This newsletter includes:
- Checking Encryption Protocol and Cipher Strength
- Dissecting The Encryption Trace
- The GUI Interface to my tape drive stopped working. Firefox Support for Java Applets Dropped.
- New Dashboard in IBM Navigator for i
- Release Levels and PTFs
My calendar says spring, but it certainly doesn’t feel like it. As I write this newsletter, Baseball opening day is less than a week away, and there are still piles of snow on the ground. They say spring is about rebirth, well that is certainly true here at iTech Solutions. We continue to grow and expand here, with what I believe is an amazing team to help you with all your IBM i needs. As we expand our offerings and services, we aren’t changing or losing our focus on IBM i. Remember, we are an IBM Business Partner that you can depend upon.
This issue of our newsletter has 6 articles. In the first article we show you how to Check Encryption Protocols and Cipher Strength. The second article is on why your GUI interface to your tape drive might have stopped working if you are using Firefox. The third article shows you the new Dashboard in Navigator for IBM i. The fourth is on great education you need to succeed as an IT Professional, from the CIO to the System Administrator and Programmer. There is something for everyone. The fifth article lists some of the upcoming events in which iTech Solutions will be participating. The last article is for your reference with updated PTF information. Please note that for all 7.1 customers that are on the Quarterly or Semi-annual iTech Solutions PTF maintenance plan, we will be installing the latest PTFs as you are most likely now on Technology Refresh 11. For the 7.2 customers, we will be installing 7.2 Technology Refresh 6, and 7.3 will be Technology Refresh 2.
Some notes on the new HMC release that just came out:
- HMC V8 R8.6.0 will be the last release to support POWER6.
- HMC V8 R8.6.0 will be the last release to allow ‘classic’ UI login.
- HMC V8 R8.6.0 will be the last release that supports the model CR5, CR6 and C08.
- The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.
In March 2016 we released our first IBM i State of the Union and the positive comments and the number of downloads has been phenomenal. We updated it this summer to include everything from the first half of 2016; you can get a copy on our website. We are currently writing the 2017 IBM i State of the Union.
Having a business partner isn’t the same as having iTech Solutions. If you are not getting the support, the help, the guidance, and the advice you need to succeed, then you owe it to yourself to contact iTech Solutions for all your IBM Power Systems running IBM i needs. We can help you upgrade your AS/400 or iSeries to a Power Systems running IBM i, or even your existing POWER5, POWER6, or POWER7 machines to POWER8.
iTech Solutions vast experience can help you improve performance, perform security audits, implement a high availability solution, perform health checks, systems management, remote administration, PTF management, cloud-based systems, hosting, replication, and backup/recovery; upgrade an existing machine; or upgrade to a new machine. If you are thinking of LPAR or HMC, then think iTech Solutions. We have the skills to help you get the most out of your IBM i.
|
 |
For more information on any of the articles below please visit us on the web at iTech Solutions or email iTech Solutions. We would love for you to let us know any articles that you wish for the future, or if you enjoy any of the articles in the current newsletters.
___________________________________________________________________________________________
Checking Encryption Protocol and Cipher Strength.
With an industry-wide renewed focus on security, it’s important to know what encryption protocols and ciphers you have active. This is extremely valuable information on an integrated operating system like IBM i, where you can have many different applications at different versions and a large amount of supported encryption configurations. For instance, you may be looking to standardize on Transport Layer Security (TLS) version 1.2 but you’re not sure what, if any, services are actually using TLS 1.2 yet or what services are perhaps hard coded to use an inferior (i.e., broken) protocol like SSLv3 or SSLv2.
Using the Trace Internal command (TRCINT).
TRCINT is a command interface to a Licensed Internal Code service tool used to capture (among a litany of other things but for the purposes of this tip) an encryption trace point. In layman’s terms, you can turn on a trace and capture information about encrypted connections to an IBM i partition, then turn it off and send the information to a spooled file for review.
