IBM i Security, PM400 & Power 10 Systems – What Changed?

IBM i is still boasting over its legacy of over 3 decades. And nothing comes closer to what it has delivered to date to the world of technology.

On a lighter note, IBM has made several changes to the hardware, operating system, security stature, and services offered.

Today, we are going to use this opportunity to spread light on the progression IBM has made as well as the omission that has happened as a part of the process.

Without any further ado, let’s begin!

How IBM iSecurity Protects IBM i from Ransomware?

IBM iSeries is not an isolated system, as it is connected to multiple devices, databases, and networks.

Almost every file or object stored on the IBM i has exposure to Ransomware as it does not discriminate.

It can harm each object that is easily accessible. Moreover, it can also damage the data of access connected devices and mapped network drives and leave organizations feeling paralyzed.

The iSecurity anti-ransomware will protect the organization’s data from attacks.

Let’s understand more about how iSecurity works.

What is IBM iSecurity Anti-Ransomware?

Ransomware can be defined as a malicious program that generally originates from a hacked PC device and contains the victim’s files using a public key generated from another computer.

That key is used to decrypt the encrypted files, and hackers demand money from the original data owner and release the ticket after a hefty amount is paid to them. iSecurity anti-ransomware is a program that protects IBM AS400 files and objects against a ransomware attack.

Features of IBM iSecurity Anti-Ransomware

How IBM iSecurity Anti-Ransomware Works?

A user switches on his/her PC and maps his device with the IFS files. In the process, the user clicks on an anonymous mail that contains malware, and this email triggers a ransomware program on the PC.

The virus starts encrypting the files on the PC as well as the mapped device.

iSecurity anti-ransomware from IBM AS400 can identify such files and respond to them in three ways:

Stop the Attack

The iSecurity anti-ransomware program detects and disconnects the connection between the infected system and IFS files.

It also blocks the IP address and stops the attack immediately. Due to blocked IP addresses, malware will not be able to map the network drive, and they will be removed easily with the help of IBM iSecurity.

Alert Responders

IBM AS/400 The iSecurity anti-ransomware sends instant alerts to all the designated responders, informing them about the attack. These alerts are sent using emails or messages to the system operator console (QSYSOPR).

Perform Additional Actions

The anti-ransomware program can automatically shut down the PC (generating the ransomware attack).

Ransomware files are updated regularly, and IBM AS400 iSecurity program scan the latest version of the ransomware release. The software has a unique matching algorithm designed to detect the zero-day ransomware releases for new ransomware codes that are yet to be identified.

iSecurity anti-ransomware allows organizations to exclude IFS objects from their scanning, producing false results or that are not accessible.

The IBM AS400 iSecurity program also includes attack simulator software that allows organizations to obtain details about their IFS setup. Information about any real attack can be saved in a log file. Furthermore, these details can be used to setup iSecurity anti-ransomware for triggering actions.

How to Detect a Ransomware Attack?

There is an old saying – “If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.”

The same pattern is used to detect Ransomware if it is attacking an IFS file. IBM iSecurity anti-ransomware uses different methods of detecting and stopping an attack.

• Continually run IBM AS400 ransomware detection servers that scan IFS folders and files when an IFS object is changed.
• In your IBM AS400, you can look for a specific order of activities linked with the malware. If your servers are showing suspicious behavior, like files are copied multiple times and the original file is deleted, this can indicate that ransomware has hit your system.
• iSecurity program also checks for IFS extension (looking for matches) in IBM AS400 listed in ransomware signature files.
• The iSecurity AR check for unusual changes in IFS files.
• The iSecurity anti-ransomware search for the virus’s unknown variants as per the indicator’s codes in the iSecurity algorithm.
• iSecurity AR can monitor files in IFS unknown source folders and look for ransomware modifications. The folder is loaded with so many files that look important but are worthless. Such folders are the first PoC before interacting with any other file folder and provide the time to iSecurity AR program to react. Due to this time gap provided by the honeypot, i.e., unknown source folder, iSecurity can stop the attack before it damages the entire production line.
• The iSecurity anti-ransomware program also includes an object integrity control method to check if your IBM AS400 license internal code (LIC) has been damaged or not. This method also runs an IBM AS400 API check as part of its routine scanning process.

