November 2017 Newsletter

This newsletter includes:

  • iTech is the Solution to Security
  • WebSphere Upgrades Made Easy
  • How to connect to your Advanced Systems Management Interface (ASMI)
  • Lessons Learned Through Many Years
  • Release levels and PTFs

It’s Thanksgiving time here in the US with Christmas right around the corner. Where did 2017 go?  It’s been a great year here at iTech Solutions! We increased our IBM i services and offerings, added significant staff, are working with many new customers, and continuing to assist our existing customers.  There is so much to be thankful for especially the opportunity to work with you.  We won’t let you down. If there is anything that we do that doesn’t exceed your expectations, please contact me directly. I hope with the upcoming holidays approaching you are able to spend it with your family and friends, and that you have much to be thankful for as well.  As many of our readers over the years know, this will be our last technical newsletter of the year.  In December, we publish the much anticipated How iTech Solutions helped Santa save Christmas newsletter.  Our team had our MSP call with Santa and the Elves and there are plenty of new stories so get your stockings hung by the fire and the December issue will be out soon. If you are still on IBM i 7.1 you might want to ask Santa for iTech Solutions to upgrade you to 7.2 or 7.3 before April 30, 2018 so you don’t have to pay the extra Software Maintenance (SWMA) fee that you will encounter.

We are expanding our remote systems administration offerings by adding security monitoring as an additional service.  There has been so many security issues in the news lately, are you sure that your machine hasn’t been affected?  Perhaps you should schedule a security health check to make sure that everything is in order. In addition, we offer an ongoing security monitoring service to keep you secure.  The more connected we become the more opportunities exist for exploitation. This access can allow people from both inside and outside of your company to access data or perform a function that they should not be doing. If this is something you are concerned about, and really everyone should be, then contact our sales group.  They can setup a presentation to discuss how we can help you meet your security goals.  Or better yet, talk to our sales group  by calling 1-203-744-7854 press 3 for sales.

This newsletter has 6 articles. The first article is by Yvonne on iTech is the Solution to Security. The second article by Steve is on WebSphere Upgrades Made Easy. The third article is on How to Connect to your Advanced Systems Management Interface (ASMI). The fourth article is on Lessons Learned Through Many Years.  The fifth article lists some of the upcoming events in which iTech Solutions will be participating. The last article is for your reference with updated PTF information. Please note that for all 7.1 customers that are on the Quarterly or Semi-annual iTech Solutions PTF maintenance plan, we will be installing the latest PTFs as you are most likely now on Technology Refresh 11. For the 7.2 customers, we will be installing 7.2 Technology Refresh 7, and 7.3 will be Technology Refresh 3.

iTech is the Solution to Security.  

iTech Solutions, like all information technology leaders, is concerned about security infrastructure and enhancing our offerings regarding same. We keep up on industry standards and publications, listen to our community and their concerns, and tailor offerings for our customers. To that end there are some general topics that we have found start conversations organizations need.

Many companies realize they need to address security concerns, and they look to their IT department for leadership. That requires IBM i professionals who usually aren’t security experts in the place of evaluating critical strategic needs. Even if the expectation is that a third party will assist in implementing a security solution the internal team must determine fundamental status in the organization to communicate.

Let us help you start this survey.

As is well documented by now, when we address IBM i specific security the biggest threat is internal lapses and failure to secure the system. Frequently this is based on a false sense of security about being on a system which can’t be hacked. We need to look inside our department to determine how to protect ourselves from outside our organization. Most flaws occur in 3 general areas; confidentiality, integrity, availability.

