June 2010 Newsletter

Greetings!
 

It certainly was a busy month in June for IBM i (i5/OS) upgrades as well as new machine installations, and it looks like July and August are going to continue that trend.

 

We are continuing to work with our customers in helping them upgrade to V6R1 and V7R1.  In some cases where program conversion was going to take too long, we have used our machines for program conversion, and allowed the customer to reduce their total downtime (due to program conversions) by 90%. Another reason to look towards iTech Solutions for help with an upgrade.

 

This month two of our articles focus on new features and functions in V6R1 & V7R1.  Both these releases are extremely stable, and where you should be if you are an IBM i (AS/400, iSeries) shop.

We have packed a lot of information into this newsletter, and I hope that you find this useful. This issue of our newsletter has four articles. In the first, we will discuss a new feature in V7R1 for managing disks. The second some new system values in V6R1 that control security and passwords. The third article is about older HMCs and the levels of code they support and what is required for POWER7 hardware. The last article is for your reference with updated PTF information.

iTech Solutions can help you improve performance, upgrade i5/OS, perform security audits, implement a High Availability solution, Health Checks, Systems Management, Remote Administration,  PTF management, Blade installations, iSCSI Configurations, Backup/Recovery, upgrade an existing machine, or upgrade to a new machine.  If you are thinking of LPAR or HMC, then think iTech Solutions.  We have the skills to help you get the most out of your System i.

For more information on any of the articles below please visit us at on the web at iTech Solutions  or  email iTech Solutions.  We would love for you to let us know any articles that you wish for the future, or if you enjoy any of the articles in the current newsletters.

 

 

Removing Disks from the system in V7R1.

 

        One of the hardest parts of a hardware upgrade is trying to do as much as possible with the shortest outage for the customer.  When working with disks, we always had to put the system into a dedicated state to remove disks from an Auxiliary Storage Pool (ASP).  We could add disks to an ASP while the system was up and running, but we couldn’t remove them. 

While I was down at COMMON in Orlando, I was talking to Sue Baker of IBM Rochester, and she told me about this new feature in 7.1 that allowed removing disks from an ASP while you were up and running.  So, when I returned from COMMON, I had to check this out.  As a side note, again the value of attending COMMON and other user groups is the information that is gathered, at both regular sessions and in informal discussions.  This value always seems to outweigh the costs of these conferences. I signed onto SST on one of our 7.1 machines and right there in Work with Disk Configuration was the option to remove disks from configuration. 

Now, when you are removing disks you don’t have to go into Dedicated System Tools (DST).  As an example, if you were going to replace your older SCSI disks with SAS disks in a 5886 draw, you would be able to add all the new disks to the ASP while you were up and running, and then remove all the old SCSI disks (except the load source) from the ASP while your users were on the system.  Please note that when we did this, it did create a lot of disk activity, so your users might notice a slow down, but they can certainly continue to work.  Now the only limitation is the migration of the load source, this requires you to have a dedicated system.  Still you can do all your other disk migrations during the day, and then you would only need downtime for the load source migration.  This is another great new feature in 7.1

  Password Security.
Security is something that everyone needs to be concerned with, and as System Administrators it is our job to insure that the systems for which we are custodians are safe and secure.

There are a few new System Values that have been introduced at 6.1 which are worth discussing.

The first is QPWDCHGBLK (Block password change). This specifies the time period during which a password is blocked from being changed following the prior successful password change operation. This system value does not restrict password changes made by the Change User Profile (CHGUSRPRF) command. A change to this system value takes effect immediately. The shipped value is *NONE . This can prevent someone from changing their password repeatedly until it is back to its initial value.

Hours can be *NONE where there is no restriction on how frequently a user can change a password,or it can be a value between 1-99, which indicates the number of hours a user must wait after the prior successful password change operation before they can change the password again.

The next one is QPWDEXPARN (Password Expiration warning). This gives you the ability to control when the warning messages indicating that a user is required to change their password will start to appear. This value can be from 1 to 99 days, and defaults to 7 days.

QLMTDEVSSN – This doesn’t have to do with Social Security numbers, but rather it limits the number of device signon sessions. This used to be limit or don’t limit in previous releases to 6.1, but now you can specify a number of sessions that people can signon to.

When you really need to control the passwords that your users create, this next system value, QPWDRULES, can give you a lot of customization. In fact, I think it gives you too many functions. One of the best changes you can do is to give the users the ability to create long passwords with upper and lower case letters, numbers, spaces, and other special characters.   This allows people to use phrases which are easy for the creator to remember, and hard for a hacker to figure out. You don’t want to make passwords so difficult for people that they have to write them down on paper to remember them.

The System value QPWDRULES specifies the rules used to check whether a password is formed correctly. Changes made to this system value take effect the next time a password is changed. The shipped value is *PWDSYSVAL.

