Lukas Beeler’s IT Blog

The newest CUME for V5R4 adds a nice command key in the DSPPTF screen (F20) which shows the current firmware levels in a model 5xx system.

This information has always been available, but through a rather complicated set of keystrokes in SST/DST. They of course still work, and you still need them if you want to change several advanced configuration options without having a HMC.

If you do not have a HMC, you usually do not need to pay as much attention to your firmware levels as someone with a HMC. If you do not have an HMC, the firmware level is managed by i5/OS. As you can only have a single i5/OS LPAR without a HMC, it’s quite clear which LPAR that is. But it still makes sense to keep your firmware level current.

Upgrading the firmware requires a “server ipl”. This means that all LPARs need to restart at the same time. It’s not possible to do the update concurrently (or “hot patching” in modern terms). IBM’s documentation for OS managed firmware isn’t that current - the page refers to LIC V5R3M0 and V5R3M5. The currently newest firmware Image for V5R4 is MH01001 - i didn’t find much references to this images on IBMs website, maybe someone else knows more.

• 1. Start a service tool
• 4. Display/Alter/Dump
• 1. Display/Alter storage
• 2. Licensed Internal Code (LIC) data
• 14. Advanced analysis
• 1 FLASHLEVELS
• Just press “Enter”

The System i has come a long way, and so have most of it’s administrators. Back when i started working with Networks, 10mbit Ethernet using 10BASE2 was the norm, but just a few months later i’ve switched to 10BASE-T.

But the System i has dealt with a lot more LAN standards than i ever did. From Twinax (which still sees some use for connecting legacy printers or consoles), over Token Ring and of course some more obscure variants. Even though IBM has moved on regarding to the hardware, and all current 5xx models ship with two Gigabit ports standard.

The problem is that many System i admins never moved away from their 10BASE-T Ethernet knowledge, and stuck with that. This leads to many ethernet lines which are not configured correctly, or not for optimal performance.

Today, Ethernet auto negotiation works perfectly. But many setups use fixed values on the System i side (like 10mbit full duplex), but leave the switch/network side on auto negotiation - this is prone to troubles which is usually called a “duplex mismatch”. This duplex mismatch will not cause your ethernet line to cease functioning, but it will work at extremely degraded speeds (usually just a few kilobyte per seconds). If you’re just using 5250 to connect to your i5/OS instance, you won’t notice this. But as soon as you start using data transfer to your System i (e.G. Image Catalogs), you will notice the extremely degraded performance.

Now, there are two ways to fix this problem:

Configure your System i correctly

Use DSPLIND to have a look at your Ethernet line. It should look like this:

Übertragungsgeschwindigkeit  . . . :   *AUTO
Aktuelle Übertragungsgeschw. . . . :   100M
Duplex . . . . . . . . . . . . . . :   *AUTO
Aktueller Duplexwert . . . . . . . :   *FULL

This means that you’re using autonegotiation, and the system currently has negotiated 100mbit full duplex (of course, it might’ve negotiated different things on your networks, depending on the capability of your network).

If it looks like this, your system is not configured correctly:

Übertragungsgeschwindigkeit  . . . :   10M
Aktuelle Übertragungsgeschw. . . . :   10M
Duplex . . . . . . . . . . . . . . :   *FULL
Aktueller Duplexwert . . . . . . . :   *FULL

This means that your System i is configured to use 10mbit, full duplex no matter what the other end thinks. This can lead to the aforementioned duplex mismatches.

Fixing is easy, but requires the Ethernet line to be varied off. So you’ll need to do this after hours, from a console:

CHGLINETH LIND(ETHLINEX)
          LINESPEED(*AUTO)
          DUPLEX(*AUTO)

After varying on the Ethernet line, you should be having full network performance. Please note that not all cards support autonegotiation. The 2838 that are used in the models 170, 800, 270 work perfectly though, but if my memory serves correctly the cards that usually ship with the model 150 did not. It might also depend on the OS level, and i don’t have a V4Rx machine around for testing. The integrated 5706 in the 5xx models also work perfectly (and also support Gigabit speeds, if your switch supports them).

Configure the switch to use fixed values

If your DSPLIND looks like this:

Übertragungsgeschwindigkeit  . . . :   10M
Aktuelle Übertragungsgeschw. . . . :   10M
Duplex . . . . . . . . . . . . . . :   *FULL
Aktueller Duplexwert . . . . . . . :   *FULL

And you can’t or don’t want to change your line description, you will need to reconfigure the switch (or hub) to use fixed values. This is only possible if you have a managed switch or hub, with a telnet/ssh/web/serial interface, and this differs from manufacturer to manufacturer. It’s important that you configure the switch to the exactly same values as your System i - this will make sure that you don’t have a duplex mismatch or much worse a speed mismatch. I don’t recommend this approach, but it will work just as fine.