Confidentiality. We must keep data from being accessed from anyone who doesn’t need it. In so many environments the IBM i has helped a company grow from a handful of people to hundreds and unfortunately some lax security has followed. Back in the day customer service needed all access to invoicing and inventory but now those tasks are spilt among different teams with specialized data needs. Letting all three departments unfettered access to each other negates the auditing that prevents fraud and embezzlement. As we acknowledge the need to protect against disclosing information to unauthorized people we start with authorized but unnecessary. This modification can be cumbersome to companies as a highly specialized manager is used to resolving issues and being efficient now needs to work with counterparts. However, for every super user who is now going to need to interface with a slower department there is a curious (or careless) clerk who should not be trusted with company wide information. Data is the lifeblood of your organization, makes sure it is going to the needed departments in the correct sequence. Further, this wide scale access is the easiest exploitation from outsiders who have gotten into your physical location and are intent on causing harm.  As we move into more nuanced issues like confidential data and unauthorized personal getting to same this becomes more complex. Often companies sale through audits with all files and applications locked down per the most recent IBM capability only to fail dismally when it comes to IT access because administrators and programmers have too much authority. The common argument that IT needs to be able to resolve anything that comes at any time is starting to be a known risk. Confidentially and determining where you might have issues is a first place to look when you begin evaluation.

Integrity. As I have written about before, every shop has known “work arounds” that impact data integrity. Unless you are actively preventing data from being manipulated without logging the activity you are at risk. Of course, the reasons these work arounds are in existence is because they are at times necessary; sometimes your only answer for a time might be to record the activity, and then address the need. In determining the correct response and how to prioritize you need to look at what behaviors you engage in that are questionable. First, you want to be preventing unauthorized changes to data. Why might there be a work around for this happening and who has put it in place? What would be the ramifications if locked down? Are there authorized applications that are the only ways to modify data and they don’t allow needed changes? These needs to be documented so the secure modification can be made. Without taking a long hard look at these issues especially how “needed” work arounds can be exploited no one can provide assurance that their data is trustworthy. This is a comprehensive issue – everyone in an organization needs to be committed to the security and integrity of their data! Ask any employee at a breached company if the issue has impacted their career and employment potential.

This brings us to availability. The largest exposure can often be in unknown risks or overlooked consequences. If too many users have too much access to data they can accidently change or delete without even knowing they are. If times and access aren’t monitored an unauthorized entry can abuse or destroy systems. For instance, if the warehouse is closed for maintenance, none of the programs accessing those functions and their associated inventory data should be allowed. If they are there should be an alarm. However, don’t simply think that because alerts are in place that will be sufficient. If a single email alert goes to a warehouse manager over Christmas it can easily be missed. Make sure the robust IBM i is controlling the access and preventing same as needed.

In the coming months iTech is going to continue this discussion and support you as you address these pressing concerns. Now is the time to start planning, or even easier just give iTech Solutions a call, 203-744-7854 and press 3 and we can customize a security solution for you.

WebSphere Upgrades Made Easy.

Updating or upgrading WebSphere Application Server (WAS) on IBM i can be a little arduous especially if you don’t do it too often. Once WAS is set up and working with a production application we find that people would rather not rock the boat and make a change because WebSphere can be daunting to debug. Plus there are some misconceptions about what is actually involved with an update. I’ll try to clarify some of them in this article.

The first misconception is that simply loading and applying the PTF group WebSphere Application Server is all you need to do. All the Group PTF apply does is place an updated code repository in the /QIBM/WAS/WASFIXPACKS directory structure. If you’ve got a number of WebSphere versions on your IBM i partition and you load the Group PTF for each, you’ll see this directory can get subdivided for that reason. For instance, if you have WAS 8.5.5 and WAS 8.0 installed and the PTF Groups for each loaded then you may have a directory structure that contains the following folders:





The second misconception is that a WebSphere update usually involves some work in a shell terminal. This is somewhat true depending on your circumstance. For instance, if you’re doing a WAS 7 to 8.5.5 migration then you should expect some time in front of a shell terminal. However, if you’re simply doing a point release update via PTF then you shouldn’t have to enter a shell at all. If you’re putting up fence posts then you’re going to have to dig some holes. Fortunately, IBM has given us an auger inside Navigator for i, or more specifically the IBM HTTP Administration website.

