Spectre and Meltdown – What Do You Do for IBM i?

Spectre And Meltdown Threats

The Spectre (Variant 1 & 2) and Meltdown (Variant 3) threats that target speculative execution on all CPU’s will affect IBM Power7, Power7+, Power8, and Power9 systems and IBM has stated that it will have firmware patches for Power Systems available but does not state if its patches will cover all three variants of the vulnerabilities. IBM has not issued fixes for Power6, Power6+, and Power7 systems.

What is not known at this time is what kind of performance impact the fixes for Spectre and Meltdown will have. It will probably depend on the nature of the CPU

architecture, the way the memories are isolated and checked to keep users out of kernel space, and the way the applications make use of speculative execution.

It is possible that systems that are CPU or memory bound are going to thrash after the fixes are applied. Our advice is to benchmark the throughput of your system for some period of time before applying the patches, apply the patches and then run the tests again so that you fully understand and can document the impact.

As of January 13th, IBM has released operating system patches for IBM i 7.1, 7.2 and 7.3 to compliment the firmware patches for POWER7+, and POWER8 processors already released. The specific PTF’s required by release are as follows: Release 7.1 – MF64553, Release 7.2 – MF64552, Release 7.3 – MF6 4551.  Both the IBM i and firmware patches must be applied in order to mitigate the Spectre and Meltdown vulnerabilities.

Don’t leave your keys in the lock!  Know how to protect your company from threats.

As well, please keep watching the PSIRT blog for further developments.

The good news is that you have to be an authorized user in order exploit these vulnerabilities. Security from the IBM i level to your firewall is more important than ever. While there has been no documented case of someone breaching IBM i security without a user ID and password, there are many ways to gain access to an IBM i partition if adequate security measures are not followed. Hardening IBM i isn’t just moving from QSECURITY level 30 to 40. A properly hardened system should include, but certainly not limited to, the following basic measures:

Password level security – Ensure your system can use up to 128 characters for a password. The default 10 character limit of QPWDLVL 0 is not good enough.

NetServer – Ensure that no guest account exists for IBM NetServer. This will allow anyone access to your IBM i partition file shares without a user ID and password. This, combined with sharing the root (/) of your IFS can be extremely dangerous. Furthermore, if you’re on 7.1 or older version of IBM i then you are using the SMB1 protocol for file sharing. SMB1 has been deemed insecure for many years now.

Encryption – If you communicate to and from your IBM i in plain text then the length of your password does matter. There is no excuse not to encrypt your IBM i communication for any service accessed over the network which passes user IDs, passwords or other confidential information.

PTF and operating system currency –Technology that has not been patched or updated runs the risk of being compromised. This is especially true if you use open technology such as Java, OpenSSL and Apache. Java 6 and Apache 2.2 went out of support two weeks ago…have you removed Java 6 yet? Have you upgraded to 7.2 to move to Apache 2.4?

The Spectre and Meltdown vulnerabilities are perhaps the biggest security problems in the history of modern computing, but if you’re not covering the basics you may have bigger and more pressing security problems to worry about.

iTech Solutions will be applying these PTF’s for all Managed Services and OS Subscription customers in their next PTF cycle.  If you need help with your PTF’s or OS upgrades please contact us.

Identifying the Real Threat in Today’s Cyber World

Everywhere we go these days the topics below are being discussed, not only in IT circles, everywhere.

  • Security
  • Hacking
  • On-Line confidentially
  • Malware and viruses
  • Ransomware

Who among us hasn’t been concerned about the Equifax breach and the subsequent fraudulent verification site? Remember a couple of years ago when Target and Home Depot POS systems were hacked within weeks of each other and during the holidays? I spent so much time without my credit and debit cards I actually was forced to regress into using cash (gasp!) at physical stores to complete Christmas shopping. It was not a heartwarming holiday experience to say the least especially in the grip of a typical New York December.

