Few programming related queries resolution...

1. How can we add another module in running rpgle pgm
Sol: In debug mode, we can press F14 "Work with Module List" to add modules to running RPGLE Program.

2. How to handle MSGW in a program?
Sol: First question here is why program is going in Message wait? Definitely, due to some error, where the program is looking for a response like ('C', 'I', 'D') etc. Thus the root cause here is runtime errors occuring in the program, which can be avoided using appropriate error handling mechanism, like MONITOR.

3. How to retrieve the duplicate records
Sol: Not sure whether the context of question is CL or RPG or SQLRPG program. But in RPG, READE opcode can be well used. In SQLLE, we can use SELECT with WHERE clause and use cusors to read the same, and finally, if req. in CL, we can use OPNQRYF with selection creteria.

4. How to enter the values at runtime without using parm keyword in cl program.
Sol: It can easile be performed while executing the program in debug mode. There, we can set the values of any variable.

Comments are invited..

General Considerations- IPSec or VPN on iSeries & Supported Transforms Used by Native VPN and IPSec

Some users do not wish to have (or deem it a violation of their corporate security policy) to have a VPN tunnel (IPSec data) inside their private network. In these cases, Universal Connection (for PTF ordering, sending PM/400 data, and allowing for IBM® remote support connectivity) can still be established using your connection to the Internet over your LAN. The diagram below shows the environment in which this is possible:

 

 

 

 

 

 

 

 

The table below outlines the VPN configuration settings when configuring IBM Universal Connection for Multi-hop on your VPN device.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Note:  These configuration settings are those that must be used to configure your VPN device for this Multi-hop scenario for Universal Connection. The configuration settings above are not negotiable in any way.

If these exact configuration settings are not allowed in your environment, use one of the following options for your Universal Connection configuration:

o Direct Connect - VPN tunnel is established from your IBM® iSeries™ family of servers system to the VPN gateway at IBM.

o Dial Up Connection - Uses a modem to dial and connect to IBM (at V5R3 the data is encrypted by VPN).

These are currently the only possible connectivity methods for Universal Connection. Because this multi-hop device is not an iSeries, the specific configuration for that device is not supported by the iSeries Support Center. The above table shows configuration settings for this multi-hop device but not the method used to configure your specific platform.

This is a list of Supported Transforms used by the IPSec protocol also known as VPN

Problem Restoring Objects Saved From an Unmounted UDFS

Trying to restore using operating system (RST) or BRMS (RSTBRM or WRKLNKBRM) commands if the create parent directories (CRTPRNDIR) parameter is set to *YES, objects are not restored correctly.

When restoring objects which were saved from an unmounted UDFS and using the create parent directories parameter, directories are created under a job unique temporary directory (for example, /QSR/ALBYQPADEV00114533381091102100015432/dev) and the objects are restored into those directories. The objects being restored will exist in that directory after the restore completes.

Use of the create parent directory (CRTPRNDIR) parameter is not supported when restoring objects saved from an unmounted UDFS, and the objects should not be restored.

Fixing QAOK* Files in QUSRSYS

To compare the files on the system to a system with the correct logical files and physical files, use the following command:

WRKOBJPDM LIB(QUSRSYS) OBJ(QAOK*) OBJTYPE(*FILE)

The following is a list of things to do to fix the files without restoring QUSRSYS. Ensure there are no locks on the QAOKL03A file. You should do the following:

Note: The user must determine the best method. Involving IBM in this requires a consulting agreement. WRKF command can be used to display and manipulate the needed files.

1. Make a list of the logical files and what physical files they point to.

2. Look at the physical files and determine which ones have data. Make a note of those files.

3. If you have a good logical file pointing to a good physical file, there is no need to do anything.

4. If you have a good logical file pointing to a wrong physical file, do the following:

o If the wrong physical file contains the data, delete the correct named file, and rename the wrong file to the correct file name (the logical file will follow the rename).

o If the correct physical contains the data, type CLRPFM on the wrong file. Then copy the file of the correct physical file to the wrong physical file with the CPYF command. Delete the correct physical file, and rename the wrong physical file to the correct physical file name.

5. If you have a wrong logical file pointing to a good physical file, make a backup of a good logical file, delete the correctly named logical file, rename the wrong logical file to the correct name, and correct the description.

6. If you have a wrong logical file pointing to a wrong physical file, delete both files.

Note:This takes time because you must chart out what the problems are.

You can use the DSPDBR command on a physical file to see what logical file is attached to it.

Verify All Mail Pointers on the System

The following commands can be run to verify all mail pointers on the system. The commands should be run when there is no mail activity. Normally, you can only ensure that there is no mail activity by putting the system into a restricted state (ENDSBS *ALL *IMMED).

1 DLTDST DSTID(*ERROBJ) OPTION(*ERROR) OBJ(*ALL)


2 CALL QZDRECLM

3 CALL PGM(QSYS/QOHFIXIX) PARM(Y)

Group PTFs by Release

V5R3M0

V5R4M0

V6R1M0

V7R1M0

IBM i Trends & Directions - New Power Equation !!

Unified Hardware & Virtualization Technologies

Do you think IBM should change the name of the operating system, i5/OS®, when it introduces the new POWER6™ server platform?

 









Introducing IBM PowerVM™














IBM Power Systems

Introducing a New generation of Power Systems

PC5250 Connection Error MSGPROG706

Making a Client Access connection over TCP/IP, PC5250 may report a Program Check 706 (PROG 706) error. The text of this message is, An SNA message was received with incorrect chaining.

This usually indicates a network issue. Check the average time for a PING. Also, try the following:
ping -l 1000 [AS/400name]

This will PING the AS/400 system with 1000 bytes of data rather than the 10 bytes of a regular PING. This may yield a very high average time, or it may time out. In this case, the network is most likely loosing frames. A lost frame will result in a TCP protocol error.

Theoretically, protocol errors should not be reported to the PC5250 application, but in this case they might. The error text indicates an SNA error because the PROG message text was written prior to SNA connectivity for this product. The PC5250 interprets a missing frame as an SNA chaining error.