Your IBM i Hit with Ransomware Attack? Here are the Choices you Have

We will discuss 3 fair choices you can make after being hit by a ransomware attack.

Next, let’s understand about the security features of IBM i RCAC.

The Latest Security Features of IBM i RCAC

Have you heard of the latest security features of IBM i RCAC?

Every data resource is susceptible to theft or tampering in today’s hacker-infested world. Data protection can be expensive but being hacked is even more so.

This is where the AS400 iSeries Row and Column Access Control (RCAC) comes in!

IBM i RCAC is essential because several companies are looking for effective solutions to regulate security, specifically database security.

IBM i RCAC enables database security managers to restrict who can access information in the database. Even better is that most of these security features can be enabled without requiring any changes to the software applications themselves.

Let’s understand why it is necessary to use IBM i RCAC and the several benefits it offers.

Why Use Row and Column Access Control with IBM i Systems?

Data must be protected in every business firm, and only users authorized to access that data should be able to access it. Based on the employment position, several information segments should not be accessible.

Of course, one could apply SQL Views to a database, but this needlessly complicates and notifies users that there may be information that is not available. It also increases the difficulty of maintaining the database.

Application logic could be employed, but it has a host of problems. However, a person might walk inside the tables and see all restricted data with either views or access permissions.

This is not a good situation!

Consequently, for ease of usage and implementation, we require Row and Column Access Control.

Ways to Implement RCAC for IBM i

Several older business application software was not designed with field security in mind. GDPR, CCPA, and other data security regulations emphasize the necessity for a much stronger data protection structure.

RCAC permits a specific and accurate extension of this protection, restricting access to critical information without drastically rearranging user authorization.

Furthermore, the initial query does not produce an error notification when authorization for a specific row or column is prohibited.

Instead, asterisks are displayed. This feature ensures that the IBM iSeries application that authenticates this data continues to function appropriately; only access to protected data is affected.

As a consequence, RCAC authorizations allow for more targeted accessibility.

It implies that IBM i RCAC authorizations give a tailored solution for safeguarding sensitive data that does not necessitate extensively altering existing software applications.

Implementing a new database storing orders stripped of detailed financial information and then upgrading the software to use the new table is one strategy for keeping this data secure.

However, this strategy is more time-consuming and expensive than implementing some RCAC protections in general.

Secure authorization to a few financial data sectors provides a clear approach for data security in this situation. And it does it without invalidating a presumably complex set of authorizations for marketing, finance, and customer support.

This ability to protect specific information without compromising software performance opens up new possibilities for companies seeking to optimize data security without completely redesigning data access.

As a fully integrated business technology platform, the IBM AS400 iSeries provides a compelling business model for companies seeking a decreased operational workload for IT systems.

RCAC is appropriate for this sort of operation since it enables a single admin to set up control quickly and easily without affecting the absolute reliability of the system.

The IBM i RCAC implementation is intended to address where modifying data access rights for mission-critical applications can be complicated and time-consuming.

How Does IBM i RCAC Work?

The security capabilities of IBM i RCAC become available after installing the free IBM advanced data security module:

Users appointed as database administrators can grant row and column-level authentication.

Permissions could be focused on single users or group profiles for role-based management.

The same database table can have unlimited criteria, allowing for overlapping regulations.

Advantages of Using Security Features of IBM i RCAC

Initially, only menu or option level security was supported and enabled by AS400 iSeries software applications. It essentially means that only certain menus or functionalities could be accessed.

However, once a user gets access to a specific system section, no additional specific controls could be enforced without major software application changes.

