Admin Alert: Dealing with Inactive Jobs
by Joe Hertvik
Unattended interactive jobs (also called inactive jobs) present a knotty administrative problem because they can create security exposures on your system, as well as place persistent object locks on files and records. Fortunately, OS/400 provides system values that automatically disconnect or end inactive jobs. Inactive jobs, where a sensitive application is sitting open and unattended on a user's desktop, can be dangerous. Since a lot of fraud and computer abuse happens inside a company, it's wise to lock down these jobs in a reasonable time frame.
While the techniques for dealing with inactive jobs are a little kludgy to implement on a green screen, the concepts are easy to grasp. OS/400 offers a trio of system values that tell your system when to take action on an inactive job (system value QINACTITV); what action the system should take--disconnecting the job, ending the job, or sending a message to a specific message queue (value QINACTMSGQ); and how long the operating system should take before ending disconnected jobs (QDSCJOBITV). Here's my drill for setting up your OS/400 system to track and manage inactive jobs.
Step One: Finding the Culprits
To identify inactive jobs that have been idle too long, OS/400 uses the QINACTITV (inactive job time out) system value. QINACTITV tells OS/400 what length of time, in minutes, an inactive job should sit before the system takes action. QINACTITV is basically a timer that allows you to either specify a time-out value of between 5 and 300 minutes (five hours) or tell OS/400 to ignore inactive jobs altogether. To set QINACTITV to take action on jobs that have been inactive for 120 minutes or longer, for example, you could use the Change System Value (CHGSYSVAL) command to alter QINACTITV:
CHGSYSVAL SYSVAL(QINACTITV) VALUE(120)
To turn off the QINACTITV timer entirely, you would set QINACTITV to a value of *NONE:
CHGSYSVAL SYSVAL(QINACTITV) VALUE(*NONE)
Note that *NONE is the timer's default value, so you would need to set QINACTITV to activate your inactive-job time-out resolution. A change to QINACTITV takes effect immediately.
Keep in mind that the best value for this timer will vary from shop to shop. High-security environments may set the timer extremely low, requiring users to either sign off or secure open 5250 sessions every time they leave their desks. Other shops may be more liberal and allow a terminal session to remain unused for several hours before changing the job's status. There are no set rules for setting QINACTITV's proper value. This timer should be set in accordance with your organization's security policies and the lowest degree of risk your shop is willing to tolerate when unattended interactive jobs are present.
Step Two: Taking Prudent Action
Once an inactive job passes the QINACTITV timer value, it's time for the system to take action. OS/400 uses the QINACTMSGQ (inactive job message queue) system value to determine what to do with inactive jobs that have timed out. There are three ways that the system deals with inactive jobs that have exceeded QINACTITV standards. It can end the job, disconnect the job, or send a message to a system-message queue for manual or custom processing.
To set up OS/400 so that it automatically ends timed-out interactive jobs, set QINACTMSGQ to *ENDJOB:
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE(*ENDJOB)
This kills the timed-out inactive job once the QINACTITV timer is reached. It also kills any secondary or group jobs associated with the target job. Killing the job releases all system resources the job was holding. *ENDJOB is the default value for QINACTMSGQ.
If you want the system to disconnect your timed-out inactive jobs along with any secondary or group jobs associated with each job, you can set QINACTMSGQ to *DSCJOB:
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE(*DSCJOB)
Disconnected jobs are still active on the system, but the 5250 terminal sessions they run on will now display a sign-on screen. The user will then be able to claim and reactivate the disconnected job after he signs on to the system again, using the same device and user profile name as the disconnected job. The disconnected job will be reactivated at the exact point at which it was disconnected.
But there are some hazards in disconnecting inactive jobs. The disconnected job may be holding a file or record lock that other OS/400 jobs need in order to complete their processing. To make matters worse, it may not be obvious that the disconnected job is even on the system. It's also worth noting that disconnected jobs could also prevent your system from going into restricted mode during a full system backup. So it's important to do some housecleaning on unclaimed disconnected jobs.
To view disconnected jobs on your Work with Active Jobs (WRKACTJOB) screen, press F14 (Include) inside WRKACTJOB, and it will show you any disconnected jobs on the system (disconnected jobs have a status of DSC). Once you find your target disconnected job, you can end it manually by using option 4=End. There is also an automatic system method for ending disconnected jobs, which I'll explain in the next section.
The third option for dealing with timed-out inactive jobs is for OS/400 to send a message with message ID CPI1126--which reads "Job number/user/name has not been active"--to a specific message queue. You can then monitor the message queue manually or set up a program to retrieve and read incoming messages and act on the timed-out jobs accordingly. For this option, you cannot use the CHGSYSVAL command to designate the target message queue; rather, use the Work with System Values (WRKSYSVAL) command as follows to bring up the QINACTMSGQ system value:
And then press option 2=Change to designate the name and library of the message queue to send your CPI1126 notifications to.
It's also worth noting that if the target message queue does not exist or if it is damaged, OS/400 will send the CPI1126 messages to the QSYSOPR message queue.
Step Three: Automatically Ending Disconnected Jobs
In the previous section, I mentioned that you can end unclaimed disconnected jobs manually in WRKACTJOB. Our final inactive job system value, QDSCJOBITV (time interval before disconnected jobs end), is another timer that tells OS/400 how long it should wait before it ends a disconnected job that hasn't been reactivated by the user. Like QINACTITV, QDSCJOBITV is a timer that can be turned off (with a value of *NONE) or set to a value of between 5 minutes and 1,440 minutes (24 hours). Once set, OS/400 ends a disconnected job after the job has been disconnected for the amount of time specified in QDSCJOBITV.
To set QDSCJOBITV to 120 minutes, for example, you could run the CHGSYSVAL command in the following configuration:
CHGSYSVAL SYSVAL(QDSCJOBITV) VALUE(120)
To turn off QDSCJOBITV, you would set its value to *NONE:
CHGSYSVAL SYSVAL(QDSCJOBITV) VALUE(*NONE)
The default value for QDSCJOBITV is 240 minutes. Also note that if QINACTITV is activated with a timer value and QINACTMSGQ is equal to *DSCJOB, it would be unwise to set QDSCJOBITV to *NONE, because unclaimed disconnected jobs might never be ended by the system.
This is the basic skinny on setting up OS/400 to automatically deal with inactive jobs. QINACTITV identifies which inactive jobs are timed out. QINACTMSGQ tells OS/400 what to do with the timed-out inactive jobs, and QDSCJOBITV tells OS/400 how long to wait before it ends a disconnected job. Using these three system values, you can set up a reasonable system for protecting application programs and data inside unattended interactive jobs.
Contact the Editors
Last Updated: 9/30/02
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.