Security Bulletin: OpenSSL for IBM i is affected by CVE-2021-3711 and CVE-2021-3712

OpenSSL is provided as an API available to application developers on IBM i. The OpenSSL APIs on IBM i are vulnerable to the issues described in the vulnerability details section. The applicability of each vulnerability is determined by an application’s specific use of OpenSSL. IBM i has addressed the vulnerability for applications by addressing the CVEs in the OpenSSL API implementation.

PML Packages in New Navigator

Performance Data Investigator (PDI) uses PML packages for the definition of the charts and queries used to perform the chart display and interaction with the Collection Services data. With the New Navigator for i, the delivery of the packages has changed. The packages are now included in the JAR file for PDI. This document explains how the changes affect any custom or modified packages you use.

Avoid automatic startup of the controlling subsystem at the end of save entire system option on operating systems older than IBM i V7R4

Last Updated on 24 September 2021 by Roberto De Pedrini

In IBM i V7R4, the SAVE and RESTORE menus have been enhanced with the new Start controlling subsystem option. Previously, the controlling subsystem always started automatically after the save or restore operation was completed. In IBM i V7R4, it is now possible to leave the system in a restricted state after the save or restore operation by not starting the controlling subsystem. This can be useful if you want to install PTFs, perform system maintenance, or IPL the system.

In this post, we’ll see how to do the same on previous operating system versions (I’ve been using this method since i5/OS V5R4), focusing on the save entire system option (option 21 of the SAVE menu).

Target operating system: from i5/OS V5R4 to IBM i V7R3.

Let’s start by creating a data area called STRCTLSBS, where we will store the information on whether to start (*YES) or not (*NO) the controlling subsystem at the end of the save entire system option:

CRTDTAARA DTAARA(library/STRCTLSBS) TYPE(*CHAR) LEN(4) AUT(*USE)

Edit the contents of the STRCTLSBS data area as follows:

if we want the system to remain in restricted state at the end of the save operation:

CHGDTAARA DTAARA(library/STRCTLSBS *ALL) VALUE('*NO')

if we want the system to go into normal state at the end of the save operation (IBM default behavior):

CHGDTAARA DTAARA(library/STRCTLSBS *ALL) VALUE('*YES')

Create a source file that supports double-byte characters (DBCS) to store the sources of the various versions of the QMNSRBND program:

CRTSRCPF FILE(srclib/QCLSRCDBCS) CCSID(937)

Note. You must use a source file that supports double-byte characters because a file of that type was used to create the QMNSRBND CL program (otherwise the command ends with the error message CPF0565). In my experience, the CCSID 937, which combines an EBCDIC single-byte character set with a ‘Traditional Chinese’ multi-byte character set, seems to be ok.

Retrieve the source from the QMNSRBND CL program into the QMNSRBND member of the source file we just created:

RTVCLSRC PGM(QSYS/QMNSRBND) SRCFILE(srclib/QCLSRCDBCS) SRCMBR(*PGM)

Make a backup copy of QMNSRBND member to QMNSRBND_I member:

CPYSRCF FROMFILE(srclib/QCLSRCDBCS) TOFILE(srclib/QCLSRCDBCS) FROMMBR(QMNSRBND) TOMBR(QMNSRBND_I)

Modify the source of the QMNSRBND CL program to use the information stored in the STRCTLSBS data area (the added statements are marked with an /* added */ comment in the source excerpt below) as follows:

insert the declaration of the &STRCTLSBS variable, which will store the contents of the STRCTLSBS data area, immediately after the &CPYR variable declaration;

insert the statements to read the STRCTLSBS data area, to define a default value for the &STRCTLSBS variable in case of problems reading the data area, and an IF statement which conditions the starting of the controlling subsystem on the value of the &STRCTLSBS variable.

STRSEU SRCFILE(srclib/QCLSRCDBCS) SRCMBR(QMNSRBND) TYPE(CLP) OPTION(2) TEXT('My QMNSRBND')

[…]
DCL VAR(&CPYR) TYPE(*CHAR) LEN(90) VALUE('5761-SS1 (C) COPYRIGHT-
IBM CORP 1980, 2007. LICENSED MATERIAL - PROGRAM PROPERTY OF IBM')
DCL VAR(&STRCTLSBS) TYPE(*CHAR) LEN(4)                       /* added */
[…]
END:
[…]
IF COND(&CANCEL *EQ N) THEN(DO)
  /* Read the switch; if the data area cannot be read, fall back to */
  /* the IBM default behavior (start the controlling subsystem).    */
  RTVDTAARA DTAARA(library/STRCTLSBS *ALL) RTNVAR(&STRCTLSBS)  /* added */
  MONMSG MSGID(CPF0000) EXEC(CHGVAR VAR(&STRCTLSBS) VALUE('*YES')) /* added */

  IF COND(&STRCTLSBS *NE '*NO') THEN(DO)                       /* added */
    IF COND(&PROMPT *EQ 'Y') THEN(DO)
      ? *SYSTEM/STRSBS SBSD(&CTLSBSLIB/&CTLSBSD)
      […]
    ENDDO
    ELSE CMD(DO)
      *SYSTEM/STRSBS SBSD(&CTLSBSLIB/&CTLSBSD)
      […]
    ENDDO
  ENDDO                                                        /* added */
ENDDO
[…]

Rename the original IBM CL program to keep it:

RNMOBJ OBJ(QMNSRBND) OBJTYPE(*PGM) NEWOBJ(QMNSRBND_I)

Finally, create the CL program:

CRTCLPGM PGM(QSYS/QMNSRBND) SRCFILE(srclib/QCLSRCDBCS) SRCMBR(*PGM)

We’re done! Now, by setting the data area to *NO, we can finally back up the entire system and then install the PTFs or power off the system without having to bring the system back to restricted state at the end of the save operation.

Important. After each installation of PTFs (especially after installing a cumulative PTF package), check whether the QMNSRBND program has been replaced. If it has, extract the new CL source (so as not to lose any changes IBM introduced), modify it as just described, and recompile it. First, however, remove the backup of the previous version of the program:

DLTPGM PGM(QSYS/QMNSRBND_I)
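
A post-PTF check for the step above, as an added example that is not part of the original post: the CL program below reads the creation attributes of QSYS/QMNSRBND with RTVOBJD and reports whether it is still the version compiled from the local source file. SRCLIB is a placeholder for the source library (srclib in the commands above), and the message texts are illustrative.

```cl
/* Added example: is QSYS/QMNSRBND still the locally compiled version? */
/* SRCLIB is a placeholder for the library holding QCLSRCDBCS.         */
PGM
  DCL VAR(&SRCF)    TYPE(*CHAR) LEN(10)
  DCL VAR(&SRCFLIB) TYPE(*CHAR) LEN(10)
  DCL VAR(&CRTUSER) TYPE(*CHAR) LEN(10)
  DCL VAR(&CRTDATE) TYPE(*CHAR) LEN(13)  /* CYYMMDDHHMMSS */

  /* Source file, creation date and creating user of the program */
  RTVOBJD OBJ(QSYS/QMNSRBND) OBJTYPE(*PGM) CRTDATE(&CRTDATE) +
          CRTUSER(&CRTUSER) SRCF(&SRCF) SRCFLIB(&SRCFLIB)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('QSYS/QMNSRBND could not be checked.')
    RETURN
  ENDDO

  /* The modified program was compiled from SRCLIB/QCLSRCDBCS; any */
  /* other source file means the object has been replaced.         */
  IF COND((&SRCF *EQ 'QCLSRCDBCS') *AND (&SRCFLIB *EQ 'SRCLIB')) +
       THEN(DO)
    SNDPGMMSG MSG('QMNSRBND is the modified version, created' +
                  *BCAT &CRTDATE *BCAT 'by' *BCAT &CRTUSER)
  ENDDO
  ELSE CMD(DO)
    SNDPGMMSG MSG('QMNSRBND was replaced (created' +
                  *BCAT &CRTDATE *BCAT 'by' *BCAT &CRTUSER *TCAT +
                  '): retrieve, modify and recompile the source.')
  ENDDO
ENDPGM
```

Running it after every PTF installation, before the next option 21 save, shows whether the *NO setting in the data area will still be honored.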

Automate the Customer Buying Experience, Without Coding It Yourself

Interested in finding new customers and improving your customers’ buying experience? Would it save you money and increase responsiveness if you could automate the order entry, invoicing, and fulfillment business processes? Would you like functions like shopping carts, instant price and shipping quotes, automated acknowledgements and customer reviews?

Many IBM i users are getting all of these capabilities by integrating their IBM i applications with eCommerce platforms like Magento Commerce. But the real power of using an eCommerce site comes from automating the integration between the eCommerce site and your back end IBM i applications.
