Curse of the user

The iSeries is hard to beat when it comes to ease of management and security - until the first PC connection is installed. Chris Youett considers solutions for maintaining system integrity in the Internet age

When the AS/400 and its System 3X predecessors only handled traditional back-office workloads, system management was relatively simple. Usually, all sites had to do was switch on the machine, load the software and start keying in the commands, data, etc. The operating system contained all the necessary facilities for keeping the configuration on an even keel.
Then the e-commerce age dawned and changed the system management parameters forever. Boffins at IBM's Rochester plant recognised this early on. Former IBM System 3X and AS/400 security chief Wayne Evans acknowledges that, when used internally, the iSeries is hard to beat when it comes to ease of management and security - until the first PC connection is installed.
"With PC connections and LPar [logical partitions], systems automatically become more complex to manage," he says. "LPar is great as it allows sites to run multiple virtual machines concurrently. However, all of these have to be managed to ensure overall system integrity.
"For example, suppose you can access your site's payroll via a PC. You can download anything because it is coming from an authorised user. IBM has built-in exit points, but leaves it to sites to write exit programs. Most do not have the skills to write them, so they will need third-party software. This will include basic facilities such as managed password synchronisation and user profiling. Network management will also become more important because the AS/400 is a very good Internet box."
Most suppliers now regularly receive inquiries from sites about system management tools and strategies. Steve Bradshaw, technical manager at JBS Computer Services, says a lot of pressure is coming from sites with multi-supplier servers. "They tend not to have the skills to implement comprehensive system management policies, so they see iSeries as the way forward - and then they find that they don't have the AS/400 skills to create secure networks," he explains.
"IBM has recognised this with Ops Navigator and Management Central; but the marketing to date has been hazy. Both tools are generally very good for medium to large installations. We could do with optimised versions for SMEs as response times can be poor."
There is also a growing demand for better remote management, for example where a major user such as Microsoft wants to manage its 20 systems around the world from a central point. "This can be tricky, especially if some of the traditional green-screen functions have been put into Management Central," says Bradshaw. "If you want to move a lot of data between two points and the job falls over half-way through, this can take time to recover. Such a scenario does not happen in green-screen mode, though.
"We would like to write APIs so that our applications and complementary packages can be managed as easily as applications are under Lotus Domino. This is difficult to do at present. The support for DHCP [Dynamic Host Configuration Protocol] and DNS [Domain Name System] is now very good. These used to be a pain to configure, but Ops Navigator is superb at handling them."
The IBM Computer Users Association is concerned about poor marketing of Rochester's system management products. Chairman Ray Titcombe says, "I am not aware that IBM is pushing Ops Navigator any more. It almost competes against Big Blue's business partners.
"The longer-term users see the main issue as extending system management out to Lans and servers connected to their AS/400s. IBM is pushing Integrated PC Server and Linux hard as this brings many networks back under OS/400 control.
"Sites are pushing IBM hard over Management Central because they see this as a way of delivering better management. The UK has a lot of the key mainframe-class accounts that IBM is targeting."
At its 2001 briefings for users and the media, IBM said it would be targeting mainframe-class users with Ops Navigator and Management Central. These are only available to sites that have migrated to OS/400 version 4.5 or above. So how does the world's largest channel, the JBA wing of Geac, rate these products?
Geac Enterprises' corporate technical manager Graham Hope sees them as extending the automation of iSeries server processes. New features include supporting unattended systems management via wireless devices. Sites on version 5.1 or higher also get support via integrated xSeries servers.
"Packages like Robot from Help/Systems are used at many iSeries sites to automate functions such as job scheduling, back-up and recovery, print management, storage management and performance monitoring," says Hope. "IBM sees Ops Navigator and Management Central as its chosen graphical operations management interface. Each product can function in a standalone environment or within an enterprise while supporting many endpoint systems.
"However, automated operations can no longer be thought of as purely message monitoring and alert processing. IBM's statement of direction says it will substantially enhance the products to provide comprehensive systems management."
In the short term, many sites will opt for third-party products covering the likes of 24x7 operations, automation and remote system management. However, Hope believes that as sites become more familiar with the native systems management available under OS/400 and its associated licensed packages, they will increasingly opt for a total IBM solution.
This could present many sites with a confusing message. However, Ray Wright of CCSS, IBM's main business partner in the systems management market, warns there are no "silver bullets". "Most sites will need a multi-supplier approach. Currently, less than 5% are doing so - there needs to be a major education campaign," he says.
"We specialise in the management of performance and messaging - both on-site and remotely. We have found that because of IBM's 'plug and go' policy, which dates back to the System 3X era, Big Blue has never really pushed systems management.
"IBM has tried to resolve this by getting into bed with Candle, but it didn't work. Sites have tried TNG and HP Open View, while Big Blue bought Tivoli. None of these found much favour with AS/400 sites.
"So it is now trying to fill the gap with the System Management Partner Group. IBM is currently pushing data replication hard (eg, Data Mirror) but this replicates problems onto the next system. We have already identified that many sites will need mainframe skills to manage their systems effectively."
Different groups also want different features. Operators, for example, want management of messaging and scheduling, while the business wants good security and back-up.
"The heart of the AS/400 architecture is messaging, so we believe the first steps to good system management are to implement message and event management," says Hope. "There are a lot of cheap-and-cheerful products out there that cost about £20,000, depending on CPU size. It would help if IBM gave clearer recommendations."
A threat to IBM's mainframe-class revenues comes from analysis and service assurance supplier Aprisma, whose software was recently lauded by analyst firm IDC for giving up to 97% return on investment (ROI) with an average payback time of 37 days.
Ian Baxter, Aprisma's marketing director, says the days of "one size fits all" are gone. Concepts such as ROI and TCO (total cost of ownership) are back in fashion. "Most products only tell you that the system is not running efficiently, rather than pinpointing the cause. Our software uses intelligent agents on the network and will co-exist with the likes of Tivoli and CA Universe," he says.
"Initially, early adopters did not trust our software because there were fewer red lights. Now we can show them the knock-on effect, which is more important. Apart from IDC's own figures, we also expect to see 40% to 70% reductions in downtime."
Sites also need to remember that before they roll out any new systems management regime it needs to be tested fully. Andy Crosby, field marketing director at Mercury Interactive, says, "Our software does not depend on the model being used, and our Loadrunner RTE technology will test any size of box.

"Sites will increasingly find that they will have to validate performance improvements. Our tools can offer a wider view, enabling re-allocation of staff time and a reduction in the amount of hardware and bandwidth used on certain jobs. IBM has been using our products at its iSeries benchmark centre for some time."

Be vigilant
Former IBM AS/400 security consultant Wayne Evans, who is now a consultant with PentaSafe, warns that although the iSeries has excellent security features, many companies have not bothered to implement them fully. He says that all businesses should consider the following points:
  • Is there a security policy in force? More than 60% of sites have no coherent strategy
  • PC access creates security exposure; control access to sensitive data
  • Eliminate trivial passwords such as "test", "PC user", "FTP" and "user1"
  • Restrict command line access
  • Restrict the use of Operations Navigator
  • Set the QSECURITY feature below 40
  • Eliminate dormant and terminated accounts
  • Ensure consistent object ownership and authority coupled with regular reviews of the site's security baseline
  • Accept that logical partitions mean you are managing multiple system environments.
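Several of these points can be turned into a repeatable review of the site's user profiles. The following is an added example, not code from the article, IBM or PentaSafe: it reads a constructed user-profile extract (the column names are assumptions for this example, not a verified IBM report layout; a site would export its own profile list, for instance with DSPUSRPRF to an output file, and map its fields onto these) and reports profiles named like the trivial accounts in the list, profiles that still have command-line capability, profiles with no sign-on for 90 days, and disabled profiles that were never removed. Password values cannot be read from such an extract, so the "trivial password" point is approximated by checking for the trivial account names themselves.

```python
"""Review a user-profile extract against the 'Be vigilant' checklist.

Added example, not code from the article, IBM or PentaSafe. The CSV columns
are assumed names for a constructed extract; an IBM i site would export its
own profile list (for example with DSPUSRPRF to an output file) and map its
field names onto these.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample extract (not real data). last_signon is blank for a
# profile that has never signed on.
SAMPLE_EXTRACT = """\
profile,status,limit_capabilities,last_signon
QSECOFR,*ENABLED,*NO,2001-06-10
PAYROLL1,*ENABLED,*YES,2001-06-09
TEST,*ENABLED,*NO,2000-11-02
FTP,*ENABLED,*NO,
USER1,*ENABLED,*PARTIAL,2001-05-30
JSMITH,*DISABLED,*YES,2000-01-15
OPS2,*ENABLED,*NO,2001-06-11
"""

# Names from the article's list of trivial accounts; "PC user" is kept as
# PCUSER, an assumption about how such a profile would actually be named.
TRIVIAL_NAMES = {"TEST", "PCUSER", "FTP", "USER1"}
DORMANT_DAYS = 90


def parse_extract(text):
    """Return the extract as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, today, dormant_days=DORMANT_DAYS):
    """Group profile names by the checklist item they fail.

    'command_line' lists every profile not limited to menus (*YES); it is a
    review list, since operators and the security officer legitimately keep
    command entry. Disabled profiles are listed separately because the
    checklist says to eliminate, not merely disable, terminated accounts.
    """
    findings = {"trivial_name": [], "command_line": [],
                "dormant": [], "disabled_leftover": []}
    cutoff = today - timedelta(days=dormant_days)
    for row in rows:
        name = row["profile"].strip().upper()
        if name in TRIVIAL_NAMES:
            findings["trivial_name"].append(name)
        # *NO and *PARTIAL both still permit command entry
        if row["limit_capabilities"].strip().upper() != "*YES":
            findings["command_line"].append(name)
        if row["status"].strip().upper() == "*DISABLED":
            findings["disabled_leftover"].append(name)
            continue
        last = row["last_signon"].strip()
        # Never signed on, or last sign-on older than the dormancy window
        if not last or date.fromisoformat(last) < cutoff:
            findings["dormant"].append(name)
    return findings


def run_sample_audit():
    """Audit the constructed extract as of a fixed date so results are stable."""
    return audit(parse_extract(SAMPLE_EXTRACT), today=date(2001, 6, 12))


if __name__ == "__main__":
    for item, names in run_sample_audit().items():
        print(f"{item:17} {', '.join(names) or '-'}")
```

On the sample data this flags TEST, FTP and USER1 as trivially named, TEST and FTP as dormant, JSMITH as a disabled account still present, and five profiles with command-line capability for the security officer to confirm or restrict. The dormancy window and name list are the two knobs a site would adjust to its own policy.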
