A little more than a year ago, I wrote a security tip about automating your iSeries disaster recovery restore process. Of the many tips I've done over the last several years, none has drawn as much "fan mail" as this particular tip.
The essence of the tip was an implementation of the OS/400 command LODRUN to automatically restore a full system backup tape. The LODRUN searches the tape for a known program (named QINSTAPP), loads that program into the session QTEMP library and then calls it. Your QINSTAPP program can then load the contents of the tape. The only thing you have to do is create the QINSTAPP program and include it in the backup.
Well, I created that methodology quite a while ago, and a "fan" recently contacted me to let me know that, during testing, he found a problem with it. It seems that the current versions of OS/400 don't like it when the SAVLIB -- for *ALLUSR or *NONSYS libraries -- is not the first backup set on the tape. The tip clearly called for the QINSTAPP *PGM object to be the first object on the tape, so there was a conflict.
First, I have to commend my "fan" (Keith Scott at Hoover Materials Handlng Group) for putting the process to the test. Over the last year, I've given away hundreds of copies of the shell CL program for QINSTAPP and Keith was the only one to test it and find the problem. No matter where you get your code, testing should ALWAYS be a requirement, especially for something as important as a disaster recovery procedure. I tested this process long ago and it worked then, but it is problematic today.
The news is not all bad, however. With the current versions of OS/400, the LODRUN command supports a SEQNBR parameter where you can use a *SEARCH parameter. This will cause the process to scan the tape until it finds the QINSTAPP saved from QTEMP. At that point, it will load the program and run it. There is a downside though. Because the SAVLIB has to come first on the tape, there is a lot of tape searching going on before the actual save gets going. This could add 30 minutes or so to your restore process, depending on the kind of tape you're using. But, the restoration process is still fully automated, so there's a strong benefit.
The modified save process should now be changed to save your system in the following sequence:
- SAVLIB for the libraries you want to save (either *ALLUSR or *NONSYS)
- SAVOBJ for the QINSTAPP saved from QTEMP
- SAVSECDTA to save your security setup
- SAVDLO for your shared folder objects
- SAV for the IFS (other than shared folders)
The QINSTAPP has to be changed to first restore the security data, which will sit on the tape right after the QINSTAPP itself. Then, the restore should force a rewind on the tape and restore the libraries. When that's done, the remaining restores for the IFS will complete the process. When all is said and done, the last step must be a RSTAUT to restore object authorities.
To properly illustrate this, I've updated my sample QINSTAPP CL program and also created a companion QDRSAVE CL program to show the system save process in the right sequence. If you'd like to see these sample programs, send me an e-mail and I'll send you the shells that I recently created.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.
MORE INFORMATION ON THIS TOPIC
AUTOMATE DISASTER RECOVERY RESTORES
Part of the job of a security officer is creating, maintaining and testing your disaster recovery plan. A major part of disaster recovery is recreating your computing environment on a completely different system, and that always involves data and program restores. You might be one of the fortunate ones that has access to a comprehensive third-party save/restore application that automates the disaster recovery restore process for you.
IS THE LIGHT ON, BUT THE DOOR UNLOCKED?
iSeries owners regularly boast about the security built into their systems, and rightly so, but if you don't implement and use the features, they're not going to do anything for you. Be safe. Don't leave your system exposed; learn more about locking down your iSeries.xc
TESTING RESOURCE SECURITY
Rich Loeber takes a look at how you can go about testing your resource security setup. There are two things that you need to test and evaluate on your system. First, you have to make sure users have sufficient authority to get all of their work done without a problem. Once that has been established, you then need to go back and make sure users don't have too much authority, thereby compromising the confidentiality issues that prompted you to secure specific resources in the first place.
One user writes, "After being audited this year, the auditors have asked me to create a 'Security officers best practices guide'. Can you recommend any articles/documents or books that could help me get started with this?" Search400.com's security expert Carol Woodbury responds.