by Heather Beck, Product Support Manager, Bytware

If you have a well-implemented security plan, you have already identified your end users and have given careful consideration to their authorization roles. But what about security within your IT department? Have you restricted the authority of your IT staff members or software vendors who supply applications on your system? Do you have any IT consultants that have access to your system? Individuals within your IT department pose the greatest security threat of all. As with all other employees, IT staff members should only be authorized to those functions that require them to do their job. Generally, IT workers are trusted; but you can’t base your security on trust.

An obvious first step in taking control (remember security is a business function), is to ensure that all users are properly authorized to perform their jobs AND are otherwise restricted. You must identify the authorization roles within the IT department as well. Consider your operator who must coordinate with end users to resolve workstation issues, job issues, and printing problems. They may even schedule daily batch jobs. Do you have a communications administrator who maintains device descriptions and network configurations? Are they the same person as your operator or network administrator? After you’ve defined roles for your own IT staff members, you mustn’t forget about those vendors and consultants. They are an integral part of your IT environment.

There is also a looming threat regarding profile swapping. Profile swapping is a common technique used to elevate a user’s authority only when they need it. Using the IBM-supplied User Profile Swap APIs is a good way to temporarily gain control of another user profile. Once a job has been changed to run under a new user profile, every activity happening after that will fall under that new profile. For example, if you were to display spooled files, you would see the spooled files for the new user profile that you swapped to even though you signed on under your own user profile. And if you submitted a new job, it would be submitted under the new profile. There are many business reasons to use this technique but it can also come at a heavy price.

So you’ve defined your profiles and granted and revoked authorities, but your system and users aren’t static. Employees and business requirements change. And even if their authorities are well-defined and will never change, there are times they could potentially be acting like someone else (profile swapping!). Therefore you must also take steps to constantly audit these users and authorities to ensure your security is effective over time. You need a peek into your system on a periodic basis to be sure you’re not still relying on trust with your IT staff.

The System Audit Journal allows you to perform user level event auditing. You can audit an IT staff member’s actions or their use of particular objects, or both by using the CHGUSRAUD command. This command gives you an excellent tool to spot-check users with *ALLOBJ special authority. QAUDJRN even logs a PS audit journal entry when a profile swap has taken place.

To enhance your security and assist in investigating suspicious activity, a screen-capture utility like Bytware’s PeekPlus can be invaluable. PeekPlus gives you the ability to view another user’s screen in real time, up to the last keystroke. Screen activity can even be recorded to a file to provide a permanent audit trail or it can be imported to any word processor to document incidents. Security administrators need tools that allow them to investigate security matters from their own terminal, and PeekPlus allows them to view another user’s screen with or without their knowledge.

Although you trust your IT staff, you may still need to monitor their activity or record their screens for evidence gathering, internal HR-related investigations, or just general security auditing. Have you ever wondered what exactly your night operator is doing when you’re not there? Wouldn’t it be nice to keep track of their screens to review the following morning? Or do you have trouble with someone answering messages incorrectly on the Console during day-end operations? Wouldn’t it be helpful if your IT consultants or software vendors knew they were being watched when they accessed your system? You can use PeekPlus to document the screen contents of any interactive job and send the screens to a file or printer. You can submit a job to capture screens to a database file, and that job will run until the device is signed off. You can then import the file into another application or download to your PC. You can also automate the screen capturing process using a CL program or job schedule entry.

Just because you have a well-implemented security plan, doesn’t mean trust will get you far. Consider the users in your IT department, define their roles clearly, and get tools to help you minimize the risk.

If you would like to find out more about PeekPlus contact us at 775.851.2900 or visit http://www.bytware.com/pp.

How to Prevent IFS Worms from Making Off with Your Critical Data

By Sandi Moore, Technical Consultant, Bytware

Throughout the day, we all receive hundreds, if not thousands, of emails in our Inbox from various sources—including co-workers, customers, vendors, and more. We rely on our corporate mail server and our local PC virus scanning to protect us from threats that may be hiding in those emails. Our mail admins remind us time and again to avoid opening unsolicited attachments or clicking on links from unknown persons. Data is constantly flowing through web browsers, FTP servers, shared network drives, removable media, and many other avenues. Knowing that these are all paths to infection, we scan and secure them as well. But what about your IBM i?

In recent months, we have seen a rash of virus infections that have had a frustrating impact on the IFS for many customers. W32/autorun.worm.aaeh is a worm that spreads by making copies of itself on removable drives and mounted network shares (i.e. your mapped drive to the IFS) and embeds copies of itself in ZIP and RAR files. It will hide the directories on removable drives and replace those directories with copies of itself—using the same filename as the hidden directory—so that when a user opens the mapped drive, it looks like their folder; but it is really the virus. It also checks for certain file types, changes the attributes to hidden, and creates a copy of itself with the same filename as the hidden file. The result? When you try to access your file, you are instead launching the virus. And this is just on your IBM i. The issues caused on PCs run even deeper.

The clean-up process ties up massive man-hours and involves using WRKLNK to find the affected directories and remove the bad files, as well as running CHGATR command to change the attributes of all the hidden files back to their correct state. Along the way you must try to prevent users from launching copies of the worm again and undoing the cleanup already done. The good news is that the damage from this virus is superficial, if not annoying. The next one could be more like the MyDoom virus that deleted files from any mapped drive it found.

Can this be prevented? Yes, the spread and damage of a virus can be prevented with a combination of strategies. First, limit who has the ability to map a drive to your system. For those who do need this ability, limit what functions they are allowed to perform through that mapped drive. A virus launched on a PC has all of the authority of the User who launched it, so if you have someone with SECADM mapping a drive that connects automatically, you have the potential for big problems.

Second, implement a native anti-virus software package on your IBM i to scan your directories for viruses. StandGuard Anti-Virus allows you to take advantage of the IBM-supported on-access scanning to prevent the virus from spreading. On-access scanning is done in real-time as the file is accessed through the File Server and any file found to be infected is stopped dead in its tracks. It also allows you to scan your full system on a regularly scheduled basis to look for files that enter through the many other means available such as FTP, optical drives, backups and other.

You never know what is hiding on your system until you scan it. And with regulatory standards such as PCI-DSS requiring the deployment of anti-virus software, you’ll not only be cutting off threats such as W32/autorun.worm.aaeh at the pass, but also ensuring that your organization is fully prepared for reporting and audits.

Find out more about protecting your IFS! Register for our May 15 webinar “3 IFS Weaknesses You Must Secure—Now!”

12 Ways MessengerPlus and Robot/SCHEDULE Can Work Together!

By Chuck Losinski

The scheduling functionality built into IBM i can help you take control of the jobs running on your system. But if you truly want to unleash the power of MessengerPlus for automated systems management, combining it with Robot/SCHEDULE from Help/Systems is the perfect solution. Robot/SCHEDULE takes you beyond the basics of IBM i scheduling with the ability to create finely tuned workflows that match perfectly to the unique requirements of your environment. Here are 12 ways that MessengerPlus and Robot/SCHEDULE can enhance your operations.