Preventing Startup Program from Running

In the QCTL controlling subsystem, there is an auto job entry called QSTRUPJD. It runs as soon as the QCTL is started. In the QSTRUPJD job description, a request data CALL QSYS/QWDAJPGM retrieves system value QSTRUPPGM. The program that is specified in the system value will run. If system value QSTRUPPGM is set to *NONE, there is no startup program to call.

To change the system value, on the operating system command line type the following:

CHGSYSVAL SYSVAL(QSTRUPPGM) VALUE(*NONE)

Press the Enter key.

The help text on the operating system for the system value includes the following:

A change to this system value takes effect the next time the system is IPLed. The shipped value is QSYS/QSTRUP.

Automatic System Tuning

Tuning is a way of adjusting the performance of a system. For basic tuning, automatic system tuning is a useful method to maintain good performance. This can be done by setting the system value QPFRADJ to indicate that system tuning adjustments are performed at IPL time or dynamically while the system is running.

Do not use the QPFRADJ value and the SETOBJACC command at the same time for a shared pool. QPFRADJ removes storage from a shared pool that has no paging activity. If the SETOBJACC command is used to preload an object into the same pool, it may lose some of its storage. The SETOBJACC command is used to cause no page faulting to occur in the pool, and QPFRADJ would consider that pool a prime candidate for removing storage.

In some cases, QPFRADJ at IPL should not be used because IPL tuning can undo acceptable performance that is achieved by dynamic tuning or manual tuning done during normal system operation. In an environment with the same number of active jobs and no new applications, QPFRADJ is set to 0 after it has been used to obtain optimal paging rates across the system.

Can IASP data be saved in Restricted system state?

If the system is in restricted state, it is possible to save the security data by using the command SAVSECDTA ASPDEV(*ALLAVL). This command will save the private authorities for all available IASPs.

To save the IASP at V5R2, it must be in AVAILABLE or ACTIVE status. The IASP status changes from AVAILABLE to ACTIVE when all subsystems are closed because the jobs that service the ASP are under QSYSWRK.

Starting from V5R3, it is possible to save the IASP only if it is in AVAILABLE status. This does not mean that the security data cannot be saved if the system is in restricted status because if the IASP is AVAILABLE before the closure of all subsystems, the status will not be changed to ACTIVE any more. In fact, the jobs that service the IASP are system jobs that are no longer under subsystem QSYSWRK, so they will not be ended any more when going to restricted state.

Starting of TCP/IP Interface Fails with Message TCP1B01

When using the STRTCPIFC command, or when trying to start a TCP/IP interface from the NETSTAT or CFGTCP menus, the start attempt times out with error message TCP1B01. The message reads:

Message ID . . . . . . . . . : TCP1B01

Message file . . . . . . . . : QTCPMSG

Library . . . . . . . . . : QSYS

Message . . . . : Unable to determine if &1 interface started.

Cause . . . . . : The QTCPIP job in the QSYSWRK subsystem is not active, or the default wait time for your job was exceeded while waiting for the interface to start.

Recovery . . . : Use the Work with Active Jobs (WRKACTJOB) CL command to list the active jobs in the QSYSWRK subsystem. If the QTCPIP job is not active, issue the End TCP/IP (ENDTCP) CL command followed by the Start TCP/IP (STRTCP) CL command. After STRTCP completes processing, issue the Start TCP/IP Interface (STRTCPIFC) CL command again. If the QTCPIP job in the QSYSWRK subsystem is active, continue to look in the QTCPIP job log to determine if the &1 interface was started. To avoid this problem when using STRTCPIFC, wait for system activity to decrease, or increase the default wait time for your job using the Change Job (CHGJOB) CL command.

Despite the recovery action listed, the problem can actually be due to authority issues. When using the WRKJOB command on the QTCPIP job (WRKJOB QTCPIP), it is possible to see no active QTCPIP jobs. Working with the most recent job in OUTQ status, and reviewing the joblog, it is very likely that message CPFA09C is posted in the joblog. Typically this message refers to an object named QLGPGCMA.LOCALE. However, the message can vary. It is very possible that the object is an Integrated File System object and is potentially the root directory ('/'). Verify the root directory's authority by using the command WRKLNK OBJ('/') or verify the authority to the object identified in the error message. Use Option 9 to view the authority, and ensure *PUBLIC is not set to *EXCLUDE.

Displaying Previous Sign-On Information

When the QDSPSGNINF is set to one, the Previous Signon Date and Time is displayed correctly when using Client Access connectivity. The last date/time of signon for the user profile is updated when the security API is called to verify a positive indicator and also updates the user profile. If the password is good for the ID provided, the API returns a positive indicator and also updates the user profile. There is no implication that this sign-on was for an interactive job.

The Signon Server for Client Access (for APPC and Sockets) calls the security API. Other products (such as an OEM emulator) may not call the security API, for example, Telnet from the DOS prompt. In addition, the PCOMM product (not the emulator shipped with Client Access) goes straight to the Telnet server and will not go through the Client Access Signon Server.

The Client Access Signon Server is used for a specific reason. If the Client Access user is running Data Transfer or RMTCMD, security must verify a user ID and password, and that would be a previous signon. The term signon means the last time a user ID and password were verified but not necessarily when a an interactive job was started. Client Access has a suite of functions that do not use a interactive job. In that case, the Client Access Signon Server is used to verify that the user ID and password are correct. Therefore, the date and time stamps for the user profile reflects the previous time that the user ID and password were checked rather than only the last time that an interactive job was started. This is working as designed and is not a defect.

As long as the same user ID and password are used for the Client Access sign-on and again later at the time the interactive job is started, you will see where the date and time stamps are correct for the previous sign-on. We understand that, in some cases, this information may not mean much. But, the last time that the password was verified and the user attempted any type of signon is always the date listed. This occurs when starting Client Access for the first time or when closing a Client Access connection and the user is prompted for the AS/400 sign-on information.

Setting Up the System So a User Does Not Have to Enter a User ID and Password

At security level 30 and below, signing on by pressing the Enter key without a user ID and password is possible with certain subsystem descriptions. At security level 40 and higher, the system stops any attempt to sign on without a user ID and password.

