Connect With Us

Dan Riehl


Dan Riehl is the president and security specialist for the IT Security and Compliance Group, LLC. Dan performs IBM i security assessments and provides customized security services and software solutions for his customers. He also provides training in all aspects of IBM i security and other technical areas through his training company, The 400 School, Inc. Dan has been writing for System iNEWS for more than 20 years. He is a System iNEWS senior technical editor and the writer and editor for System iNetwork Systems Management email newsletter. Dan regularly teaches classes and seminars on IBM i security and other technical topics. Included among the award-winning books that Dan has authored and coauthored are:

  • AS/400 PowerTools (Volumes I & II)
  • Control Language Programming for the AS/400
  • The Desktop Guide to AS/400 Programmers' Tools
  • PowerTips for iSeries Security

iSeries Security: 5 Common Misconceptions 
Certain aspects of the IBM i's comprehensive security features are often misunderstood, says IBM i security expert Dan Riehl. In his experiences as a consultant and educator, Dan has often seen IBM i pros confused about user-limited capabilities, ownership and authority to user profiles, object authority when using authorization lists, and other security areas. Here, Dan endeavors to clear up five common misconceptions about how IBM i security works, providing examples that can help you maintain a more secure system.
Product Roundup: IBM i QAUDJRN Reporting Tools 
IBM i logs system- and security-related events to a special journal called QAUDJRN. The immense amount of data that QAUDJRN collects, however, is both a bane and a blessing. Fortunately, third-party software is available to help you analyze all that data, set up alerts, create reports, and more. Use this roundup to help you find the QAUDJRN tool that best suits your needs.
Tech Corner (January 2012) 
Defining Eval Statements for Date Conversion

Q. I need to convert a date from CYYMMDD to ISO format, using eval ISODATE = %date(wkdate:*MDY) YYMMDD to MMDDYYYY. I get "result too small to hold result." How can the result field, defined as a date field, be too small? I have a physical file with a field defined as type "L." Is that the same as a field defined within the RPG program as type "D?"