1. Have MessengerPlus monitor for the SLA messages that Robot/SCHEDULE can generate. (See Figure 1.)

Robot/SCHEDULE has a built-in job monitoring function that can monitor for and detect if:

a. Your job did not complete on time or ran too long
b. Your job ran too quickly (file might be empty)
c. Your job did not start on time

Figure 1: Job monitors

2. Let Robot/SCHEDULE fetch your PTF updates for MessengerPlus by scheduling the MPRUNUPD command at the best time for YOU. Possibly make this process dependent upon your month end process completing. This is called “Reactivity” in Robot/SCHEDULE and allows simple or complex dependency processing depending upon your needs. See the example job flow diagram from Robot/SCHEDULE (Figure 2).

Figure 2: Job flow diagram showing job dependencies

3. Have MessengerPlus monitor the critical Robot/SCHEDULE jobs that constitute the engine of Robot/SCHEDULE in the RBTSLEEPER subsystem. Critical jobs:

a. ROBOT
b. ROBOTREACT
c. ROBOTJM
d. ROBOTAUDIT
e. ROBOTSBMJ

4. Have MessengerPlus monitor the RBTSLEEPER subsystem to make sure it is active and running the various Robot products.

5. Monitor for the RB16404 message from your Robot/SCHEDULE jobs which indicates that one of your Robot jobs ended abnormally. These jobs can also be displayed in the Robot/SCHEDULE Schedule Activity Monitor for a visual indication that a job has ended abnormally. The Schedule Activity Monitor shows you a 24-hour forecast of your job schedule, the jobs that are queued or running, and the completed jobs. It automatically refreshes to give you an up-to-the-minute status of your Robot jobs. (See Figure 3.)

Figure 3: Schedule Activity Monitor

6. Embed the MessengerPlus command to send an email (SNDPGRMSG) when your job stream is starting, you’ve reached a critical checkpoint, or your job stream has completed. Unlike the native IBM i scheduler, Robot/SCHEDULE jobs can contain multiple commands and can stop processing the job if any of the commands fail. (See Figure 4).

Figure 4: Command entry in Robot/SCHEDULE

7. Schedule the MessengerPlus commands to hold (HLDMON) and release (RLSMON) resource monitoring during a month end process or another time.

8. Schedule the MessengerPlus Event Monitoring (PRTEVT) report giving you a detail report of the exceptions to the resource monitoring, job monitoring or message history. Use Robot/SCHEDULE Reserved Command Variables to fully automate the date range submission for the report. (See Figure 5).

9. Schedule the MessengerPlus command to delete Event History based on days old, monitor name, status, type, originating system, and severity.

10. Schedule the MessengerPlus command to end (ENDMP) then restart (STRMP) MessengerPlus due to the limitation on the number times and ILE program can be called. We recommend doing this on a weekly basis.

11. Using the “EVERY” option in Robot/SCHEDULE to run a job every X minutes, schedule a “heartbeat” message using the SNDPGRMSG that MessengerPlus is active. Send that to the operations team responsible for monitoring all systems. There are many advanced scheduling options built into Robot/SCHEDULE to handle all of your complex scheduling needs. (See Figure 6).

12. And last but not least use the conversion from the native scheduler to import all your batch jobs into Robot/SCHEDULE. This will allow you can take advantage of all the great features of Robot/SCHEDULE described above to automate, monitor, and control your scheduled jobs using the Robot/REPLAY plug-in and the Enterprise plug-in for Windows, Unix, and Linux. (This last one has nothing to do with MessengerPlus but we wanted an even dozen!)

Want to try combining MessengerPlus and Robot/SCHEDULE for yourself? Try Robot/SCHEDULE free for 30 days.

Q&A

How can I secure Telnet by User ID if no User ID was sent upon connection?

The Telnet server normally allows clients to connect without providing a User ID and password. This makes it easier for users to try different User IDs and passwords using the sign-on screen. Additionally, it would prevent your system security tool from being able to enforce Telnet policies based on User ID, because no User ID was sent.

StandGuard Network Security builds upon the OS design and requires a User ID and password to be sent upon connection. The option is provided to require the Telnet Client to send a valid User ID and password on the connection request. This makes it more difficult for users to try different User IDs and passwords, and prevents devices from being automatically selected and subsequently disabled due to invalid sign-on attempts. It allows StandGuard Network Security to enforce Telnet policies based on User ID (or group).

Do I have to run StandGuard Anti-Virus under user QSECOFR or can I use my own profile?

Several parts of the application need *SECOFR authority from time to time and the functions are submitted by default under the STANDGUARD user profile, but when STANDGUARD needs more authority it swaps to QSECOFR. The profile that STANDGUARD swaps to is listed in a data area. If you don’t want STANDGUARD swapping to QSECOFR when necessary, you can change the user profile that is used. Please use a profile that has *ALLOBJ, *SECADMN and has a directory entry. To make the change:

CALL PGM(STANDGUARD/AVCHGAO) PARM(userprofile STANDGUARD)

The program needs 2 parms, the preferred user profile name, and the STANDGUARD library name.

Messenger 8 adds improved job management and easier compliance reporting

Bytware, a division of Help/Systems, LLC and provider of systems management and security solutions for IBM Power Systems servers, is pleased to announce a new version of their IBM i message monitoring tool, Messenger 8. This latest update adds new ease-of-use enhancements in the areas of job management and compliance reporting.

These enhancements help users and managers of IBM Power Systems servers—including AS/400, iSeries, and System i—more easily identify jobs running on their systems that are critical to business operations. By facilitating fine-tuned searches, helping IT staff collaborate on incident response, and enhancing the built-in capabilities of IBM i, Messenger 8 brings message monitoring in line with the latest approaches to server management.

As Bytware Product Support Manager Heather Beck explains, “More and more of our customers are deploying virtualization technologies, and our products need to support that flexible infrastructure. Messenger now supports Live Partition Mobility to guarantee there is no outage with their systems monitoring while they are performing that load balancing act.”

Messenger 8 also adds new tools to streamline compliance audits and reporting. Managers can easily create detailed lists of all devices associated with the system, along with their numbers, to whom they belong, and schedules configured for them. These reports make it simple to satisfy auditors by clearly presenting all information up front.

Lastly, with security at the forefront in today’s corporate environment, a new enhancement brings support for servers that require SSL authentication. This feature gives managers the freedom to encrypt communications through any server or mail service—including Gmail—and satisfy important aspects of auditing and compliance.

Messenger 8 is available now, and a free trial can be requested through the Bytware website at www.bytware.com/m8.

