Admin Alert: How System i Boxes Impersonate Each Other, Part 2

Last week, I began covering how to change the communications identity on an i5/OS box so that it can impersonate another system and take its place on the network. This week, I’ll conclude demonstrating my i5/OS impersonation techniques and offer a checklist for making one System i box look like another System i box on your network.

Why We Impersonate?

As covered last issue, system impersonation techniques come in handy in the following situations:

• When replacing an existing System i machine with a new box. During testing, setup, and cutover, both systems may need to run side-by-side and you may have to change system identities to complete the migration process.
• When a System i box fails over to a Capacity BackUp (CBU) system for testing or in the event of an emergency. The CBU will have to assume the role of the i5/OS machine it is temporarily replacing on the network. On fail back, both the CBU and the production machine it impersonates will need to run side-by-side to resynchronize their databases.
• When failing back in a disaster recovery situation. Here you may also temporarily need to run the recovered machine and the disaster recovery machine side-by-side in order to restore and restart the production box.

Seven Steps To a Successful Impersonation

As I also covered last week, you will need to perform the following steps to enable one System i box to impersonate another System i box on the network:

1. Set up a new IP interface for the IP address, subnet mask, and TCP/IP routes (if necessary) that you want the machine to run under.
2. If necessary, change the Local Adapter Address (Ethernet) on the line description that you’re using for communicating with the network.
3. Change the TCP/IP Host Name and Domain Name for the machine.
4. Change the machine’s network attributes.
5. If necessary, change any relevant system distribution directory entries that are used by i5/OS or application programs to exchange information on the machine.
6. If necessary, check and change/create any necessary Relational Database Directory entries that are machine and IP address specific.
7. Change the Server name and the Domain name for your iSeries NetServer configuration, if you have users and applications that access NetServer to retrieve data.

Last week, I went through the first three items on the list. This week, I’ll cover the rest of the list and present a checklist that you can use when you perform your own system impersonations. Where available, I’ll show you how to change these settings from both the green screen and through iSeries Navigator (OpsNav). Be warned, however, for many of these steps, you will only be able to change these settings through a 5250 green screen; many of these impersonation techniques don’t have comparable change options in OpsNav.

Step 4: Changing the Machine’s Network Attributes

The System i’s network attributes contain control information about the system’s communication environment.

To start changing a system’s network attributes, print the network attribute values from the source machine that you want to impersonate. Inside a 5250 green screen, you can view and print a system’s network attributes by typing in the following Display Network Attributes (DSPNETA) command.

DSPNETA OUTPUT(*PRINT)

To change any of a system’s network attributes on a 5250 screen, type in the Change Network Attributes (CHGNETA) command and press the F4 key to prompt for the fields that you want to change.

CHGNETA

There are approximately 41 different network attribute values that you can change inside i5/OS, so you will need to check all the values on the DSPNETA list that you retrieved from your source machine to make sure the target machine values match the source values. In particular, you will want to ensure that the following network attributes are changed to match the source system.

• System name–The name assigned to the system. This name shows up on the system sign-on screen, the job name of every job that is started on the system, and in many other places. System name is a core value that must be changed for an effective impersonation.
• Local network ID, local control point name, default location name–These values are used by a number of different applications, particularly when talking between two System i partitions.
• Various other values used for IBM’s Advanced Peer-to-Peer Networking (APPN) protocol and for System Network Architecture Distribution Service (SNADS).

In writing this article, I searched for a place in iSeries Navigator (OpsNav) where you can change a system’s network attributes, but I was unable to find if or how you can use OpsNav to change these values.

Step 5: Change Relevant System Distribution Directory Entries

Many applications in i5/OS use system distribution directory entries to locate information about where to direct object distributions generated by an application or a program. This can be especially important for a number of applications so it’s best to review the directory on your source system so that you can add or replace any entries on the target system needed for your applications to function after impersonation.