The Systems Management Newsletter: In Retrospect  1
December 21, 2011 will mark the final issue of our Systems Management Newsletter. Having worked on the newsletter for these many years, the change is bittersweet. It is sweet that I will not need to come up with new ideas and articles every two weeks, but it is bitter in that I will miss the challenge and miss working regularly with the great editorial staff and writers at System iNetwork.
Tech Corner (December 2011) 
Running Multiple File Reads Q. I need to read a single file two times in CL. Is there a way to restart the file access so that I can start reading sequentially over again after the first cycle? A. In the past, whenever I had to read multiple files—or one file multiple times—in a CL program, I actually had to create two programs. I would call the first program to make the first pass, then call the second program for the second pass. However, in newer OS versions (can't remember where it was introduced, but I believe it was in IBM i 5-something), you can open multiple files in one CL program or use multiple instances of the same file, as follows: DCLF OPNID(file1) DCLF OPNID(file2) ... RCVF OPNID(file1) ... RCVF OPNID(file2) When you use multiple files, and you want to reference a field name, you have to prefix the name by using the OPNID and an underscore character (e.g., &file1_fieldname). —John, from the System iNetwork Forums Capturing Error Messages Q. I have a CL program to ping a server, and I want to capture the message that’s generated if the server is not reachable. I tried to use RCVMSG to capture the TCP messages, but that did not work. Any idea how should we do this? A. The MSGMODE() keyword of the Ping command enables you to have Ping send an escape message to notify you if an error occurs. Consider the example in Figure 1. This is just a quick one-off test program. When I submit this program to batch processing, I receive the following messages: PICO IS DOWN WWW IS UP This is correct because the host that’s named "PICO" is usually offline, whereas "WWW" is always online. It seems to me that if you add a loop to this program, and maybe also add a DLYJOB command, you can force the program to run a check every few minutes to see whether a host is up or down and then generate a report. —Scott Klement, from the System iNetwork Forums Is IBM i Susceptible to PC Viruses, Worms, or other Malware? It's a widely hel
Take a Full Backup of Your Spooled Files 
Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not the contents (the spooled file reports) in the output queue.
How Large Can a File Really Be? And Other Maximum Capacities 
The maximum physical file member size is 1,869,162,846,624 bytes, with a maximum record length of 32,766 bytes. You can have up to 256 input capable fields in a display file.
Tech Corner (November 2011) 
Outputting a Physical File with RPG Q. I have to take the contents of a PF and output it as *.txt, then do the reverse at a later point. I have to do this on a scheduled basis by using RPG. Can anyone give me any pointers about where to start? A. The system includes two CL commands (well, there are more, but two main ones) that convert a physical file (PF) into a text file. The first is CPYTOSTMF (Copy To Stream File). This command assumes that each record in the PF is a line of text, suitable for a text file, and that the PF is not externally defined or broken up into separate fields representing separate values. The second command is CPYTOIMPF (Copy To Import File), which assumes that the file is a database table that has multiple externally defined fields. It also assumes that the displayed result in these fields should be in text format, by having either a fixed (positional) layout or a delimited (comma-separated value, tab-delimited, and so on) layout. —Scott Klement, from the System iNetwork Forums Bypassing a Locked Record Q. Here is some standard code that I thought would bypass a locked record. Apparently, it does not! C PROCES BEGSR C *IN99 DOUEQ *ON C READ F55634LB 9699 C *IN99 IFEQ *ON C LEAVE C ENDIF C *IN96 IFEQ *ON C ITER C ENDIF ~ do processing C ENDDO ? I thought the ITER statement would cause the next record to be read, but a debug session shows that the cursor remains on the same record, trying and retrying to read that one locked record. What’s that the point of the second indicator if this sort of logic won't work? Is there an easy remedy for this? A. To bypass a locked record, you have to read it by using no-lock, as follows: C *IN96 IFEQ *ON C status ANDEQ recordlock C READ(N) F55634LB 9699 C ITER C ENDIF —Barbara Morris, from the System iNetwork Forums Generating a GUID in a Service Pro
Batch Bottleneck Got You Down? 
As system administrators, one of our primary jobs is to help optimize the usage of our main computing resources (memory, disk and processor). We try to keep workstation interactive response very quick during peak periods, while at the same time allowing a measured number of batch jobs to run in the background. In off hours, if there are any, we try to push through as much batch work as the system can handle. If there's a lot of batch work (queries, reporting, batch updates, data offloads, etc.), we need to make sure we fit all that work into our "batch window." After that nighttime batch work, many of us perform our nightly backup during our "backup window." One problem is that the nightly backup window time continues to increase. Now that we're backing up system QAUDJRN receivers, spooled files, private authorities, and just more data, our old backup window of two hours, has now increased to possibly three hours—a menacing trend. So what if we could decrease our batch window time? We could possibly compensate for the growing backup window. Note: Even if you don't perform backups on your main production system, you can still potentially shrink your batch window using the techniques covered here. Performance of Your System We need to attack the batch window with a view to minimizing the time it takes to get through our nightly batch processing. We also need to attack general batch processes that run throughout the day, to ensure we're getting the best throughput and not wasting our costly computing resources. I suspect many of you use the command Work with Active Jobs (WRKACTJOB) in order to see the CPU percentage and database percentage of the system being used. We use the command Work with System Status (WRKSYSSTS ) to view information about the performance within our memory pools, like pool Size, job transitions, activity levels, etc. When you see your machine running at an aggregate CPU percent of 40% or 50%, you know you have additiona
Is IBM i Susceptible to a PC Virus Worm or other Malware?  1
It's a widely held belief that IBM i is totally immune to viruses and other malware that attack other operating systems. As we all know from our work in Windows and other operating systems, malware is a real challenge that requires constant vigilance. It's required that we run virus protection software on our desktop and laptop PCs and that that virus protection software be up to date with the latest virus information. But what about the IBM i? Isn't it vulnerable too? IBM has provided us with a nice slice of knowledge regarding PC viruses on the IBM i. Here's a snippet of IBM Technical Document #19541539 IBM Technical Document #19541539 Viruses, the Operating System, and the Integrated File System "The operating system is not susceptible to PC virus attacks. Viruses attack a specific computer architecture. The architecture of the IBM System i makes it highly unlikely that a virus could be written to attack it. PC-based viruses will not infect (or run on) the operating system." Now, we all feel really safe. PC viruses won't not run on this OS. Whew! Yes, But! In the very next paragraph of the IBM Technical Document, we see "More of the Story." Please read on with me. … "Although the operating system cannot be infected by a PC virus, if the Integrated File System on the operating system is used as a file server for PC files, the files stored on the Integrated File System may carry viruses. An infected file that is moved or saved from a PC to the Integrated File System and then redistributed to another PC can transmit a virus to the new PC. Likewise, if a network drive is mapped to the Integrated File System, a virus running on a PC (and which is capable of damaging files on a network drive) can damage any file stored on the Integrated File System." The Main Exposures Most of us use the IFS to provide for hosting a shared network drive. We store documents, spreadsheets, and scanned images in the IFS, just as we would with an
