March 2010 Newsletter
Spring! I can just feel it in the air as I write this month’s newsletter. It is certainly the season of change, and as I look around we can see it even in our IBM i (AS/400, iSeries, i5, System i) world. Last month IBM delivered some new POWER7 mid to high-end servers that we discussed in the February Newsletter. We have all heard about a new version of IBM i being delivered this spring, version 7.1. While IBM hasn’t made public exactly when it will be delivered, they have been forthcoming regarding many new enhancements. We reported about 7.1 in our October 2009 iTech Solutions Newsletter. There are things changing all around us, but are you changing? Are you keeping up with the new features and functions that are available to you? Are you still on V5R2, V5R3, or V5R4? It’s time to move forward.
One area that I am a firm believer in is education. I believe that learning is a continuous process. You need to invest in yourself, learn new skills, upgrade existing skills, learn new ways of doing things, learn about new technology, learn about ways to improve your life as well as your job; but no matter what you do you need to learn to continue to grow. You can’t learn by going to a one-hour session and then be done for the year. It is a continuous process. I am also very passionate about user groups, because it was there that I learned so much about the AS/400 and now the IBM i. What I have learned at user groups has helped me so much in my career. Don’t forget that there is just as much learning in the formal sessions at user groups as there is in the networking with other users. Therefore, I would like to let you know about two user groups which I think provide excellent educational value. First, there is the Northeast User Group Conference (NEUGC) coming up April 13 and 14th in Framingham, MA. Then right afterwards, May 3rd to May 6th is the Annual COMMON conference, which is having their 50th annual conference this year in Orlando, Florida. Both of these conferences have the best speakers in the world as their subject matter experts and provide an excellent value in meeting your educational needs. I highly recommend both conferences. I have been invited to speak at both conferences, and I look forward to meeting many of you again at these conferences. Here are some of the sessions that I will be presenting:
iTech Solutions can help you improve performance, upgrade i5/OS, perform security audits, implement a High Availability solution, Health Checks, Systems Management, Remote Administration, PTF management, Blade installations, iSCSI Configurations, Backup/Recovery, upgrade an existing machine, or upgrade to a new machine. If you are thinking of LPAR or HMC, then think iTech Solutions. We have the skills to help you get the most out of your System i.
For more information on any of the articles below please visit us at on the web at iTech Solutions or email iTech Solutions. We would love for you to let us know any articles that you wish for the future, or if you enjoy any of the articles in the current newsletters.
Spring Cleaning User profiles.
In the theme of this month’s newsletter, we are going to start doing a little spring cleaning on our user profiles. This is one of the services that we provide during our iTech Solutions iSeries Health-check, as well as some of our remote monitoring services. I thought this would be extremely valuable as I see unused profiles on so many customer machines each month. It just amazes me how many customers don’t do anything to manage user profiles. Have you ever heard the saying, “The strength of a chain is determined by the weakest link in the chain”? Well user profiles are the access into your system, and as such you don’t want user profiles on your system belonging to people who have left the company, user profiles that have default passwords, or user profiles that haven’t had any activity in a few years.
The most important consideration in user profile management is what you do to the user’s profile when the user leaves the companyDo you change the password for the user profile, disable the user profile, delete the user profile, or do nothing with the user profile? I always hear “we can’t delete the profile because it owns objects” or “we can’t delete the profile because we run production jobs from that id”. While both statements have some validity to them, what is really being said is “I don’t want to figure out what objects that profile owns” and/or “I am too lazy to figure out how to run this job from another id”. Ok, I understand everyone is busy and has way too many tasks than time to complete them, but security is important. When someone leaves the company, no matter if it was voluntary or involuntary, their profile should be disabled immediately. Immediately!! That will prevent anyone from using that profile to access your system. This is extremely easy to do with the command CHGUSRPRF USRPRF(profile) STATUS(*DISABLED). When a user profile is disabled, it is not valid for sign-on until an authorized user enables it. Yet, batch jobs can still be submitted for a disabled user profile. This is a great first step, but just a first step. I think you should also change the password for the profile as well, so that if it is enabled, the old password would not be valid for the user profile. However, we are no way near done with this user profile. We need to reassign the objects that this profile owns before we delete it. A good lesson to learn is that you shouldn’t run production jobs from a user’s profile. Instead set up a generic profile that you can use for running batch jobs. Now we need to address objects owned by a profile. The easiest way to see the objects that a profile owns is with the command WRKOBJOWN USRPRF(userprofile). This will give you a list of objects owned. Now comes the hard part. What do you do with this list? Well for that I can’t tell you exactly what to do, but you need to look at each object, and for those objects you wish to keep you, transfer to another user profile. Then delete those objects you don’t want or need. You can’t delete a user profile while it owns objects.
The next security exposure is having user profiles where where no one has ever signed on and may have a default password that you assigned, or similarly user profiles which haven’t signed on in some time. We should also address passwords that haven’t been changed in a while, but I am going to leave that for another month. To tackle the exposure, first I want to get a list of all the user profiles on the system by entering the following command: DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/DSPUSRPRF) . Notice that I put the outfile into QTEMP: this way when I sign off, the file is automatically deleted, and I didn’t leave a file which lists all my user profiles in a library accessible to everyone, like QGPL. Now all I have to do is create a query or SQL over this file to retrieve the information that I need. The SQL statement to list all the profiles that have not signed on this year would be SELECT * FROM QTEMP/DSPUSRPRF WHERE UPPSOD < ‘100101’ ORDER BY UPPSOD. Give this a try, and see for yourself if there are any surprises.
