Mastering IBM i Security - Technology Overview

IBM i (OS/400, i5/OS)
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Before we get into examples of using these technologies, I want to make sure you know how to access them as well as provide some tips for using them.

By Carol Woodbury

Editor's Note: This article is excerpted from chapter 1 of the NEW security book, Mastering IBM i Security, by Carol Woodbury.

IBM i Access Client Solutions

Access Client Solutions (ACS) is the client software IBM provides for us to access IBM

i. I am shocked when I repeatedly see IBM i shops continuing to use the ancient Client Access for Windows software. You must migrate to ACS if you haven’t already done so! It’s only a matter of time before Microsoft issues a patch that breaks the software or there’s a new security vulnerability identified that affects the product. Because IBM no longer supports it, you’ll then be scrambling to migrate your users to ACS. Do you really want to be explaining to your management why you’re running software that hasn’t been supported in literally years and are now panicking when you could have had a controlled rollout of the currently supported product? And just because you’re running ACS doesn’t mean you shouldn’t pay attention to IBM Security Bulletins. Older versions of ACS have been identified as being exposed to the log4j vulnerability. In other words, you need to stay current! OK, I’ll get down off my soapbox now and explain some features of ACS.

While I use many of the ACS features, the main feature I’ll be using throughout this book is Run SQL Scripts. See Figure 1.1.

Mastering IBM i Security - Technology Overview - Fig1.1

Figure 1.1: Run SQL Scripts in Access Client Solutions.

Launching Run SQL Scripts opens a window that allows you to run SQL that you write as well as take advantage of the SQL examples IBM provides and–bonus!–save your work so you don’t have to re-create the SQL every time you want to run it.

First, let’s see how you can take advantage of the shipped examples. After launching Run SQL Scripts, go to the toolbar and choose Edit > Examples > Insert from Examples. Using the dropdown list, choose IBM i Services. I’ve scrolled down to the Security section of the list. Clicking on the name of the service produces an SQL example in the right window as shown in Figure 1.2.

Mastering IBM i Security - Technology Overview - Fig1.2 

Figure 1.2: Use Insert to add the SQL example to your Run SQL Scripts window.

I learned how to write SQL by first using these examples. I found an example that was close to what I wanted, clicked on the Insert button to add it to my Run SQL Scripts window, and either ran it as is or, more often, modified it to meet my needs. I encourage you to check out these examples, especially if you’re an SQL novice.

The second feature I want to point out in Run SQL Scripts is the ability to save your work. I know that, as an administrator, you don’t have time to re-create your SQL every time you want to use it. To save your work, click on File in the toolbar, then Save As> PC File. You can save the file on your PC or on a common server so your teammates can also access the file. To use the saved file, click on File > Open > PC File. I use this feature ALL.THE.TIME. I have one saved for each presentation in which I’m using SQL examples, I’ve created files for clients and then sent the file to the client for their use, I have another file that I use when investigating new features but don’t want to start from scratch, and so on. In fact, I have saved the SQL examples used throughout this book and you can download and use them yourself!

Finally, many times the results of running the SQL statement need further review or analysis. When this happens, I send the results to a spreadsheet. Here are the directions to accomplish this. Depending on the version of ACS, you’ll either choose Options from the toolbar and then Enable Save Results… > For This Session. Rerun your SQL, click on a cell in the output section, right-click, and choose Save Results. Or for more recent versions of ACS, choose Edit > Preferences. Then, on the General tab, check the box labeled Enable Saving of Results and click OK. In this case, you’ll have to close down your Run SQL Scripts window, reopen it, rerun your SQL, right-click on a cell in the output section, and choose Save Results.… Or right-click on the Results tab (the tab at the bottom of Run SQL Scripts that shows the SQL that was run) and you’ll also get the Save Results option. With either method, you’ll see various formats you can save your output to (.txt, .csv, .xlsx, etc.) as well as be able to specify where the output is to be saved. Saving the results to a spreadsheet allows me to send the results of my analysis to my clients for their review, allows me to document a “before” picture before changes are made, provides documentation for submission to a change-management committee to document upcoming changes, and more. I’m sure you’ll find many ways to use this feature!

New Navigator for i

Next, the new Navigator for i browser-based interface. “New Nav” as it’s fondly referred to first became available in Technology Refreshes (TRs) IBM i 7.3 TR11 and IBM i 7.4 TR5. At that time, it wasn’t the default, and you had to access it using the URL http:// your-system-name:2002/Navigator/login. But as of IBM i 7.5 and IBM i 7.3 TR12 and IBM i 7.4 TR6, New Nav has officially replaced Heritage Nav (the politically correct term for the old, and quite frankly ugly, previous Navigator for i interface). Now, using the URL http://your-system-name:2001 or clicking on the Navigator for i feature in Access Client Solutions (ACS) will launch New Nav.

