October 2017 Newsletter

Greetings iTech Fan!

Halloween is upon us, but to me what is even scarier is the number of customers who are still on IBM i 7.1. This is a 7-year-old operating system, and you should really be looking at protecting your company and upgrading to IBM i 7.2 or, even better, 7.3. Yes, in some situations you can’t upgrade, maybe due to hardware or software issues, but let us help you determine your best upgrade path.

We had some really bad hurricanes hit us over the last few months, and places have been decimated by these storms. We hope those customers, employees, and their families impacted by the hurricanes are recovering. For the rest of us, have you tried to recover your system since then? What will it take to test your recovery? If your recovery is a wish and a prayer, then I think it is time to test your recovery. The job you save may be your own. You want to test out the recovery process when it isn’t an emergency. To do that, you need to do a full system recovery based upon how you normally back up your system. If you back up the entire system each Saturday and then run selective backups during the week, then you need to try to recover using both sets of backups. If you don’t have a machine to test a recovery on, contact our sales group and they can set up a contract for you to use one of our systems at your location, or our location, to perform a disaster recovery test. Or better yet, talk to our sales group (203-744-7854, press 3 for sales) about our DR as a Service (DRaaS), where for a very low monthly rate you can do a test and have a partition in our cloud when a disaster strikes.

This issue of our newsletter has 6 articles. The first article is on IBM i 7.1 “It is old and time to go!”. The second article by Chris is on how to Bypass the Sign-on screen with Access Client Solutions. The third article is a reprint of an article I wrote for this month’s COMMON Connect on the Equifax security breach. The fourth article is on determining the fixes for Apache Struts, which caused the Equifax problem.  The fifth article lists some of the upcoming events in which iTech Solutions will be participating. The last article is for your reference with updated PTF information. Please note that for all 7.1 customers that are on the Quarterly or Semi-annual iTech Solutions PTF maintenance plan, we will be installing the latest PTFs as you are most likely now on Technology Refresh 11. For the 7.2 customers, we will be installing 7.2 Technology Refresh 7, and 7.3 will be Technology Refresh 3.

 

It’s old and time to go! 

I had a very interesting conversation two weeks ago with another IBM i consultant, who told me there was no reason to upgrade from IBM i 7.1, and that I was just trying to do upgrades.  Honestly, we have so many upgrades going on, that we don’t need to fabricate work.  Last week, we did 7 OS upgrades. That was just in one week.  Now, we all know that IBM announced that the end of life for IBM i 7.1 will be April 18, 2018.  It ended marketing (IBM Speak for you can’t order it on a new machine any longer) on September 30, 2017.

Yes, there are reasons why you want to get off of IBM i 7.1.  Let’s list a few:

  • Most of the ciphers in 7.1 are broken; how many depends on how current you are with PTFs. If you are current with PTFs, 75% are insecure, and if you are below TR6, 87% are.
  • The default version of Java is version 6. Java 6 was announced in Dec 2006, and standard support is over.
  • 7.1 doesn’t support SMB2, and we all know that SMB1 is not secure.
  • There are so many cool new features that have recently been added to 7.2 & 7.3. Row and Column Access Control, Temporal Support, performance improvements in the IFS, enhancements to Navigator for i, Authority Collector, etc.

Take a look at the chart below and you can see when each release was announced and made generally available (GA). IBM i 7.1 has been out 7 years; it’s time to move up to 7.2 or 7.3. In addition, come April, if you are still on IBM i 7.1, expect your software maintenance (SWMA) to just about double. Now is the time to start planning, or even easier, just give iTech Solutions a call at 203-744-7854 and press 3, and we can do the upgrade for you.

Release life cycle

Release | Announce date* | GA date* | Announce End of Marketing date* | Effective End of Marketing date* | End of Program Support* | Program Support Extension Available*
Rel 1 06/21/1988 08/26/1988
V2R1 04/22/1991 05/24/1991 03/12/1993 06/30/1994
V2R1.1 04/22/1991 03/06/1992 03/12/1993
V2R2 02/18/1992 09/18/1992 09/06/1994 03/31/1995
V2R3 02/16/1993 12/17/1993 12/29/1995 05/31/1996
R7.5 SSP 02/20/1996 03/08/1996 02/09/1999 02/25/2000 05/31/2000
V3R0.5 05/03/1994 06/03/1994 02/11/1997 05/16/1997 05/31/1997
V3R1 05/03/1994 11/25/1994 02/11/1997 05/16/1997 10/31/1998
V3R2 06/04/1996 06/21/1996 02/10/1998 02/25/2000 05/31/2000
V3R6 06/21/1995 12/22/1995 08/19/1997 11/21/1997 10/31/1998
V3R7 09/03/1996 11/08/1996 09/01/1998 12/01/1998 06/30/1999
V4R1 08/19/1997 08/29/1997 02/09/1999 02/25/2000 05/31/2000
V4R2 02/10/1998 02/27/1998 02/09/1999 02/25/2000 05/31/2000 01/31/2001
V4R3 09/01/1998 09/11/1998 02/15/2000 12/29/2000 01/31/2001
V4R4 02/09/1999 05/21/1999 02/13/2001 05/31/2001 05/31/2001 11/30/2001
V4R5 05/22/2000 07/28/2000 02/12/2002 07/02/2002 07/31/2002 12/31/2002
V5R1 04/23/2001 05/25/2001 07/29/2003 11/21/2003 09/30/2005
V5R2 06/04/2002 08/30/2002 02/08/2005 10/01/2005 04/30/2007
V5R3 05/04/2004 06/11/2004 02/06/2007 01/04/2008 04/30/2009 04/30/2013
V5R4 (5.4.x) 01/31/2006 02/14/2006 01/27/2009 05/27/2011 09/30/2013 (Note 2) 09/30/2017 (Note 3)
6.1.x 01/29/2008 03/21/2008 09/09/2014 12/09/2014 09/30/2015 (Note 2) 09/30/2018 (Note 3)
7.1 04/13/2010 04/23/2010 04/11/2017 09/30/2017 04/30/2018
7.2 04/28/2014 05/02/2014 Note 1
7.3 04/12/2016 04/15/2016 Note 1

* All dates are shown in MM/DD/YYYY format.

Note 1: End of program support date will be announced with at least 12 months’ notice prior to the effective termination date.

Note 2: For V5R4 (5.4.x), includes both Machine Code Level V5R4M0 and V5R4M5. For 6.1, includes both Machine Code Level V6R1M0 and V6R1M1.

Note 3: IBM Service Extension Offering for IBM i 5.4 and 6.1 (33KB) is available for customers.

 

Bypass Signon with Access Client Solutions

As more and more people are moving to the new Access Client Solutions, which is the Java based version of IBM i Client Access, we keep getting questions on how to do a particular function in the new product that they were doing previously.  Here is a tip on how to Bypass the signon screen.

  1. On a command line and with the proper authority, on the IBM i system(s) being accessed by ACS, key: WRKSYSVAL QRMTSIGN. Press the Enter key. If the value is not *VERIFY, change it to *VERIFY.
  2. In the IBM i ACS 5250 Emulator, select Communications, Configure, and then the Advanced option on the left-hand side, and select the Bypass Signon option (see below). Use the appropriate Password Prompting as required.

The Bypass Signon is now enabled. The change will take effect immediately. Bypassing the IBM i OS sign-on screen could create a potential security risk. Implement this at your own risk.

 

Configuring and setting up Access Client Solutions for the first time can be a little confusing. Are you using ACS to its fullest? Have you set up ACS correctly? If unsure, or if you want some help, please email iTech Solutions.

 

Equifax

This is my Pete’s Perspective that I wrote for this month’s issue of COMMON Connect. With all the concerns of security today, I thought it was worth putting it into the newsletter.

Equifax – what is the first thing that came to your mind? Just a few months ago it would have been your credit score, credit cards, information on mortgages and loans, or your complete financial history. Now Equifax is synonymous with a massive data breach and compromising the identities of consumers. According to Equifax, the breach lasted from mid-May through July, and during that time people’s names, Social Security numbers, addresses, dates of birth, and in some circumstances driver’s license numbers were disclosed. This is enough information for you to be impersonated, with dire ramifications such as ruining your credit, stealing the equity in your home, or taking out a loan in your name. While neither I nor COMMON is vouching for this site, one has been established so you can determine if your information was divulged: https://www.equifaxsecurity2017.com/am-i-impacted/

In a scant few months, decades of business reputation were tarnished and contracts have been revoked. Speaking personally, I no longer trust this organization and will not use their services personally or professionally. The Federal Trade Commission says likely 143 million American consumers were affected, in addition to an undisclosed number in Canada and the UK. My intent isn’t to write yet more on this breach, but rather on our collective need to be aware of security and of the vast personal data stored by corporations. Your Social Security number is extremely private information and perhaps the key to a credit fraud scam. Always make sure you are on a secure computer and an encrypted network connection any time you enter this crucial data. Don’t provide your personal information at any time unless absolutely necessary.

We now know more information about the underlying causes that allowed this to happen. An initial flaw was in a tool designed to build web applications, Apache Struts, which is used the world over. This issue was first identified in March of 2017, and Equifax simply didn’t apply the security patch to address it. This is the very root of the problem, and unfortunately it is endemic in IT and far from unique.

Keeping up with security issues and staying current with fixes is the very least we can do to secure our systems. The very least. On every platform, in every operating system, using every application development and web tool, there are security exposures we must be aware of. Patches must be applied and this must be done in a timely manner. I was on a system the other day which hadn’t had a PTF in over 10 years! Think this system had some security exposures? Of course it did. The argument could be made that the operating system should be upgraded to the most recent release in that case, and of course I concur. Keeping the operating system, PTFs, Java versions, etc. all up to date needs to be attended to diligently.

Now, this is when IT professionals comment that they know the importance of doing all the above but getting the knowledge to do so correctly can be a challenge. Anyone who has followed my writing knows my response to this is look to COMMON. The association’s publications, webcasts, webinars, virtual conferences, and in person education events cover all topics relevant to modern IBM i specialists. The most recent conference in St. Louis showcased sessions covering security, OS upgrades, PTF management, open source, database, web programming, and many others.  There is also the upcoming 2018 Annual Conference being held May 20 to 23, in San Antonio for you to plan to attend. This is where you can learn from the best in the industry about how to secure your environments as well as best practices for managing your machines and partitions.

Which brings us back to who was really to blame at Equifax for this debacle? Management can say it wasn’t them, as they wouldn’t know anything specifically about Struts. However, corporate leadership needs to set the policies that would have a directive in place requiring known security exposures to be patched within “X” weeks from discovery. The IT management team would have more insight into the tools in use and communications regarding same; however, the details probably would have been too technical and may not have come to their attention. Leadership in technical departments needs to be following up with those team members who have this trench knowledge and ensure they are prioritizing keeping up with threats in order to address issues. Then there are the web developers and administrators who are tasked with the daily use of tools such as Apache Struts. They should have been aware of the exposure; however, if there was pressure to meet deadlines and no one specifically assigned to respond to emerging threats, things get missed. I think all these components of the organization were to blame and I am sure all are paying the price. Even if they were not punished individually, the damage to the company has put everyone’s employment at risk. Security is everyone’s responsibility, plain and simple. One relatively small exposure has ruined a company and caused millions the pain of identity theft.

Of course, it isn’t my place to assign blame but to explore an example of what happened.

The intent of this article was not to figure out who was to blame, but to show you an example of what happens when a simple patch is ignored or a simple upgrade isn’t performed. Many times, people are rushing to get projects complete, and they don’t spend the time to do what is required from a security and infrastructure standpoint. This is a good example of why you shouldn’t cut corners; ensure that security is part of your overall implementation.

If security of your IBM i is of concern to you, perhaps you should contact iTech Solutions and learn about the monitoring services for security that we have in place.

 

Are you running Apache Struts?

WebSphere Application Server is susceptible to vulnerabilities in Apache Struts.

IBM Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)

Affected Products and Versions

The following Versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition may be affected:

  • Version 9.0
  • Version 8.5 and 8.5.5 Full Profile
  • Version 8.0
  • Version 7.0

The vulnerability has been addressed. Below are the recommended fixes/releases to remediate the issue.

For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:

For V9.0.0.0

  • Apply Fix Pack 1 (9.0.0.1), or later.


For V8.5.0.0 through 8.5.5.9:

  • Apply Fix Pack 10 (8.5.5.10), or later.


For V8.0.0.0 through 8.0.0.12:

  • Apply Fix Pack 13 (8.0.0.13), or later.


For V7.0.0.0 through 7.0.0.41:

  • Apply Fix Pack 43 (7.0.0.43), or later.

Remember that when you load the IBM i PTF for WebSphere, that is only the first of two steps. You must then apply the PTF to the WebSphere instance. If you are unsure, we can help you with this or any PTF process. Please contact your iTech rep who can help you.

 

Events

On Demand Webinar

Why IBM i is Key to Your IT Strategy

Think of IBM i as a legacy platform? Hear from experts Trevor Perry, Steve Will and Pete Massiello on the benefits and reality of modernizing your applications. They’ll also discuss IBM i costs compared to other platforms and how to overcome development challenges that keep you in older OS versions.

Join Steve Will, Pete Massiello and Trevor Perry as they discuss the top concerns of IT executives running mission-critical applications on IBM i. Addressing key issues around alignment, security and skill shortages, they’ll help you understand:

  • How to leverage existing applications to meet evolving business needs
  • The total cost of ownership of IBM i compared to other systems
  • The value of modernizing your applications instead of replacing them
  • How to overcome development challenges that keep you in older applications and OS versions


Nov 12 – 15, 2017 – COMMON Poland  Hotel Stok, Wisla, Beskid Slaski, Poland

Pete will be speaking on:

  • What you need to know when Upgrading IBM i to 7.3, 7.2, and 7.1
  • Cool Things in Navigator for IBM i to be a Rock Star Administrator
  • Step-by-Step Guide to Creating Virtual i Partitions Hosted by IBM i.
  • Tips and Tricks to improve System performance and Save Disk Space

April 23 – 25, 2018 – Northeast User Group Conference, Sheraton Framingham, MA

May 20 – 23, 2018 – COMMON Annual Conference & Expo, Marriott River Center, San Antonio, TX

 

 

 

Release levels and PTFs

People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, sometimes PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and that if you had applied the PTF beforehand, you would have averted the problem? Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on iTech Solutions Quarterly Maintenance program.

7.3 7.2 7.1 6.1 V5R4
Cumul Pack 17283 17290 17192 15063 12094
Tech. Refresh  3 7 11
Grp Hipers 41 102 205 210 204
DB Group 7 19 43 33 33
Java Group 6 14 29 40 34
Print Group 3 13 31 49
Backup/Recov. 15 37 70 61 57
Blade/IXA/IXS 1 16 30 15
HTTP 11 24 50 46 36
TCP/IP 3 10 17 22
Security 17 49 71 60  33
High Availability 5 8 15  5
Hardware 13 30 40  17
Open Source 5 5 5

The easiest way to check your levels is to issue the command WRKPTFGRP. They should all have a status of installed, and you should be up to the latest for all the above, based upon your release. Now there are more groups than the ones listed above, but these are the general ones that most people require. We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit. The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released. Therefore, if we look at the cumulative package for V7R1, the ID is 16120. We can determine that it was created on the 120th day of 2016, which is April 29th, 2016. Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.
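
The decoding described above, as an added example in Python (not code from the newsletter or from IBM). It reads the five-digit IDs in the table as a two-digit year followed by the day of the year, which matches the 16120 example; the function names, the 20YY century assumption, the reference date and the 180-day threshold are assumptions made for the illustration.

```python
from datetime import date, timedelta

# Cumulative package levels copied from the newsletter's table (release -> ID).
NEWSLETTER_LEVELS = {
    "7.3": "17283",
    "7.2": "17290",
    "7.1": "17192",
    "6.1": "15063",
    "V5R4": "12094",
}


def decode_cume_id(package_id: str) -> date:
    """Turn a five-digit cumulative package ID (YYDDD) into its release date."""
    if len(package_id) != 5 or not (package_id.isascii() and package_id.isdigit()):
        raise ValueError(f"expected five digits, got {package_id!r}")
    # Assumption: two-digit years mean 20YY, which covers every ID on the page.
    year = 2000 + int(package_id[:2])
    day_of_year = int(package_id[2:])
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days  # 365 or 366
    if not 1 <= day_of_year <= days_in_year:
        raise ValueError(f"day {day_of_year} does not exist in {year}")
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


def staleness_report(levels, as_of, max_age_days=180):
    """Return (release, package_id, released, age_days, stale) rows, oldest first.

    max_age_days is a hypothetical local policy threshold, not IBM guidance.
    """
    rows = []
    for release, package_id in levels.items():
        released = decode_cume_id(package_id)
        age_days = (as_of - released).days
        if age_days < 0:
            raise ValueError(f"{package_id} is dated after {as_of}")
        rows.append((release, package_id, released, age_days, age_days > max_age_days))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Constructed reference date: the last day of the newsletter's month.
    for release, package_id, released, age_days, stale in staleness_report(
        NEWSLETTER_LEVELS, as_of=date(2017, 10, 31)
    ):
        flag = "STALE" if stale else "ok"
        print(f"{release:>5}  {package_id}  {released}  {age_days:>5} days  {flag}")
```
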

HMCs

If you have a Hardware Management Console (HMC), you should be running:

Model | Release | Service Pack | End of Service
HMC (CR7 & above) | V8R8.7 | 1. MH01706 | Not Announced
HMC | V8R8.6 | 1. MH01655; 2. SP2 MH01690; 3. MH01722 | 10/31/2018
HMC | V8R8.5 | 1. MH01617; 2. SP3 MH01689 (must be installed from classic GUI or command line) | 05/31/2018
HMC | V8R8.4 | 1. MH01560 (must be installed from command line using UPDHMC); 2. SP3 MH01652 (must be installed from command line using UPDHMC) | 11/30/2017
HMC | V8R8.3 | 1. SP3 MH01619; 2. MH01717 | 07/31/2017
HMC | V8R8.2 | 1. SP3 MH01583; 2. MH01688 | 10/31/2017
HMC (CR4 last release) | V7R7.9 | 1. SP3 MH01546; 2. MH01587; 3. MH01687 | 12/30/2016
HMC | V7R7.8 | 1. SP1 MH01397; 2. SP2 MH01432; 3. MH01570 | 10/31/2015
or | V7R7.7 | 1. SP3 MH01379; 2. SP4 MH01415; 3. MH01516 | 02/28/2015
HMC C03 | V7R3.5 | 1. SP4 MH01277 | 05/31/2014

If a model is listed above in the HMC column, that release is the highest level of firmware to which that model of HMC can be upgraded.

  • Note that release 8.8.x does not support any POWER5 servers.
  • Version 7.7.9 is not supported as of 12/30/2016 and cannot be installed on HMC models C03, C04 or CR2.
  • If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later desk side HMC.
  • HMC V8R8.1 is supported on rack-mount models CR5, CR6, CR7 and CR8, and on desktop model C08. These listed models meet or exceed the V8R8.1 minimum memory requirement of 2GB; however, 4GB is recommended.
  • If you want to manage a POWER8 machine, you need to be on at least HMC 8.8.1.

Some notes on the new HMC release V8R8.6 that just came out:

  • Will be the last release to support POWER6.
  • Will be the last release to allow ‘classic’ UI login.
  • Will be the last release that supports the model CR5, CR6 and C08.
  • The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.

 

If you have a Flexible Service Processor (FSP) your firmware should be:

Machine Processor | Model | Version | End of Service
Power5 or 5+ | 520, 515, 525, 550, 570 | SF240_418_382 | 11/30/2012
Power6 | 940x, M15, M25, M50 | EL350_176_038 | 01/31/2017
Power6 | 8203-E4A, 8204-E8A, 8204-E4A | EL350_176_038 | 01/31/2017
Power6 | MMA, 560, 570 | EM350_176_038 | 01/31/2017
Power6 | 9119-FHA | EH350_176_038 | 01/31/2017
Power7 | 8231-E1B, 8202-E4B, 8231-E2B, 8205-E6B, 8233-E8B, 8236-E8C | AL730_154_035 | 08/09/2017
Power7 | 9117-MMB, 9179-MHB | AM780_089_040 |
Power7 | 8231-E1C, 8202-E4C, 8205-E6C | AL740_163_042 |
Power7 | 9117-MMC, 9179-MHC | AM770-116_032 |
Power7+ | 8231-E1D, 8202-E4D, 8231-E2D, 8205-E6D | AL770_116_032 |
Power7+ | 8408-E8D, 9109-RMD | AM770_116_032 |
Power7+ | 9117-MMD, 9179-MHD | AM780_089_040 |
Power8 | 8408-E8E, 8284-21A, 8284-22A, 8286-41A, or 8286-42A | SV860_109_056 (OS Managed or HMC Managed; requires HMC 8.8.6+) |
Power8 | 9119-MHE or 9119-MME | SC860_103_056 |

 

If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.

 