After changing your security level to 20 or higher, signing on without a user ID and password is not allowed in the subsystems shipped by IBM®. However, defining a subsystem and job description combination that allows default sign on is possible and represents a security exposure. When the system routes an interactive job, it looks at the workstation entry in the subsystem description for a job description. If the job description specifies USER(*REQ), the user must enter a valid user ID and password at the sign-on display. If the job description specifies a user profile in the USER field, anyone can press the Enter key and sign on as that user.

CPF3810 during PTF Installation

Some users are seeing message CPF3810 authority error being received during PTF install processing.

Problem

Message CPF3810:

Message . . . . : Save file &1 not restored to library &3. (One of the typical libraries we see in this message is QSRV)

Cause . . . . . : You do not have sufficient authority to restore a save file that does not exist on the system.

Recovery . . . : Do one of the following:

1) Obtain authority to the CRTSAVF command from your security officer and use the RSTOBJ command to restore the save file.

2) Have your security officer restore the save file.

Resolution

To resolve the problem, do the following:

1 Sign in as the actual QSECOFR profile.
2 Verify that QSYS library is at the top of the system library list using the DSPLIBL command. If not, consider temporarily removing the library above QSYS with the following command:
CHGSYSLIBL LIB(xxxxxx) OPTION(*REMOVE)
3 Install the PTFs.
4 If you removed a library from the system library list during Step 2, add the library back in the system library list using the following command:
ADDLIBLE LIB(xxxxxx)

Group Profile Names Cannot Be Used for Authentication

User names that are group profiles cannot be used as the Security Server ID when security is enabled with the LocalOS user registry. Nor can group profiles be used to authenticate to IBM® WebSphere® Application Server when attempting to access any protected WebSphere resource. Use the DSPUSRPRF command to determine if a user profile is used as a group profile. Each such user profile is assigned a unique group ID number.

Securing a Library from Some Users but Allowing *PUBLIC Access

There are times when you want a person or group to have less access than *PUBLIC has. To be the most secure possible, you can even make the entire system excluded from the user except what you want that user to be able to see.

For the person or group, do the following:


1 To exclude a person from all libraries on the system and, therefore, all objects in libraries on the system, run the following command:
GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(xxxx) AUT(*EXCLUDE)
2 Run the following command:
DSPSYSVAL QSYSLIBL
Document every library in the system library list.

3 For each library in the system library list, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
This allows the user to access the libraries in the system library list. Without this, the user cannot sign on.

4 Do the same thing for each library in the user library list (which is listed in their job description). Then, repeat Step 3 for each library added to the user's library list.

5 For each additional library you want the excluded user to be able to use objects in that library, do one of the following:
To give the user the same authority that public does, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
To give the user specific authority to the library, run the following command:
GRTOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(xxxx)

To give the user specific authority to the library, run the following command:

GRTOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(xxxx)

If a user is *EXCLUDE from a library, that user is excluded from all objects in the library. However, if the user can *USE the library, the user can do more than merely *USE the objects within. The authority goes down to the specific object authorities. Therefore, the user might be able to change or even delete objects within the library.


The user must always have access to the following:

o The libraries in their library list.

o Most objects available to *PUBLIC in QSYS.

o The device that they're signing in from, with at least *CHANGE authority.

o Their own user profile, with at least Operator and Management data authorities, and all data authorities.

Without these, the user is not able to sign on.

What happens if the QSECOFR user profile gets deleted?

If the QSECOFR user profile gets deleted from the system, the best way to ensure it is properly re-created is to restore it from your latest full system backup tapes or security backups (created with the SAVSECDTA command).

This ensures that all authorities are returned. (Others who might have security authorities might not have the complete range of special authorities and, therefore, cannot authorize other users to these.) If full system or security backups are not available, the default values for QSECOFR can be restored from PID tapes or CD-ROM.

Users Cannot Log In - Error 19114

When attempting to sign on to DB2® Web Query, a user may be blocked and given error code 19114, if both their user profile and the QWEBQRYADM profile are blocked from using the Remote Command server. The Remote Command server can be blocked by the QIBM_QZRC_RMT exit point.

You must make sure if you use a third party security product that you allow the user and QWEBQRYADM to use the Remote Command server.

IBM Power Systems

Support for Alternative Console

DST switches to an alternative console when the system console does not work. This does not occur automatically. An SRC appears on the control panel indicating when intervention is needed. To access the alternative console, select function 21 on the control panel and press the Enter function.

DST is the only tool that uses the alternative console. OS/400 checks to see if DST used an alternative console. If DST used an alternative console, the system console cannot be used. OS/400 then sees if it can switch to performing an unattended IPL. OS/400 does not use the alternative console.

DST does not allow an installation to be performed from an alternative console because an installation requires an attended IPL.

Configuration for Alternative console:

The primary console is the workstation that is:
o On port 0
o At address 0
o On the first workstation I/O processor on bus 0

The first alternative console is the workstation that is:
o On port 1
o At address 0
o On the first workstation I/O processor on bus 0

The second alternative console is the workstation that is:
o On port 0
o At address 0, if twinaxial workstation I/O processor
o On the second workstation I/O processor on bus 0

Note: The second workstation I/O processor can be a twinaxial or an ASCII I/O processor.

