Upgrade to IBM i 7.4 for Simplified Security and Streamlined Development

IBM first introduced authority collection in the 7.3 release with the ability to collect authority information for a user profile. In 7.3, you ran authority collection on a user profile and reviewed what objects the user accessed and with what level of authority. The report also told you what the minimum level of authority is required so you could easily determine the security implementation changes you should make for that user.

In 7.4, authority collection has been enhanced to collect the detailed information for objects. Authority collection on objects collects information on all authority checks on those objects, regardless of the user profile.

Once you have collected the authority information, you must review and analyze the data to determine what security implementation changes you should make. With 7.4, additional IBM i services provide authority collection views to review the collected information. IBM i Access Client Solutions provides several examples to get started. Navigator for i also provides a user interface into authority collection by user and by object, allowing you to start and stop authority collection users and objects, as well as an interface to display the results.

Service Tools User IDs and Passwords

Service tools user IDs are required to access System Service Tools (SST), Dedicated Service Tools (DST) and the disk management tasks within Navigator for i. These interfaces allow you to perform functions that can have a major impact on your system, such as managing disk units, managing system security and access to tools such as Display/Alter/Dump. It’s critical to carefully control access to these service tools. Prior to 7.4, service tools user ID password composition rules were very basic; there was a minimum length requirement and expiration interval.

With 7.4, you can now implement password composition rules consistent to those of IBM i user profiles. The password rules available are the same as the ones you can specify with the QPWDRULES system value. You can change the password rules within SST or DST using service tools security options.

IBM also provided command interfaces to set (CHGSSTSECA) or display (DSPSSTSECA) service tools security attributes, which includes the SST password rules. This alleviates the need to use the SST or DST menu-driven interfaces to review the settings or make changes. When using the CHGSSTSECA command, you must specify your service tools user ID and password and have the service tools “Service Tools Security” functional privilege. DSPSSTSECA has outfile support, so you also have a programmatic interface to these settings.

In addition to adding service tools password rules, you can now create, change, and display service tools user IDs through command interfaces. The Create SST User, Change SST User and Delete SST User commands are new with 7.4; the Display SST User command has been around since the 6.1 release. With the create and change SST user commands you can change the password, enable or disable the ID, link it to an IBM i user profile, and specify the services tools privileges for that service tools user ID. Again, you must have a service tools user ID to use these commands as well as the “Service Tools Security” privilege but having the command interface will make it easier to manage your service tools user IDs.

TLS 1.3

Network security is also extremely important, and IBM has been implementing industry standards for secure communications. As the standards evolve, so does the support available within the OS. Each generation of network security standards increase security, so it is critical to keep current on these standards.

With IBM i 7.4, support has been added Transport Layer Security (TLS) version 1.3 and this level is now the default. IBM also added a new API to retrieve TLS attributes, so you now have a programmatic interface to access the system-wide TLS properties.

The memo to users also documents important changes for SSL and TLS. In particular, the default cipher specification lists have changed. You’ll no longer find SSLv2, and TLS1.1 and 1.0 are disabled by default. The System TLS Enhancements section in the Knowledge Center has complete details on the changes in 7.4.

Other Gems in IBM i 7.4

While the security enhancements were a key part of the 7.4 release, there were other small enhancements. Too numerous to cover them all in this article, below are some of my favorites. 

PASE

Due to the increasing use of open source on IBM i, more applications run in PASE. Most open-source packages are AIX* binaries ported to PASE. The good news for these applications is that in 7.4, PASE for i is derived from AIX 7.2, Technology Level 2. As of August 2019, AIX 7.2 TL2 is the second-most current version of AIX.

Varying-Dimension Arrays for RPG

Varying-dimension arrays, as the name implies, are arrays that can vary in the number of elements within them. You specify that the array dimension is a variable and provide a maximum number of elements in the array. The number of elements is initially zero, and the array size is automatically increased as you add elements to the array. 

