Admin Alert: How System i Boxes Impersonate Each Other, Part 2
April 2, 2008 Joe Hertvik
Last week, I began covering how to change the communications identity on an i5/OS box so that it can impersonate another system and take its place on the network. This week, I’ll conclude my demonstration of i5/OS impersonation techniques and offer a checklist for making one System i box look like another System i box on your network.
Why We Impersonate?
As covered last issue, system impersonation techniques come in handy in the following situations:
Seven Steps To a Successful Impersonation
As I also covered last week, you will need to perform the following steps to enable one System i box to impersonate another System i box on the network:
Last week, I went through the first three items on the list. This week, I’ll cover the rest of the list and present a checklist that you can use when you perform your own system impersonations. Where available, I’ll show you how to change these settings from both the green screen and through iSeries Navigator (OpsNav). Be warned, however, that for many of these steps you will only be able to change these settings through a 5250 green screen; many of these impersonation techniques don’t have comparable change options in OpsNav.
Step 4: Changing the Machine’s Network Attributes
The System i’s network attributes contain control information about the system’s communication environment.
To start changing a system’s network attributes, print the network attribute values from the source machine that you want to impersonate. Inside a 5250 green screen, you can view and print a system’s network attributes by typing in the following Display Network Attributes (DSPNETA) command.
To change any of a system’s network attributes on a 5250 screen, type in the Change Network Attributes (CHGNETA) command and press the F4 key to prompt for the fields that you want to change.
There are approximately 41 different network attribute values that you can change inside i5/OS, so you will need to check all the values on the DSPNETA list that you retrieved from your source machine to make sure the target machine values match the source values. In particular, you will want to ensure that the following network attributes are changed to match the source system.
In writing this article, I searched for a place in iSeries Navigator (OpsNav) where you can change a system’s network attributes, but I was unable to find if or how you can use OpsNav to change these values.
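One way to carry out the Step 4 comparison once both DSPNETA listings have been captured as text, shown as an added example that is not part of the original article: it parses the two printouts and reports every attribute whose value differs or is missing on one side. The sample listings are constructed, and the dot-leader line layout and the system names PRODSYS and DEVSYS are assumptions.

```python
import re

# Constructed sample printouts (not from the article). The "label . . . :  value"
# dot-leader layout is an assumption about how the DSPNETA listing looks as text.
SOURCE_LISTING = """\
                         Network Attributes
 Current system name  . . . . . . . . . . . . . . :   PRODSYS
   Pending system name  . . . . . . . . . . . . . :
 Local network ID . . . . . . . . . . . . . . . . :   APPN
 Local control point name . . . . . . . . . . . . :   PRODSYS
 Default local location . . . . . . . . . . . . . :   PRODSYS
 Default mode . . . . . . . . . . . . . . . . . . :   BLANK
"""

# Target printout: two values still carry the old identity, and the capture
# is truncated so "Default mode" is absent.
TARGET_LISTING = """\
                         Network Attributes
 Current system name  . . . . . . . . . . . . . . :   PRODSYS
   Pending system name  . . . . . . . . . . . . . :
 Local network ID . . . . . . . . . . . . . . . . :   APPN
 Local control point name . . . . . . . . . . . . :   DEVSYS
 Default local location . . . . . . . . . . . . . :   DEVSYS
"""

# Label, then a run of ". " leaders, then ":" and an optional value.
LINE_RE = re.compile(r"^\s*(?P<label>.+?)\s+(?:\.\s*)+:\s*(?P<value>.*?)\s*$")

def parse_neta(listing):
    """Return {attribute label: value} for every dot-leader line in a listing."""
    attrs = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:  # title and blank lines do not match and are skipped
            attrs[m.group("label")] = m.group("value")
    return attrs

def compare_neta(source, target):
    """List (label, source value, target value) for attributes that differ.
    A label absent from one listing is reported with None on that side."""
    src, tgt = parse_neta(source), parse_neta(target)
    return [(label, src.get(label), tgt.get(label))
            for label in sorted(src.keys() | tgt.keys())
            if src.get(label) != tgt.get(label)]

if __name__ == "__main__":
    for label, s, t in compare_neta(SOURCE_LISTING, TARGET_LISTING):
        print(f"{label}: source={s!r} target={t!r}")
```

An empty result means every attribute found in either listing matches; a `None` on one side means that attribute never appeared in that printout and should be checked by hand.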
Step 5: Change Relevant System Distribution Directory Entries
Many applications in i5/OS use system distribution directory entries to locate information about where to direct object distributions generated by an application or a program. This can be especially important for a number of applications, so it’s best to review the directory on your source system and add or replace any entries on the target system that your applications need in order to function after impersonation.
One good example of the need to check your directory entries occurs if you’re using SNADS to transfer spool files between systems. On an impersonated system, you may find that you cannot send spool files between systems unless the entry for the QNETSPLF user is correct in the distribution directory. This recently happened to me after I brought up a new production system on an i550 box and I was trying to transfer spooled files from the old system to the new system. The SNADS spooled files transfer would not work until I adjusted the QNETSPLF directory entry to contain the new system name that was now assigned to the partition.
On the green screen, you can view, add, and change directory entries by using the Work with Directory Entries (WRKDIRE) command. To individually add a directory entry, you can also use the Add Directory Entry (ADDDIRE) command. To delete individual directory entries, use “option 4=Remove” in front of the entry in the WRKDIRE command.
Step 6: Make Any Necessary Relational Database Directory Entries
i5/OS contains a relational database directory to define different database names (and their associated network parameters) that can be directly accessed by system applications. Its entries also specify whether database connections are made by using an Internet Protocol (IP) address and port or whether the database can be reached through an associated SNADS network identifier and logical unit name (LU).
When changing an i5/OS partition to impersonate another partition, it may be important to also change the mimicking partition’s Relational Database Directory entries to match the entries on the source system. To do that, print out all the relational database directory entries on your source system and add those same entries to the target system.
To locate and work with the relational database entries on the impersonating system, use the options in the Work with Relational Database Directory Entries (WRKRDBDIRE) command. Be sure to take printouts of any RDB entries that you delete or change on the target system so that they can be restored if you plan to return the target system to its original identity later on.
Step 7: Change the Server Name and the Domain Name for Your iSeries NetServer Configuration
The last impersonation parameter to change is the Server name and Domain that are assigned to your iSeries NetServer configuration. NetServer provides System i file folder support to Windows PCs. Many i5/OS applications such as Fax servers also make use of stream files located in the AS/400 Integrated File System (AS/400 IFS), and those applications use NetServer to locate and serve files.
Unlike some of our other steps, iSeries NetServer configuration can only be performed inside iSeries Navigator. There are no green screen commands to modify your NetServer configuration, and the only way that I know of to update NetServer on the green screen is to use the APIs listed in the iSeries NetServer API Guide.
Because you have to use OpsNav to change your NetServer parameters, the catch is that TCP/IP needs to be active in order to make the changes. To modify your NetServer Server name and Domain name, perform the following steps inside OpsNav.
And That’s All????
Although it’s been my experience that these seven steps cover the majority of tasks needed to make one System i box impersonate another, they may not be all-inclusive for every situation. Use this checklist as a base, but be sure to also perform your own investigation to uncover any additional impersonation techniques that are specific to your organization.
About Our Testing Environment
Configurations described in this article were tested on an i5 550 box running i5/OS V5R4. Many of the commands may also be available in earlier versions of the operating system running on iSeries or AS/400 machines. iSeries Navigator (OpsNav) features were tested with the OpsNav version that is shipped with iSeries Access for Windows V5R3M0. If a command is present in earlier versions of the i5/OS or OS/400 operating systems, you may notice some variations in the pre-V5R4 copies of these commands. These differences may be due to command improvements that have occurred from release to release.
Checklist: Enabling One System i Box To Impersonate Another on the Network