Objects Cleaned Up by Operational Assistant Cleanup

1. Messages

o User message queues
Note: The message queues for the following IBM-supplied user profiles are not cleaned up by Operational Assistant cleanup (automatic cleanup):

QDBSHR
QDFTOWN
QDOC
QLPAUTO
QLPINSTALL
QRJE
QSECOFR
QSPL
QSYS
QTSTRQS
o Work station message queues
o System operator message queue

2. Printer Output

o Output queue QEZJOBLOG job logs
o Output queue QEZDEBUG (service and program dumps)

3. Journals

o APD journal
o DSNX journal
o Job accounting data journal (see note below)
o Performance adjustment data journal
o Problem databases journal
o QSNADS journal
o OSI Message Services/400 journal
o QZMF, QZCAJRN, and QVPN
Notes:
1. The security journal QAUDJRN is not cleaned up by the Operational Assistant cleanup function. If this journal is used, change and delete journal receivers periodically.
2. The journal receivers associated with the following journals are cleaned by Operational Assistant cleanup:
QACGJRN
Journal for Job Accounting Data
QAOSDIAJRN
Journal for Document Internalchange Architecture (DIA) Files
QAPD/ADJRNLO
Journal for the APD Licensed Program
QCQJMJRN
Journal for Managed System Services/400 Licensed Program
QDSNX
Journal for Distributive Systems Node Executive (DSNX) Log
QLYJRN
Journal for Application Development Manager Transactions
QLYPRLOG
Journal for Project Logs
QMAJRN
Journal for Work with Order Requests
QO1JRN
Journal for Application Enabler OFC Files
QSNADS
Journal for SNA Distribution Services (SNADS) Files
QSNMP
Journal for SNMP
QSXJRN
Journal for Problem Database
QPFRADJ
Journal for Performance Adjustment Data
QX400
Journal for the X.400 Licensed Program

4. IBM OfficeVision for IBM OS/400 Program

o Calendar entries
o Folders (reorganized)
o Database files (reorganized)

5. Other System Objects

o History log
o Problem log and files
o Alerts database
o PTF save files
o Reclaim temporary storage used by temporarily decompressed objects

The Sign-On Display Does Not Appear on a Workstation after It Is Varied On

To determine why the sign-on display does not appear on a workstation after it is varied on, check the subsystem setup. Do the following:

o Ensure the subsystem is active.

o Use the Work with Subsystem Description (WRKSBSD) command to check the interactive subsystem descriptions for name and type entries.

o Use the Add Work Station Entry (ADDWSE) command to add an entry if you see that other workstation entries exist.

o If only *CONS and *ALL are used, ensure that the subsystem for interactive jobs is active.

User Profiles Creation during Operating System installation

When the operating system is installed from IBM-supplied media OR SAVSYS, the user profiles that are created in stage 1 of the operating system installation are determined by a security program that runs and checks for the existence of a specific list of profiles. If the profile does not exist in this list, it is not created. It does not matter which profiles were saved with the SAVSYS. Therefore, a scratch install is performed (for example, a disaster recovery or a migration to a different system) and there are objects in QSYS that are owned by a profile other than the specific set of profiles listed in the security program, they will end up being owned by QDFTOWN.

The profiles that are currently created when the operating system is installed are listed, in order, below:

Obtaining a List of Public Authorities for All Objects in a Library

To obtain a list of *PUBLIC authorities for all objects in a specific library, do the following:

1) On the operating system command line type the following:
WRKOBJ OBJ(LIBXXX/*ALL) OBJTYPE(*ALL)
Press the Enter key. Select Option 5 for all of the objects, as shown below:
Opt Object        Type       Library     Attribute    Text
 5   DTAQ1      *DTAQ   LIBXXX
 5   BATCHRT *FILE      LIBXXX SAVF
 5   CRTMQM *FILE      LIBXXX SAVF
 5   IBM           *FILE      LIBXXX PF
 5   IBM1         *FILE      LIBXXX PF

2) At the command line, type the following:
OUTPUT(*OUTFILE) OUTFILE(XXX/ZZZZ) OUTMBR(*FIRST *ADD)
where XXX is the library where you want the file to reside and ZZZZ is the name of the file to be created.
Then press the Enter key. The system will automatically create the file specified in the OUTFILE if it does not already exist. A record will be added to the file for each object that had a 5 placed in front of it. After the file has been created, you can run a query on the file to create your report.

Delete an object in Integrated File System - Message identifier CPFA0B1

Message CPFA0B1 occurs when one creates a directory in the Integrated File System (CRTDIR) with parameter RSTDRNMUNL set to (*YES). This parameter specifies whether special restrictions apply for rename and unlink operations performed on objects within a directory. This can be set only for a directory in the NFS, QFileSvr.400, "root" (/), QOpenSys, or user-defined file systems. A user cannot unlink an object that has the "restricted rename and unlink" attribute set on unless one or more of the following is true:

o The user is the owner of the object.

o The user is the owner of the directory.

o The user has all object (*ALLOBJ) special authority.

To resolve the problem, do the following:

o Open iSeries Navigator.

o Go into Integrated File Systems.

o Right-click on Integrated File System objects.

o Select Properties.

o Select the Security tab.

o Uncheck Restrict rename and unlink.

Internal security object not available – Message Identifier Message CPF2247 RC6

When a message CPF2247 RC6 is posted, there is no explanation on what a RC6 means. Below is the text that will be seen:

Message ID . . . . . . . . . : CPF2247
Message file . . . . . . . . : QCPFMSG
Library . . . . . . . . . : QSYS
Message . . . . : Internal security object not available. Reason code &1.
Cause . . . . . : An internal security object is not available for one of the following reasons:

1-Object is locked by another process.
2-User profile does not have enough auxiliary storage.
3-Interactive profile is damaged.
4-Damaged object detected, it is not an interactive profile.
5-Unable to access temporary interactive profile.

A RC6 indicates that the Password for user &1 not available. This will occur as a result of system value QRETSVRSEC being set to 0 when the profile was created and the password has not been changed since the system value was changed to 1. The fix is to change the password for the profile on each of the nodes.

Security Information Changes When an Object is Restored

When an object is restored to the system, the system uses the authority information stored with the object. The following applies to security of the restored object:

Object Ownership

o If the profile that owns the object is on the system, ownership is restored to that profile.

o If the owner profile does not exist on the system, ownership of the object is given to the QDFTOWN (default owner) user profile.

o If the object exists on the system and the owner on the system is different than the owner on the save media, the object is not restored unless ALWOBJDIF(*ALL) is specified. In that case, the object is restored, and the owner on the system is used.

o See “Restoring Programs” on page 219 for additional considerations when restoring programs.

Primary Group

For an object that does not exist on the system:

o If the profile that is the primary group for the object is on the system, the primary group value and authority are restored for the object.

o If the profile that is the primary group does not exist on the system:

- The primary group for the object is set to none.

