Admin Alert: When Was The Last Time That Library Got Backed Up And More
February 6, 2013 Joe Hertvik
This week, I’ll cover some new information about IBM i library backups, tell you how to specify which TCP/IP servers start whenever TCP/IP is started, and demonstrate a second technique for preventing unauthorized FTP access to your server. Let’s get started.

Determining The Last Time A User Library Was Backed Up

Checking the last time a user library was backed up is easy. You can check it from the green-screen by running the following Display Library Backup List (DSPBCKUPL) command.

DSPBCKUPL BCKUPL(*LIB)

This command will display a screen that looks something like this. This shows the last date each user library was backed up (the Last Backup column) and whether the library has been changed since the last backup (the Changed column). This is handy when you’re running a customized nightly backup program, so that you can ensure you’re saving all relevant user data.

You can also use System i Navigator (OpsNav) to find the last saved date for an IBM i library by opening the File Systems→Integrated File System→QSYS.LIB path to list out all your native DB2 IBM i libraries. Right-click on the library name you want to check, and then click on the Properties option on the pop-up menu that appears. Click on the Save tab on the library Properties screen that appears, and the system will show you the last date and time that the library was saved. Your Properties screen will look something like this.

The only difference between this information and the green-screen DSPBCKUPL information is that the green-screen will tell you whether the library has been updated since the last save. OpsNav doesn’t provide that information. Other than that, the two options show the exact same information.

Specifying Which TCP/IP Servers Start When TCP/IP Starts

Whenever TCP/IP is started, the IBM i operating system will also start all TCP/IP servers that are configured to start when TCP/IP is started.
This is helpful because you don’t have to specifically start your TCP/IP servers in your system startup program every time you IPL the system or the system restarts after a full system backup (GO SAVE, option 21).

Your TCP/IP server startup list can be viewed and maintained through System i Navigator (OpsNav). Do the following to view and update this list in the OpsNav version that comes with IBM i Access for Windows 7.1.

1. In your target system in OpsNav, right-click on the Network→TCP/IP Configuration node. Select Properties from the pop-up menu that appears.
2. This will bring up the following TCP/IP Configuration Properties screen for your partition. Select the Servers to Start tab.
3. This screen shows all the TCP/IP servers that can be started on your system. Any server that has a checkmark next to it will restart whenever TCP/IP is started. Review the list and add or remove checkmarks next to the servers you want to associate with TCP/IP starting.

And that’s how easy it is to specify which TCP/IP servers should be started whenever TCP/IP is started.

Controlling FTP Access Through OpsNav

In my January 23 column, I presented a technique for stopping unauthorized user profiles from FTPing to your IBM i machine. After posting that column, reader and IBM i guru Patrick Botz emailed me with another way to shut off FTP access from a client machine. Patrick’s technique is much easier to implement than coding a custom-written FTP exit point, as I described in the previous article. Here’s how it works.

This technique involves using some predefined FTP configuration parameters in the System i Navigator program that comes with IBM i Access for Windows 7.1. These parameters are defined under the Host Applications tab of the OpsNav Application Administration function. You can open the Application Administration function by right-clicking on your partition name in OpsNav and selecting the Host Applications tab.
You’ll see a screen that looks like this.

To control who can and cannot start an FTP session with this server, open the TCP/IP Utilities for iSeries→File Transfer Protocol (FTP)→FTP Server path in this Windows dialogue box. Highlight the Logon Server entry and click on the Customize button to bring up the following Customize Access screen for controlling FTP access.

Looking at this screen, you’ll see two boxes that you can use to: 1) define which user profile names can start an FTP session with your partition (the Access Allowed area); or 2) define which user profile names cannot start an FTP session on your partition (the Access Denied area).

Whenever a user profile name is added to the Access Denied area, the IBM i operating system will reject any FTP user logon requests coming from that user. You can add users to the Access Denied list by opening the All Users node under Users and Group, selecting the user you want to deny FTP access to, and clicking on the Add→ button next to the Access Denied area. In this example, I’m telling the FTP server to reject any logon attempts coming from the “joeh” user. After I click on OK, “joeh” will no longer be able to start an FTP session with my IBM i partition.

Similarly, you can add users to the FTP Access Allowed list by highlighting the user name and then clicking on the Add→ button next to the Access Allowed area. But be aware that to set up an Access Allowed list, you have to turn off the Default Access check box on the Customize Access screen. Default Access specifies that any users who are not explicitly defined in the Access Allowed or Access Denied lists will be able to start an FTP session.

You can completely lock down FTP access for any unauthorized users by turning off the Default Access check box AND by adding all the authorized FTP users to the FTP Access Allowed list. With that configuration, only authorized users can access your system.
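
The Access Allowed, Access Denied, and Default Access rules described above can be modeled and audited in a few lines. This is an added example, not part of the original column or any IBM tool; the class and function names and every profile name except "joeh" are constructed, and treating a profile that appears on both lists as denied is an assumption of this model.

```python
from dataclasses import dataclass, field


@dataclass
class FtpLogonAccess:
    """Constructed stand-in for the Customize Access screen settings."""
    default_access: bool = True                  # the Default Access check box
    allowed: set = field(default_factory=set)    # Access Allowed list (upper case)
    denied: set = field(default_factory=set)     # Access Denied list (upper case)

    def can_logon(self, profile: str) -> bool:
        p = profile.upper()
        if p in self.denied:          # Access Denied rejects the logon request
            return False
        if p in self.allowed:         # explicitly listed under Access Allowed
            return True
        return self.default_access    # unlisted profile: Default Access decides


def audit(cfg: FtpLogonAccess, authorized: set) -> list:
    """List where cfg departs from the lock-down described in the text."""
    authorized = {u.upper() for u in authorized}
    findings = []
    if cfg.default_access:
        findings.append("Default Access is on: unlisted profiles can start FTP sessions")
    for p in sorted(authorized - cfg.allowed):
        findings.append(f"{p}: authorized FTP user missing from Access Allowed")
    for p in sorted(cfg.allowed - authorized):
        findings.append(f"{p}: in Access Allowed but not an authorized FTP user")
    for p in sorted(cfg.allowed & cfg.denied):
        findings.append(f"{p}: on both lists (this model treats it as denied)")
    return findings


# Constructed sample settings: a deny-list-only setup and the full lock-down.
DENYLIST_ONLY = FtpLogonAccess(default_access=True, denied={"JOEH"})
LOCKED_DOWN = FtpLogonAccess(default_access=False, allowed={"FTPBATCH", "EDIUSER"})
AUTHORIZED = {"FTPBATCH", "EDIUSER"}

if __name__ == "__main__":
    for name, cfg in (("deny-list only", DENYLIST_ONLY), ("locked down", LOCKED_DOWN)):
        print(name, "->", audit(cfg, AUTHORIZED) or "no findings")
```

With only "joeh" on the Access Denied list, every other unlisted profile can still log on through Default Access, which is the gap the audit reports first.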
If you want to add users to either the Access Allowed or Access Denied list without constantly updating that list, you can easily do that by specifying group profile names in each list by using the following technique.
While writing a custom-written exit point program, as I demonstrated in my previous article, will also allow you to lock down FTP access, I find this technique is much more elegant and easy to implement for allowing or denying FTP access. Thanks again to Patrick Botz for telling me about it.

Joe Hertvik is the owner of Hertvik Business Services, a service company that provides written marketing content and presentation services for the computer industry, including white papers, case studies, and other marketing material. Email Joe for a free quote for any upcoming projects. He also runs a data center for two companies outside Chicago. Joe is a contributing editor for IT Jungle and has written the Admin Alert column since 2002.

RELATED STORY

Stopping Unauthorized Users From FTPing To Your IBM i