Tech Corner (October 2011) 
Creating Check for Locked File Q. I know you can write code to check whether a file is accessible and not locked, but I want to know whether you can also check to see who locked a file. We get job failures at night when we try to clear a physical file member when no job is supposed to be locking it, but we get an error message saying “member in use.” When the on call programmer logs in and checks for object lock, there is none on either the file or member level. A. The WRKOBJLCK command will tell you what you want to know, providing that you run it interactively. You can also use the QWCLOBJL API to get the information programmatically. To do this, you use the MonMsg and CLRPFM commands (e.g., MonMsg MsgID(CPF3130)), and then call QWCLOBJL to retrieve the lock information. Object auditing will also do the job. First, use the QAUDCTL, QAUDLVL, and QAUDLVL2 system values to set up the audit journal receivers to record different types of security events. Then, use the Audit Object command (OBJAUD) to configure “change” auditing for the file. After the failure, check the audit journal entries for the time period in which your clear operation ended in error. —Scott Klement, Craig Lockhard and Ernest D, from the System iNetwork Forums Determining Last User Log on Q. How do you determine the last time that a user profile was used to log on to the system? A. You use the DSPUSRPRF command, which shows "Previous sign-on" right at the top. But I believe that reflects only sign-ons from the green sign-on screen. —Ray Marsh, from the System iNetwork Forums Relieving a Migration Headache Q. We have successfully moved 15 of 20 AS/400 iSeries to a new business DMZ subnet. The five systems that we failed to move range from OS level V4R5M0 to V5R4M0 and system types 50S to 520. Some failed systems are LPARs. Half the LPAR systems are functioning as set up with their new IPs while the other half can’t communicate on the new DMZ. The failed ETHLINEs show a variety o
Solving the Mystery: What are All Those Active NETSTAT Services? 
When managing an IBM i server, one of the fundamental chores is controlling the services needed to support all the application and system level interfaces. Do you need to run the FTP server, the file server, the database server, SMTP, SNMP, the server mapper, etc.? Often, services we don't use and don't need are running on the system. This can be because IBM shipped settings that cause the services to automatically start at IPL time. It can also be attributed to poor command default values. For example, the Start TCP/IP Server (STRTCPSVR) command starts all of the available TCP/IP servers, unless you explicitly specify otherwise. The command default is STRTCPSVR SERVER(*ALL), when it should more correctly be SERVER(*AUTOSTART), to start only those servers that are supposed to with TCP/IP. Recently, IBM included a new server in the OS, the help server. The shipped value is that the help server automatically starts at IPL. Does anyone outside of IBM actually know what this new help server does? Do you use it? And yet it starts and runs multiple jobs on the system all day long. I encourage you to examine your system and start only those services and servers that are needed. But there's a problem. When you examine the services that are running using the NETSTAT command option 3 or WRKTCPSTS OPTION(*CNN), many mystery services show up as running. Here's a sample listing of the NETSTAT option 3 display: Work with IPv4 Connection Status Type options, press Enter. 3=Enable debug 4=End 5=Display details 6=Disable debug 8=Display jobs Remote Remote Local Opt Address Port Port Idl
Watch Out for the Security Level Fake Out 
When assessing the security posture of an IBM i server, there are numerous critical areas of consideration. How are the users configured? How are the permissions assigned? What are the settings for security system values, etc.? In evaluating security for an IBM i, we examine the security system values for settings that are outside the norm for a secure system. One prime system value to examine is QSECURITY. QSECURITY specifies the security level of the system, a numeric value from 20 to 50—50 typically being the most secure, 20 typically being the least secure. (I say "typically" because the security level itself can't be used to determine how secure a system is, only that it can be more secure at a higher security level.) A security colleague told me about a recent assessment he performed in which the customer's QSECURITY system value was set to 50. This was verified using the Display System Value (DSPSYSVAL) command. This setting indicated that someone at the company was certainly paying attention to the security of the system. But when reviewing the security setting that determines if security-related system values were correctly locked from modification, the real truth came out. The command Display Security Attributes (DSPSECA) can be used to examine the service tools setting of whether system values are protected from modification. It also shows additional security settings, including the QSECURITY level, as shown here: Display Security Attributes User ID number . . . . . . . . . . . . . . : 591 Group ID number . . . . . . . . . . . . . : 165 Security level . . . . . . . . . . . . . . : 30 Pending security level . . . . . . . . . : 50 Password level . . . . . . . . . . . . . . : 0
What About Numeric User IDs and Passwords?  4
Naming rules for the IBM i state that an object name must begin with an alphabetic character including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _ ,and a .(period). The object names are not case sensitive. However, when it comes to user profile names and passwords, an interesting phenomenon occurs. When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.) CRTUSRPRF USRPRF(BOBSMITH) PASSWORD(PASS1WORD5) Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward. But consider this next example: CRTUSRPRF USRPRF(Q12345) PASSWORD(Q11111) When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain. The user can log on with user Q12345 with a password or Q11111. The user can log on with user Q12345 with an all-numeric password of 11111. The user can log on with an all-numeric user 12345 with a password of Q11111. The user can log-on with an all-numeric user 12345 with an all-numeric password 11111. The secret to this weird support lies in the first character of the user or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user or password during the system logon process. You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF command. As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and API. In order to restrict
Tech Corner (September 2011) 
Handling an ExecCmd Exception Q. How can one handle an exception thrown by an ExecCmd within an RPGLILE program? A. When a command run via QCMDEXC fails, an *ESCAPE message is sent to your program and logged to the job log. You can use the RPG monitor block method, which is the equivalent of CL’s MONMSG command, to catch the error and see what the problem is. Scott Klement wrote an article covering the topic well. It’s at —Gosbeck and Tommy Holden, from the System iNetwork Forums Using XML-INTO Q. The XML-INTO command requires a document parameter as an option. I have the following code: xmlfile = '/home/myname/my_xml_doc.xml'; options = 'doc=file + path=RequestForUICGroup/RequestForUIC + case=any + allowextra=yes + allowmissing=yes'; xml-into RequestForUIC %xml(xmlfile: options); Is it possible to use a variable as input, such as a CGI parm passed into the program from a web interface? I could write this variable out to IFS and read it back in, but that seems a bit clunky. A. Taking the XML document from a variable is the default in XML-INTO. Just remove "doc=file" from your options. Then the first parameter to %XML() is the variable containing the XML document. —Scott Klement, from the System iNetwork Forums Navigating the WRKLNK Command Q. I am trying to navigate using the CL WRKLNK command through the following directory path: home/QIBMHELP/.eclipse/org.eclipse.platform_3.2.2/configuration/org.eclipse.osgi/.manager/.tmp9103087281292047364.instance I can navigate via WRKLNK to the
iPro Forums