- The primary group authority is set to no authority.

When an existing object is restored, the primary group for the object is not changed by the restore operation.

Public Authority

o If the object being restored does not exist on the system, public authority is set to the public authority of the saved object.

o If the object being restored does exist and is being replaced, public authority is not changed. The public authority from the saved version of the object is not used.

o The CRTAUT for the library is not used when restoring objects to the library.

Authorization List

o If an object other than a document or folder already exists on the system and is linked to an authorization list, the ALWOBJDIF parameter determines the result:

- If ALWOBJDIF(*NONE) is specified, the existing object must have the same authorization list as the saved object. If not, the object is not restored.

- If ALWOBJDIF(*ALL) is specified, the object is restored. The object is linked to the authorization list associated with the existing object.

o If a document or folder that already exists on the system is restored, the authorization list associated with the object on the system is used. The authorization list from the saved document or folder is not used.

o If the authorization list does not exist on the system, the object is restored without being linked to an authorization list and the public authority is changed to *EXCLUDE.

o If the object is being restored on the same system from which it was saved, the object is linked to the authorization list again.

o If the object is being restored on a different system, the ALWOBJDIF parameter on the restore command is used to determine if the object is linked to the authorization list:

- If ALWOBJDIF(*ALL) is specified, the object is linked to the authorization list.

- If ALWOBJDIF(*NONE) is specified, the object is not linked to the authorization list and the public authority of the object is changed to *EXCLUDE.

Private Authorities

o Private authority is saved with user profiles rather than with objects.

o If user profiles have private authority to an object being restored, those private authorities are usually not affected. Restoring certain types of programs may result in private authorities being revoked.
o If an object is deleted from the system and then restored from a saved version, private authority for the object no longer exists on the system. When an object is deleted, all private authority to the object is removed from user profiles.

o If private authorities must be recovered, the Restore Authority (RSTAUT) command must be used. The normal sequence is:

a) Restore user profiles

b) Restore objects

c)  Restore authority

Securing a Library from Some Users but Allowing *PUBLIC Access

There are times when you want a person or group to have less access than *PUBLIC has. To be the most secure possible, you can even make the entire system excluded from the user except what you want that user to be able to see.

For the person or group, do the following:

1. To exclude a person from all libraries on the system and, therefore, all objects in libraries on the system, run the following command:
GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*LIB) USER(xxxx) AUT(*EXCLUDE)
2. Run the following command:
DSPSYSVAL QSYSLIBL
Document every library in the system library list.
3. For each library in the system library list, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
This allows the user to access the libraries in the system library list. Without this, the user cannot sign on.
4. Do the same thing for each library in the user library list (which is listed in their job description). Then, repeat Step 3 for each library added to the user's library list.
5. For each additional library you want the excluded user to be able to use objects in that library, do one of the following:
To give the user the same authority that public does, run the following command:
RVKOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(*ALL)
To give the user specific authority to the library, run the following command:
GRTOBJAUT OBJ(QSYS/library) OBJTYPE(*LIB) USER(xxxx) AUT(xxxx)
If a user is *EXCLUDE from a library, that user is excluded from all objects in the library. However, if the user can *USE the library, the user can do more than merely *USE the objects within. The authority goes down to the specific object authorities. Therefore, the user might be able to change or even delete objects within the library.
The user must always have access to the following:

o The libraries in their library list.
o Most objects available to *PUBLIC in QSYS.
o The device that they're signing in from, with at least *CHANGE authority.
o Their own user profile, with at least Operator and Management data authorities, and all data authorities.
  
Without these, the user is not able to sign on.

Checking System Authority

When a user attempts to perform an operation on an object, the system verifies that the user has authority for the operation. The system first checks authority to the object library. If the authority to the library is adequate, the system checks authority to the object itself. In the case of database files, authority checking is done at the time the file is opened, not when each individual operation to the file is performed.

During the authority-checking process, when any authority is found (even if it is not adequate for the requested operation) authority checking stops and access is granted or denied. Adopted authority function is the exception to this rule. Adopted authority can override any specific (and inadequate) authority found. See the topic Objects That Adopt the Owner's Authority in the Security Reference manual for more information about adopted authority.

The system verifies a user's authority to an object in the following order:

1. User's *ALLOBJ special authority

2. User's specific authority to the object

3. User's authority on the authorization list securing the object

4. Group's *ALLOBJ special authority

5. Group's authority to the object -- see Note below.

6. Group's authority on the authorization list securing the object

7. Public authority specified for the object or for the authorization list securing the object

8. Program owner's authority, if adopted authority is used

Note: Authority from one or more of the user's groups may be accumulated to find sufficient authority for the object being accessed.

Determining What Objects Were Deleted with User Profile Deletion

If an administrator deletes a profile and also accidentally deletes the owned objects, it is possible to track what objects may have been deleted if security auditing is already being used at that time with QAUDLVL set with type *DELETE.

In the following example, user SMOHAMED deletes user profile COCO04 with the following command:

DLTUSRPRF USRPRF(COCO04) OWNOBJOPT(*DLT)

At the time it was deleted, the user profile owned a number of objects including job queues COCO401 through COCO405.

Using security auditing, it is possible to create an output file containing the deletes using the following commands:

Step 1: Create a file based on the correct field description file for DO journal entries:

CRTDUPOBJ OBJ(QASYDOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) NEWOBJ(COCODELETE)

Step 2: Create an output file from the appropriate journal entries. In this example, I also narrowed down the search with specifics for date and time.

DSPJRN JRN(QAUDJRN) FROMTIME(083106 0730) ENTTYP(DO) OUTPUT(*OUTFILE) +

OUTFILFMT(*TYPE4) OUTFILE(COCODELETE)

Step 3: Look at the resulting file with the following command:

WRKF FILE(COCODELETE)

The following is shown:

 

 

 

 

 

 

 

 

 

Press F20 one time to get to the following screen.