One popular misconception is that the IFS is a separate and distinct file structure that was added to store and serve PC files; and if you don’t store PC files on your IBM i system, there’s nothing to worry about. Part of this misconception comes from the fact that when the IFS first appeared, the entire system save (GO SAVE, option 21) procedure was expanded to include an IFS save in addition to saving native objects and DLOs (the original mechanism used to serve PC files).

The Real IFS

In reality, “IFS” is the umbrella term for all of the various file systems, including native objects in the /QSYS.lib folder and DLOs in the /QDLS folder. In fact, if you look at the help text for a full system save, you’ll see that an IFS save simply omits the paths to items already saved by traditional save commands. Technically, the entire server can be backed up by saving the IFS (although the Licensed Internal Code can’t restore the operating system if saved in that format).

IFS Security Risks are Real

So, why is there a security risk associated with the IFS? It starts with the fact that you work with the IFS using your normal IBM i credentials. The system interface doesn’t differentiate how a user profile accesses data. If you can sign on to a green screen application, you also can potentially access the IFS. As with network interfaces such as FTP and ODBC, if your native objects are secured using only menu or application-level security, a user may have sufficient object authority to read, change, or delete data—even basic read-only rights allow data to be leaked. This is because IBM i ships with a public authority default of *CHANGE. If your security administrators or application vendors haven’t secured your application objects (and most haven’t), users have unlimited access to the data.

It’s easy to access IFS directories using powerful tools like IBM Navigator for i and Windows Explorer, both of which provide users with the ability to exercise their full IBM i authorities. A user can casually delete a folder in Windows Explorer, only to find out later that it was an application library on the server. Unfortunately, there’s no recycling bin and no undelete for these folders. With permissive public authority and the common over-assignment of All Object (*ALLOBJ) special authority, this is an expensive mistake that can happen in the blink of an eye. If that’s not enough to make you sit up and take notice, be aware that activities that don’t violate the permission levels of an object typically aren’t audited!

Can You Secure the IFS?

Because IFS authority can be complex, time consuming, and prone to over-securing, the IFS often is ignored in a company’s security plan. It’s best if you make changes in manageable phases, and document changes so they can be undone if necessary.

So, what can you do and where do you start? The best security practices result from the synergy between three components: IBM i controls, Bytware solutions, and administrator deployment.

IBM i Controls

While it may seem that the “ball was dropped” with IFS security, the reality is that IBM i can protect an object (or “stream file” in IFS terminology) from any user or access method—but only if the authorities are configured correctly. IFS authority is built on a UNIX-type model and uses different terminology. Authority templates used to secure the data rights of native objects including *USE, *CHANGE, and *EXCLUDE are replaced with combinations of read (*R), write (*W), and execute (*X) permissions.

The following table shows a comparison between native IBM i and IFS data authorities.IBM ships public permission to the base IFS folder (commonly referred to as the “root”) as *RWX. Change this to *RX to prevent users from creating new objects and folder structures in the root. The other IBM-supplied folder structures under the root typically are configured correctly and should not be changed.

The /QSYS.LIB folder structure contains the operating system and user libraries, and is the most sensitive folder in the IFS. Users rarely require access to this structure via the IFS. This is fortunate because they can do extensive damage in a short amount of time. IBM i has a special authorization list, QPWFSERVER, designed to prevent anyone without *ALLOBJ special authority from accessing this critical folder. QPWFSERVER ships with public=*USE. Change this immediately to public=*EXCLUDE. You can grant users who have a business need to access this structure, but lack *ALLOBJ special authority, private authority to the authorization list. File shares should be mapped to specific libraries (or files) to reduce the amount of damage these users can do. Remember, users with *ALLOBJ special authority cannot be restricted from any object—native or IFS.

Add Bytware Solutions

Bytware’s popular exit point monitoring solution, StandGuard Network Security, enhances IBM i controls with powerful access and auditing functions. It allows you to observe and restrict activities such as copying, opening, and deleting stream files without the complexity and overhead of maintaining IBM i authorities. Using a simple object-based approach you can monitor IFS directories to notify security personnel if users attempt to access files to which they have no authority. And, because this functionality rides on top of the operating system’s authority checks, it’s effective with *ALLOBJ users.

StandGuard Network Security silently audits all IFS activities. Typically, organizations start using reports generated by StandGuard Network Security to build a knowledge base of legitimate access before they define access control rules. These rules can be based on the general activity (copy, delete, create), or on the stream file or directory affected. Rules can be for a single user, a group profile, or the IP address of a user’s workstation. You can make the rules as permissive or restrictive as you wish, and gain visibility and control that you can’t attain with IBM i alone. StandGuard Network Security also provides protection for your native objects by controlling user access through powerful interfaces such as FTP, ODBC/JDBC, and remote command.

Additionally, the product’s command security capabilities can secure the WRKLNK command and control IFS access from a user’s 5250 session. Its public authority default of *USE means that any user with command line permission can access the same structures as the desktop tools mentioned earlier. Other commands allow users to create and change directories, and work with, change, and display authorities. Authorize only the users who need legitimate access to these commands. Controlling how and when any command can be executed is the answer to command restriction requirements.

StandGuard Network Security can also evaluate conditions in the network environment and perform actions when a user—including those with *ALLOBJ special authority—invokes a monitored command. Actions include stopping the command from being executed, modifying the command, and sending a notification message. And, it maintains a complete command use audit trail for auditors.

You Can Secure The IFS!

Combining IBM i controls with Bytware’s StandGuard Network Security helps close the door on IFS vulnerability. By following a few simple recommendations, IFS security risks disappear. Enhance the security of your IBM server by looking to the most trusted partners in IBM i security: Bytware.

Learn more about StandGuard Network Security and request a free trial by visiting www.bytware.com/ns.

Fine-Tune Subsystem Monitoring with Messenger 8

by Sandi Moore, Technical Consultant, Bytware

At any given time, there can be hundreds, if not thousands of jobs running on your IBM Power Systems server in a variety of subsystems. If any one of those jobs or subsystems is missing, critical processes can halt and workflow becomes disrupted. The longer the job is down, the more it compounds the problem.

Messenger has long had the ability to monitor the WRKACTJOB screen for problems such as high CPU usage, status or response time, or for jobs and subsystems that should be running. But what if there are supposed to be three jobs with the same name running at the same time? Or five jobs with different names running in a subsystem?

This task has become easier with Messenger 8 thanks to a new Subsystem monitor. This new monitor allows you to watch a specific subsystem for a number of jobs running or not running, as well as for specific conditions such as greater than, less than, equal to, or not equal to any number of jobs with specific variables such as User, Type, Status, or Function. This new functionality allows you to pinpoint problems quickly and resolve them promptly.

