Newsletter

This newsletter includes:

• • Do You Know Where Your Audit Journals Live On Your System?
  • Protecting your IFS with Anti-virus and Anti-ransomware Solutions
  • Information Technology – Proactive or Reactive Perspectives
  • iTech iTip Videos
  • Sips & Tricks: Coffee with iTech
  • iBasics: IBM i Education for the Beginner System Administrator
  • Let iTech Take You Out to the Ballgame  ⚾
  • Upcoming Events
  • iTech Spotlight
  • IBM i, FSP, and HMC release levels and PTFs (May 2022)

IBM announced IBM i 7.5 with a host of new features and functions at the beginning of the month.   Plenty of security enhancements, DB2 for i enhancements, general OS improvements, DB2 Mirror for i, and of course Merlin.  Merlin stands for Modernization Engine for Lifecycle Integration.…

This newsletter includes:

• • Consuming Journal Receiver Data Easily with SQL
  • Yes or No to Managed Service Providers?
  • Securing Spool Files
  • iTech iTip Videos
  • Sips & Tricks: Coffee with iTech
  • iBasics: IBM i Education for the Beginner System Administrator
  • Let iTech Take You Out to the Ballgame  ⚾
  • Upcoming Events
  • iAdmin Spring 2022 – Register Now!
  • iTech Spotlight
  • IBM i, FSP, and HMC release levels and PTFs (April 2022)

Well from reading Steve Will’s blog this month, we know the next release of IBM i is very, very close to being announced. That is great news for IBM i customers. There are a lot of really cool features that have been added to this next release, and I can’t wait to tell you all that I know on Announcement day. In fact, we will show you just how easy it is and everything you need to know to upgrade to the next release of IBM i as soon as it is announced. I think the other benefit for the whole community, is that the roadmap gets updated and we will still have at least 2 more releases of IBM i still to come out after the one this year. That pushes IBM i support probably out to around 2035ish by simple math applied to the current schedule.…

This newsletter includes:

• • Perform VIOS Backups to Your HMC
  • Lock Into the Future of Power10
  • What is a “UAK”, Why Do I Need One, and How Do I Update It?
  • iTech iTip Videos
  • Sips & Tricks: Coffee with iTech
  • iBasics: IBM i Education for the Beginner System Administrator
  • Let iTech Take You Out to the Ballgame
  • Upcoming Events
  • iAdmin Spring 2022 – Register Now!
  • iTech Spotlight
  • IBM i, FSP, and HMC release levels and PTFs (March 2022)

March Madness is certainly going on here at iTech.   Let me tell you what I mean by that.

First, we have had a record number of POWER Systems and SAN Storage happen this month.  We have our team all over the US installing new Power Systems and SANs.  I can see it just looking at my team’s calendars, but also in all our project plans we do with each customer during the installation process.  Depending on the configuration, options, number of partitions, etc that checklist can be anywhere from 100 to 300 steps for an installation. Each installation has its own unique project plan.  So, it’s not just the installers, it’s the project managers and the rest of the technical team.…

With the armed conflict in Ukraine developing, we forecast Russian and Belarussian cyber-attacks against Western nations to escalate imminently. This page will be updated as the situation unfolds.

While critical infrastructure customers are likely the most obvious targets, you need to be prepared to defend against cyber-attacks and protect your business no matter your industry. Every organization is at risk.