• User permissions were maintained exclusively through table-level authorization in previous versions of IBM i, but this degree of access control expanded over time to the database layer. A user would either have complete or partial access to the data in a table.
• IBM i RCAC offers far more granular controls that can be used to augment table-level rights on a case-by-case basis. It allows IBM i access control to be expanded and enforced to individual rows and columns.
• This feature uses SQL rules implemented directly at the database layer. When a query is made to the database, ground-level permissions are verified. If the question originates from an IBM i application software or a third-party system, it makes no difference.
• If the user with authorization does not have access to a specific row or column, their query will not yield any information from these protected sections.
• The row and column access control rules apply to every database user by default. These regulations apply to even higher-level authorities, such as users with data access authorization.
• Only users with security administrator privileges can handle or supervise row and column access controls within a system. As a result, you can employ security features of IBM i RCAC to prevent Data Access authority users from freely viewing all information from the database.
• Irrespective of how a database is accessed via SQL, database information is safeguarded. RCAC regulations apply to software applications, upgraded analytic tools, and report generation tools. The implementation is data-driven.
• The security features of IBM i RCAC provide an added layer of data protection. No updates to the application are required to benefit from it. Access controls are developed and defined at the row and column levels in a method that is not noticeable in existing programs.
• IBM i RCAC, on the other hand, marks a major fundamental shift in the respect that it is no more about what is being inquired but rather who is inquiring what. The response ranges for the same query differ depending on the context in which the inquiry was made. The solution’s exact goal is reflected in this outcome.

It means that app developers and database administrators must be aware that, unless given certain rights, inquiries don’t see the complete overview of the information in the database.

Having discussed at a greater depth about IBM i security, next let’s understand about performance management for AS400, PM400.

IBM PM400 – Performance Management for IBM i

IBM discontinued the services of its historical reporting offering, i.e., PM400, on 30th September 2020.

What does it mean for the loyal group of customers and other service providers who depend upon the PM400?

Anyone who has previously relied on the old but trusted AS400 systems offering will experience a break. After discontinuing this, they will not produce the same results, and the recording of historical data will stop.

If you are one of those, feeling a little lost, today you will gain some insightful tips to maneuver the AS400 landscape ahead.

Let’s have a quick look back at IBM Performance Management.

What is IBM Performance Management (PM400)?

PM400 used IBM AS400 systems collection services data, which is simplified by default and runs softly and effectively in the background ahead of the data is transferred to an IBM server where it inhabited.

Here users can view, interrogate, and report valuable and historical data through a web browser.

As of now, users have access to this data, but it’s still unknown for how long this service will be available with IBM AS400 systems.

Performance management for power systems was an exceptionally automated facility service where users feel like they are on autopilot mode. And now it’s the appropriate time to re-examine the strategy you’re reporting on and determine which system will help you to do the job better.

PM400 uses IBM AS400 applications and automated performance analysis, capacity planning program, performance analysis reports, and graphs that enable the users to analyze performance and data capability without providing the actual time associated with the collection of data and preparation of data.

Moreover, a helpdesk from IBM AS400 consultants was available to make the skilled specialist available on call daily. (As per charges) All the services provided include a customer satisfaction guarantee, and help is offered to protect customer investment.

What were the Benefits of PM400?

• Non-techie users can easily understand detailed graphs and reports and easily understandable AS400 systems performance and capacity issues.
• IBM AS400 services specialists were available to assist and recommend changes where system performance can be improved.
• Increased AS400 systems performance and enhanced user productivity.
• Decreased the involvement of technical staff in performance management tasks.
• PM400 protected the user investment with a satisfaction guarantee.
• Increased system performance and better resource planning that ensure investment is optimized.
• Trend analysis information-enabled customers to join for AS400 system needs.
• Optimized system performance to concentrate on business objectives.

What were the Key Advantages of Performance Management?

Relying on performance management for your AS400 systems was indeed a great deal. It had multi-faceted advantages to offer in terms of finding the performance gaps, improving overall system efficiency, and making data-driven shifts.

Let’s look at the advantages one-by-one.

System Management

PM400 helped in improving customer’s ability to manage the AS400 systems by performing manual tracking and recording the completed tasks weekly and monthly.

This was done to maintain optimal system performance and plan capability requirements. PM400 would eliminate the need for system analysts to detect the time required for preparing a performance analysis on an on-going basis.

Moreover, it allowed users to specify the weekdays and hourly period on which data would be collected.

User Productivity

PM400 helped users maintain high-level performance on their AS400 systems consistently and helped them keep productivity at the top level.

