Blog

IBM i 7.5: Security Improvements and More

Posted by John Huntoon

Find me on:

Security Improvements and Features

IBM i 7.5 (announced May 3, 2022) is here, featuring a diverse array of enhancements that will help this environment stay as secure as possible while continuing to add new functionality. In the wake of threats like the Log4J virus, IBM continues its commitment to continually improving protections for what is already one of the most secure environments around.

In this blog, we provide a summary of some of the most important features included in the IBM i 7.5 update, followed by a more comprehensive feature list.

IBM i 7.5: Important Features

We last checked in with the IBM i release cycle with Version 7.4, an important security update that nonetheless introduced some Java-related compatibility issues for some organizations. This release continues the theme of security-related improvements, with a particular focus on out-of-the-box protection. While IBM i has long been valued as a highly secure environment, its most robust protections have historically required some level of configuration. In a useful comprehensive review of changes in Version 7.5, IT Jungle notes that “With IBM i 7.5, IBM is taking aim at security and delivering a system that is more secure when it ships from the factory. From default settings to the elimination of some options, IBM has taken several steps to make IBM i more secure by default.”

Another key addition is the addition of MERLIN (Modernization Engine for Lifecycle Integration), which offers a pre-packaged suite of DevOps and CI/CD tools. Finally, IBM is now making IBM i available on a 1-5 year subscription basis, giving organizations the flexibility to operationalize this expenditure and avoid CAPEX accounting. We provide a comprehensive summary of these and other changes below.

Base Operating System Security

  • A new Password Encryption Scheme helps users achieve even greater levels of security, implemented by setting the Password Level (QPWDLVL) to 4

  • By using a new API, Check Password Meets Password Rules (QSYCHKPR), users or password management tools can predetermine if a value would meet the configured password rules set by the company.

  • The Service Tools CL commands have been enhanced. The SST user attribute "Password expiration interval" can now be set using the Create Service Tools User ID (CRTSSTUSR) and Change Service Tools User ID (CHGSSTUSR) commands. Many other SST security attributes can now be set using the Change SST Security Attributes (CHGSSTSECA) command. A new SST security attribute was added to indicate whether password exit programs can be added or removed from the QIBM_QSY_VLD_PASSWRD and QIBM_QSY_CHK_PASSWRD exit points. This attribute can be set in SST or by using the CHGSSTSECA command.

  • Digital Certificate Manager (DCM) has multiple enhancements to improve the user experience and provide additional functions to the base security components.

Compression

  • The ZLIB algorithm is allowed on selected commands to provide an additional option for data compression to produce a smaller result and to improve performance when running on an IBM Power10 processor.

Save and Restore

  • The new default on the ASYNCBRING parameter on Save commands improves performance for saving IFS data.

  • RSTUSRPRF *ALL no longer requires a dedicated system.

  • Restore operations have an updated message that includes the size of data that has been completed to allow a better estimation of the time remaining to finish the restore.

Networking

  • SNMP attributes can be configured to allow only SNMPv3 in some environments and to restrict information being returned by SNMPv3 to provide a higher level of security.

  • TCP Selective Acknowledgment (SACK) support on IBM i streamlines the retransmission of data when there is packet loss in the network.

  • The password policy capabilities of IBM Tivoli® Directory Server for i can be extended to enforce rules for advanced password syntax checking in addition to the standard default rules.

  • IBM i DNS upgrades to a newer BIND release.

  • The FTP client can be configured to allow a FTP user to accept a server certificate that is not signed by a trusted certificate authority. The FTP server logon exit point allows the IPV4 address to be specified for IPV4 passive data connection reply.

  • SMTP allows users to configure a different retention time for successfully and unsuccessfully sent emails, configure a different sender address, and allow auto-forward emails.

Application Development

  • With IBM i 7.5, some significant changes are made to the Integrated Web Services Rest API engine, including increasing the number of parameters to 248 and updating capabilities of the IWS logging to include Access Client Solutions logging capabilities.

  • To better serve client-based development tools, the create and update commands for program and service program objects can provide command completion information in an events file. That information can be interrogated to provide command completion status.

  • To support many new markets for IBM i, the range of CCSIDs has been increased.

  • The Call (CALL) and Call Bound Procedure (CALLPRC) commands now allow expressions to be passed as parameters and allow you to specify type and length for each parameter.

  • New ILE C/C++ built-in functions for atomic memory access are added in this release. In a program with multiple threads, you can use these functions to atomically and safely modify data in one thread without interference from another thread.

System Administration

  • Clients can now change the scope of 2-digit year date ranges. The QIBM_QBASEYEAR environment variable enables clients to shift the base year from 1940 to 1970.
  • IBM i 7.5 supports a maximum of 48 processors per partition in SMT8 mode and therefore a maximum of 384 threads on servers with Power10 or IBM Power9 technology.
  • Service Tools can now display detailed information about individual NVMe devices on the system.
  • New enhancements have been added to the Job Scheduler commands and display.
  • Several hardware and software enhancements have been made in IBM i 7.5 Performance Tools.
  • IBM Navigator for i offers additional tasks and features to provide administrators with more information than previous versions.
  • Several hardware and software enhancements have been added to the Integrated File System (IFS), including a new layer of security for IBM i NetServer, new exit points, and more resilient file sharing options.
  • It takes less time to perform Cluster Resource Group (CRG) switchover for selected configurations.
  • System administrators can use Service Tools to display and make better-informed decisions about NVMe devices with more detailed information about the individual devices.
  • To set the console configuration and debug console problems on a server that is not managed by a Hardware Management Console (HMC) or other management interface, the operator panel must be used. The number of operator panel functions to get to the console service functions has been reduced.

Db2® for i

  • Db2 for i provides additional functions for HTTP requests to publish or consume web services.

  • Db2 for i is providing more advanced, easy-to-use tooling for the database engineer (DBE).

  • IBM i Services, the strategic method for gaining access to IBM i objects, system information, and much more is expanding to provide useful SQL-based alternatives to IBM i commands and APIs.

  • Db2 for i increases the number of working examples and tools in the SYSTOOLS schema.

Open Source for IBM i

  • In response to community requests, IBM is restating the various options available for applications serving on IBM i. Many of these have support available from IBM Technical Support Services.

LPPs

  • In IBM Rational® Development Studio, RPG IV is responding to requirements from the development community and offering some new message-handling operations.

  • The IBM i Access Client Solutions (ACS) interface is updated and enhanced with three major updates to the core ACS product: Group Views, Customize the GUI content, and a Run SQL Scripts tab capability.

  • IBM PowerHA® SystemMirror® for i 7.5 brings a new set of enhancements centered around simplification, reporting, and performance.

  • The Backup, Recovery, and Media Services (BRMS) for i product has numerous enhancements across many areas of the product, adding or updating command defaults and providing new capabilities through SQL Services and new APIs.

  • IBM Db2 Mirror for i at 7.5 fulfills the commitment of running in a mixed OS release environment.

  • IBM Content Manager OnDemand for i (CMOD) has improved programmer productivity by adding and enhancing capabilities such as commands, creation of .pdf files, and better integration with other IBM i tools.

Learn More About Working with the IBM i Experts

In our experience, complexities like new updates are precisely why so many companies can benefit from working with an expert application support provider. The benefits of a new update are often worth investing in but the work required (like updating a major Java application to the newest version) can place a major strain on internal IT teams.

 PSGi has a proven track record of helping manufacturing and distribution companies get the most out of their IBM i applications. We take pride in taking the time to understand our clients’ business requirements, using this knowledge to develop and execute a long-term strategy that is aligned with present and future organizational needs.

 If you are interested in reaching out to learn more about identifying the right long-term approach, please contact a PSGI IBM i Specialist.

ibm i review

Tags: IBM i Modernization, IBM i Platform