The QSYSWRK subsystem has numerous jobs that are critical for many applications to run properly and is automatically started by the OS after an IPL. The server job for a TCP/IP application must start in the QSYSWRK subsystem. If you are running MSF (Mail Server Framework), you need to have three QMSF jobs in the QSYSWRK subsystem. DRDA server jobs and their associated listener job run in this subsystem.

You can easily configure Messenger’s Subsystem monitor to notify you if the QSYSWRK subsystem has no jobs running in it by setting up a compare EQ 0 jobs.

To monitor for the three QMSF jobs that should be running in the QSYSMSG subsystem, you can add an Event monitor specifically for that condition. You will be notified if there are less than three occurrences of the QMSF jobs. Messenger can be configured to automatically start them for you, too.

Another potential problem on the system is when you have too many occurrences of a specific job. It’s possible that it has been submitted too many times, or the first occurrence of the job failed to end and now you have two. Messenger can notify you if you have more than one occurrence. Using a generic job name, you have the ability to check even if the job name changes with subsequent submissions.

With larger systems, you may run into a problem with too many jobs in a specific subsystem. If you have users who start multiple interactive sessions unnecessarily, that can put a drain on your resources. You can monitor for a threshold of jobs in the subsystem or narrow it down further.

The flexibility of Messenger allows you to define the focus of your monitoring to keep you up-to-date on what is critical for your system and your environment. With Messenger, there is no more guessing or hoping that your subsystems are running as they should.

If you’ve yet to upgrade to Messenger 8, contact us at 775.851.2900. We would be happy to help you take advantage of these latest enhancements.

Go Beyond Network Security to Tackle the Top Security Issues Facing the IFS

You understand that network security is critical for protecting the data stored on your IBM Power Systems server, and you understand that the Integrated File System is at the center of it all. But guarding against excessive user authority isn’t the end of protection. What you may not realize is that the IFS can quietly host and spread viruses and malicious code.
To help you learn more about this threat and other top security issues, we’ve put together an exclusive IFS Security Bundle. Comprised of an IFS Security White Paper, recorded IFS Security Webinar, and the StandGuard Anti-Virus Technical Packet, this bundle can help you identity areas of risk and ensure that you have all the proper protection in place.

Don’t let your organization make headlines following a security breach. Download the IFS Security Bundle today.

Q&A

I am getting ready to upgrade my OS. How can I tell what version of your software I am running and if it is compatible with my new OS?

To determine the version of a Bytware solution that is running on your system, use the following commands:

• For Messenger, run command DSPPTF 0MP2000
• For StandGuard Network Security, run DSPPTF 0SG3000
• For StandGuard Anti-Virus, run DSPPTF 0AV2000

For each product, after running the command refer to the “Release of base option,” which is the same as the version.

For PeekPlus, go to the PEEK screen and refer to the bottom of the display. Once you know your version, you can refer to the Compatibility chart on our website at http://www.bytware.com/support/compatibility-chart.html to see if the current version of your software is compatible with your new OS.

I need to create a custom report of my StandGuard Network Security Events and export them to a spreadsheet. How can I do this?

In order to create a report, you will need to use StandGuard Network Security’s IBM Navigator for i plug-in. (If you have not already installed the plug-in, please refer to the User Guide for easy instructions.)

Open Navigator for i, go to System > Security > StandGuard Network Security, and open the Events panel. Using the Search menu, narrow down the types of events you want to include. Select the File menu, Preferences, Fields in events table to select what event fields you want included in your report.

Once you have done this, you can go to the File menu, select Export, choose either all events or just selected events, and then export to a Comma-separated or Space-delimited file and save in any location you want. You are now ready to import that file into your spreadsheet to display in a chart or graph.

I have noticed that my JOBRUN monitor only notifies me once when it finds a Job not running on my system. Is there a way to have it notify me repeatedly until the job is started again?

You can have Messenger repeat the notification by adding a Repeat on the *PAGE action. Locate the *PAGE action on your JOBRUN monitor or Event monitor, do a “2” to change, define the “Repeat until acknowledged” minutes to set how long to wait between pages, and then press Enter twice to save the change. Messenger will now send your notification repeatedly (for all future occurrences) until the job is back up and running and the Event is acknowledged.

Today, the latest Power Systems™ have multiple IBM i, AIX, or Linux partitions—potentially fully virtualized micro-partitions—hosted on a single Power Systems server. These developments in IBM i and the POWER7® processor have put us in the middle of a consolidation revolution. Here are three technologies that can help you join it.

1. Subsystems
Thanks to subsystem technology, the IBM i operating system (and its predecessors OS/400 and i5/OS) could be designed to allow multiple environments to run concurrently. Subsystem definitions allow the administrator to segregate work (interactive, batch, server) into their own memory pools and their own separate and distinct job queues, all sharing a portion of processor time. This was the first form of consolidation technology and is still strong today. In fact, with the horsepower available on a single system today, it is quite possible to consolidate multiple systems and thousands of users onto a single Power Systems server with a single partition.
Do you have multiple companies or divisions? Break them apart by subsystem, with each user environment assigned to a specific job description that will direct them into the proper subsystem and the appropriate libraries and directories. For motivation, consider one of our customers who, thanks to subsystem technology, consolidated more than 800 dedicated store system AS/400s to six POWER7 partitions running IBM i. Imagine how much easier the administrator’s job got and how much energy was saved!

An additional consideration when consolidating is the security of your data. While the workload runs in distinct configurations, the server configuration and application data remain united. Depending on the nature of the data, it is critical that IBM i security controls are fully understood, deployed, and monitored. Privileged users can access the data across all of the workloads or applications, meaning that it becomes difficult to secure data across different companies or corporate divisions.

2. Independent Auxiliary Storage Pools
Independent ASP (iASP) technology is another form of consolidation. iASPs let administrators isolate data onto groups of disks that can switch between partitions. Multiple iASPs can be attached to a single system. For example, this could allow multiple divisions or customer workloads to be consolidated on a single partition. You could consolidate different business operations, multiple development or simulation environments, or even multiple versions of an application onto one partition using the same library names housed in separate iASPs while keeping the data totally isolated.

ASP technology allows for more segregation of the application data but usually requires program changes before it can be supported. This is because library and directory objects are referred to with the same name but with an iASP prefix. IBM supports full disk encryption (FDE) via disk pools that are assigned to an ASP. Although this is not a “silver bullet” for data encryption, it protects data transmission to and from the disk drive (important in a SAN environment), and when a disk unit is removed or stolen.

3. Virtualization
Consolidation via virtualization is not new to IBM i. The IBM i single-level storage technology is a form of virtualization and was first implemented on the System/38, allowing for virtual memory where the OS regards all primary (RAM) and secondary storage (DASD) as one large pool. Single-level storage allows processes and jobs to run without the programmer having to estimate how many programs or how much data to load into memory at one time. This greatly simplifies handling a large company’s “big data” needs and simplifies programming and database management.

