Forget the Future; ACS Is Now

System Administration
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

IBM i Access Client Solutions’ requirement for LAN console may finally force tension for change.

A few short years ago, IBM released Access Client Solutions (ACS): a lightweight, Java-based application for basic user necessities like 5250 emulation and spooled file management. It had a link to the web-based Navigator for i product, data transfer, plus the ability to do 5250 console and access a virtual control panel. It also provided a link to the Hardware Management Console (HMC) web interface…so technically two features were links. Check out one of the original how-to videos describing what it did. Very bare bones compared to what the product does now. But you have to start somewhere.

Fast-forward five years.

Access Client Solutions has been updated with additional features for accessing the Integrated File System (IFS), a link to any locally installed SSH terminal (think Putty or the like), and schema support for the IBM i database guru, including Run SQL Scripts and the SQL Performance Center. Plus there’s all the neat stuff in the background, such as the ability to check for updates, add watermarks to your IBM i partitions, or automatically capture screen history every time an action key is pressed.

Not only is it feature-rich, it’s also going to be the only supported “Access” product going forward.

IBM i Access for Windows is going away. We knew it wasn’t going to be supported past Windows 8, although it does “work” on Windows 10. We also knew that the old IBM i Access for Windows was not supported as a LAN console option for IBM i 7.3. In that case, “supported” and “will work” are two very different things. If you’re using IBM i Access for Windows for LAN console and you do an upgrade to 7.3, as soon as the system does an A-mode IPL, you’ll lose the console. This is because the Service Tools protocols in 7.3 remove support for SSLv3, which is what Access for Windows uses. Now, your D-mode installation will work, but you will not have a 5250 console. This is very important if you still have PTFs to apply (you should) or you’re coming up in a restricted state to verify the installation was successful (you’d better).

Of course, IBM i Access for Windows will still work if you have an HMC for POWER6, POWER7, POWER8, or POWER9. Once support for the Access for Windows goes away, I’d imagine that IBM will remove that support by way of an HMC fix pack for recent or supported HMCs. Either way, the elimination of SSLv3 should be up there on your list as it is highly insecure. Removing Access for Windows as your console is now very much a necessity rather than a matter of preference. Considering that the majority of IBM i customers do not have HMCs, the community will be forced to choose Access Client Solutions for their console choice. That’s definitely not a bad thing.

With that being said, a few weeks ago IBM announced the end-of-support date for Access for Windows as April 19, 2019. This was not unexpected considering IBM i 7.1 was slated to go end of support (and it did) on April 30, 2018.

We’ve talked about the 5250 console. Now let’s talk about regular user clients. I do see a lot of customers still running IBM i Access for Windows or one of the variant names. I’d say the majority are running 7.1, but I do run into a few running 6.1 on all clients.

One thing I hear a lot when we do an upgrade and install ACS for the new console is the following: “I don’t have to roll this out to all users, do I?”

No, you do not.

However, the benefits of ACS and the ease of rollout are drastically different from upgrading the old Access for Windows clients. You could easily spend an hour upgrading a single Access for Windows installation, so I understand why people were a little gun shy. Updating the client has never been easy until now.

First, it’s about 84MB. Very easy to deploy because of its size. No big image you have to worry about downloading.

The installation is simple: You can quite literally run through the install process in about two minutes. There’s no real install per se. It’s more of a configuration. It’ll ask questions like “Do you want to install 5250 emulator?” or “Do you want to install Run SQL Scripts?” and then present the configured client to you. Now, you can do this and then just copy the customized application package to a user’s desktop. Voila. You’re done.

Updating it is a cinch too. You update the source package locally and then just copy over the new, updated configuration on a user’s desktop.

Let’s say you wanted to implement Transport Layer Security (TLS) encryption for Telnet or maybe Enterprise Identity Mapping (EIM). Both are a heck of a lot harder to configure on every desktop with Access for Windows. With ACS, you can preconfigure those settings and then roll it out en masse. That’s what we’re seeing a lot of people do in fact, given the focus and interest on security in the IBM i community as of late. It’s much easier to implement these types of changes with ACS, so admins are rolling that into their initial deployment plans.

Some customers will be forced to upgrade because their business simply won’t allow unsupported software to be installed. That’s a good thing. But for the rest of the customer base (especially those running Access for Windows 6.1), it may take a little more effort to get the word out about ACS and its benefits in order to force people to upgrade. If it’s not broke, then why fix it? It’s like an AC/DC album. It’s the same 4/4 rock n’ roll since the 1970s. The band has evolved a little and of course there’s a difference in the sound of Bon Scott and Brian Johnson, but for the most part they’re meat-and-potatoes rock albums. But if all you listen to is “Let There Be Rock,” then you lose something by not exploring what’s new.

The real value for ACS is for the users. Yes, the admins and database guys get the cool admin and database features. But rolling out EIM makes life simpler, and it gives the users single sign-on (SSO). Rolling out TLS encryption over Telnet makes the users more secure. Don’t think they care? Ask your CFO if he thinks his laptop to IBM i session is encrypted. I bet he thinks it is. Based on what I see in the wild, the majority of 5250 sessions are not encrypted. Again, these features are easily rolled out with ACS, so here’s your chance.

What about users who print 200-page reports and then scan them to PDF files and email them to themselves? It does happen. The spooled file support gives them either text or PDF support for spooled files automatically.

If we can make our users’ jobs just a little easier, then why wouldn’t we do it if the effort is minimal? It is, and we should.