In order to update WebSphere Application Server using the HTTP Administration utility you need to have the following PTF levels:

IBM i 7.1

Number Minimum level
SF99710 11116
SF99701 12
SF99572 7
SF99368 16

IBM i 7.2

Number Minimum level
SF99720 14101
SF99702 2
SF99716 2
SF99713 2

IBM i 7.3

Number Minimum level
SF99730 6085
SF99703 1
SF99725 1
SF99722 1

Once these PTF requirements are met, you can then shut down the WebSphere Application Server that you want to update. Also, I’d recommend you back up your WebSphere environment to ensure you have a recent recovery point.

To get to the HTTP Administration website, go to http://<yoursystem>:2001/HTTPAdmin. Click the Manage tab and then click the Installations link.

Then, simply select the radio button for the WebSphere instance you want to update and click the Update button. On the following screen, select the Fix Pack check box then click the Next button.

At this point we’re going to select the fix pack repository directory of which the Group PTF updated on its’ apply. For instance, if you’re looking to update your WAS 8.5.5 server to then you’ll be looking for directory /QIBM/WAS/WASFIXPACKS/WAS/85512/FIXPACK. You can click the browse button and work your way through the directory structure or simply type it into the text box. Press the Next button.

From here, you simply confirm your selection by clicking Ok to the popup window and then clicking the Finish button.

The actual fix pack update may take some time depending on the CPW, memory and current system utilization. In the background, the system will be submitting update commands so you don’t even need to use a shell terminal.

In the end you should have a fully patched WAS instance. This process is far easier than having to copy and paste commands into a shell and should take some of the fear out of keeping your WebSphere servers current.

In the next newsletter I’ll talk about doing a release upgrade and migration of WebSphere servers. We’ve been doing a lot of updates and upgrades/migrations for customers going from IBM i 7.1 to 7.3, where versions of WebSphere below are not supported. It’s best to do this type of work well in advance of your 7.3 upgrade to ensure your applications function as expected in a new version. If you need a hand with keeping WebSphere current or prepping for an IBM i 7.1 to 7.2/7.3 upgrade then contact iTech Solutions.

How to connect to your Advanced Systems Management Interface (ASMI).

In September, I wrote an article in the newsletter about the need to keep your Flexible Service Processor (FSP) up to date. In that article I discussed the Firmware Entitlement Date which is the expiration date of the Update access key.  Server firmware fix packs with a later date will not be activated until a valid Update access key expiration date is entered.  You can get the new key, which is only valid for 6 months, from the IBM Entitled Systems Support (ESS) Website. It’s under Hardware, and you only need an Update Access Key (UAK) if you are on Power8, none of the earlier machines had one. Here is a screen shot below where you see the expiration date is October 02, 2018.  Please note the system will continue to work after this date however you can’t update the firmware.

You need to access the ASMI to enter the code, via the COD menu.

If your system is not managed by a Hardware Management Console (HMC), you can connect a PC to the server to access the Advanced System Management Interface (ASMI). You need to configure the Web browser address on the PC to be on the same subnet as what your ASMI address is (meaning the first 3 subnets of your TCP/IP address will be the same, and the last one will be different). If you are managed by an HMC, then you access the ASMI from the HMC by selecting the server, selecting Operations, and then Launch ASMI.

The Web interface to the ASMI is available during all phases of system operation including the initial program load (IPL) and run time. The ASMI is used to perform general and administrator-level service tasks. These tasks include reading service processor error logs, reading vital product data, setting up the service processor, and controlling the system power.

To set up the Web browser for direct or remote access to the ASMI when you have no HMC, complete the following tasks:

  1. If the server is not powered on, perform the following steps:
    1. Connect your power cord or cords to the server.
    2. Plug the power cord or cords into the power source.
    3. Wait for the control panel to display 01. A series of progress codes are shown before 01 appears.

