On the third of May IBM i 7.5 was announced; if you follow the IBM i news, this announcement was hard to miss. Normally it takes a while before every IBM i LPAR is running a new version, but this time things are a little different.
First of all, IBM i 7.5 will be available this week, on Tuesday 10 May, a week after the announcement. For IBM i 7.4 the announcement was on 23 April 2019 and availability on 21 June 2019.
Secondly, in this new release security has a big section in announcement letter 222-078. As security is one of the biggest worries of IT managers today, my guess is that, due to this focus on security, the adoption rate of this new release might be higher than what we saw for any previous release.
We all remember the log4j vulnerability, and I think it is a safe guess that if I asked you to name a company that had become a victim of ransomware, we could all come up with a name. IBM i 7.5 is for sure the most secure release.
So you should ask yourself: can you afford the risk of not running the safest release of IBM i? This article highlights just one of the many new security improvements in IBM i 7.5.
Set Subsystem Routing
When going through the announcement letter, I noticed the following sentence:
“SET_SERVER_SBS_ROUTING: Enhanced to support the secure versions of the Database server (QZDASSINIT) and File server (QPWFSERVSS).”
A day after the IBM i 7.5 announcement, I received a mail from IBM telling me that the IBM Power Idea “Add System TLS (GSKit) support for SERVER_SBS_ROUTING” was delivered in IBM i 7.5.
The original idea to ask for this functionality in IBM i came from a company running one of the big ERP solutions on IBM i. Using subsystem routing in combination with TLS support has big benefits; please allow me to explain what this is all about. A word of warning: it will be technical, but I will do my best to make it easy to digest.
In the modern IBM i world it is not uncommon for the IBM i database to play a big role in the web of databases that make up your company’s data. When looking at how the IBM i database is accessed, we see that ODBC/JDBC jobs are one of the most common methods.
By default these jobs run in the subsystem QUSRWRK, meaning that as soon as an IPL is finished and QUSRWRK is started, the database can be accessed. This is generally convenient, but when doing a release upgrade or installing a cumulative PTF package and Technology Refresh, that is something you do not want.
IBM addressed this issue with the Db2 for i service SET_SERVER_SBS_ROUTING, which was originally made available with IBM i 6.1, and the IBM i Access Client Solutions (ACS) Run SQL Scripts contains an example to get you started with this:
Later IBM enhanced this IBM i service and added the option “allow-rollover” for IBM i 7.3 (PTF’d back to IBM i 7.2 via Database Group PTF level 11). The default for that was “YES”, but with “NO” specified, the documentation explains the following: “If the alternate subsystem cannot be used, the connection request will fail.” This may sound bad, but actually it is a good thing for both security and system administration.
Below is an example of how this can be used:
So, when a user initiates an ODBC/JDBC task, the task is started in QUSRWRK, but when an entry exists for the user to route their task to another subsystem, the task will start running in that subsystem. With “allow-rollover” set to “NO”, that subsystem needs to be active, otherwise the connection request will fail.
With this in place, after an IPL of the system users will not get access to the database if that subsystem is not started.
A big limitation of the Db2 for i service SET_SERVER_SBS_ROUTING is removed with the release of IBM i 7.5. Subsystem routing now also allows you to run tasks that use encryption for accessing the File server and Database server.
In today’s world we see a growing adoption of encryption in the IBM i world, and for some users it is compulsory: not using encryption is no longer allowed.
As security grows in importance, keeping control of who can access your system is becoming more and more important. With that in mind we have added an extra layer to getting access to the system.
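As an added example (not the ACS sample and not the author’s own script), the SQL below routes both the plain and the TLS versions of the database server and file server for one user to a dedicated subsystem with “allow-rollover” set to “NO”, then checks the configuration and where the server jobs actually run. The procedure QSYS2.SET_SERVER_SBS_ROUTING, the view QSYS2.SERVER_SBS_CONFIGURATION, the table function QSYS2.ACTIVE_JOB_INFO and the server job names are real Db2 for i objects; the user APPUSER and the subsystem DBWRK are assumed names, and routing the TLS servers QZDASSINIT and QPWFSERVSS requires IBM i 7.5.

```sql
-- Added example, not code from the original article. APPUSER and DBWRK are
-- assumed names; replace them with your own user profile and subsystem.
-- With ALLOW_ROLLOVER => 'NO' the connection fails when DBWRK is not active,
-- which is exactly what you want during an upgrade or PTF install.

-- Plain (non-TLS) database server used by ODBC/JDBC
CALL QSYS2.SET_SERVER_SBS_ROUTING(
       AUTHORIZATION_NAME => 'APPUSER',
       SERVER_NAME        => 'QZDASOINIT',
       SUBSYSTEM_NAME     => 'DBWRK',
       ALLOW_ROLLOVER     => 'NO');

-- TLS database server: routable since IBM i 7.5
CALL QSYS2.SET_SERVER_SBS_ROUTING(
       AUTHORIZATION_NAME => 'APPUSER',
       SERVER_NAME        => 'QZDASSINIT',
       SUBSYSTEM_NAME     => 'DBWRK',
       ALLOW_ROLLOVER     => 'NO');

-- Plain file server
CALL QSYS2.SET_SERVER_SBS_ROUTING(
       AUTHORIZATION_NAME => 'APPUSER',
       SERVER_NAME        => 'QPWFSERVSO',
       SUBSYSTEM_NAME     => 'DBWRK',
       ALLOW_ROLLOVER     => 'NO');

-- TLS file server: routable since IBM i 7.5
CALL QSYS2.SET_SERVER_SBS_ROUTING(
       AUTHORIZATION_NAME => 'APPUSER',
       SERVER_NAME        => 'QPWFSERVSS',
       SUBSYSTEM_NAME     => 'DBWRK',
       ALLOW_ROLLOVER     => 'NO');

-- Review the routing entries that now exist for this user
SELECT AUTHORIZATION_NAME, SERVER_NAME, SUBSYSTEM_NAME, ALLOW_ROLLOVER
  FROM QSYS2.SERVER_SBS_CONFIGURATION
 WHERE AUTHORIZATION_NAME = 'APPUSER';

-- Verify where the user's server jobs actually run: once DBWRK is active and
-- the user reconnects, none of these jobs should be left in QUSRWRK.
SELECT JOB_NAME, SUBSYSTEM, AUTHORIZATION_NAME, JOB_TYPE
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(
         SUBSYSTEM_LIST_FILTER    => 'QUSRWRK DBWRK',
         CURRENT_USER_LIST_FILTER => 'APPUSER'))
 WHERE JOB_NAME LIKE '%QZDAS%'
    OR JOB_NAME LIKE '%QPWFSERV%';
```

Run the CALL statements once per user (or per group profile) and server, and keep the last SELECT handy for after an IPL: if DBWRK is not started, the user's connections fail instead of silently landing in QUSRWRK, and the query shows nothing for that user.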
When setting up an IBM i LPAR I choose to define an IP address for the system and one for the applications. When we IPL the system we have added flexibility to our startup routine; please have a look below and notice the field “ACTIEF” (which is Dutch for ACTIVE):
The command STRJOBJS is an Advanced Job Scheduler command which in this case starts the job SYSTEM_STR. This job allows us to make changes to the startup program without a recompile. Below is an example of how a SYSTEM_STR job might look:
Before you say “I do not have a licence for the Advanced Job Scheduler (5770-JS1)”, please be aware that the IBM i entitlement has changed. The Advanced Job Scheduler has changed from separately charged to “entitled with IBM i”.
Whether that is only when moving to IBM i 7.5 or also when ordering a new box with IBM i is something I do not know yet, but when I do, I will write an article.