Informing the IBM Community

A screen a story – A Better way to Retire the Heritage Navigator for i


Let me cut right to the chase: whether or not you have read last month's article, “A screen a story – Retire the Heritage Navigator for i”, forget about it. If, however, you do not have the option to apply PTFs in the short term and you are concerned about this vulnerability, then my instructions from last time are your only option.

In that article you will find the link to Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x), which IBM has updated since the latest HTTP Server group PTF was made available. Having to change the configuration by editing an IFS file was, as I see it, a quick bandage for the log4j issue. A side effect of this solution was that it made starting the Heritage Navigator for i impossible.

With this new HTTP group PTF for IBM i 7.3 and 7.4, stopping and starting is controlled through the IBM Web Administration for i. Below is a screenshot of how this can be done:

After installing this group PTF, level 19 for 7.4 and level 38 for 7.3, the Heritage Navigator for i is no longer started when running the command STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN). It is also no longer started when doing an IPL.

IBM is working very hard to add all the functionality available in the Heritage Navigator for i to the new Navigator for i. But as the old saying goes, Rome was not built in a day, and this is also true for the new Navigator for i.

I think it is fair to say that log4j surprised the world, including the IBM i team. The end result is that the new Navigator for i does not yet have it all, so in some cases (or is “for some reasons” the better wording here?) you may decide that you need to start the Heritage Navigator for i. When you do, you can use the new Navigator for i, as you can see below:

Please be aware that, when starting the Navigator for i from ACS, the option shown below will no longer bring you to the Heritage Navigator for i, but to the new Navigator for i. That is also part of the changes the HTTP group PTF brings to your system running IBM i 7.3 and 7.4.

To help you with the change this new HTTP group PTF brings to your system, namely that the Heritage Navigator for i is no longer started, IBM created a specific document:

Heritage Navigator Enable and Disable Instructions

Below is also a link that explains which changes this new HTTP group PTF brings for the new Navigator for i:

IBM Navigator for i – PTF Update Details

So the next time you need to start the Heritage Navigator for i, change the setting “Disable server” from “True” to “False”. After that you can start and stop the Heritage Navigator for i from the Web Administration for i GUI or use the command: ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN2). Once finished, stop the Heritage Navigator for i, and please do not forget to disable it and delete the following directory:

/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/workarea

If the fact that the Heritage Navigator for i is up and running bothers you, you might have a look at a new function in the new Navigator for i: Function Usage. Below is an image of where to find this:

When selecting that option, you can filter with the value “OPNAV” to change the Function Usage for all the areas available in the Heritage Navigator for i. As the new Navigator for i has all-new Function IDs to control access, changing the “OPNAV” Function IDs does not have an impact on the new Navigator for i.

Below is an image showing which settings you need to change:

Removing the default authority and maybe also the *ALLOBJ special authority might be a good idea. When doing so, please do not forget to add a user in the section “Access Allowed” for the Function IDs you still want to be able to use. As you are using the new Navigator for i to control access to the Heritage Navigator for i, you need not worry about locking yourself out.
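To check the result of those Function Usage changes from an SQL session, the following query is an added example (not part of the original article or IBM's documentation). It assumes the IBM i services QSYS2.FUNCTION_INFO and QSYS2.FUNCTION_USAGE are available on your release and reuses the “OPNAV” filter value from the text as a LIKE pattern.

```sql
-- Added example: audit the Heritage Navigator ("OPNAV") Function IDs.
-- Assumption: the '%OPNAV%' pattern mirrors the "OPNAV" filter used in the GUI.
-- One row per function and explicit user entry; a function without
-- explicit entries appears once with NULL user columns.
SELECT fi.function_id,
       fi.function_name,
       fi.default_usage,      -- default authority for users with no entry
       fi.allobj_indicator,   -- whether *ALLOBJ alone grants access
       fu.user_name,          -- explicit "Access Allowed" / denied entry
       fu.user_type,
       fu.usage,
       CASE
         WHEN fi.default_usage = 'ALLOWED'
           THEN 'REVIEW: default authority still allows everyone'
         WHEN fi.allobj_indicator = 'USED'
           THEN 'REVIEW: *ALLOBJ users are still allowed'
         WHEN fu.user_name IS NULL
           THEN 'NOTE: no explicit user entries for this function'
         ELSE 'OK: access limited to explicit entries'
       END AS finding
  FROM qsys2.function_info fi
  LEFT JOIN qsys2.function_usage fu
         ON fu.function_id = fi.function_id
 WHERE fi.function_id LIKE '%OPNAV%'
 ORDER BY finding DESC, fi.function_id, fu.user_name;
```

Rows marked REVIEW are the Function IDs where the default authority or *ALLOBJ setting has not yet been removed.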

As the goal is to minimize the use of the Heritage Navigator for i, we can start migrating the System Monitors and the Message Monitors from the Heritage Navigator for i.

After reading the documentation about what is also changed with this HTTP group PTF for the new Navigator for i, you know it now also includes the Message Monitors.

So, if you have a look below, you will see that migrating your message monitors from the Heritage Navigator for i to the new Navigator for i is only a few mouse clicks away:

The option “Migrate Heritage Monitors” is available when pressing the Actions button for both the System Monitors and the Message Monitors. After migrating them, the only thing left to do is to start them. With this action, not having to use the Heritage Navigator for i comes one step closer, and whenever you do use the Heritage Navigator for i, you will realize that the new Navigator for i is so much better. So yes, it is really time to retire the Heritage Navigator for i.