The system has power, but is not yet Powerup when the light on the control panel is flashing green. The system is powered on if the light on the control panel is green.

Important: Do not connect an Ethernet cable to either the HMC1 port or the HMC2 port until you are directed to do so later in this procedure.

2. Select a PC that has Netscape, Microsoft Internet Explorer 7.0, Opera 9.24, or Mozilla Firefox to connect to your server.

Complete the following steps to disable the TLS 1.0 option in Microsoft Internet Explorer to access the ASMI using Microsoft Internet Explorer 7.0 running on Windows XP:

  1. From the Tools menu in Microsoft Internet Explorer, select Internet Options.
  2. From the Internet Options window, click the Advanced
  3. Clear the Use TLS 1.0check box (in the Security category) and click OK.

3. Connect an Ethernet cable from the PC to the Ethernet port labeled HMC1 on the back of the Power system. If HMC1 is occupied, connect an Ethernet cable from the PC to the Ethernet port labeled HMC2 on the back of the managed system.


The service processor’s Ethernet ports are configured for DHCP by default. If the service processor is attached to a live Ethernet network equipped with a DHCP server and the service processor is turned on, an IP address is assigned. The default IP address of the service processor is no longer valid.  You can put the machine in manual mode, and then go up to Function Code 30.  You can view HMC1 TCP/IP address at 3000 and HMC2 TCP/IP address at 3001.

4. If you have never connected your HMC1 or HMC2 ports to a DHCP Server, the addresses will be the defaults below. You would set your PC as the address in the last column. The Ethernet interface on the PC needs to be configured within the same subnet mask as the service processor so that they can communicate with each other. For example, if you connected your PC or notebook to HMC1, the IP address for your PC could be and the subnet mask would be Set the gateway IP address to the same IP address as the PC.

POWER8® processor-based systems Server connector Subnet mask IP address of the service processor Example of an IP address for your PC
Service processor A HMC1
Service processor B (if installed) HMC1

5.Set the IP address on your PC using the values from the table.

6. To access the ASMI using a Web browser, type the IP address in the Addressfield on the Web browser of your PC and press enter. For example, if you connected your PC to HMC1 on a machine with one FSP, type in the Web browser on your PC.


It might take 2 – 5 minutes for the service processor to reach standby. The ASMI menus can be accessed with a Web browser only after the service processor reaches standby. Function code 30 on the control panel cannot be used to view the service processor’s IP addresses until the service processor reaches standby.

  1. When the Login display appears, enter adminfor the user ID and password.
  2. Change the default password when prompted.

We do this all the time, if you have questions or need some help, perhaps you should contact iTech Solutions and let us help you connect.

Lessons Learned Though Many Years.

It isn’t unusual for us to be asked why we do things specific ways. All of the services we offer have variations and we adjust based on a variety of factors. Our team has over 400 years of IBM i experience and we know all too well there are permutations in every project. Further there is no absolute single right way to do anything from installing hardware, to updating PTFs and OS levels, to migrations, and everything else we do. We know there is a specific right way to do things for our specific customer for a given specific project.

There are ways we address these nuances with our customers. For instance, recently a customer had concern over our methodology installing MIMIX in a complex environment. He was used to handling things one way with a minute difference to our process. We were able to quickly convene a call with the principals on the project and review the steps and ramifications of the 2 approaches. Within half an hour we explained why we needed extra care in the front end of the project given the large scale of the environment and how that would save work on the post end, as well as ensure success via an early test. While our way seemed more cumbersome it was in fact more efficient. Meanwhile, we learned the depth of the customer’s knowledge and we able to partner more fully. A win-win for all involved.

