The iSeries is hard to beat when it comes to ease of management and
security - until the first PC connection is installed. Chris Youett
considers solutions for maintaining system integrity in the
Internet age.
When the AS/400 and its System 3X predecessors only handled
traditional back-office workloads, system management was relatively
simple. Usually, all sites had to do was switch on the machine,
load the software and start keying in the commands, data, etc. The
operating system contained all the necessary facilities for keeping
the configuration on an even keel.
Then the e-commerce age dawned and changed the system management
parameters forever. Boffins at IBM's Rochester plant recognised
this early on. Former IBM System 3X and AS/400 security chief Wayne
Evans acknowledges that, when used internally, the iSeries is hard
to beat when it comes to ease of management and security - until
the first PC connection is installed.
"With PC connections and LPar [logical partitions], systems
automatically become more complex to manage," he says. "LPar is
great as it allows sites to run multiple virtual machines
concurrently. However, all of these have to be managed to ensure
overall system integrity.
"For example, suppose you can access your site's payroll via a PC.
You can download anything because it is coming from an authorised
user. IBM has built-in exit points, but leaves it to sites to write
exit programs. Most do not have the skills to write them, so they
will need third-party software. This will include basic facilities
such as managed password synchronisation and user profiling.
Network management will also become more important because the
AS/400 is a very good Internet box."
Most suppliers now regularly receive inquiries from sites about
system management tools and strategies. Steve Bradshaw, technical
manager at JBS Computer Services, says a lot of pressure is coming
from sites with multi-supplier servers. "They tend not to have the
skills to implement comprehensive system management policies, so
they see iSeries as the way forward - and then they find that they
don't have the AS/400 skills to create secure networks," he
explains.
"IBM has recognised this with Ops Navigator and Management Central;
but the marketing to date has been hazy. Both tools are generally
very good for medium to large installations. We could do with
optimised versions for SMEs as response times can be poor."
There is also a growing demand for better remote management, for
example where a major user such as Microsoft wants to manage its 20
systems around the world from a central point. "This can be tricky,
especially if some of the traditional green-screen functions have
been put into Management Central," says Bradshaw. "If you want to
move a lot of data between two points and the job falls over
half-way through, this can take time to recover. Such a scenario
does not happen in green-screen mode, though.
"We would like to write APIs so that our applications and
complementary packages can be managed as easily as applications are
under Lotus Domino. This is difficult to do at present. The support
for DHCP [Dynamic Host Configuration Protocol] and DNS [Domain Name
System] is now very good. These used to be a pain to configure, but
Ops Navigator is superb at handling them."
The IBM Computer Users Association is concerned about poor
marketing of Rochester's system management products. Chairman Ray
Titcombe says, "I am not aware that IBM is pushing Ops Navigator
any more. It almost competes against Big Blue's business partners.
"The longer-term users see the main issue as extending system
management out to Lans and servers connected to their AS/400s. IBM
is pushing Integrated PC Server and Linux hard as this brings many
networks back under OS/400 control.
"Sites are pushing IBM hard over Management Central because they
see this as a way of delivering better management. The UK has a lot
of the key mainframe-class accounts that IBM is targeting."
At its 2001 briefings for users and the media, IBM said it would be
targeting mainframe-class users with Ops Navigator and Management
Central. These are only available to sites that have migrated to
OS/400 version 4.5 or above. So how does the world's largest
channel, the JBA wing of Geac, rate these products?
Geac Enterprises' corporate technical manager Graham Hope sees them
as extending the automation of iSeries server processes. New
features include supporting unattended systems management via
wireless devices. Sites on version 5.1 or higher also get support
via integrated xSeries servers.
"Packages like Robot from Help/Systems are used at many iSeries
sites to automate functions such as job scheduling, back-up and
recovery, print management, storage management and performance
monitoring," says Hope. "IBM sees Ops Navigator and Management
Central as its chosen graphical operations management interface.
Each product can function in a standalone environment or within an
enterprise while supporting many endpoint systems.
"However, automated operations can no longer be thought of as
purely message monitoring and alert processing. IBM's statement of
direction says it will substantially enhance the products to
provide comprehensive systems management."
In the short term, many sites will opt for third-party products
covering the likes of 24x7 operations, automation and remote system
management. However, Hope believes that as sites become more
familiar with the native systems management available under OS/400
and its associated licensed packages, they will increasingly opt
for a total IBM solution.
This could present many sites with a confusing message. However,
Ray Wright of CCSS, IBM's main business partner in the systems
management market, warns there are no "silver bullets". "Most sites
will need a multi-supplier approach. Currently, less than 5% are
doing so - there needs to be a major education campaign," he says.
"We specialise in the management of performance and messaging -
both on-site and remotely. We have found that because of IBM's
'plug and go' policy, which dates back to the System 3X era, Big
Blue has never really pushed systems management.
"IBM has tried to resolve this by getting into bed with Candle, but
it didn't work. Sites have tried TNG and HP Open View, while Big
Blue bought Tivoli. None of these found much favour with AS/400
sites.
"So it is now trying to fill the gap with the System Management
Partner Group. IBM is currently pushing data replication hard (eg,
Data Mirror) but this replicates problems onto the next system. We
have already identified that many sites will need mainframe skills
to manage their systems effectively."
Different groups also want different features. Operators, for
example, want management of messaging and scheduling, while the
business wants good security and back-up.
"The heart of the AS/400 architecture is messaging, so we believe
the first steps to good system management are to implement message
and event management," says Hope. "There are a lot of
cheap-and-cheerful products out there that cost about £20,000,
depending on CPU size. It would help if IBM gave clearer
recommendations."
A threat to IBM's mainframe-class revenues comes from analysis and
service assurance supplier Aprisma, whose software was recently
lauded by analyst firm IDC for giving up to 97% return on
investment (ROI) with an average payback time of 37 days.
Ian Baxter, Aprisma's marketing director, says the days of "one
size fits all" are gone. Concepts such as ROI and TCO (total cost
of ownership) are back in fashion. "Most products only tell you
that the system is not running efficiently, rather than pinpointing
the cause. Our software uses intelligent agents on the network and
will co-exist with the likes of Tivoli and CA Universe," he says.
"Initially, early adopters did not trust our software because there
were fewer red lights. Now we can show them the knock-on effect,
which is more important. Apart from IDC's own figures, we also
expect to see 40% to 70% reductions in downtime."
Sites also need to remember that before they roll out any new
systems management regime it needs to be tested fully. Andy Crosby,
field marketing director at Mercury Interactive, says, "Our
software does not depend on the model being used, and our
Loadrunner RTE technology will test any size of box.
"Sites will increasingly find that they will have to validate
performance improvements. Our tools can offer a wider view,
enabling re-allocation of staff time and a reduction in the amount
of hardware and bandwidth used on certain jobs. IBM has been using
our products at its iSeries benchmark centre for some time."
Be vigilant
Former IBM AS/400 security consultant Wayne Evans, who is now a
consultant with PentaSafe, warns that although
the iSeries has excellent security features, many companies have
not bothered to implement them fully. He says that all businesses
should consider the following points:
- Is there a security policy in force? More than 60% of sites
have no coherent strategy
- PC access creates security exposure; control access to
sensitive data
- Eliminate trivial passwords such as "test", "PC user", "FTP"
and "user1"
- Restrict command line access
- Restrict the use of Operations Navigator
- Set the QSECURITY feature below 40
- Eliminate dormant and terminated accounts
- Ensure consistent object ownership and authority coupled with
regular reviews of the site's security baseline
- Accept that logical partitions mean you are managing multiple
system environments.
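
As an added example (not part of the original article), the Python sketch below applies three of the checklist items (trivial passwords, command line access, dormant and terminated accounts) to a user-profile listing. The CSV layout, the DFTPWD column marking a password equal to the profile name, the 90-day dormancy threshold and the QSECOFR exemption are assumptions made for the example; LMTCPB is the profile's limit-capabilities attribute.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE = """PROFILE,STATUS,PREV_SIGNON,LMTCPB,DFTPWD
QSECOFR,*ENABLED,2002-03-01,*NO,NO
TEST,*ENABLED,2001-01-15,*NO,YES
FTP,*ENABLED,,*YES,YES
JSMITH,*ENABLED,2002-02-27,*YES,NO
MJONES,*ENABLED,2001-06-30,*YES,NO
OLDTEMP,*DISABLED,2000-11-02,*NO,NO
"""

TRIVIAL_NAMES = {"TEST", "PCUSER", "FTP", "USER1"}  # names from the checklist
DORMANT_DAYS = 90               # assumed threshold, not given in the article
EXEMPT_CMD_LINE = {"QSECOFR"}   # assumed: profiles that may keep a command line


def audit(export_text, today):
    """Return {profile: [findings]} for profiles that break a checklist item."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name, findings = row["PROFILE"], []
        enabled = row["STATUS"] == "*ENABLED"
        # Trivial passwords: password equals the profile name (DFTPWD=YES).
        if row["DFTPWD"] == "YES":
            kind = "trivial" if name in TRIVIAL_NAMES else "default"
            findings.append(f"{kind} password")
        # Command line access: LMTCPB(*YES) is the restricted setting.
        if enabled and row["LMTCPB"] != "*YES" and name not in EXEMPT_CMD_LINE:
            findings.append("command line not restricted")
        if enabled:
            # Dormant accounts: enabled but never used, or unused for too long.
            last = row["PREV_SIGNON"]
            if not last:
                findings.append("never signed on")
            elif (today - date.fromisoformat(last)).days > DORMANT_DAYS:
                findings.append("dormant")
        else:
            # Terminated accounts: disabled profiles still on the system.
            findings.append("disabled profile not removed")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for profile, findings in audit(SAMPLE, date(2002, 3, 15)).items():
        print(f"{profile:10} {', '.join(findings)}")
```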