Admin Alert: How System i Boxes Impersonate Each Other, Part 1
March 26, 2008 Joe Hertvik
There are three specific instances where System i administrators need to change the communications identity of an i5/OS box so that it impersonates another box and can take its place on the network. Unfortunately, there isn’t a readily available procedure for doing this. To help, this week and next I’m presenting a procedure for modifying a System i box to impersonate another machine.
Why Bother To Impersonate?
It’s handy to know how to modify a System i or iSeries box to impersonate another box in the following situations.
These situations don’t come up often, but for at least two of them, speed is of the essence and the quicker you can change your machine’s communications identity, the better.
Because of these situations, it’s become more important to know the procedure for turning one box into another. This week and next, I’ll detail how to reconfigure an i5/OS partition so that it looks, talks, and acts like another i5/OS system to the network. Also check out the bottom of next week’s article, where I’ll put all these concepts together into a single checklist that you can use the next time you need to make one system impersonate another.
What Needs To Change?
In my experience, you will need to change the following items to have one i5/OS partition impersonate another i5/OS partition on the network.
These are the basic building blocks for changing a machine’s communications identity. Before you start, be sure to make a list of the new values you will be setting for each of these items. If you’re planning to change the machine back to its original identity when you’re finished with the impersonation, also write down the original values that you changed so that you can restore those settings later.
This week, I’ll cover the first three items on the list. Next week, I’ll cover the rest of the items and present the complete checklist for changing your network identity.
Step 1: Changing the IP Address, Subnet Mask, and TCP/IP Routes
Obtain the values listed in step 1 from your network administrator or copy them from the machine you want to impersonate.
As with many of the values in these articles, you can change these settings from either a 5250 green screen or from iSeries Navigator (OpsNav). To change these settings on the green screen, open the Configure TCP/IP menu (GO CFGTCP). To add or activate another IP address, take option 1 off the menu, Work with TCP/IP Interfaces. This option shows you all the existing IP interfaces on the system; each interface starts or stops one IP address on one of your communications lines.
Select option 1 (Add) off the Work with TCP/IP Interfaces screen to enter a new interface. You’ll need the IP address that you want to add to the system, the name of the line description that you want to associate the new address with, the subnet mask that defines the network where this interface operates, and any other TCP/IP parameters that you want to define. If you want the interface to come up whenever the TCP/IP stack is activated, make sure to set the AUTOSTART parameter to *YES. When you are finished, press ENTER and the new interface will be added to your machine. To start the interface manually, select 9 (START) in front of the interface and press ENTER.
If you want to disable your existing interface when the TCP/IP stack is started, select option 2 (CHANGE) in front of the interface and press ENTER. In the Change TCP/IP Interface screen for that interface, change the AUTOSTART parameter from *YES to *NO and TCP/IP will no longer start this interface when the stack is activated. To end this interface manually, enter 10 (END) in front of the interface and press ENTER.
If you need to add or change TCP/IP routes for this machine, go back to the Configure TCP/IP menu and select Option 2, Work with TCP/IP Routes. Here you can change the default route (*DFTROUTE) for routing TCP/IP traffic or you can add other routes to direct traffic through your local network or over the Internet.
If you prefer to use OpsNav to change your IP interface and routing properties, you can get to these properties through one of two paths.
Step 2: If Necessary, Change the Local Adapter Address on Your Communications Line
As I explained in an earlier article about network card Media Access Control (MAC) problems, i5/OS network cards can be configured either to use the default MAC address that is burnt into the card or to override that default with a MAC address of your own. While it isn’t common practice in the non-System i world to override a MAC address, it is fairly common for System i machines to use an overridden address. This is done for several reasons, but most commonly so that older Systems Network Architecture Distribution Services (SNADS) controllers could use consistent addresses between machines, and so that the MAC addresses for those controllers would be portable when you change hardware. So for the purposes of impersonating a System i box, custom MAC addresses for your lines are perfect, because you won’t have to reconfigure controllers on other systems in order to keep using certain older features, like SNADS.
If your Ethernet communications line needs a custom MAC address to impersonate another box, you can change that parameter on the green screen by varying off the line, running the Change Line Description (Ethernet) (CHGLINETH) command, and entering the new MAC address in the Local Adapter Address (ADPTADR) parameter. Once changed, the new adapter address becomes active the next time you vary on the Ethernet line.
Unfortunately, there isn’t any option for changing the MAC address in the iSeries Access for Windows V5R4M0 version of OpsNav that I tested for this article. While you can change your Ethernet line description for other parameters when the line is down (which could be problematic if you’re trying to use OpsNav to access the box through an existing Ethernet connection), the OpsNav communication line properties panel does not have a place for changing the adapter’s MAC address. So if you need to change this parameter on your system, make sure to change it by using the CHGLINETH command, not OpsNav.
Step 3: Change the TCP/IP Host Name and Domain Name For the Machine
If you’re truly trying to have one machine impersonate another on the network, you also have to change the TCP/IP Host Name and Domain Name. Together, the Host Name and Domain Name form the fully qualified domain name that identifies this machine on the network.
To change the host name on the green screen, once again enter the Configure TCP/IP menu by typing in the GO CFGTCP command.
Select option 12, Change TCP/IP Domain Information, from the menu that appears. This option can also be accessed directly by running the Change TCP/IP Domain (CHGTCPDMN) command. On the Change TCP/IP Domain screen, you can change both the Domain Name and the Host Name for your machine. Changes will take effect the next time the machine is restarted.
If you’re moving the machine to another sub-domain and you need to specify different Domain Name Servers (DNS) to be used by the machine, you can also change the DNS search list on this screen.
To change these parameters in OpsNav, right-click on the Network→TCP/IP Configuration node for your partition and select Properties from the pop-up menu that appears. The Host Name, Domain Name, and DNS search list can also be changed from the TCP/IP Configuration Properties screen that appears.
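The three green-screen steps above can also be scripted so that the identity change (and its rollback) is repeatable instead of typed by hand under pressure. The CL program below is an added example written for this article’s topic; it is not code from the original article or from IBM. Every address, line name, MAC address, host name, and domain name in it is a constructed placeholder, and the line is varied off and on before the interface is started, because varying the line off also drops any interface running on it. Run it from the system console or over a different line, not over the Ethernet connection it reconfigures, and prompt each command (F4) on your release to confirm the parameters before compiling.

```cl
/* IMPERSON - constructed example, not the article's or IBM's code.  */
/* All values below are placeholders; replace them with the settings  */
/* copied from the box you intend to impersonate.                     */
PGM
  DCL VAR(&LINE)   TYPE(*CHAR) LEN(10) VALUE('ETHLINE')
  DCL VAR(&OLDIP)  TYPE(*CHAR) LEN(15) VALUE('192.168.10.24')
  DCL VAR(&NEWIP)  TYPE(*CHAR) LEN(15) VALUE('192.168.10.25')
  DCL VAR(&MASK)   TYPE(*CHAR) LEN(15) VALUE('255.255.255.0')
  DCL VAR(&OLDGW)  TYPE(*CHAR) LEN(15) VALUE('192.168.10.1')
  DCL VAR(&NEWGW)  TYPE(*CHAR) LEN(15) VALUE('192.168.20.1')
  DCL VAR(&MAC)    TYPE(*CHAR) LEN(12) VALUE('020000000002')

  /* Keep the original line description as source so the old        */
  /* adapter address can be restored later (see "What Needs To       */
  /* Change?" above about recording original values).                */
  RTVCFGSRC CFGD(&LINE) CFGTYPE(*LIN) SRCFILE(QGPL/QCLSRC) +
            SRCMBR(&LINE)
  MONMSG MSGID(CPF0000)   /* member may already exist - carry on */

  /* Step 2 first: the line must be varied off to change ADPTADR.    */
  VRYCFG CFGOBJ(&LINE) CFGTYPE(*LIN) STATUS(*OFF)
  CHGLINETH LIND(&LINE) ADPTADR(&MAC)
  VRYCFG CFGOBJ(&LINE) CFGTYPE(*LIN) STATUS(*ON)

  /* Step 1: add the new interface, retire the old one, fix routes.  */
  ADDTCPIFC INTNETADR(&NEWIP) LIND(&LINE) SUBNETMASK(&MASK) +
            AUTOSTART(*YES)
  MONMSG MSGID(TCP0000 CPF0000)   /* already defined - carry on */
  CHGTCPIFC INTNETADR(&OLDIP) AUTOSTART(*NO)
  ENDTCPIFC INTNETADR(&OLDIP)
  MONMSG MSGID(TCP0000 CPF0000)   /* already ended - carry on */
  STRTCPIFC INTNETADR(&NEWIP)

  RMVTCPRTE RTEDEST(*DFTROUTE) SUBNETMASK(*NONE) NEXTHOP(&OLDGW)
  MONMSG MSGID(TCP0000 CPF0000)   /* no such route - carry on */
  ADDTCPRTE RTEDEST(*DFTROUTE) SUBNETMASK(*NONE) NEXTHOP(&NEWGW)

  /* Step 3: host name, domain name and DNS servers. These take      */
  /* effect on the next restart, as the article notes.               */
  CHGTCPDMN HOSTNAME('NEWHOST') DMNNAME('example.com') +
            DNSSRVADR('192.168.10.5' '192.168.10.6')
ENDPGM
```

A matching rollback program is the same sequence with the old and new values swapped, which is why the original values are recorded before anything is changed. Because two systems that both answer to the same IP address, MAC address and host name will fight each other on the network, the machine being impersonated should be off the line (or its interfaces ended) before this program is run.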
Three-Quarters Of the Way There?
In most cases, these three changes will get you 60 to 75 percent of the way to impersonating another machine, but by themselves, they aren’t quite enough to put you over the top. I’ll cover the remaining System i impersonation tasks in our next issue and provide an easy-to-follow checklist for running through the process.
About Our Testing Environment
Configurations described in this article were tested on multiple i5 550 boxes running i5/OS V5R3 and V5R4. They were tested during six months of high availability exercises for failing over to a replicated CBU running MIMIX software. They were also tested during the migration of two system i520 partitions to a new i550 machine. Most of the commands shown here are available in earlier versions of the operating system running on iSeries or AS/400 machines. The OpsNav functions were tested using the iSeries Navigator software that comes with iSeries Access for Windows V5R4M0. If a command or function is present in earlier versions of the i5/OS or OS/400 operating systems, you may notice some variations in the pre-V5R4 copies of these commands. These differences may be due to command improvements that have occurred from release to release.