Automated disaster recovery revisited


Rich Loeber, Contributor
09.28.2004


A little more than a year ago, I wrote a security tip about automating your iSeries disaster recovery restore process. Of the many tips I've done over the last several years, none has drawn as much "fan mail" as this particular tip.

The essence of the tip was an implementation of the OS/400 command LODRUN to automatically restore a full system backup tape. The LODRUN searches the tape for a known program (named QINSTAPP), loads that program into the session QTEMP library and then calls it. Your QINSTAPP program can then load the contents of the tape. The only thing you have to do is create the QINSTAPP program and include it in the backup.

Well, I created that methodology quite a while ago, and a "fan" recently contacted me to let me know that, during testing, he found a problem with it. It seems that the current versions of OS/400 don't like it when the SAVLIB -- for *ALLUSR or *NONSYS libraries -- is not the first backup set on the tape. The tip clearly called for the QINSTAPP *PGM object to be the first object on the tape, so there was a conflict.

First, I have to commend my "fan" (Keith Scott at Hoover Materials Handling Group) for putting the process to the test. Over the last year, I've given away hundreds of copies of the shell CL program for QINSTAPP and Keith was the only one to test it and find the problem. No matter where you get your code, testing should ALWAYS be a requirement, especially for something as important as a disaster recovery procedure. I tested this process long ago and it worked then, but it is problematic today.

The news is not all bad, however. With the current versions of OS/400, the LODRUN command supports a SEQNBR parameter that accepts the special value *SEARCH. This will cause the process to scan the tape until it finds the QINSTAPP saved from QTEMP. At that point, it will load the program and run it. There is a downside though. Because the SAVLIB has to come first on the tape, there is a lot of tape searching going on before the actual save gets going. This could add 30 minutes or so to your restore process, depending on the kind of tape you're using. But, the restoration process is still fully automated, so there's a strong benefit.

The modified save process should now be changed to save your system in the following sequence:

The QINSTAPP has to be changed to first restore the security data, which will sit on the tape right after the QINSTAPP itself. Then, the restore should force a rewind on the tape and restore the libraries. When that's done, the remaining restores for the IFS will complete the process. When all is said and done, the last step must be a RSTAUT to restore object authorities.

To properly illustrate this, I've updated my sample QINSTAPP CL program and also created a companion QDRSAVE CL program to show the system save process in the right sequence. If you'd like to see these sample programs, send me an e-mail and I'll send you the shells that I recently created.
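
The restore order described above, written out as a CL sketch. This is an added example, not Rich Loeber's sample shell; the device name TAP01, the variable names, the choice of *NONSYS for the library restore and the operator messages are assumptions.

```cl
/* QINSTAPP sketch (added example): restore order from this tip.    */
/* TAP01 is an assumed tape device name; change it for your system. */
PGM
  DCL VAR(&DEV)     TYPE(*CHAR) LEN(10) VALUE('TAP01')
  DCL VAR(&DEVPATH) TYPE(*CHAR) LEN(32)
  DCL VAR(&ERRORS)  TYPE(*DEC)  LEN(3 0) VALUE(0)

  /* RST takes the device as an IFS path, e.g. /QSYS.LIB/TAP01.DEVD */
  CHGVAR VAR(&DEVPATH) VALUE('/QSYS.LIB/' *CAT &DEV *TCAT '.DEVD')

  /* 1. Security data sits right after QINSTAPP on the tape.        */
  /*    Rewind afterwards so the library restore starts at the top. */
  RSTUSRPRF DEV(&DEV) USRPRF(*ALL) ENDOPT(*REWIND)
  MONMSG MSGID(CPF0000) EXEC(CHGVAR VAR(&ERRORS) VALUE(&ERRORS + 1))

  /* 2. Libraries: the SAVLIB set is the first thing on the tape.   */
  /*    Use *ALLUSR here instead if that is what the save used.     */
  RSTLIB SAVLIB(*NONSYS) DEV(&DEV) ENDOPT(*LEAVE)
  MONMSG MSGID(CPF0000) EXEC(CHGVAR VAR(&ERRORS) VALUE(&ERRORS + 1))

  /* 3. IFS objects, leaving out the library and document systems.  */
  RST DEV(&DEVPATH) +
      OBJ(('/*') ('/QSYS.LIB' *OMIT) ('/QDLS' *OMIT))
  MONMSG MSGID(CPF0000) EXEC(CHGVAR VAR(&ERRORS) VALUE(&ERRORS + 1))

  /* 4. Always last: reapply private authorities once the profiles  */
  /*    and the objects they refer to are both back on the system.  */
  RSTAUT USRPRF(*ALL)
  MONMSG MSGID(CPF0000) EXEC(CHGVAR VAR(&ERRORS) VALUE(&ERRORS + 1))

  /* Report the outcome so a failed step is not silently accepted.  */
  IF COND(&ERRORS *GT 0) THEN(SNDPGMMSG +
       MSG('QINSTAPP: restore steps reported errors, see job log') +
       TOMSGQ(*SYSOPR))
  ELSE CMD(SNDPGMMSG +
       MSG('QINSTAPP: all restore steps completed') +
       TOMSGQ(*SYSOPR))
ENDPGM
```

Each step is monitored separately so that a problem in one restore does not prevent RSTAUT from running as the final step; the job log still has to be reviewed before the recovered system is released to users.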


Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

AUTOMATE DISASTER RECOVERY RESTORES
Part of the job of a security officer is creating, maintaining and testing your disaster recovery plan. A major part of disaster recovery is recreating your computing environment on a completely different system, and that always involves data and program restores. You might be one of the fortunate ones that has access to a comprehensive third-party save/restore application that automates the disaster recovery restore process for you.

IS THE LIGHT ON, BUT THE DOOR UNLOCKED?
iSeries owners regularly boast about the security built into their systems, and rightly so, but if you don't implement and use the features, they're not going to do anything for you. Be safe. Don't leave your system exposed; learn more about locking down your iSeries.

TESTING RESOURCE SECURITY
Rich Loeber takes a look at how you can go about testing your resource security setup. There are two things that you need to test and evaluate on your system. First, you have to make sure users have sufficient authority to get all of their work done without a problem. Once that has been established, you then need to go back and make sure users don't have too much authority, thereby compromising the confidentiality issues that prompted you to secure specific resources in the first place.

PUTTING A SECURITY GUIDE IN PLACE
One user writes, "After being audited this year, the auditors have asked me to create a 'Security officers best practices guide'. Can you recommend any articles/documents or books that could help me get started with this?" Search400.com's security expert Carol Woodbury responds.
