Archive for the ‘IBM i’ Category.

Base setup of i5/OS

Setting up and installing i5/OS takes awfully long (usually around 12 hours for a simple install alone, on cheaper machines), but it isn’t that difficult.

IBM offers a very nice and detailed PDF for this, and the whole information is also on the i5/OS Infocenter. IBM’s writing style is very convoluted, and you’ll need to make some jumps through the document to get all the information you need.

First, let’s talk about installing from scratch. When you buy a new machine, you usually don’t need to do that because it comes preloaded with the current version of i5/OS and a decent PTF level. You might need to install additionally ordered software and reapply CUM PTFs, because IBM mostly doesn’t get the preinstall of additionally ordered software right (and unlike Windows Service Packs, you need to reapply CUM PTFs after installing new OS components).

But first things first. You need to change a few system values:

  • QLMTSECOFR: set this to 0 to allow QSECOFR to sign on from any device.
  • QSAVACCPTH: set this to 0 for faster saves that need less space, but longer restore times.
  • QCTLSBSD: set this to QCTL to use a single controlling subsystem with different subsystems for different tasks, or leave it as QBASE for a single subsystem with everything in it.

These two changes are completely optional. Leave them be if you have made different decisions.

  • QDECFMT: change this to the appropriate format for your country. In Switzerland, this is 1.
  • QUPSDLYTIM: set this to an appropriate time using the documentation for your UPS. 600 seconds is a good start. Never leave the default value.
  • QCCSID: this is the most important value. This needs to be set to the appropriate value for your country. For Switzerland, this is 500.
  • QTIMZON: also very important. I wrote about this earlier.
  • QLOCALE: almost as important as QCCSID. Set it to the correct locale for your country. For Switzerland, this is /QSYS.LIB/DE_CH.LOCALE
  • QRETSVRSEC: needs to be set to 1 for ESA to work.

All these changes are of the utmost necessity for a correctly working system. Even if you do live in the US, not all defaults are correct for you (QCCSID defaults to 65535, but should be 037 in the US).

Another important step is to use CHGNETA to change several important attributes, but before you do, decide on a hostname for the system. It doesn’t really matter what it is, but it needs to be consistent. One I’ve seen often is CCXXXXNN, where CC is the ISO country code, XXXX a shorthand for your company, and NN the number of the i5/OS instance. For example, we use CHDLAG01.

  • SYSNAME, LCLNETID, LCLCPNAME need to be set to your hostname
  • MDMCNTRYID needs to be set to your ISO Country Code - without this parameter set, your modems won’t work (If you still use them)

The next step is to configure your Ethernet line and add the appropriate IP address. The common pitfalls here are that people often forget to set a default route (CFGTCP, 2), or do not configure a hostname and the appropriate hosts table entry.

The system’s TCP/IP hostname can be chosen arbitrarily, but we will use the same name we used for the SYSNAME value of CHGNETA before, and just add our internal domain suffix. If you’re using Microsoft’s Active Directory, it makes sense to use a single namespace. For example, our SYSNAME is CHDLAG01 and our Active Directory domain is int.dataline.ch; this gives us a TCP/IP hostname of chdlag01.int.dataline.ch.

This is configured using the CHGTCPDMN command:

  • HOSTNAME should be the same as SYSNAME, just in lower case.
  • DMNNAME should be your internal domain suffix.
  • HOSTSCHPTY should be set to *LOCAL, this avoids some delays.
  • INTNETADR should be set to two of your company’s internal DNS servers, NOT your ISP’s DNS servers.

You will now need to add an appropriate hosts table entry using the ADDTCPHTE command. This is pretty self-explanatory.

Using GO TCPADM, 2 we can configure all our applications. My recommendation is to disable any application you don’t need RIGHT NOW. You can always reenable them later. I usually disable everything except Telnet and FTP, and enable SNTP (which is normally disabled). SNTP allows your i5/OS instance to sync against NTP timeservers. If you’re using Active Directory, it’s a good idea to sync against the domain controller which holds the PDC FSMO role.

The last step would be to set up the Electronic Service Agent. I’ve documented this procedure in detail earlier.

Have you looked at 5733-QU2 yet?

If you’ve been using 5722-QU1 in the past (aka Query), you might have wanted to work with something more modern. There are a few solutions for this, however many of them have most of the business logic and configuration on the client, which is especially cumbersome in small business environments.

One of the other applications that does this right is SEQUEL from Help/Systems. However, this application is only available in English, which doesn’t work when you’re looking for an end user ready solution.

However, IBM now has a web based product which works purely server based, is compatible with Query, and is available in several local languages. This product is 5733-QU2 aka “Web Query”. This product gets released this Friday (the 14th).

I’m very interested in how its performance will turn out. We have several customers who are still using legacy machines (170, 250, 270, 800), and are not willing to stay current (this is a topic of its own). WAS Express was an extreme performance hog on our test 270, and performed horribly. But 5733-QU2 will use Tomcat, a more lightweight application server. I really hope that this will give better performance even on older machines.

A preview of the new HMC GUI

IBM has published a few Flash presentations of the new HMC GUI. This finally looks like something decent. Now if only the HMC were included in the base system (with the price of that staying the same, of course), even smaller businesses could use advanced features such as a remotely accessible console.

Color printouts and color PDFs on i5/OS - a complete disaster

This is a topic that I’ve spent the past year fighting. A solution is still not in sight, but I decided to publish all this stuff anyway - so that it might help someone with the same problem to know that they’re not alone.

The problem starts early. If you want to print with color from i5/OS, you’ll need FS45 capable IPDS printers. Some IPDS ROMs support this, and so does ExcelliPrint. Pay attention that not all IPDS ROMs support FS45.

The next step is to create a color overlay. I’ve written about this in the past, involving a cumbersome way through a TIFF printer and tiff2afp. Those of you familiar with overlays know that there’s IBM’s AFP printer driver, but that doesn’t handle colors correctly. About 3/4 years ago, I opened my first PMR about this problem.

This was PMR 33480, involving a bizarre, month long debate with IBM, which first didn’t acknowledge the problem, and later promised a fix in 2Q07.

A few weeks ago, I opened PMR 61439, which was just a request for the fix promised in 2Q07. One of the best excerpts from that PMR is:

What is an .eps file? Googling shows
“encapsulated postscript”? When I try to open it with any PC
application I have, it says it cannot process the file. Do they have a
sample image that can be opened with the basic microsoft software that
is installed on an IBM corporate PC?

I found it quite ridiculous that an IBM printing support person didn’t know what EPS is. But even funnier than this was the end of the PMR, with a simple statement:

Unfortunately, there is no estimated date on
when color support can be improved.

Which means “we won’t fix this”. Again, there is a suitable workaround using tiff2afp, which I’ve documented here. That’s only half of the problem.

The second half of the problem is the creation of color PDFs on your i5/OS instance. PDF is a very important format if you’re sending electronic bills, etc. IBM’s InfoPrint Server product (5722-IP1) handles this. Unfortunately, the performance for the generation of a single page color PDF is abysmal - about 5 minutes on a usual customer system, and about 30 seconds on one of IBM’s high performance testing systems.

I would consider a PDF generation time of about 10 or maybe 15 seconds on a very low end system acceptable - 5 minutes is way out of dimension. Again, I’ve opened a PMR on this topic. This is PMR 61235. Again, it took over a month of back and forth with IBM until they told me again that this won’t be fixed.

Another funny thing in that PMR is that IBM support tried to contact me on the 1st of August - which is a Swiss national holiday. Looks like they lack a concept to know when people aren’t working…

The PRTPDF job is spending most of its time in CPU, this
is due to processing. If the amount of processing (work)
can not be reduced then a faster processor may be
required.

IBM’s way to solve this problem is to throw a faster CPU at it. This might be reasonable, but my ThinkPad T60 with CutePDF just needs 5 seconds to generate a multipage, color PDF, and cost 2000 CHF - all the while a System i5 with appropriate i5/OS licenses costs 15′000 CHF minimum - but is not capable of generating color PDFs in less than 10 seconds.

Color printing, easy creation of overlays, and fast generation of color PDFs are essential for a business. Currently, i5/OS does not provide this, and IBM refuses to fix these problems.

If anyone knows a solution to one of the problems stated above, I would be very interested.

System i 515 performance considerations

If you’re intending to buy a System i 515, there are a few pitfalls IBM has built into the product to lower its price a bit.

The model usually advertised comes with 2 70GB disk drives, without any console, 1 GB of RAM, and a 4mm 36/72 GB tapedrive.

Here are the pitfalls:

  • i5/OS is very I/O intensive. Two 70GB disks will give you a crawling system if your datasets don’t fit into RAM. Make sure that you have at least 4 disks - and use RAID5 if possible. Mirroring only makes sense if you can afford enough disks (8).
  • i5/OS also needs enough RAM because of the first point. I would consider 4 GB to be a fair starting point for a standard configuration. You might get away with less if you’re using legacy applications, but remember that all the new system administration stuff is still in Java.
  • Remember to buy a console. The HMC is the best technical solution, but far too expensive. You can go with OpsCon (requires a PC) or with the Thin Console (a special Neoware appliance).
  • The low end model only includes 3 months of software maintenance, and does not include CRU (Customer replaceable unit) service. Make sure that you have SWMA as long as you’re using the machine (it’s a support contract and a license upgrade contract). The CRU service is also important if you do not have on-site IT staff.

If you fix all these things, remember that you’ll probably increase your system price by about 50%-75% - but that’s just the way this game works. It’s exactly the same in the System x world, or even when you’re buying a car - all upgrades add extra cost.

i5/OS isn’t secure until you use encryption for access and authentication

i5/OS is often touted as one of the more secure operating systems, through its very rigid abstraction of everything into objects. I’m not a security expert, and I don’t claim to be one, but in many i5/OS or OS/400 deployments, beginner mistakes are made by the gallon.

A few basic things first: QSECURITY should be at level 40, and all users should have normal user profiles, without special permissions. Even if you are an admin or a developer, if you need *ALLOBJ or similar permissions, you should use a second user account for that.

QPWDLVL should be at value 3 - supporting long, secure and case sensitive passwords. Of course you’ll need to set all the other QPW* system values to enforce secure passwords.

But one thing most often overlooked is the encryption of 5250 connections to the system itself. Many, many companies do not use SSL to encrypt their 5250 sessions, leaving plain ASCII err EBCDIC visible over the network. This makes it particularly easy to hijack sessions and passwords, even those of very important users like QSECOFR.

Note that security wise, a System i without SSL encrypted FTP and Telnet is wide open, even worse than an unpatched Windows machine. It really boggles the mind if you ask yourself why IBM hasn’t made this a standard yet on new OS installs.

Using DCM you should secure Telnet and FTP with SSL. You’ll also need to configure iSeries Access appropriately to use the SSL encryption.

Make sure to configure both the Telnet and FTP servers to accept SSL sessions only, using CHGTELNA ALWSSL(*ONLY). This will make sure that only secure connections to your system can be established.
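One way to confirm the SSL-only setting from a client on your network (an added example, not part of the original post): Telnet and FTP servers speak first in cleartext, while a TLS listener stays silent until the client starts a handshake. The port numbers are assumed to be the IANA defaults, and the helper names are made up for this sketch.

```python
import socket
import ssl

# Assumed ports (IANA defaults): cleartext and TLS listener for each service.
SERVICES = {"telnet": (23, 992), "ftp": (21, 990)}


def classify(first_bytes):
    """Name what a listener sent before the client said anything."""
    if not first_bytes:
        return "silent"              # a TLS listener waits for the ClientHello
    if first_bytes[0] == 0xFF:
        return "cleartext-telnet"    # IAC byte: Telnet option negotiation
    if first_bytes[:3].isdigit() and first_bytes[3:4] in (b" ", b"-"):
        return "cleartext-ftp"       # reply code such as b"220 "
    return "unknown"


def probe(host, port, wait=2.0):
    """Return 'closed', 'tls', or one of the classify() results."""
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except OSError:
        return "closed"
    with sock:
        try:
            first = sock.recv(64)
        except socket.timeout:
            first = b""
        except OSError:
            return "closed"
        kind = classify(first)
        if kind != "silent":
            return kind
        # Nothing arrived: see whether the listener completes a TLS handshake.
        # Certificate checks are off because this only classifies the port.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock):
                return "tls"
        except (ssl.SSLError, OSError):
            return "silent"


def audit(host, services=SERVICES, probe_fn=probe):
    """List findings that contradict an SSL-only Telnet/FTP setup."""
    findings = []
    for name, (clear_port, tls_port) in services.items():
        clear = probe_fn(host, clear_port)
        if clear.startswith("cleartext"):
            findings.append(f"{name}: port {clear_port} answers in {clear}")
        secure = probe_fn(host, tls_port)
        if secure != "tls":
            findings.append(f"{name}: port {tls_port} is {secure}, expected tls")
    return findings


if __name__ == "__main__":
    import sys
    for line in audit(sys.argv[1]):  # host name of your own system
        print(line)
```

CHGTELNA changes only the Telnet server; the FTP server has its own command, CHGFTPA, which takes the same ALWSSL(*ONLY) value. A cleartext greeting on port 21 is not conclusive on its own, since an FTP server can still demand AUTH TLS before login, so check that case by hand.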

If you’re looking for SSL enabled 5250/FTP clients, I can recommend TN5250, Filezilla (GUI), and SSLFTP (CLI). All of them are free.

ANZOBJCVN for conversion estimation to V6R1 not available yet

In the i5/OS Program Conversion: Getting ready for i5/OS V6R1 redbook there is mention of several PTFs for enabling the ANZOBJCVN command that is necessary to estimate conversion time when upgrading to V6R1.

The version of the draft available since today also includes the necessary PTF numbers for Systems with a language feature code other than #2924. The V5R4 PTF for the language feature #2939 is SI26524.

However, this PTF is not available yet; you can’t order it through SNDPTFORD or the System i Fix Central.

PTF 5722SS1-SI26524 V5R4M0 nicht elektronisch verfügbar.

So far, so good. I’ve opened a software call on when this PTF will be available; the only response I’ve gotten is that it will be available “soon”. So if you’re looking to use ANZOBJCVN and you’re not running #2924, you’ll have to wait until it gets released “soon”.

Creating AFP color overlays from Microsoft Word documents

There is an updated version of the IBM AFP Driver available that fixes most of the color conversion issues. It may be included in recent versions of System i Access, but it might also help to try this direct download link here.

My suggestion would be to no longer use the method below.

IBM provides its own printer driver for creating AFP overlays. However, this printer driver has been broken for quite some time, and doesn’t handle the colors used in color overlays correctly. If you want to create black and white overlays on your System i, use the original IBM AFP print driver.

If you want to create color overlays, things become a tad more difficult. First, you’ll need a device that supports IPDS FS45 for color printing. There are several IPDS ROMs sold for Lexmark Color Lasers which do not support FS45.

ExcelliPrint however does support FS45 (and works flawlessly with color overlays) - and no, I’m still not getting paid for writing about ExcelliPrint.

But back to our overlays. Creating a working, fully fledged color overlay is not difficult, but it’s an unintegrated process with lots of manual steps.

First, you need two pieces of software: the InfoPrint converter software, for which you’ll need to install 5722-IP1 on your System i, and a way to create TIFF images (if you’re using e.g. Adobe Illustrator for creating your overlays, you can skip this) - I’ve found ZAN Image Printer to suit my needs perfectly.

After installing 5722-IP1, you can find the InfoPrint converter software in the following IFS directory:

/QIBM/ProdData/InfoprintServer/Transforms/Install/Image/setup.exe

Just install the application, and you’re already done.

Next step would be to install the ZAN Image Printer.

Now you can print your Microsoft Word overlay using the ZAN Image Printer - make sure to choose the following settings: TIFF, 24bit, LZW compression.

Save this file wherever you’ll find it again. After that, use the tiff2afp tool to create the AFP overlay itself:

tiff2afp -a ioca45 -pagetype overlay -cmp jpeg foo.tiff

This will create foo.afp. Note that it will probably look broken in the AFP viewer - this is normal (and a bug of the AFP viewer).

All you need to do now is to upload this overlay file into your System i - I’m not completely sure how that works (our dev guys handle that nicely), but I’ve found some information about it here.

Why the virtual PDF printer on i5/OS might fail

If you have 5722-IP1 installed on your System i, you can create PDF documents quite easily by using a virtual PDF printer.

This virtual PDF printer can be created by using the following two commands:

CRTPSFCFG PSFCFG(QUSRSYS/PRTPDF) PDFGEN(*STMF) +
PDFDEVTYPE(*IP40240) PDFPPRDWR1(*A4) PDFPPRDWR2(*A4) PDFMULT(*NO) +
PDFDTAQ(*NONE) FNTSUBMSG(*NO) IPDSPASTHR(*NO) PDFDIR('/PDF/')

CRTDEVPRT DEVD(PRTPDF) DEVCLS(*LAN) TYPE(*IPDS) MODEL(0) LANATTACH(*IP) AFP(*YES) +
PORT(5039) ONLINE(*YES) FONT(223) FORMFEED(*AUTOCUT) +
RMTLOCNAME('127.0.0.1') USRDFNOBJ(QUSRSYS/PRTPDF *PSFCFG)

In case you’re wondering what is running on Port 5039 on localhost - usually nothing. When you start the printer writer for this printer using STRPRTWTR, you’ll see three jobs for this printer instead of the usual two. One of them is the virtual PDF print server, which is spawned by the PSF configuration.

And this is exactly the problem I ran into: Port 5039 on localhost was already in use (in this case by a third party application), and so the virtual PDF print server was unable to start. Of course the only thing you saw in the logfiles was that the PRTPDF print writer was unable to connect to its print server, and not that the port was already in use.

Note that the virtual print server fetches its configuration from the device description, so if you change the port in the device description, everything will work automatically.

System i Printing options

Printing from the System i sucks as much as printing from any other platform - but with one added twist. The System i has its own proprietary printing system called IPDS.

In general, the System i can talk to network enabled printers that support a PCL or PS datastream directly - they must also support a print control protocol like SNMP or the more popular PJL. If you want to attach a desktop printer, you will have to use IBM’s iSeries Access. And then there’s IPDS, which some printers can support through either an option ROM, a network appliance, or a conversion software.

If you’re wondering if your printer supports PCL/PS, look it up at the manufacturer’s website. Here are my quick and dirty rules, which are usually 99% right:

  • SOHO equipment usually doesn’t support PCL/PS
  • Workgroup equipment always does - there’s a small exception for low price workgroup equipment
  • B&W desktop printers above 300 CHF usually do, Color desktop printers above 500 CHF usually do

iSeries Access

iSeries Access can be used to connect printers without a network interface, or without PCL/PS support to the System i. This functionality is quite rudimentary, and can’t be used to print customer facing documents. For the quick printing of a query or a joblog, this is usually sufficient.

If you have a printer that does support PCL/PS, but has no network interface (or an unsuitable one, like cheap print servers), you can use HPT through iSeries Access - this will allow you to support all the printout options that HPT supports.

iSeries Access without HPT is not really an option, except for some quick & dirty printing. iSeries Access with HPT isn’t quite as bad, but a network interface for the printer can be had for just a bit of money.

Host Print Transform

Host Print Transform, also known as HPT. I’ve written about this earlier.

HPT isn’t that bad, and can work well for desktop printers. It’s what we usually use for desktop printers.

IPDS Option ROMs

You can get IPDS option ROMs for most workgroup printers. The problem with IPDS option ROMs is that they’re hugely expensive (around 1500CHF for a single printer). So you’ll have to buy an expensive workgroup printer, but also have to buy an expensive IPDS option ROM. If your printer dies, and you can no longer get a similar replacement - your investment has just become worthless.

The good thing about IPDS option ROMs is that they’re usually troublefree, and come with all the important fonts (like OCR-B) preloaded. This allows for a very easy deployment, at what is in my opinion an unreasonable cost.

IPDS converters

There are many products that do conversion from IPDS to PCL. I only have experience with a single product, ExcelliPrint. This product works quite well, though there are a few things that you’ll need to think about, like OCR-B support.

There are also embedded appliances available that do the same thing. I’ve never used them, so I can’t tell much about them. Maybe those have embedded font support, avoiding the soft font issue that you’ll need to be aware of when using ExcelliPrint.

ExcelliPrint costs about 750 CHF, about half that of an IPDS ROM. If you only have a single printer, an IPDS ROM might not be that much more expensive. But when we’re talking about 5-10 printers, the difference becomes quite noticeable.

Conclusions

So what should you do?

I generally recommend against any use of iSeries Access, even with an HPT printer. Purchase a simple desktop laser which is supported by HPT. For printing of invoices etc., I would recommend a workgroup printer with ExcelliPrint.