iseries

Product Review - Kisco i2S3

Here’s a link to an i2S3 review I did for Search400.  Neat product and worth a look if you’re interested in cloud based storage for IBM i.

 http://search400.techtarget.com/tip/0,28…

Lord of the Tapes: Return of the Fire King

OK, well it’s the first Fire King I’ve purchased and I hate Lord of the Rings with a passion but I needed a title.

I have a Fire King DM2520-3 being delivered this Wednesday.  This little monster weighs in at a whopping 1050 lbs and will hold about 210 LTO tapes.  I only need storage for about 100 tapes, so there’s plenty of room for growth, documentation, CD/DVD media and other goodies we want to keep out of harms way.

While scoping out a fire resistant safe, I was given a few clear requirements.

• Get the best fire rating possible
  • The 3 hour rating may be overkill, considering a standard office fire temperature would be lower than the 2000 F heat that this safe is rated to protect against, so you can’t say I didn’t find the best available.  Actually, a 1 hour rated safe would probably suffice for most businesses considering if flame is in direct contact for 1 hour with your data safe then you’re probably storing your tapes in an oil refinery.  Heat away from the fire is a much lower temperature than the actual fire, and since most material/fuel will burn away fairly quickly, most 1 hour safes would do the trick.
• Theft protection
  • Considering this thing will take a locksmith a couple of hours to bust into if the front keypad melted off…it’s not easily broken into.  Plus you’re not going to get a few fellas to haul a 1050 lb box away without making a little noise and alerting security.

This puppy is also rated against 30 foot drops and explosions. I’m not sure what they test explosions with, but that would have to be a neat job.

I’m curious, what do you all use for storage protection?  Are there others out there with bigger, better and cooler physical media storage systems?

Comments welcome.

System/Message Monitoring on IBM i

Check out the November edition of System i News magazine.  I submitted an article a little while ago that’s now been published in the Pro VIP section.

Check out www.systeminetwork.com and get yourself a subscription to a great resource.

If you have any questions, please feel free to comment and I’ll do my best to help.

Search400 Tip - Tracking data changes on IBM i with triggers

nbsp;http://search400.techtarget.com/tip/0,28…

iSeries Storage Quotas: Keeping Users Informed

Users and storage quotas.  Groan…

If you’re using the IFS on your iSeries for users to store files then you’ve probably struggled with storage management.  I’ve often compared managing user storage to being a credit card company with a lot of irresponsible customers.  We give a customer a $1000 credit limit (i.e., 100 MB of storage) and they go on a spending spree.  Once they’ve reached their limit they ask for more money.  Since they have good credit we give them an extra $500 (i.e., bump their storage limit an additional 50 MB).  We may do this a couple of times before we catch on and send them to the collection department to hound them on a regular basis to get below their credit limit.

When users reach their storage quotas, simple things like generating spooled files are a problem because they don’t have any space to generate them.  Then they call IT when their reports don’t print.

Now, users who need their storage caps adjusted for a business requirement have a legitimate reason.  I’ll adjust your quota accordingly and perhaps make a case to add disk.  My beef lies with knuckleheads using 90% of their storage on pictures of their family trip to Disney World.  If you can afford the digital camera and the trip then you can afford a flash drive or a DVD burner.  So pretty please, keep the crap off the production server.

I put together a little automated email routine to inform users and cut down on storage related support calls.  Personally, I’d say I’ve easily cut the storage support calls by 50%.  Here’s the gist of what the user gets:

1. A quick explanation that every user has a storage quota and that they’re approaching it.
2. How much space they have left.
3. A list of files they own in descending order of size.  I also include the last change date of the object.

There’s a number of pieces that put this together.

1. Retrieve a listing of iSeries users using the DSPUSRPRF command to an outfile and then do some quick query/400 work.
2. I interface with our Domino server to get the email address for each user. This is done by way of a simple Domino agent that exports mail users to a csv file on our iSeries.
3. I determine which users are exceeding 90% of their storage quota via the output of the DSPUSRPRF command above.
4. I get a list of objects each user owns (using the RTVDIRINF command, some CL and query/400) and create a csv file for that user with some RPG.  The csv file generation stuff was put together after reviewing Scott Klement’s awesome website that has a section on working with files on the IFS  http://www.scottklement.com/rpg/ifs.html)
5. Each user is emailed the notification with the attached csv.  This is accomplished, in my scenario, with the Javamail application that you can install on your iSeries free of charge.

If anyone would like an explanation on how to do build this yourself, please let me know and I’d be happy to help.  It’s a Frankenstein solution, but it’s free and works well.

Your vendors DON’T need QSECOFR authority!

Well, 99% of the time they don’t.  They probably don’t need any special authorities either.  Here are a few examples of vendors trying to break the rules.