Another technology is virtual media, which allows backups without physical tapes and, thanks to CD image catalogs, product installs to run without physical CDs. Virtual media allows program installs and updates to be shared across multiple partitions with ease and without having to physically load media. Virtual tape can be combined with iASP technology for backup to a storage area network (SAN). This iASP could then be attached to another partition for recovery or archiving.
Virtual partition technology is available with PowerVM, which, in combination with iASP technology, adds tremendous capabilities to our IBM i world. But virtualized partitions weren’t invented on Power Systems—they have been around in the mainframe environment for years. Power just improved on the technology. And it is truly exciting technology, as it allows as many IBM i, AIX, or Linux partitions as are needed to be created and enabled. All you need is disk, memory, and CPU (and appropriate licensed programs from IBM).

Why might you create a virtual partition? Simple: To better utilize resources. For instance, a fully virtualized partition could be created to test a new cumulative PTF package or new version of the operating system, then deleted when the testing is complete. A test partition could be created to validate a new release of application software. Virtual partitions can be copied. Virtual partitions can be suspended when unneeded, thereby freeing up resources for other partitions. Suspended partitions are saved to disk much like a file or a directory. This is very similar to virtual memory technology, where pages of memory are sent to disk when not needed and brought back as required.

Virtualized partitions cut power consumption and allow for CPU and I/O resource sharing. Another feature is active memory sharing, which allows the dynamic exchange of memory between active virtual partitions. And then there is the crown jewel of virtualization: Live Partition Mobility, which allows you to move a virtual partition—while it is active—between frames, with no system outage to the end user.

Live partition mobility (LPM) is similar to PowerHA in that it copies the entire partition’s data at the disk level out to a SAN on your network, which in turn is attached to another Power Systems frame. The advantage is that you can activate this copied partition on the target frame in seconds; and any remaining updates happen after the partition comes up on the target. This is not a substitute for a high availability fail-over plan using PowerHA or another mirroring tool. LPM is used for planned system outages; workload balancing by moving a partition from light to busy systems; or for consolidation of multiple virtual partitions onto one hardware frame.

IBM i, Unix, and Linux Consolidation
One IBM Power Systems frame can host IBM i, Linux Red Hat or SUSE, or AIX Unix partitions in a single “footprint.” This is a great opportunity for server consolidation. However, this does cross “political” boundaries that may exist in your IT structure, since those systems are all supported in one place, from one PowerVM or HMC console, and are sharing CPU, memory, power, and rack space. This might be a great opportunity to consolidate those duties or, at a minimum, cross-train those administrators. Bring factions together to discuss the advantages of this consolidation: reduced power consumption; having a single vendor; and a simplified, more flexible environment.

An additional consideration when running multiple operating systems on a single Power Systems server is the possibility of virus and malicious code infestation. While IBM i is immune to viruses designed to attack Windows or Unix, it can serve as a quiet host to viruses and malicious code. Because IBM i cannot execute this code it can become a virtual Typhoid Mary, spreading malicious code to client PCs and to partitions that can execute it. In fact, this immunity makes it difficult to trace the infection back to its true source: IBM i. It is therefore important to monitor the integrity of IBM i Objects and all files stored on the Power Systems server—across mixed-OS partitions—to avoid costly infections and data loss.

xSeries Consolidation
One other opportunity for consolidation is to host your x86 Windows server disk on a Power Systems shared disk using iSCSI, so when your IBM i saves the integrated file system (IFS), it also saves the Windows storage environment. There’s nothing like the peace of mind you get from an IBM i backup.
Whether you use traditional subsystems, independent ASPs, or virtualization, it will take some time to learn how to use the technology and how to use it at your company. And plan ahead: Power Systems technology is moving so fast, IBM will no doubt release a new technology refresh, adding new features to the virtual environment, giving us more opportunities to consolidate, and more technology to study and implement.

Consolidating for Automation and Security
Automating the monitoring of system events and notification can improve the efficiency and productivity of your organization while at the same time saving you significant money. Such automation can also ease the burden of regulatory compliance. Likewise, taking steps to ensure the security and integrity of your data on mixed-platform Power Systems can help you avoid the types of data breaches that are impacting companies both large and small. Bytware’s Messenger and StandGuard solutions make it easy for to cover all of these bases with cost-effective monitoring, security, and anti-virus tools that have been trusted by companies worldwide for more than 20 years.

Ready to join the revolution? Learn more about automated monitoring and notification by downloading the Messenger Technical Packet and Interactive Calculator, which can show you exactly how much a period of downtime could cost your organization. And to learn more about preventing malicious code from impacting your operations, download the IFS Security Bundle, which includes a recorded webinar, IFS Security white paper, and the StandGuard Anti-Virus Technical Packet. These instant downloads are absolutely free. No forms required.

If you are given the task of Lotus Domino administration, you need a way to get the most out of your valuable time. Bytware’s Messenger can help you monitor Lotus Domino and assist you in taking steps to ensure a smooth and optimized environment.

When a Domino server runs out of disk space, users will experience trouble sending and receiving e-mail. Often times, e-mail will be deleted and “write” errors will appear. Using the supplied DISK monitor in MessengerPlus or MessengerConsole will allow you to detect sudden changes in disk growth or when disk space is reaching a specified threshold. When specified thresholds are reached, the software triggers an alert that tells the administrators of the impending disk disaster.

The health and stability of an application may rely upon a number of running Domino jobs. If the required jobs or subsystem fail to start or stay running, Messenger can alert you and can even restart the jobs or subsystems automatically. Within Messenger, use the supplied JOBRUN monitor to verify subsystem DOMINO0xx is active at all times. Or take advantage of the supplied JOBRUN monitor to verify each job in the Domino subsystem is active (for example, AMGR, HTTP, UPDATE, EVENT, ROUTER, SCHED, and SERVER jobs).

There are other job attributes relating to Domino jobs that will alert you to a potential problem, such as the job consuming too much CPU. Messenger’s preconfigured JOBMON monitor can detect any job consuming too much CPU or otherwise hogging resources. You can fine-tune the monitor to pay special attention to a job running under user QNOTES and alert the administrator of the condition.

All Domino data files should be owned by user profile QNOTES. And QNOTES must have read and write access to these data files. In addition, Domino writes temporary files to /tmp and QNOTES must have write access to this directory. Because many Domino jobs run under user QNOTES, an authority failure by that user could halt processing. Messenger supplies you with an Audit Journal monitor (QAUDJRN) that can detect any Authority Failures (AF entry type) from user QNOTES and alert the security administrator and the Domino administrator to the condition so it can be remedied quickly.

