Blog

IBM i 7.4: Security Enhancements Pave the Way to Valuable Features

Posted by John Huntoon

Find me on:

IBM i 7.4 - Security Enhancements Pave the Way to Valuable Features_PSGiIBMi 7.4, released in April, 2019, offers valuable new features that make this upgrade especially important. In particular, the 7.4 update offers some essential features for ensuring the most secure IBM i environment possible, including enhanced hashing for SQL queries, improved system tools, passwords, and more. 

If you have been waiting to make the move, now may be a great time to start planning the upgrade (so long as testing demonstrates that critical applications will remain stable in the new environment).


The State of the IBM i Release Lifecycle

When evaluating your IBM i version upgrade strategy, it is always worth taking stock of the overall release lifecycle. The table below provides lifecycle information for releases since 2000. As you can see, version 7.2 reached its end of program support date earlier this year.

 

Screen Shot 2021-09-13 at 1.06.08 PM

Screen Shot 2021-09-13 at 1.05.47 PM

Source: IBM i Release Lifecycle Page

 

PSGi specializes in supporting older or heavily modified applications, and we understand that updating to the latest OS version is not a trivial project. However, once older versions are no longer supported, they can begin to put operations (and therefore the business) at risk. In this case, the newest version delivers capabilities which provide benefits to the IT organization and business security, all while ensuring continued support for years to come.


Important Benefits of the IBM i 7.4 Update

In April, IBM announced a technology refresh that further enhanced the value proposition of moving to the 7.4 update. This IT Jungle article provides a comprehensive account. We highlight some of the most important features for our prototypical clients below.

IBM i 7.4 DB2 and SQL Enhancements

New built-in SQL functions HASH_MD5, HASH_SHA1, HASH_SHA256, and HASH_SHA512 have been introduced for IBM i in 7.4. These provide new methodologies for hashing SQL queries and are now truly built-in “under the hood” of IBM i. Previous versions offered some hashing functions, but were much more limited. These new methodologies offer increased security, and standards like HASH_SHA256 are increasingly becoming industry standard (with 512 offering a more advanced option).

Variable and auto dimension array support have been added to the SQL precompiler, which allows for more flexibility, making it easier to handle incoming data.

Improves performance, concurrency, and the amount of information available on output.

An enhanced Authority Collection service allows the collection of authority information for specific objects when accessed by any user. This supplements the existing functionality, which is limited to collection for all objects accessed by a specific user.

  • SQE (SQL Query Engine) Improvements 

Numerous improvements to the SQE allow for:

  • Enforcing temporary job storage limits
  • Improved paging within the SQL Plan Cache and plans with Random I/O
  • Improved estimates (costing) for plans with temporary objects
  • Improved optimization on busy partitions

IBM i 7.4 Security Enhancements

In addition to the HASH functionality discussed above, IBM introduced other notable security improvements in IBM i 7.4

  • Transport Layer Security version 1.3 protocol (TLSv1.3) is now enabled and used by default for System TLS. This secure FTP protocol is an essential line of defense against ransomware and hacking attacks; our senior security expert recommends that all businesses move towards the TLS 1.3 standard as soon as practicable.
  • New security features for service system tools (SST) passwords offer greatly enhanced protection. This comprehensive feature provides all password rules and levels which are set within the operating system, ensuring that secure practices are maintained. All security values for SST’s must now fall in line with Active Directory security. Previously, SST passwords could be as simple as 8-character lowercase passwords which constituted a major vulnerability.


IBM i 7.4: Other Changes to Note 

IBM 7.3 is compatible with older Java versions like 5/6/7. 7.4 however, no longer supports older Java versions, with 32 or 64 bit Java 8 as the only option. If you’re considering an upgrade to 7.4, now is the time to standardize to the latest version of Java moving forward. Older Java issues retain security vulnerabilities, and this improvement is yet another area where 7.4 helps IBM i work as securely as possible. Newer versions also offer improved performance.

Finally, 7.4 locks down users’ abilities to map a network drive to an IBM i from Windows, Mac, or Linux clients. This file server has long been a security Achilles’ heel for IBM i. Now this process checks security and profile authorities accordingly when users attempt to map a drive.

SQL Query Engine Compatibility Issues

IBM adopted the SQL Query Engine (SQE) as the default engine for processing native queries with IBM i 7.2. In 7.2 and later 7.3, IBM added a switch to select whether applications should employ SQE or the previous method, available through a query options file (QAQQINI) setting.

This ability proved useful, as there were early issues with the SQE when dealing with often used open query file, OPNQRYF, statements in older applications. With the release of IBM i 7.4, the ability to choose the native query engine was removed. Subsequent IBM i ptf’s were made available to solve the underlying issue of SQE but it is important to understand this impact on your applications before upgrading to 7.4. PSGi will be testing the latest version of 7.4 to determine if this compatibility issue has been resolved as it does impact applications we support.
 

Learn More About Working with the IBM i Experts

In our experience, complexities like new updates are precisely why so many companies can benefit from working with an expert application support provider. The benefits of a new update are often worth investing in but the work required (like updating a major Java application to the newest version) can place major strain on internal IT teams.  

PSGi has a proven track record of helping manufacturing and distribution companies get the most out of their IBM i applications. We take pride in taking the time to understand our clients’ business requirements, using this knowledge to develop and execute a long-term strategy that is aligned with present and future organizational needs. 

If you are interested in reaching out to learn more about identifying the right long-term approach, contact our team using the button below.

 

Tags: IBM i Modernization, IBM i Platform