After IBM shipped us a new 515, the control panel displayed “HMC = 0″. The machine wasn’t ordered with a HMC, the customer wanted to use it with his already existing Twinax console.

Resetting the machine to a non-HMC state without a HMC is not clearly documented, but still easily doable, as long as you can access the ASMI.

Access the ASMI is a simple process, all you need is a laptop and a piece of CAT5 cable. From there, you can reset the ASMI which will remove the HMC affinity from the control panel display.

Problems might arise if someone screwed up and you no longer know the IP addresses on the two FSP ports on the back (labeled HMC 1, 2). In this case, you need to remove the FSP assembly and switch the DIP switch or jumper located on it to the other position (you can leave it there after doing so). This is a bit more invasive, but easily doable.

Setting up and installing i5/OS takes awfully long (usually around 12 hours for a simple install alone, on cheaper machines), but it isn’t that difficult.

IBM offers a very nice and detailled PDF for this, and the whole information is also on the i5/OS Infocenter. IBM’s writing style is very convoluted, and you’ll need to make some jumps through the document to get all the information you need.

First, let’s talk about installing from scratch. When you buy a new machine, you usually don’t need to that because it comes preloaded with the current version of i5/OS and a decent PTF level. You might need to install additionally ordered software and reapply CUM PTFs, because IBM mostly doesn’t get the preinstall of additionally ordered software right (And unlike Windows Service Packs, you need to reapply CUM PTFs after installing new OS components).

But first things first. You need to change a few system values:

• QLMTSECOFR set this to 0 to allow QSECOFR to sign-on from any device.
• QSAVACCPTH set this to 0 for faster saves that need less space, but longer restore times.
• QCTLSBSD set this to QCTL to use a single controlling subsystem with different subsystems for different tasks, or leave it as QBASE for a single subsystem with everything in it.

These two changes are completely optional. Leave them be if you have made different decisions.

• DECFMT change this to the appropriate format for your country. In Switzerland, this is 1.
• QUPSDLYTIM set this to an appropriate time using the documentation for your UPS. 600 seconds is a good start. Never leave the default value.
• QCCSID this is the most important value. This needs to be set to the appropriate value for your country. For Switzerland, this is 500.
• QTIMZON also very important. I wrote about this earlier.
• QLOCALE almost as important as QCCSID - set it to the correct locale for your country. For Switzerland, this is /QSYS.LIB/DE_CH.LOCALE
• QRETSVRSEC needs to be set to 1 for ESA to work

All these chances are of the utmost necessity for a correctly working system. Even if you do live in the US, not all defaults are correct for you (QCCSID defaults to 65535, but should be 037 in the US).

Another important step is to use CHGNETA to change several important attributes, but before you do, decide on a hostname for the system. It doesn’t really matter what it is, but it needs to be consistent. One i’ve seen often is CCXXXXNN, where CC is the ISO country code, XXXX a shorthand for your company, and NN the number of the i5/OS instance. For example, we use CHDLAG01.

• SYSNAME, LCLNETID, LCLCPNAME need to be set to your hostname
• MDMCNTRYID needs to be set to your ISO Country Code - without this parameter set, your modems won’t work (If you still use them)

The next step is to configure your Ethernet line, and adding the appropriate IP address. The common pitfalls here are that people often forget to set a default route (CFGTCP, 2), or do not configure a hostname and the appropriate hosts table entry.

The systems TCP/IP hostname can be chosen arbitrarily, but we will use the same as we’ve used for the SYSNAME value of CHGNETA before, and just add our internal domain suffix. If you’re using Microsoft’s Active Directory, it makes sense to use a single namespace. For example our SYSNAME is CHDLAG01, and our Active Directory domain is int.dataline.ch, this gives us a TCP/IP hostname of chdlag01.int.dataline.ch.

This is configured by using CHGTCPDMN command:

• HOSTNAME should be the same as SYSNAME, just in lower case.
• DMNNAME should be your internal domain suffix.
• HOSTSCHPTY should be set *LOCAL, this avoids some delays.
• INTNETADR should be set to two of your companies internal DNS servers, NOT your ISPs DNS servers.

You will now need to add an appropriate hosts table entry using the ADDTCPHTE command. This is pretty self-explanatory.