 

 

 

 

 

 

 

 

As you can see, it does not reference the owner of the deleted objects (COCO04) in each entry. However, in the three tests I made, the owned objects were listed immediately above the deletion of the profile. Therefore, the entries are not a definitive answer but at least give a list of everything the administrator deleted immediately before the actual deletion of the profile. Unless the administrator deleted objects right before going on to delete the profile, the list should be fairly accurate.

PM Agent Jobs

A list of PM Agent jobs and their function follows:

Determining Who Started the Performance Collection Job

The performance collection (QYPSPFRCOL) job can be started using one of the following ways:

• Starting a Management Central Monitor
• iSeries Navigator - Under the Configuration and Service container, right-click on Collection Services, and then click on Start Performance Collection
• Performance Monitor (PM/400)
• GO PERFORM, Option 2 or STRPFRCOL command using a character-based interface
• Collection services (QYPSSTRC) API  

Depending on the method used to start the QYPSPFRCOL job, there will be different jobs specified in the CPI1125 message that is logged in the joblog for the job (as shown in example below). The message indicates that the QYPSPFRCOL job was started by PM/400.  

 

Message ID . . . . . . : CPI1125 Severity . . . . . . . : 00

Message type . . . . . : Information

Date sent . . . . . . : 01/04/07 Time sent . . . . . . : 09:38:08

Message . . . . : Job 373713/QSYS/QYPSPFRCOL submitted.

Cause . . . . . : Job 373713/QSYS/QYPSPFRCOL submitted to job queue QSYSNOMAX in QSYS from job 373682/QPM400/Q1PPMSUB.

 

Following is a table which shows the job that is specified in message CPI1125 message, indicating where the QYPSPFRCOL job was started from:

 

Note: To determine if the QZRCSRVS job was started as a result of a Management Central monitor versus iSeries Navigator, check the timestamp for message CPI1125 in the QYPSPFRCOL joblog. Then, check the Management Central server (QYPSJSVR) joblog for message CPIB901 indicating that a monitor was started. If the timestamps for both messages are the same, this means the QYPSPFRCOL job was started using a Management Central monitor.

Performance Tools - Manager and Agent

You can use the Manager and Agent features to efficiently divide required functions of Performance Tools over a distributed environment. Performance Tools are available with two separately installable features. This document explains the differences between the two features to help you decide which feature is more appropriate for your applications.

Manager Feature

The Performance Tools Manager feature is a full-function package that is intended to be used on the central site system in a distributed environment or on a single system. If you require analysis of trace data, viewing data graphically, viewing system activity in real time, or managing and tracking system growth, the Manager feature of the Performance Tools licensed program is more useful.

Agent Feature

The Performance Tools Agent feature, with a subset of the Manager function, is a lower-priced package with the more basic functions. In a distributed environment, the Agent feature works well for managed systems in the network because the data can be sent to the Manager if detailed analysis is required. It is also an effective tool for sites that need a reasonable level of self-sufficiency but have no expert skills available.

The Agent feature of Performance Tools provides functions to simplify the collection, management, online display, data reduction, and analysis of performance data. The Performance explorer reporting function and its associated commands are included in the base option in the IBM® Performance Tools for iSeries™ licensed program and, therefore, are available with either the Manager feature or the Agent feature. The major Performance Tools functions that are not contained in the Agent feature are performance and trace reports, performance utilities (job traces and the select file utilities), system activity monitoring, and performance graphics.

System Value QPFRADJ

During an IPL, CPF1805 messages are sent to the history log (QHST) by the IPL tuner; this indicates machine pool size changes. The IPL tuner runs only if QPFRADJ is set to 1 or 2. The dynamic tuning (automatic adjustment by the performance adjuster) does not log changes to pool sizes, so you will not see a message in QHST for the changes it makes to the machine pool size. Dynamic tuning runs after the IPL tuner when QPFRADJ is set to 2.

So, we are really talking about two separate tuning algorithms. When QPFRADJ is set to 2, the IPL tuner sets the machine pool size based on its own calculation of reserved size and the configuration of the system. It does not look at the minimum machine pool size on WRKSHRPOOL. Those values are only used by the dynamic tuning. The help text on QPFRADJ and WRKSHRPOOL might not be totally clear about these being two separate things; however, it does differentiate adjustment at IPL from automatic adjustment. The help text on WRKSHRPOOL only states that the size percent is used when QPFRADJ is set to 2 or 3. It does not explicitly say automatic adjustment only.

Even if you set the minimum % for the machine pool to a user-defined value, the IPL tuner will still set the machine pool first during the IPL if the QPFRADJ system value is set to 2. The dynamic tuning will recalculate the machine pool size based on the minimum %; however, it will always happen after the IPL tuning. The dynamic tuning runs immediately after the IPL tuning during IPL. However, the point I am trying to make is that there is a window between these two separate adjustments, even though you see only one of them logged in QHST. The IPL tuner does not know what the dynamic tuner minimum % is set to.

Advising that the minimum % be raised to a greater value is good. However, the QPFRADJ system value should also be changed from 2 to 3 to avoid the window where the IPL tuning is setting the machine pool to a low value prior to when the dynamic adjustment changes it to the minimum size set through WRKSHRPOOL.

If the QPFRADJ value is set to 3, the IPL tuner is not invoked; the machine pool is set to the value seen prior to the IPL. As a general recommendation, the QPFRADJ system value should be set to 3.

IBM PM iSeries Installation and Activation Instructions V5R1M0

These instructions provide the steps necessary to activate IBM Performance Management for eServer iSeries. To use this document, find the section pertaining to the operating system release currently in use on the system (for example, V5R3M0).

Operating System Release PM iSeries Availability Options 

• V5R1M0 => Included in operating system
• V5R2M0 => Included in operating system
• V5R3M0 => Included in operating system
• V5R4M0 => Included in operating system

Note: At V5R1M0 and later, PM iSeries is part of the base operating system. However, it must be configured to work properly

Disk Space Requirements

5MB of disk space is required for PM iSeries code at all releases.

Approximately 58MB is required for each day of raw performance data retained on the system. To alter the overall size of the raw performance data retained on the system, on the operating system command line, type the following:

GO PM400,  Press the Enter key. Select Option 3, and change the number of performance data purge days.V5R1M0: Performance Management/400 Activation

1. Sign on as a user with *SECOFR authority.

2. On the operating system command line, type the following:

    WRKSBS

   Press the Enter key.