The performance analysis report offered a graphical representation of the system’s current activities that allowed the analysts to figure out areas of problem in the process.

Furthermore, trend analysis would enable customers to plan for business growth and expansion while maintaining the performance of IBM AS400 systems.

Growth Enablement

Irrespective of choosing the month or year of the annual report, PM400 decreased the involvement in execution and capability management.

Time saved in this process would help customers to concentrate on business operations in a better way. Performance analysis report (PM400) would also provide valuable trend as per future business needs.

Detailed performance and capacity analysis would be available to provide better assistance in helping customers to provide better assistance.

Product Positioning

PM400 was an IBM AS400 systems improved service solution meant for users who were looking for support in performance and capacity planning management.

PM400 was designed in a way so that the services could be used by all the AS400 co and customers, regardless of their relevant experience with AS400.

PM400 was designed to complement existing support and review system performance and receive recommendations to keep their AS400 system running efficiently.

Is there a Replacement for IBM PM400?

Genuinely if you want to replace PM400, you will need help from an AS400 technology partner to replace PM400.

Realize that PM400 data is generally stored somewhere on an IBM server, and you will lose access to it at some stages when replacing the service. A team of professionals from your technolgy partners’ side will help you gather the historical data split across the files.

Our Recommendation: Integrative Systems

IBM AS400 systems techies and hundreds of customers, cloud providers, and business partners rely on Integrative systems for all the support and services related to IBMi.

They will help schedule reports to run automatically and arrive as JPGs or those who want to crunch the data in another tool—a CSV file.

Apart from reporting they will utilize historical data to pinpoint issues, understand the reason behind the change, and set a cloud plan if necessary. Moreover, the experts will look at other different problems and how the AS400 system’s workload will look like with various configurations.

Next, let’s understand why Power 10 Systems is a superior successor to AS400. Let’s go!

IBM Power 10 Systems – A Superior Successor?

From the second half of 2021, IBM begun shipping of new Power10 servers.

The AS400 / iSeries Power10 processors have extraordinary features and 3X performance, and 2.6X efficiency gain compared to Power9.

As per IBM, it will bolster AI, security loads, and security in upcoming years.

Thinking, “What makes IBM Power 10 systems a superior successor to AS400?”

Let’s understand!

Power10 for IBM i, AIX, and Linux

Power10 offers impressive performance improvement and hardware features over the existing AS400 iSeries power9 software.

After the hardware availability, IBM AS400 iSeries planned to release a new OS version and technology in terms of capabilities, processing speed, data transfer, virtual machine, encryption, and in-memory workload improvements.

Impressive Architecture Specs

The specs on AS400 / iSeries Power10 are quite exciting, and the architecture is more than that, even if it is not what chip-watchers were expecting. Based on a 7nm processor, IBM was able to pack 18 billion transistors onto a 602 sq mm piece of silicon, up from 8 billion with Power9 (which was built on a 14nm process).

The new chip features 128 MB of L3 cache, 32 MB of L2 cache, but the area in which it shines is its memory sharing capabilities that will expand IBM’s lead in that area.

IBM has partnered with Samsung Electronics, and Samsung manufactures the two versions of the AS400 I-series. The high-performing SMT8 features 8 SMT per core and 16 physical cores.

IBM launched Power10s in a single-chip setup, with 16 sockets on board, and each socket would deliver 15 SMT8 cores running at 4GHz. Moreover, IBM also developed dual-chip modules, featuring four dual-chip sockets and 30 SMT8 cores running at 3.5 GHz. This allowed IBM AS400 / iSeries to deliver up to 240 threads per socket.

Data Transfer Enhancements

For keeping the processors fed with data, IBM has provided an array of mechanisms, and this is where AS400 Power10 architecture shines.

The Power10 starter pack features two PCI-Express 5.0 controllers, each having 16 lanes running at a speed of 32GT/s, and this can reach up to 128 GT/s across all lanes.

The PCI 5.0 controller was finalized in the year 2019, and this new architecture supports the new bus (which feature double bandwidth in comparison to PCI-express 4.0).

The PCI-Express 5.0 is fast, but IBM AS400 / iSeries Power10 is much faster than that.