We have become smarter about data! Finally. The ramifications of our reliance on credit/debit cards and mobile devices have wrought implications on our personal identity security. In response many of us have made changes in how we divulge and store our personal data. We use stronger encryption on our home wireless networks, check for HTTPS and the lock icon before entering payment information, guard our SSN numbers, even refuse to allow our driver’s license to be copied without good cause. This awareness and proactive behavior is crucial as we allow electronic transactions to take over our financial lives.

Of course, these trends haven’t gone unnoticed by our employers or the businesses we deal with. Security was an overwhelming focus of many of the conferences I attended this year and I have been asked often about penetration testing and ethical hacking protocols. If you are an IBM i professional you are aware of the debate over the safety of the system. You have heard, “there has never been a single line of malicious code run on an i.” However, you probably have also heard about the security threats to our organizations and the adage that the system is the most “securable” not necessarily properly secured. Responsible and knowledgeable professionals are needed to configure, monitor, and respond to the threats we face on our platform.

As we look at the headline grabbing/fear inspiring stories recurrent patterns emerge. First and foremost, the greatest threat to our organization comes from within. Anyone reading this blog surely has at least one example from personal experience of using back doors and working around an application or system setting to achieve a goal that was prohibited. This is the same mentality we see in one of the most common data manipulation techniques. FTP files off the system, modify the data, FTP back altering the original tables. As FTP isn’t logged on the IBM i the way legitimate changes are in Db2 this is an easily exploited vulnerability. How often do we have a health check or a security assessment performed only to ignore the findings? We will change the settings or amend the authorizations just as soon as we have time. Or worse, we make recommended changes and jobs stop running properly, an important user gets locked out, or business is interrupted in some way and we change everything back quickly. This tends to lead to becoming fearful of trying to address security issues at all. No one wants to be responsible for interruptions and outages especially when it seems to indicate lack of ability or competence in our skill set. As a result default passwords remain unchanged while Bertha in the warehouse keeps her *ALLOBJ authority (in spite of being woefully ignorant of the implications and prone to walking away from her workstation while signed in with the screen unlocked.) We can’t even begin to implement best practices until we are honest about our own worst practices.

I doubt I was the only one who reviewed what happened at Equifax and had little difficulty seeing how easy it would be to have been involved. Whose responsibility was it to maintain the Apache Struts infrastructure? Obviously not upper management who couldn’t spell PTF much less know what was released and why, nor if applicable to their system. The developers in the trenches? Maybe, but if the task wasn’t assigned to someone specifically who would assume the responsibility? IT Management? They would have visibility to what is needed and relevance to the environment but how hard is it to prioritize routine updates? Especially when downtime and off hours effort is needed? How often do we say “After we catch up, after this deadline, when someone comes back from vacation…”

We need to educate ourselves about threat intelligence. One of the very foundations of quality assurance itself is the impossibility of eliminating risk entirely. We all accept varying degrees of exposure at all times in our connected culture. My kids are on line every night to complete homework and collaborate via Google Docs on an iPad provided from their school. I control the heating and air conditioning of my house from my smart phone regardless of where I am in the world although my mom can’t understand the interface well enough to control in person.  I share photos with far off friends and family creating a crystal clear indicator that I am on vacation and my home is empty. We – as business and individuals – trade security for efficient productivity and convenience every day. Using my above example involving FTP; how many would answer “there is a legitimate business need for transferring files and I have to get my orders/update inventory/allocate resources/etc.”? I take a risk every time I use a credit/debit card but remain as committed to Amazon Prime and paying at the pump when I buy gas as the next person.

So, what exactly is Threat Intelligence? Simply put it is knowledge based on evidence about risks, hazards, or menaces we face. More importantly it means using that insight to inform our responses to same. We can’t protect ourselves against a threat we can’t comprehend exists or deny affects us. We need to think about how current threats will evolve and impact business in the years to come. Further as we plan, design, andimplement security conscious secure systems with complimentary applications we need to be realistic.

The most potent opportunity for exploitation is the combination of inadequate measures in our infrastructure technically, an authorized user who is careless or disenfranchised, and a corporate culture that is blind to these factors and their ramifications.