Limiting Temporary Storage and CPU Used by Queries

The Maximum Temporary Storage (MAXTMPSTG) and Maximum CPU Time (MAXCPU) parameters in the class object are used to limit the temporary storage and CPU time used by a job. It’s a good practice to put limits in place as it protects your system from potentially bad things happening. In particular, a limit of the maximum temporary storage could protect your system from a crash if you were to get into an unexpected situation where some misbehaving job started to use a lot of temporary storage. 

In 7.4, you can now limit the temporary storage and CPU time used when running queries. This support was initially made available in 7.2 and 7.3 with PTFs, but that initial support had controls on it that have now been removed with 7.4. 

When running queries, newly allocated temporary storage used for the query is accounted for under MAXTMPSTG limit of the job running the query. Once the query completes, the optimizer’s temporary storage is decremented from the MAXTMPSTG limit for that job. 

Prior to 7.4, this accounting did not occur unless the amount of free space in *SYSBAS was below the value set in the QSTGLOWLMT system value. In 7.4, this restriction is gone and the maximum temporary storage accounting for queries is always done.

Workload Groups

Workload groups were added to the 7.1 release but are still relatively unknown . Using workload groups, you can restrict the number of processors that a workload can use. 

In 7.1, a workload group was associated with a subsystem description, so the workload group limited the number of processor cores that could be used concurrently for all jobs and threads in that subsystem. For example, if the workload group is set to a limit of two processors, the jobs and threads running in a subsystem limited by a workload group would be limited to running on two processors, even if the partition has more processors available to it. You also needed to create a data area to associate the workload group with a subsystem. Individual jobs can also be controlled by a workload group by using the CHGJOB command to specify the workload group name.

In 7.3, the Create and Change Subsystem Descriptions commands (CRTSBSD and CHGSBSD) were enhanced to eliminate the need for the data area to specify the workload group to be used by a subsystem.

Now in 7.4, the Create and Change Job Description commands (CRTJOBD and CHGJOBD) have been enhanced with a workload group (WLCGRP) parameter. This parameter can be *NONE where no workload group is used, *SBSD to use the workload group defined in the subsystem description, or it can specify the name of a workload group.

This support allows you to have a set of jobs that use a particular job description to be limited by the workload group specified in the job description, which gives you much more flexibility in defining what jobs are limited by a workload group.

API to Retrieve Active Prestart Job Status

It’s important to appropriately tune your prestart jobs. The DSPACTPJ command provides useful information to aid in setting the best values for the initial number of jobs, threshold, and additional number of jobs. In 7.4, there’s an API, Retrieve Active Prestart Job Status, to retrieve this information.

Improved SMT Reporting

IBM i has supported Simultaneous Multithreading (SMT) for many years. The system default, controlled by the QPRCMLTTSK system value, is to use the maximum supported by the combination of release and hardware. 

The Change Processor Multitasking Information API allowed you to specify how many hardware threads you want, so you could decide to run in SMT2, SMT4, or SMT8 mode. The Retrieve Processor Multitasking Information API allowed you to retrieve this configured setting. 

In 7.4, the Retrieve Processor Multitasking Information API is able to also return the current and maximum number of secondary hardware threads per processor. This additional information allows you to review the actual value used by the system or the maximum value supported by the hardware. These new fields are collected by Collection Services in the QAPMCONF file .

Memo To Users­—Removal of SNA Adapters and Old Protocols

Everyone should know to read the Memo to Users (MTU) prior to upgrading to the new release. Hidden away in the MTU is information about removal of support for SNA adapters and related protocols that you can no longer use. 

Essentially, IBM did some housecleaning and removed commands and parameters for SNA communications support that lacked support for some time. You can still use software solutions such as Enterprise Extender. IBM has already updated the 7.4 MTU twice since the announcement in April, so be sure to review the latest version.

Upgrade and Reap the Benefits

Numerous resources exist to help you upgrade to IBM i 7.4. You’ll find a few of them outlined in “More IBM i 7.4 Resources,” below. 

IBM delivered significant function in the 7.4 release. Db2 Mirror will undoubtably be important for a select set of IBM i shops, but the enhancements reviewed in this article should be a compelling enough reason to put a plan in place to upgrade to 7.4.