In order to do this particular trace, you’ll need the following PTFs applied:
IBM i 7.1 – MF59800
IBM i 7.2 – MF59777
Depending on what encryption protocol you want to trace, use parameter SLTTRCPNT in conjunction with the following table:
| Protocol | Trace Point |
| SSLv2 | 17000 |
| SSLv3 | 17001 |
| TLS 1.0 | 17002 |
| TLS 1.1 | 17003 |
| TLS 1.2 | 17004 |
You can use the TRCTBL parameter to create a trace table named appropriately for the trace you’re doing.
Here are some examples of what you can capture:
Capture all encrypted connections:
TRCINT SET(*ON) TRCTBL(‘All-encrypted’) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17004))
Capture only SSLv3 connections:
TRCINT SET(*ON) TRCTBL(‘SSLv3’) TRCTYPE(*SCKSSL) SLTTRCPNT((17001))
Capture only SSLv2 connections:
TRCINT SET(*ON) TRCTBL(‘SSLv2’) TRCTYPE(*SCKSSL) SLTTRCPNT((17000))
Capture everything but TLS 1.2 connections:
TRCINT SET(*ON) TRCTBL(‘TLS1.1AndLower’) TRCTYPE(*SCKSSL) SLTTRCPNT((17000 17001 17002 17003))
You’ll have to use a little trial and error to determine how long you run your trace. It all depends on the frequency/amount of encrypted connections to your system. For instance, one system could have 5 connections over a 24 hour period while another could easily have 25,000.
In order to turn off your trace you can run a variation of the following command. Remember to use the same TRCTBL name that you specified when you turned the trace on.
TRCINT SET(*OFF) TRCTBL(‘All-encrypted’) OUTPUT(*PRINT)
This will dump the contents of the trace to a spooled file called QPCSMPRT.
To delete the trace, run the following command:
TRCINT SET(*END) TRCTBL(‘All-encrypted’)
It’s a good idea not to delete the trace until you’re satisfied you have enough information generated based on the contents of your spooled file. If you’ve turned off the trace and find you’ve only got a couple of pages of information, you can always turn the same trace back on and keep adding to the trace table you created.
Dissecting The Encryption Trace
The QPCSMPRT spooled file contains a lot of useful information.
Each blue arrow highlights some important information about a connection on this screen shot.
First, you’ll see that there is a TLS 1.0 protocol in use. Although it’s TLS compared to SSL, it’s still a weak protocol version compared to TLS 1.1 or 1.2. It’s using the *RSA_AES_128_CBC_SHA cipher, which is acceptable.
The connection is hitting port 992, which is the encrypted port for Telnet. You also see the local IP interface the connection is established with and the remote IP address that the connection is coming from. Also, the QIBM_QTV_TELNET_SERVER is identified as the Digital Certificate Manager application that’s being used in conjunction with a certificate.
You can search this spooled file for all sorts of valuable details to narrow down what applications are using substandard encryption. Perhaps you’ll find Apache servers that have been customized and are using old, weak ciphers or Telnet connections that are negotiating down to insecure DES ciphers.
Knowing your connection information is imperative to securing your systems.
In terms of protocols in use, you can also have a great 30,000 foot view using System Service Tools using the following procedure:
STRSST
Option 1: Start a service tool
Option 4: Display/Alter/Dump
Option 1: Display/Alter storage
Option 2: Licensed Internal Code (LIC) data
Option 14: Advanced analysis
Enter 1 next to SSLCONFIG
Press Enter
Enter the following in the Options field: -sslConnectionCounts:enable
Press Enter.
Wait.
Enter the following in the Options field: -sslConnectionCounts:display
Enter
You’ll end up with a screen that looks similar to this:
From here, you can determine what protocols are in use, not necessarily what’s supported. You system value QSSLPCL controls the protocols available to be used. If you’re thinking of altering QSSLPCL, a good measure is to run this LIC analysis to determine what protocols are in use so you know how susceptible your system is and how much work you have in store to tighten things up.
