Upgrade to IBM i 7.4 for Simplified Security and Streamlined Development
IBM i expert Dawn May describes the hidden gems in the latest OS release
By Dawn May10/01/2019
Each new release of IBM i brings a host of new features. IBM announced the release of IBM i 7.4 in April and made the new version of the OS generally available in June. I hope those of you using it have explored some of the new features, but if you haven’t installed 7.4 yet, I have some treats that might make you want to move to this new release.
There are many highlights for the newest version of i, but the biggest enhancement for the 7.4 release is Db2* Mirror for i, which provides continuous availability. While this is an exciting enhancement, 7.4 has more new features.
IBM also announced IBM i 7.3 TR6 at the same time as 7.4. While there are interesting details to be found within the TR6 release that are also in 7.4, this article will review new features that are only available with 7.4.
Tools to Simplify Security
Security is an essential—and sometimes legally mandated—focus area in today’s computing environment. You must ensure that your security implementation is solid and harden your system from outside threats. IBM i 7.4 has several enhancements that make
it easier to do both.
Authority Collection by Object
It’s very common for users to have too much authority; after all, it’s easy to simply grant a user you trust excess authority instead of analyzing and implementing a more secure solution. To help understand exactly what authorization is required, IBM has provided a feature called authority collection.
Authority collection is the ability to collect detailed information about the authority checking done by the system when running an application. Using this detailed information, you can determine the minimum authority required to allow the application to run successfully, and then implement security changes to only grant the authorization that is required to run that program.
Digital Transformation and Innovating with an Eye on the Future
Business change is inevitable. In today’s market, organizations are disrupting entire industries by using technology to enhance the customer experience.
IBM i clients have historically used UI modernization as a quick way to unlock value from their green screens. There’s no doubt that you can achieve tangible business benefits from these projects. But are you also anticipating your organization’s future needs?
An increasing number of organizations are using UI modernization as part of a holistic digital transformation strategy that also enhances their core business processes. Digital transformation isn’t one-size-fits-all, and it’s important to determine the right balance of value to investment. For example, you might want to determine which applications should be refaced to meet an immediate need, what should be rewritten or re-architected, and how new applications can play a strategic role.
Look for a vendor who has experience in helping clients with the overall IBM i modernization picture. They will help you build an IT strategy that takes your current business needs into account while providing a roadmap that helps you innovate for the future.
IBM i modernization specialist Fresche Solutions
As an IBM i modernization specialist, Greg Patterson helps organizations innovate and transform their IBM i applications.
IBM first introduced authority collection in the 7.3 release with the ability to collect authority information for a user profile. In 7.3, you ran authority collection on a user profile and reviewed what objects the user accessed and with what level of authority. The report also told you what the minimum level of authority is required so you could easily determine the security implementation changes you should make for that user.
In 7.4, authority collection has been enhanced to collect the detailed information for objects. Authority collection on objects collects information on all authority checks on those objects, regardless of the user profile.
Once you have collected the authority information, you must review and analyze the data to determine what security implementation changes you should make. With 7.4, additional IBM i services provide authority collection views to review the collected information. IBM i Access Client Solutions provides several examples to get started. Navigator for i also provides a user interface into authority collection by user and by object, allowing you to start and stop authority collection users and objects, as well as an interface to display the results.
Service Tools User IDs and Passwords
Service tools user IDs are required to access System Service Tools (SST), Dedicated Service Tools (DST) and the disk management tasks within Navigator for i. These interfaces allow you to perform functions that can have a major impact on your system, such as managing disk units, managing system security and access to tools such as Display/Alter/Dump. It’s critical to carefully control access to these service tools. Prior to 7.4, service tools user ID password composition rules were very basic; there was a minimum length requirement and expiration interval.
With 7.4, you can now implement password composition rules consistent to those of IBM i user profiles. The password rules available are the same as the ones you can specify with the QPWDRULES system value. You can change the password rules within SST or DST using service tools security options.
IBM also provided command interfaces to set (CHGSSTSECA) or display (DSPSSTSECA) service tools security attributes, which includes the SST password rules. This alleviates the need to use the SST or DST menu-driven interfaces to review the settings or make changes. When using the CHGSSTSECA command, you must specify your service tools user ID and password and have the service tools “Service Tools Security” functional privilege. DSPSSTSECA has outfile support, so you also have a programmatic interface to these settings.
In addition to adding service tools password rules, you can now create, change, and display service tools user IDs through command interfaces. The Create SST User, Change SST User and Delete SST User commands are new with 7.4; the Display SST User command has been around since the 6.1 release. With the create and change SST user commands you can change the password, enable or disable the ID, link it to an IBM i user profile, and specify the services tools privileges for that service tools user ID. Again, you must have a service tools user ID to use these commands as well as the “Service Tools Security” privilege but having the command interface will make it easier to manage your service tools user IDs.
Network security is also extremely important, and IBM has been implementing industry standards for secure communications. As the standards evolve, so does the support available within the OS. Each generation of network security standards increase security, so it is critical to keep current on these standards.
With IBM i 7.4, support has been added Transport Layer Security (TLS) version 1.3 and this level is now the default. IBM also added a new API to retrieve TLS attributes, so you now have a programmatic interface to access the system-wide TLS properties.
