Steve Bradshaw explains some of the cool enhancements to speed, security and temporary storage management in the latest update to the IBM i operating system.
IBM i v7.2 has arrived and the press is full of news on how its new functionality relates to IBM’s major targets – mobile, cloud and availability. But less has been said about the many less topical, yet rather significant, improvements that have been ushered in by the new release.
There can be no doubt that IBM has been busy and there are plenty of new functions to talk about (some of which IBM plans to PTF back to v7.1) but rather than overload you with a long, dry list, I plan to cherry pick my favourites and discuss them in a series of short articles entitled What Can i Do With 7.2?.
I will start by looking at how this new functionality can benefit some of the more typical IBM i customers – those running on existing Power 6 or 7 servers with a typical mix of RPG, Query/400 and a little integration with their Wintel/Lintel estates.
Performance gains with zero change
The most surprising thing about the announcement (to me, anyway) was that the SQL Query Engine (SQE) in IBM i now supports Query/400 and Open Query File (OpnQryF).
This is something IBM told me – on more than one occasion – would never happen, so I don’t know whether we have IBM to thank for listening to our continued moans or this was just a happy side-effect of another enhancement. Either way, this single change could bring significant performance improvements to your existing workloads without you modifying a single line of code.
SQE, CQE; so what? Well, in a word: speed. If the operating system can process a request via SQE rather than the Classic Query Engine (CQE), it can be processed faster. In many cases, orders of magnitude faster.
In short, just upgrading your existing environment to v7.2 could massively improve the performance of your line-of-business applications without making a single change.
Monitoring temporary storage usage
Another enhancement that caught my eye was that IBM has made it much easier to monitor temporary storage use on a system. This has always been a bit of a dark art, often needing specialist (and usually costly) tools to uncover which jobs were consuming this precious resource.
Now, in v7.2, this information is easy to get at. You could use a simple piece of SQL to report on the usage by job. Or, if you fancy something a little prettier, then try the much enhanced IBM Navigator for i interface. This will list the temporary storage used alongside the job.
Either of these methods can quickly and easily allow you to identify any performance-sapping, memory-hogging tasks that are running on your system.
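As an added illustration (not taken from IBM's announcement or from the original article), the sort of SQL report described above can be written against the QSYS2.SYSTMPSTG view, which exposes one row per temporary storage bucket with sizes in bytes. The ten-row limit is an arbitrary choice.

```sql
-- Added example: top temporary-storage consumers among active jobs.
-- Sizes are reported in bytes; the qualified job name is built in the
-- usual number/user/name form so it can be passed to WRKJOB.
SELECT RTRIM(JOB_NUMBER) CONCAT '/' CONCAT
       RTRIM(JOB_USER_NAME) CONCAT '/' CONCAT
       RTRIM(JOB_NAME)            AS QUALIFIED_JOB,
       BUCKET_CURRENT_SIZE,
       BUCKET_PEAK_SIZE
  FROM QSYS2.SYSTMPSTG
 WHERE JOB_STATUS = '*ACTIVE'
 ORDER BY BUCKET_CURRENT_SIZE DESC
 FETCH FIRST 10 ROWS ONLY;

-- Jobs that have already ended but whose temporary storage has not been
-- released. These rows point at storage that will not come back until
-- the next IPL, so they are worth tracking over time.
SELECT RTRIM(JOB_NUMBER) CONCAT '/' CONCAT
       RTRIM(JOB_USER_NAME) CONCAT '/' CONCAT
       RTRIM(JOB_NAME)            AS QUALIFIED_JOB,
       JOB_ENDED_TIME,
       BUCKET_CURRENT_SIZE
  FROM QSYS2.SYSTMPSTG
 WHERE JOB_STATUS = '*ENDED'
 ORDER BY BUCKET_CURRENT_SIZE DESC;
```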
IBM is heralding a new DB2 for i function called RCAC or Row & Column Access Control (SS1 Opt 47 – IBM Advanced Data Security for i). This no-charge function finally allows us to resolve one of the oldest security conundrums in IBM i.
Until now, if a user had the ability to grant a specific authority to another user, they, by definition, would have to have at least this level of authority themselves. So, if a user was able to grant read access to a salary file, then that user would, of course, be able to read that file themselves.
Now, with RCAC, this issue is resolved and we can let sys admins have all the authority they need to keep our systems secure without any of the temptation or risk to themselves.
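The salary-file case above, sketched with RCAC as an added example that is not from the original article. The HR.SALARY table, its columns and the PAYROLL group profile are constructed for illustration; the statements assume they are run by a profile that has been given usage of the QIBM_DB_SECADM function, which is what RCAC requires to create permissions and masks.

```sql
-- Constructed sample table: one row per employee, keyed by user profile.
CREATE TABLE HR.SALARY (
    EMP_USER      VARCHAR(10)   NOT NULL PRIMARY KEY,
    EMP_NAME      VARCHAR(50)   NOT NULL,
    ANNUAL_SALARY DECIMAL(11,2) NOT NULL,
    BANK_ACCOUNT  CHAR(8)       NOT NULL
);

-- Row permission: members of PAYROLL see every row, everyone else sees
-- only their own. This applies to all access, whatever object authority
-- or special authority the requesting profile holds.
CREATE PERMISSION HR.SALARY_ROWS ON HR.SALARY
    FOR ROWS WHERE VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
                OR EMP_USER = SESSION_USER
    ENFORCED FOR ALL ACCESS
    ENABLE;

-- Column mask: only PAYROLL sees the full bank account number; other
-- users get the last four characters of their own row.
CREATE MASK HR.SALARY_BANK_MASK ON HR.SALARY
    FOR COLUMN BANK_ACCOUNT RETURN
        CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
             THEN BANK_ACCOUNT
             ELSE 'XXXX' CONCAT SUBSTR(BANK_ACCOUNT, 5, 4)
        END
    ENABLE;

-- Nothing is enforced until control is activated on the table. Once row
-- access control is active, a user matched by no permission gets no rows.
ALTER TABLE HR.SALARY
    ACTIVATE ROW ACCESS CONTROL
    ACTIVATE COLUMN ACCESS CONTROL;

-- Review step: list the permissions and masks defined on the table and
-- confirm each one is enabled.
SELECT NAME, CONTROL_TYPE, ENABLE
  FROM QSYS2.SYSCONTROLS
 WHERE TABLE_SCHEMA = 'HR'
   AND TABLE_NAME   = 'SALARY';
```

An administrator who is not in PAYROLL can still grant and revoke authority to HR.SALARY, but a SELECT from that profile returns only its own row, if it has one.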
One of the other enhancements that could really help the security-conscious, or those of us who are slaves to PCI-DSS compliance, is that we can now use enhanced Kerberos authentication in both FTP and TELNET. This can really simplify the interconnection between systems, particularly in an environment with multiple operating systems.
Let’s take a common example. You have a routine that runs under IBM i. It creates a file and needs to pass it to a Windows server running on your network. Using Kerberos, you can authenticate with the target server without the need to store, manage or pass any user names or passwords.
Why bother with Kerberos? Well, it is a widely adopted, mature multi-platform standard that just about all platforms support. What is more, once you have it, you can deploy a single sign-on policy for most, if not all, of your applications, regardless of the operating system they run on.
To summarise, this means that you no longer have to:
* map identities between systems
* manage password expiry between systems
* encrypt the target authentication credentials stored in your source IBM i application
* justify to auditors why, where and how these credentials are stored in your application (my personal favourite).
If there is any particular function you have heard of that you would like explained in a future article, just drop me a line at Steve.Bradshaw@RowtonIT.com. Or if you would like to do it face to face, please feel free to join me at NiSUG’s International Power conference at Beaumont House, Windsor, England, on June 18 and 19. More details at the NiSUG website: https://www.nisug.org.