Today was my first day at Common 2010 and my first time at a Common event. I’m in my mid 20s and I felt very young among the wise AS400 dinosaurs. Grey hairs were abundant, but I know one day I’ll be like them, talking about the days of PHP 5.3 as some whippersnapper is talking about how that’s old news and that SGS is the language to use, but I digress.

Session 1 – Road to Compliance was presented by Robin Tatam
These are some of my notes/bullet points

  • IBM is struggling to get people onto V6R1
  • V6R1 has some type of intrusion detection system
  • If you’re using the IFS you can get a virus and you should use antivirus
  • “Security by obscurity” is not a good option
  • There is a book out on hacking the iSeries: 98% about how to get in, 2% talks about how to stop it
  • Most users are running at level 40 QSECURITY
  • Public authority is set to *CHANGE on 58% of systems
  • You need to think about data loss prevention even when giving read-only permissions
  • Inactive profiles and default passwords are bad
  • You should be auditing your files; 30% aren’t using auditing
  • Make sure you’re purging your journal records
  • Even if you don’t know how to read and understand an audit, PowerTech would be able to come in and tell you what happened if you have auditing on.
  • Power users are bad; remember to only give the permissions needed for the group or user
  • Remember to delete user profiles after someone leaves the company
  • Do not write programs under a programmer’s name, because of the reason above
  • System values should be checked periodically against expected values
  • Do not give programmers *ALLOBJ
  • Audit changes to system values
  • Obtain a copy of the Authority Progression Algorithm to understand how permissions are obtained
  • Object-level protection works regardless of interface
  • Exit points allow you to accept/reject/audit a program such as FTP
  • 30 exit points deal with network access
  • Only telnet and 5250 are locked
  • FTP allows you to run commands that you thought couldn’t be run
  • QPWDRULES defines the password syntax your users must use
  • QPWDEXPWRN gives your user an expiration warning
  • QLMTDEVSSN – limit device sessions
  • Encryption – AES (Advanced Encryption Standard) is the US Government standard; another popular solution is PGP
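One way to act on the “check system values against expected values” and “audit changes to system values” notes above, as an added example that is not from the session or from any vendor tool: a small Python checker that compares an export of system values with a security baseline and reports drift. The NAME VALUE export format, the baseline and the expected values are constructed assumptions for the example; on a real system you would feed it your own export (for instance from DSPSYSVAL output) and your own agreed baseline.

```python
"""Compare exported IBM i system values against a security baseline (added example)."""
from typing import Dict, List, Tuple

# Constructed baseline (an assumption for this example, not advice from the
# session): name -> (rule, expected). "min": live value must be >= expected;
# "eq": must match exactly; "ne": must differ from the given value.
BASELINE: Dict[str, Tuple[str, object]] = {
    "QSECURITY": ("min", 40),                    # level 40 as in the notes
    "QPWDEXPWRN": ("min", 7),                    # warn a week before expiry
    "QLMTDEVSSN": ("eq", 1),                     # limit device sessions
    "QPWDRULES": ("eq", "*MINLEN8 *MAXLEN128"),  # placeholder rule string
    "QAUDCTL": ("ne", "*NONE"),                  # auditing must be on
}


def parse_export(text: str) -> Dict[str, object]:
    """Parse 'NAME VALUE' lines (constructed format, not DSPSYSVAL's own)."""
    values: Dict[str, object] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("Q"):
            continue  # skip headers, blank lines and anything unexpected
        name, raw = parts[0], parts[1].strip()
        values[name] = int(raw) if raw.isdigit() else raw
    return values


def check_drift(values: Dict[str, object], baseline=BASELINE) -> List[str]:
    """Return one finding per baseline entry that the export fails."""
    findings: List[str] = []
    for name, (rule, expected) in baseline.items():
        if name not in values:
            findings.append(f"{name}: missing from export")
            continue
        live = values[name]
        if rule == "min":
            ok = isinstance(live, int) and live >= expected
        elif rule == "eq":
            ok = live == expected
        else:  # "ne"
            ok = live != expected
        if not ok:
            findings.append(f"{name}: is {live!r}, baseline {rule} {expected!r}")
    return findings


# Constructed sample export showing a system that has drifted from baseline.
SAMPLE_EXPORT = """\
QSECURITY    30
QPWDEXPWRN   7
QLMTDEVSSN   0
QPWDRULES    *PWDSYSVAL
QAUDCTL      *NONE
"""

if __name__ == "__main__":
    for finding in check_drift(parse_export(SAMPLE_EXPORT)):
        print("DRIFT", finding)
```

Run it on a schedule and diff the findings against the previous run; a new finding is a system-value change that should show up in your audit journal as well.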

Session 2 – 5250 to Web with PHP was presented by Alan Seiden

Alan went a bit too quick through his slides and didn’t have enough real-world code examples of using the 5250 bridge.

The main idea I got is that the 5250 bridge is right for some solutions and not right for others.  You have to figure out if it’s the right technology to implement.  You can rewrite your business logic and re-write everything in PHP and SQL, but if that’s too daunting you can use the 5250 bridge and communicate between PHP and RPG by passing parameters or sharing a workfile.

Differences between Zend Core (old PHP on the i server) and Zend Server

Someone had mentioned liking Microsoft’s ASP.NET grid control, and he recommended using JavaScript libraries (Ext JS, jQuery) for the same functionality.

Session 3 – Conducting a Best Practice Audit of IBM i

SOX compliant, SAS compliant

Object conversion time can take 6-9 hours when going from V5R4 -> V6R1

Test data is “real” data.  A hacker will target your test system since it is usually less secured

Old profiles owning production objects (when installing you should not install under the programmer’s user profile)

iSeries profile swaps are bad

Don’t bring up all the TCP/IP servers

Don’t use *ALLOBJ

Use hardware encryption in case a tape is lost by Iron Mountain

Use audit journals on sensitive tables, but don’t overuse them

Make sure we have a backup of the HMC

DR should say:

Who, What, Where, When, How

60% of your servers are critical

20% are necessary but not immediately needed

20% are optional

Is Email Mission Critical?  It should be.

Do we back up on Saturday or Sunday?  If not, we could be going back more than 24 hours

When was the last full system save? Only before DR? That is not good

If your backup process says 43917 objects saved and 342 not saved, make sure that you find out how to unlock those 342 objects, since they are probably needed in a real DR.  During a recovery 43917 objects would be recovered and you wouldn’t know why the system isn’t working.  It would be because of the 342 objects that weren’t saved.

Send off BRMS logs offsite

Session 4 – Function Junction – Mike Pavlak

This was more of a review for me, as I’m pretty confident in my function skills: passing a parameter by reference, returning a value, PHP’s built-in functions, creating a function.  I spent most of my time here working on a report I needed to send in to the boss going over what was accomplished last month.  I did learn about the list function, which I had forgotten about.  It’s a great function to use to set a bunch of parameters from an array object.

Day 1 afterwards

San Antonio is a great city.  It has a thing called the Riverwalk, a 4ft deep river that runs through the city, and it was nice to run on for 5 miles and explore the city, restaurants and shops.  Then I worked out at the hotel’s gym and went for a swim.  Then I started writing this blog entry.  Well, time for bed; another great day of Common 2010 Fall Expo is ahead for me.