Admin Alert: Did You Lose ECS on February 1?

February 3, 2010 Joe Hertvik

On February 1, 2010, some i/OS V5R3Mx, V5R4Mx, and V6R1Mx systems lost their ability to call IBM service. On that date, IBM changed some of the Host Names and IP Addresses that i/OS systems use to automatically call service via ECS and ESA. As a result, many iSeries, System i, and Power i systems can no longer automatically contact service unless certain PTFs are installed. Was your system affected?

What Happened?

I discovered this change too late to publicize it before February 1. But better late than never, and this article tells you how to detect if your partitions have lost IBM service connectivity and how to restore it, if necessary. Here’s the situation.

Using a TCP/IP connection or a modem, most shops set up their i/OS systems to automatically call IBM service using Electronic Customer Support (ECS) and the Electronic Service Agent (ESA) when there is a problem. The connection information, including host names, IP addresses, and telephone numbers, is embedded in operating system files in the AS/400 Integrated File System (AS/400 IFS). IBM recently started changing the Host Names and IP addresses that your iSeries, System i, or Power i machines use to connect to IBM service, and the final change was scheduled for February 1 deployment. To prepare i/OS machines to contact IBM’s new service locations, Big Blue enabled support for its updated connection information in the following PTFs.

SI34552 for i/OS V6R1Mx systems–This PTF can be applied immediately or on a delayed basis at the next IPL
SI37079 or SI34505 for i/OS V5R4Mx systems–These PTFs can also be applied immediately or on a delayed basis at the next IPL

If these fix PTFs aren’t loaded on your partition, your system may no longer be able to call for service via ESA/ECS and any connection attempts might fail. In researching the issue, it was unclear which systems were going to lose connectivity so you may want to test your system first to see if it still can connect to IBM service before you apply PTFs.

Testing Your Connection

You can test your connection in one of two ways. First, you can use the operating system’s Electronic Service Agent to verify your ESA/ECS connection. Open the ESA by running the following Go to Menu (GO) command.

GO MENU(SERVICE)

On the ESA menu that appears, select option 17 (Verify Service Agent Connection). This option will test the connection between your system and IBM service. If the connection was successful, the system will issue the following message to your job.

CPIEF84 - Verify operation completed successfully

In addition to testing your connection with option 17, you can also verify that your connection is working correctly by running the following Send Service Request (SNDSRVRQS) command.

SNDSRVRQS ACTION(*TEST)

If successful, this command will establish a communications session with IBM service, similar to what occurred with the Verify Service Agent Connection menu option. If successful, SNDSRVRQS will return the following status message to your job.

CPZ8C02 - Test request complete

If your system isn’t able to connect to IBM service, order and install the proper PTF at your earliest convenience to restore connectivity.

If You Need PTFs

You should note that some of the IBM and business partner communications designate loading PTF SI34505 to fix the problem for V5R4Mx systems. While you can try to download SI34505, it has been superseded by SI37079 and SI37079, which will also fix the issue for V5R4Mx. So you can download either PTF (if available) for V5R4Mx systems. Both PTFs will work.

Only one PTF (SI34552) is currently designated to fix ECS/ESA connection problems on V6R1Mx systems.

The connection fixes are available for individual download from IBM; they are also available in cumulative PTF package C9111610 and above for i/OS V6R1Mx or cumulative PTF package C9104540 and above for i/OS V5R4Mx. If you’re applying the proper individual ECS/ESA PTF, be sure to check its cover letter and make sure that you also download and install all the prerequisite and co-requisite PTFs that go along with your PTF.

Also note that you’re out of luck if your system is running i/OS V5R3Mx or below. IBM is no longer supporting these versions, and Big Blue is NOT issuing PTFs to provide connectivity to the new Host Names and IP addresses for those operating systems. Pre-V5R4Mx systems will no longer be able to automatically call out to IBM service when there is a problem.

To verify whether you have the PTFs installed, run the following Display Program Temporary Fix (DSPPTF) command and look for the designated system PTF in the list that appears.

For i/OS V6R1MX systems, DSPPTF LICPGM(5761SS1)
For V5R4Mx systems, DSPPTF LICPGM(5722SS1)

After download, read and perform the installation instructions IBM provides in the cover letters for each PTF:

However, you’re not necessarily out of the woods after the PTF is installed. You may still have to adjust your firewall settings to allow traffic to and from the new IBM service destinations.

Firewall Considerations

After installing your system’s designated PTF, the following file will be present in this AS/400 IFS location.

/QIBM/UserData/OS400/UniversalConnection/
serviceProviderIBMLocationDefinition.txt

The location definition file contains all the IP addresses and TCP ports that the operating system uses to call IBM service. To open this file and view the IP addresses and ports that you may need to update in your firewall configuration, use the following Display File (DSPF) command on a 5250 green screen.

DSPF STMF('/qibm/userdata/os400/universalconnection/
serviceProviderIBMLocationDefinition.txt')

This file contains three different tables listing out IP addresses and TCP ports to add to your firewall to ensure that IBM service connections go through. The first table is a direct 1-to-1 mapping between the IBM service destinations and the IP addresses and TCP ports your applications will use to reach each destination. There may be duplicate addresses in this table. The second table contains all the unique IP addresses and ports that ECS/ESA use to reach IBM service destinations. These addresses and ports are the ones that you may need to add to your firewall to allow remote connectivity with IBM service. The third table only contains a few VPN addresses.

This location definition file is only available after your ECS/ESA connection change PTF is loaded. If you don’t see this file on your system, the correctional PTF may not be loaded.

For more information on firewall settings and ECS/ESA, see IBM’s Software Technical Document 419109186, Electronic Service Agent (ESA) and ECS VPN and HTTP Firewall Settings.

A Problem Detected and Averted

The information in this article should allow you to detect whether your partitions have lost IBM service connectivity and allow you to fix the problem, if necessary. The fix is relatively easy to perform and because the corrective PTFs can be applied immediately, you may not even have to IPL your system to get things back to normal.

RELATED RESOURCES

Cover Letter for PTF SI37079 for i/OS V5R4Mx

Cover Letter for PTF SI34552 for i/OS V6R1Mx

IBM Software Technical Document 419109186, Electronic Service Agent (ESA) and ECS VPN and HTTP Firewall Settings

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”1

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com