. When the value is *PND, the job log will not be produced.  The job log remains pending until removed.

(more…)

Posted on

Amy Upton, iTech Solutions

Here’s a command for your startup program for MIMIX to determine if you are on the source or target:

MIMIX/RTVSYSDFN SYSDFN(*LOCAL) RTNSYSDFN(&LCLSYS)

When you are running MIMIX, you want to have two startup programs for your source and target. You do not want to start all your applications on your target but certainly do on your source.

You can use one program with the command above and then it will determine which system and will run the correct startup program automatically. This MIMIX command will give you the local system name defined MIMIX, so it will know if you are switched and run the correct startup program.

You can then run your startup program once you are switched and it will start all the applications you have in the startup program. This will also stop MIMIX from replacing your startup program since they will always be the same on both sides and then will execute the correct program.

Posted on April 28, 2020

Pete Massiello, iTech Solutions

It’s been my favorite enhancement of this latest round of Technology Refreshes (TR) for 7.3 and 7.4.  Partially because it was my request to IBM for this enhancement.  So, let me tell you something about that. A while ago we needed an enhancement to IBM i for virtualizing tape libraries.  I put in a Request For Enhancement (RFE) into IBM stating I wanted to share a tape library between IBM i partitions while using IBM i hosting IBM i.  Currently, we can share a tape drive between partitions without moving the adapter from the hosting partition, however, we couldn’t share a tape library.  IBM accepted the RFE and this is part of the latest TR announced last week.  Any customer can put an RFE in, and I encourage you to put your requests in. I will tell you IBM listens to our community’s needs and delivers them with new TRs and OS release features.  I was part of the beta team testing this out and I can attest it works.

(more…)

Posted on

Marc Vadeboncoeur, iTech Solutions

We maintain many customer systems here at iTech, and one thing that seems to be consistent now across all of our customer environments is that system IFS (Integrated File System) directories are getting very large.  Many systems that we manage now have IFS root directories containing over 1 million objects!

Large IFS root directories present a problem from a save perspective in that they can take an inordinate amount of time to save using normal IFS save commands such as SAV, SAVBRM, and GO SAVE option #21.  On full system saves of systems with a large population of IFS objects, the save of the IFS can easily take up to 30% or more of the total system save time.

(more…)

Newsletters