One of my goals is to show you how to take advantage of this new and improved interface. If you happen to be on a system that is still using Heritage Nav, I encourage you to upgrade as soon as possible, not only to take advantage of the examples I’m going to show you but also to distance yourself from any vulnerabilities that may be identified in the future but not fixed (since Heritage Nav is no longer supported by IBM). To keep up to date with information regarding New Nav, see

IBM i Services

I’ll be using IBM i Services extensively in this book, so I suggest that you bookmark a couple of websites. One is the support page that lists all of the services that are available as well as the release/Technology Refresh in which they were introduced:

Services are categorized by the area of the system to which they pertain—for example, Journal Services, PTF Services, Security Services, etc. (Hint: Sometimes I find it easier to find the service I’m looking for by searching the webpage using a specific term rather than attempting to find the service in its category.) If you click on the name of a service, you may be taken to an intermediate page that lists any updates to the service along with a link to its IBM Information Center page. If no updates, you’ll be taken directly to the service’s page on the IBM Information Center, which details the purpose of the service, the output that will be generated, and, at the very bottom of the page, an example of using the service. An added benefit: if you want to use the SQL example they’ve provided, you can easily click on the icon in the upper right corner of the box containing the example to add the SQL to your clipboard!

New and enhanced services are being provided with each new version of IBM i but also with most, if not all TRs. Here’s one website that helps me keep track of the enhancements:

Authority Collection

Several of my examples will show how to use Authority Collection. Authority Collection for user profiles was introduced in IBM i 7.3 and enhanced to provide collection of individual objects in both libraries and directories in IBM i 7.4. If you’re unfamiliar with the concept and configuration of the Authority Collection feature, I suggest that you read Chapter 16 in my book IBM i Security Administration and Compliance, Third Edition for details.

IBM i Audit Journal

Since the introduction of Authority Collection, I don’t use the audit journal as much as I used to, but it remains a vital tool for investigating and solving security issues. I’ll be showing numerous examples of its use throughout this book. Again, if you are unfamiliar with the basic concepts of the IBM i audit journal, please see Chapter 15 in IBM i Security Administration and Compliance, Third Edition. I will be using both the Copy Audit Journal Entry (CPYAUDJRNE) command, which I describe extensively in my book, as well as the IBM i audit journal table functions that allow me to bypass gathering the information into an outfile and allow me to use SQL to get information directly out of the audit journal.

I prefer using the table functions for a couple of reasons. First, I may be looking for entries for only one specific user or object, but when using CPYAUDJRNE I first must gather all entries of that type. The other reason I prefer using the SQL table functions is that timestamp arithmetic is so easy using SQL. You’ll understand what I mean when you see the examples I provide. It’s likely I would switch and never use CPYAUDJRNE again, but IBM hasn’t yet provided the SQL table functions for all audit journal entry types. You can keep track of which audit journal types are supported at the following link (simply substitute the 7.5 for the 7.X version you’re running): docs/en/i/7.5?topic=services-audit-journal-entry. Check this after each TR as this is not a static list! IBM has provided most of these table functions via TRs.

Finally, New Nav has added the ability to examine the audit journal. If you’re new to the audit journal, or even if you’re not, this is an easy way to examine audit journal entries without having to know one iota of SQL! In this book, I’ll show examples of using New Nav to examine the audit journal.

Want to learn more?  You can pick up Carol Woodbury's book, Mastering IBM i Security, at the MC Press Bookstore Today!

Carol Woodbury

Carol Woodbury is President and CTO of DXR Security and has over 30 years’ experience with IBM i Security. She started her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies – SkyView Partners and DXR Security. Her current company - DXR Security - specializes in penetration testing for IBM i. Her practical experience together with her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known world-wide as an author and award-winning speaker on security technology, specializing in IBM i Security topics. She has written seven books on IBM i Security. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

IBM i Security Administration and Compliance: Second Edition IBM i Security Administration and Compliance: Second Edition
Get the must-have guide by the industry’s #1 security authority.
List Price $71.95

Now On Sale

IBM i Security Administration and Compliance IBM i Security Administration and Compliance
For beginners to veterans, this is the definitive security resource.
List Price $69.95

Now On Sale

More Articles By This Author


Support MC Press Online





  • White Paper: Node.js for Enterprise IBM i Modernization

    SB Profound WP 5539

    If your business is thinking about modernizing your legacy IBM i (also known as AS/400 or iSeries) applications, you will want to read this white paper first!