Click here to get your guide

The experts at iTech have produced a new guide 5 Tips for Monitoring IBM i Critical Events to help you ensure that you are monitoring some of the most critical IBM i events.  Get your copy here.

Will your IBM i Be Ready When Disaster Strikes?

Mother Nature has been letting us know that she is in charge lately. With Hurricane Harvey’s recent destruction in Texas, we are reminded of how important it is to be prepared for a disaster. Today, Hurricane Irma is threatening Florida and we felt that now is the time for companies to be sure that they are prepared in the event of a disaster. As a result, we have created a guide with 25 steps to help ensure that you are prepared before a disaster strikes.

If you’re fortunate enough to not be in the path of Irma, now is a good time to verify that your disaster recovery plan is in good order. Mother Nature may not be a threat to your business today, but tornadoes, wild fires, and major snow storms can also wreak havoc on your availability. If you don’t have a plan, then how will you ever recover from a disaster? If you don’t test your plan, how do you know it will work?

Having high availability is by far the best way to protect your business and ensure that you can keep the business running in the event of a disaster. Companies often think that high availability is cost prohibitive, this isn’t the case anymore. iTech Solutions can offer high availability in our Tier III data center for a low monthly fee. This includes the software for replication.

You may think you have everything covered with your backups, but are you sure that you can recover from your existing backup tapes? When is the last time you did a full system save? If it’s been awhile you may be more exposed than you think. If you do a full system save regularly, you could still be exposed if your tapes are not stored offsite. If they are stored offsite, do you know how to get them in the event of a disaster?  

In the event that you don’t have high availability and can’t just do a role swap and keep the business running, we have created a guide with 25 tips to help you to be prepared in the event of a disaster. Here are a few of the topics we discuss:

  • Have a decision matrix
  • Access to tapes
  • Contact lists
  • Encryption
  • Alternative method for employees to charge their cell phones

Click here to get your guide

You can read all of our tips in our Will your IBM i Be Ready When Disaster Strikes white paper.  We want to help you be prepared before a disaster strikes, so you don’t have to worry about your IBM i when Mother Nature decides it’s time for a storm.  We want you to be able to focus on what is most important during these times, your family and your own safety. We hope all of our customers in Florida fair well from the storm and we’re thinking of those who have been affected by Harvey.  

If you need help to ensure that you are ready before disaster strikes contact iTech Solutions at sales@itechsol.com. We’re happy to help you develop a disaster recovery plan that works for your company.

3 Common Problems From Your OS Being Out of Date

We’ve recently written about how important it is to keep your IBM i current with OS releases and PTF’s in order to ensure that your system is secure, available and performing at its peak.

Through years of working with customers and prospects, we have found three things that tend to effect whether or not companies keep their OS current; time, knowledge and money.

Keeping these things in mind, we have developed different services that can help you to keep current.

A common problem we uncover when talking to companies is they don’t have the human resources to complete the tasks on a more regular basis.
When you have a small team of people supporting the platform, everyone is usually stretched thin with little time for other tasks.  Having a partner who you can offload these tasks to can be a huge benefit.

If you lack the knowledge or feel it’s just been too long since the last time you did an upgrade, you are not alone.
This is another common problem company’s face in regards to keeping their OS current. The good news is that iTech Solutions does 100’s of OS upgrades and PTF applications a year, which means we know exactly what needs to be done already. No need to stress over it, we can keep you current.

The final problem is the cost of having someone assist you with OS upgrades and PTF’s. 
Often the business thinks that if you are in IT, you should be able to handle the task without help. They don’t understand the time and effort required to ensure a smooth upgrade or PTF process. When IT requests to have a consultant do work, the business often pushes back.

Costs become an instant barrier and as a result the OS gets further and further behind. iTech Solutions offers a new service that can help you keep your OS current for a very low monthly fee. The best part is the monthly fee is so low, that the business can easily justify the cost of the service.

