By Midland on Sunday, 06 August 2023
Category: IBM Power 10

IBM i 7.5 (V7R5) Details: Everything you need to know

IBM V7R5 (7.5) was released on May 10, 2022

Enhancements include new features to the base OS400 operating system, DB2 Database, IBM i license programs and support for additional Open Source solutions.

IBM i V7R5 is supported by IBM i Power10, Power9 Systems and future IBM Power System models.

This article will explain the details of each enhancement and new feature available with the initial IBM V7R5 release.

The successive V7R5 Technology Refresh releases will be explained in detail in separate articles.

IBM V7R5 TR1 was released on December 2, 2022, and IBM V7R5 TR2 was released on May 5, 2023. IBM i customers should read the IBM V7R5 memo before upgrading to ensure compatibility and verify if discontinued support of any software, hardware products or features affects your system.


IBM i V7R5  OS400 Base Operating System Enhancements

IBM SECURITY

The QPWDLVL system value has a new level that introduces a stronger password encryption scheme for IBM i security. Changing QPWDLVL to 4 enables Password-Based Key Derivation Function 2 (PBKDF2) with HMAC SHA-2 512-bit (SHA512) encryption. The new IBM i password encryption scheme can also be enabled by changing the System Service Tools (SST) password level to 3.

A QSYCHKPR API was added to check whether passwords meet the password rules. It uses the QPWDRQDDIF system value in conjunction with the QPWDRULES settings, which also encompass the QPWDMINLEN, QPWDMAXLEN, QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, and QPWDRQDDGT password settings. The QSYCHKPR API only checks user passwords; it cannot change them.
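The password system values named above can be reviewed in one pass from SQL. The query below is an added example, not part of the original article or IBM's code; it assumes the QSYS2.SYSTEM_VALUE_INFO IBM i Service, and the review notes are the example's own wording.

```sql
-- Added example: list the password-related system values and flag the two
-- settings that decide which of the others actually matter.
-- Numeric values (QPWDLVL, QPWDMINLEN, QPWDMAXLEN) are returned in
-- CURRENT_NUMERIC_VALUE; character values in CURRENT_CHARACTER_VALUE.
SELECT system_value_name,
       current_numeric_value,
       current_character_value,
       CASE
         -- Level 4 is the level the article ties to PBKDF2 with HMAC SHA512.
         WHEN system_value_name = 'QPWDLVL'
              AND current_numeric_value < 4
           THEN 'Password level below 4: PBKDF2 scheme not selected'
         -- Documented IBM i behaviour: when QPWDRULES holds anything other
         -- than *PWDSYSVAL, the individual composition values
         -- (QPWDMINLEN, QPWDMAXLEN, QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP,
         -- QPWDRQDDGT) are ignored and QPWDRULES alone is enforced.
         WHEN system_value_name = 'QPWDRULES'
              AND current_character_value NOT LIKE '%*PWDSYSVAL%'
           THEN 'QPWDRULES in control: individual QPWDxxx values are ignored'
         WHEN system_value_name = 'QPWDRULES'
           THEN 'Individual QPWDxxx values are in effect'
         ELSE ''
       END AS review_note
  FROM qsys2.system_value_info
 WHERE system_value_name IN ('QPWDLVL',    'QPWDRULES',  'QPWDRQDDIF',
                             'QPWDMINLEN', 'QPWDMAXLEN', 'QPWDLMTAJC',
                             'QPWDLMTCHR', 'QPWDLMTREP', 'QPWDRQDDGT')
 ORDER BY system_value_name;
```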

SYSTEM SERVICE TOOLS SST
The Password Expiration Interval attribute was added to the CRTSSTUSR (Create SST User ID), CHGSSTUSR (Change SST User ID) and DSPSSTUSR (Display SST User ID) commands, allowing the SST user password expiration interval to differ from the SST Password Interval Security attribute. The SST Password Expiration Interval attribute can be set to:
*SAME - The value does not change.
*SSTATR - The password expiration interval defined for the SST security attribute is used. The Display SST Security Attributes (DSPSSTSECA) command shows the current value.
*NOMAX - The password does not expire.
1-366 - The number of days between the date when the password is changed and the date when the password expires.

The CHGSSTSECA (Change SST Security Attributes) and DSPSSTSECA (Display SST Security Attributes) commands have been enhanced to include the following new attributes: Duplicate password control, Allow add of digital certificates, Allow service tools user ID with default and expired password to change its own password, Maximum sign-on attempts, Password expiration interval and Allow add and remove of password exit programs (new). The last new attribute, "Allow add and remove of password exit programs", controls whether new exit programs can be added to, or existing exit programs removed from, the QIBM_QSY_VLD_PASSWRD and QIBM_QSY_CHK_PASSWRD exit points in WRKREGINF.

DIGITAL CERTIFICATE MANAGER
The IBM Digital Certificate Manager (DCM) has a few enhancements that improve security and simplify management, as well as a few new functions, explained here:

Replacement of the UI for object signing, adding support for object signing store, applications, and actions related to signing objects, and adding a signature verification store and related actions to verifying signatures.

Buttons to browse and select, so administrators will not have to manually type IFS paths and file names to locate, import and export certificates and KDB files from the IFS or local file system, and object signing.

Certificate object management has been improved for various importing, exporting and removing certificates.

Added Root and Intermediate CA certificates from most common certificate providers for the Populate Certificate Store functionality.

The ZLIB algorithm adds a faster data compression option that utilizes on-chip Nest Accelerator (NX) GZIP, which can also deliver a smaller file size when running in IBM i Power10 compatibility mode, and will consume a lot less CPU than other compression methods. The new ZLIB compression option can be used for Save Commands and APIs for Save File and Optical that have a data compression parameter. ZLIB compression can also be used with Geographic Mirroring Synchronization and CPRDATA MI instructions.

SAVE AND RESTORE
ASYNCBRING is now a default parameter of the Save Object (SAV) command and the QsrSave API, and it can provide better performance when saving IFS data. ASYNCBRING brings objects into memory asynchronously for an IFS save, which can improve performance. The GO SAVE menu options automatically inherit ASYNCBRING.

The RSTUSRPRF USRPRF(*ALL) operation no longer requires a dedicated system and does not require all other subsystems to be ended.

IFS restores now show a progress message with size of objects that have been restored successfully, which should help estimate the time to completion.

NETWORKING
The ability to allow only SNMPv3 for the SNMP agent, local trap manager and SNMP manager APIs has been added, and a SNMPv3 driver is also available for network attached printers. View-based Access Control Model (VACM) rules can also be used to prevent information from being returned by SNMPv3. SHA-256 and SHA-512 SHA-2 authentication has been added for configuring SNMPv3 users. The new and enhanced commands include: ADDVACSNMP, ADDUSRSNMP, CFGTCPSNMP, CHGDEVPRT, CHGSNMPA, CHGUSRSNMP, CHGVACSNMP, CRTDEVPRT and RMVVACSNMP.

TCP Selective Acknowledgment SACK support is added to enable the TCP stack to handle lost packets and selectively acknowledge the data segments that have been received so that only the missing data segments need to be retransmitted by the sender. The new TCP SACK is enabled by default for the TCP network layer. TCP SACK support allows TCP communications to acknowledge segments that have been received, so if a segment is missing between received segments, only the newest adjoining data segment is acknowledged, and any noncontiguous segments received must be retransmitted in addition to the missing segment.

IBM Tivoli Directory Server for i has enhanced the password policy capabilities of IBM i LDAP, and can now enforce rules for advanced password syntax checking in addition to the standard default rules. These new password complexity rules can strengthen the security of authentication mechanisms, like IBM i MFA technology.

IBM i DNS has been enhanced to use a new BIND release, and the *PUBLIC authorities have been changed to *EXCLUDE on the following directories: /QOpenSys/QIBM/ProdData/OS400/DNS, /QOpenSys/QIBM/UserData/OS400/DNS, and /QIBM/UserData/OS400/DNS.

IBM i FTP Client can now allow FTP users to accept a server certificate that is not signed by a trusted certificate authority when building secure connections with the remote server. The FTP Client function is disabled by default for all FTP users. FTP server logon exit point QIBM_QTMF_SVR_LOGON formats TCPL0200 and TCPL0300 allow the IPV4 address to be specified for IPV4 passive data connection replies.

The IBM i SMTP KEEPUNTIL parameter of the CHGSMTPA CL command now has two fields, so that the retention times for successful and unsuccessful email can be configured with different values. The new KEEPUNTIL parameters FORWARDING and ORIGINATOR are added to the ADDUSRSMTP and CHGUSRSMTP CL commands. If the FORWARDING parameter is specified for a current local SMTP user, mail going to that user is automatically forwarded to the new address as specified. If the ORIGINATOR parameter is specified for a current local SMTP user, the "From:" field in the MIME file sent by that user is displayed as specified. If the current user profile differs from the ORIGINATOR, the "Sender:" field in the MIME file is displayed as the current user profile.

APPLICATION DEVELOPMENT
The IBM i Rest API engine for Integrated Web Services IWS has been significantly improved from 7 parameters to 248 parameters for API calls using the QARUCLSP Call Services Program Procedure API. IWS logging for IBM i HTTP messages has also been enhanced to support writing event logs in JSON format for quick and simple integration with SIEM solutions such as Splunk and Elastic Stack.

This does not include IBM i security events such as QAUDJRN, network event logs captured by exit programs, DB2 Database audit events or other important event log sources such as SQL Statements, MFA, PAM, QHST and QSYS. For these IBM i event log forwarding requirements for compliance, see our IBM i SIEM forwarding integration tools that format these critical event logs into SYSLOG Key-Value Pairs KVP, CEF Common Event Format, JSON Java Script Object Notation, LEEF Log Event Extended Format for QRadar, LOGR for LogRhythm SIEM, GENR a generic message format, USRD User defined format, RFC5424 SYSLOG message format and RFC3164 SYSLOG message format.

IWS Rest API event logs now support additional access details, such as who is calling, the location, and what is performing the call. IBM i HTTP access logs can now include header attributes, and message log details can now include key items about the request within the content of the message payload for each Rest API called.

The CRTPGM (Create Program), CRTSRVPGM (Create Service Program), UPDPGM (Update Program), and UPDSRVPGM (Update Service Program) commands now have a new creation option, OPTION(*EVENTF), that provides completion information to an events file for monitoring errors and other actions.

GLOBALIZATION
IBM i CCSID now supports converting dates to and from Unicode for data stored in EBCDIC CCSIDs 1377 Traditional Chinese and 1388 Simplified Chinese. IBM provides new CCSIDs that preserve the current mapping by using 13676 instead of 1388 and 5473 instead of 1377. IBM CCSID 1379 provides additional support for Traditional Chinese and some Simplified Chinese support. IBM CCSID 1210 adds limited support for UTF-EBCDIC and is only applicable on the iconv_open() and QtqIconvOpen() conversion APIs, which can enable legacy IBM i applications to process Unicode data containing variant characters without losing those characters.

CL CONTROL LANGUAGE
Compiled ILE CL procedures using a Call (CALL) command can now specify expressions as parameters passed on the PARM parameters when run interactively or in batch using the SBMJOB Submit Job command. The type and length can be specified explicitly to tell how the parameters are passed to the called program. For a Call Bound Procedure (CALLPRC) command that is issued from a compiled ILE CL procedure, expressions can be specified as parameters passed on the PARM parameters, and type and length can be specified explicitly to tell how the parameters are passed to the called procedure.

ILE C/C++ COMPILER
GNU Compiler Collection (GCC) atomic memory access functions have been added for multi-threaded programs to atomically and safely modify data in one thread without interference from another thread. In the GCC atomic memory access functions, parameter types T, U, and V can be of pointer or integral type. U and V can also be of real floating-point type, but only when T is of integral type. The integral and floating-point types that are supported by these built-in functions are INT, Unsigned INT, LONG INT, Unsigned LONG INT, LONG LONG INT and Unsigned LONG LONG INT.

SYSTEM ADMINISTRATION
IBM recommends moving all dates in RPG and Db2 for i to a 4-digit year format, because neither will support adjusting the date range. With that said, the IBM V7R5 OS now supports dates entered in a command using a 2-digit year and can refer to the base year specified in the QIBM_QBASEYEAR environment variable with a new base year of 1970, and a date range of January 1, 1970 - December 31, 2069. Whereas the current supported date range for 2-digit year date format is January 1, 1940 - December 31, 2039, so when using a date format that includes only the last two digits of a year, the system assumes years 40 to 99 are 1940 - 1999, and years 00 to 39 are 2000 - 2039. The new base year support is limited to commands that use a parameter of TYPE(*DATE). IBM i applications that continue to use a 2-digit date format may need to be updated to use a date format with a 3-digit or 4-digit year before January 1, 2040.

IBM V7R5 supports a maximum of 48 SMT8 processor cores per partition and therefore a maximum of 384 threads on servers with Power10 or Power9 technology. IBM Lab Services is able to increase the maximum of 48 SMT8 processor cores per partition to 240 processors, and the 384 threads to 1920 threads, when using Power10 compatibility mode.

System Service Tools (SST) can now display the IBM i NVMe device health details, including Life Remaining, Spare Capacity, Number of Media Errors, Firmware Level and other NVMe device details. It is important to monitor media errors that pertain to the firmware level, as there are common faults related to firmware combined with a specific NVMe device and environmental conditions, such as low I/O workloads over a period of time; such faults will likely impact multiple IBM i SSDs, if not all. To locate NVMe storage health on the IBM i, do the following in SST:
Select Work with disk units on the Use System Service Tools (SST) display.
Select Work with disk configuration on the Work with Disk Units display.
Select Work with NVMe Devices on the Work with Disk Configuration display.
Select Display NVMe health on the Work with NVMe Devices display.
Select the NVMe device.

Determine IBM Storwize SAN SSD Firmware using the GUI:
Click Pools > Internal Storage to display the list of installed drives
Right-click on one of the table headers such as Drive ID and select the Firmware Level option
The firmware level is now added to the table.
Applies to IBM Storwize V9000, V7000, V5200, V5000, V3700, V3500, FS9200, FS9100, FS9000, FS7300, FS5200 and FS5100

Determining the drive firmware using the CLI
The firmware level for an individual drive can be displayed through the lsdrive Drive_ID command, where Drive_ID specifies an individual drive. The following short script will display the firmware levels for all drives in the system.

For administrators installing the IBM V7R5 Operating System or needing to debug console problems on an IBM i system not managed by an HMC or other management interface, IBM has simplified access to the console's service functions, reducing the number of steps to cycle through from 65 to only 21.

The IBM i Job Scheduler can now prevent the scheduler from submitting jobs until a later time while preserving the individual status of each entry via the JOB(*JOBSCD) option. The *JOBSCD can be used on the HLDJOBSCDE Hold Job Schedule Entry and RLSJOBSCDE Release Job Schedule Entry commands. The IBM i Job Scheduler ADDJOBSCDE Add Job Schedule Entry command now has the ability to schedule a job frequency of once a year via the FRQ(*YEARLY) option.

IBM i Performance Tools built into the operating system enhancements include Power10 hardware updates in Collection Services and Performance Explorer, additional SQL Plan Cache metrics in Collection Services, new Db2 Mirror performance analysis metrics in both Collection Services and Job Watcher, enhancements for Performance Explorer resource affinity events and activation group events, and the creation of Collection Services Historical Data by default.

IBM Managed System Services 5770-SM1 and IBM Managed System Services for i 5770-MG1 have been withdrawn with the release of V7R5, and a subset of their commands have been extracted from these licensed programs and moved into the base operating system. The commands that have been moved are now located in the QSYS library instead of QSMU. Any programs that library qualify these commands with library QSMU will need to change to specify library QSYS or remove reference to QSMU. The Managed System Services SM1 commands moved to XPF include:

ADDPRDLICI Add License Information
CHGPRDOBJD Change Product Object Description
CPYPTFSAVF Copy PTF to Save File
CRTPRDDFN Create Product Definition
CRTPRDLOD Create Product Load
CRTPTF Create Program Temporary Fix
CRTPTFPKG Create PTF Package
DLTPRDDFN Delete Product Definition
DLTPRDLOD Delete Product Load
GENLICKEY Generate License Key
HLDPTF Hold Program Temporary Fix
PKGPRDOPT Package Product Option
RLSPTF Release Program Temporary Fix
WRKPTF Work with PTF
WRKSPTPRD Work with Supported Products

IBM i Navigator now has the ability to configure the Simple Network Time Protocol (SNTP) service, Virtual Private Networking, Internet Key Exchange (IKE) and IBM i LDAP servers. IBM i Navigator has enhanced the viewing of Authority Collection information and the Performance Data Investigator for easier navigation, added iASP support for Custom Charts metrics, and now provides the ability to review Audit Journal details.

It is important to note that users may no longer be able to access IBM i Navigator, because the QIBM_NAV_ALL_FUNCTION function usage value is now *DENIED by default, which should be a standard security policy. User profiles with *SECOFR and *ALLOBJ special authority will still be able to access IBM i Navigator by default. However, the recommended method is to grant IBM i Navigator Function Usage only to profiles that require these capabilities for specific business functions.

Advanced Job Scheduler - QIBM_NAV_AJS
Configuration & Service - QIBM_NAV_CONF_SRV
Custom Charts - QIBM_NAV_CUSTOM_CHARTS
Performance - QIBM_NAV_PDI
Monitors - QIBM_NAV_MONITORS
NetServer Shares - QIBM_NAV_SVRSHRS
Network - QIBM_NAV_NETWORK
File System - QIBM_NAV_FILE_SYSTEM
File System Upload - QIBM_NAV_FS_UPLD
File System Download - QIBM_NAV_FS_DOWNLD
Security - QIBM_NAV_SECURITY
Serviceability - QIBM_NAV_SERVICEABILITY
System - QIBM_NAV_SYSTEM
Use of IBM Navigator for i functions - QIBM_NAV_ALL_FUNCTION
Users and Groups - QIBM_NAV_USERS_GROUPS
Work Management - QIBM_NAV_WRK_MGT
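The function usage IDs listed above can be audited from SQL after an upgrade. The statements below are an added example, not part of the original article or IBM's code; they assume the QSYS2.FUNCTION_INFO, QSYS2.FUNCTION_USAGE and QSYS2.USER_INFO IBM i Services and the SQL_CHECK_FUNCTION_USAGE service mentioned later in this article.

```sql
-- Added example: who can reach IBM Navigator for i now that
-- QIBM_NAV_ALL_FUNCTION defaults to *DENIED?

-- 1. Default usage of every Navigator function ID, and whether *ALLOBJ
--    special authority is honoured for it. The underscore is a LIKE
--    wildcard, so it is escaped.
SELECT function_id, default_usage, allobj_indicator
  FROM qsys2.function_info
 WHERE function_id LIKE 'QIBM\_NAV\_%' ESCAPE '\'
 ORDER BY function_id;

-- 2. Explicit per-user and per-group entries that override those defaults.
--    Every ALLOWED row should map to a documented business need.
SELECT fu.function_id, fu.user_name, fu.user_type, fu.usage
  FROM qsys2.function_usage fu
 WHERE fu.function_id LIKE 'QIBM\_NAV\_%' ESCAPE '\'
 ORDER BY fu.function_id, fu.user_name;

-- 3. Enabled profiles that hold *ALLOBJ directly and have no explicit entry
--    for QIBM_NAV_ALL_FUNCTION: these still get in through special
--    authority. Authority inherited from a group profile is not covered
--    by this query and needs a separate check.
SELECT ui.authorization_name, ui.special_authorities
  FROM qsys2.user_info ui
 WHERE ui.status = '*ENABLED'
   AND ui.special_authorities LIKE '%*ALLOBJ%'
   AND NOT EXISTS (SELECT 1
                     FROM qsys2.function_usage fu
                    WHERE fu.function_id = 'QIBM_NAV_ALL_FUNCTION'
                      AND fu.user_name   = ui.authorization_name)
 ORDER BY ui.authorization_name;

-- 4. Check the current connection's own access: 1 = allowed, 0 = not allowed.
VALUES qsys2.sql_check_function_usage('QIBM_NAV_ALL_FUNCTION');
```

Access for an individual profile is then granted or revoked with the CHGFCNUSG CL command against the specific function ID rather than QIBM_NAV_ALL_FUNCTION.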

The IBM i Integrated File System (IFS) enhancements include securing access to the IBM i NetServer or specific shares through *AUTL objects without changes to underlying object permissions; the QNTC file system can now access and follow Distributed File System (DFS) shares; and the QIBM_QP0L_OBJ_CLOSE and QIBM_QP0L_OBJ_OPEN exit points have been added for enhancing IBM i security and performance via exit programs for user access to the IFS. An IBM i File Server exit program can protect the IFS against malware, such as ransomware, especially when used in conjunction with IBM i MFA. The "Run exit program" file system attribute controls whether the exit programs registered to these exit points will run when a file system object is opened or closed. An IBM i exit program can perform application-specific processing when the object is opened or closed, such as verification, conversion, or removal of temporary objects of the root, QOpenSys, user-defined, and QDLS file systems.

Cluster Resource Group (CRG) performance has been enhanced for switchovers of a device. Previously, the job queue specified in the job description of the interactive user performing the switchover was used to vary off and vary on the Independent Auxiliary Storage Pool (IASP). This resulted in longer switchover times if the user profile performing the switchover had its job queue set to a queue that was either held or had a low maximum limit of active jobs. When this occurs, the user performing the switchover may have QDFTJOBD set as the job description, so the IASP vary jobs are submitted to the QBATCH job queue, and the QBATCH job queue may be held or may allow only one active job at a time, causing the switchover to be held up for a long time.

Cluster Resource Group CRG switchovers behavior has been changed so switchovers are now performed with the Initiate Switchover API, and failovers now automatically use the QSYSNOMAX job queue for IASP vary on and off operations, regardless of the user profile initiating the operation. The new Cluster Resource Group CRG switchover process reduces the amount of time required to perform the CRG switchover because there will not be a limit on the number of active jobs. This will not affect CRG user exit programs; the job queue referenced by the user profile parameter specified when creating or changing the CRG will continue to be used. The job queue specified in the user profile's job description is used for submitting user exit programs, regardless of the user initiating the planned switchover operation.

IBM provided many Enterprise PCIe4 NVMe disk I/O enhancement for U.2 form factor drives in IBM i systems. Contact your Midland account manager for details and how to maximize the performance of your Power9 or Power10 with these new features.

The IBM DB2 for i integrated database has many enhancements and new capabilities summarized here:

IBM DB2 for i services adds more advanced tooling for the DBE: MTI_INFO returns details about Maintained Temporary Indexes (MTI), turning an abstract topic into a very easy and straightforward topic for the DBE.

IBM i Services, used for accessing details about IBM i objects, system information, and other resources, has been greatly expanded by leveraging the power of SQL and the Db2 for i SQL Query Engine (SQE), so that application developers, DBEs, and system managers can utilize IBM i objects and data in ways never dreamed of previously without having to use IBM i commands and APIs. Here is the list of IBM i Services enhancements and new capabilities:

SPOOLED_FILE_INFO - Matches the speed and usability of the Work with Spooled Files (WRKSPLF) CL command.
ACTIVATION_GROUP_INFO - Discover the deep details about activation groups within the current or target job.
ASSOCIATE_JOURNAL_RECEIVER - Use SQL to re-establish the relationship of journal receivers with a journal.
REMOTE_JOURNAL_INFO - Discover the existence and attributes of remote journals on other IBM i systems associated with journals on this IBM i.
JOURNAL_RECEIVER_INFO - Discover the existence and attributes of journal receivers.
SQL_CHECK_SPECIAL_AUTHORITY - Easily determine if the current user has a specific special authority.
SQL_CHECK_FUNCTION_USAGE - Easily determine if the current user is allowed to use a specific function usage.
CHANGE_USER_SPACE - Use SQL to change the contents of a *USRSPC object.
CHANGE_USER_SPACE_ATTRIBUTES - Use SQL to change the attributes of a *USRSPC object.
ADD_USER_INDEX_ENTRY - Use SQL to add an entry to a *USRIDX object.
REMOVE_USER_INDEX_ENTRY - Use SQL to remove an entry from a *USRIDX object.
ELECTRONIC_SERVICE_AGENT_INFO - An SQL alternative to the Verify Service Agent (VFYSRVAGT) CL command.
TELNET_SERVER_ATTRIBUTES - A new service to understand the TELNET server configuration.
CHECK_PASSWORD - A new service to test whether a password will be valid.
SECURITY_INFO - Enhanced to return more security insight.
SET_SERVER_SBS_ROUTING - Enhanced to support the secure versions of the Database server (QZDASSINIT) and File server (QPWFSERVSS).
SERVER_SHARE_INFO - Enhanced to return authorization list detail.
NETSTAT_JOB_INFO - Enhanced to return job type.
USER_STORAGE - Enhanced to return many new columns, which show previously hard-to-access security deployment summary detail for the user.
OBJECT_STATISTICS - Enhanced to return user-controlled build identification object detail.

IBM DB2 for i provides working examples and tools in the SYSTOOLS schema. As IBM has done in previous technology refreshes, SYSTOOLS is enhanced to help clients take a step forward with extreme automation using SQL. One of the functions that has been enhanced is Audit Journal functions. Table functions unique to specific audit journal entry types are added to SYSTOOLS. The table functions return the basic audit journal detail but also extract the entry-specific detail into easily consumed return columns.
For details on these enhancements and the other IBM i Services enhancements, see the IBM i Services wiki.

IBM i Open Source
IBM i has enabled several new open source Java application servers on the IBM i, such as WildFly, Eclipse Jetty, and Apache Tomcat. These are all available on the Open Source Java Application Servers GitHub, and support is provided with IBM's open source support offering. WildFly is an open source version of JBoss that was developed by Red Hat, and it can provide a simple upgrade path to JBoss Enterprise Application Platform (JBoss EAP). Apache Tomcat has been one of the most popular application servers on IBM i for over a decade. Eclipse Jetty is a scalable and easy-to-use web server.

LPPs
IBM Rational Development Studio 5770-WDS adds new features for the RPG IV ILE compiler, including SND-MSG opcode, which sends a message to the job log and ON-EXCP opcode which can monitor for specific messages and then take an action. Details about these new RPG IV capabilities can be found at the RPG Cafe website.

The IBM i Access Client Solutions ACS 5770-XJ1 version 1.1.9.0 interface has been updated with the following enhancements and new capabilities:
Group support: A new Groups View has been added to ACS, enabling administrators to manage multiple systems as a group. From System Configuration, it is easy to define new groups and move or add systems into these groups for a simpler way to organize multiple systems. Administrators can choose to work with systems using the traditional ACS view or they can leverage the new Groups View.
Control the Information Displayed on GUI: System administrators can choose to limit the columns displayed on the GUI to just those of most interest for their environment. Additionally, it is possible to simplify the main GUI appearance by hiding the right pane.
Run SQL Scripts Tab Support: Multiple SQL scripts may now be opened within a single window or connection. Each script is displayed in its own tab. This can be accomplished by doing a drag and drop of one or more SQL files from Windows Explorer or macOS Finder to have each opened in a new tab. Additionally, dragging and dropping a folder that contains multiple SQL scripts will open each script in its own tab. Additionally, it is possible to save a script while that script is running.

IBM PowerHA SystemMirror for i 5770-HAS 7.5 has a ton of enhancements centered around IBM i HA  and IBM i DR simplification, reporting, and performance that are summarized here:

Other enhancements to PowerHA and details about these enhancements can be read on the IBM PowerHA SystemMirror for i wiki page.

IBM BRMS Backup, Recovery, and Media Services for i 5770-BR1 has numerous enhancements across many areas of the product, adding or updating command defaults and providing new capabilities through SQL Services and new API, which are summarized below:

The IBM BRMS wiki webpage has details about all these enhancements and new functionality.

IBM i DB2 Mirror 5770-DBM now supports mixed OS releases, so one node can be running IBM i 7.4 and the other node IBM i 7.5, which is a great way to perform OS upgrades with minimal to zero business impact. IBM i DB2 Mirror also has a new feature that allows designating one node as read-only; the read-only node still receives all replication synchronously, allowing other workloads to receive real-time updates from the active node.

IBM i Content Manager OnDemand CMOD 5770-RD1 has many new functions, as well as enhancements to existing commands and ability to convert spooled files to pdf.