    Download this paper and learn how Node.js can ensure that you:
    - Modernize on-time and budget - no more lengthy, costly, disruptive app rewrites!
    - Retain your IBM i systems of record
    - Find and hire new development talent
    - Integrate new Node.js applications with your existing RPG, Java, .Net, and PHP apps
    - Extend your IBM i capabilties to include Watson API, Cloud, and Internet of Things

    Read Node.js for Enterprise IBM i Modernization Now!


  • Profound Logic Solution Guide

    SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation.
    Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects.
    The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the companyare not aligned with the current IT environment.

    Get your copy of this important guide today!


  • 2022 IBM i Marketplace Survey Results

    Fortra2022 marks the eighth edition of the IBM i Marketplace Survey Results. Each year, Fortra captures data on how businesses use the IBM i platform and the IT and cybersecurity initiatives it supports.

    Over the years, this survey has become a true industry benchmark, revealing to readers the trends that are shaping and driving the market and providing insight into what the future may bring for this technology.

  • Brunswick bowls a perfect 300 with LANSA!

    FortraBrunswick is the leader in bowling products, services, and industry expertise for the development and renovation of new and existing bowling centers and mixed-use recreation facilities across the entertainment industry. However, the lifeblood of Brunswick’s capital equipment business was running on a 15-year-old software application written in Visual Basic 6 (VB6) with a SQL Server back-end. The application was at the end of its life and needed to be replaced.
    With the help of Visual LANSA, they found an easy-to-use, long-term platform that enabled their team to collaborate, innovate, and integrate with existing systems and databases within a single platform.
    Read the case study to learn how they achieved success and increased the speed of development by 30% with Visual LANSA.


  • The Power of Coding in a Low-Code Solution

    LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed.
    Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

    • Discover the benefits of Low-code's quick application creation
    • Understand the differences in model-based and language-based Low-Code platforms
    • Explore the strengths of LANSA's Low-Code Solution to Low-Code’s biggest drawbacks



  • Why Migrate When You Can Modernize?

    LANSABusiness users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
    In this white paper, you’ll learn how to think of these issues as opportunities rather than problems. We’ll explore motivations to migrate or modernize, their risks and considerations you should be aware of before embarking on a (migration or modernization) project.
    Lastly, we’ll discuss how modernizing IBM i applications with optimized business workflows, integration with other technologies and new mobile and web user interfaces will enable IT – and the business – to experience time-added value and much more.


  • UPDATED: Developer Kit: Making a Business Case for Modernization and Beyond

    Profound Logic Software, Inc.Having trouble getting management approval for modernization projects? The problem may be you're not speaking enough "business" to them.

    This Developer Kit provides you study-backed data and a ready-to-use business case template to help get your very next development project approved!

  • What to Do When Your AS/400 Talent Retires

    FortraIT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators is small.

    This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:

    • Why IBM i skills depletion is a top concern
    • How leading organizations are coping
    • Where automation will make the biggest impact


  • Node.js on IBM i Webinar Series Pt. 2: Setting Up Your Development Tools

    Profound Logic Software, Inc.Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. In Part 2, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Attend this webinar to learn:

    • Different tools to develop Node.js applications on IBM i
    • Debugging Node.js
    • The basics of Git and tools to help those new to it
    • Using as a pre-built development environment



  • Expert Tips for IBM i Security: Beyond the Basics

    SB PowerTech WC GenericIn this session, IBM i security expert Robin Tatam provides a quick recap of IBM i security basics and guides you through some advanced cybersecurity techniques that can help you take data protection to the next level. Robin will cover:

    • Reducing the risk posed by special authorities
    • Establishing object-level security
    • Overseeing user actions and data access

    Don't miss this chance to take your knowledge of IBM i security beyond the basics.



  • 5 IBM i Security Quick Wins

    SB PowerTech WC GenericIn today’s threat landscape, upper management is laser-focused on cybersecurity. You need to make progress in securing your systems—and make it fast.
    There’s no shortage of actions you could take, but what tactics will actually deliver the results you need? And how can you find a security strategy that fits your budget and time constraints?
    Join top IBM i security expert Robin Tatam as he outlines the five fastest and most impactful changes you can make to strengthen IBM i security this year.
    Your system didn’t become unsecure overnight and you won’t be able to turn it around overnight either. But quick wins are possible with IBM i security, and Robin Tatam will show you how to achieve them.

  • Security Bulletin: Malware Infection Discovered on IBM i Server!