On both sides of the Power10 chip, there are a total of 16 open memory interfaces (serializer and deserializer). Each memory interface has eight lanes wide (i.e., X8) and can deliver 32GT/s and up to 1TB/s of bandwidth. The open memory interface originally debuted with Power9 Kicker and will talk to DDR4 memory in the future.

There are four PowerAXON interfaces in each AS400 /iSeries Power10 chip that can connect to OpenCAPI interfaces or for grouping processors in a scale-up NUMA configuration.

There are 16 PowerAXON serializer and deserializer blocks in an 8x configuration, providing 32 GT/s, or 1 TB/s of bandwidth, same as the OMI blocks.

An Order-of-Magnitude Increase for Memory

IBM introduced “memory inception” architecture with this chip, and PowerAXON powers it. Some people refer to this new architecture as the “Holy Grail” of microelectronics.

It has enabled customers to share PB of memory among various Power10 systems, generating a single pool of collected memory balances to 2 petabytes, far outperforming the 64 TB of addressable memory of the most effective X86 strategies.

According to IBM, this new method will deliver data at a tiny proportion of the expectancy compared to other memory-sharing techniques, such as RDMA.

According to IBM, the AS400/iSeries memory initiation platform architecture will position Power10 as the ideal platform for the strongest in-memory workloads.

They also pointed out German ERP vendor SAP and SAS institute as the potential beneficiaries from this new server.

IBM Power10 Machine Learning Workload

For the new processors, machine learning workloads were expected to be some of the most common workloads, particularly those based on the latest deep learning models, in addition to the traditional transaction processing in Power10 servers.

IBM AS400/iSeries also included new dedicated accelerators on the Power10 server.

This consists of an implanted medium accelerator that will deliver 10X to 20X speed for machine learning inference management compared to Power9.

Up to 40% Increase in Encryption and 4X the Number of Encryption Engines

In AS400 / iSeries Power10, IBM has focused on security.

According to them, the expanded memory of the Power10 server will permit each chip to support four times more the number of AES encryptions in comparison to Power9. It will encrypt data 40% faster.

New Security and Isolation for Containers

To maximize the security of the containers, IBM has developed a new chip. Moreover, AS400 /I-Series will also provide isolation between virtual machines running on the same chip.

IBM further hardware-enforced container protection and separation capabilities recital with the Power firmware, which will be enhanced to save containers operating with Red hat OpenShift. Therefore, it will bolster AS400/I-Series Power10’s effectiveness in a hybrid environment.

IBM Power10 will deliver 3X greater energy efficiency and capacity in comparison to predecessors, which will allow high performance and more work than earlier.

According to IBM, the AS400 iSeries Power10 processor is a crucial evolution for the Power product line.

Moreover, the company has registered thousands of new and previously pending patents on the latest architecture. Apart from this, it will deliver up to 20 times better performance in comparison to IBM Power9, for AI inference workloads.

For the last five years, AS400 / iSeries Power10 has been into making, and it is the result of lots of patience and hundreds of dollars invested by IBM and Samsung. With its revolutionary I/O and other memory-sharing capabilities, Power10 will set standards for processors in upcoming years.

Next, let’s understand why IBM stopped support for 7.2 version and way forward.

IBM Stopped Support For 7.2 Version! What’s Next?

IBM announced that it would end the program support for IBMi 7.2 by April 30, 2021. The market support had already stopped the support on April 30, 2020.

In the current scenario, this is one of the most frequently asked questions regarding IBM iSeries.

Most of the CTOs ask — “Should we upgrade to IBMi 7.3 or 7.4?”

The one-word answer to this question is — it depends!

While deciding on the upgrade, you need to consider dependencies, life expectancy, and features into consideration.

Let’s understand how you can choose your upgrade, correctly.

Identify the IBM i Version Your Hardware can Support

Before you reach any conclusion, verify the version your IBM i can support.

As described earlier, there are dependencies between the hardware on which your current system is running and the OS it can help.

If you have limited hardware, then there is no choice left for you. But as per our suggestion, upgrade your system to the latest hardware and OS.

POWER7 and POWER7+ servers support IBM i 7.1, 7.2, and 7.3.

