It feels a little crazy to have to point this out but your IBM i isn’t a bloody refrigerator! And yet, there are some users who seem to think that you can treat IBM i as they would a fridge, namely they turn it on when it’s shiny and new and just leave it running with no thought given to maintenance or housekeeping.
In extreme cases I’ve seen customers who power up their server at go live and don’t power it down until it is decommissioned many (and I mean many) years later, with not even a restart IPL, let alone PTFs.
Yes, I know IBM i is awesome, IBM i is very good at looking after itself and IBM i is arguably the most robust operating system ever created... BUT, what this latest round of “pants on fire” Log4j vulnerabilities has highlighted is that nothing is invincible, not even IBM i, and that, like the toughest of diamonds, it would benefit from a little polish from time to time.
Even though our IBM i core Operating System is not vulnerable to Log4j-based vulnerabilities, IBM i runs Java and so can be abused by this pesky problematic program. In other words, IBM i users shouldn’t get complacent.
If it ain’t broke don’t fix it
If there is one saying that drives me nuts, it is “If it ain’t broke don’t fix it”. I understand that we are all busy and if you take the time to patch your server, it can feel like a thankless task, as often the best result is that no one notices the difference.
What you have to remember is that the world of IT has changed in two key ways:
- Computer Systems are no longer stand-alone entities, they are interconnected and usually only one hop from the public internet, where the naughty children play.
- Most of us are now obligated by laws (like the GDPR) to keep our systems up to date with the latest security patches and to have an appropriately secure configuration in place to protect our data.
When it comes to house insurance, we all accept that if you don’t lock your house, then you will not be covered if someone wanders in and steals your stuff. We are now starting to see the same ethos applying to business insurance.
So, what is the answer?
It’s not rocket science; in fact, it is just common sense. IBM does most of the hard work, you just need to patch your systems. If you are not sure where to start or what to patch, then call on your friendly business partner to begin with and they will help. When they do, be sure to watch them, as you may find that once you have seen the patching in progress, you feel confident enough to do it yourself the next time.
Here is what my team do week in and week out for the systems we look after:
Step 1 – Make a list
- IBM i Cumulative AND Group PTFs
- Open source tools
- Third party middleware packages such as:
  - HA software replication
  - Business intelligence
  - Security and auditing
  - Spool file enhancement
  - GUI frontend servers
  - Domino server
  - IFS antivirus scanner
- ISV application updates
As well as software that works in conjunction with your IBM i such as:
- IBM ACS client
- Hardware Management Console
- Power firmware
- VIO servers
- SAN firmware
- Fibre switch firmware
Step 2 – Make a list of contacts and websites where you can check for updates
Make a list of all the current version numbers of the components listed above that you are running and where you check for updates. Ideally, subscribe to a service that lets you know when updates are made available.
Step 3 – Create a schedule of updates
Many people make the mistake of thinking you should update all elements of the above in one go. In fact, this is not best practice. Ideally, you should group them into logical sets and create a plan to update these groups at regular, spaced intervals.
For example, you could group the following patches together:
- HMC, Power firmware, VIO server, SAN and fibre switches. Install any appropriate updates in months 1, 4, 7 and 10 of each year.
- IBM i Cumulative PTFs, Group PTFs, Open source tools and ACS. Install any appropriate updates in months 2, 5, 8 and 11 of each year.
- Third party middleware package updates and ISV updates. Install any appropriate updates in months 3, 6, 9 and 12 of each year.
If you want a place to start, then run the following two SQL statements on your IBM i server and they will let you know what PTFs and Power firmware you have and what the latest available versions are:
The IBM i Firmware Currency statement below is available from your ACS Insert from Examples:
The IBM i Group PTF Currency statement below is available from your ACS Insert from Examples:
ProTip: If either or both of the above run but return no data, then your PTFs are out of date, as IBM changed the public facing webserver that holds these catalogues some years ago. When you install the latest PTFs they will start working normally again.
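The two currency checks named above, written out as an added example (not the original page's statements, which are available in ACS under Insert from Examples). It uses the IBM-supplied views SYSTOOLS.GROUP_PTF_CURRENCY and SYSTOOLS.FIRMWARE_CURRENCY; the `levels_behind` and `catalogue_rows` column aliases are names chosen here, and the last query separates "nothing to install" from the empty-catalogue case in the ProTip.

```sql
-- Added example. Both SYSTOOLS views compare this partition against a
-- catalogue fetched from IBM's public web server, so the partition needs
-- outbound access to it when the query runs.

-- 1. PTF groups for the running release where IBM has published a newer
--    level than the one installed, worst offenders first.
WITH ilevel (iversion, irelease) AS (
    SELECT os_version, os_release
      FROM sysibmadm.env_sys_info
)
SELECT p.ptf_group_id,
       p.ptf_group_title,
       p.ptf_group_level_installed,
       p.ptf_group_level_available,
       p.ptf_group_level_available
         - p.ptf_group_level_installed AS levels_behind,
       p.ptf_group_last_updated_by_ibm
  FROM ilevel, systools.group_ptf_currency p
 WHERE p.ptf_group_release =
           'R' CONCAT iversion CONCAT irelease CONCAT '0'
   AND p.ptf_group_level_available > p.ptf_group_level_installed
 ORDER BY levels_behind DESC;

-- 2. Installed Power firmware level against what IBM currently offers.
SELECT *
  FROM systools.firmware_currency;

-- 3. Sanity check for the ProTip: query 1 returns no rows both when every
--    group is current AND when the catalogue could not be retrieved.
--    An unfiltered count tells the two apart: 0 rows here means the
--    catalogue lookup itself returned nothing, not that you are up to date.
SELECT COUNT(*) AS catalogue_rows
  FROM systools.group_ptf_currency;
```

Run query 3 first on a system that has not been patched for a long time; if it returns 0, treat the result of query 1 as unknown rather than clean.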
To order the patches you found above and to find updates for all the other IBM elements, you can use the IBM Fix Central website: https://www.ibm.com/support/fixcentral/
Keeping your system up to date is easier if you are doing little and often. What’s more, if an update does cause some undesired behaviour, it will be easier to diagnose and fix.
Nice to see you IN PERSON!
It was great to see you all IN PERSON at Bletchley Park, it was our fastest selling event ever. With all the places being snapped up in a week, we had to add more capacity and that sold out too. In fact, for the first time ever we had to create a waiting list.
We have two more events lined up for you early next year, February – Norton Grange Hotel Rochdale and March – London. More details and a booking form are available at our website www.i-ug.co.uk