Contact iTech about an OS Upgrade or PTFs

The good news is that regardless of which problem you face when trying to keep your OS current, iTech Solutions can help you. 

We’ve developed a process that makes it easy for us to assist our customers with OS upgrades and PTF maintenance.  We can offer these services either on an as requested basis or through our proactive subscription offering. Regardless of which option works best for you, we can help your company to take advantage of the benefits of paying SWMA. Why wouldn’t you want to improve security, ensure availability and take advantage of new features?

What the End of IBM i 7.1 Support Means For You


IBM i 7.1 is going to be headed for the IBM i support graveyard very soon.  IBM recently announced that IBM i 7.1 will be end of life on April 30, 2018, which means it’s time to move to 7.2 or 7.3.  We all know that you can stay on 7.1 and pay the service extension fees to IBM, but I’m not sure why you would throw your money away on that.

IBM i 7.3 has been GA for over a year and it is a stable release. In fact, iTech was a beta site for 7.3 and this release has been rock solid since the beta release. We’ve been busy helping our customers move to this release for a year now and we’re hearing from more and more of them every day that they want us to move them to 7.3.

The biggest challenge to every upgrade is the planning.  It’s not just about what version of Java you are running, or whether or not you have WebSphere, LAN Console, size of the load source, expanding the license internal code space, or having the correct preparation PTFs on. You have to be worried about vendor applications.  By now your vendors should have their applications supported on 7.3.

Should you go to IBM i 7.2 or skip to IBM i 7.3?

The answer should be to get to the latest and greatest version, if at all possible. You can make the move from 7.1 directly to 7.3, so that won’t be an issue. If your vendor applications can go to 7.3 then you really should make that jump now. We also have to insure that your hardware is capable of supporting 7.3

Upgrading will allow you to take advantage of the new features in 7.3 and will prevent you from having to make another upgrade when 7.2 is end of life. Also, the features in 7.3 that support temporal support and row and column access control can help you to provide the business with improved business intelligence and increased security.

When’s the last time you performed an upgrade?

How long has it been since you’ve done an OS upgrade?  If there answer is, it’s been a while, than we suggest you contact us for help.  We do multiple OS upgrades every week.  So, chances are we have encountered any issues your upgrade may encounter before, which means we already know what to do to solve it.

Why do I need to keep Current with OS Release and PTFs?

The rate of change in IT is staggering.  We all know that the IBM i is a solid platform, which is why people often are not as concerned with updating their OS levels.  The mentality has become, if it’s not broken then don’t fix it. This attitude has caused a lot of misconceptions about IBM i. Those who are not familiar with the platform think it is dead, old technology that needs to be replaced. They don’t realize all the new things that you can do with IBM i. They think it’s a green screen platform that has nothing new to offer to the business. This can’t be further from the truth. By not keeping your OS current, you could actually be working yourself right out of a job.

IBM has invested in support for Open Source, which offers you the ability to modernize your user interfaces utilizing modern programming languages like PHP, Java, Node.js, Python, Chroot with gcc, Git, along with various open source tools. This allows you to provide modern interfaces through multiple devices. It also allows you to bring in young programmers who can breathe new life into your applications.

Security is another major concern. A lot has changed since 2010 and you need to keep your OS current to ensure that your system is as secure as it can be.  Row and column access controls add a new layer of security to your data, which allows users to have access to information they need, while masking information they should not see. If you are using encryption, it’s even more important to stay current, as the new ciphers are maintained in the most current release of the OS only.

If you’re not keeping up, then you are behind. If you’re behind, then Management may think that the IBM i isn’t offering a new business value. This couldn’t be further from the truth. Protect your company’s investment in IBM i by ensuring that management understands what the platform has to offer. Educate them on everything they can do with today’s versions of the software and hardware. Invite them to attend conferences like COMMON, NEUGC, and others.

We are happy to be a resource. Contact us to provide an executive briefing to your management team.  If we’re not promoting the platform, the mentality that it is old and should be replaced will continue, despite the fact that it is the best business computer available!