Moreover, POWER8 and POWER9 can support 7.1, 7.2, 7.3, and 7.4, which means you have more choices with this hardware.

Check Compatibility Between Business Applications and IBMi

After hardware compatibility, things come to software compatibility, and things need to be considered as per setup availability.

It is essential to verify which IBM i versions your existing business applications can support. By now, multiple vendor applications should be ready to help 7.4. So, you may also check ancillary solutions like Java and WebSphere.

Vouch for Features that Offer Value

Once you have identified the issues with your existing setup and checked hardware compatibility, you should consider features available with the latest versions and how they can be beneficial for your business. IBM iSeries is evolving continuously and providing business value.

Have a look at few offerings of 7.3 and 7.4

IBM i 7.3 offers lots of functionality in temporal support, row and column access control, and support for languages like — Node.JS, Python, and Git. Such things prove that our platform is modern.

Authority Collection by the user was also implemented in 7.3. This permits you to evaluate the users’ current security level and what level they need to run the application. This helps certify your users that the minimum amount of authority is required.

IBMi 7.4 linked with DB2 Mirror for extending continuous support. One thing to notice here is — this is not about the availability of the environment, it’s only about the availability of data. If you need continuous availability, then 7.4 is the best choice.

The Authority Collection can be run on objects in 7.4, letting you look at security from an additional angle. Using Authority Collection for things, you will know what authorities are required to perform business tasks. This will permit you to increase security around your crucial activities to ensure no one has unnecessary rights.

These features are a trailer of what IBM iSeries can offer. To know about complete offerings, you need to go through the documentation and read about each available case. This will help you to decide what’s best for your business.

The Life Expectancy of Your IBM i OS

Despite what few techies are saying, IBM i is here to stay. IBM has published a roadmap till 2031. The final consideration is the life expectancy of the OS.

If you are like many other CTOs, who have not opted for the OS upgrade as often, you should do it now.

Integrative Systems – IBM i Technology Partner of Your Choice

We, at Integrative Systems, are an IBM silver business partner with over 2 decades of experience helping IBM i shops get a better hold of their IBM i systems.

May it be strengthening security for your IBM i applications or may it be the most-waited IBM i upgrade – we can do it all for you.

We are in to be the trusted and reliable IBM i technology partner of your choice.

We prioritize our customers’ success and believe in building technological partnerships that transcend.

Here’s a list of services that we offer –

• AS400/IBM i Integration
• AS400/IBM i Cloud Migration
• AS400/IBM i Automation Services
• AS400/IBM i Application GUI Modernization
• AS400/IBM i Support Services
• AS400/IBM i Consulting Services
• Hire IBM i Developers

Drop us a line at [email protected], and our team of IBM i experts shall get back to you within 2 business days.

Frequently Asked Questions about IBM i

1. What is IBM iSecurity?

Ans- IBM iSecurity is a suite of security features & tools, designed in particular to protect IBM i applications & systems. The primary role of IBM iSecurity is to guard IBM i assets against unauthorized access, ensure data integrity, and maintain compliance with industry standards.

2. What happened to IBM’s Performance Management for Power Systems (PM400)?

Ans- Unfortunately, IBM discontinued PM400 on September 30, 2020. If you are an existing AS400 user, seeking performance monitoring solutions, you can explore third-party performance monitoring tools with the help of reliable IBM i technology partners.

3. What are the key features of IBM Power10 systems?

Ans- IBM Power10 systems offer enhanced performance, improved energy efficiency, advanced security features, and support for hybrid cloud environments, catering to modern enterprise workloads.

4. How can I optimize performance on IBM Power10 systems running IBM i?

Ans- To optimize the performance of your IBM Power 10 systems, ensure your IBM i operating system is up to date, monitor system workloads, and utilize performance management tools to identify and address potential bottlenecks. This shall help you best optimize the performance of the Power 10 systems.

5. What are the security enhancements in IBM Power10 systems?

Ans- IBM Power10 systems offer advanced security provisions including transparent memory encryption and enhanced isolation capabilities, to protect data and workloads effectively. Precisely, the security aspect is something that makes Power 10 systems a superior successor to AS400.