3. Select Option 8 on the QSYSWRK subsystem, and press the Enter key. Select Option 4 on the QYPSPFRCOL job, and press F4 to prompt. For 'How to end', type *IMMED, and press the Enter key. Press F5 to refresh until the job is gone.

4. Select Option 4 on the Q1PSCH job, and press F4 to prompt. For 'How to end', type *IMMED and press the Enter key. Press F5 to refresh until the job is gone.

5. If upgrading PM iSeries from a prior release in which data was collected, the data in the collection library must be cleared or converted. On the operating system command line, type the following:

GO PM400

Press the Enter key, and select Option 3. Note the data collection library being used (usually QMPGDATA). Press F12 until you return to the main menu.

To clear the library, on the operating system command line, type the following:

CLRLIB xxxxx, where xxxxx is the data collection library. Press the Enter key.

To convert the data, on the operating system command line, type the following:

CVTPFRDTA, Press F4 to prompt. Use the operating system help instructions to complete this task. Consideration should be given to the size of the performance data library and if the system has sufficient space to accommodate another library of that size. For assistance, contact the IBM Support Center in your country.

6. On the operating system command line, type the following:

CFGPM400, Press the Enter key.

Send performance data to IBM? *YES

Receive performance data *NO

Performance data library QMPGDATA(Library from Step 5)

Press the Enter key.

7. A screen listing the PM iSeries communications objects is shown. Change the Do you want to set up PM/400 line control? parameter to *NO. Press F6 to re-create the communications objects regardless of their current status. For information on how to set up PM/400 line control, if necessary, refer to document 21253507 Setting up PMLINMON (V4R5M0 and Higher). To link to document 21253507 immediately, click here .

8. Fill in the customer contact information, paging down as necessary. When complete, press the Enter key.

9. On the operating system command line, type the following:

WRKSBS

Press the Enter key. Select Option 8 on the QSYSWRK subsystem. Verify that the CRTPFRDTA, QYPSPFRCOL, and Q1PSCH jobs are active. If not, contact the IBM Support Center in your country.

10. To configure PM iSeries data to be sent using a point-to-point connection over an internal or dual model modem. If you need assistance, contact the IBM Support Center in your country.

11. To configure PM iSeries data to be sent using a point-to-point connection over an internal or dual model modem. If you need assistance, contact the IBM Support Center in your country.

12. Check the the necessary PM iSeries PTFs by release:

13. GO PM400 option 2, ensure the Q1PCM1, Q1PCM2, Q1PTEST, and Q1PMONTH jobs are inactive. 

Identifying and Resolving Common Performance Problems

When performance problems occur on the IBM System i system, they often affect specific areas of the system first. Refer to the following table for some methods available for researching performance on these system areas. Many of these areas are available as system monitor metrics. However, there are several other ways to access information about them.

Tracking System Performance

Tracking system performance for the IBM® System i™ products server helps you to identify trends that can help you tune your system configuration and make the best choices about when and how to upgrade your system. Moreover, when problems occur it is essential to have performance data from before and after the incident to narrow down the cause of the performance problem and to find an appropriate resolution.

The System i server includes several applications for tracking performance trends and maintaining a historical record of performance data. Most of these applications use the data collected by Collection Services. You can use Collection Services to watch for trends in the following areas:

1. System resource utilization is used to plan and specifically tailor system configuration changes and upgrades.
2. Identify stress on physical components of the configuration.
3. Provide balance between the use of system resources by interactive jobs and batch jobs during peak and normal usage.
4. Collection Services data can be used to accurately predict the effect of configuration changes (for example, adding user groups, increasing interactive jobs) and other changes.
5. Identify jobs that might be causing problems with other activity on the system.
6. Determine utilization level and trends for available communication lines.

 The following tools will help you monitor your system performance over time:

Collection Services

Collection services gathers performance data at user-defined time intervals and then stores this information in collection objects on your system. Many of the other tools (including monitors, Graph history, IBM® PM iSeries™, and many functions in the Performance Tools licensed program) rely on these collection objects for their data.

 

Graph history

Graph history displays performance data that was collected with Collection Services over a specified period of time through a graphical user interface (GUI). The length of time available for display depends on how long you are retaining the collection objects and whether you are using PM iSeries.

 

PM iSeries

PM iSeries automates the collection, archiving, and analysis of system performance data and returns clear reports to help you manage system resources and capacity.

Determining the Actual Security Level of System

To determine the actual security level of a system, do one of the following:

At R370 or later:
Running the DSPSECA command shows the following screen:

User ID number . . . . . . . . . . . . . . : 2840

Group ID number . . . . . . . . . . . . : 177
Security level . . . . . . . . . . . . . . : 40
Pending security level . . . . . . . . . : 50
Password level . . . . . . . . . . . . . . : 0
Allow change of security related system
values . . . . . . . . . . . . . . . . . : *YES
Allow add of digital certificates . . . . : *YES
Allow service tools user ID with default
and expired password to change its own
password . . . . . . . . . . . . . . . . : *YES
If the actual security level is the same as the QSECURITY system value, the 'Pending security level' is not displayed.


At any release:

On the operating system command line, type the following:

DMPSYSOBJ QSYUPTBL QSYS TYPE(0E) SUBTYPE(C5)
Press the Enter key. Then, type the following:
WRKSPLF
Press the Enter key. In the index entries:

QSECURITY entry at offset '21'X,
'0032'X = level 50
'0028'X = level 40
'001E'X = level 30
'0014'X = level 20
'000A'X = level 10

IBM OS/400 Security ToolKit

The Security ToolKit for IBM System i system is a set of tools to audit and manage security and users. The Security ToolKit provides the following menus:

The SECTOOLS (Security Tools) menu is used to run Security ToolKit commands interactively.

