iTech Solutions - for all of your IBM i System needs
The world has a lot for us to disagree about, but if there’s one thing we can get the whole world to agree on, it is that passwords are a major pain. Passwords are the necessary mechanism for securing many things, but where passwords are not required and still allow for secure authentication is where everyone would prefer to be.
IBM i has had the option for public key authentication for SSH users for a long time now. It allows you to establish SSH connections without having to provide a password. This is great for running automated jobs, and for developers who frequently need to access the system. There is a nice Redbook that details the steps for establishing this, and it is still a good read for establishing SSH connections from IBM i to another IBM i system, but a recent version of IBM i Access Client Solutions has made it significantly easier to establish public key authentication from your workstation to the IBM i server. I’m going to cover the steps you’ll need to accomplish this.
The sweetest things in life are free, right?
If you have ever had a complex support case with the IBM i support team in Rochester, they may have instructed you to install the “QMGTOOLS” system utility to gather and also possibly send critical problem-solving information to them to help resolve your system’s issue. The “MG” in “QMGTOOLS” stands for “Must Gather” as the genesis of the tool was a requirement to package a bunch of commands that collect information that “must be gathered” to resolve certain kinds of support issues. For many of you, working with QMGTOOLS to provide info to IBM on a technical problem may have been the first time that you’ve ever dealt with the QMGTOOLS utility package, and for many of you who have only worked with QMGTOOLS at IBM’s direction on a support case, or, never even heard of it, read on…
Our monthly newsletter topics here at iTech Solutions typically zero-in on purely technical subjects related to IBM i hardware/software and system-level functionality, but every now and then a topic comes along that is more development-related in nature but is also so technically noteworthy that it has both development-level and technical-level relevance, and this is one of those topics.
The SQL tsunami has long since taken over the IBM i world, with almost every shop doing some form of SQL development. It could be in the form of embedded SQL in ILE RPG programs, creating SQL stored procedures, etc., or deploying 3rd-party apps that use native SQL for all of their database I/O. While most IBM i shops are now doing some form of SQL development work, most installations do not have a database administrator on staff, and thus the task of “tuning” the SQL environment on IBM i for optimal performance sometimes falls onto an applications developer who may not be aware of the very powerful DB2 database performance tooling that is baked into the IBM i software environment right now. One of those powerful tools is Visual Explain in IBM’s Access Client Solutions client software.
Saving objects from the Integrated File System (IFS) is not quite as straightforward as saving them from the QSYS.LIB file system using commands such as SAVOBJ and SAVLIB. For example, a SAVLIB command has a parameter called DEV where you can simply specify the name of the device you want to use for the save. This could be a tape drive like TAP01 or a tape library like TAPMLB01. It could also be a save file, in which case you would specify *SAVF and then the name of the save file on the SAVF parameter.
After a recent iTech Sips and Tricks, I was speaking to David Larsen from Cabinetry by Karman in Utah, and he had a great tip that he wanted to share with everyone. So, he sent me some information that I reformatted as a technical tip for our newsletter. Thanks, David !!!
If you have ever used the Display Job Table (DSPJOBTBL) command to see the number of jobs on your system, you might have seen more jobs than you can account for. There can be more total jobs than actual jobs in the system when there are PENDING job logs. There is no output in the out queues, making the system appear to have “phantom” jobs in the system. You can have this problem if the system value QLOGOUTPUT is set to *PND, and not *JOBEND, or the job description has JOBLOG *PND, instead of *JOBEND. Changing the value to *JOBEND will produce a joblog. When the value is *PND, the job log will not be produced. The job log remains pending until removed.
Here’s a command for your startup program for MIMIX to determine if you are on the source or target:
MIMIX/RTVSYSDFN SYSDFN(*LOCAL) RTNSYSDFN(&LCLSYS)
When you are running MIMIX, you want to have two startup programs for your source and target. You do not want to start all your applications on your target but certainly do on your source.
You can use one program with the command above, and it will determine which system it is on and run the correct startup program automatically. This MIMIX command will give you the local system name defined in MIMIX, so it will know if you are switched and run the correct startup program.
You can then run your startup program once you are switched and it will start all the applications you have in the startup program. This will also stop MIMIX from replacing your startup program since they will always be the same on both sides and then will execute the correct program.
