AS/400 archives - ENDJOBABN


Oct 27 2009   4:17PM GMT

Product Review - Kisco i2S3



Posted by: Steve Pitcher
AS/400, cloud, iseries, ibm i, kisco, i2s3

Here’s a link to an i2S3 review I did for Search400.  Neat product and worth a look if you’re interested in cloud based storage for IBM i.

 http://search400.techtarget.com/tip/0,28…

Oct 26 2009   3:22AM GMT

Lord of the Tapes: Return of the Fire King



Posted by: Steve Pitcher
AS/400, iseries, lto, tape, safe, System i

OK, well it’s the first Fire King I’ve purchased and I hate Lord of the Rings with a passion but I needed a title.

I have a Fire King DM2520-3 being delivered this Wednesday.  This little monster weighs in at a whopping 1050 lbs and will hold about 210 LTO tapes.  I only need storage for about 100 tapes, so there’s plenty of room for growth, documentation, CD/DVD media and other goodies we want to keep out of harm’s way.

While scoping out a fire resistant safe, I was given a few clear requirements.

  • Get the best fire rating possible
    • The 3 hour rating may be overkill, considering a standard office fire temperature would be lower than the 2000 F heat that this safe is rated to protect against, so you can’t say I didn’t find the best available.  Actually, a 1 hour rated safe would probably suffice for most businesses considering if flame is in direct contact for 1 hour with your data safe then you’re probably storing your tapes in an oil refinery.  Heat away from the fire is a much lower temperature than the actual fire, and since most material/fuel will burn away fairly quickly, most 1 hour safes would do the trick.
  • Theft protection
    • Considering this thing will take a locksmith a couple of hours to bust into if the front keypad melted off…it’s not easily broken into.  Plus you’re not going to get a few fellas to haul a 1050 lb box away without making a little noise and alerting security.

This puppy is also rated against 30 foot drops and explosions. I’m not sure what they test explosions with, but that would have to be a neat job.

I’m curious, what do you all use for storage protection?  Are there others out there with bigger, better and cooler physical media storage systems?

Comments welcome.


Oct 23 2009   1:48AM GMT

System/Message Monitoring on IBM i



Posted by: Steve Pitcher
AS/400, iseries, ibm i, management central, monitor, systems management, navigator

Check out the November edition of System i News magazine.  I submitted an article a little while ago that’s now been published in the Pro VIP section.

Check out www.systeminetwork.com and get yourself a subscription to a great resource.

If you have any questions, please feel free to comment and I’ll do my best to help.


Oct 9 2009   3:11PM GMT

Search400 Tip - Tracking data changes on IBM i with triggers



Posted by: Steve Pitcher
AS/400, trigger, i5, iseries, System i, journal, auditing

http://search400.techtarget.com/tip/0,28…


Oct 8 2009   7:28PM GMT

iSeries Storage Quotas: Keeping Users Informed



Posted by: Steve Pitcher
AS/400, iseries, System i, IFS, quota

Users and storage quotas.  Groan…

If you’re using the IFS on your iSeries for users to store files then you’ve probably struggled with storage management.  I’ve often compared managing user storage to being a credit card company with a lot of irresponsible customers.  We give a customer a $1000 credit limit (i.e., 100 MB of storage) and they go on a spending spree.  Once they’ve reached their limit they ask for more money.  Since they have good credit we give them an extra $500 (i.e., bump their storage limit an additional 50 MB).  We may do this a couple of times before we catch on and send them to the collection department to hound them on a regular basis to get below their credit limit.

When users reach their storage quotas, simple things like generating spooled files are a problem because they don’t have any space to generate them.  Then they call IT when their reports don’t print.

Now, users who need their storage caps adjusted for a business requirement have a legitimate reason.  I’ll adjust your quota accordingly and perhaps make a case to add disk.  My beef lies with knuckleheads using 90% of their storage on pictures of their family trip to Disney World.  If you can afford the digital camera and the trip then you can afford a flash drive or a DVD burner.  So pretty please, keep the crap off the production server.

I put together a little automated email routine to inform users and cut down on storage related support calls.  Personally, I’d say I’ve easily cut the storage support calls by 50%.  Here’s the gist of what the user gets:

  1. A quick explanation that every user has a storage quota and that they’re approaching it.
  2. How much space they have left.
  3. A list of files they own in descending order of size.  I also include the last change date of the object.

There’s a number of pieces that put this together.

  1. Retrieve a listing of iSeries users using the DSPUSRPRF command to an outfile and then do some quick query/400 work.
  2. I interface with our Domino server to get the email address for each user. This is done by way of a simple Domino agent that exports mail users to a csv file on our iSeries.
  3. I determine which users are exceeding 90% of their storage quota via the output of the DSPUSRPRF command above.
  4. I get a list of objects each user owns (using the RTVDIRINF command, some CL and query/400) and create a csv file for that user with some RPG.  The csv file generation stuff was put together after reviewing Scott Klement’s awesome website that has a section on working with files on the IFS (http://www.scottklement.com/rpg/ifs.html).
  5. Each user is emailed the notification with the attached csv.  This is accomplished, in my scenario, with the Javamail application that you can install on your iSeries free of charge.

If anyone would like an explanation on how to build this yourself, please let me know and I’d be happy to help.  It’s a Frankenstein solution, but it’s free and works well.
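The selection and sorting logic behind steps 3 and 4, as an added Python example that is not the author's CL/RPG code. The CSV column names and all sample rows are constructed assumptions standing in for the DSPUSRPRF outfile and the RTVDIRINF query results; profiles set to *NOMAX are skipped because they have no quota to compare against.

```python
import csv
import io

# Constructed sample data (not from the original post). Column names are
# assumptions standing in for the DSPUSRPRF outfile and RTVDIRINF results.
PROFILES_CSV = """user,maxstg_kb,stgused_kb
ALICE,102400,97280
BOB,102400,40960
CAROL,*NOMAX,900000
DAVE,51200,51200
"""
OBJECTS_CSV = """owner,path,size_kb,last_changed
ALICE,/home/alice/disney/img_0412.jpg,40960,2009-08-14
ALICE,/home/alice/reports/q3.pdf,2048,2009-10-01
ALICE,/home/alice/disney/img_0413.jpg,51200,2009-08-14
DAVE,/home/dave/archive.zip,51200,2008-01-30
"""
THRESHOLD = 0.90  # notify at 90% of quota, as in the post


def users_near_quota(profiles_csv, threshold=THRESHOLD):
    """Return {user: remaining_kb} for profiles at or above the threshold."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(profiles_csv)):
        if row["maxstg_kb"] == "*NOMAX":  # no quota set: nothing to compare
            continue
        limit, used = int(row["maxstg_kb"]), int(row["stgused_kb"])
        if limit > 0 and used / limit >= threshold:
            flagged[row["user"]] = max(limit - used, 0)
    return flagged


def owned_objects(objects_csv, user):
    """Objects owned by `user`, largest first, for the CSV attachment."""
    rows = [r for r in csv.DictReader(io.StringIO(objects_csv))
            if r["owner"] == user]
    return sorted(rows, key=lambda r: int(r["size_kb"]), reverse=True)


def build_notices(profiles_csv, objects_csv):
    """One notice per flagged user: space left plus their objects by size."""
    return {
        user: {"remaining_kb": left, "objects": owned_objects(objects_csv, user)}
        for user, left in users_near_quota(profiles_csv).items()
    }


if __name__ == "__main__":
    for user, notice in build_notices(PROFILES_CSV, OBJECTS_CSV).items():
        print(user, notice["remaining_kb"], [o["path"] for o in notice["objects"]])
```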


Sep 3 2009   3:36AM GMT

Your vendors DON’T need QSECOFR authority!



Posted by: Steve Pitcher
AS/400, qsecofr, authority, iseries

Well, 99% of the time they don’t.  They probably don’t need any special authorities either.  Here are a few examples of vendors trying to break the rules.

XYZ Software

I’m working with a new application vendor (we’ll call them XYZ Software) and they need access to our system to do some custom programming and software configuration.

Here’s what they asked for right off the bat:

1. Telnet port opened up on our firewall in order to access our iSeries

2. A new user profile with QSECOFR authority.

Well, the 1st request wasn’t going to happen…period.  We use other methods to allow external parties secure access to our network.

The 2nd request I would allow only if the vendor could supply detailed reasons why they would need such excessive authority.  As well, this profile would most certainly be audited.  Not surprisingly, what they need to do (restoring objects to the XYZ software libraries and compiling programs) doesn’t require QSECOFR authority at all.  Actually, it’s not even close.  In reality the XYZ profile would just need proper access to the XYZ library in order for them to compile programs and restore objects to that library.

Vendors attempt to gain much more authority than they need in order to minimize your IT staff getting in their way in the future.  They don’t want the hassle of asking for authority to a command or a library so they go for broke and tell you they “need” QSECOFR authority.

ABC ERP Software

Another vendor I’ve dealt with, I’ll call them ABC ERP Software, really gets away with murder in terms of going against industry security standards.  I’m sure I could make a fortune going to their customer sites and plugging the security holes, but that’s another story.

ABC Software, sadly, was given a profile called ABC which was a copy of the QSECOFR profile.  Let’s say it was somewhat “needed” at the time as they were given the entire task of setting up a new iSeries server, restoring licensed programs, installing PTFs, etc., so we let it fly.  Once we got the new ERP up and running I wanted to scale that profile back to a less dangerous set of authorities.

This vendor had a fit.  I was told by their Senior iSeries guru in a very curt email that if I changed anything about the profile then the ERP system would fall apart at the seams.  I called his bluff and asked how and why each special authority was needed.  He then displayed either true ignorance towards system security or a barrage of BS that would silence most iSeries techs afraid to stand up to the scary senior analyst.

I was told the ABC profile needed *SERVICE and *JOBCTL special authorities to run a STRDBG command.  Untrue!  To debug a program, you only need *CHANGE authority to the object.  If you don’t have *CHANGE, you need *USE on the object AND *SERVICE special authority.

Also, they wanted *SERVICE so that they could access the System Service Tools.  No thank you.

I was also told that they have to have *SPLCTL as they “need” to view all users’ spooled files.  Again with the “need.”  Sure buddy.  On our payroll server.  Right.

In the end I successfully debunked the necessity of 5 of the 8 special authorities ABC company wanted, including *ALLOBJ.

A few months later this “guru” stated that any user that wanted to use Fax/400 needed to have *SPLCTL.  Also, I remember him stating that all users should have their MAXSTG set to *NOMAX to compensate for the lack of garbage collection in their ERP.  You see, they have a GUI spooled file viewer that creates temporary PDF files in QDLS…but these files would stay there forever. Unbelievable.

Always question anyone who doesn’t have a vested interest in your company.  You hold the responsibility for the security of your system, not them.
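One way to run the "how and why is each special authority needed" review over a list of profiles, as an added Python example that is not code from the original post. The profile names, granted sets and written justifications are constructed and hypothetical; `can_debug` encodes the STRDBG rule exactly as the post states it.

```python
# The eight IBM i special authorities; a copy of QSECOFR carries all of them.
ALL_SPECIAL = frozenset({"*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
                         "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL"})

# Constructed sample data (hypothetical profiles, not from the post).
GRANTED = {
    "VENDORA": set(ALL_SPECIAL),         # cloned from QSECOFR
    "VENDORB": {"*JOBCTL", "*SERVICE"},  # requested "to run STRDBG"
    "OPER1": {"*JOBCTL", "*SAVSYS"},
}
# Constructed: authorities each owner justified in writing, with the task.
JUSTIFIED = {
    "VENDORA": {"*JOBCTL": "hold and release ERP batch jobs"},
    "VENDORB": {},
    "OPER1": {"*JOBCTL": "manage job queues", "*SAVSYS": "nightly backups"},
}


def can_debug(object_authority, special):
    """STRDBG rule from the post: *CHANGE on the program, or *USE plus *SERVICE."""
    if object_authority in ("*CHANGE", "*ALL"):  # *ALL includes *CHANGE
        return True
    return object_authority == "*USE" and "*SERVICE" in special


def review(granted, justified):
    """Per profile: unjustified special authorities and a QSECOFR-equivalent flag."""
    report = {}
    for profile, special in sorted(granted.items()):
        unknown = special - ALL_SPECIAL
        if unknown:
            raise ValueError(f"{profile}: unrecognized authority {sorted(unknown)}")
        excess = special - set(justified.get(profile, {}))
        report[profile] = {
            "qsecofr_equivalent": special == ALL_SPECIAL,
            "remove": sorted(excess),
        }
    return report


if __name__ == "__main__":
    for profile, result in review(GRANTED, JUSTIFIED).items():
        print(profile, result)
    # *CHANGE on the program is enough; no special authority is involved.
    print(can_debug("*CHANGE", set()))
```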


Jul 5 2009   6:00AM GMT

Friday Night Lights



Posted by: Steve Pitcher
AS/400, System i

I had a lovely Friday, working from home in complete silence until my little boy woke up.  I then went to the office and shut my door for a few hours, banging out the finishing touches of a project due at the end of the day.

Around 3PM we get word that there’s going to be a scheduled power outage at 3:30 for repairs.  Evidently there were a couple of explosions earlier in the day and some of the electrical equipment got toasted.  The outage would last between 5 hours and 3 days.  Big window of an estimate, but what can you do?  The poor electricians were probably airing the smoke out of the substation and assessing the problem.

We have a 4 person IT shop.  A manager, myself and two other technicians.  As luck would have it, my 2 week after hours on-call shift started Friday, the manager is on vacation and the two other technicians started their vacation Friday after work.  Guess who gets to hang out after work to make sure things are in good order with the equipment?

At 3:30 the power shuts off and our UPS handles the power load for our servers for about a minute or so until the propane generators fire up.  At 3:32 the propane generator kicks in like clockwork and runs along for all of 5 minutes before shutting off again.

I run and find one of our electricians to have a look while I check the UPS.  Cool.  I have 33 minutes of battery time left.  I make a few calls and send a few emails to prep users on the possibility of a total computer shutdown on the 5 companies we support out of our office.

Looks like the generator was toasted from the power surges earlier in the day.  Knowing all is lost and I need to power down 3 AS/400’s and maybe 10-12 Windows servers with 15 minutes to spare, I head back to the server room and check the UPS.  The front panel says “15 minutes battery time remaining” so I have plenty of room to move.

I get 2 AS/400’s on the way down (and I need a full 8 minutes for them to shut off) and start working on the 3rd when the UPS starts making the awful fast beeping noise indicating an imminent shutdown.  It’s times like these when you second guess yourself on your ability to restore from backup tapes.  1 very short minute later, all machines go down…HARD.  My stomach rolled over like you’d expect.

Colorful and creative cursing ensued at the UPS for telling me I had 15 minutes when I really had 5-6.

More colorful and creative cursing ensued at the flipping generator for failing when I needed it the most.

6 long hours later after the power was restored I started to power up the machines to find the lovely amber alert light on our new AS/400 model 515.  Luckily after booting into SST it just turned out to be an indicator of power fluctuation.

Even more colorful cursing ensued at the bloke at IBM who put this feature in the new machines.  Our models 170 and 270 went through the same experience but appeared fine with no system attention light.  Put the message in the QSYSOPR message queue but don’t fire up the “uh oh” light and cry wolf.  I want to see that light come on when I have a DASD failure or something and need to take action.

With all that said, all systems were a go with no hardware or software damage.

I don’t like dodging a bullet, but the alternative is being hit by one.  I had to hunt down one of the technicians in order to put myself on the UPS email alert system in case the systems went to UPS power in the next few days until we get the generator repaired.  In that case I’d have to remote in and power down all systems and bank on only having 20 instead of 33 minutes to get the job done right.  Tethered to the computer room 30 miles away.  I’ll also have to get the UPS checked to ensure it’s giving an accurate representation of battery time based on the load.

It’s time to review our systems continuity strategy and schedule more regular testing.  I’d suggest you do the same.


Jun 29 2009   3:25AM GMT

First post…the post that hurts the most!



Posted by: Steve Pitcher
AS/400, iseries, i5, System i, Lotus Domino, lotus notes, rpg

For the Mighty Boosh fans (and they’re already thinking “I’ll take you out for a meal with Mr and Mrs Pain.  Order up some violent quiche”), I couldn’t resist that as a title after struggling to come up with something clever for about 10 minutes.  Hey, coders are like musicians…you can rob something as long as you give credit.

Hey Now!

First blog post.  I’ll try and keep it brief and give a little introduction of who I am, what I do and what you’ll expect in future blogs.

Who I am:

I’m a 30 year old systems analyst that’s been working with the AS/400 since about the year 2000.  I use the term AS/400 because I think that IBM will eventually re-brand the system to its former name.  Naming the system an “IBM i” really did nothing but force AS/400 advocates like myself to ponder about the marketing suits at IBM.

What I do:

I work for a Canadian paper manufacturer.  We have 3 AS/400’s on-site running ERP, payroll, Lotus Domino, Barcode/400 and a slew of other applications (both purchased and home grown) used to augment the primary systems.

Previous to my current job, I worked with a major Canadian IBM Business Partner doing technical sales and services.

What to expect:

Most of my content will be about Lotus Domino and the AS/400 from both administration and development points of view.  I’ll be supplying tips, code, best practices, subtle and not so subtle suggestions, blurbs about current projects I’m working on and the occasional rant on office politics.

As well, I’ll be offering opinions and tips on working with hardware/software vendors and business partners.  For example, I’ve seen many rack configuration proposals that had unnecessary, and sometimes costly,  components.  I’ve also seen some that had more holes than road.  Perhaps in the near future I’ll deconstruct an anonymous system proposal I’ve seen for the purposes of suggesting that you always get a second opinion and to ensure your BP does their homework and reads their system builder handbook.

Later.