If Domino jobs are sharing the system with interactive jobs, they’ll have a Run Priority of 20, which makes them equal to interactive jobs. To guarantee users won’t complain that Domino jobs are stealing their resources, use the supplied JOBMON monitor to detect any job in the DOMINOxx subsystem with a Run Priority lower than 30. If found, Messenger can respond by running command CHGJOB JOB(&MN/&MU/MJ) RUNPTY(30) to automatically reprioritize the offending Domino job and keep your interactive users happy.

Even the best-built products may encounter problems that cause them to hang or crash. When this happens, the quicker you can isolate, analyze, and fix the problem, the quicker your user community will be up and running. When there is a Domino server failure, an NSD* job is created on the system. This job collects info about server failure and documents settings about the environment at the time of the crash to assist you in troubleshooting. At the time of a server crash, NSD begins to run and collect diagnostic information. Message LNT099C is sent to the IBM i QSYSOPR message queue to notify you of the crash. At this point the server will attempt to restart; however, if you have chosen not to restart the server automatically another message is sent to the QSYSOPR message queue stating “Enter a character to allow Domino job to continue.” You may need to answer the message in order for the server to restart. If the Domino server is configured to restart itself automatically, but fails to restart, message LNT0928 will contain error codes returned by the server and will also appear in QSYSOPR. MessengerPlus or MessengerConsole supplies you with a QHST monitor to detect any messages from job NSD* present in the History Log. It also ships preconfigured with a QSYSOPR monitor that will capture those LNT messages and respond automatically for you.

As a Lotus Domino administrator, you are faced with a plethora of challenges each day—users forgetting their passwords and applications not working as expected. Bytware’s Messenger will help you free up your time and give extra focus to your Domino environment so you can enjoy a smooth, reliable server.

The Event Dashboard gives you a snapshot of your Event Counts from four perspectives: Count by Date; Count by Severity; Count by Message Queue; and Total Events for the Month.

The Pager Dashboard provides critical paging information, including Pager Status, Pager Messages by Date, Today’s Pager Message Count by Status, and Total Pages Sent Today.

The Bytware Dashboard includes both the Event Dashboard and Pager Dashboard data to help you get a quick overview of what’s been happening on your system. It has Event Counts by Event Date, Count by Severity, Count by Message Queue, Pager Status, Pager Message Count by Pager Message Status, Pager Message Count by Pager Message Date, Total Events for the Month and Total Pages Sent Today.

With the flexibility of SEQUEL ViewPoint, you can easily add to, remove from, or tweak the Dashboards to give you the view that is most helpful. Want more event information? Create a new View for Current Events to show events that haven’t been acknowledged yet and drop it into your Event dashboard. Need to report on paging statistics? You can easily save or print your charts and export data results to an .xls file. The dashboards even have links to both the Bytware and Sequel websites so you can easily contact us for help if you need it.

Are you ready for a new point of view? The Messenger Dashboard for SEQUEL is available for download on the Bytware website at http://www.bytware.com/support/mp/sequel-dashboard.html. (Note: You will need your support access code to log in to the download page.) Installation instructions are provided on the website, so if you meet the minimum requirements you can install today!

As IBM’s midrange hardware and software have evolved, we’ve gone through trends of decentralization as well as centralization. The consolidation of IBM i infrastructure in a single location has brought a number of changes to the wadxy we manage our operations. At first, single data centers had multiple AS/400s with user environments controlled strictly through subsystem technology. Later, the trend changed to multiple partitions on a single iSeries running OS/400, which was connected to physical I/O adapters and possibly virtual TCP/IP interfaces.

Today, the latest Power Systems™ have multiple IBM i, AIX, or Linux partitions—potentially fully virtualized micro-partitions—hosted on a single Power Systems server. These developments in IBM i and the POWER7® processor have put us in the middle of a consolidation revolution. Here are three technologies that can help you join it.

1. Subsystems
Thanks to subsystem technology, the IBM i operating system (and its predecessors OS/400 and i5/OS) could be designed to allow multiple environments to run concurrently. Subsystem definitions allow the administrator to segregate work (interactive, batch, server) into their own memory pools and their own separate and distinct job queues, all sharing a portion of processor time. This was the first form of consolidation technology and is still strong today. In fact, with the horsepower available on a single system today, it is quite possible to consolidate multiple systems and thousands of users onto a single Power Systems server with a single partition.
Do you have multiple companies or divisions? Break them apart by subsystem, with each user environment assigned to a specific job description that will direct them into the proper subsystem and the appropriate libraries and directories. For motivation, consider one of our customers who, thanks to subsystem technology, consolidated more than 800 dedicated store system AS/400s to six POWER7 partitions running IBM i. Imagine how much easier the administrator’s job got and how much energy was saved!

An additional consideration when consolidating is the security of your data. While the workload runs in distinct configurations, the server configuration and application data remain united. Depending on the nature of the data, it is critical that IBM i security controls are fully understood, deployed, and monitored. Privileged users can access the data across all of the workloads or applications, meaning that it becomes difficult to secure data across different companies or corporate divisions.

2. Independent Auxiliary Storage Pools
Independent ASP (iASP) technology is another form of consolidation. iASPs let administrators isolate data onto groups of disks that can switch between partitions. Multiple iASPs can be attached to a single system. For example, this could allow multiple divisions or customer workloads to be consolidated on a single partition. You could consolidate different business operations, multiple development or simulation environments, or even multiple versions of an application onto one partition using the same library names housed in separate iASPs while keeping the data totally isolated.

ASP technology allows for more segregation of the application data but usually requires program changes before it can be supported. This is because library and directory objects are referred to with the same name but with an iASP prefix. IBM supports full disk encryption (FDE) via disk pools that are assigned to an ASP. Although this is not a “silver bullet” for data encryption, it protects data transmission to and from the disk drive (important in a SAN environment), and when a disk unit is removed or stolen.

3. Virtualization
Consolidation via virtualization is not new to IBM i. The IBM i single-level storage technology is a form of virtualization and was first implemented on the System/38, allowing for virtual memory where the OS regards all primary (RAM) and secondary storage (DASD) as one large pool. Single-level storage allows processes and jobs to run without the programmer having to estimate how many programs or how much data to load into memory at one time. This greatly simplifies handling a large company’s “big data” needs and simplifies programming and database management.

Another technology is virtual media, which allows backups without physical tapes and, thanks to CD image catalogs, product installs to run without physical CDs. Virtual media allows program installs and updates to be shared across multiple partitions with ease and without having to physically load media. Virtual tape can be combined with iASP technology for backup to a storage area network (SAN). This iASP could then be attached to another partition for recovery or archiving.
Virtual partition technology is available with PowerVM, which, in combination with iASP technology, adds tremendous capabilities to our IBM i world. But virtualized partitions weren’t invented on Power Systems—they have been around in the mainframe environment for years. Power just improved on the technology. And it is truly exciting technology, as it allows as many IBM i, AIX, or Linux partitions as are needed to be created and enabled. All you need is disk, memory, and CPU (and appropriate licensed programs from IBM).