Using GO TCPADM, 2 we can configure all our applications. My recommendation is to disable any application you don’t need RIGHT NOW. You can always reenable them later. I usually disable everything except Telnet and FTP, and enable SNTP (which is normally disabled). SNTP allows your i5/OS instance to sync against NTP timeservers. If you’re using Active Directoy, it’s a good idea to sync against the domain controller which inhabits the PDC FSMO role.

The last step would be to setup the Electronic Service Agent. I’ve documented this procedure in details earlier.

If you’ve been using 5722-QU1 in the past (aka Query), you might have wanted to work with something more modern. There are a few solutions for this, however many of them have most of the business logic and configuration on the client, which is especially cumbersome in small business environments.

One of the other applications that does this right is SEQUEL from Help/Systems. However, this application is only available in English, which doesn’t work when you’re looking for an end user ready solution.

However, IBM has recently a web based product which works purely server based, is compatible to Query, and is available in several local languages. This product is 5733-QU2 aka “Web Query”. This product gets released this Friday (the 14th).

I’m very interested on how it’s performance will turn out. We have several customers which are still using legacy machines (170, 250, 270, 800), and are not willing to stay current (this is a topic on it’s own). WAS Express was an extreme performance hog on our test 270, and performed horrible. But 5733-QU2 will use Tomcat, a more lightweight application server. I really hope that this will give better performance even on older machines.

IBM has published a few flash presentations of the new HMC GUI. This finally looks like something decent. Now if only the HMC were included into the base system (with the price of that staying the same, of course), even smaller businesses could use such advanced features like a remote accessible console.

This is a topic that i’ve spent fighting for the past year. A solution is still not in sight, but i decided to publish all this stuff anyway - so that it might help someone with the same problem to know that they’re not alone.

The problem starts early. If you want to print with color from i5/OS, you’ll need FS45 capable IPDS printers. Some IPDS ROMs support this, and so does ExcelliPrint. Pay attention that not all IPDS ROMs support FS45.

The next step is to create a color overlay. I’ve written about this in the past, involving a cumbersome way through a TIFF printer and tiff2afp. Those of you familiar with overlays know that there’s IBM’s AFP printer driver, but that doesn’t handle colors correctly. About 3/4 years ago, i’ve opened my first PMR about this problem.

This was PMR 33480, involving a bizarre, month long debate with IBM, which first didn’t acknowledge the problem, and later promised a fix in 2Q07.

A few weeks ago, i’ve opened PMR 61439, which was just a request for the fix promised in 2Q07. One of the best excerpts from that PMR is

What is an .eps file? Googling shows
“encapsulated postscript”? When I try to open it with any PC
application I have, it says it cannot process the file. Do they have a
sample image that can be opened with the basic microsoft software that
is installed on an IBM corporate PC?

I found it quite ridiculous that an IBM printing support person didn’t know what EPS is. But even funnier than this was the end of the PMR, with a simple statement:

Unfortunately, there is no estimated date on
when color support can be improved.

Which means “we won’t fix this”. Again, there is a suitable workaround using tiff2afp, which i’ve documented here. That’s only half of the problem.

The second half of the problem is the creation of color PDFs on your i5/OS instance. PDF is a very important format if you’re sending electronic bills, etc. IBM’s InfoPrint Server product (5722-IP1) handles this. Unfortunately, the performance for the generation of a single page color PDF is abysmal - about 5 minutes on a usual customer system, and about 30 second on one of IBM’s high performance testing systems.

I would consider a PDF generation time of about 10 or maybe 15 seconds on a very low end system acceptable - 5 minutes is way out of dimension. Again, i’ve opened a PMR on this topic. This is PMR 61235. Again, it took over a month of forth and back with IBM until they told me again that this won’t be fixed.

Another funny thing in that PMR is that IBM support tried to contact me on the 1st of August - which is a swiss national holiday. Looks like they lack a concept to know when people aren’t working…

The PRTPDF job is spending most of its time in CPU, this
is due to processing. If the amount of processing (work)
can not be reduced then a faster processor may be
required.

IBM’s way to solve this problem is to through a faster CPU at it. This might be reasonable, but my ThinkPad T60 with CutePDF just needs 5 seconds to generate a multipage, color PDF, and cost 2000 CHF - all the while a System i5 with appropriate i5/OS licenses costs 15′000 CHF minimum - but is not capable of generating color PDFs in less than 10 seconds.

Color printing, easy creation of overlays, and fast generation of color PDFs are essential for a business. Currently, i5/OS does not provide this, and IBM refuses to fix these problems.