Ensuring that your IBM i isn’t Vulnerable to Attacks

data_breachIf you believe your IBM i is 100% secure from attacks both inside and outside the firewall, then you are probably at risk. Many companies are under a false sense of security that their data is safe just because it resides on IBM i. A good IBM i administrator should be able to demonstrate that their systems are being proactively assessed and interrogated to minimize the risk of security vulnerabilities. Regardless of architecture, no system is 100% secure. However, when security is viewed as an operating strategy rather than a goal the chances of a breach with data loss is reduced substantially.

[Get 5 Tips to Improving Your IBM i Security]

Where is your system vulnerable?

The IBM i is probably the most securable system available, but it doesn’t come that way.  You have to know how to configure the system properly to make it secure.  This requires knowledge about proper security levels, password levels, authorities and more. Even a well-managed system may still be exposed, without you realizing it. Having your IBM i assessed by an IBM i Security expert can help ensure that your system is as protected as it can be.

Poorly implemented password policies are one of the most prevalent risks faced by IBM i shops. Limiting password lengths to only 10 characters is extremely risky.  It makes it easier for someone to hack into your system, therefore putting your data and business at risk. In addition to not requiring strong enough passwords, too many shops still have users with default passwords.  If you still have users with default passwords, you really should take the time to change them.  You’re not the only one who knows what the default passwords are, it’s like leaving your front door wide open.  Anyone can get it and harm your system.

Almost every system has users with elevated authorities, but the question is do they need that level of authority to perform their job on a day to day basis?  If the answer is no, then you should really reset their authority to the most appropriately level.  Too many users’ with *ALLOBJ authority or *SECADM rights expose your system to harm or loss.  Do you know how many users have elevated authorities on your system?

IBM i applications are notorious for having more authority granted to their objects than what is really necessary to execute the application functions.  Sometimes when trouble shooting a problem, the solution is to decrease the object level security and sometimes people forget to go back and reset it to the higher level. Excessive object level authorities really expose your system to threats.  It’s important to assess your object level security and set it to the lowest level possible in order to protect your business.

Another potential threat is due to the fact that the IFS is not secure out of the box.  It is up to you to ensure that your IFS directory is secure from external and internal threats. Defining access rights properly is crucial to protecting your companies IFS data.  Not only is your data exposed to loss, your IFS is exposed to infected files.  While it’s true that the IBM i can’t get infected by a virus, the IFS can carry a virus which can spread. It’s important to secure your IFS properly, so that you’re not at risk of losing critical company data or spreading a virus.  

These are just a few of the things you need to check in order to assess your system for security vulnerabilities.  There are others you need to consider such as, the version of Java you are running, whether or not your ciphers are current, is TELNET unencrypted and are you logging FTP access.

iTech Solutions offers a Security Assessment that will check these things and more. We can help you to determine which items put you at the most risk, so you can mitigate your vulnerabilities quickly.

Security is not set it and forget it

Companies often set their IBM I security and forget about it, thinking their job is done. The truth is you should be reviewing your security on a regular basis to ensure that things haven’t changed.  An administrator can change a system value or provide a user with elevated authorities to solve a problem and may not go back and clean up. Having a second set of eyes reviewing the state of your system security and providing you with a detailed report and in depth review, will improve your security and protect your data.

Download iTech’s “Five Tips for Improving your IBM i Security for some tips on how to improve your security.

New Call-to-action


How to Conquer the Challenge of IBM i Staffing


The use of Managed Services are predicted to continue to increase in 2017. Companies are realizing that focusing on what they do best can provide them with a competitive edge. This is especially true in IT. Whether you want to supplement your staff, become more proactive with your system maintenance or shorten your problem resolution time, Managed Services can help.

Supplementing your existing staff with an IBM i Certified Systems Administrator will allow your team to focus on core business strategies and innovation.

Often small companies don’t have a dedicated system administrator, instead a programmer has to pull double duty. This isn’t good for business because you’re getting the bare minimum for administration and that time is taken away from development activities. Focusing your existing resources where they have the biggest impact on your business, will help you to get the most out of your team.