Get answers to questions, share tips, and engage with the iPro Community in our Forums.

From the Blogs
Sep 20, 2004

Getting Started   1

Day 1 Checked our current cds. Went to the web site on CD. Knew we were out of date on CDs. Called BP to get refresh at no charge. $30 to expedite, free refresh as we were already an existing customers. Also sent required PTFs to my operator to make sure they can get on before we install. Day 4 Started going back to iSeriesNews and the printed publication and actually READING the articles that George and Phil from IBM have written on WDSc. Day 7 Installed WDSCe client. Started at 11:37 am. Spent a few minutes running through the README files, which I rarely do. I found it was easy to get to the minimum/recommended requiremets sections as the README procewss is a web document instead of a text file. I answered a few calls and walked away from the desk a couple of times so I might have not answered the buttons as often as I could have but the WebSphere install part took until 12:05 and estimated 1.46meg. The next part of the install was for Code/400, VaRPG and iSeries extensions. That part of the install estimated it needed ~500 meg. The second part of the install took until 12:38 to complete. I did not select to install HATS, which was another option. All in all, the install took about 1 hour, but there were no gotchas, no lockups. When finished, I rebooted and was glad to see only one new XP menu option installed. I hate when one install created multiple new menus in XP and you have to figure out which ones are the new ones. I'm not much of a manual reader, I just go! I started the client. The first time it took 1 minute to start up. But, I could quickly see that this was not code/400! On the left side a navigation panel helped me quicly connect to my iServer though I had options to connect to an WinServer, Linus server or iSeries. Nice touch and easy. Day 10 Noticed that I don't have the compile option when I right click on any source. When I click on the Compile menu options, it says Compile->Dummy. I think IBM is trying to t...More

Sponsored Introduction Continue on to (or wait seconds) ×