There is so much to keeping your system secure. Are you looking for a security assessment, or perhaps just need help securing your system? Give us a call at 203-744-7854 option 3 or send us an email and we can show you how secure you are.
The GUI Interface to my tape drive stopped working. Firefox Support for Java Applets Dropped.
Do you have a TS2900 Tape Autoloader and use Firefox to access its web interface? If so, you may have trouble accessing it after the latest update to Firefox.
In the latest generally available version of Firefox, Mozilla has dropped support for something called the “Netscape Plugin Application Programming Interface,” or NPAPI for short. NPAPI is a plugin technology which is used by Java, Adobe Flash, and Microsoft Silverlight to load into the Firefox browser. The change is being made to improve the browser’s performance and security, but unfortunately it also renders these popular web plugins nonfunctional. Since the web interface on the TS2900 is entirely based upon a Java applet it also falls victim to this forced obsolescence.
We have come up with two workarounds that will let you once again manage your TS2900:
- Use Internet Explorer. IE still supports Java applets and probably always will, given that it is effectively a dead product, development-wise (note that this is the same reason why you probably shouldn’t use IE for general web surfing).
- Install Firefox 52 ESR. The Extended Support Release of Firefox will continue to support NPAPI plugins until 2018, although it should be noted that only the 32-bit version will support Java. Firefox ESR is intended for deployment by businesses and organizations since it is more rigorously tested for stability and only updates on a clearly defined schedule, something which is often required by corporate IT policy or practice.
The NPAPI tech is outdated, slow, and insecure (the name itself should give some insight into its age). Support for it has been slowly disappearing from mainstream web browsers. One can only hope that by the time Firefox ESR finally joins Chrome, Opera, and Edge in dropping Java applet support, IBM will have released a version of the TS2900 firmware that does not rely upon the technology.
If you need help or have questions on this, iTech Solutions can help you to do the remediation, to update the firmware on the tape drive, or anything else. Contact us to let us help you.
New Dashboard in IBM Navigator for i.
There are always so many new features and functions in Navigator for i that get delivered with each release. Remember, these come as part of the HTTP PTF Group. One that I like is a new “dashboard” type status page now appears when IBM Navigator for i is accessed. It appears instead of the Welcome Page. The Welcome Page still exists, but is not shown by default as before. The dashboard status page shows a quick view of the current status items for your IBM i:
- CPU Utilization
- Page Faults
- Disk Utilization
- Disk Pool Usage
- Jobs
- Operator Messages
It’s a great way to keep an eye on all the important statistics about your system. You can access it via Navigator for IBM i at http://your ibm i address:2001 Sign-in and the dashboard will now display.
So stay on a currently supported release, and keep your PTFs up to date. To learn more on how iTech Solutions can help you with your OS upgrade, please call us at 203-744-7854 and press 3, or email us.
IBM i Education.
There are so many great choices for IBM i education in the next 6 weeks, that I thought it was worth discussing. I want to highlight 3 conferences specifically:
- The COMMON IT Executive Conference for CIOs and IT Directors, at the Loews Sapphire Falls Resort at Universal Orlando – May 7 – 8
- The 2017 COMMON Annual Meeting and Exposition– The largest IBM i Conference in the world, at the Loews Sapphire Falls Resort at Universal Orlando – May 7 – 10
- The Northeast User Group Conference (NEUGC) – at the Sheraton Framingham, in Framingham, MA on April 11 – 1.
The IT Executive Conference (ITEC) was created with the needs of IT managers and decision makers in mind. Plus, if you are sending your team to the Annual Meeting for training, you should also attend. With a focus on strategic issues, you can interact with IBM representatives, speakers and peers regarding how to maximize your IT investment. I don’t think there is a better place to go to interact with other IBM i CIOs and Directors, to discuss the issues that you may be having. Check out the agenda, and see that this is a conference made for the IT Executive. Executive education from COMMON focuses on the big picture. For companies using Power Systems to run their businesses, it is critical to stay current with IBM and the dynamic IT environment.
