May 2017 Newsletter
Greetings iTech Fan,
May was brutal from a security standpoint. Do you “Wannacry”? If you have been lax in security, then you are probably already in trouble. I hope your systems are safe and secure. Remember, the IBM i is SECURABLE, but not secure out of the box unless you take the measures to implement security. If you think you are secure because you have passwords, oh boy. Security can’t be overlooked. Are you secure? Do you think you are secure? The Wannacry virus underscores the need for all of us, even those in the IBM i community, to pay attention to security. One of our offerings is a security assessment; if you don’t know whether you are secure, you should definitely think about an assessment.
The 2017 iTech Solutions IBM i State of the Union was completed in the beginning of May, and I hope you had a chance to read about where we see the platform currently, and predictions for the future. We have gotten some great feedback already from those who have read the 2017 State of the Union. Check out the iTech Solutions video on our 2017 IBM i State of the Union and later on in this newsletter you will see a link to read the entire document. Turn up your speakers, and click here, or the image below to watch the video.
May was certainly conference month, going to various conferences and meeting so many customers, and prospective customers. Certainly a highlight getting to know you better. Plus we had fun giving out the “i Can do anything… with iTech Solutions” shirts, and playing find the matching button at COMMON. Also at the COMMON conference, IBM had an IBM i connected to Watson. I told you this platform had more years left than you can imagine. Yes, you can connect your machine to IBM Watson and have it help you with various analytics. I went to a session on this, and it was APIs callable via any language. Pretty cool, and much easier than I had envisioned. Well, at the COMMON Conference, IBM had it connected with an application that you could talk into, and it would determine which Harry Potter House you belonged in. It was interesting watching the application interact, and how it moved through various questions based upon your responses and the tone of your replies. True artificial intelligence. See the picture below with Jesse Gorzinski of IBM and Pete Massiello having some fun with the Harry Potter Sorting Hat.
This issue of our newsletter has 6 articles. The first article is on iTech Solutions 2017 IBM i State of the Union. The second article by Steve Pitcher is on Reducing the risk of Disaster doesn’t eliminate the need for a Disaster Recovery Plan. The third article by Charlie Kaplan is about Is your IBM i Recoverable. The fourth article is about determining the true PTF level of WebSphere Application Server as you prepare for an OS Upgrade. The fifth article lists some of the upcoming events in which iTech Solutions will be participating. The last article is for your reference with updated PTF information. Please note that for all 7.1 customers that are on the Quarterly or Semi-annual iTech Solutions PTF maintenance plan, we will be installing the latest PTFs as you are most likely now on Technology Refresh 11. For the 7.2 customers, we will be installing 7.2 Technology Refresh 6, and 7.3 will be Technology Refresh 2.
Some notes on the latest HMC release:
- HMC V8 R8.6.0 will be the last release to support POWER6.
- HMC V8 R8.6.0 will be the last release to allow ‘classic’ UI login (Not happy with that decision).
- HMC V8 R8.6.0 will be the last release that supports the model CR5, CR6 and C08.
- The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.
Having a business partner isn’t the same as having iTech Solutions. If you are not getting the support, the help, the guidance, and the advice you need to succeed, then you owe it to yourself to contact iTech Solutions for all your IBM Power Systems running IBM i needs. We can help you upgrade your AS/400 or iSeries to a Power Systems running IBM i, or even your existing POWER5, POWER6, or POWER7 machines to POWER8.
iTech Solutions’ vast experience can help you improve performance, perform security audits, implement a high availability solution, perform health checks, systems management, remote administration, PTF management, cloud-based systems, hosting, replication, and backup/recovery; upgrade an existing machine; or upgrade to a new machine. If you are thinking of LPAR or HMC, then think iTech Solutions. We have the skills to help you get the most out of your IBM i.
For more information on any of the articles below please visit us on the web at iTech Solutions or email iTech Solutions. We would love for you to let us know any articles that you wish for the future, or if you enjoy any of the articles in the current newsletters.
IBM i State of the Union.
Last year we published our first annual iTech Solutions IBM i State of the Union looking at where the platform has been over the years and seeing what directions it is moving in. Being in touch with members of the IBM i community by visiting customers weekly and attending conferences provides the insight into what shops are doing. One thing is certain, no one is standing still. The IBM i (once known as the AS/400, iSeries, or System i) is still going strong; new applications are being developed, existing ones expanded and modernized, while integrating with a myriad of external sources. Those utilizing the capabilities of the system are forward thinking, innovative companies. Unfortunately, there are still companies trapped in the year 2000. There is a mix of both in this community, but we are seeing more of the former investing in their IBM i and upgrading to utilize the functionality the platform has to offer. Later, we will discuss both these types of organizations as they are interesting and affect us all, as professionals in this industry.
For over 26 years IBM i has gained a well-deserved reputation for security, reliability, and performance which is unbeaten. This is due to the tightly integrated and tested systems delivered by IBM Rochester remaining committed to the calling of being “easy to use and administer.” There is a persistent perception that businesses have moved away from the platform attributed to application availability, green screens dated reputation, emergence of other technologies, and potential lack of skilled professionals. However, companies should be aware this isn’t your grandfather’s AS/400. The playing field has changed. Making business decisions based on antiquated notions of this system being a “has been” is a disservice to the organization and the professionals supporting it. This is often seen……….
To continue to read this, or download the entire iTech Solutions IBM i State of the Union, click here.
Reducing the risk of disaster does not eliminate the need for a Disaster Recovery plan.
The last few weeks have been a not-so-gentle reminder of what malicious code can do when it’s exposed to an unprotected or unprepared computer system. The Wannacry cryptolocker gets the credit for the biggest cyberattack in history, with 300,000 computers infected including Britain’s National Health Service, FedEx and Nissan. While it exploited a Microsoft vulnerability, the widespread chaos unleashed by Wannacry underscores the need for us in the IBM i world to look introspectively and start protecting our environments. The absolute necessity of protecting IBM i with antiviral software is a reality, not a myth. The IBM i Integrated File System can be used as a storage medium for viruses just like any other server that acts like a shared drive for a network.
This doesn’t protect IBM i from attacks via a virus-infected computer, however. If you had a computer on the network that’s infected with malware, any shared drive can be subject to attack if the user has read/write authority to the share and its subfolders or *ALLOBJ special authority. This isn’t out of the realm of possibility. In fact, it’s quite common to find companies with far too many users with *ALLOBJ. Contents of those shared folders are subject to being encrypted and/or deleted. And it’s not only the IFS, either. If for some reason you have QSYS.LIB shared on NetServer, then QSYS objects are now subject to deletion if the authority on those objects is lax or a user has *ALLOBJ.
But if you look deeper, or maybe read between the lines, this is not only a security problem but a much larger backup and recovery problem. Wannacry, like other cryptolockers, attempts to encrypt files and subsequently forces victims to pay a ransom in order to have the files decrypted. While in general this type of problem could be avoided by applying appropriate Windows patches, having adequate antiviral protection, or training users not to open attachments which could be suspect (which is probably the biggest concern of all), the question we’re left with immediately after an attack would be “how do we get the data back?” This isn’t a security issue or a user training issue anymore. This is a disaster recovery issue. Without a properly tested disaster recovery plan, all the security protection, user training and antiviral software you provide could be a moot point, as they’re not 100% effective. They lower the risk of a potential disaster. That’s it. Reducing the risk of disaster does not reduce the need for a disaster recovery plan.
If you look at British Airways last week, which had a worldwide power-related outage effectively stranding 70,000 customers, and compare that with a company brought to its knees by a ransomware attack, the resulting quandary is the same: how do we recover? Some companies are more prepared than others, and those companies will recover faster because of it. If the day comes where we must recover from tape, or by switching over to a hot site, we must execute a plan that’s been tested in advance. If recovering from tape, how do we know our tapes work? Are they tested? We do this for customers who want to determine if their full system save can be recovered. It’s important to test what may be the last resort.
I have a story about an IBM i shop who answered a QSYSOPR message and changed their nightly tapes for years. When they needed to recover from the nightly tapes, it was determined that the operator was answering the message with a C…for “Continue” and effectively canceling half the backup every night. They found that out the hard way because they never tested a single recovery.
What brings a system down may not always be within control but it’s preventable to some degree. As admins, “how we recover” is 100% within our control. If you need assistance with security, antiviral protection or disaster recovery, please contact an iTech Solutions professional. We can work to help you build justification so that you’re never left without an answer to the question: “what do we do now?”
Is Your IBM i Recoverable?
For most IBM i shops, tape backup is their Disaster Recovery plan. In the event that data on the server is lost due to human error, hardware failure, cyber-attack or disaster, the data can be recovered from a tape backup that is ideally stored off-site. Tape backup works and it is reliable, but it takes time. First you need to recover from the incident that caused the loss. That may involve repairing or replacing the server or remediating the agent that caused the data loss. The first step can take hours to days. A full restore from a backup tape can take an additional day. At a minimum it would take a day for recovery using tape backup and it could take a week or more. Can your business tolerate a week long outage?
Experts will tell you that the most important aspect of a Disaster Recovery plan is testing it to make sure that it works when needed. How do you test a Disaster Recovery plan that uses tape backup? You cannot simply do a backup, install a clean version of the operating system on the server and then do a restore. If it doesn’t work right, then you will have lost data, perhaps permanently lost! How do you know that you are saving the right stuff? How do you know that your staff can successfully perform a system recovery? Recovering from a disaster is not the time for on-the-job training.
A full-system-save (Save 21) saves everything on the IBM i server. But it takes time. How much time? That depends on how much is being saved, the speed of the server, the speed of the tape drive and the speed of the interface. Some customers can perform a full-system-save every night. Most cannot. Some IBM i shops do not have a weekly, monthly or even quarterly window large enough to perform a full-system-save. For those in that situation, a full-system-save can only be performed on national holidays when the business is closed. When a full-system-save cannot be done regularly, then daily incremental backups are necessary. When backing up with both full-systems-save and incrementals, the recovery process is even longer and becomes more complicated. That is why you need to know if your recovery process really works.
There are several options for testing recovery using tape backups. You can not only make sure that you are saving the right stuff, but also train the operations staff for recovery.
Options for Testing Disaster Recovery from Tape:
- Backup Server – this option is possible if you have access to a second server that you can use to test recovery. It could be a retired server that you have, as long as it supports the version of the operating system on the current production server and it has enough disk. It could also be a server that you could borrow or rent to test the recovery. If you just installed a new server, before you get rid of the old server, why not scratch install a new OS on it and practice your recovery process. That’s getting the most value out of your old server.
- Virtual LPAR – current IBM servers (Power6 and later) and operating systems (V6.1 and later) allow the creation of a virtual LPAR using hardware resources allocated from the production environment. If you meet the server and OS requirements for Virtual LPAR and have enough available CPU, memory and disk, then you can create a Virtual LPAR and restore the backup to it. Once the restore is completed, the system can be tested and when completed the Virtual LPAR can be removed and the hardware resources returned to the production environment. You will need IBM’s PowerVM software and a Hardware Management Console (HMC) to create and remove the Virtual LPAR.
- Cloud Server – cloud providers can provision a virtual server for you and restore your backup to it. You can then test the recovered server via the internet. Some cloud providers can provision a virtual server for you just for the test. With other cloud providers a longer contract may be necessary.
Options for reducing system outages for tape backup:
- Save While Active – this option has been available on the IBM i since V2R2. It allows backups to occur while the system is active, after reaching a checkpoint. The checkpoint is a point in time when all processing has been stopped and data has become synchronized. This option works well for some customers, but requires skill to implement and operate.
- Faster hardware – this can include a faster tape drive, a faster tape interface (fibre), a faster tape adapter, more memory or disk and even a faster server. All these hardware components contribute to tape backup performance.
- Parallel Backups – using IBM’s BRMS (Backup Recovery Media & Services) you can allocate more than one tape drive to a backup and significantly reduce backup times. This can be done without BRMS, but recovery will be very complicated.
- Virtual Tape Library (VTL) – appears to the IBM i as a tape device, but is actually an appliance that has Hard Disk Drives (HDD) or Solid State Drives (SSD). Backups, and recoveries, are much faster when they use disk devices instead of tape. A tape drive may be attached to the VTL so that a tape backup can be created for off-site storage.
- Cloud Backup – sends your backups to a cloud provider. Since backups to the cloud can be very slow, most cloud backup providers use an appliance that is like a VTL to get the backup performed quickly and then later the appliance sends the backup data to the cloud. With Cloud Backup not only is your data stored safely off-site, your backups should be much faster.
- Data Replication – is a High Availability/Disaster Recovery solution that uses a backup server and data replication software to keep data on the backup server in sync with the production server. In the event of a failure of the production server, the backup server is ready to take over the production workload. Since the backup server has the same data as the production server, backups can be performed on the backup server while the production server is active. That means no downtime for the production server for backups.
- Hardware Replication – instead of using internal disk on your IBM i, external disk is used. External disk systems have various options for replicating data to another external disk system. External disk on the IBM i is a viable solution, but one that requires management and coordination of an additional resource. Most IBM i shops prefer internal storage because it is faster, less expensive and simpler to operate.
If you don’t know if you are saving the right stuff, or if you need to improve your tape backup performance, how do you get started? Find an expert that offers ALL of the possible solutions so that you can work with them to determine which option is the best solution for your environment. iTech Solutions offers all these solutions including IBM hardware, IBM and 3rd Party software and implementation services. To learn more on how iTech Solutions can help you with any backup or restoration, please call us at 203-744-7854 and press 3, or email us.
Determine the true PTF level of WebSphere.
As we do so many IBM i OS upgrades, we always come across items of concern during our preparation. Whether you are upgrading to IBM i 7.1, 7.2, or 7.3, there are minimum versions of Java and WebSphere that you must be at for each release of IBM i. What we find with WebSphere Application Server (WAS) is that people load and apply the WAS PTF group but forget there is a second part to installing the fixes. I am not going to get into how to run the UPDI process to put the actual package onto your WAS software. I want to instead make sure you can determine what level WAS is really running. Then you will know if the latest group level and the version of PTFs applied to WAS are the same.
This works with WAS 6.0, 6.1, 7.0, 8.0, 8.5, and 9.0. With all the dependencies with your OS upgrade, this is a must perform before any OS upgrade. I will give you an example using release 8.5. WebSphere Application Server V8.5 for IBM i group PTF contains PTFs required to run the product. You can find out the current version of WAS V8.5 for IBM i product on your IBM i system by issuing the following command in the QSH environment:
/QIBM/ProdData/WebSphere/AppServer/V85/edition/bin/versionInfo, where edition is:
- Express if you have WebSphere Application Server – Express installed
- Base if you have WebSphere Application Server for Developers, or WebSphere Application Server installed
- ND if you have WebSphere Application Server Network Deployment installed
If you are on WAS version 7, then replace the V85 above with V70. If you are on WAS version 8, change the V85 to V8.
You will now see what level WAS has been patched up to (meaning you have loaded and applied the PTFs, and then run the UPDI process). Getting back to OS upgrades: WAS V7.0 will not work with IBM i 7.2. You must upgrade to either WAS V8.0 (fix pack 8 which is 188.8.131.52) or V8.5 (fix pack 2 which is 184.108.40.206) or later. WAS V8.0 will not work with IBM i 7.3. You must upgrade to WAS V8.5 (fix pack 8 which is 220.127.116.11) or later. You need those fix packs on; therefore, it is important to ensure the fix packs are applied by running the versionInfo script.
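One way to script the check described above, as an added example that is not iTech Solutions' or IBM's own code. The report layout in the sample (an "Installed Product" section with a "Version" line) is an assumption about what versionInfo prints, every version number used is constructed for illustration, and the minimum level is supplied by the caller.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# Build the versionInfo path from the WAS release and edition, using the
# directory names given in the article (V85, V8, V70; Express, Base, ND).
was_versioninfo_path() {
    case "$1" in
        8.5) rel=V85 ;;
        8.0) rel=V8 ;;
        7.0) rel=V70 ;;
        *) echo "unsupported WAS release: $1" >&2; return 2 ;;
    esac
    case "$2" in
        Express|Base|ND) ;;
        *) echo "unknown edition: $2" >&2; return 2 ;;
    esac
    echo "/QIBM/ProdData/WebSphere/AppServer/$rel/$2/bin/versionInfo"
}

# Read a versionInfo report on stdin and print the product version. Only the
# "Installed Product" section is searched, so the "Version Directory" line in
# the Installation section is not mistaken for the version.
was_installed_version() {
    awk '
        /^Installed Product/ { in_prod = 1; next }
        in_prod && $1 == "Version" { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Return 0 if dotted version $1 >= $2, comparing field by field as numbers
# (8.5.5.10 is newer than 8.5.5.9, which a plain string compare gets wrong).
# Anything that is not digits and dots is rejected rather than passed.
version_at_least() {
    case "$1" in ""|*[!0-9.]*) return 2 ;; esac
    case "$2" in ""|*[!0-9.]*) return 2 ;; esac
    have=$1 want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        case "$have" in *.*) have=${have#*.} ;; *) have= ;; esac
        case "$want" in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# Report on stdin, required minimum as $1. Prints one line; non-zero exit
# means the installed level is below the minimum or could not be read.
check_was_level() {
    installed=$(was_installed_version) || { echo "UNKNOWN no version found"; return 2; }
    if version_at_least "$installed" "$1"; then
        echo "OK $installed >= $1"
    else
        echo "BELOW $installed < $1"
        return 1
    fi
}

# Constructed sample of a versionInfo report (not captured from a real system).
sample_report() {
cat <<'EOF'
Installation
--------------------------------------------------------------------------------
Product Directory        /QIBM/ProdData/WebSphere/AppServer/V85/ND
Version Directory        /QIBM/ProdData/WebSphere/AppServer/V85/ND/properties/version

Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server Network Deployment
Version               8.5.5.2
ID                    ND
EOF
}

# On a real system, pipe "$(was_versioninfo_path 8.5 ND)" into check_was_level.
sample_report | check_was_level 8.5.5.10 || true
```

Run it before the OS upgrade with the minimum level your target release requires; a BELOW result means the PTF group was loaded but the fix pack was never applied to WAS itself.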
I can tell you from experience, it is easier to keep everything up to date than to have to catch up when someone hasn’t been keeping up to date with any of these updates. If you would prefer for iTech Solutions to apply your PTFs, then send us an email to firstname.lastname@example.org.
Some of the events that we will be speaking at or exhibiting at are listed below. Don’t forget the iTech Solutions web site at http://www.itechsol.com.
Archived available anytime – Steve Will and Pete Massiello host a session on what’s new for IBM i 7.3.
May 22 – 26, 2017 – IBM Systems Technical University – Hilton Buena Vista Palace, Orlando, FL
Pete will be speaking on:
- Step-by-step guide to creating IBM i partitions hosted by IBM i
- Cool Things in Navigator for IBM i to be a Rock Star Administrator
- What you need to know when Upgrading IBM i to 7.3
- Tips and Tricks to improve System performance and Save Disk Space
June 18 – 21, 2017 – COMMON Europe Congress, Brussels Belgium. Pete will be speaking on:
- What you need to know when Upgrading IBM i to 7.3
- HMC, IBM i, FSP, and Firmware: Putting the pieces together
People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, sometimes PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and if you had applied the PTF beforehand, you would have averted the problem? Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on iTech Solutions Quarterly Maintenance program.
The easiest way to check your levels is to issue the command WRKPTFGRP. They should all have a status of installed, and you should be up to the latest for all the above, based upon your release. Now there are more groups than the ones listed above, but these are the general ones that most people require. We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit. The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released. Therefore, if we look at the cumulative package for V7R1, the ID is 16120. We can determine that it was created on the 120th day of 2016, which is April 29th, 2016. Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.
If you have a Hardware Management Console (HMC), you should be running:
|HMC (CR4 last release)||V7R7.9||
If we have a model listed above in the HMC column, that is the highest level of firmware that model of the HMC can be upgraded to.
- Note that release 8.8.x does not support any POWER5 servers.
- Version 7.7.9 is not supported as of 12/30/2016 and cannot be installed on HMC models C03, C04 or CR2.
- If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later desk side HMC.
- HMC V8R8.1 is supported on rack-mount models CR5, CR6, CR7 and CR8; and on desktop model C08. These listed models meet or exceed the V8R8.1 minimum memory requirement of 2GB; however, 4GB is recommended.
- If you want to manage a POWER8 machine, you need to be on at least HMC 8.8.1.
Some notes on the new HMC release V8R8.6 that just came out:
- Will be the last release to support POWER6.
- Will be the last release to allow ‘classic’ UI login.
- Will be the last release that supports the model CR5, CR6 and C08.
- The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.
If you have a Flexible Service Processor (FSP) your firmware should be:
|Power5 or 5+||520, 515, 525, 550, 570||SF240_418_382||last|
|Power6||940x, M15, M25, M50||EL350_176_038||last|
|8203-E4A, 8204-E8A, 8204-E4A||EL350_176_038||last|
|MMA, 560, 570||EM350_176_038||last|
|Power7||8231-E1B, 8202-E4B, 8231-E2B, 8205-E6B, 8233-E8B, 8236-E8C||AL730_152_035|
|8231-E1C, 8202-E4C, 8205-E6C||AL740_161_042|
|Power7+||8231-E1D, 8202-E4D, 8231-E2D, 8205-E6D||AL770_112_032|
|Power8||8408-E8E, 8284-21A, 8284-22A, 8286-41A, or 8286-42A||
|9119-MHE or 9119-MME||SC860_082_056|
If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.