October 2017 Newsletter
This newsletter includes:
- It’s old and time to go!
- Bypass Signon with Access Client Solutions
- Are you running Apache Struts?
- Release Levels and PTFs
Halloween is upon us, but to me what is even more scary is the number of customers who are still on IBM i 7.1. This is a 7-year-old operating system, and you should really be looking at protecting your company and upgrading to IBM i 7.2 or, even better, 7.3. Yes, in some situations you can’t upgrade, maybe due to hardware or software issues, but let us help you determine your best upgrade path.
We had some really bad hurricanes hit us over the last few months, and places have been decimated by these storms. We hope those customers, employees, and their families impacted by the hurricanes are recovering. For the rest of us, have you tried to recover your system since then? What will it take to test your recovery? If your recovery is a wish and a prayer, then I think it is time to test your recovery. The job you may save may be your own. You want to test out the recovery process when it isn’t an emergency. To do that, you need to do a full system recovery based upon how you normally back up your system. If you back up the entire system each Saturday, and then do selective backups during the week, then you need to try to recover using both sets of backups.
If you don’t have a machine to test a recovery on, contact our sales group and they can set up a contract for you to use one of our systems at your location or our location to perform a disaster recovery test. Or better yet, talk to our sales group (203-744-7854 press 3 for sales) about our DR as a Service (DRaaS), where for a very low monthly rate you can do a test and have a partition in our cloud when a disaster strikes.
This issue of our newsletter has 6 articles. The first article is on IBM i 7.1 “It is old and time to go!”. The second article by Chris is on how to Bypass the Sign-on screen with Access Client Solutions. The third article is a reprint of an article I wrote for this month’s COMMON Connect on the Equifax security breach. The fourth article is on determining the fixes for Apache Struts, which caused the Equifax problem. The fifth article lists some of the upcoming events in which iTech Solutions will be participating. The last article is for your reference with updated PTF information. Please note that for all 7.1 customers that are on the Quarterly or Semi-annual iTech Solutions PTF maintenance plan, we will be installing the latest PTFs as you are most likely now on Technology Refresh 11. For the 7.2 customers, we will be installing 7.2 Technology Refresh 7, and 7.3 will be Technology Refresh 3.
It’s old and time to go!
I had a very interesting conversation two weeks ago with another IBM i consultant, who told me there was no reason to upgrade from IBM i 7.1, and that I was just trying to do upgrades. Honestly, we have so many upgrades going on, that we don’t need to fabricate work. Last week, we did 7 OS upgrades. That was just in one week. Now, we all know that IBM announced that the end of life for IBM i 7.1 will be April 18, 2018. It ended marketing (IBM Speak for you can’t order it on a new machine any longer) on September 30, 2017.
Yes, there are reasons why you want to get off of IBM i 7.1. Let’s list a few:
- Most of the ciphers in 7.1 are broken; how many depends on how current you are with PTFs. If you are current with PTFs, 75% are insecure; if you are below TR6, 87% are.
- The default version of Java is version 6. Java 6 was announced in Dec 2006, and standard support is over.
- 7.1 doesn’t support SMB2, and we all know that SMB1 is not secure.
- There are so many cool new features that have recently been added to 7.2 & 7.3. Row and Column Access Control, Temporal Support, performance improvements in the IFS, enhancements to Navigator for i, Authority Collector, etc.
Take a look at the chart below and you can see when each release was announced and made generally available (GA). IBM i 7.1 has been out 7 years, it’s time to move up to 7.2 or 7.3. In addition, come April, if you are still on IBM i 7.1, expect your software maintenance (SWMA) to just about double. Now is the time to start planning, or even easier just give iTech Solutions a call, 203-744-7854 and press 3 and we can do the upgrade for you.
Release life cycle
|Release||Announce date*||GA date*||Announce End of Marketing date*||End of Marketing date*||End of Program Support*||Program Support Extension Available*|
* All dates are shown in MM/DD/YYYY format.
Note 1: End of program support date will be announced with at least 12 months’ notice prior to the effective termination date.
Note 2: For V5R4 (5.4.x), includes both Machine Code Level V5R4M0 and V5R4M5. For 6.1, includes both Machine Code Level V6R1M0 and V6R1M1.
Note 3: IBM Service Extension Offering for IBM i 5.4 and 6.1 (33KB) is available for customers.
Bypass Signon with Access Client Solutions
As more and more people are moving to the new Access Client Solutions, which is the Java based version of IBM i Client Access, we keep getting questions on how to do a particular function in the new product that they were doing previously. Here is a tip on how to Bypass the signon screen.
- On a command line and with the proper authority, on the IBM i system(s) being accessed by ACS, key: WRKSYSVAL QRMTSIGN. Press the Enter key. If the value is not *VERIFY, change it to *VERIFY.
- In the IBM i ACS 5250 Emulator, select Communications, Configure, and then the Advanced option on the left-hand side, and select the Bypass Signon option. Use the appropriate Password Prompting as required.
The Bypass Signon is now enabled. The change will take effect immediately. Bypassing the IBM i OS Sign-On Screen could create a potential security risk. Implement this at your own risk.
Configuring and setting up Access Client Solutions for the first time can be a little confusing. Are you using ACS to its fullest? Have you set up ACS correctly? If unsure, or if you want some help, please email iTech Solutions.
This is my Pete’s Perspective that I wrote for this month’s issue of COMMON Connect. With all the concerns of security today, I thought it was worth putting it into the newsletter.
Equifax – what is the first thing that came to your mind? Just a few months ago it would have been your credit score, credit cards, information on mortgages and loans, or your complete financial history. Now Equifax is synonymous with a massive data breach and compromising the identities of consumers. According to Equifax, the breach lasted from mid-May through July, during which time people’s names, Social Security numbers, addresses, dates of birth, and in some circumstances driver’s license numbers were disclosed. This is enough information for you to be impersonated, with dire ramifications such as ruining your credit, stealing the equity in your home, or taking out a loan in your name. While neither I nor COMMON are vouching for this site, one has been established so you can determine if your information was divulged: https://www.equifaxsecurity2017.com/am-i-impacted/
In a scant few months, decades of business reputation were tarnished and contracts have been revoked. Speaking personally, I no longer trust this organization and will not use their services personally or professionally. The Federal Trade Commission says likely 143 million American consumers were affected, in addition to an undisclosed number in Canada and the UK. My intent isn’t to write yet more on this breach but rather to highlight our collective need to be aware of security and of the vast personal data stored by corporations. Your Social Security number is extremely private information and perhaps the key to credit fraud scams. Always make sure you are on a secure computer and an encrypted network connection any time you enter this crucial data. Don’t provide your personal information at any time unless absolutely necessary.
We now know more information about the underlying causes that allowed this to happen. An initial flaw was in a tool designed to build web applications, Apache Struts, which is used the world over. This issue was first identified in March of 2017, and Equifax simply didn’t apply the security patch to address it. This is the very root of the problem, and unfortunately it is endemic in IT and far from unique.
Keeping up with security issues and staying current with fixes is the very least we can do to secure our systems. The very least. On every platform, in every operating system, using every application development and web tool, there are security exposures we must be aware of. Patches must be applied, and this must be done in a timely manner. I was on a system the other day which hadn’t had a PTF in over 10 years! Think this system had some security exposures? Of course it did. The argument could be made that the operating system should be upgraded to the most recent release in that case, and of course I concur. Keeping the operating system, PTFs, Java versions, etc. all up to date needs to be attended to diligently.
Now, this is when IT professionals comment that they know the importance of doing all the above but getting the knowledge to do so correctly can be a challenge. Anyone who has followed my writing knows my response to this is look to COMMON. The association’s publications, webcasts, webinars, virtual conferences, and in person education events cover all topics relevant to modern IBM i specialists. The most recent conference in St. Louis showcased sessions covering security, OS upgrades, PTF management, open source, database, web programming, and many others. There is also the upcoming 2018 Annual Conference being held May 20 to 23, in San Antonio for you to plan to attend. This is where you can learn from the best in the industry about how to secure your environments as well as best practices for managing your machines and partitions.
Which brings us back to who was really to blame at Equifax for this debacle. Management can say it wasn’t them, as they wouldn’t know anything specifically about Struts. However, corporate leadership needs to set the policies that would have a directive in place requiring known security exposures to be patched within “X” weeks from discovery. The IT management team would have more insight into the tools in use and communications regarding same; however, the details probably would have been too technical and may not have come to their attention. Leadership in technical departments needs to be following up with those team members who have this trench knowledge and ensure they are prioritizing keeping up with threats in order to address issues. Then there are the web developers and administrators who are tasked with the daily use of tools such as Apache Struts. They should have been aware of the exposure; however, if there was pressure to meet deadlines and no one specifically assigned for response to emerging threats, things get missed. I think all these components of the organization were to blame, and I am sure all are paying the price. Even if they were not punished individually, the damage to the company has put everyone’s employment at risk. Security is everyone’s responsibility, plain and simple. One relatively small exposure has ruined a company and caused millions the pain of identity theft.
Of course, it isn’t my place to assign blame but to explore an example of what happened.
The intent of this article was not to figure out who was to blame, but to show you an example of what happens when a simple patch is ignored or a simple upgrade isn’t performed. Many times, people are rushing to get projects complete, and they don’t spend the time to do what is required from a security and infrastructure standpoint. This is a good example of why you shouldn’t cut corners: ensure that security is part of your overall implementation.
If security of your IBM i is of concern to you, perhaps you should contact iTech Solutions and learn about the monitoring services for security that we have in place.
Are you running Apache Struts?
WebSphere Application Server is susceptible to vulnerabilities in Apache Struts.
IBM Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)
Affected Products and Versions
The following Versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition may be affected:
- Version 9.0
- Version 8.5 and 8.5.5 Full Profile
- Version 8.0
- Version 7.0
The vulnerability has been addressed. Below are the recommended fixes/releases to remediate the issue.
For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:
- Apply Fix Pack 1 (220.127.116.11), or later.
For V18.104.22.168 through 22.214.171.124:
- Apply Fix Pack 10 (126.96.36.199), or later.
For V188.8.131.52 through 184.108.40.206:
- Apply Fix Pack 13 (220.127.116.11), or later.
For V18.104.22.168 through 22.214.171.124:
- Apply Fix Pack 43 (126.96.36.199), or later.
Remember that when you load the IBM i PTF for WebSphere, that is only the first of two steps. You then must apply the PTF to the WebSphere instance. If you are unsure, we can help you with this or any PTF process. Please contact your iTech rep who can help you.
On Demand Webinar
Why IBM i is Key to Your IT Strategy
Think of IBM i as a legacy platform? Hear from experts Trevor Perry, Steve Will and Pete Massiello on the benefits and reality of modernizing your applications. They’ll also discuss IBM i costs compared to other platforms and how to overcome development challenges that keep you in older OS versions.
Join Steve Will, Pete Massiello and Trevor Perry as they discuss the top concerns of IT executives running mission-critical applications on IBM i. Addressing key issues around alignment, security and skill shortages, they’ll help you understand:
- How to leverage existing applications to meet evolving business needs
- The total cost of ownership of IBM i compared to other systems
- The value of modernizing your applications instead of replacing them
- How to overcome development challenges that keep you in older applications and OS versions
Nov 12 – 15, 2017 – COMMON Poland Hotel Stok, Wisla, Beskid Slaski, Poland
Pete will be speaking on:
- What you need to know when Upgrading IBM i to 7.3, 7.2, and 7.1
- Cool Things in Navigator for IBM i to be a Rock Star Administrator
- Step-by-Step Guide to Creating Virtual i Partitions Hosted by IBM i.
- Tips and Tricks to improve System performance and Save Disk Space
April 23 – 25, 2018 – Northeast User Group Conference, Sheraton Framingham, MA
May 20 – 23, 2018 – COMMON Annual Conference & Expo, Marriott River Center, San Antonio, TX
Release levels and PTFs
People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, sometimes PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and that if you had applied the PTF beforehand, you would have averted the problem? Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on the iTech Solutions Quarterly Maintenance program.
The easiest way to check your levels is to issue the command WRKPTFGRP. They should all have a status of installed, and you should be up to the latest for all the above, based upon your release. Now there are more groups than the ones listed above, but these are the general ones that most people require. We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit. The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released. Therefore, if we look at the cumulative package for V7R1, the ID is 16120. We can determine that it was created on the 120th day of 2016, which is April 29th, 2016. Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.
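The YDDD decoding described above, as an added example (not iTech Solutions' or IBM's code): it turns a cumulative package ID into its release date and reports how old that level is against a quarterly maintenance interval. Reading the two-digit year as 20YY and treating "quarterly" as 92 days are assumptions made for this example.

```python
from datetime import date, timedelta

# Assumption for this example: "quarterly" means at most 92 days between updates.
QUARTERLY_DAYS = 92


def decode_cum_package(package_id: str) -> date:
    """Decode a cumulative PTF package ID (year digits + day of year, e.g. 16120)."""
    pid = package_id.strip()
    if len(pid) != 5 or not (pid.isascii() and pid.isdigit()):
        raise ValueError(f"expected 5 digits (YYDDD), got {package_id!r}")
    year = 2000 + int(pid[:2])  # assumption: two-digit year is 20YY
    day_of_year = int(pid[2:])
    # Leap years have 366 days, so validate against the actual year length.
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    if not 1 <= day_of_year <= days_in_year:
        raise ValueError(f"day {day_of_year} does not exist in {year}")
    return date(year, 1, 1) + timedelta(days=day_of_year - 1)


def ptf_age_report(package_id: str, today: date) -> dict:
    """Report the age of the installed cumulative package as of `today`."""
    released = decode_cum_package(package_id)
    age_days = (today - released).days
    if age_days < 0:
        raise ValueError("package release date is in the future; check the ID")
    return {
        "released": released,
        "age_days": age_days,
        "quarters_old": age_days // QUARTERLY_DAYS,
        "overdue": age_days > QUARTERLY_DAYS,
    }


if __name__ == "__main__":
    # 16120 is the V7R1 ID quoted in the article; the "today" date is constructed.
    report = ptf_age_report("16120", today=date(2017, 10, 31))
    print(f"Released {report['released']:%B %d, %Y}, {report['age_days']} days old, "
          f"overdue for quarterly maintenance: {report['overdue']}")
```
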
If you have a Hardware Management Console (HMC), you should be running:
|Model||Release||Service Pack||End of Service|
|HMC (CR7 & above)||V8R8.7||
|HMC (CR4 last release)||V7R7.9||
If a model is listed above in the HMC column, that is the highest level of firmware to which that model of the HMC can be upgraded.
- Note that release 8.8.x does not support any POWER5 servers.
- Version 7.7.9 is not supported as of 12/30/2016 and cannot be installed on HMC models C03, C04 or CR2.
- If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later desk side HMC.
- HMC V8R8.1 is supported on rack-mount models CR5, CR6, CR7 and CR8, and on desktop model C08. These listed models meet or exceed the V8R8.1 minimum memory requirement of 2GB; however, 4GB is recommended.
- If you want to manage a POWER8 machine, you need to be on at least HMC 8.8.1.
Some notes on the new HMC release V8R8.6 that just came out:
- Will be the last release to support POWER6.
- Will be the last release to allow ‘classic’ UI login.
- Will be the last release that supports the model CR5, CR6 and C08.
- The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.
If you have a Flexible Service Processor (FSP) your firmware should be:
|Machine Processor||Model||Version||End of Service|
|Power5 or 5+|520, 515, 525, 550, 570|SF240_418_382|11/30/2012|
|Power6|940x, M15, M25, M50|EL350_176_038|01/31/2017|
| |8203-E4A, 8204-E8A, 8204-E4A|EL350_176_038|01/31/2017|
| |MMA, 560, 570|EM350_176_038|01/31/2017|
|Power7|8231-E1B, 8202-E4B, 8231-E2B, 8205-E6B, 8233-E8B, 8236-E8C|AL730_154_035|08/09/2017|
| |8231-E1C, 8202-E4C, 8205-E6C|AL740_163_042| |
|Power7+|8231-E1D, 8202-E4D, 8231-E2D, 8205-E6D|AL770_116_032| |
|Power8|8408-E8E, 8284-21A, 8284-22A, 8286-41A, or 8286-42A|SV860_109_056 (OS Managed or HMC Managed; requires HMC 8.8.6+)| |
| |9119-MHE or 9119-MME|SC860_103_056| |
If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.