Why might you create a virtual partition? Simple: To better utilize resources. For instance, a fully virtualized partition could be created to test a new cumulative PTF package or new version of the operating system, then deleted when the testing is complete. A test partition could be created to validate a new release of application software. Virtual partitions can be copied. Virtual partitions can be suspended when unneeded, thereby freeing up resources for other partitions. Suspended partitions are saved to disk much like a file or a directory. This is very similar to virtual memory technology, where pages of memory are sent to disk when not needed and brought back as required.

Virtualized partitions cut power consumption and allow for CPU and I/O resource sharing. Another feature is active memory sharing, which allows the dynamic exchange of memory between active virtual partitions. And then there is the crown jewel of virtualization: Live Partition Mobility, which allows you to move a virtual partition—while it is active—between frames, with no system outage to the end user.

Live partition mobility (LPM) is similar to PowerHA in that it copies the entire partition’s data at the disk level out to a SAN on your network, which in turn is attached to another Power Systems frame. The advantage is that you can activate this copied partition on the target frame in seconds; and any remaining updates happen after the partition comes up on the target. This is not a substitute for a high availability fail-over plan using PowerHA or another mirroring tool. LPM is used for planned system outages; workload balancing by moving a partition from light to busy systems; or for consolidation of multiple virtual partitions onto one hardware frame.

IBM i, Unix, and Linux Consolidation
One IBM Power Systems frame can host IBM i, Linux Red Hat or SUSE, or AIX Unix partitions in a single “footprint.” This is a great opportunity for server consolidation. However, this does cross “political” boundaries that may exist in your IT structure, since those systems are all supported in one place, from one PowerVM or HMC console, and are sharing CPU, memory, power, and rack space. This might be a great opportunity to consolidate those duties or, at a minimum, cross-train those administrators. Bring factions together to discuss the advantages of this consolidation: reduced power consumption; having a single vendor; and a simplified, more flexible environment.

An additional consideration when running multiple operating systems on a single Power Systems server is the possibility of virus and malicious code infestation. While IBM i is immune to viruses designed to attack Windows or Unix, it can serve as a quiet host to viruses and malicious code. Because IBM i cannot execute this code it can become a virtual Typhoid Mary, spreading malicious code to client PCs and to partitions that can execute it. In fact, this immunity makes it difficult to trace the infection back to its true source: IBM i. It is therefore important to monitor the integrity of IBM i Objects and all files stored on the Power Systems server—across mixed-OS partitions—to avoid costly infections and data loss.

xSeries Consolidation
One other opportunity for consolidation is to host your x86 Windows server disk on a Power Systems shared disk using iSCSI, so when your IBM i saves the integrated file system (IFS), it also saves the Windows storage environment. There’s nothing like the peace of mind you get from an IBM i backup.
Whether you use traditional subsystems, independent ASPs, or virtualization, it will take some time to learn how to use the technology and how to use it at your company. And plan ahead: Power Systems technology is moving so fast, IBM will no doubt release a new technology refresh, adding new features to the virtual environment, giving us more opportunities to consolidate, and more technology to study and implement.

Consolidating for Automation and Security
Automating the monitoring of system events and notification can improve the efficiency and productivity of your organization while at the same time saving you significant money. Such automation can also ease the burden of regulatory compliance. Likewise, taking steps to ensure the security and integrity of your data on mixed-platform Power Systems can help you avoid the types of data breaches that are impacting companies both large and small. Bytware’s Messenger and StandGuard solutions make it easy for to cover all of these bases with cost-effective monitoring, security, and anti-virus tools that have been trusted by companies worldwide for more than 20 years.

Ready to join the revolution? Learn more about automated monitoring and notification by downloading the Messenger Technical Packet and Interactive Calculator, which can show you exactly how much a period of downtime could cost your organization. And to learn more about preventing malicious code from impacting your operations, download the IFS Security Bundle, which includes a recorded webinar, IFS Security white paper, and the StandGuard Anti-Virus Technical Packet. These instant downloads are absolutely free. No forms required.

Using Messenger to Monitor Domino

Lotus Domino products typically run smoothly, and they are built to be very reliable. To ensure that they continue to run smoothly, administrators should be equipped with the right set of tools for analyzing problems when they occur. What can administrators do to improve efficiency and optimize their system?

If you are given the task of Lotus Domino administration, you need a way to get the most out of your valuable time. Bytware’s Messenger can help you monitor Lotus Domino and assist you in taking steps to ensure a smooth and optimized environment.

When a Domino server runs out of disk space, users will experience trouble sending and receiving e-mail. Often times, e-mail will be deleted and “write” errors will appear. Using the supplied DISK monitor in MessengerPlus or MessengerConsole will allow you to detect sudden changes in disk growth or when disk space is reaching a specified threshold. When specified thresholds are reached, the software triggers an alert that tells the administrators of the impending disk disaster.

The health and stability of an application may rely upon a number of running Domino jobs. If the required jobs or subsystem fail to start or stay running, Messenger can alert you and can even restart the jobs or subsystems automatically. Within Messenger, use the supplied JOBRUN monitor to verify subsystem DOMINO0xx is active at all times. Or take advantage of the supplied JOBRUN monitor to verify each job in the Domino subsystem is active (for example, AMGR, HTTP, UPDATE, EVENT, ROUTER, SCHED, and SERVER jobs).

There are other job attributes relating to Domino jobs that will alert you to a potential problem, such as the job consuming too much CPU. Messenger’s preconfigured JOBMON monitor can detect any job consuming too much CPU or otherwise hogging resources. You can fine-tune the monitor to pay special attention to a job running under user QNOTES and alert the administrator of the condition.

All Domino data files should be owned by user profile QNOTES. And QNOTES must have read and write access to these data files. In addition, Domino writes temporary files to /tmp and QNOTES must have write access to this directory. Because many Domino jobs run under user QNOTES, an authority failure by that user could halt processing. Messenger supplies you with an Audit Journal monitor (QAUDJRN) that can detect any Authority Failures (AF entry type) from user QNOTES and alert the security administrator and the Domino administrator to the condition so it can be remedied quickly.

If Domino jobs are sharing the system with interactive jobs, they’ll have a Run Priority of 20, which makes them equal to interactive jobs. To guarantee users won’t complain that Domino jobs are stealing their resources, use the supplied JOBMON monitor to detect any job in the DOMINOxx subsystem with a Run Priority lower than 30. If found, Messenger can respond by running command CHGJOB JOB(&MN/&MU/MJ) RUNPTY(30) to automatically reprioritize the offending Domino job and keep your interactive users happy.