- Receive industry updates direct from IBM representatives and other experts
- Interact with peers to learn of best practices that can transform your business
- Grow your professional network across various industries
If you are a System Administrator, an RPG Programmer, Open Source Programmer, Developer, Operator, Database Administrator, etc. then COMMON is the conference to attend. It’s the biggest and best in the world. This year the conference is in beautiful Orlando, get there a few days early and explore Universal or Disney. I have learned so much attending COMMON Conferences over the years, and there is still more to learn. As many of you know, I also write an article in the COMMON.CONNECT magazine. Here is an excerpt from my Pete’s Perspective column in the April issue. I discuss the reason why I attend COMMON Conferences.
Investment in career. Investment in my skills. Investment in my future.
No one can remain competitive in today’s job market without constantly updating and enhancing current skills and acquiring new knowledge. In our jobs, the pace of change and new material we are required to understand increases each year, exponentially. Where do I go to keep up? I go to the COMMON conferences. There are always new topics that I learn about, existing technology that I am familiar with but need a better handle on and then stuff I should know better than I do. Plus, I always try to attend sessions on a few other topics that aren’t in my wheelhouse. I am a System Administrator, but I will attend a session on Open Source or database to grasp the technology. I am not going to learn how to be an Open Source programmer, but I do need to understand when to use it, and how you use it, on an IBM i. No matter your job description, I encourage you to learn about other specialties when possible. COMMON conferences are a great place to do this.
If you live in the North East region of the US, then you know about the Northeast User Group Conference, NEUGC. This is a great value for the money, with an easy drive to Framingham, MA. It’s about 80 sessions over 2 full days, plus 2 Monday night deep dive sessions. You will surely want to check out the agenda.
I will be at all 3 of the above conferences and if you are a regular reader of our newsletter please introduce yourself. One of my favorite parts of the conferences is interacting with other attendees and learning what they are doing in their shops. Remember, if you don’t invest in yourself, who will?
| Upcoming Events
Some of the events that we will be speaking at or exhibiting at are listed below. Don’t forget the iTech Solutions web site at https://itechsol.com. |
 |
Archived available anytime – Steve Will and Pete Massiello host a session on what’s new for IBM i 7.3.
April 10 – 12, 2017 – Northeast User Groups Conference
- Stop by our booth and see us
- HMC, IBM i, FSP, and Firmware
- Cool Things in Navigator for IBM i to be a Rock Star Administrator
- What you need to know when Upgrading IBM i to 7.3
- Tips and Tricks to improve System performance and Save Disk Space
May 7 – 10, 2017 – COMMON Annual Conference & Expo – Loews Sapphire Falls Resort, at Universal Orlando, FL
- Stop by our booth and see us
- HMC, IBM i, FSP, and Firmware
- Cool Things in Navigator for IBM i to be a Rock Star Administrator
- What you need to know when Upgrading IBM i to 7.3
- Tips and Tricks to improve System performance and Save Disk Space
May 16, 2017 – Long Island Systems User Group – Westbury, NY
- Stop by our booth and see us
May 22 – 26, 2017 – IBM Systems Technical University – Hilton Buena Vista Palace, Orlando, FL
- Step-by-step guide to creating IBM i partitions hosted by IBM i
- Cool Things in Navigator for IBM i to be a Rock Star Administrator
- What you need to know when Upgrading IBM i to 7.3
- Tips and Tricks to improve System performance and Save Disk Space
June 18 – 21, 2017 – COMMON Europe Congress, Brussels Belgium.