One good example of the need to check your directory entries occurs if you’re using SNADS to transfer spool files between systems. On an impersonated system, you may find that you cannot send spool files between systems unless the entry for the QNETSPLF user is correct in the distribution directory. This recently happened to me after I brought up a new production system on an i550 box and I was trying to transfer spooled files from the old system to the new system. The SNADS spooled files transfer would not work until I adjusted the QNETSPLF directory entry to contain the new system name that was now assigned to the partition.

On the green screen, you can view, add, and change directory entries by using the Work with Directory Entries (WRKDIRE) command. To individually add a directory entry, you can also use the Add Directory Entry (ADDDIRE) command. To delete individual directory entries, use “option 4=Remove” in front of the entry in the WRKDIRE command.

Step 6: Make Any Necessary Relational Database Directory Entries

i5/OS contains a relational database directory to define different database names (and their associated network parameters) that can be directly accessed by system applications. Its entries also specify whether database connections are made by using an Internet Protocol (IP) address and port or whether the database can be reached through an associated SNADS network identifier and logical unit name (LU).

When changing an i5/OS partition to impersonate another partition, it may be important to also change the mimicking partition’s Relational Database Directory entries to match the entries on the source system. To do that, print out all the relational database directory entries on your source system and add those same entries to the target system.

To locate and work with the relational database entries on the impersonating system, use the options in the Work with Relational Database Directory Entries (WRKRDBDIRE) command. Be sure to take printouts of any RDB entries that you delete or change on the target system so that they can be restored again if you are planning on returning the target system back to its original identity later on.

Step 7: Change the Server Name and the Domain Name for Your iSeries NetServer Configuration

The last impersonation parameter to change is the Server name and Domain that are assigned to your iSeries NetServer configuration. NetServer provides System i file folder support to Windows PCs. Many i5/OS applications such as Fax servers also make use of stream files located in the AS/400 Integrated File System (AS/400 IFS), and those applications use NetServer to locate and serve files.

Unlike some of our other steps, iSeries NetServer configuration can only be performed inside iSeries Navigator. There are no green screen commands to modify your NetServer configuration, and the only way that I know of to update NetServer on the green screen is to use the APIs listed in the iSeries NetServer API Guide.

Because you have to use OpsNav to change your NetServer parameters, the catch is that TCP/IP needs to be active in order to make the changes. To modify your NetServer Server name and Domain name, perform the following steps inside OpsNav.

• Under the OpsNav path that contains your target i5/OS partition, open the Network→Servers→TCP/IP node. This will show all the TCP/IP servers on your target system.
• Right-click on the iSeries NetServer entry that appears in the right-hand pane of OpsNav. Select Properties from the pop-up menu that appears.
• Select the General tab from the iSeries NetServer Properties menu. This will display the system’s current iSeries NetServer startup properties, including the NetServer Server name and Domain name. Click on the Next Start button on this screen.
• The iSeries NetServer General Next Start panel shows the Server name and Domain name that will be used the next time the iSeries NetServer server is started on this partition. Change these values to the values that you retrieved from your source system.
• Stop and restart your iSeries NetServer server and the server will start using your new values when it restarts.

And That’s All????

Although it’s been my experience that these seven steps cover the majority of tasks needed to make one System i box impersonate another, they may not be all inclusive for every situation. Use this checklist as a base but be sure to also perform your own investigation to uncover any addition impersonation techniques that are specific to your organization.

About Our Testing Environment

Configurations described in this article were tested on an i5 550 box running i5/OS V5R4. Many of the commands may also be available in earlier versions of the operating system running on iSeries or AS/400 machines. iSeries Navigator (OpsNav) features were tested with the OpsNav version that is shipped with iSeries Access for Windows V5R3M0. If a command is present in earlier versions of the i5/OS or OS/400 operating systems, you may notice some variations in the pre-V5R4 copies of these commands. These differences may be due to command improvements that have occurred from release to release.

Checklist: Enabling One System i Box To Impersonate Another on the Network