The SECBATCH (Submit or Schedule Security Reports to Batch) menu is used to run the Security ToolKit report commands in batch. The SECBATCH menu has two parts. The first part of the menu uses the Submit Job (SBMJOB) command to submit reports for immediate processing in batch. The second part of the menu uses the Add Job Schedule Entry (ADDJOBSCDE) command. You use it to schedule security reports to be run regularly at a specified day and time.

 

Notes: 1 The QSECLIB library must be in the library list. If the primary language on your system is not one of the Security ToolKit languages, the appropriate QSYS29xx libraries must also be in your library list.

2 Review information APAR II09315 for answers to commonly asked questions, known problems, and associated PTFs. To order the cover letter, use the SNDPTFORD command.

SECTOOLS

The SECTOOLS menu options and commands that relate to users profiles are described briefly below. To access this menu, at the operating system command line type GO SECTOOLS.

Check profiles for default passwords: Use the Check Default Passwords (CHKDFTPWD) command to report on and take action on user profiles that have a password equal to the user profile name.

Display active profile list: Use the Display Active Profile List (DSPACTPRFL) command to display or print the list of user profiles that are exempt from PRCINACTPRF or ANZPRFACT processing.

Change active profile list: Use the Change Active Profile List (CHGACTPRFL) command to add and remove user profiles from the exemption list for the PRCINACPRF and ANZPRFACTcommands. A user profile that is on the active profile list is permanently active (until you remove the profile from the list). The PRCINACPRF and ANZPRFACT commands do not disable a profile that is on the active profile list, no matter how long the profile has been inactive.

Process inactive profiles: Use the Process Inactive Profiles (PRCINACPRF at V3R1 or V3R6) or Analyze Profile Activity (ANZPRFACT at V3R2, V3R7 and later) command to disable user profiles that have not been used for a specified number of days. Specify the number of days of inactivity before user profiles are disabled. The job is run daily at 1:00 A.M. You can use the CHGACTPRFL command to exempt user profiles from being disabled.

Display activation schedule: Use the Display Activation Schedule (DSPACTSCD) command to display or print information about the schedule for enabling and disabling specific user profiles. You create the schedule with the SCDPRFACT command.

Schedule profile activation: Use the Schedule Profile Activation (SCDPRFACT) command to make a user profile available for sign on only at certain times of the day or week. For each user profile that you schedule, the system creates job schedule entries for the enable and disable times.

Display expiration schedule: Use the Display Expiration Schedule (DSPEXPSCD) command to display or print the list of user profiles that are scheduled to be disabled or removed from the system in the future. You use the SCDPRFEXP command to set up user profiles to expire.

Schedule profile expirations: Use the Schedule Profile Expiration (SCDPRFEXP) command to schedule a user profile for removal. You can remove it temporarily (by disabling it) or you can delete it from the system. This command uses a job schedule entry that runs every day at 00:01 (1 minute after midnight).

Change security auditing: Use the Change Security Auditing (CHGSECAUD) command to set up security and to change the system values that control security auditing.

Display security auditing: Use Display Security Auditing (DSPSECAUD) command to display information about the security audit journal and the system values the control security auditing.

SECBATCH

The SECBATCH menu options and associated commands for security reports are described briefly below. To access this menu, at the operating system command line type GO SECBATCH. The menu options on your system may differ slightly because some menu options are not available on every version of the operating system.

Adopted object information: Use the Print Adopted Object Information (PRTADPINF) command to print a list of objects that adopt the authority of the specified user profile.

Audit record report: Use the Print Audit Record Report (PRTAUDRPT) command to display or print information about entries in the security audit journal.

Authorization list authorities: When you use the Print Private Authorities (PRTPVTAUT) command for *AUTL objects, you receive a list of all the authorization lists on the system. The report includes the users who are authorized to each list and what authority the user have to the list.

Command authority: This option uses the Print Publicly Authorized Objects (PRTPUBAUT) command for object type (*CMD) to submit a batch job that will print a list of commands in a library that do not have public authority of *EXCLUDE.

Communications information: Use the Print Communications Information (PRTCMNINF) command to print the security related settings for objects that affect communications on your system.

Document authority: This option uses the Print Publicly Authorized Objects (PRTPUBAUT) command for object type (*DOC) to submit a batch job that will print a list of documents in a folder that do not have public authority of *EXCLUDE.

File authority: This option uses the Print Publicly Authorized Objects (PRTPUBAUT) command for object type (*FILE) to submit a batch job that will print a list of files in a library that do not have public authority of *EXCLUDE.

Folder authority: This option uses the Print Publicly Authorized Objects (PRTPUBAUT) command for object type (*FLR) to submit a batch job that will print a list of folders on the system that do not have public authority of *EXCLUDE.

Job description authority: Use the Print Job Description Authority (PRTJOBDAUT) command to print a list of job descriptions that specify a user profile and have public authority that is not *EXCLUDE.

Library authority: This option uses the Print Publicly Authorized Objects (PRTPUBAUT) command for object type (*LIB) to submit a batch job that will print a list of libraries on the system that do not have public authority of *EXCLUDE.

Object authority: Use the Print Publicly Authorized Objects (PRTPUBAUT) command to print a list of objects whose public authority is not *EXCLUDE.

Private authority: Use the Print Private Authorities (PRTPVTAUT) command to print a list of the private authorities to objects of the specified type in the specified library or folder.

Print queue: Use the Print Queue Report (PRTQAUT) command to print the security settings for output queues and job queues on your system.

Subsystem descriptions: Use the Print Subsystem Description (PRTSBSDAUT) command to print the security related communications for the subsystem descriptions on your system.

System security attributes: Use the Print System Security Attributes (PRTSYSSECA) command to print a list of security related system values and network attributes to a spooled file.

Trigger programs: Use the Print Trigger Programs (PRTTRGPGM) command to print a list of trigger programs that are associated with database files on your system.

User objects: Use the Print User Objects (PRTUSROBJ) command to print a list of the user objects (objects not supplied by IBM) that are in a library.

User profile information: Use the Print User Profile Information (PRTUSRINF) command to analyze user profiles that meet specified criteria.

Check object integrity: Use the Check Object Integrity (CHKOBJITG) command to determine whether operable objects (such as programs) have been changed without using a compiler.