If anyone knows a solution to one of the problems stated above, i would be very interested.

If you’re intending to buy a System i 515, there are a few pitfalls IBM has built into the product to lower it’s price a bit.

The model usually advertised comes with 2 70GB disk drives, without any console, 1 GB of RAM, and a 4mm 36/72 GB tapedrive.

Here are the pitfalls:

• i5/OS is very I/O intensive. Two 70GB disks will give your a very crawling system if your datasets don’t fit into RAM. Make that you have at least 4 disks - and use RAID5 if possible. Mirroring only makes sense if you can afford enough disks (8).
• i5/OS also needs enough RAM because of the first point. I would consider 4 GB to be a fair starting point for a standard configuration. You might get away with less if you’re using legacy applications, but remember that all the new System administration stuff is still in Java.
• Remember to buy a Console. The HMC is the best technical solution, but far too expensive. You can got with OpsCon (requires a PC) or with the Thin Console (a special Neoware appliance).
• The low end model only includes 3 months of software maintenance, and does not include CRU (Customer replaceable unit) service. Make sure that you have SWMA as long as you’re using the machine (it’s a support contract and a license upgrade contract). The CRU service is also important if you do not have on-site IT staff.

If you fix all these things, remember that you’ll probably increase your system price by about 50%-75% - but that’s just the way this game works. It exactly the same in the System x world, or even when you’re buying a car - all upgrades add extra cost.

HP’s LaserJet 4250 is a b/w workgroup printer. As such, it is as unspectacular as it can get for a printer.

We’ve primarely used Lexmark err IBM printers before, like the InfoPrint 1532. The first and most important difference between the IBM and the HP printers is the tray numbering - HP usually counts the multipurpose tray as “Tray 1″, while IBM counts the first real tray as “Tray 1″. This is especially important for users which are not accustomed to this. In fact, i still prefer the naming scheme IBM/Lexmark used here, it just so much more intuitive. One of the reasons for moving away from the IBM printers are the slightly higher cost, but also the exorbitant delivery times (a normal IP1532 can take up to a month, while Also usually has all HP printers on stock and can ship overnight).

In a System i environment, it’s important to note that HP offers their own IPDS modules for these printers, though these didn’t work as expected. We usually ship our HP printers with an ExcelliPrint license, which can be used even after we’ve replaced a printer with a newer model, thus lowering costs for our customers and still having a high quality IPDS interface from our System i. I’ve written aboute ExcelliPrint before, especially what needs to be done when using OCR-B with ExcelliPrint and HP printers without a builtin OCR-B font.

In a Windows environment, the HP LaserJet ships with rather well done Windows drivers, which is quite the norm for HP’s business printers, and no-frills printer drivers are even starting to appear for some DeskJet printers. One of the features i like most about the HP windows driver is that it allows you to predefine some paper settings on the server, name them however you want, and have them automatically published to all clients. This gives you the possibility to save your office workers time and reduce errors when you’re using some standard settings to print certain documents.

i5/OS is often touted as one of the more secure operating systems, through it’s very rigid abstraction of everything into objects. I’m not a security expert, and i don’t claim to be one, but in many i5/OS or OS/400 deployments, beginner mistakes are made by the gallon.

A few basic things first: QSECURITY should be at level 40, and all users should have normal user profiles, without special permissions. Even if you are an admin or a developer, if you need *ALLOBJ or similar permissions, you should use a second user account for that.

QPWDLVL should be at value 3 - supporting long, secure and case sensitive passwords. Of course you’ll need to set all the other QPW* system values to enforce secure passwords.

But one thing most often overlooked is the encryption of 5250 connections to the system itself. Many, many companies do not use SSL to encrypt their 5250 sessions, leaving plain ASCII err EBCDIC visible over the network. This makes it particularly easy to hijack sessions and passwords, even those of very important users like QSECOFR.

Note that security wise, a System i without SSL encrypted FTP and Telnet is wide open, even worse than an unpatched Windows machine. It really boggles the mind if you ask yourself why IBM hasn’t made this a standard yet on new OS installs.

Using DCM you should secure Telnet and FTP with SSL. You’ll also need to configure iSeries Access appropriately to use the SSL encryption.

Make sure to configure both the Telnet and FTP server to accept SSL sessions only, using CHGTELNA ALWSSL(*ONLY). This will make sure that only secure connections to your system can be established.

If you’re looking for SSL enabled 5250/FTP clients, i can recommend TN5250, Filezilla (GUI), SSLFTP (CLI). All of them are free.