 

Password rules

When QPWDRULES is set to *PWDSYSVAL, then QPWDRULES is ignored and the other password system values are used to check whether a password is formed correctly. Specifically, the QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT system values will be used instead of QPWDRULES

Note: If any value other than *PWDSYSVAL is specified for QPWDRULES, the QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT system values are ignored when a new password is checked to see if it is formed correctly.

The following values of QPWDRULES provide the control of passwords as the values are defined.

*CHRLMTAJC – The password may not contain 2 or more occurrences of the same character that are positioned adjacent (consecutive) to each other. This value cannot be specified if the *CHRLMTREP value is also specified

*CHRLMTREP The password may not contain 2 or more occurrences of the same character. This value cannot be specified if the *CHRLMTAJC value is also specified

*DGTLMTAJC The password may not contain 2 or more adjacent (consecutive) digit characters.

*DGTLMTFST The first character of the password may not be a digit character. This value cannot be specified if *LTRLMTFST and *SPCCHRLMTFST values are also specified

*DGTLMTLST The last character of the password may not be a digit character. This value cannot be specified if *LTRLMTLST and *SPCCHRLMTLLST values are also specified.

*DGTMAXn – Where n is a number from 0 to 9. Specifies the maximum number only one *DGTMAXn value can be specified. If a *DGTMINn value is also specified, the n value specified for *DGTMAXn must be greater than or equal to the n value specified for *DGTMINn.

*DGTMINn Where n is a number from 0 to 9. Specifies the minimum number of digit characters that must occur in the password. Only one *DGTMINn value can be specified. If a *DGTMAXn value is also specified, the n value specified for *DGTMAXn must be greater than or equal to the n value specified for *DGTMINn.

*LMTSAMPOS The same character cannot be used in a position corresponding to the same position in the previous password.

*LMTPRFNAME -The uppercase password value may not contain the complete user profile name in consecutive positions

*LTRLMTAJC – The password may not contain 2 or more adjacent (consecutive) letter characters.

*LTRLMTFST -The first character of the password may not be a letter character. This value cannot be specified if *DGTLMTFST and *SPCCHRLMTFST values are also specified. If the system is operating with a QPWDLVL value of 0 or 1, *LTRLMTFST and *SPCCHRLMTFST cannot both be specified.

*LTRLMTLST -The last character of the password may not be a letter character. This value cannot be specified if *DGTLMTLST and *SPCCHRLMTLST values are also specified

*LTRMAXn – Where n is a number from 0 to 9. Specifies the maximum number of letter characters that may occur in the password. Only one *LTRMAXn value can be specified. If a *LTRMINn value is also specified, the n value specified for *LTRMAXn must be greater than or equal to the n value specified for *LTRMINn.

*LTRMINn – Where n is a number from 0 to 9. Specifies the minimum number of letter characters that must occur in the password. Only one *LTRMINn value can be specified. If a *LTRMAXn value is also specified, the n value specified for *LTRMAXn must be greater than or equal to the n value specified for *LTRMINn.

*MAXLENnnn – Where nnn is a number from 1 to 128 (without leading zeroes), the maximum number of characters in a password. If the system is operating at QPWDLVL 0 or 1, the valid range is 1-10. If the system is operating at QPWDLVL 2 or 3, the valid range is 1-128 The nnn value specified must be large enough to accommodate all *MIXCASEn, *DGTMAXn, *LTRMAXn, *SPCCHRMAXn, first and last character restrictions, and non-adjacent character requirements. If *MINLENnnn is also specified, the nnn value specified for *MAXLENnnn must be greater than or equal to the nnn value specified for *MINLENnnn. If no *MAXLENnnn value is specified, a value of *MAXLEN10 is assumed if the system is operating with a QPWDLVL value of 0 or 1 or a value of *MAXLEN128 is assumed if the system is operating with a QPWDLVL value of 2 or 3.

*MINLENnnn – Where nnn is a number from 1 to 128 (without leading zeroes). This is the minimum number of characters in a password. If the system is operating at QPWDLVL 0 or 1, the valid range is 1-10. If the system is operating at QPWDLVL 2 or 3, the valid range is 1-128. If *MAXLENnnn is also specified, the nnn value specified for *MAXLENnnn must be greater than or equal to the nnn value specified for *MINLENnnn. If no *MINLENnnn value is specified, a value of *MINLEN1 is assumed.

*MIXCASEn -Where n is a number from 0 to 9. The password must contain at least n uppercase and n lowercase letters. This value is rejected if the system is operating with a QPWDLVL value of 0 or1 because passwords are required to be uppercase. Only one *MIXCASEn value can be specified. If a *LTRMAXn value is specified, the n value specified for *LTRMAXn must be greater than or equal to two times the n value specified for *MIXCASEn.

*REQANY3 -The password must contain characters from at least three of the following four types of characters.

o Uppercase letters

o Lowercase letters

o Digits

o Special characters

When the system is operating with a QPWDLVL of 0 or 1, *REQANY3 has the same effect as if *DGTMIN1, *LTRMIN1, and *SPCCHRMIN1 were all specified.

