
AS 400 Administration Training Program

(Vikas Vats)
v.vats@tcs.com
+91 9663394043
TCS Internal 1
18/11/2009
Index :-
1. Module 1 : AS/400 Overviews
2. Module 2 : System Concepts
3. Module 3 : System Administration
4. Module 4 : System Security
5. Module 5 : Backup and Restoration

Module :- 1
AS/400 Overviews
Introducing the AS/400 System :-
The AS/400 system is a family of midrange computers based on a single software architecture. AS/400 uses OS/400 as its operating system. It provides many integrated features that form the foundation of computer systems.
It is designed and built as a total system. It means that facilities such as a relational database and networking capability (and much more) are fully integrated into the Operating System and the machine. The user communicates with all these functions through a single control language, or by using system menus and prompts. AS/400 is designed as a general purpose business computer; it is optimized for that environment. Its design reflects the dominant requirements of that environment.
Advantages of AS/400 :-
Layered Machine Architecture :- This insulates users from the hardware of the system. It enables the users to move towards new hardware technology at any time, without disrupting their application programs.
Object Orientation :- Everything that can be saved or restored on the system is known as an "Object". A user can find the required object without knowing its location on the system. Objects exist to make users independent of the internal structure of the machine.
Single-Level Storage :- Main storage and Disk storage appear contiguous. An object is saved or restored on the system via a device-independent addressing mechanism. This means extra main storage or disk storage can be added to the system and used without affecting the application programs and database. A user or a programmer is not concerned as to where a program or a file is; if they want to use it, they simply name it.
Hierarchy Of Microprocessors :- As well as the main system processor, AS/400 has a large number of microprocessors. Every Input / Output (I/O) device type on AS/400 has its own microprocessor. This means that requests for data to be written to or read from any I/O device can be delegated to the processor in charge of that device. Meanwhile, the main system processor executes another application.
Easy To Use :- From the operators' and the end users' point of view the menu driven structure of AS/400 makes it very easy to operate.
Ability to grow and improve the system without disruption.
AS/400 Hardware :-
Basic Block Diagram Of AS/400 System
The system hardware includes the processor and the main storage, the I/O devices and controllers, and the racks, cables and controllers that make up the AS/400 system. The hardware design allows system components to be located throughout the enterprise to meet the need of the workplace. System components, such as additional racks, I/O controllers and storage and workstation devices can be added incrementally without reconfiguring the entire system.
Layered Machine Architecture :-
AS/400 insulates users from hardware characteristics through the layered machine architecture. This layered architecture raises the level of the machine interface, creating a high-level machine instruction set that is independent of the underlying hardware implementation.
Figure 1 shows the hardware with the licensed internal code that comprises the high-level machine. AS/400 is unusual in that the machine is defined by software, not by hardware. The instructions presented to the machine interface undergo a further process of translation before they are "Understood" by the hardware. This process of translation is carried out by the licensed internal code. Hardware characteristics change as the technology changes; the user, however, still "sees" the same interface.
[Figure: Basic Block Diagram of AS/400 System. Boxes: System Processor, Main Memory, Service Processor, DASD Storage, I/O Processors]
Furthermore, some frequently-executed routines (that would reside in the operating system of a conventional machine) have been moved into licensed internal code. This runs faster than higher level languages, so any application using these routines will realize a performance gain.
Figure 1 : AS/400 Layered Architecture
Examples of some basic supervisory and resource management functions that are in licensed internal code are validity and authorization checks. The high-level machine provides the user with the ability to address 2^64 bytes of storage on the PowerPC based Models of the AS/400.
Layered machine architecture means that as new hardware and software technologies emerge, they can be employed without affecting applications.
The strength of this architecture was evident with the introduction of the new range of PowerPC based AS/400 Models in June 1995. The System Processor changed from being a 48-bit CISC to 64-bit RISC. Yet existing customer applications can run on the new processors and take full advantage of the 64-bit capacity without any recompilation or rewrite needed of the application.
Hierarchy Of Microprocessors :-
In the AS/400 system, along with the main system processor, there is a range of other processors, each dedicated to a particular I/O device. What this means is that when the main system processor encounters a request for data to be written to or read from any I/O device, that request is delegated to the particular microprocessor dedicated to that I/O device. Meanwhile, the system processor continues with another application program.
This design provides AS/400 with its outstanding performance in the commercial, transaction-based, environment. It also means that the latest microprocessor technology can be easily utilized at any time without disrupting the rest of the system.
Using the N-way multiprocessor capability of the AS/400, the larger models of AS/400 can have up to 4 processors.
[Figure 1: AS/400 Layered Architecture. Labels: Applications; OS/400; Technology Independent Machine Interface; Licensed Internal Code; SLIC Object Based Kernel; 48-bit CISC Processor; 64-bit RISC Processor]
Hierarchy Of Microprocessors
[Figure: Hierarchy Of Microprocessors. Boxes: Main Storage, System Processor, Service Processor, I/O Processors]

Module :- 2
System Concepts
Object Oriented Technology :-
Everything on AS/400 that can be stored or retrieved is contained in an "Object". Objects exist to make users independent of the implementation techniques used in the machine. The "Create Object" instruction establishes the object's name and its type. All objects are structured with a common object header, and a type-dependent functional portion. An object thus combines the data and the valid methods of using that data into one entity. Therefore only valid methods of using that data are allowed.
This improves overall integrity of the system and its data. This also permits the system to perform standard object-level functions very efficiently; the object type then determines the way in which a specific object can be used when retrieved.
The architecture supports multiple extents to an object.
In other words, a user is not concerned with the space his object occupies. The system allocates space automatically.
Object orientation gives a strong foundation for new technologies such as artificial intelligence. The object-oriented AS/400 architecture lends itself very well to the utilization of object-oriented techniques for the representation of knowledge in an expert system.
With the PowerPC based Models of the AS/400, the Licensed Internal Code that sits above the hardware has been written as System Licensed Internal Code with an Object Based Kernel. The Kernel has been written in C++ and is fully Object Oriented giving all the advantages of flexibility, code reuse, programming efficiency, and error reduction that come from Object Oriented Programming.
Single Level Storage :-
The AS/400 system is a shared system in which all portions of main and auxiliary storage are addressed as though they are within a single area (or level). The system uses the object name to determine where the object exists in the system. This means that the user can find objects by name rather than by storage locations. Because operations cannot be performed on an object that is not in main storage, the system moves a part or all of the object into main storage as it is needed and moves it back into auxiliary storage when it is not needed. This transfer is controlled by the system and does not require control by the user or programmer.
All system storage (whether main storage or disk storage) is addressed in the same way. This single, device-independent addressing mechanism means that to run a program, a user calls its name. All objects are treated as if they reside in a 2^64 byte address space.
The AS/400 system's virtual addressing is independent of an object's physical location, and the type, capacity and number of disk units on the system.
What this means is that application programs do not require modification in order to take advantage of new storage technologies. Users can leave all storage management entirely to the machine.
Operating System
The OS/400 licensed program supports the IBM AS/400 system. It controls the operation of programs and provides services such as controlling resources, scheduling jobs, controlling input and outputs, and managing data. The OS/400 program is designed to complement and extend the advanced capabilities of the AS/400 system to provide fully integrated support for interactive applications. To supplement the full range of the interactive environment, the AS/400 system also processes multiple batch applications at the same time.
Many of the functions of the OS/400 program are directly applicable to interactive data processing. Among these functions are :
Database support to make up-to-date business data available for rapid retrieval from any workstation.
Work management support to schedule the processing of requests from all workstation users.
Application development support that allows online development and testing of new application programs to run at the same time as normal production activities.
System operation support that allows the user responsible for system operations to perform work from the display station using a single control language, complete with prompting and help for all commands.
Message handling support that allows communication between the system, the user responsible for system operations, workstation users and programs running in the system.
Security support to protect data and other system resources from unauthorized access.
Service support that allows service representatives to diagnose problems and install new functions with minimal effect on the normal flow of work.
The system can be set up and installed using system defaults for basic functions. As the needs of the business grow, the use of controls and functions can be increased without disrupting applications that are already on the system.
The OS/400 functions are accessed either through the use of a comprehensive set of menus or through the control language CL. Other AS/400 licensed programs such as high-level languages and the application development tools also use OS/400 menus and CL.
The AS/400 system is controlled through a single consistent control language that is supported by the Operating System. The Control Language provides the operations normally associated with controlling the operation of a system such as :
Controlling the operation of input and output devices attached to the system.
Submitting batch jobs.
Ending a session with the system.
In addition, many advanced functions used in data processing are provided. For example, data files and programs are created, the running of programs is controlled and workstation users can communicate with each other by using functions requested through the control language.
Although the control language is the interface through which the functions of the operating system are controlled, it is not the only interface available to the user. The data is accessed and updated by high level language programs using OS/400 functions.
Object Management
The term object refers generally to named items (such as programs and files) that are stored in the system. The object management functions allow objects to be grouped and arranged in the system. The object management system functions allow users to create, update, and delete objects by name, without needing to specify the exact storage location of the objects.
Work Management
The Work Management functions provide the framework through which the system and all the work performed on the system are controlled. These functions support an environment running more than one computer at a time and manage competition between jobs for main storage and other system resources. The work management function allows work to be submitted by the user, presented to the machine to be processed, and controlled by the user responsible for system operations.
Data Management
The data management functions support documents, database, files and device files. Data management for documents and database provides the functions required for creating and updating database files and performing input and output operations on them. Data Management for the devices provides input and output operations for both local and remote devices attached to the system, including many unique functions to support the display and printer devices.
System Management
The AS/400 system integrates most major functions by making them a part of the operating system. For example, a user can control the operations of jobs and subsystems, respond to system messages, perform save and restore operations and so on. These operations can be performed from any workstation by authorized users and are not restricted to a single person.
Control Language
While the menu system is the primary interface to the OS/400 program functions, the Control Language is also available to directly access system functions and can be used at the same time by users from different workstations. A single Control Language statement is called a command. Commands can be entered :
Individually from a workstation.
As part of batch jobs.
As source statements to create Control Language programs.
To simplify the use of Control Language, all the commands use a consistent naming convention. In general, the first three letters refer to the action to be taken, the next three refer to the object of that action and the last character, if any, provides an additional descriptor of the task to be performed. For example, the WRKJOBQ command tells the system that the user wants to work with a job description. In addition, the Operating System provides prompting support for all commands, default values for most command parameters, and syntax checking to ensure that a value is typed correctly before the function is performed. Thus, the Control Language provides a single, flexible interface to many different system functions.
Communications
The communication structure supports multiple architectures in a flexible and extendable fashion, by supporting multiple communications architecture implementations and the sharing of physical resources. Documents, data and files can be exchanged with remote systems, and remote users can access files and application programs on the AS/400 system.
Query / 400
Query/400 is an IBM Licensed Program and a decision support utility that can be used to obtain information from the AS/400 database. It can obtain information from any database file that has been defined on the system using OS/400 Data Description Specification (DDS), OS/400 Interactive Data Definition Utility (IDDU) or the IBM Structured Query Language/400 (DB2/400) program. You use query to select, arrange or analyze information (data) stored in one or more database files to produce reports and other data files. You can create your own query definitions and then run them or you can run existing queries. You determine what data the query is to retrieve, the format of the report and whether it should be printed, displayed or sent to another database file.
You can use query to obtain information from a single file or a combined set of 32 files. You can select all the fields or a few of the fields and organize them as you want them to appear in the type of output chosen. You can have all reports in the files included in the output, or you can select only a few to be included using selected tests.
AS/400 Objects:
The object-based architecture of the machine is fundamental to the overall design of the functions provided by the AS/400 system. Each type of object on the system has a unique purpose within the system. Each has an associated set of commands with which to process that type of object.
Different object types have different operational characteristics. These differences make each object type unique. Each object has a name. The object name and the object type are used to identify an object. The object name is explicitly assigned by the system for system supplied objects or by the user when creating an object. The object type is determined by the command used to create it.
Libraries:
A library is an object that is used to group related objects and to find objects by name. Thus a library is a directory to a group of objects. The number of objects contained in a library and the number of libraries on the system are limited only by the amount of storage available. Two different objects with the same name can exist in the same library only if their object types differ. However, two objects with the same name and type can exist in different libraries.
There are three types of libraries :
1. Systems
2. User
3. Product
Folders:
A folder is a named object that is used as a directory for documents and other folders. Folders can be filed within another folder. Folder within folders is similar to a filing cabinet. A folder path is a list of the folders within folders needed to find a document or object within a folder.
Files:
A file is an object that contains either a set of related records handled as a group or a stream of data. One of the most common types of files that contains records is the database file. A document is the type of file that contains only a stream of data. There are different types of files on the system as follows:
1. Physical file
2. Logical file
3. Display file
4. Printer file
5. Tape file
6. Diskette file
7. Message file
8. Save file
Programs:
A program is an object containing a set of instructions that tell the system where to get information, how to process it and where to put the results. When the system compiles the program description, the object type identifies it as a program. Because it is a program object, the system begins to read the lines of code and to process the commands.
Job Queue:
The system handles multiple operations at the same time and supervises the sharing of the system resources. The jobq manages the batch requests submitted by the users. A user can then continue to work at the workstation on other tasks while the system processes the request.
Out Queue:
As the job processes a request to print data it gets data from a database file and uses the print device file to format the data. The formatted print files are placed on an output queue until the writer is ready to send the information to the printer. Out queues can be arranged by priority depending on users' needs.
Message Queue:
Communication between programs, between jobs, between users, between users and programs and between users and the system occurs through messages. When a message is sent to a program or to a system user, it is placed on a queue associated with that program or user. The OS/400 program automatically provides message queues for :
1. workstation on the system
2. user enrolled on the system
3. users responsible for the system operation
4. system history log
Users can create additional message queues to meet any special application program requirement.
Data Queue:
When running an application consisting of several programs, it is often necessary to pass data and variables to other programs. Programs can set up data queues to be used by the entire application so that all programs can refer to a single set of data and variables passed to the programs through the queue.
User Profiles:
A user profile is an object that identifies a particular user or a group of users to the AS/400 system. The user is known in the system by user profile name. When a workstation signs on, the user id is used to find the user profile setting. The password is defined in the user profile. All AS/400 system security functions rely on the user profile to describe each user. The user profile identifies the authorities to that user.
A group profile is used to provide the same profile for a group of users. This eliminates the need to assign the authority to each user individually.
Menu:
The menu allows users to select the task they would like to perform without having to use the system commands. These task menus provide users with a more defined group of choices regarding tasks or objects available.
Subsystem:
A subsystem is a single, predefined operating environment through which the system coordinates the work flow and resource use. The system can contain several subsystems, all operating independently of each other. Subsystems manage resources. The run-time characteristics of a subsystem are defined in an object called a subsystem description. Each subsystem can run unique operations. For instance, you can set up one subsystem to handle only interactive jobs, while another subsystem handles only batch jobs. Subsystems can also be designed to handle many types of work. The system allows you to decide the number of subsystems and what types of work each subsystem will handle. The system relies on subsystem descriptions when starting subsystems. Therefore, if you want to change the amount of work (number of jobs) coming from a job queue, for example, you only need to change the job queue entry in the subsystem description.

Module :- 3
System Administration
Subsystem :
A subsystem description is a system object that contains information defining the characteristics of an operating environment controlled by the system. The system-recognized identifier for the object type is *SBSD. A subsystem description defines how, where, and how much work enters a subsystem, and which resources the subsystem uses to perform the work. An active subsystem takes on the simple name of the subsystem description. Like a set of detailed blueprints, each subsystem description is unique, containing the specific characteristics describing the subsystem. The description includes where work can enter the subsystem, how much work the subsystem can handle, how much main storage (memory) will be used, and how quickly jobs in the subsystem can run. You can use a subsystem description supplied with your system (with or without making changes to it), or you can create your own.
A subsystem description consists of three parts:
1. Subsystem attributes (overall subsystem characteristics)
2. Work entries (sources of work)
3. Routing entries
Creating a Subsystem Description
You can create a subsystem description in two ways. You can copy an existing subsystem description and change it, or you can create an entirely new description. The following are two approaches you can use:
1. Copying an existing subsystem description
   1. Create a duplicate object, CRTDUPOBJ, of an existing subsystem description. (You can also use the WRKOBJ or WRKOBJPDM commands.)
   2. Change the copy of the subsystem description.
2. Creating an entirely new subsystem description
   1. Create a subsystem description (CRTSBSD).
   2. Create a job description (CRTJOBD).
   3. Add work entries to the subsystem description.
      a. ADDWSE (Add workstation entry)
      b. ADDJOBQE (Add job queue entry)
      c. ADDCMNE (Add communications entry)
      d. ADDAJE (Add autostart job entry)
      e. ADDPJE (Add prestart job entry)
   4. Create a class (CRTCLS).
   5. Add routing entries to the subsystem description (ADDRTGE).
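The second approach (an entirely new subsystem description) written out as CL, as an added example that is not part of the original training material. The library, subsystem, job queue, job description and class names and every parameter value are assumptions chosen for illustration.

```cl
/* Added example: build a small batch subsystem from scratch.         */
/* All object names and parameter values below are assumptions.       */

/* 1. Subsystem description: attributes only, sharing the *BASE pool  */
CRTSBSD    SBSD(MYLIB/MYSTORE) POOLS((1 *BASE)) +
             TEXT('Batch subsystem for store jobs')

/* Job queue that will feed the subsystem                             */
CRTJOBQ    JOBQ(MYLIB/MYSTOREQ) TEXT('Job queue for MYSTORE')

/* 2. Job description. USER(*RQD) keeps a user profile name out of    */
/*    the job description, so having authority to the job description */
/*    does not by itself let work run under someone else's profile.   */
CRTJOBD    JOBD(MYLIB/MYSTORED) JOBQ(MYLIB/MYSTOREQ) USER(*RQD) +
             TEXT('Job description for MYSTORE batch work')

/* 3. Work entry: jobs enter from the job queue, one active at a time */
ADDJOBQE   SBSD(MYLIB/MYSTORE) JOBQ(MYLIB/MYSTOREQ) MAXACT(1) SEQNBR(10)

/* 4. Class: run priority 50 on the 1 (highest) to 99 (lowest) scale  */
CRTCLS     CLS(MYLIB/MYSTOREC) RUNPTY(50) TIMESLICE(5000) +
             TEXT('Run attributes for MYSTORE batch jobs')

/* 5. Routing entry: send every job to the CL command processor and   */
/*    run it with the class created in step 4                         */
ADDRTGE    SBSD(MYLIB/MYSTORE) SEQNBR(9999) CMPVAL(*ANY) +
             PGM(QSYS/QCMD) CLS(MYLIB/MYSTOREC) POOLID(1)

/* Review the description, start the subsystem, submit a test job     */
/* through the new job description, then look at the subsystem's jobs */
DSPSBSD    SBSD(MYLIB/MYSTORE)
STRSBS     SBSD(MYLIB/MYSTORE)
SBMJOB     CMD(DSPLIBL OUTPUT(*PRINT)) JOB(TESTJOB) JOBD(MYLIB/MYSTORED)
WRKSBSJOB  SBS(MYSTORE)
```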
Starting a Subsystem
To start a subsystem, use the Start Subsystem (STRSBS) command or the Work with Subsystem Description (WRKSBSD) command. To use the STRSBS command, specify the following:
STRSBS SBSD (SBSD = library/subsystem description name)
For example
STRSBS MYLIB/MYSTORE
Ending a Subsystem
To end a subsystem:
1. Use the End Subsystem (ENDSBS) command: ENDSBS SBS OPTION (SBS = the active subsystem name)
For example
ENDSBS MYSTORE *IMMED
2. Specify, using an option, when you want the subsystem to end.
*IMMED
End the subsystem immediately. Use this option if there are no users on the system and no batch jobs running.
*CNTRLD
Allow active jobs to end themselves (if they are checking to see if the job is being ended). Use this option when users or batch jobs are running in the subsystems to ensure the jobs finish before the subsystem ends.
Deleting a Subsystem Description
To delete a subsystem description, use the Delete Subsystem Description (DLTSBSD) command. To use the DLTSBSD command, the subsystem cannot be active.
Active and Inactive Subsystems
An active subsystem is one that has been started, for example, with the Start Subsystem (STRSBS) command. An inactive subsystem is one that has been ended, for example, with the End Subsystem (ENDSBS) command or has not been started. You cannot remove pools from an active subsystem.
Job Management:
A job is a unit of work. On AS/400 a Job is a Unit of Work Done. There are 9 types of jobs on the system,
1. Interactive
2. Batch
3. Prestart
4. Autostart
5. Communication
A user can do the following activities with the job.
1. END
2. HOLD
3. RELEASE
4. CHANGE
Every job has a priority to run on the system. 1 is the highest priority and 99 is the lowest priority. The administrator can even change the jobq of the job.
1. Use the following command to track a particular user's jobs,
WRKUSRJOB
2. Use the following command to find out jobs in a JOBQ,
WRKJOBQ
3. Use the following command to find scheduled jobs
WRKJOBSCDE
4. To submit a job in batch use the following command.
SBMJOB
5. To find the total number of active jobs on the system use the command,
WRKACTJOB
6. To find jobs running in a particular subsystem use,
WRKSBSJOB
User Profile Management:
Create User Profile
The Create User Profile (CRTUSRPRF) command identifies a user to the system and allows you to customize the way the system appears. When the profile is created, the profile is given *CHANGE and *OBJMGT authorities for the profile itself. The system relies on the profile having these authorities to itself and they should not be removed.
Restriction : The user of this command must have
(1) *SECADM special authority,
(2) *USE authority to the initial program, initial menu, job description, message queue, output queue, and attention-key-handling program if specified, and
(3) *CHANGE and Object Management Authorities to the group profile and supplemental group profiles if specified.
Delete User Profile :
The Delete User Profile (DLTUSRPRF) command allows a user to delete a user profile from the system. If a User Profile is damaged by system failure, it can be deleted by using the Delete User Profile (DLTUSRPRF) command and re-created by using the Create User Profile (CRTUSRPRF) command. After a user profile is re-created, the owned objects and primary group objects can be transferred back to it.
Restriction :
(1) The user must have use (*USE) and object existence (*OBJEXIST) authority to the User Profile.
(2) The user must have existence, use, and delete authorities to delete a message queue associated with and owned by the user profile.
The User Profile cannot be deleted if a user is currently running under the profile, or if it owns any objects and OWNOBJOPT(*NODLT) is specified. All objects in the user profile must first either be transferred to new owners by using the Change Object Owner (CHGOBJOWN) command or be deleted, or OWNOBJOPT(*CHGOWN user-profile-name) can be specified to change the ownership. Authority granted to the user does not have to be specifically revoked by the Revoke Object Authority (RVKOBJAUT) command; it is automatically revoked when the user profile is deleted.
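One way to retire a profile under the rules above, as an added CL program that is not part of the original training material. The parameters &USER and &NEWOWN are assumptions of this example, and the caller needs the authorities listed in the restrictions.

```cl
/* Added example: retire a user profile and keep the objects it owns. */
/* &USER (profile to delete) and &NEWOWN (profile that receives the   */
/* owned objects) are hypothetical parameters of this program.        */
PGM        PARM(&USER &NEWOWN)
  DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL        VAR(&NEWOWN) TYPE(*CHAR) LEN(10)

  /* Block new sign-ons while the profile is being reviewed           */
  CHGUSRPRF  USRPRF(&USER) STATUS(*DISABLED)
  MONMSG     MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG  MSG('Profile could not be disabled; nothing deleted')
    RETURN
  ENDDO

  /* Keep a printed record of what the profile owns and what it is    */
  /* authorized to, since private authorities are revoked on delete   */
  DSPUSRPRF  USRPRF(&USER) TYPE(*OBJOWN) OUTPUT(*PRINT)
  DSPUSRPRF  USRPRF(&USER) TYPE(*OBJAUT) OUTPUT(*PRINT)

  /* Delete the profile. *CHGOWN moves owned objects to &NEWOWN, so   */
  /* ownership does not block the delete as it would with *NODLT.     */
  DLTUSRPRF  USRPRF(&USER) OWNOBJOPT(*CHGOWN &NEWOWN)
  MONMSG     MSGID(CPF0000) EXEC(DO)
    /* A common cause: a job is still running under the profile       */
    SNDPGMMSG  MSG('Delete failed; check WRKUSRJOB for active jobs')
    RETURN
  ENDDO

  SNDPGMMSG  MSG('Profile deleted; owned objects transferred')
ENDPGM
```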
Basic Operational commands
1. ASSISTANT MENU
The Operational Assistant is a series of user-friendly menus. By selecting menu options, the user can perform basic tasks.
Work with printer output
Work with jobs
Send Messages
Power On/Off tasks
System Backup
The options displayed on your Operational Assistant Menu will vary, depending on the privileges granted to your profile.
Accessing the Operational Assistant Menu
There are two ways to access the Operational Assistant Display.
The first method is to type go assist on the command line and press the ENTER key. After a short wait the menu should be AS/400 Operational Assistant Menu. To leave the Operational Assistant menu and return to the previous menu, tap the [F12] key.
The second method is to tap the ATTENTION key. If you have mapped your keyboard using Client Access or Mocha 5250 and are using the standard IBM mapping the ATTENTION key will be the ESC key on your PC keyboard. If you tap the ATTENTION key and the Operational Assistant Menu does not display go back to the section in Getting Started (Client Access) or Getting Started (Mocha) that taught you how to change the keyboard mapping. To leave the Operational Assistant Menu and return to your previous screen, tap the [F12] key.
Check the system value for the "Attention key program"
a) Type go define on any Selection or Command line to reach the "Define or Change the System" menu.
b) From the "Define or Change the System" menu, select C, Work with System Values.
c) Tap PAGE DOWN until you find the system value QATNPGM. The system values are arranged alphabetically, and they all start with Q.
d) Position your cursor on the option line in front of QATNPGM and enter 5 on the option line. Tap the ENTER key.
e) The value of QATNPGM should be *ASSIST. This may not be the case on other systems but GCIBM2 is configured so the system value for QATNPGM is *ASSIST.
Next we'll confirm that your profile is set up to use the system value. Press F12 (cancel) to return to any display with a Selection or Command line.
a) On any Selection or Command Line, type CHGPRF and press F4 to prompt for values.
b) Press the F10 function key to display Additional Parameters.
c) Notice the word More... at the bottom right corner. Display another screen of parameters by tapping the PAGE DOWN key on your keyboard.
d) Look down the left column until you locate the description, "Attention Program".
e) The parameter for "Attention Program" should be *SYSVAL. If the parameter is not *SYSVAL, please position the cursor on the first character of the value and type *SYSVAL, removing any extra characters in the field. Then press the ENTER key.
f) Changes to the User Profile do not take effect until you sign off and sign back on. If you made changes in step e, please sign off and start a new session. You can then use the ESC key to access the AS/400 Operational Assistant Menu.
Work with Printer output. Position cursor on the line labeled "Type a menu option
below". Type the option number for Work with Printer Output and then press
ENTER. The next screen will display a list of spooled files (if you have any). These are
files that are ready to print.
System Operations :
An administrator continuously needs to monitor the following on the system.
1. % ASP USAGE OF THE SYSTEM:
To find the percentage of ASP utilized use the following command:
WRKSYSSTS
2. CHECKING ACTIVE JOBS:
Use the following command to check active jobs as well as CPU utilization,
WRKACTJOB
3. CHECKING SUBSYSTEM STATUS:
Use the following command to check all the active subsystems,
WRKSBS
4. TO CHECK THE LOG:
Use the following command to display the log on the system.
DSPLOG
You can use the same command to display the log for a fixed time span.
5. TO CHECK STATUS OF *LIN, *DEV, *CTL :
Use the following commands to find the status of Lines, Devices and Controllers
respectively,
WRKCFGSTS *LIN
WRKCFGSTS *DEV
WRKCFGSTS *CTL
6. CHECKING DISK STATUS :
Use the following command to check the disk status,
WRKDSKSTS
Message Handling :
A message is a means of communication between the system and a user. There are system
messages and user messages. With user messages, users can send their own messages.
System messages and user messages are put in the user's message queue.
Messages may be
a) Informational (No reply needed)
b) Inquiry (Reply needed)
Users can also send messages to each other using the following commands,
1. SNDBRKMSG
2. SNDMSG
Messages may or may not break into your screen depending upon the delivery setting of
the message queue. You can change the message queue with the command
CHGMSGQ MSGQ(QSYSOPR) DLVRY(*BREAK). Messages may have severity codes.
0 Informational, no reply needed
9 Warning, a potential error condition
20 Error, error found, automatic recovery procedures applied, processing
continued
30 Severe error: error too severe for automatic recovery; error is in source
data or program.
40 Severe error; abnormal end of program or function, operation ends.
50 Abnormal end of job or program - the job failed to start
60 System Status - issued only to System Operator Message queue; device,
subsystem or system warning.
70 Device Integrity - issued to System Operator Message queue; device failed.
80 System Integrity - issued to System Operator Message queue; a condition
when subsystem or system cannot function.
99 Manual Action Required
By default every message given to the administrator goes into the QSYSOPR message queue.
The administrator can change this default message queue.
To see the messages of any message queue use the following command,
DSPMSG
To check the system operator's message queue use,
DSPMSG QSYSOPR
Reply List :
The system reply list contains the replies that are automatically sent in response
to inquiry messages. The reply list is only used when an inquiry message is sent
by a job that has the inquiry message reply attribute of the system reply list
specified. Use the following command for this
WRKRPYLE
Managing OUTQ's and SPOOL Files :
All the spool files created by users as well as by the system go into an OUTQ. QPRINT
is the default outq of the system. The administrator can set a default outq for each user
so that the spool files created by that user go to that outq only.
To work with all the outqs use the following command,
WRKOUTQ
To clear an outq use the following command,
CLROUTQ < outq name >
To work with spool files created by a particular user use the following command,
WRKSPLF < user id >
You can do the following activities with a spool file,
1. DELETE
2. HOLD
3. RELEASE
4. CHANGE
5. SAVE
A user can change the outq of a spool file. A spool file is assigned to a printer to
print. A user can print the spool file pagewise as per the requirement.
LIST OF COMMON COMMANDS
1. INZTAP      (Resource Name)     TAP01
               Volume Identifier   Given any name
               Clear               *Yes
               Load Option         *Unload
2. WRKCFGSTS   *dev
               *ctl
               *lin
               *dev *prt
               *dev *dsp
               *dev *prt* (Displays printers whose names start with prt)
3. WRKWTR      Work with Printers
4. WRKSPLF     Work with Spooled Files
5. WRKACTJOB   Shows jobs currently active in the system.
6. WRKSYSACT   Shows which active job occupies how much space
7. WRKSYSSTS   Shows % CPU used, memory capacity, hdd % used
8. WRKSBS      Shows no. of active jobs in each subsystem
9. SNDBRKMSG   Send a message to a user terminal. His screen gets
               interrupted temporarily but his job continues
10. WHO        Gives Work-Station Name
11. DSPMSG     Display messages sent and received by users.
12. DSPLOG     Display log generated by the system
13. SNDMSG     Send a message to a user terminal without any interruption.
14. WRKJOBQ    Display how many jobs are in queue.
Basic OS - System Management (OS/400)
1. Go Assist Option (Operational Assist Menu)
2. Assistance Level: wrkmsg, press F9
   a) Basic Assist Level
   b) Intermediate
   Adv. Assist level available only for some displays.
3. Assistance level can be set for the following CL Commands :
   Display Message                  DSPMSG      Handling Message
   Display System Status            DSPSYSSTS   System Status
   Work with configuration Status   WRKCFGSTS   Handling Device Status
   Work with Messages               WRKMSG      Handling Messages
   Work with spooled files          WRKSPLF     Printer Output
   Work with System Status          WRKSYSSTS   System Status
   Work with User Jobs              WRKUSRJOB   User Job
   Work with User Profiles          WRKUSRPRF   User enrollment
   Work with writers                WRKWTR      Check Printers
4. The "GO" Commands
   (GO *all)
   Go Assist      Goes to Operational Assist Menu
   Go Backup      Goes to backup menu (INZ & SAVE)
   Go cleanup     Goes to cleanup menu (cleanup deletes old job logs, history logs,
                  messages)
   Go DeviceSts   Goes to Config Status Screen
   Go Hardware    Goes to hardware resources menu
   Go file        Allows you to work on files in a system
   Go Library     Library menu allows you to work with libraries
   Go ManageSys   Manage System, Users, Devices (displays what activity is going on
                  in the system)
   Go Power       You can display and change power on-off schedule
   Go Restore     Allows you to restore info from tape or SAVF (Save file) on the
                  system.
   Go runbckup    Specify type of backup you want to run
   Go Setup       Customize System, Users, Devices
   Go Status      Display Status of jobs, devices & system activities
   Go Tape        Use and Control tape devices.
Module :- 4
System Security
System security is an integrated function of the AS/400 system. It is implemented at the
instruction level and controls all AS/400 software functions. Users are
identified and authenticated by a single security mechanism, at the
system level, for all functions and environments available on an AS/400,
including program development and execution, data base applications,
office applications, and so forth. All objects on an AS/400 system are
under security control, including libraries and files, display stations,
operator console functions, programs, menus, and so on.
System Values
The first topic describes the system values that control security on your system.
The security system values are broken into four main groups:
• General system values
• Other system values related to security
• System values that control passwords
• System values that control auditing
General Security System Values
The system values listed below can be changed through the Change System
Value (CHGSYSVAL) command or using the Work with System Values
(WRKSYSVAL *SEC) command. Changes to the system values become effective
immediately, except for the security level (QSECURITY) value, which becomes
effective only after the next IPL.
QALWOBJRST Allow objects that are security-sensitive to be restored to the
system. Specifies whether system state objects or objects that
adopt their owner's authority may be restored to the system.
QALWUSRDMN Allow user domain objects in the libraries. Specifies which libraries
are allowed to contain user domain objects of type *USRSPC,
*USRIDX, and *USRQ. These objects are a potential security
exposure on a system with high security requirements. The system
cannot audit the movement of data to and from user domain
objects. QALWUSRDMN can be left at its default value at security
levels below 40. It must be considered when going to level 40 or
higher.
QCRTAUT Authority for New Objects. This value is used to determine the
public authority of a newly created object, if the following conditions are
met:
- The create authority (CRTAUT) parameter for the library of the
new object is set to *SYSVAL.
- The new object is created with public authority (AUT) of
*LIBCRTAUT (the default).
The default value is *CHANGE. It is recommended that you do
not change this value, because a change may impact your day-to-day
operations. It is better to change the CRTAUT value
at the library level.
QDSPSGNINF Display Signon Information. Specifies that the signon information
display is to be shown. This displays information such as the date of
last signon, invalid signon attempts, and the number of days until
the password expires (if applicable). This information can alert users
that there has been an unauthorized attempt to access the system
using their user profile. For users requiring a value different from the
system value, the DSPSGNINF keyword for an individual user profile
can be set to *YES (to display the information) or *NO (for no information
displayed).
QINACTITV Inactive Job Time-Out Interval. Specifies in minutes how long the
system allows a job to be inactive before taking action. A
workstation is considered to be inactive if it is waiting at a menu or
display, or if it is waiting for some message input with no user
interaction. When you specify a time-out interval, if a job reaches
that interval the system will take the action specified in the
QINACTMSGQ system value. Local jobs that are currently signed on
to a remote system are excluded. PC Support/400 jobs are also
included. An inactive workstation might allow unauthorized persons
access to the system. This system value helps you to prevent users
from leaving workstations inactive. Be sure to discuss the impact of
a change of QINACTITV with the users on the system and inform
them at the time you make the change.
QINACTMSGQ Inactive Job Time-Out Message Queue. The QINACTMSGQ value
specifies either the name of the message queue to which a
notification message is sent, or the action the system takes when
an interactive job has been inactive for a specified interval of time.
The time interval is specified by the system value QINACTITV. There are
considerations for PC Support/400 jobs.
QLMTDEVSSN Limit Device Sessions. Specifies whether a user is prevented from
signing on to more than one device at one time.
QLMTSECOFR Limit Security Officer. Restricts privileged users (with *ALLOBJ or
*SERVICE authority) to specified workstations. A privileged user
who leaves the terminal unattended represents a considerable
security exposure.
QMAXSIGN Maximum Number of Signon Attempts.
Defines the maximum number of invalid signon attempts by local or
remote users. This also works for PC Router signon. Invalid
attempts are any combination of invalid password, invalid user
profile, or inadequate authority to the display station. Once a user
has reached the maximum attempts value, the system will take the
action specified in QMAXSGNACN. The value should be high enough
to allow correction for typing errors but low enough to prevent
opportunities to guess a valid user profile and password. You can
use security auditing to log signon violations. You must create
a query, or you can use Security/400.
QMAXSGNACN Action When Signon Attempts Reached. This system value
determines what the system does when the maximum number of
signon attempts (specified in QMAXSIGN) is reached.
Possible values for QMAXSGNACN are:
• 3: Disable both the user profile and device.
• 1: Disable the device only.
• 2: Disable the user profile only.
With PC Support/400, invalid attempts will only disable the user
profile, but not the device. If you create the message queue
QSYSMSG in QSYS, messages about critical system events are sent
to that message queue as well as to QSYSOPR. You can use the
QSYSMSG message queue to monitor any invalid attempt to sign on
to the system, either by looking at it or by handling it with a program. Refer
to Appendix A, "QSYSMSG Message Queue" on page A-1 for more
details. The events sent to QSYSMSG can also be logged in the audit
journal. If QSECOFR is disabled, and no other user profile has the
authority to enable it, QSECOFR can still sign on from the system
console. If the console is varied off, the system must be IPLed.
QRMTSIGN Remote Signon Control. Specifies how the system handles remote
signon requests.
QSECURITY System Security Level. QSECURITY controls the security level of the
system. AS/400 security offers five levels of security:
• Level 10: There is no user authentication, or resource
protection. No password is required to sign on. The
system is shipped with this value. It should be
changed immediately, preferably to 30. If you wish
to move to a security level above 30, you should first
test your installation on level 30.
• Level 20: Password - User authentication through user profile
and password checking; no resource protection.
• Level 30: Password and Resource - User authentication and
resource protection. Users require authority to access
objects.
• Level 40: Password, Resource and Operating System Integrity
- User authentication, resource protection, and
machine interface protection.
• Level 50: Password, Resource and enhanced Operating System
Integrity - User authentication, resource protection,
and machine interface protection. Security level 50 is
intended for AS/400 systems with high security
requirements and to meet C2 security
requirements.
System Value   IBM Shipped Value   Production System   Domino System
QALWOBJRST     *ALL                *ALL                *ALL
QDSPSGNINF     0                   0                   0
QINACTITV      *NONE               30                  *NONE
QINACTMSGQ     *ENDJOB             *DSCJOB             *ENDJOB
QDSCJOBITV     240                 240                 240
QLMTDEVSSN     0                   0                   0
QLMTSECOFR     1                   0                   0******
QMAXSIGN       3                   5                   10
QMAXSGNACN     3                   2                   1
QRMTSIGN       *FRCSIGNON          *FRCSIGNON          *FRCSIGNON
QCRTAUT        *CHANGE             *CHANGE             *CHANGE
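A CL check of the sign-on values against the Production System column of the table, as an added example that is not part of the training material. The program name CHKSECVAL and the message texts are assumptions; it only reads the values and reports to QSYSOPR.

```cl
/* CHKSECVAL - added example; program name and message texts are      */
/* assumptions. Reports sign-on related system values that differ     */
/* from the "Production System" column of the table.                  */
PGM
   DCL VAR(&SECURITY)  TYPE(*CHAR) LEN(2)
   DCL VAR(&MAXSIGN)   TYPE(*CHAR) LEN(6)
   DCL VAR(&MAXSGNACN) TYPE(*CHAR) LEN(1)
   DCL VAR(&INACTITV)  TYPE(*CHAR) LEN(5)
   DCL VAR(&INACTMSGQ) TYPE(*CHAR) LEN(20)
   DCL VAR(&FOUND)     TYPE(*DEC)  LEN(3 0) VALUE(0)
   DCL VAR(&FOUNDC)    TYPE(*CHAR) LEN(3)

   RTVSYSVAL SYSVAL(QSECURITY)  RTNVAR(&SECURITY)
   RTVSYSVAL SYSVAL(QMAXSIGN)   RTNVAR(&MAXSIGN)
   RTVSYSVAL SYSVAL(QMAXSGNACN) RTNVAR(&MAXSGNACN)
   RTVSYSVAL SYSVAL(QINACTITV)  RTNVAR(&INACTITV)
   RTVSYSVAL SYSVAL(QINACTMSGQ) RTNVAR(&INACTMSGQ)

   /* Levels 10 and 20 give no resource protection.                   */
   IF COND(&SECURITY *LT '30') THEN(DO)
      SNDPGMMSG MSG('QSECURITY is' *BCAT &SECURITY *BCAT +
                '- below level 30, objects are not protected.') +
                TOMSGQ(*SYSOPR)
      CHGVAR VAR(&FOUND) VALUE(&FOUND + 1)
   ENDDO

   /* Without a limit, password guessing is never stopped.            */
   IF COND(&MAXSIGN *EQ '*NOMAX') THEN(DO)
      SNDPGMMSG MSG('QMAXSIGN is *NOMAX - invalid sign-on +
                attempts are not limited.') TOMSGQ(*SYSOPR)
      CHGVAR VAR(&FOUND) VALUE(&FOUND + 1)
   ENDDO

   /* Production baseline: 2 = disable the user profile only.         */
   IF COND(&MAXSGNACN *NE '2') THEN(DO)
      SNDPGMMSG MSG('QMAXSGNACN is' *BCAT &MAXSGNACN *BCAT +
                '- production baseline is 2.') TOMSGQ(*SYSOPR)
      CHGVAR VAR(&FOUND) VALUE(&FOUND + 1)
   ENDDO

   /* *NONE means unattended workstations are never timed out.        */
   IF COND(&INACTITV *EQ '*NONE') THEN(DO)
      SNDPGMMSG MSG('QINACTITV is *NONE - production baseline +
                is 30 minutes.') TOMSGQ(*SYSOPR)
      CHGVAR VAR(&FOUND) VALUE(&FOUND + 1)
   ENDDO

   /* Positions 1-10 hold the queue name or the special value.        */
   IF COND(%SST(&INACTMSGQ 1 10) *NE '*DSCJOB') THEN(DO)
      SNDPGMMSG MSG('QINACTMSGQ is' *BCAT %SST(&INACTMSGQ 1 10) +
                *BCAT '- production baseline is *DSCJOB.') +
                TOMSGQ(*SYSOPR)
      CHGVAR VAR(&FOUND) VALUE(&FOUND + 1)
   ENDDO

   CHGVAR VAR(&FOUNDC) VALUE(&FOUND)
   SNDPGMMSG MSG('CHKSECVAL finished, differences found:' +
             *BCAT &FOUNDC) TOMSGQ(*SYSOPR)
ENDPGM
```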
Other Related System Values
The following system values, while not specifically security-related, affect system
functions when certain security system values are set.
QAUTOVRT Automatic Configuration of Virtual Devices. Specifies whether
display station passthrough virtual devices and TELNET full
screen virtual devices are automatically configured.
QDSCJOBITV Disconnected Job Time-Out Interval. This system value
determines if and when the system ends a disconnected job.
The interval is specified in minutes.
System Values for Passwords
The following values apply to passwords. These values require users to change
their passwords regularly and enforce rules for the creation of new
passwords, which prevents the use of passwords that are trivial or easy to guess.
Whenever you want to change any of these system values, be sure to discuss the
impact with the users on the system. Do remember to inform them when any
change is made. The password composition system values are enforced only when
the password is changed using the Change Password (CHGPWD) command, the
ASSIST menu option to change a password, the QSYCHGPW application program
interface (API), or on signon when a password expires. In addition to the values
below, passwords can be further verified by a password validation program.
QPWDEXPITV Password Expiration Interval Value. This value forces users
to change password every 1 to 366 days, or not at all. The
value must be set according to the company's security
policy. This interval can also be modified for each user
through the user profile password expiration interval
parameter, PWDEXPITV.
QPWDLMTAJC Restrictions of Consecutive Digits in Passwords.
QPWDLMTCHR Restricted Characters for Passwords.
QPWDLMTREP Restriction of Repeated Character in Passwords.
QPWDMAXLEN Maximum Length of Passwords.
QPWDMINLEN Minimum Length of Passwords.
QPWDPOSDIF Position Difference of Characters in Successive Passwords.
QPWDRQDDGT Requirement for Numeric Characters in Passwords.
QPWDRQDDIF Required Difference in Passwords.
QPWDVLDPGM Password Validation Program.
Specifies the name of a validation program.
Auditing System Values
This topic lists the system values that control auditing on your system, with
a description of each.
QAUDCTL Auditing Control.
The QAUDCTL system value determines whether auditing is
performed.
QAUDENDACN Auditing End Action.
The QAUDENDACN system value determines what action the
system takes if auditing is active and the system is unable to
write entries to the audit journal.
QAUDFRCLVL Auditing Force Level.
The QAUDFRCLVL system value determines how often new
audit journal entries are forced from memory to auxiliary
storage (disk). This system value controls the amount of
auditing data that may be lost if the system ends
abnormally.
QAUDLVL Auditing Level.
The QAUDLVL system value determines which security-
related events are logged to the security audit journal
(QAUDJRN).
QCRTOBJAUD Auditing for New Objects.
The QCRTOBJAUD system value is used to determine the
auditing for a new object, if the auditing default for the
library of the new object is set to *SYSVAL.
Authorities : -
In AS/400 terminology, an authority is the permission to access an object. The object
owner and the security officer (or other *ALLOBJ users) can grant or revoke authority to
an object. It is important to understand the difference between authority to an object and
authority to the data in the object. Operations such as moving, renaming, saving, or
deleting apply to the object as such. It is possible to have authority for these operations
without having access to the data stored in the object. Likewise, one can have full access
(read, write, update, delete, execute) to the data in an object without having full
authority to manipulate the whole object.
Structure of authorities.
Authorities
   Private Authorities | Public Authorities
   Special Authorities (8 Nos.) | Specific Authorities
      Object Authorities (6 Nos.) | Data Authorities (5 Nos.)
Special Authorities
All security systems have special user privileges for certain security and system
administration functions. Special authorities allow certain users to administer
AS/400 security and system tasks. There are eight special authorities. These
special authorities are not hierarchical.
*ALLOBJ    All object authority is granted for accessing any system resource
*AUDIT     Allows the user to perform auditing functions
*JOBCTL    Allows manipulation of job and output queues and subsystems
*SAVSYS    Used for saving and restoring the system and data without having
           explicit authority to objects
*SECADM    Allows administration of User Profiles and Office
*SERVICE   Allows access to special service functions for problem diagnosis
*SPLCTL    Allows control of spool functions
*IOSYSCFG  Allows change of system configuration
Specific authorities
Specific authorities are further divided into 2 types.
1. Object Authorities
2. Data Authorities
1. Object Authorities :
There are 6 object authorities used in AS/400. Those are as follows.
a. *OBJOPR ( Object Operational )
b. *OBJEXIST ( Object Existence )
c. *OBJMGT ( Object Management )
d. *OBJALTER ( Object Alteration )
e. *AUTLMGT ( Authorization List Authority )
f. *OBJREF ( Object Reference )
2. Data Authorities :
There are 5 data authorities used in AS/400. Those are as follows.
a. *READ ( Read Data )
b. *ADD ( Add Data )
c. *DLT ( Delete Data )
d. *UPD ( Change Data )
e. *EXECUTE ( Run a Program )
The following authorities are independent (not hierarchical). For some operations a
combination of authorities is required:
*OBJOPR: The object operational authority controls the use of an object and
the capability to look at the description of the object. It is needed to
open a file and therefore usually assigned in combination with the
desired data rights.
*OBJMGT: The object management authority controls the move, rename, and
change attribute functions for the object, and the grant and revoke
authority functions for other users or groups.
*OBJEXIST: The object existence authority controls the delete, save, restore, or
transfer ownership operations of an object.
*AUTLMGT: This authority is needed to manage the contents of an authorization
list associated with the object. This is a specialized security
authorization that is not usually grouped with the other seven
object authorities.
*OBJALTER: This authority is needed to alter the attributes of data base files
and change the attributes of SQL packages.
*OBJREF: This authority is needed to specify a data base file as the first level
in a referential constraint.
*READ: Controls the ability to read data from the object.
*ADD: Controls the ability to insert a new entry (such as a new record in a
file) into the object.
*UPD: Controls the ability to modify existing entries in the object.
*DLT: Controls the ability to remove existing entries (for example,
records) in the object. To delete the whole object requires *OBJEXIST
authority.
*EXECUTE: Controls the ability to run a program, service program, or SQL
package, and to locate an object in a library or a directory.
Some common combinations of authorities have been given special names as an
abbreviated form. For example, *USE is the combination of
*OBJOPR, *READ, and *EXECUTE.
*ALL      Allows unlimited access to the object and its data
*CHANGE   Allows unlimited access to the data in the object
*USE      Allows data in the object to be read
*EXCLUDE  Allows no access to the object or its data
*PUBLIC Authority
Public authority is the default authority for an object. It is used if users do not
have any specific (private) authority to an object, are not on the authorization list
(if one is specified) for the object, or their group(s) has no specific authority to the
object.
Authorization Lists
An authorization list is an important and commonly used security structure. It is
used to authorize a user or a group of users to different types of objects (such as
files or programs) secured by the authorization list. An object may have only one
authorization list associated with it. An authorization list may secure more than
one object. A user can appear on many different authorization lists. Authorization
lists are not affected when objects secured by the authorization list are deleted. If
an object is deleted and then restored to the same system, it is automatically
linked to an existing authorization list for the object. This is an important
advantage of authorization lists.
Adopted Authority
Certain programs or commands called by a user may require a higher level of
authority (for the duration of the command) than is normally available to that
user. Adopted authority provides a means for handling this situation. Adopted
authority allows a user to temporarily gain the authority of the owner of a
program (in addition to the user's own authorities) while that program is running.
This provides a method to give a user additional access to objects, without
requiring direct authority to objects.
Audit Journal
The Security Audit Journal is a facility that allows security-related events to be
logged in a controlled way that cannot be bypassed. The following are some of the
events that may be logged:
• Authorization failures
• Object creations
• Object deletions
• Changes to jobs
• Move or rename of objects
• Changes to system distribution directory or office mail actions
• Obtaining authority from programs which adopt
• System security violations
• Printing actions, both spooled and direct print
• Actions on spooled file data
• Restore operations
• Changes to user profiles, system values or network attributes
• Use of service tools
• System management functions
• Users' access to audited objects
• CL command strings
Information from the audit journal can be extracted into a database file, then
examined by an auditor using a tool such as Query/400 to locate security
violations or exposures.
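One way to switch auditing on and extract sign-on and authorization failures into a database file for review, as an added example that is not part of the training material. AUDLIB, AUDRCV0001 and AUDFAIL are hypothetical names; the QAUDLVL values and the AF and PW entry types are standard OS/400 values chosen here as an assumption about what to audit.

```cl
/* Added example. AUDLIB, AUDRCV0001 and AUDFAIL are hypothetical     */
/* names. Run with a profile that has *AUDIT and *ALLOBJ authority.   */

/* 1. A library for the receivers that ordinary users cannot reach.   */
CRTLIB    LIB(AUDLIB) AUT(*EXCLUDE) TEXT('Security audit data')

/* 2. Journal receiver and the security audit journal (done once).    */
CRTJRNRCV JRNRCV(AUDLIB/AUDRCV0001) AUT(*EXCLUDE) +
          TEXT('Security audit journal receiver')
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDRCV0001) +
          AUT(*EXCLUDE) TEXT('Security audit journal')

/* 3. Select the events, choose the action taken when entries can     */
/*    no longer be written, then activate auditing.                   */
CHGSYSVAL SYSVAL(QAUDLVL)    VALUE('*AUTFAIL *SECURITY *SERVICE')
CHGSYSVAL SYSVAL(QAUDENDACN) VALUE('*NOTIFY')
CHGSYSVAL SYSVAL(QAUDCTL)    VALUE('*AUDLVL')

/* 4. Extract authority failures (AF) and invalid passwords or user   */
/*    IDs (PW) from the audit entries (journal code T) to a file.     */
DSPJRN    JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
          ENTTYP(AF PW) OUTPUT(*OUTFILE) +
          OUTFILE(AUDLIB/AUDFAIL)

/* 5. Review the extracted entries with Query/400.                    */
RUNQRY    QRY(*NONE) QRYFILE((AUDLIB/AUDFAIL))
```

Steps 1 to 3 are a one-time setup; steps 4 and 5 are the recurring review and can be scheduled.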
Authority Holder
An authority holder is an object that specifies and reserves an authority to a
program-described database file before the file is created. When the file is
created, the authority specified in the holder is linked to the file. The authority
holder is for use mainly in the System/36 Environment.
Physical Security
Physical and procedural security controls provide the basis on which other controls
such as software security are built. In addition to physical access control and
output distribution procedures, which are necessary controls in any computing
environment and therefore not mentioned here, the AS/400 has two unique
hardware features, which are important for physical security:
• System Keylock - to enable or disable certain system service functions
• Display Station functions - keylock, and play/record keys
The History Log (QHST)
The history log (QHST) contains a subset of messages that are sent about system
operational events to the system operator message queue. Some messages
relating to system security are written in the system history log. However, this
function is now superseded by support offered by the security audit journal. QHST
should not be used as a source for tracking security-related events as it may have
been in the past.
User Profiles
User Profiles contain information describing a system user, that user's privileges
and limitations when using the system, and lists of objects the user owns or is
authorized to use. For objects owned by a user, the profile also contains lists
of other users' authorizations to those objects.
Group Profiles
A User Profile may be linked to a group profile. This allows all the members of the
group to share common attributes, common access to selected objects, and
common ownership of objects. A user is not required to be a member of a group.
In V3R1 a user may be a member of up to 16 different groups. In earlier releases
the user can only be a member of one group. In addition, only one level of
grouping is permissible. For example, if user profile FRED belongs to group profile
DEPTA, DEPTA cannot belong to another Group Profile. Group profiles are used to
organize users along job functions and to simplify the assignment and
administration of object authorities by authorizing users through a smaller number
of group entries. When designing groups, it is important that the group ownership
concepts are well understood and that good naming conventions are used.
A group profile is implemented as a user profile; that is, it is created just like a
user profile, and when granting authority, the AS/400 does not treat groups any
differently than user profiles. The two uses may be intermixed. For easy
management it is better that user and group profiles be used as separate entities.
One way to enforce this is to set the group profile password to *NONE. This
prevents any sign on to the profile.
Limited Capability
A user may be assigned limited capability. This is done when creating or
changing a user profile. Limited capability, when used with an appropriate
initial program or initial menu, can restrict a user to a desired subset of the
system's functions. Some local programming (or the use of a packaged
application) is necessary to accomplish this. Limited capability (LMTCPB keyword
of CRTUSRPRF or CHGUSRPRF commands) may be set to no, partial, or full. The
selected value will affect initial program, initial menu, current library, the current
attention program (associated with the attention key on the terminal), and access
to general system commands.
User Classes
There are five user classes which are hierarchical in authority. The classes
represent different roles in the DP environment. These are convenient ways to
assign the special authorities listed above to different types of users. A higher
class can perform all the functions of a lower class; for example, *SECOFR
includes the privileges of *SECADM by default. The following are the five user
classes.
*SECOFR  Security Officer
*SECADM  Security Administrator
*PGMR    Programmer
*SYSOPR  System Operator
*USER    End User
The user class also affects what options are shown on the system menus. A user
with higher authorities will see more of the system menu options. A user with less
authorities will only see the menu choices allowed by the user class. A user may
be given any of the special authorities regardless of his user class. Letting the
special authorities be assigned automatically to match the user class is a
convenient way to get started. Special authorities can be assigned specifically, by
the security officer or security administrator, when one of the standard user
classes does not have the desired combination of authorities.
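The group profile, limited capability, authorization list, *PUBLIC and adopted authority concepts above, combined in one setup as an added example that is not part of the training material. FRED and DEPTA are the profiles named in the text; PAYLIB, PAYMAST, PAYUPD, PAYMENU, PAYAUTL and PAYOWNER are hypothetical names.

```cl
/* Added example; PAYLIB, PAYMAST, PAYUPD, PAYMENU, PAYAUTL and       */
/* PAYOWNER are hypothetical names. FRED and DEPTA come from the text.*/

/* Group profile: PASSWORD(*NONE) prevents any sign-on to it.         */
CRTUSRPRF USRPRF(DEPTA) PASSWORD(*NONE) USRCLS(*USER) +
          TEXT('Group profile, department A')

/* Member: end-user class, special authorities taken from the class,  */
/* limited capability with a fixed initial menu. The profile cannot   */
/* sign on until the security administrator assigns a password.       */
CRTUSRPRF USRPRF(FRED) PASSWORD(*NONE) USRCLS(*USER) +
          SPCAUT(*USRCLS) GRPPRF(DEPTA) LMTCPB(*YES) +
          INLPGM(*NONE) INLMNU(PAYLIB/PAYMENU) ATNPGM(*NONE)

/* Authorization list: the public is excluded, the group may read.    */
CRTAUTL   AUTL(PAYAUTL) AUT(*EXCLUDE) TEXT('Payroll master access')
ADDAUTLE  AUTL(PAYAUTL) USER(DEPTA) AUT(*USE)

/* Secure the file with the list and let *PUBLIC come from the list.  */
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* The group needs *USE on the library to locate objects in it.       */
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(DEPTA) AUT(*USE)

/* Updates go through one program that adopts its owner's authority,  */
/* so DEPTA members never hold *CHANGE on the file themselves.        */
CRTUSRPRF USRPRF(PAYOWNER) PASSWORD(*NONE) USRCLS(*USER) +
          TEXT('Owner of adopting payroll programs')
GRTOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(PAYOWNER) +
          AUT(*CHANGE)
CHGOBJOWN OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) NEWOWN(PAYOWNER)
CHGPGM    PGM(PAYLIB/PAYUPD) USRPRF(*OWNER)
GRTOBJAUT OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) USER(*PUBLIC) +
          AUT(*EXCLUDE)
GRTOBJAUT OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) USER(DEPTA) AUT(*USE)

/* Review what was granted.                                           */
DSPAUTL   AUTL(PAYAUTL)
DSPOBJAUT OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE)
DSPOBJAUT OBJ(PAYLIB/PAYUPD)  OBJTYPE(*PGM)
```

Because the owner of an adopting program lends its authority to every caller, keep that owner's authorities as narrow as the program needs and review who holds *USE on the program.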
Module :- 5
Backup And Restoration
IBM iSeries and AS/400e servers offer a wide range of recovery and availability options.
Your hardware or software includes some of the options. Others are ordered separately.
They are intended to help you do the following:
1. Make your save operations faster and more efficient.
2. Keep your system available for your users.
3. Plan and manage your backup and recovery.
Your Operating System/400 (OS/400) licensed program includes menus and commands
for save and restore. You can use the save operations and restore operations on the
system to do the following:
1. Recover from a program or system failure.
2. Exchange information between servers.
3. Store infrequently used objects offline.
You can use commands and menu options to save individual objects and groups of
objects. You can use some save and restore operations while your system is active. Other
save and restore operations require that no other activity is occurring on the system. You
can save and restore objects by using diskette, magnetic tape, optical media, or a save
file. You can also use communications capabilities or an optical connection to save and
restore objects with another system. If your system is busy most of the time, you can
use the save-while-active function to reduce the time period that the system is
unavailable while you are performing save operations.
Backup Recovery and Media Services for iSeries - Overview
The Backup Recovery and Media Services for iSeries (BRMS/400) licensed program
offers a set of functions for defining and performing these tasks:
1. Backup
2. Recovery
3. Archiving
4. Retrieval
5. Media management
Starting with V5R1, Backup Recovery and Media Services provides a graphical user
interface for backup and recovery that is integrated into iSeries Navigator. You can use
Backup Recovery and Media Services to simplify and automate your backups and to
manage your media. Backup Recovery and Media Services keeps track of what you have
saved, when you saved it, and where it is saved. When you need to do a recovery,
Backup Recovery and Media Services helps ensure that the correct information is
restored from the correct tapes in the correct sequence.
Tivoli Storage Manager - Overview
You can use Tivoli Storage Manager to protect data on your workstations and LAN file
servers. The Tivoli Storage Manager can automatically back up critical LAN and
workstation data and archive files that are used infrequently. It provides a disaster
recovery solution for LANs and workstations. Administer the Tivoli Storage Manager from
a client workstation that is attached to an iSeries server. It can back up data from a
variety of workstation platforms. You can use the Backup Recovery and Media Services
(BRMS/400) program to back up user data to any Tivoli Storage Manager
server in a client/server environment. You can use Backup Recovery and Media Services
for iSeries to manage the data that you save on the Tivoli Storage Manager and to
manage the backup of the system data to local media.
Save your server with the GO SAVE command
Use the GO SAVE menu to take the backup on your AS/400.
Overview of the GO SAVE command menu options :
Access the GO SAVE command menu by typing GO SAVE from any command line. From
the Save menu, you see option 21, option 22, and option 23 along with many more save
options. A single plus sign (+) indicates that the option places your server into a
restricted state, which means that nothing else can be running on your system when the
menu option is selected. A double plus sign (++) indicates that your server must be in a
restricted state before you can run this option.
Save Menu - First Display
Page down on the Save menu to see additional options:
Save Menu - Second Display
Page down on the Save menu to see additional options:
Save Menu - Third Display
Save menu defaults with GO SAVE: Option 20
You can use save menu option 20 to change the default values for the GO SAVE
command, menu options 21, 22, and 23. This option simplifies the task of setting your
save parameters and helps to ensure that operators use the options that are best for
your system. In order to change the defaults, you must have *CHANGE authority for both
the QUSRSYS library and the QSRDFLTS data area in the QUSRSYS library. When you
enter the GO SAVE command, then select menu option 20, the server displays the default
parameter values for menu options 21, 22, and 23. If this is the first time you have used
option 20 from the Save menu, the server displays the IBM-supplied default parameter
values. You can change any or all of the parameter values to suit your needs. For
example, you can specify additional tape devices or change the message queue delivery
default. The server saves the new default values in data area QSRDFLTS in library
QUSRSYS. The server creates the QSRDFLTS data area only after you change the
IBM-supplied default values. Once you define new values, you no longer need to worry
about which, if any, options to change on subsequent save operations. You can simply
review your new default options and then press Enter to start the save with the new
default parameters.
If you have multiple, distributed servers with the same save parameters on each server,
this option provides an additional benefit. You can simply define the parameters from the
Save menu, using option 20 on one server. Then, save the QSRDFLTS data area,
distribute the saved data area to the other servers, and restore it.
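One way to carry out the save-and-distribute step for the QSRDFLTS data area is through a save file. The CL program below is an added example, not part of the original training material; the save file name QGPL/SRDFLTS and the message text are assumptions.

```cl
/* Added example (constructed): package the GO SAVE option 20 defaults  */
/* for distribution. Save file QGPL/SRDFLTS is an assumed name.         */
PGM
    /* QSRDFLTS exists only after the IBM-supplied defaults have been   */
    /* changed, so stop early on a server that still uses them.         */
    CHKOBJ     OBJ(QUSRSYS/QSRDFLTS) OBJTYPE(*DTAARA)
    MONMSG     MSGID(CPF9801) EXEC(DO)
        SNDPGMMSG  MSG('QSRDFLTS not found: option 20 defaults +
                        were never changed on this server')
        RETURN
    ENDDO

    /* Create the save file on first use, then empty it.                */
    CHKOBJ     OBJ(QGPL/SRDFLTS) OBJTYPE(*FILE)
    MONMSG     MSGID(CPF9801) EXEC(CRTSAVF FILE(QGPL/SRDFLTS) +
                 TEXT('GO SAVE option 20 defaults'))
    CLRSAVF    FILE(QGPL/SRDFLTS)

    /* Save only the data area that holds the defaults.                 */
    SAVOBJ     OBJ(QSRDFLTS) LIB(QUSRSYS) DEV(*SAVF) +
                 OBJTYPE(*DTAARA) SAVF(QGPL/SRDFLTS)

    /* Print who holds authority to the data area: *CHANGE authority to */
    /* QUSRSYS and to this data area is what allows a user to alter the */
    /* save defaults.                                                   */
    DSPOBJAUT  OBJ(QUSRSYS/QSRDFLTS) OBJTYPE(*DTAARA) OUTPUT(*PRINT)
ENDPGM

/* On each receiving server, after the save file has been transferred: */
/*   RSTOBJ OBJ(QSRDFLTS) SAVLIB(QUSRSYS) DEV(*SAVF) +                 */
/*          OBJTYPE(*DTAARA) SAVF(QGPL/SRDFLTS)                        */
```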
Save your whole server with GO SAVE: Option 21
Option 21 saves everything on your server and allows you to perform the save while you
are not there. Option 21 does not save spooled files. Option 21 saves all of your data for
additional licensed programs, such as Domino or Integration for Windows Server when
you select to vary off your network servers. Also, if you have Linux installed on a
secondary logical partition, you can back up that partition when you select to vary off
your network servers. Option 21 puts your server into a restricted state. This means that
when the save begins, no users can access your server and the backup is the only thing
that is running on your server. It is best to run this option overnight for a small server or
during the weekend for larger servers. If you schedule an unattended save, make sure
your server is in a secure location; after you schedule the save, you will not be able to use
the workstation where the backup is initiated until the save is complete.
1 The command omits QSYS.LIB file system because the SAVSYS command and the
SAVLIB LIB(*NONSYS) command both save it. The command omits the QDLS file system
because the SAVDLO command saves
Save system data with GO SAVE: Option 22
Option 22 saves only your system data. It does not save any user data. Option 22 puts
your server into a restricted state. This means that no users can access your server, and
the backup is the only thing that is running on your server.
Save user data with GO SAVE: Option 23
Option 23 saves all user data. This information includes files, records, and other data that
your users supply into your server. Option 23 puts your server into a restricted state.
This means that no users can access your server, and the backup is the only thing that is
running on your server.
1 Menu option 23 omits the QSYS.LIB file system because the SAVSYS command, the
SAVSECDTA command, the SAVCFG command, and the SAVLIB LIB(*ALLUSR) command
save it. The command omits the QDLS file system because the SAVDLO command saves
it.
Menu option 23 also omits the /QIBM and /QOpenSys/QIBM directories because these
directories contain IBM supplied objects.
Save parts of your server with other GO SAVE command menu options
You may perform the following GO SAVE command menu options.
Save Security Data (SAVSECDTA)
The Save Security Data (SAVSECDTA) command saves all security information without
requiring a system in a restricted state. The SAVSECDTA command saves the same
security information that is saved when a SAVSYS command is run including the
following:
User Profiles
Authorization Lists
Authority Holders
Information saved with the SAVSYS or SAVSECDTA command can be restored using the
RSTUSRPRF and RSTAUT commands, but a dedicated System is required.
Save Configuration Data (SAVCFG)
The Save Configuration (SAVCFG) command saves all configuration and system
resource management (SRM) objects without requiring a system in a restricted
state. The information saved includes the following:
Line descriptions
Controller descriptions
Device descriptions
Class-of-Service description
Network interface description
Network server description
Configuration lists
Hardware resource data
Connection lists
Mode description
NetBIOS descriptions
Save Changed Objects:
The Save Changed Object (SAVCHGOBJ) command saves a copy of each changed object
or group of objects located in the same library. When *ALL is specified on the Objects
prompt (OBJ parameter), objects can be saved from all user libraries or from up to 300
specified libraries. When saving to a save file, only one library can be specified.
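Because SAVSECDTA and SAVCFG do not require a restricted state, they can run in a routine job together with SAVCHGOBJ. The CL program below is an added example, not part of the original training material; the device parameter, the choice of LIB(*ALLUSR) and the operator message are assumptions.

```cl
/* Added example (constructed): routine save that needs no restricted   */
/* state. &DEV is the tape device name passed by the caller.            */
PGM        PARM(&DEV)
    DCL        VAR(&DEV)    TYPE(*CHAR) LEN(10)
    DCL        VAR(&FAILED) TYPE(*LGL)  VALUE('0')

    /* User profiles, authorization lists and authority holders.        */
    SAVSECDTA  DEV(&DEV) ENDOPT(*LEAVE)
    MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&FAILED) VALUE('1'))

    /* Configuration and SRM objects.                                   */
    SAVCFG     DEV(&DEV) ENDOPT(*LEAVE)
    MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&FAILED) VALUE('1'))

    /* Changed objects in all user libraries. Objects held by running   */
    /* jobs may not be saved.                                           */
    SAVCHGOBJ  OBJ(*ALL) LIB(*ALLUSR) DEV(&DEV) ENDOPT(*UNLOAD)
    MONMSG     MSGID(CPF0000) EXEC(CHGVAR VAR(&FAILED) VALUE('1'))

    /* Tell the operator when any step did not complete, so a partial   */
    /* save is not mistaken for a good one.                             */
    IF         COND(&FAILED) THEN(SNDMSG +
                 MSG('Routine save incomplete, check the job log') +
                 TOMSGQ(QSYSOPR))
ENDPGM
```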
Overview of the GO RESTORE command menu options :
Figure below shows the menu options and commands that are available for restoring
information. It also shows the normal sequence for restoring information, working from
top to bottom.
Save procedures and restore procedures for file systems
Relationship Between Save and Restore Commands
Restoring User Profiles :
1. Sign on as QSECOFR.
2. Ensure the system is in a restricted state.
3. Find the most recent save media that has your user profiles. It may be a
SAVSYS media volume or a SAVSECDTA media volume. The file on the save media
volume is called QFILEUPR.
4. If you are using a SAVSYS media volume, type:
RSTUSRPRF DEV(media-device-name) USRPRF(*ALL) ENDOPT(*LEAVE)
If you are using a SAVSECDTA media volume, type:
RSTUSRPRF DEV(media-device-name) USRPRF(*ALL) ENDOPT(*UNLOAD)
Restoring the Configuration
1. Find the most recent save media that has your configuration. It may be a SAVSYS
media volume or a SAVCFG media volume. The file on the save media volume is
called QFILEIOC.
2. If you are using a SAVSYS media volume, type:
RSTCFG OBJ(*ALL) DEV(media-device-name) OBJTYPE(*ALL) ENDOPT(*LEAVE)
If you are using a SAVCFG media volume, type:
RSTCFG OBJ(*ALL) DEV(media-device-name) OBJTYPE(*ALL) ENDOPT(*UNLOAD)
Restoring Document Library Objects
1. Find your most recent save media volume that you used to save all of the
documents in the system ASP. You may have specified ASP(1) or ASP(*ANY)
for the save operation. The media volume should have the library QDOC on it.
2. Use the following command to restore the DLOs:
RSTDLO DLO(*ALL) FLR(*ANY) ASP(1)
Restoring Libraries
Restoring entire libraries is a common way to recover user information. Use the
Restore Library (RSTLIB) command to restore a single saved library or a group of
libraries. The RSTLIB command restores the entire library, including the library
description, object descriptions (only descriptions are restored for logical files, job
queues, message queues, output queues, user queues, and data queues), and the
contents of other objects. This command also restores status information for
programming temporary fixes (PTFs) that were in the library at the time the
library was saved. When you use the RSTLIB command, you can use the OPTION
parameter to specify which objects in a library are restored:
Possible Values for the OPTION Parameter of the RSTLIB Command:
*ALL    Old objects are replaced and new objects are added to a library.
        *ALL is the default.
*OLD    Only old objects that already exist on the system are replaced in a
        library.
*NEW    Only objects not found on the system are added to a library. The
        old objects are not replaced.
*FREE   Only those objects that have their storage freed on the system are
        restored.
Restoring a Library From a Previous Release
When you are restoring a library that was saved on a system at an earlier release,
you can use the Force object conversion (FRCOBJCVN) parameter to specify
whether programs are translated when they are restored. This can significantly
impact the time it takes to restore the library.
Restoring Multiple Libraries
You can use the RSTLIB command to restore libraries in these groups:
*NONSYS All libraries that were saved with SAVLIB LIB(*NONSYS) command,
        including the IBM-supplied libraries QGPL, QUSRSYS, and licensed
        program libraries.
*ALLUSR All user libraries that were saved with SAVLIB LIB(*ALLUSR) or
        SAVLIB LIB(*NONSYS).
*IBM    All IBM-supplied libraries that were saved with SAVLIB LIB(*IBM)
        or SAVLIB(*NONSYS). Only IBM-supplied libraries that contain IBM
        objects are restored.
Methods for Restoring All Libraries - Multiple Save Operations