- What you need to know when Upgrading IBM i to 7.3
- HMC, IBM i, FSP, and Firmware: Putting the pieces together
Release levels and PTFs
People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, some times PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and if you had applied the PTF beforehand, you would have averted the problem. Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on iTech Solutions Quarterly Maintenance program.
| 7.3 | 7.2 | 7.1 | 6.1 | V5R4 | |
|---|---|---|---|---|---|
| Cumul Pack | 17061 | 17068 | 16320 | 15063 | 12094 |
| Tech. Refresh | 2 | 6 | 11 | ||
| Grp Hipers | 25 | 86 | 190 | 210 | 204 |
| DB Group | 3 | 15 | 41 | 33 | 33 |
| Java Group | 3 | 11 | 26 | 37 | 34 |
| Print Group | 3 | 12 | 31 | 49 | |
| Backup/Recov. | 9 | 31 | 65 | 61 | 57 |
| Blade/IXA/IXS | 1 | 16 | 30 | 15 | |
| HTTP | 6 | 19 | 45 | 46 | 36 |
| TCP/IP | 3 | 10 | 17 | 22 | |
| Security | 12 | 43 | 67 | 60 | 33 |
| High Availability | 3 | 6 | 13 | 5 | |
| Hardware | 9 | 25 | 36 | 17 | |
| Open Source | 3 | 3 | 3 |
The easiest way to check your levels is to issue the command WRKPTFGRP. They should all have a status of installed, and you should be up to the latest for all the above, based upon your release. Now there are more groups than the ones listed above, but these are the general ones that most people require. We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit. The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released. Therefore, if we look at the cumulative package for V7R1, the ID is 16120. We can determine that it was created on the 120th day of 2016, which is April 29th, 2016. Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.
HMCs
If you have a Hardware Management Console (HMC,) you should be running:
| Model | Release | Service Pack |
|---|---|---|
| HMC | V8R8.6 |
|
| HMC | V8R8.5 |
|
| HMC | V8R8.4 |
|
| HMC | V8R8.3 |
|
| HMC | V8R8.2 |
|
| HMC (CR4 last release) | V7R7.9 |
|
| HMC | V7R7.8 |
|
| or | V7R7.7 |
|
| HMC C03 | V7R3.5 |
|
If we have a model listed above in the HMC column that is the highest level of firmware that model of the HMC can be upgraded to.
- Note that release 8.8.x does not support any POWER5 servers.
- Version 7.7.9 is not supported and cannot be installed on HMC models C03, C04 or CR2.
- If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later desk side HMC.
- HMC V8R8.1 is supported on rack-mount models CR5, CR6, CR7 and CR8; and on desktop model C08. These listed models meet or exceed the V8R8.1 minimum memory requirement of 2GB however 4GB is recommended.
- If you want to manage a POWER8 machine, you need to be on at least HMC 8.8.1
Some notes on the new HMC release V8R8.6 that just came out:
- Will be the last release to support POWER6.
- Will be the last release to allow ‘classic’ UI login.
- Will be the last release that supports the model CR5, CR6 and C08.
- The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.
If you have an Flexible Service Processor (FSP) your firmware should be:
| Machine Processor | Model | Version | Notes |
|---|---|---|---|
| Power5 or 5+ | 520, 515, 525, 550, 570 | SF240_418_382 | last |
| Power6 | 940x, M15, M25, M50 | EL350_176_038 | last |
| 8203-E4A, 8204-E8A, 8204-E4A | EL350_176_038 | last | |
| MMA, 560, 570 | EM350_176_038 | last | |
| 9119-FHA | EH350_176_038 | last | |
| Power7 | 8231-E1B, 8202-E4B, 8231-E2B, 8205-E6B, 8233-E8B, 8236-E8C | AL730_152_035 | |
| 9117-MMB, 9179-MHB | AM780_080_040 | ||
| 8231-E1C, 8202-E4C, 8205-E6C | AL740_161_042 | ||
| 9117-MMC, 9179-MHC | AM770-112_032 | ||
| Power7+ | 8231-E1D, 8202-E4D, 8231-E2D, 8205-E6D | AL770_112_032 | |
| 8408-E8D, 9109-RMD | AM770_112_032 | ||
| 9117-MMD, 9179-MHD | AM780_080_040 | ||
| Power8 | 8408-E8E, 8284-22A, 8286-41A, or 8286-42A |
|
|
| 9119-MHE or 9119-MME | SC860_070_056 |
If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.
