Although the log4j media storm of December 2021 has settled and has become part of what we call the past, IBM did publish a document titled Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x). When looking at this document you will find a section called “Workarounds and Mitigations”, in which you can read the following:
IBM Navigator for i – heritage version uses log4j v1.x and cannot be updated to log4j v2.x or be removed from use. Customers can mitigate the CVE by discontinuing the use of the heritage version of IBM Navigator for i.
The advice is to stop using the heritage Navigator for i (as it is now called) and to start using the new Navigator for i. IBM is working very hard to make the new Navigator for i a full replacement for the heritage version, but the general message is: if you want to mitigate the log4j vulnerability in the heritage Navigator for i, stop using it. Note that this does not remove the log4j 1.x jar from the system; it makes sure the component that loads it is no longer running. In order to prevent the heritage Navigator for i from being started when you IPL the system, you need to modify a configuration file. All the instructions on how to do this are documented by IBM.
As IT used to be called “automation”, I always prefer to automate things. Once something is tested properly, I can use the automation everywhere without having to repeat manual steps over and over again. As the Db2 for i Services are now part of every system administrator’s toolbox, the following SQL script does what needs to be done in order to retire the heritage Navigator for i.
Of course the same can be done in 5250 emulation, but you will understand the value of this script if you have to give several LPARs the same treatment.
So let us get started:
This will stop the heritage Navigator for i.
This will prevent the heritage Navigator for i from being started in the future.
If you want to learn more about this Db2 for i Service please have a look at the link below: QSYS2.IFS_WRITE, QSYS2.IFS_WRITE_BINARY, and QSYS2.IFS_WRITE_UTF8
In order to get comfortable with using Db2 for i Services, it does no harm to check that what you think was done actually was done.
Stopping and starting the ADMIN2 job of the heritage Navigator for i can take some time, so again a quick check to see whether the job has stopped, using the Db2 for i Service QSYS2.ACTIVE_JOB_INFO().
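The stop, the configuration change and both checks as one Db2 for i SQL script. This is an added example, not the script from the original post: the path of i5OSStartup.properties is an assumption taken from the ADMIN2 instance directory and must be checked against IBM’s instructions for your release, and QSYS2.IFS_WRITE with OVERWRITE => 'REPLACE' rewrites the whole file, so take a backup of it first.

```sql
-- Added example, not the original post's script.
-- ASSUMPTION: the location of i5OSStartup.properties below is the ADMIN2
-- instance directory as documented by IBM; verify it on your system first.
-- ASSUMPTION: OVERWRITE => 'REPLACE' replaces the complete file contents,
-- so any other settings in the file are lost; back the file up before running.

-- 1. Stop the heritage Navigator for i (the ADMIN2 instance of the *IAS server).
CALL QSYS2.QCMDEXC('ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN2)');

-- 2. Ending the ADMIN2 job can take a while; wait before checking.
CALL QSYS2.QCMDEXC('DLYJOB DLY(60)');

-- 3. Check: the ADMIN2 job runs in subsystem QHTTPSVR. No rows means it has ended.
SELECT JOB_NAME, JOB_STATUS, SUBSYSTEM
  FROM TABLE(QSYS2.ACTIVE_JOB_INFO(
               SUBSYSTEM_LIST_FILTER => 'QHTTPSVR',
               JOB_NAME_FILTER       => 'ADMIN2'));

-- 4. Prevent ADMIN2 from being started again, at IPL or with STRTCPSVR.
CALL QSYS2.IFS_WRITE(
       PATH_NAME   => '/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/i5OSStartup.properties',
       LINE        => 'engine.server.disabled=true',
       OVERWRITE   => 'REPLACE',
       END_OF_LINE => 'LF');

-- 5. Check: read the file back and confirm the setting is in place.
SELECT LINE_NUMBER, LINE
  FROM TABLE(QSYS2.IFS_READ(
               PATH_NAME => '/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/i5OSStartup.properties'))
 WHERE LINE LIKE 'engine.server.disabled%';
```

Run it from ACS Run SQL Scripts or RUNSQLSTM. If step 3 still returns the ADMIN2 job, increase the delay or run the check again before writing the properties file; step 5 should return exactly one line reading engine.server.disabled=true.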
Note: if the ADMIN2 server is restarted, this ‘userdata’ directory is recreated automatically.
The setting “engine.server.disabled=true” will prevent the heritage Navigator for i from starting.
If you need functionality of the heritage version that is not yet available in the new Navigator for i, you can change the “true” into “false”. That way you can start it again with the command “STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN2)”.
A better solution is to add some extra lines to the SQL script. As always, it is good practice to start with a backup:
If you have BRMS available on your system and you are including the IFS in your backup, you could also use BRMS to restore the “i5OSStartup.properties” file.
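The extra lines for the save file variant, as an added example that is not part of the original post: the properties file path and the save file name QGPL/ADMIN2BKP are assumptions, and the restore at the end is what brings the heritage Navigator for i back if you need it.

```sql
-- Added example, not the original post's script.
-- ASSUMPTION: the path of i5OSStartup.properties and the save file
-- QGPL/ADMIN2BKP are placeholders; adjust them to your system.

-- 1. Create a save file for the backup. Run this once: CRTSAVF fails if the
--    save file already exists, and SAV with CLEAR(*ALL) overwrites it later anyway.
CALL QSYS2.QCMDEXC(
  'CRTSAVF FILE(QGPL/ADMIN2BKP) TEXT(''Heritage Navigator for i config backup'')');

-- 2. Save the properties file into it. Single quotes inside the CL command
--    are doubled because the whole command is an SQL string literal.
CALL QSYS2.QCMDEXC(
  'SAV DEV(''/QSYS.LIB/QGPL.LIB/ADMIN2BKP.FILE'') ' CONCAT
  'OBJ((''/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/i5OSStartup.properties'')) ' CONCAT
  'CLEAR(*ALL)');

-- 3. Check: the save file should have grown beyond the size of an empty one.
SELECT OBJNAME, OBJSIZE, OBJTEXT
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QGPL', '*FILE', 'ADMIN2BKP'));

-- From here on the script continues with stopping ADMIN2 and writing
-- engine.server.disabled=true to the properties file.

-- 4. Bringing the heritage Navigator for i back: restore the saved file over
--    the modified one and start the ADMIN2 instance again.
CALL QSYS2.QCMDEXC(
  'RST DEV(''/QSYS.LIB/QGPL.LIB/ADMIN2BKP.FILE'') ' CONCAT
  'OBJ((''/QIBM/UserData/OS/ADMININST/admin2/wlp/usr/servers/admin2/i5OSStartup.properties'')) ' CONCAT
  'ALWOBJDIF(*ALL)');
CALL QSYS2.QCMDEXC('STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN2)');
```

Keep step 4 out of the retirement script itself; it is the documented way back and only belongs in a script you run deliberately when the heritage version is needed again.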
In that case 5250 emulation is the most convenient way. Start with running the command:
Option 9 will bring you to the next screen which will look similar to the one below:
Again option 9 to take you to the place from which you can initiate the restore:
Whether you use BRMS or the extra save file is up to you; they are only needed if you do not want to change the file back by hand. The heritage Navigator for i is not as good as the new Navigator for i, which performs a whole lot better, so letting the heritage version retire does no harm, and in case you still need it, it is nice to know that you can bring it back to life.