Another area we are very particular about how we do things is upgrading OS levels and migration to new hardware. At iTech when both the source and target machine for a migration can run the same release, we always upgrade the existing hardware to the OS the new POWER Machine will be at before migration. To some this seems an unnecessary additional step. Why would they want their old box upgraded, it is being discarded. However, we have found this is the gold standard to use, yes, it is doing things the “long way” but it works and works correctly with no issues down to road. Mixed mode migration simply adds complexity and we avoid it whenever possible (exception being when the current hardware can’t get to the new OS, and the new hardware can’t support the currently used out of support OS.) When we must perform migrations with different OS releases we compensate with a longer, more detailed conversion process and documentation.

Which brings us to why we spend so much time, energy, and money supporting our customer community by writing and presenting through road shows, webinars, and professional associations. We want IBM i professionals as well informed as possible especially with IBM i 7.1 going off of support and all the ramifications for same.  As companies determine when to acquire new hardware, what version of currently supported OS to upgrade to, and talk to their third party software vendors about certified packages they need all information possible.

iTech Solutions puts the experience of all our resources into the hands of our customers and we do so with confidence. We enjoy communicating to our community about how and why we do things because we are invested in their comfort and careers, and the overall stability and health of the IBM i install base.

If this is the kind of IBM Business Partner that you want working on your next installation, upgrade, migration, or whatever other project, then please contact your iTech rep who can help you.


Dec 4, 2017 – iTech Solutions and HelpSystems on Upgrading to IBM i 7.3. 

Hear Pete Massiello speaking on How to Successfully upgrade to IBM i 7.3

When upgrading IBM i, there is more work involved in the planning of the upgrade than in the actual upgrade itself. By having done the planning, the actual upgrade is simple. We will cover planning tips, prerequisites and then post installation requirements. Your upgrade isn’t complete until this last step is done. While this presentation will focus on upgrading to 7.3, if you are upgrading to an earlier release (7.2, 7.1), we will also cover those releases.

Dec 12, 2017 – COMMON Virtual Conference

Hear Pete Massiello speaking on How to Successfully upgrade to IBM i 7.3

When upgrading IBM i, there is more work involved in the planning of the upgrade than in the actual upgrade itself. By having done the planning, the actual upgrade is simple. We will cover planning tips, prerequisites and then post installation requirements. Your upgrade isn’t complete until this last step is done. While this presentation will focus on upgrading to 7.3, if you are upgrading to an earlier release (7.2, 7.1), we will also cover those releases.

April 23 – 25, 2018 – Northeast User Group Conference, Sheraton Framingham, MA

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i. In addition, hear Steve Pitcher and Pete Massiello speak on Various System Administration topics.

May 20 – 23, 2018 – COMMON Annual Conference & Expo, POWER-UP18 at Marriott River Center, San Antonio, TX

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i. In addition hear Pete Massiello, Yvonne Enselman, and Steve Pitcher speak on a variety of IBM i System administration topics.

Sept 27, 2018 – VTMUG Technical Conference – Double Tree Hotel Burlington, VT

Visit Laurie & Paul at our booth and learn how iTech Solutions can help you with your IBM i. Pete Massiello will be speaking on various Systems Management sessions to be determined.

Oct 15 – 17, 2018 – COMMON Fall Conference & Expo, Pittsburgh Marriott City Center, Pittsburgh, PA     Booth #20

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i. In addition hear Pete Massiello, Yvonne Enselman, and Steve Pitcher speak on a variety of IBM i System administration topics.

Oct 15 – 18, 2018 – Jack Henry Annual Conference – Gaylord Texan Hotel, Grapevine, TX

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i



Release levels and PTFs

People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, some times PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and if you had applied the PTF beforehand, you would have averted the problem. Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on iTech Solutions Quarterly Maintenance program.

