During the COVID-19 pandemic we all learned to work remotely when possible. Setting up a VPN connection is no longer something only IT personnel do.
Losing a VPN connection is also something which many of us have experienced.
Working remotely when doing system management tasks outside office hours is something we all learned to appreciate.
Some of those tasks require working in restricted state. With IBM i in restricted state, the only way to communicate with the server is through the console.
I have spoken with people who prefer to go to the office to avoid issues when the VPN connection is lost, but in case that happens, IBM has a solution, with a caveat.
Once you are aware of this, I think you will answer the question in the title with a yes.
When working on the console in restricted state, the last thing you want is to lose the console. For this reason, IBM has an option available in DST.
Based on the documentation I found, enabling console takeover is not something new and has been around since at least Power5. It is also not limited to having a Hardware Management Console (HMC); you can also use it with a LAN console.
With the option “Allow console recovery and console can be taken over by another console” set to the value “1”, meaning yes, losing your VPN connection during an upgrade, or when running an attended Full System Save, is no longer a problem as your task will keep running.
In order to test this you can execute the scenario described below:
1. Run the command “STRSST” in a 5250 emulation session.
2. After entering your credentials, take option 8 “Work with Service Tools Server Security and Devices”.
3. Select option 2 “Select console”.
4. Set “Allow console recovery and console can be taken over by another console” to value “1”.
5. Start a 5250 console session on the system.
6. Select the value which matches your language on the “Welcome to Remote 5250 Console” display.
7. Sign on to the HMC, with HMC credentials. Depending on what you have set up for the console in IBM i Access Client Solutions (ACS), you must select a server and partition, or you are taken directly to a display where you must enter a session key in order to establish the connection to the console.
8. Select option 1 “Connect dedicated” or option 2 “Connect Shared” for the LPAR you want to use with the 5250 console. I always use option 2, just in case someone else needs the console or I forget to sign off. For the session key I always use the value “abc123”.
9. After signing on, run the command “WRKACTJOB”.
10. Now select “Communication” and “Disconnect” from the 5250 menu bar.
11. Check the subsystem QCTL in the 5250 emulation session: after entering “WRKACTJOB” you will notice that your 5250 console task is still active. The Function column shows the value “CMD-WRKACTJOB” for the console.
12. Switch back to your 5250 console and select “Communication” and “Connect” from the menu bar.
13. Repeat steps 6, 7 and 8; after doing so, you will get a display similar to the one shown below:
14. Notice that you now have to enter your DST credentials in order to get the current console session back. If you do not have DST credentials available, remember that as you were running in restricted state, the only option left is to use F18. By doing that, IBM i cuts your session loose, depending on the state your job is in.
15. When pressing F18 you will have to sign on to the system again and you might get the screen shown below:
16. Taking option 1 “Attempt to recover previous interactive job” might result in getting your active session back, but the word “Attempt” does not guarantee that.
Now you may think that the caveat mentioned earlier, in working with the console takeover option, is having the DST account credentials ready. That is, however, not the case.
Maybe you have noticed that the first time you use the 5250 console after selecting the LPAR you do not have to enter DST credentials. This is only needed when coming back to an already active 5250 console session.
The caveat I would like to bring to your attention was introduced by IBM i 7.5. The screen below shows the new Password expiration interval in days:
When entering SST, use option 8 “Work with Service Tools Server Security and Devices” and option 5 “Work with service tools security options” to get here.
This results in something like this when leaving those new security settings unchanged:
As we all have learned, IBM i 7.5 will go down in history as the security release. Well, the above is the living proof of that.
Recently I did an upgrade for a customer from IBM i 7.4 to 7.5. The first time I started the 5250 console I did not need to enter DST credentials; the second time, when reconnecting, I did run into this.
The fact that your password is expired due to the new security settings of DST accounts got me into trouble.
When opening a support case, I learned that this was working as designed. In order to ask IBM to change this, I was told to enter an IBM idea.
To solve the problem of detecting that the password is expired, also gave me the option to change it in the 5250 console starting workflow.
My question to you reading this article is simple: should I enter an IBM idea for this? Please let me know.
This is the true caveat for me: before entering restricted state and using the console, I need to check my DST account’s expiration date. This can be done using option 4 “Display” when using the “Work with Service Tools User IDs” option in DST.
Maybe even better, think of DST as you do with disk protection: have a spare one ready.