Admin Alert: Did You Lose ECS on February 1?
February 3, 2010 Joe Hertvik
On February 1, 2010, some i/OS V5R3Mx, V5R4Mx, and V6R1Mx systems lost their ability to call IBM service. On that date, IBM changed some of the Host Names and IP Addresses that i/OS systems use to automatically call service via ECS and ESA. As a result, many iSeries, System i, and Power i systems can no longer automatically contact service unless certain PTFs are installed. Was your system affected?
I discovered this change too late to publicize it before February 1. But better late than never, and this article tells you how to detect if your partitions have lost IBM service connectivity and how to restore it, if necessary. Here’s the situation.
Using a TCP/IP connection or a modem, most shops set up their i/OS systems to automatically call IBM service using Electronic Customer Support (ECS) and the Electronic Service Agent (ESA) when there is a problem. The connection information, including host names, IP addresses, and telephone numbers, is embedded in operating system files in the AS/400 Integrated File System (AS/400 IFS). IBM recently started changing the Host Names and IP addresses that your iSeries, System i, or Power i machines use to connect to IBM service, and the final change was scheduled for February 1 deployment. To prepare i/OS machines to contact IBM’s new service locations, Big Blue enabled support for its updated connection information in the following PTFs.
If these fix PTFs aren’t loaded on your partition, your system may no longer be able to call for service via ESA/ECS and any connection attempts might fail. In researching the issue, it was unclear which systems were going to lose connectivity so you may want to test your system first to see if it still can connect to IBM service before you apply PTFs.
Testing Your Connection
You can test your connection in one of two ways. First, you can use the operating system’s Electronic Service Agent to verify your ESA/ECS connection. Open the ESA by running the following Go to Menu (GO) command.
On the ESA menu that appears, select option 17 (Verify Service Agent Connection). This option will test the connection between your system and IBM service. If the connection was successful, the system will issue the following message to your job.
CPIEF84 - Verify operation completed successfully
In addition to testing your connection with option 17, you can also verify that your connection is working correctly by running the following Send Service Request (SNDSRVRQS) command.
If successful, this command will establish a communications session with IBM service, similar to what occurred with the Verify Service Agent Connection menu option. If successful, SNDSRVRQS will return the following status message to your job.
CPZ8C02 - Test request complete
If your system isn’t able to connect to IBM service, order and install the proper PTF at your earliest convenience to restore connectivity.
If You Need PTFs
You should note that some of the IBM and business partner communications designate loading PTF SI34505 to fix the problem for V5R4Mx systems. While you can try to download SI34505, it has been superseded by SI37079 and SI37079, which will also fix the issue for V5R4Mx. So you can download either PTF (if available) for V5R4Mx systems. Both PTFs will work.
Only one PTF (SI34552) is currently designated to fix ECS/ESA connection problems on V6R1Mx systems.
The connection fixes are available for individual download from IBM; they are also available in cumulative PTF package C9111610 and above for i/OS V6R1Mx or cumulative PTF package C9104540 and above for i/OS V5R4Mx. If you’re applying the proper individual ECS/ESA PTF, be sure to check its cover letter and make sure that you also download and install all the prerequisite and co-requisite PTFs that go along with your PTF.
Also note that you’re out of luck if your system is running i/OS V5R3Mx or below. IBM is no longer supporting these versions, and Big Blue is NOT issuing PTFs to provide connectivity to the new Host Names and IP addresses for those operating systems. Pre-V5R4Mx systems will no longer be able to automatically call out to IBM service when there is a problem.
To verify whether you have the PTFs installed, run the following Display Program Temporary Fix (DSPPTF) command and look for the designated system PTF in the list that appears.
After download, read and perform the installation instructions IBM provides in the cover letters for each PTF:
However, you’re not necessarily out of the woods after the PTF is installed. You may still have to adjust your firewall settings to allow traffic to and from the new IBM service destinations.
After installing your system’s designated PTF, the following file will be present in this AS/400 IFS location.
The location definition file contains all the IP addresses and TCP ports that the operating system uses to call IBM service. To open this file and view the IP addresses and ports that you may need to update in your firewall configuration, use the following Display File (DSPF) command on a 5250 green screen.
DSPF STMF('/qibm/userdata/os400/universalconnection/ serviceProviderIBMLocationDefinition.txt')
This file contains three different tables listing out IP addresses and TCP ports to add to your firewall to ensure that IBM service connections go through. The first table is a direct 1-to-1 mapping between the IBM service destinations and the IP addresses and TCP ports your applications will use to reach each destination. There may be duplicate addresses in this table. The second table contains all the unique IP addresses and ports that ECS/ESA use to reach IBM service destinations. These addresses and ports are the ones that you may need to add to your firewall to allow remote connectivity with IBM service. The third table only contains a few VPN addresses.
This location definition file is only available after your ECS/ESA connection change PTF is loaded. If you don’t see this file on your system, the correctional PTF may not be loaded.
For more information on firewall settings and ECS/ESA, see IBM’s Software Technical Document 419109186, Electronic Service Agent (ESA) and ECS VPN and HTTP Firewall Settings.
A Problem Detected and Averted
The information in this article should allow you to detect whether your partitions have lost IBM service connectivity and allow you to fix the problem, if necessary. The fix is relatively easy to perform and because the corrective PTFs can be applied immediately, you may not even have to IPL your system to get things back to normal.
Cover Letter for PTF SI37079 for i/OS V5R4Mx
Cover Letter for PTF SI34552 for i/OS V6R1Mx
IBM Software Technical Document 419109186, Electronic Service Agent (ESA) and ECS VPN and HTTP Firewall Settings