*SPCCHRLMTAJC – The password may not contain 2 or more adjacent (consecutive) special characters

*SPCCHRLMTFST The first character of the password may not be a special character. This value cannot be specified if *DGTLMTFST and *LTRLMTFST values are also specified. If the system is operating with a QPWDLVL value of 0 or 1, *LTRLMTFST and *SPCCHRLMTFST cannot both be specified.

*SPCCHRLMTLST – The last character of the password may not be a special character. This value cannot be specified if *DGTLMTLST and *LTRLMTLST values are also specified.

*SPCCHRMAXn – Where n is a number from 0 to 9. Specifies the maximum number of special characters that may occur in the password. Only one *SPCCHRMAXn value can be specified. If a *SPCCHRMINn value is also specified, the n value specified for *SPCCHRMAXn must be greater than or equal to the n value specified for *SPCCHRMINn.

*SPCCHRMINn – Where n is a number from 0 to 9. Specifies the minimum number of special characters that must occur in the password. Only one *SPCCHRMINn value can be specified. If a *SPCCHRMAXn value is also specified, the n value specified for *SPCCHRMAXn must be greater than or equal to the n value specified for *SPCCHRMINn.

As with any system change you need to understand the repercussions with changing these values, and most importantly inform your users that you will be making these changes so they understand what new passwords would be valid when it is time for them to change their password. If you would like help or assistance in creating a better security policy for your machine, please contact iTech Solutions at info@itechsol.com

Older HMCs.        
 IBM has released 7.7 of the HMC licensed code which has some great new functionality, but unfortunately this release doesn’t run on some of the older HMCs. The HMC Model 7310-C03 cannot be upgraded to HMC Version 7.7.  If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later deskside HMC.  The reason is these early HMCs don’t have the memory, disk storage, or processor speed to hand all the new features and functions found in this new release.  If you have one of these older HMCs, they will continue to run, but can only be upgraded to 7.3.5
The POWER7 based Power Systems require that you have 7.7.1 with Service Pack 1 level of HMC code installed on your HMC, so we can see how this could be a problem for customers upgrading to a newer POWER7 machine. For those customers, you will be required to purchase a new HMC (there is no MES upgrade path).  If you have an older HMC managing a POWER5 or POWER6 machine, then you can upgrade it as far as 7.3.5, but you are really fine for awhile. I would certainly recommend getting up to that level.  When you eventually upgrade to a POWER7 machine, you will need to get a new HMC which will support the latest HMC code.  If you already have a newer HMC, I would certainly advocate upgrading it to 7.7. Remember as with any upgrade, you need to check the level of code in your Flexible Service Processor (FSP) to make sure the two levels are compatible.  If you require any help in either upgrades, please contact iTech Solutions for information on having us perform the upgrade with you or for you.
Release levels and PTFs
 

People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system.  I updated this article from last month with the current levels of PTFs. Let’s look at PTFs.  First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring.  In addition, some times PTFs add new functionality, security, or improve performance.  Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly.  If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and if you had applied the PTF beforehand, you would have averted the problem.  Therefore, I think a quarterly PTF maintenance strategy is a smart move.  Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs.  Below is a table of the major group PTFs for the last few releases.  This is what  we are installing for our customers on iTech Solutions Quarterly Maintenance program.

Releases

7.1   6.1    V5R4    V5R3
Cumul. Pack    10096   10047   10117     8267

Grp Hipers             6        65       130      169

DB Group                2       14         26       24

Java Group             2       12         23       23

Print Group             –       17         40       20

Backup/Recov.        3       16        34      33

Security Group         2       17       14        7

 

Blade/IXA/IXS          1       15       14        –

 

Http                         2      14       23       17

 

 

The easiest way to check your levels is to issue the command WRKPTFGRP.  They should all have a status of installed, and you should be up to the latest for all the above, based upon your release.  Now there are more groups than the ones listed above, but these are the general ones that most people require.  We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit.  The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released.  Therefore, if we look at the cumulative package for V5R4, the ID is 9104. We can determine that it was created on the 104th day of 2009, which is April 14, 2009.  Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.  I left V5R1 off the list, because if you are on V5R1, you don’t need to be worrying about PTFs, you really need to be upgrading your operating system.  The same can be said for V5R2 and V5R3, but there are still customers who are on those releases.

If you have an HMC, you should be running V7R7.1  If your HMC is a C03, then it should stay at V7R3.

 

For your Flexible Service Processor (FSP) that is inside your Power 5 or Power5+ (520, 515, 525, 550, 570), the code level of the FSP should be 01_SF240_382. Power 6 (940x M15, M25, & M50 machines, and 8203-E4A & 8204-E4A) customers should be running EL350_063.  For Power6 (MMA, 560, and 570 machines) your FSP should be at EM350_063. If you have a Power6 595 (9119-FMA) then you should be on EH350_049. POWER7 the firmware level is AL710_065.

 

If you need help with upgrading your HMC or FSP just give us a call.  We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.

Leave a Reply

Your email address will not be published. Required fields are marked *

*