Since the IBM i is so reliable and just seems to run, companies have been lax in replacing staff in some cases.  Whether someone retires or they leave the company for a new opportunity, some of those people are not replaced. Eventually, shops have no one who is actively managing the IBM i, instead they are just reacting to problems. Problem resolution times are increased when you wait for the users to report problems, which can have a negative effect on your business.

This leads to another issue; putting all your eggs in one basket. When you have one resource who has the knowledge and the skills to maintain your IBM i, you are at risk. If that person leaves for any reason, you have to try to transfer the knowledge to another resource, if that is even possible. With Managed Services you have a team of people who are familiar with your environment and you never have to worry about someone leaving.

Without a real time monitoring solution, your staff has to either react to user complaints or spend their time manually looking through logs to ensure that everything is working as expected. Sometimes, not even finding the problems. None of these options are good.  With Managed Services companies you gain the benefit of having proactive monitoring, without the cost of licensing and maintaining a monitoring solution.

Proactive monitoring notifies the Provider when a problem occurs and allows them to take action or notify the right person. 

With a Certified IBM i Administrator receiving the alerts, you also gain the benefit of the experience the provider has from solving problems for other customers. Both of these benefits allow for faster problem resolution, increasing system performance and availability.

System Maintenance tasks like IBM i OS upgrades and PTF Maintenance are things that usually have to be done after hours, and they require tons of planning. When you are already short staffed, or you have your programmer doing system maintenance, it seems like updates get further and further apart.  If at all. Having a regular maintenance schedule performed by a Managed Services provider helps ensure that your system remains healthy, optimized, and secure.

If you are in one of these situations, you’re not alone. That’s why Managed Services will continue to grow this year. The good news is that iTech Solutions can help you.

Learn more about our MSP services by getting a copy of the MSP benefit guide


7.3 Items to Be Aware of When Upgrading to IBM i 7.3 – Part 4

This is part 4 of a 4 part series on the new IBM i 7.3 Upgrade. See the first posts in this series below:

know the minimum releases to run on IBM i 7.37. Supported Versions

There are certainly Licensed Program Products (LPPs) which will need to have minimum releases to run on IBM i 7.3, and some releases are no longer supported on IBM i 7.3.  In either case, how did you think I was going to provide 7.3 items to consider? This next item is the seventh item, Supported Versions, and I have 3 points under this last highlight.

  1. Java.  IBM Developer Kit for Java 5770-JV1 will be removing IBM Technology for Java 6.0 (options 11 and 12) on IBM i 7.3.  Therefore, before upgrading use the WRKJVMJOB command to ensure that all your jobs are using a newer version of a JVM.  By the way, the default JVM for IBM i 7.3 is Java 8.0 32bit, which is option 16.
  2. Domino.  For 7.3 the minimum release of Domino has yet to be published by IBM, we know the minimum release for IBM i 7.2 is Domino 9.0.1.  Most of the time the compatibility is related to the dependent release of Java.  If you are below version 9.0.1, you will need to be looking at an upgrade, and we are waiting for IBM to update the website. (Collaboration and Social(Lotus) Software for IBM i Compatibility Guide)
  3. IBM WebSphere Application Server.  Versions 8.0 and earlier versions are not supported and will not function on IBM i 7.3.  You will need to be on version 8.5 or later of WebSphere Application server, with fix pack You must upgrade to a supported version before upgrading to 7.3.

This isn’t the actual upgrade guide, but some of the issues that people may run into during an upgrade which they have to address prior to the upgrade in their planning process.  There are other issues like with iSCSI, WebSphere MQ minimum releases, IBM Content OnDemand minimum releases, and changes to Universal Connection hostnames.

In any upgrade, planning is one of the most important steps and should never be rushed or glossed over.  If you need help, would like iTech to do the upgrade for you, or just want to have peace of mind knowing that a company that does more upgrades in a week than you will do in a decade is working for you, then contact sales@itechsol.com to enlist our help.