The following is a quick cheat sheet of proactive advice for your IBM i:

• Ensure you have a recent and successful full system save readily available
  • On the GO SAVE menu, this happens when you take option 21.
  • If you run Backup and Recovery Media Services, ensure you have a good *SYSTEM backup.
  • If you don’t have a recent full system save then please schedule it ASAP. We can only recover what you save.
• Download the latest Licensed Internal Code resave for all IBM i releases you are running in case the need arises for a bare-metal recovery
• Ensure you are auditing security events on your IBM i
  • Run command DSPSECAUD to check your security auditing status
  • Federal law enforcement will want extended logging that QHST and the QSYSOPR message queues do not provide
• Reduce the amount of read/write-capable file shares
• Stop sharing critical IBM i directories such as
  • Root (/)
  • /QIBM
  • /QOpenSys
  • /QDLS
• Do not share critical user data directories if at all possible
• For all user directory file shares, ensure that proper object security is in place
  • Exclude *public
  • Only allow the users you want to allow access
• Considerably reduce the number of users with special authorities, especially *ALLOBJ.
• Ensure you have minimal to zero Network Address Translation rules that directly forward port traffic from your firewall to your IBM i. Do not assume. Have your network team prove this out to you well in advance.
• Ensure you are up to date on Program Temporary Fixes (PTFs)

More generally speaking:

• Educate your users that:
  • Foreign cybersecurity attacks are imminent and likely.
  • Any suspicious activity must be reported immediately.
  • Take precautions when opening email attachments or if asked to provide secure information over the phone/Internet

If you suspect you’ve been breached, please contact one of the following federal authorities:

• United States:
  • Department of Homeland Security
    • Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Secret Service
  • Department of Justice
    • FBI
  • If you notify any single DOJ or DHS entity, the other two are notified on your behalf. There is

This newsletter includes:

• • Permanently Applying PTFs & Why Doing So is Important
  • How Does Power Systems Fit in My Organization?
  • A Simple IBM i Penetration Test Lesson – Part 2
  • How To Explain Cloud Services To Your Mother
  • IBM i Journaling Management 
  • iTech iTip Videos
  • Sips & Tricks: Coffee with iTech
  • iBasics: IBM i Education for the Beginner System Administrator
  • Let iTech Take You Out to the Ballgame
  • Upcoming Events
  • iAdmin Spring 2022 – Save the Date!
  • iTech Spotlight
  • IBM i, FSP, and HMC release levels and PTFs (February 2022)

We received some great Valentine’s Day gifts from our IBM i’s all over the world, I think it was how we treated them, but is it because at iTech Solutions we know what to do, when to do it, and how to do it when it comes to IBM i? That is a good reason. Just so you know, our feelings are mutual, as we love our IBM i machines as well. Maybe it was our red shirts for valentine’s day?  In either case, you know when dealing with iTech Solutions your IBM i will be in good hands.…

This newsletter includes:

• • BRMS – Omitting Constantly Locked Files
  • What is Zero Trust?
  • Shut Down Those /QIBM Shares
  • Understanding Storage Options for IBM i
  • IBM i Security Resource Page
  • iTech iTip Videos
  • Sips & Tricks: Coffee with iTech
  • iBasics: IBM i Education for the Beginner System Administrator
  • iPOWER Hour Episode 36: Log4j2 Vulnerability: Are You Affected?
  • Upcoming Events
  • iTech Spotlight
  • IBM i, FSP, and HMC release levels and PTFs (January 2022)

Well, I thought by 2022, we would be back to normal life, but unfortunately, it doesn’t seem that the start of 2022 is any different than the start of 2021. By now it is clear that both 2020 & 2021 were unprecedented years, and 2022 has already been eventful. Let’s hope that with people getting vaccines and boosters, plus with everyone catching Omicron, getting back to normal is right around the corner.  I said this last year, “It is hard to say what will happen a month from now, much less a whole year!” boy was that ever true.…

Updated as of January 10, 2022 for the affected Products and Versions

On December 2021, CVE-2021-44228 was announced as a critical zero-day vulnerability and detailed the capability of remote code execution on systems using Log4j versions 2.0 through 2.15. This was one of the largest patch updates efforts in history.

IBM is regularly releasing new information on Log4j vulnerabilities and related mitigation recommendations. Other vulnerabilities have been since released, such as CVE-2021-45105, CVE-2021-4104 and CVE-2021-45046, which will also be continued to be investigated with remediation recommendations.

IBM has been publishing subsequent remediation recommendations in their PSIRT blog and security alerts.

Given that Log4j architecture has been continuously investigated over the last month there’s a lot of noise on the subject. People may think that they’re “one and done.” That is not necessarily the case. iTech Solutions will provide more clear insight on risk and remediation as new information becomes available. This blog entry will be a living document, outlining each Log4j CVE and remediation requirements as per IBM for their products.

For customers using versions of Log4j in custom applications, we would encourage you to either upgrade to the latest version of Log4j if possible or investigate different options for logging solutions for those custom applications.

There are a few different ways to determine what versions of Log4J are installed on your system:

1. Scott Forstie has posted a handy script using IBM i Services located here. Please note that this works for IBM i 7.3 and higher. https://gist.github.com/forstie/9662d4c302f5224c66b7a4c409141a2c
2. For 7.2 or lower, you can use the following shell script. The script posted the other day did not account for case sensitivity whereas this does:

qsh
cd /
find . -type d \( -path ./QDLS -o -path ./QFileSvr.400 -o -path ./QIMGCLG -o
-path ./QNTC -o -path ./QOPT -o -path ./QSYS.LIB -o -path ./QSYS.LIB \) -prune -o -name ‘*[lL][oO][gG]4[jJ]*’ -print

Vulnerability: CVE-2021-45105
Type: DoS
Description: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Severity Score: 4.3
Published: 2021-12-18
Affects IBM i: Yes
Affected Products: DB2 Web Query versions 2.2.1 and 2.3.0. IBM WebSphere Application Server versions 8.5 and 9.0.
Remediation:  https://www.ibm.com/support/pages/node/6537454, https://www.ibm.com/support/pages/node/6538148

Vulnerability: CVE-2021-45046…

These last two years have been years like no other, yet we hope this finds you and your family safe from the virus that has uprooted our daily lives.  Who really knows what the New Year has in store for us all, but just know you will be able to count on us yet again. As 2021 comes to a close, we wish to thank you for allowing iTech Solutions to be part of your team. We hope that our IBM i newsletters, Blogs, Webinars, Sips & Tricks, iTip Videos, Two-Day iAdmin Conferences, iBasics seminars, Slack Channel, and Podcasts have been educational and informative for you and that you have learned from them. We encourage your feedback on what other things we can add to make them more helpful to our customers, and others who read them. Look for even more to come this year in 2022.

We have continued our growth this year adding additional employees to improve our services as well as the breadth of our IBM i offerings. We hope that you have a happy holiday season, with good health, happiness, and prosperity in the New Year.  All of us at iTech thank you for your business, and for the confidence you have placed with us over the years.  We look forward to working together in the coming year, and we will continue to strive to exceed your expectations. Whenever we don’t, please reach out directly to me.…

By now, we hope you have heard about the Log4j2 vulnerability called Log4Shell, and that it can potentially affect your IBM i if you are using certain versions of Log4j2 in any of your applications.

Log4Shell Vulnerability – Need to check if Log4j2 is being used

As with any security vulnerability, one of the best things to do is keep up to date with PTFs. You should be regularly applying IBM PTFs to your system so that known security fixes are installed. If you don’t have the experience to put PTFs on, or you just don’t wish to do it for any reason, we can put PTFs on to your system, either one time, or better on a regular cadence. Contact Ron Dolan at rdolan@itechsol.com for more information.

Over the past week, IBM has been steadily publishing information on what products are and are not affected. The products that have been announced with mitigation recommendations. The products that have been announced as not affected are located here: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/#list-of-products

Please note the following products in the not affected list as of 7:30 AM on December 16^th, 2021 include:

• IBM i Access Family
• IBM PowerHA System Mirror for i
• IBM i Portfolio of products under the Group SWMA
• OmniFind Text Search Server for DB2 for i
• Rational Developer for i
• IBM Application Runtime Expert for i
• IBM Backup, Recovery, and Media Services for i
• IBM Db2 Mirror for i

Areas of concern remain any IBM products that may run on or affiliated with IBM i such as WebSphere Application Server versions 8.5 and 9.0, Hardware Management Console, independent software vendor products or custom software.

To clear up a misconception, the issue is with Log4J 2.0 through 2.15 and not version 1. Versions of Log4J between versions 2.0 and 2.15 only are to be deemed a concern.

There are a few different ways to determine what versions of Log4J are installed on your system:

1. Scott Forstie has posted a handy script using IBM i Services located here. Please note that this works for IBM i 7.3 and higher. https://gist.github.com/forstie/9662d4c302f5224c66b7a4c409141a2c
2. For 7.2 or lower, you can use the following shell script. The script posted the other day did not account for case sensitivity whereas this does:

qsh
cd /
find . -type d \( -path ./QDLS -o -path ./QFileSvr.400 -o -path ./QIMGCLG -o
-path ./QNTC -o -path ./QOPT -o -path ./QSYS.LIB -o …

This newsletter includes:

• Is Your System Using Outdated and Insecure SSL/TLS Security Protocol Versions?
• Why Project Management Matters
• Three Steps to Protect Your IFS
• IBM i Security Resource Page
• iTech iTip Videos
• Sips & Tricks: Coffee with iTech
• iBasics: IBM i Education for the Beginner System Administrator
• iPOWER Hour Podcast Episode 34: Why External Storage Makes Sense for Your IBM i
• Upcoming Events
• iTech Spotlight
• IBM i, FSP, and HMC release levels and PTFs (November 2021)

When you live in the northeast United States, each season has its own charm and is totally unique. Although, nothing beats a New England fall. The leaves turn from green to golden yellow, sunburnt orange, and raspberry reds appear all over the gentle hills and the cool crisp air reminds you that snow isn’t too far away. Fall’s transformation reminds us of the constant change in our lives and the ability we have to create change for others, as well as improve our customer’s IBM i environments. It’s empowering and yet humbling.…

This newsletter includes:

• Advanced Security Testing: Processes Part 1
• Groundhog Day for Malware
• iAdmin Fall 2021
• IBM i Security Resource Page
• iTech iTip Videos
• Sips & Tricks: Coffee with iTech
• iBasics: IBM i Education for the Beginner System Administrator
• iPOWER Hour Podcast Episode 33: Assessing Your IBM i Cybersecurity Risks
• Upcoming Events
• iTech Spotlight
• IBM i, FSP, and HMC release levels and PTFs (October 2021)

October for me is always the start of the second conference season of the year, with a multitude of conferences happening in October.  Unfortunately, two of my favorite the COMMON Fall Conference and IBM Technical University both are virtual events due to COVID. I am so sick of the pandemic, I want to see all my IBM i friends who I see at conferences.  Sometimes, it’s not necessarily the sessions you learn the most at, it is at the informal discussions and networking where you learn the most.…

This newsletter includes:

• How to Make Your E-mail Server Like You!
• Need Another Tape Drive? Go Virtual!
• Types of Mimix Switches and Best Practices
• iAdmin Fall 2021
• Disaster Recovery Resource Page
• iTech iTip Videos
• Sips & Tricks: Coffee with iTech
• iBasics: IBM i Education for the Beginner System Administrator
• iPOWER Hour Podcast Episode 32: Will the “Great Resignation” Leave Your Business Exposed?
• Upcoming Events
• iTech Spotlight
• IBM i, FSP, and HMC release levels and PTFs (September 2021)

With Summer almost in our rear-view mirror, signs of fall are fast approaching. Everyone was expecting a new Technology Refresh for IBM i due later this Fall, but IBM released it earlier with the announcement of the POWER10 Enterprise server. The scale-out servers are coming “sometime” next year is what was announced. This means the POWER9 machines for most of the community are still the bell-weather state of the art, server to migrate to.…