It’s been my favorite enhancement of this latest round of Technology Refreshes (TR) for 7.3 and 7.4, partially because it was my request to IBM for this enhancement. So, let me tell you something about that. A while ago we needed an enhancement to IBM i for virtualizing tape libraries. I put a Request For Enhancement (RFE) in to IBM stating I wanted to share a tape library between IBM i partitions while using IBM i hosting IBM i. Currently, we can share a tape drive between partitions without moving the adapter from the hosting partition; however, we couldn’t share a tape library. IBM accepted the RFE and this is part of the latest TR announced last week. Any customer can put an RFE in, and I encourage you to put your requests in. I will tell you IBM listens to our community’s needs and delivers them with new TRs and OS release features. I was part of the beta team testing this out and I can attest it works.
We maintain many customer systems here at iTech, and one thing that seems to be consistent now across all of our customer environments is that system IFS (Integrated File System) directories are getting very large. Many systems that we manage now have IFS root directories containing over 1 million objects!
Large IFS root directories present a problem from a save perspective in that they can take an inordinate amount of time to save using normal IFS save commands such as SAV, SAVBRM, and GO SAVE option #21. On full system saves of systems with a large population of IFS objects, the save of the IFS can easily take up to 30% or more of the total system save time.
Before doing a version upgrade on an HMC, make sure that the Machine Type-Model and Serial Number reported in the HMC GUI match those printed on the sticker on the front of the machine. If they do not match, then per IBM do not attempt an upgrade.
Moving files between IBM i systems can sometimes be a cumbersome task, but a feature added to IBM i Access Client Solutions in recent versions allows you to transfer files from a single system to multiple systems. The main requirement is that you have to have IBM i NetServer started on the source system and all the target systems of the transfer.
This feature can be found in the Integrated File System function under General tasks.
We had a customer recently who had someone locking out a service account on IBM i. This service account ran their BI dashboard. The question was asked: “how can we find out who did this?”
Using the audit journal, we have the ability to find out where the bad password requests came from. When you narrow down the where, the who becomes much easier to figure out.
If you are auditing your security events (which you should be) then you can do the following steps. You’ll need your QAUDLVL system value to include *AUTFAIL and *SECURITY. If you don’t audit security events, check this IBM technote to start doing so: http://www-01.ibm.com/support/docview.wss?uid=nas8N1014712.
Many of you are familiar with the PASE runtime environment that IBM i has had for many years. If you have licensed program 5770-SS1 option #33 (Portable App Solutions Environment) installed, then you have it running on your system. The PASE environment is the secret sauce that enables AIX/Linux apps to run on your IBM i. One very common misconception is that PASE on IBM i is an AIX/Linux “emulation” environment, but it is not. PASE supplies a collection of AIX shared libraries that run directly on the same IBM Power processor that IBM i runs on. Because it is a true AIX/Linux environment interacting directly with the Power-based processors and not an emulated one, PASE on IBM i runs apps at the same performance level as if they were running natively on an AIX/Linux system. PASE on IBM i is significant in that it opens up the IBM i to the vast world of free Open Source applications that are out there now in the mainstream.
This is only occurring on Power9 servers, and you need to get the FSP firmware updated, as well as a patch for IBM i. If you don’t have the patches, do not use concurrent maintenance, or dynamic LPAR on POWER9 servers under the following conditions:
Without the fix applied, the server can go to an incomplete state during the operation requiring server level IPL to recover.
With its unique integrated architecture, the IBM i system has many inherent strengths, not the least of which is fully baked-in and robust save/restore functionality. When you save an object on the system such as a file or a data area or a program in a user library with commands such as SAVLIB or SAVOBJ, the system will inform you on the “when” and the “where” of the save of that object by displaying the saved date/time of the object and the save media or save file used to do the save. For example, if you want to know the last time file QRPGLESRC in library QGPL was saved and what it was saved to, you would simply execute command DSPOBJD OBJ(QGPL/QRPGLESRC) OBJTYPE(*FILE) and take option #5 to display the full attributes, and then scroll down to the last screen where the system tells you the last save date and time and the tape volume ID or save file used to save the object. This is basic functionality that we are all familiar with.