Don’t forget to grab your copy of The IBM i State of the Union, Pete’s Predictions for 2016.

Have questions about your next upgrade? Schedule an Upgrade Assessment with the iTech Solutions team.


7.3 Items to Be Aware of When Upgrading to IBM i 7.3 – Part 3

This is part 3 of a 4 part series on the new IBM i 7.3 Upgrade. Links to the rest of the series are listed a the bottom of this article.

5. IBM i NetServer Shared Printer Changes

be prepared for the IBM i 7.3 upgradeNetServer Shared Printers will behave differently after upgrading to IBM i 7.3. There is a new version of the Server Message Block (SMB) protocol. Version 2 (SMB2) has been added and is now the default that is negotiated with IBM i NetServer clients. The new protocol handles printing differently and printer functions will no longer work as they did in prior releases. Documents can still be printed to shared printer queues from Windows clients, but additional steps are required to configure the printer.

SMB2 support can be disabled on the system if the printing limitations are incompatible with existing network printer use.

6. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Changes

It may seem that you have issues every day on your PC when using Java and your browser, especially when it comes to SSL and TLS. There are so many vulnerabilities that what we thought was once secure, just is no longer.  So, for IBM i 7.3, only cipher suites considered secure are included.

The system value QSSLCSL cipher specification list generated when system value QSSLCSLCTL is *OPSYS has changed from the previous release. The IBM i 7.3 list contains only cipher suites considered okay for use by security compliance definitions at the time 7.3 was released. It is impossible for an application using System SSL/TLS to use a cipher suite not listed in QSSLCSL. Administrators can control the ciphers supported by System SSL/TLS via the system value QSSLCSL when QSSLCSLCTL is set to *USRDFN.(Learn more about SSL/TLS changes for IBM i 7.3 here.)

List change highlights:

  • The Rivest Cipher 4 (RC4) 128-bit ciphers are removed.
  • The Galois/Counter Mode (GCM) ciphers are now listed first, which makes them preferred over the Cipher Block Chaining (CBC) ciphers.
  • All ciphers with less than 128-bit are removed.


This was Part 3 of a four part series. See the following posts below:

7.3 Items to Be Aware of When Upgrading to IBM i 7.3 – Part 2

This is part 2 of a 4 part series on the new IBM i 7.3 Upgrade. Links to the rest of the series are listed a the bottom of this article.

things to know before you upgrade to IBM i 7.33. Increase the Licensed Internal Code space

If you are upgrading from 7.1 to 7.3 you need to increase the Licensed Internal Code space on the load source disk.  All server models with IBM i 7.1 or earlier releases require more reserved storage before IBM i 7.2 or 7.3 can be installed. Your upgrade will stop during the installation if you do not allocate the additional space.

You can do this by issuing the GO LICPGM on the command line, selecting option 5 on the menu to Prepare for upgrade, and then selecting the option to increase License Internal Code space.  Remember, your load source will need to be at least 70GB for a physical disk drive and 35GB for a virtual disk drive.

4. Required PTFs

While I think it goes without saying that you should always get to the latest PTFs on the release you are upgrading from before starting your upgrade, this release of IBM i 7.3 is no different.  As you plan for your IBM 7.3 installation or upgrade ensure that you review the “Required PTFs for upgrading to IBM 7.3” topic within the IBM i and Related Software section of the IBM developerWorks® wiki.

To review the “Required PTFs for upgrading to IBM i 7.3”, go to this wiki and select Updates and PTFs.

If you are upgrading from IBM i 7.1 for example, you need to load and apply certain PTFs to be able to accept online software agreements. If you are using image catalogs to upgrade from either IBM i 7.1 or IBM i 7.2 certain PTFs are required. Both of these preparation steps are included in the Installing, Upgrading, or Deleting IBM i Guide. You always want all the IBM i fixes that have resolved known problems installed before you start the upgrade.

This was Part 2 of a four part series. See the following posts below: