April 16, 2021 | IBM i

IBM i 7.3 & 7.4 TR Updates for Security, Auditing, Automation & Monitoring


On April 13, 2021, IBM announced two new Technology Refreshes (TRs) for IBM i 7.3 and IBM i 7.4. The new TR numbers are IBM i 7.3 TR10 and IBM i 7.4 TR4. Scheduled availability for both TRs is April 16, 2021.

At SEA, we specialize in providing IBM i security, auditing, automation and monitoring tools. To that end, let’s review IBM’s recent announcement and see what new features Big Blue is providing in these critical i 7.3 and 7.4 functions.

Migrating functions to SQL

Most of the refresh updates in our target areas focus on duplicating existing IBM i commands and APIs with SQL-ready views and statements, using IBM i services and SYSTOOLS. These TRs focus more on migrating older tools to SQL rather than providing many newer capabilities for security, auditing, automation, and monitoring.

The one exception was the introduction of the Query Supervisor, which monitors run-time queries and allows you to take automated actions when a query is running out of control (more below). It’s also intriguing that you can now change a user profile using SQL, which may be an early sign of other SQL-based security capabilities to come.

IBM TR updates for enhanced security and auditing

Here are the updates IBM announced for IBM i security and auditing.

1.  Controlling and reporting on security data using SQL—IBM updated or provided a number of views under IBM i Services and SYSTOOLS, where security can be reported on or controlled through SQL statements. Among the views added are:

  • QSYS2.CERTIFICATE_INFO–Returns a result table containing information about server or Certificate Authority (CA) certificates
  • QSYS2.DISPLAY_JOURNAL—Returns information about journals. This information is similar to what you’d retrieve by using the Display Journal (DSPJRN) command or the Retrieve Journal Entries (QjoRetrieveJournalEntries) API
  • QSYS2.SECURITY_INFO – Returns a single row containing IBM i security system values and other security information.
  • SYSTOOLS.AUDIT_JOURNAL_AF()—Returns rows from the audit journal containing information from authority failure (AF) journal entries
  • SYSTOOLS.AUDIT_JOURNAL_CA()—Returns rows from the audit journal containing information from Authority Changes (CA) journal entries
  • SYSTOOLS.AUDIT_JOURNAL_OW()—Returns rows from the audit journal containing information from Ownership Change (OW) journal entries
  • SYSTOOLS.AUDIT_JOURNAL_PW()—Returns rows from the audit journal containing information from Password Change (PW) journal entries
  • SYSTOOLS.CHANGE_USER_PROFILE()—Calls the Change User Profile (CHGUSRPRF) command and returns the results in a single row.

2.  IBM i Common Cryptographic Architecture Cryptographic Service Provider (CCA CSP), delivered as IBM i Option 35, now includes support for Release 5.6.x for CCA for the IBM 4767 Cryptographic Coprocessor.

IBM TR updates for automation and monitoring

1.  IBM added a Query Supervisor to its DB2 for SQL Query Engine (SQE) that can help identify run-away queries. You can now assign enforceable threshold values for the following performance characteristics for run-time query execution.

  • Total CPU time—Total query processing time used, in seconds
  • Elapsed time—Total clock time used, in seconds
  • Temporary Storage—Total storage that the query is using
  • Total IO Count—Total number of I/O operations

Query thresholds are maintained with the new ADD_QUERY_THRESHOLD and REMOVE_QUERY_THRESHOLD procedures. After setup, the SQE will monitor SQL and native query performance. When a running query exceeds these thresholds, the query will first be interrupted. The SQE will then call the user-created exit program assigned to the new QIBM_QQQ_QRY_SUPER exit point. The exit point program can then take action to stop the query, send out an alert, or run a corrective action program. This is a nice feature to monitor queries and automate responses when a query goes bad.
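The threshold setup described above, as an added example that is not from IBM's announcement or SEA's products. The threshold names, the user profile REPORTUSR and the values are constructed; the named parameters and threshold type strings are assumptions based on IBM's documentation for these procedures and should be checked against your TR level.

```sql
-- Added example: manage Query Supervisor thresholds from SQL.
-- RUNAWAY_CPU, RUNAWAY_ELAPSED and REPORTUSR are constructed names.
-- Parameter names and type strings are assumed from IBM's documentation.

-- Threshold 1: queries run by one reporting profile are interrupted
-- once they have used more than 120 seconds of CPU time.
CALL QSYS2.ADD_QUERY_THRESHOLD(
       THRESHOLD_NAME  => 'RUNAWAY_CPU',
       THRESHOLD_TYPE  => 'CPU TIME',
       THRESHOLD_VALUE => 120,
       INCLUDE_USERS   => 'REPORTUSR');

-- Threshold 2: any query is interrupted after 900 seconds of elapsed
-- (clock) time, regardless of who runs it.
CALL QSYS2.ADD_QUERY_THRESHOLD(
       THRESHOLD_NAME  => 'RUNAWAY_ELAPSED',
       THRESHOLD_TYPE  => 'ELAPSED TIME',
       THRESHOLD_VALUE => 900);

-- Review what is currently enforced. This view is also a useful audit
-- check: an unexpected or missing row means someone changed the limits.
SELECT * FROM QSYS2.QUERY_SUPERVISOR;

-- Remove a threshold that is no longer wanted.
CALL QSYS2.REMOVE_QUERY_THRESHOLD(THRESHOLD_NAME => 'RUNAWAY_ELAPSED');
```

A threshold only interrupts the query; what happens next is decided by the exit program registered on QIBM_QQQ_QRY_SUPER, so that program should be owned and secured like any other security-relevant exit program.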

2.  Reporting on automation and monitoring information using SQL—IBM provided new and enhanced views, where automation or monitoring information can be reported on or controlled through SQL statements. The added views include:

  • QSYS2.MESSAGE_QUEUE_INFO()—Returns one row for each message inside a message queue (does not change the messages).
  • QSYS2.ACTIVE_JOB_INFO()—Returns Work with Active Job (WRKACTJOB) information via SQL
  • QSYS2.JOB_INFO()—Returns similar information to that returned by the Work with User Jobs (WRKUSRJOB), Work with Subsystem Jobs (WRKSBSJOB), and Work with Submitted Jobs (WRKSBMJOB) commands or the List Jobs (QUSLJOB) API.
  • QSYS2.QUERY_SUPERVISOR—Returns the query thresholds used by the Query Supervisor.
  • QSYS2.SEND_MESSAGE()—Sends an informational message to the QSYSOPR message queue through SQL
  • QSYS2.USER_INFO—Retrieves user profile information, similar to the Retrieve User Information (QSYRUSRI) API

3.  GO SAVE and GO RESTORE menu options have been changed to bypass invoking the End Subsystem (ENDSBS) command, if the system is already in restricted mode.

4.  Alerts for IBM i System Limits—Once a day, IBM i will scan for instances where some system limits have exceeded 90% of the maximum allowable size. The OS will send messages for each instance of high system consumption it finds. For more information, check out IBM’s Alerts for IBM i System Limits.

The other TR updates

We’ve only covered the IBM i updates that touch on security, auditing, automation, and monitoring. IBM also released a number of updates focusing on these areas:

  • Db2 for i
  • Db2 Mirror for i (5770-DBM)
  • RPG updates delivered under Rational Development Studio (5770-WDS)
  • IBM i Access Client Solutions
  • Clustering
  • I/O Support for IBM POWER hardware and firmware
  • BRMS for i (5770-BR1)
  • PowerHA System Mirror for i (5770-HAS)

See the IBM i 7.3 TR10 and IBM i 7.4 TR4 enhancement pages for more details on these items.

The Technology Refresh timeline

If you’re interested in seeing the progress of past TRs or want to install a previous TR release, check out the IBM i Technology Updates Web page, where you can view all the enhancements released in previous i 7.4, i 7.3 and i 7.2 Technology Refreshes.

For more information

SEA offers a wide variety of products to secure, audit, automate and monitor your IBM i servers. Please contact SEA for more information on how we can help you with your IBM i needs.