7.3 7.2 7.1 6.1 V5R4
Cumul Pack 17283 17290 17192 15063 12094
Tech. Refresh  3 7 11
Grp Hipers 44 106 208 210 204
DB Group 7 19 43 33 33
Java Group 6 14 29 40 34
Print Group 3 13 31 49
Backup/Recov. 15 37 70 61 57
Blade/IXA/IXS 1 16 30 15
HTTP 12 25 51 46 36
TCP/IP 3 10 17 22
Security 18 51 72 60  33
High Availability 5 8 15  5
Hardware 13 30 40  17
Open Source 6 6 6

The easiest way to check your levels is to issue the command WRKPTFGRP. They should all have a status of installed, and you should be up to the latest for all the above, based upon your release. Now there are more groups than the ones listed above, but these are the general ones that most people require. We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit. The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released. Therefore, if we look at the cumulative package for V7R1, the ID is 16120. We can determine that it was created on the 120th day of 2016, which is April 29th, 2016. Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.


If you have a Hardware Management Console (HMC,) you should be running:

Model Release Service Pack End of Service
HMC (CR7 & above) V8R8.7
  1. MH01706
  2. MH01723
Not Announced
HMC V8R8.6
  1. MH01655
  2. SP2 MH01690
  3. MH01722
HMC V8R8.5
  1. MH01617
  2. SP3 MH01689 (must be installed from classic GUI or command line)
HMC V8R8.4
  1. MH01560 (must be installed from command line using UPDHMC)
  2. SP3 MH01652 (must be installed from command line using UPDHMC)
HMC V8R8.3
  1. SP3 MH01619
  2. MH01717
HMC  V8R8.2
  1. SP3 MH01583
  2. MH01688
HMC (CR4 last release) V7R7.9
  1. SP3 MH01546
  2. MH01587
  3. MH01687
HMC V7R7.8
  1. SP1 MH01397
  2. SP2 MH01432
  3. MH01570
or V7R7.7
  1. SP3 MH01379
  2. SP4 MH01415
  3. MH01516
HMC C03 V7R3.5
  1. SP4 MH01277

If we have a model listed above in the HMC column that is the highest level of firmware that model of the HMC can be upgraded to.

  • Note that release 8.8.x does not support any POWER5 servers.
  • Version 7.7.9 is not supported as of 12/30/2016 and cannot be installed on HMC models C03, C04 or CR2.
  • If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later desk side HMC.
  • HMC V8R8.1 is supported on rack-mount models CR5, CR6, CR7 and CR8; and on desktop model C08. These listed models meet or exceed the V8R8.1 minimum memory requirement of 2GB however 4GB is recommended.
  • If you want to manage a POWER8 machine, you need to be on at least HMC 8.8.1

Some notes on the new HMC release V8R8.6 that just came out:

  • Will be the last release to support POWER6.
  • Will be the last release to allow ‘classic’ UI login.
  • Will be the last release that supports the model CR5, CR6 and C08.
  • The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.

If you have a Flexible Service Processor (FSP) your firmware should be:

Machine Processor Model Version End of Service
Power5 or 5+ 520, 515, 525, 550, 570 SF240_418_382 11/30/2012
Power6 940x, M15, M25, M50 EL350_176_038 01/31/2017
8203-E4A, 8204-E8A, 8204-E4A EL350_176_038 01/31/2017
MMA, 560, 570 EM350_176_038 01/31/2017
9119-FHA EH350_176_038 01/31/2017
Power7 8231-E1B, 8202-E4B, 8231-E2B, 8205-E6B, 8233-E8B, 8236-E8C AL730_154_035 08/09/2017
9117-MMB, 9179-MHB AM780_089_040
8231-E1C, 8202-E4C, 8205-E6C AL740_163_042
9117-MMC, 9179-MHC AM770-116_032
Power7+ 8231-E1D, 8202-E4D, 8231-E2D, 8205-E6D AL770_116_032
8408-E8D, 9109-RMD AM770_116_032
9117-MMD, 9179-MHD AM780_089_040
Power8 8408-E8E, 8284-21A,  8284-22A, 8286-41A, or 8286-42A SV860_118_056 (OS Managed or HMC Managed; requires HMC 8.8.6+)
9119-MHE or 9119-MME SC860_118_056

If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.

Leave a Comment

Your email address will not be published. Required fields are marked *