Even the best-built products may encounter problems that cause them to hang or crash. When this happens, the quicker you can isolate, analyze, and fix the problem, the quicker your user community will be up and running. When there is a Domino server failure, an NSD* job is created on the system. This job collects info about server failure and documents settings about the environment at the time of the crash to assist you in troubleshooting. At the time of a server crash, NSD begins to run and collect diagnostic information. Message LNT099C is sent to the IBM i QSYSOPR message queue to notify you of the crash. At this point the server will attempt to restart; however, if you have chosen not to restart the server automatically another message is sent to the QSYSOPR message queue stating “Enter a character to allow Domino job to continue.” You may need to answer the message in order for the server to restart. If the Domino server is configured to restart itself automatically, but fails to restart, message LNT0928 will contain error codes returned by the server and will also appear in QSYSOPR. MessengerPlus or MessengerConsole supplies you with a QHST monitor to detect any messages from job NSD* present in the History Log. It also ships preconfigured with a QSYSOPR monitor that will capture those LNT messages and respond automatically for you.

As a Lotus Domino administrator, you are faced with a plethora of challenges each day—users forgetting their passwords and applications not working as expected. Bytware’s Messenger will help you free up your time and give extra focus to your Domino environment so you can enjoy a smooth, reliable server.

A New Point of View for Messenger Customers

For years you have been using Messenger to monitor your systems and send notifications, and you’ve been using the power of SEQUEL to access information on your System i. Both have become invaluable management tools. Now you can bring them together with a new way to view events and messages using a SEQUEL ViewPoint Dashboard for Messenger. We worked closely with the SEQUEL group to create three Messenger dashboards for you to use as-is or to customize to meet your own unique needs.

The Event Dashboard gives you a snapshot of your Event Counts from four perspectives: Count by Date; Count by Severity; Count by Message Queue; and Total Events for the Month.

The Pager Dashboard provides critical paging information, including Pager Status, Pager Messages by Date, Today’s Pager Message Count by Status, and Total Pages Sent Today.

The Bytware Dashboard includes both the Event Dashboard and Pager Dashboard data to help you get a quick overview of what’s been happening on your system. It has Event Counts by Event Date, Count by Severity, Count by Message Queue, Pager Status, Pager Message Count by Pager Message Status, Pager Message Count by Pager Message Date, Total Events for the Month and Total Pages Sent Today.

With the flexibility of SEQUEL ViewPoint, you can easily add to, remove from, or tweak the Dashboards to give you the view that is most helpful. Want more event information? Create a new View for Current Events to show events that haven’t been acknowledged yet and drop it into your Event dashboard. Need to report on paging statistics? You can easily save or print your charts and export data results to an .xls file. The dashboards even have links to both the Bytware and Sequel websites so you can easily contact us for help if you need it.

Are you ready for a new point of view? The Messenger Dashboard for SEQUEL is available for download on the Bytware website at http://www.bytware.com/support/mp/sequel-dashboard.html. (Note: You will need your support access code to log in to the download page.) Installation instructions are provided on the website, so if you meet the minimum requirements you can install today!

Q&A

Q1. My company recently upgraded its mail server, and the name was changed. Now my e-mail pages aren’t going out. Is there a setting in MessengerPlus that needs to be updated with the new mail server information?

A1. Yes. You will need to update the *SMTP Paging Company to reflect the new mail server name. Go into MPLUS, 50 Setup menu, option 3 Work with paging companies, 2 to change on *SMTP, press Enter to the second screen, update the server name, and press Enter to save your change. If DNS is not enabled on your system, you may also have to create a Host Table Entry for the mail server in CFGTCP Option 10.

Q2. Why don’t I see some of my old events in MessengerPlus when I go to Work with Events?

A2. When certain conditions are resolved, such as a job in MSGW or CPU too high, MessengerPlus recognizes that it is no longer a current condition and automatically acknowledges the event. You can find these events by going to Work with Events, F17=Subset view, Display old messages Y, and press Enter.

Q3. My virus scan detected an infected file in one of my IFS directories during my full system scan last weekend. The file was moved to the /Quarantined folder, but now I don’t know what to do with it.

A3. You will need to review the files in the Quarantined folder and remove them before your next full system save. Once a file has been identified as infected and can’t be cleaned, the file attribute for Scan status is changed to *FAILURE and the OS won’t allow a file with this status to be saved.

Lotus Domino 8.5, released by IBM in May, provides greater scalability and functionality, easy administration, and additional application capabilities, including:

• Identity management, such as Shared Logon and ID Vault
• Storage reduction required for file attachments through Domino Attachment and Object Service (DAOS)
• XPages and Eclipse-based Domino Designer features
• Calendar federation and flexibility
• Nokia S60 device platform support for IBM Lotus Notes Traveler

StandGuard Anti-Virus is completely compatible with the new Domino version. Support for Domino includes:

• Mail Scanning
  Dynamically scans e-mail for viruses and other types of malicious code to protect Domino mail users from receiving infected and potentially harmful e-mail.
  
• Database Scanning
  On-demand scanning of Domino databases allows users to detect viruses and malicious code embedded within document attachments and OLE objects.
  
• Quarantine
  Moves infected attachments to a quarantine database where an administrator can further investigate their origin and integrity by submitting a sample to McAfee’s AVERT Labs threat center.
  
• Real-time Alerts
  Users can configure alerts to notify IT staff when specific events occur, such as when infected messages and documents are detected, or when automatic activities take place. These alerts allow administrators to continually monitor the health and status of the system.
  
• Automatic Updating
  The database of virus definitions is automatically updated daily from McAfee’s servers or from specified computers on the local network.
  
• Scheduling
  Administrators can schedule automatic database scanning and updating to occur at user-configurable times when activity is low, such as nights and weekends.
  
• Logging
  Logs all activity to a central database—including details of infected objects detected during scans and when automatic activities occur—allowing administrators to maintain an audit trail for investigations and regulatory compliance.
  
• Easier Management
  Remote Domino servers can be configured and managed from a central administration server, reducing the time and effort required to manage them. The log database offers a consolidated view of all events occurring across multiple servers. In addition to the traditional Notes interface, StandGuard Anti-Virus also provides a browser-based interface for viewing and managing all activities across multiple remote servers.

Bytware also offers Lotus Domino support in Japanese with its Tokyo-based partner Solpac.
For more information about StandGuard Anti-Virus 6.0 support for Domino 8.5, or to request a free trial, contact Heather Richards, Bytware Technical Consultant, at 775-851-2900 or visit www.bytware.com/products/av/.

Read the full story >

(Source: BBC)

The hacker made more than 400 calls on a Federal Emergency Management Agency voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski.

Learn more about this breach in security. Read the full AP article.

(Excerpted from the Associated Press, written by Eileen Sullivan)