XYZ Software

I’m working with a new application vendor (we’ll call them XYZ Software) and they need access to our system to do some custom programming and software configuration.

Here’s what they asked for right off the bat:

1. Telnet port opened up on our firewall in order to access our iSeries

2. A new user profile with QSECOFR authority.

Well, the 1st request wasn’t going to happen…period.  We use other methods to allow external parties secure access to our network.

The 2nd request I would allow only if the vendor could supply detailed reasons why they would need such excessive authority.  As well, this profile would most certainly be audited.  Not surprisingly, what they need to do (restoring objects to the XYZ software libraries and compiling programs) doesn’t require QSECOFR authority at all.  Actually, it’s not even close.  In reality the XYZ profile would just need proper access to the XYZ library in order for them to compile programs and restore objects to that library.

Vendors attempt to gain much more authority than they need in order to minimize your IT staff getting in their way in the future.  They don’t want the hassle of asking for authority to a command or a library so they go for broke and tell you they “need” QSECOFR authority.

ABC ERP Software

Another vendor I’ve dealt with, I’ll call them ABC ERP Software, really gets away with murder in terms of going against industry security standards.  I’m sure I could make a fortune going to their customer sites and plugging the security holes, but that’s another story.

ABC Software, sadly, was given a profile called ABC which was a copy of the QSECOFR profile.  Let’s say it was somewhat “needed” at the time as they were given the entire task of setting up a new iSeries server, restoring licensed programs, installing ptf’s, etc., so we let it fly.  Once we got the new ERP up and running I wanted to scale that profile back to a less dangerous set of authorities.

This vendor had a fit.  I was told by their Senior iSeries guru in a very curt email that if I changed anything about the profile then the ERP system would fall apart at the seams.  I called his bluff and asked how and why each special authority was needed.  He then displayed either true ignorance towards system security or a barrage of BS that would silence most iSeries techs afraid stand up to the scary senior analyst.

I was told the ABC profile needed *SERVICE and *JOBCTL special authorities to run a STRDBG command.  Untrue!  To debug a program, you only need *change authority to the object.  If you don’t have *change, you need *use on the object AND *service special authority.

Also, they wanted *SERVICE so that they could access the System Service Tools.  No thank you.

I was also told that they have to have *SPLCTL as they “need” to view all user’s spooled files.  Again with the “need.”  Sure buddy.  On our payroll server.  Right.

In the end I successfully debunked the necessity of 5 of the 8 special authorities ABC company wanted, including *ALLOBJ.

A few months later this “guru” stated that any user that wanted to use Fax/400 needed to have *SPLCTL.  Also, I remember him stating that all users should have their MAXSTG set to *NOMAX to compensate for the lack up garbage collection in their ERP.  You see, they have a GUI spooled file viewer that creates temporary PDF files in QDLS…but these files would stay there forever. Unbelievable.

Always question anyone who doesn’t have a vested interest in your company.  You hold the responsibility for the security of your system, not them.

First post…the post that hurts the most!

For the Mighty Boosh fans (and they’re already thinking “I’ll take you out for a meal with Mr and Mrs Pain.  Order up some violent quiche”), I couldn’t resist that as a title after struggling to come up with something clever for about 10 minutes.  Hey, coders are like musicians…you can rob something as long as you give credit.

Hey Now!

First blog post.  I’ll try and keep it brief and give a little introduction of who I am, what I do and what you’ll expect in future blogs.

Who I am:

I’m a 30 year old systems analyst that’s been working with the AS/400 since about the year 2000.  I use the term AS/400 because I think that IBM will eventually re-brand the system to it’s former name.  Naming the system an “IBM i” really did nothing but force AS/400 advocates like myself to ponder about the marketing suits at IBM.

What I do:

I work for a Canadian paper manufacturer.  We have 3 AS/400’s on-site running ERP, payroll, Lotus Domino, Barcode/400 and a slew of other applications (both purchased and home grown) used to augment the primary systems.

Previous to my current job, I worked with a major Canadian IBM Business Partner doing technical sales and services.

What to expect:

Most of my content will be about Lotus Domino and the AS/400 from both administration and development points of view.  I’ll be supplying tips, code, best practices, subtle and not so subtle suggestions, blurbs about current projects I’m working on and the occasional rant on office politics.

As well, I’ll be offering opinions and tips on working with hardware/software vendors and business partners.  For example, I’ve seen many rack configuration proposals that had unnecessary, and sometimes costly,  components.  I’ve also seen some that had more holes than road.  Perhaps in the near future I’ll deconstruct an anonymous system proposal I’ve seen for the purposes of suggesting that you always get a second opinion and to ensure your BP does their homework and reads their system builder handbook.

Later.