    SB PowerTech WC GenericMalicious programs can bring entire businesses to their knees—and IBM i shops are not immune. It’s critical to grasp the true impact malware can have on IBM i and the network that connects to it. Attend this webinar to gain a thorough understanding of the relationships between:

    • Viruses, native objects, and the integrated file system (IFS)
    • Power Systems and Windows-based viruses and malware
    • PC-based anti-virus scanning versus native IBM i scanning

    There are a number of ways you can minimize your exposure to viruses. IBM i security expert Sandi Moore explains the facts, including how to ensure you're fully protected and compliant with regulations such as PCI.



  • Encryption on IBM i Simplified

    SB PowerTech WC GenericDB2 Field Procedures (FieldProcs) were introduced in IBM i 7.1 and have greatly simplified encryption, often without requiring any application changes. Now you can quickly encrypt sensitive data on the IBM i including PII, PCI, PHI data in your physical files and tables.
    Watch this webinar to learn how you can quickly implement encryption on the IBM i. During the webinar, security expert Robin Tatam will show you how to:

    • Use Field Procedures to automate encryption and decryption
    • Restrict and mask field level access by user or group
    • Meet compliance requirements with effective key management and audit trails


  • Lessons Learned from IBM i Cyber Attacks

    SB PowerTech WC GenericDespite the many options IBM has provided to protect your systems and data, many organizations still struggle to apply appropriate security controls.
    In this webinar, you'll get insight into how the criminals accessed these systems, the fallout from these attacks, and how the incidents could have been avoided by following security best practices.

    • Learn which security gaps cyber criminals love most
    • Find out how other IBM i organizations have fallen victim
    • Get the details on policies and processes you can implement to protect your organization, even when staff works from home

    You will learn the steps you can take to avoid the mistakes made in these examples, as well as other inadequate and misconfigured settings that put businesses at risk.



  • The Power of Coding in a Low-Code Solution

    SB PowerTech WC GenericWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed.
    Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

    • Discover the benefits of Low-code's quick application creation
    • Understand the differences in model-based and language-based Low-Code platforms
    • Explore the strengths of LANSA's Low-Code Solution to Low-Code’s biggest drawbacks



  • The Biggest Mistakes in IBM i Security

    SB Profound WC Generic The Biggest Mistakes in IBM i Security
    Here’s the harsh reality: cybersecurity pros have to get their jobs right every single day, while an attacker only has to succeed once to do incredible damage.
    Whether that’s thousands of exposed records, millions of dollars in fines and legal fees, or diminished share value, it’s easy to judge organizations that fall victim. IBM i enjoys an enviable reputation for security, but no system is impervious to mistakes.
    Join this webinar to learn about the biggest errors made when securing a Power Systems server.
    This knowledge is critical for ensuring integrity of your application data and preventing you from becoming the next Equifax. It’s also essential for complying with all formal regulations, including SOX, PCI, GDPR, and HIPAA
    Watch Now.

  • Comply in 5! Well, actually UNDER 5 minutes!!

    SB CYBRA PPL 5382

    TRY the one package that solves all your document design and printing challenges on all your platforms.

    Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product.

    Request your trial now!

  • Backup and Recovery on IBM i: Your Strategy for the Unexpected

    FortraRobot automates the routine tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:
    - Simplified backup procedures
    - Easy data encryption
    - Save media management
    - Guided restoration
    - Seamless product integration
    Make sure your data survives when catastrophe hits. Try the Robot Backup and Recovery Solution FREE for 30 days.

  • Manage IBM i Messages by Exception with Robot

    SB HelpSystems SC 5413Managing messages on your IBM i can be more than a full-time job if you have to do it manually. How can you be sure you won’t miss important system events?
    Automate your message center with the Robot Message Management Solution. Key features include:
    - Automated message management
    - Tailored notifications and automatic escalation
    - System-wide control of your IBM i partitions
    - Two-way system notifications from your mobile device
    - Seamless product integration
    Try the Robot Message Management Solution FREE for 30 days.

  • Easiest Way to Save Money? Stop Printing IBM i Reports

    FortraRobot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing.
    Manage your reports with the Robot Report Management Solution. Key features include:

    - Automated report distribution
    - View online without delay
    - Browser interface to make notes
    - Custom retention capabilities
    - Seamless product integration
    Rerun another report? Never again. Try the Robot Report Management Solution FREE for 30 days.

  • Hassle-Free IBM i Operations around the Clock

    SB HelpSystems SC 5413For over 30 years, Robot has been a leader in systems management for IBM i.
    Manage your job schedule with the Robot Job Scheduling Solution. Key features include:
    - Automated batch, interactive, and cross-platform scheduling
    - Event-driven dependency processing
    - Centralized monitoring and reporting
    - Audit log and ready-to-use reports
    - Seamless product integration
    Scale your software, not your staff. Try the Robot Job Scheduling Solution FREE for 30 days.