Pretty simple, very effective, and it will prevent unauthorized access to your system. Now all you need to do is set this up to run once a month and keep track of the user profiles on your system. Of course, if you wish, iTech Solutions Managed Services can take care of this and many other system administration tasks for you each and every month. Give us a call or email us.
Remote System Administration
How are you currently monitoring your system? Are you monitoring your replication software? What was the outcome of your last audit? Who checks that backups are done each night? Are you backing up everything you would need in the event you had to recover your system? When was the last time you applied PTFs? Are you in need of an i5/OS upgrade? Are your systems properly being managed and administrated? Is security being managed? What happens when there are performance issues? Who is managing disk growth? These are some of the questions that you need to ask yourself.
Everyone has different requirements for the administration, management, and monitoring of their systems, and iTech Solutions has many different programs that can address those needs. Here at iTech Solutions we design our programs to meet the needs of our customers and can tailor each and every program so that it meets exactly what our customers require. Every customer that I see is doing more and more tasks with the same or less staff. They just don’t have the time or the expertise in many instances to perform the systems administration, management, and monitoring. We can supplement your staff to address any and all of your system administration needs.
Through iTech Solutions advanced IBM i (AS/400, iSeries, System i) Administration & Monitoring Services, iTech Solution’s engineers can remotely perform 99% of the server management functions an engineer can provide onsite, except for those few activities that require someone to physically touch the machine. In those cases, we can utilize our client’s staff or be on-site.
iTech Solutions provides the following as part of our Remote IBM i Administration & Monitoring Services:
Hardware and Operating System Services:
Tape Backup Services:
No matter what support you need, iTech Solutions can provide cost-effective administration, management, and monitoring of your iSeries servers. Our certified engineers have the knowledge, expertise, and experience to keep your iSeries servers running at peak performance. Our services have been proven to reduce IT operating costs by 60% or more while increasing services levels substantially.
Prices starting at just $995 per month for Remote iSeries Administration & Monitoring. For additional information, please email email@example.com
|Managing tapes inside a Tape Media Library.|
You just purchased an autoloader tape media library, but you continue to use it as a tape drive. Ok, don’t feel bad, almost everyone does. But for those who have worked with the tape media library commands, they know media libraries are really fantastic.
First, how do you know if you have a tape media library? Well, if you can only load just one tape at a time into the device, it’s a stand-alone device. So, you don’t have the need for these commands. But if you can load multiple cartridges into the tape device at once it is a tape media library.
If you do have a tape media library, you will notice that when you first connected your tape drive, it created two devices. The first was called TAPMLB01 and the other was called TAP01. Most people don’t know what to do with the TAPMLB01 and just vary it off, and vary the TAP01 device on. Note: You can’t have both varied on at the same time. Many people use the control panel on the tape drive to perform these tape movement functions, but there are CL commands as well that you can use. Once you start using these commands, you won’t want to use the control panel on the front of the tape drive. Here are some of the commands:
If you need help or additional information on using your media library, contact Pete via email at firstname.lastname@example.org
|What files does my Query use?|
How many times have you wanted to know which files are used by some queries? Or perhaps you are making a change to a physical file, and you want to change any queries that use the file which you are changing? You already know that the DSPPGMREF command will tell you what files are used by a program. Well now in V6R1, IBM has enhanced the DSPPGMREF to also show you which files are used by an SQL Packages and Query definitions. Although, there is one drawback: you must go in and change the query once you are on V6R1 and save the query definition for the information to be displayed by the DSPPGMREF command. Any query that hasn’t been resaved since upgrading to V6R1 will not show any information about files being used. If you want to see all what files are being used by every query on your system residing in a user library, enter the command DSPPGMREF PGM(*ALLUSR/*ALL) OUTPUT(*OUTFILE) OBJTYPE(*QRYDFN) OUTFILE(library/outfile) . Now the file outfile in library would have a listing of every file used by your queries. This is an excellent tool to help manage your queries.
If you require any help or would like to learn more about how iTech Solutions can help you manage your environment and get more from your existing system, please contact iTech Solutions.
|Release levels and PTFs|
People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, some times PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and if you had applied the PTF beforehand, you would have averted the problem. Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on iTech Solutions Quarterly Maintenance program.
6.1 V5R4 V5R3 V5R2
Cumul. Pack 10047 9321 8267 6080
Grp Hipers 58 123 169 189
DB Group 13 25 24 25
Java Group 11 22 23 27
Print Group 17 39 20 7
Backup/Recov. 12 29 33 31
Security Group 16 14 7 –
Blade/IXA/IXS 13 14 – –
Http 12 22 17 –
If you have an HMC, you should be running V7R7.1 If your HMC is a C03, then it should stay at V7R3.
For your Flexible Service Processor (FSP) that is inside your Power 5 or Power5+ (520, 515, 525, 550, 570), the code level of the FSP should be 01_SF240_382. Power 6 (940x M15, M25, & M50 machines, and 8203-E4A & 8204-E4A) customers should be running EL350_038. For Power6 (MMA, 560, and 570 machines) your FSP should be at EM350_038. If you have a Power6 595 (9119-FMA) then you should be on EH350_038. POWER7 the firmware level is AL710_043.
If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.