Kisco Systems

Kisco U

Security Enhancements in IBM i 7.6 TR1 and IBM i 7.5 TR7


IBM continues to provide new and enhanced features to help us secure IBM i. TR1 (Technology Refresh) has been announced for IBM i 7.6 and TR7 for 7.5. Both will be available November 21, 2025. This TR announces several security-related enhancements. This article focuses on the Db2 for i and Navigator for i security enhancements.

Db2 for i
New security-related IBM i Services added:

  • QSYS2.CERTIFICATE_USAGE_INFO has been added, providing insight into the digital certificates assigned to applications (e.g., ftp, telnet) within DCM (Digital Certificate Manager), including the protocols and ciphers used. This is MUCH easier than writing to the QYCDRCUI API!
  • The list of audit journal entry helper functions becomes more complete with each new version and TR. This TR sees helper functions added for the RP (restoring programs that adopt authority) and VO (Validation list entries) audit journal entries.
  • A user’s DRDA authentication entries can now be retrieved using SYSTOOLS.USER_DRDA_AUTHENTICATION_ENTRIES rather than running the DSPSVRAUTE (Display Server Authentication Entries) command. These entries are used when DDM / DRDA connections are made to specify which profile the user will run as on the target system.

In addition, incredibly helpful enhancements have been made to several existing IBM i Services:

  • The CREATE_TIMESTAMP, CHANGE_TIMESTAMP and LAST_ACCESS_TIMESTAMP columns have been added to the SERVER_SHARE_INFO view, giving us even more information to aid in file share analysis. If file shares aren’t being used, they should be removed. This information allows us to do that with even more confidence.
  • The PTF_GROUP_APPLY_TIMESTAMP column has been added to the QSYS2.GROUP_PTF_INFO and SYSTOOLS.GROUP_PTF_CURRENCY views.
  • While not explicitly a security function, the GENERATE_SPREADSHEET scalar function has been enhanced with many options when creating the spreadsheet. This, together with the SYSTOOLS.SEND_EMAIL() scalar function, allows you to more easily automate the review of your IBM i security configuration. 
  • Thanks to our own Steve Riedmueller’s suggestion, the Db2 for i team added the Object_Attribute column to the AUTHORITY_COLLECTION, AUTHORITY_COLLECTION_OBJECT, AUTHORITY_COLLECTION_LIBRARIES, AUTHORITY_COLLECTION_FSOBJ and AUTHORITY_COLLECTION_DLO views.

These Db2 for i enhancements are available with the DB group PTF SF99960 Level 2 for IBM i 7.6 and SF99950 Level 11 for IBM i 7.5.
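The file share analysis described above can be run as a single query. This is an added example, not code from the article or from IBM: the 90-day cutoff and the handling of a NULL LAST_ACCESS_TIMESTAMP are assumptions, and SERVER_SHARE_NAME, SHARE_TYPE, PATH_NAME and PERMISSIONS are existing columns of the view rather than part of this TR.

```sql
-- Added example: list file shares that look unused so they can be reviewed
-- for removal. Requires the Db2 group PTF level that adds the three
-- timestamp columns to QSYS2.SERVER_SHARE_INFO.
-- Assumptions: a 90-day idle threshold, and a NULL LAST_ACCESS_TIMESTAMP is
-- treated as "no access recorded" and sent to manual review, not removal.
WITH shares AS (
  SELECT SERVER_SHARE_NAME,
         PATH_NAME,
         PERMISSIONS,
         CREATE_TIMESTAMP,
         CHANGE_TIMESTAMP,
         LAST_ACCESS_TIMESTAMP,
         -- Whole days since the share was last accessed (NULL if unknown)
         DAYS(CURRENT DATE) - DAYS(LAST_ACCESS_TIMESTAMP) AS DAYS_IDLE
    FROM QSYS2.SERVER_SHARE_INFO
   WHERE SHARE_TYPE = 'FILE'
)
SELECT SERVER_SHARE_NAME,
       PATH_NAME,
       PERMISSIONS,
       CREATE_TIMESTAMP,
       CHANGE_TIMESTAMP,
       LAST_ACCESS_TIMESTAMP,
       DAYS_IDLE,
       CASE
         WHEN LAST_ACCESS_TIMESTAMP IS NULL THEN 'REVIEW: NO ACCESS RECORDED'
         WHEN DAYS_IDLE >= 90              THEN 'CANDIDATE: IDLE 90+ DAYS'
       END AS SHARE_STATUS
  FROM shares
 WHERE LAST_ACCESS_TIMESTAMP IS NULL
    OR DAYS_IDLE >= 90
 -- Longest-idle candidates first, then shares with no recorded access
 ORDER BY SHARE_STATUS, DAYS_IDLE DESC;
```

A recent CHANGE_TIMESTAMP on a share with an old LAST_ACCESS_TIMESTAMP means someone is still maintaining a share nobody uses, which is worth a conversation with its owner before removal.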

Navigator for i
Navigator for i delivers its new features and enhancements quarterly. From a security perspective, the major security-related enhancement you’ll see is the management of authorization lists. You can now fully manage authorization lists from Navigator for i. Previously, you could only see the list of authorization lists. Now you can create and delete lists as well as manage authorities to the lists.

One of the major enhancements in Navigator for i this quarter is the move of the web administration function into Navigator for i. While not strictly security-related, this addition provides a new wizard which makes creating a new web instance much easier and specifically makes it easier to ensure the connection is secure (encrypted). Applause to the Navigator for i team for this enhancement!

Navigator for i delivers its features via the HTTP group PTF. You’ll need to apply SF99962 Level 5 for IBM i 7.6 and SF99952 Level 24 for IBM i 7.5.

Summary
Don’t forget that IBM recently provided a new release of ACS. Here’s a KiscoU article describing some of the important security enhancements included in ACS 1.1.9.9. Finally, here’s the complete list of Db2 for i enhancements included in these Technology Refreshes. And the list of enhancements for Navigator for i can be found here.
 


Contributed by:
Carol Woodbury
IBM i Security SME
Kisco Systems