The memo to users also documents important changes for SSL and TLS. In particular, the default cipher specification lists have changed. You’ll no longer find SSLv2, and TLS1.1 and 1.0 are disabled by default. The System TLS Enhancements section in the Knowledge Center has complete details on the changes in 7.4.
Other Gems in IBM i 7.4
While the security enhancements were a key part of the 7.4 release, there were other small enhancements. Too numerous to cover them all in this article, below are some of my favorites.
Due to the increasing use of open source on IBM i, more applications run in PASE. Most open-source packages are AIX* binaries ported to PASE. The good news for these applications is that in 7.4, PASE for i is derived from AIX 7.2, Technology Level 2. As of August 2019, AIX 7.2 TL2 is the second-most current version of AIX.
Varying-Dimension Arrays for RPG
Varying-dimension arrays, as the name implies, are arrays that can vary in the number of elements within them. You specify that the array dimension is a variable and provide a maximum number of elements in the array. The number of elements is initially zero, and the array size is automatically increased as you add elements to the array.
Limiting Temporary Storage and CPU Used by Queries
The Maximum Temporary Storage (MAXTMPSTG) and Maximum CPU Time (MAXCPU) parameters in the class object are used to limit the temporary storage and CPU time used by a job. It’s a good practice to put limits in place as it protects your system from potentially bad things happening. In particular, a limit of the maximum temporary storage could protect your system from a crash if you were to get into an unexpected situation where some misbehaving job started to use a lot of temporary storage.
In 7.4, you can now limit the temporary storage and CPU time used when running queries. This support was initially made available in 7.2 and 7.3 with PTFs, but that initial support had controls on it that have now been removed with 7.4.
When running queries, newly allocated temporary storage used for the query is accounted for under MAXTMPSTG limit of the job running the query. Once the query completes, the optimizer’s temporary storage is decremented from the MAXTMPSTG limit for that job.
Prior to 7.4, this accounting did not occur unless the amount of free space in *SYSBAS was below the value set in the QSTGLOWLMT system value. In 7.4, this restriction is gone and the maximum temporary storage accounting for queries is always done.
Learn More About Varying-Dimension Arrays
Read about this new RPG enhancement from IBM Systems magazine Technical Editors Jon Paris and Susan Gantner.
Workload groups were added to the 7.1 release but are still relatively unknown . Using workload groups, you can restrict the number of processors that a workload can use.
In 7.1, a workload group was associated with a subsystem description, so the workload group limited the number of processor cores that could be used concurrently for all jobs and threads in that subsystem. For example, if the workload group is set to a limit of two processors, the jobs and threads running in a subsystem limited by a workload group would be limited to running on two processors, even if the partition has more processors available to it. You also needed to create a data area to associate the workload group with a subsystem. Individual jobs can also be controlled by a workload group by using the CHGJOB command to specify the workload group name.
Now in 7.4, the Create and Change Job Description commands (CRTJOBD and CHGJOBD) have been enhanced with a workload group (WLCGRP) parameter. This parameter can be *NONE where no workload group is used, *SBSD to use the workload group defined in the subsystem description, or it can specify the name of a workload group.
This support allows you to have a set of jobs that use a particular job description to be limited by the workload group specified in the job description, which gives you much more flexibility in defining what jobs are limited by a workload group.
API to Retrieve Active Prestart Job Status
It’s important to appropriately tune your prestart jobs. The DSPACTPJ command provides useful information to aid in setting the best values for the initial number of jobs, threshold, and additional number of jobs. In 7.4, there’s an API, Retrieve Active Prestart Job Status, to retrieve this information.
Improved SMT Reporting
IBM i has supported Simultaneous Multithreading (SMT) for many years. The system default, controlled by the QPRCMLTTSK system value, is to use the maximum supported by the combination of release and hardware.
The Change Processor Multitasking Information API allowed you to specify how many hardware threads you want, so you could decide to run in SMT2, SMT4, or SMT8 mode. The Retrieve Processor Multitasking Information API allowed you to retrieve this configured setting.
In 7.4, the Retrieve Processor Multitasking Information API is able to also return the current and maximum number of secondary hardware threads per processor. This additional information allows you to review the actual value used by the system or the maximum value supported by the hardware. These new fields are collected by Collection Services in the QAPMCONF file .
Memo To Users—Removal of SNA Adapters and Old Protocols
Everyone should know to read the Memo to Users (MTU) prior to upgrading to the new release. Hidden away in the MTU is information about removal of support for SNA adapters and related protocols that you can no longer use.
Essentially, IBM did some housecleaning and removed commands and parameters for SNA communications support that lacked support for some time. You can still use software solutions such as Enterprise Extender. IBM has already updated the 7.4 MTU twice since the announcement in April, so be sure to review the latest version.
Upgrade and Reap the Benefits
Numerous resources exist to help you upgrade to IBM i 7.4. You’ll find a few of them outlined in “More IBM i 7.4 Resources,” below.
IBM delivered significant function in the 7.4 release. Db2 Mirror will undoubtably be important for a select set of IBM i shops, but the enhancements reviewed in this article should be a compelling enough reason to put a plan in place to upgrade to 7.4.
Dawn May is an IBM i consultant. She owns Dawn May Consulting, LLC in the Greater Boston area. Dawn is a former IBM senior technical staff member. More →