Features announced for IBM i 7.5 and 7.4 via TR 5 and 11 respectively include the following security enhancements to be delivered on November 22, 2024:
One new audit journal helper function was added in this TR: SYSTOOLS.AUDIT_JOURNAL_VP(). It covers the VP audit journal entry type, which is generated when someone enters an invalid password when mapping a network drive. In IBM i 7.5, a VP entry is also generated when the NetServer or an individual file share has been secured with an authorization list and the user doesn’t have authority to it when attempting to map a drive (that is, use a file share).
Helper functions have also been added to help you manipulate validation list entries as an alternative to the validation list APIs. Validation lists are commonly used by applications that want to provide user validation but don’t want to require an IBM i user profile. (Think web applications where application users need to be able to log into the application but not IBM i itself.)
The last Technology Refresh introduced the concept of a data mart for individual audit journal entry types. The benefit of using a data mart for audit journal information is that you can keep the information on the system for a longer time than you typically could when leaving it in audit journal receivers. The latest Technology Refresh lets you be even more selective about what information you have in the data mart: a parameter has been added that accepts SQL, allowing you to filter the results. Look for more details about this coming soon in Kisco U.
Also added to Navigator for i is the ability to perform web administration. If you are the person responsible for configuring HTTP and other servers to use TLS, you’ll be happy to know that a TLS configuration wizard has been added to this interface. Go to the Network icon -> Web Administration to find this new feature.
As a reminder, Navigator for i hasn’t been shipped to use HTTPS (a secure connection) for a while now due to browsers not accepting self-signed certificates. Obviously, you don’t want your login information (user ID and password) flowing in cleartext, so you need to configure Navigator for i to use TLS. Here are updated instructions showing how to use the new TLS wizard to configure Navigator for i to run over an encrypted session.
Although not strictly security-related, the new ways to see when licenses are expiring are incredibly important. Navigator for i has added visual indications of license expirations to its dashboard (shown below), to the table view listing the partitions, and to the Home panel. See the Kisco U article on Monitoring IBM i licensing for more information on proactively monitoring for license expiration as well as ways Kisco software can help.
Figure 2: Navigator for i Dashboard view showing license expiration warnings
To see the full list of enhancements for IBM i 7.5, see
For release-to-release compatibility considerations, we encourage you to review the Memo to Users for the release you’re running or plan to upgrade to. For example, in the most current IBM i 7.5 version, a note was added stating the requirement to be at ACS version 1.1.9.0 (or later) when the Password Level (QPWDLVL) system value is set to 4. ‘4’ is the best practice setting for QPWDLVL when the system is running IBM i 7.5, but the requirement for users to be running ACS 1.1.9.0 was not previously noted.
Equally notable are the authority requirements that have changed for some operations including authority requirements to use some SQL views as well as *PUBLIC authority changes for some commands. This reflects IBM’s ongoing effort to provide an operating system that is ‘secure by design’. To understand this approach further, see the white paper Securing IBM i: A Dual Responsibility by Carol Woodbury.