Feb 22 2016

AS400 Mass Object Owner Change

Published by under AS400

Change Owner Through IBM i Terminal

There are many ways to change an object owner on IBM i: use CHGOBJOWN for a single object, or WRKOBJOWN and then press 9 for each object if you want to start with all objects belonging to somebody.
Changing ownership of thousands of objects this way will be very painful and time consuming!
 
Specialised websites like itjungle suggest quicker ways like:

CHGOWN OBJ('/qsys.lib/mylib.lib/*.*') NEWOWN(new_owner) RVKOLDAUT(*YES)

which is a good way to change the owner of all objects within the same library.
 
But there are more powerful options if you’re not against using QSHELL or PASE (run QSH or CALL QP2TERM), or connecting with SSH.


Advanced Ownership Commands in QSH/PASE

You can move into the library’s directory with cd. Always append .LIB to your library name:

cd /QSYS.LIB/MYLIB.LIB

 
You can easily count the number of objects:

$ ls -1 | wc -l
    6228

 
Display the owner of every object with ls, piped to more to show one page at a time (this can be slow if there are loads of objects):

$ ls -l | more
total 190672
drwx---rwx    2 owner    0             28672 Jan  5 10:37 $BUL100.FILE
drwx---rwx    2 owner    0             20480 Jan  5 10:37 $BUL200.FILE
[...]

 
Changing the owner of all objects is as easy as:

chown new_owner *.*

You can also be more specific with *.FILE or MY_*.PGM.
 
And this is where it gets interesting. You can change all objects that have no owner:

find . -nouser | xargs chown newowner

Use with care, read on…
 
You can also change all objects belonging to somebody in particular:

find . -user oldowner | xargs chown newowner

These commands can save you a lot of time!


AS400 Username Length and Other Tips

find will also search in subdirectories.
 
You may get an unknown username error:

$ chown lgusername AABL01WC.PGM
chown: lgusername is an unknown username.

If the username is longer than 8 characters, you need to look up the user ID in the user's profile and use that number instead:

$ chown 1073 AABL01WC.PGM

See that note from IBM. You’re better off setting all usernames with 8 characters or less in iSeries.
 
Knowing the username length problem, the command “find . -nouser” will also return files/objects belonging to 9 or 10 character long profiles! Shame IBM didn’t set the username max length to 10 as well in PASE.
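One way to act on that caveat before running a bulk chown, as an added example that is not part of the original post: group the matches by numeric UID first, then re-own one UID at a time with a dry run and a log. The function names and the log path are hypothetical, and it assumes find in PASE accepts a numeric UID for -user, as POSIX specifies.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Summarise find matches by numeric owner UID, one "<count> <uid>" per line.
# With -nouser, every UID listed is either truly orphaned or belongs to a
# profile whose 9-10 character name PASE cannot resolve.
owner_uid_summary() {
    dir=$1; shift
    find "$dir" "$@" -exec ls -ldn {} \; | awk '{print $3}' |
        sort -n | uniq -c | awk '{print $1, $2}'
}

# Re-own only the objects held by one numeric UID. On a real run the previous
# UID and the path are appended to a log, so the change can be reviewed or
# undone. DRY_RUN=1 reports what would change without calling chown.
chown_by_uid() {
    dir=$1 old_uid=$2 new_owner=$3 log=$4
    find "$dir" -user "$old_uid" -print | while IFS= read -r obj; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would chown $new_owner $obj"
        else
            printf '%s\t%s\n' "$old_uid" "$obj" >> "$log"
            chown "$new_owner" "$obj"
        fi
    done
}

# Typical sequence (1073 is the UID used earlier on this page):
#   owner_uid_summary /QSYS.LIB/MYLIB.LIB -nouser
#   DRY_RUN=1 chown_by_uid /QSYS.LIB/MYLIB.LIB 1073 new_owner /tmp/chown.log
```

Any UID in the summary that matches a long-named profile is not orphaned and should be left out of the change.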
 
One last piece of advice: connect via SSH for a bigger terminal window.

 


Feb 18 2016

SSH, Default Shell and Command History on AS400

Published by under AS400,SSH

QSHELL and PASE on IBM i are nice tools but remain quite limited with the fixed size 5250 window with no scroll bars. Let’s see how to make it better with a secure SSH connection and a few tricks.
 

Launch SSH Daemon

Assuming SSH is installed on your AS400, i.e. 5733SC1 (OpenSSH, OpenSSL, zlib) in LICPGM, you can start the SSH daemon with this command:

STRTCPSVR SERVER(*SSHD)

 
There is no autostart option for the SSH TCP server.
I ended up adding the above command to the QSTRUP program so it starts automatically upon IPL. From now on, you can connect to your AS400 with PuTTY, which you can download for free.
 

SSH Default Shell

The default shell on AS400 is bsh which is quite limited, and uncommon on other operating systems. It can be changed in the sshd_config file (located in /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc), adding

#ibm pase for IBM i shell
ibmpaseforishell /QOpenSys/usr/bin/ksh

as mentioned on the IBM website.
 
ksh is also nice to have so you can have command history in your terminal.
 

Command History

Once ksh is the default shell, you can configure arrow keys to move within command history. No need to type the commands over and over!

In the user homedir, create a .profile file, which will be loaded every time you ssh to the AS400:

if [[ $SHELL = "/QOpenSys/usr/bin/ksh" ]]; then
  set -o emacs
  alias __A=`echo "\020"`     # up arrow = ^p = back a command
  alias __B=`echo "\016"`     # down arrow = ^n = down a command
  alias __C=`echo "\006"`     # right arrow = ^f = forward a character
  alias __D=`echo "\002"`     # left arrow = ^b = back a character
  alias __H=`echo "\001"`     # home = ^a = start of line
  alias __Y=`echo "\005"`     # end = ^e = end of line
fi


Now restart the SSH daemon the same way you started it, and reconnect.
On the 1st line, we check the shell is ksh since the previous changes apply to SSH connections only. The .profile is also loaded in QSH and PASE (QP2TERM), which don’t run ksh by default.
 
Connecting with PuTTY is far more convenient than calling QP2TERM in the 5250 fixed size window!
You can even do the same with bash if it has been installed on your system. Hint: install 5733OPS Option 3; gcc comes along with bash, perl or even rpm on post-installation.

 


Oct 09 2015

Exchange Default Retention Policy Does Not Apply

Published by under Exchange

You have configured a retention policy in Exchange EAC (Exchange Admin Center) or with PowerShell that is supposed to clean up your deleted items, for instance. But it does not apply to your mailboxes: nothing gets deleted.
 
As suggested by Microsoft, the default policy is applied when you create an archive for the mailbox. But you’re out of luck: the archive feature in Exchange 2010 and 2013 requires an enterprise Client Access License (CAL) or a Microsoft Office Professional Plus product, and you did not subscribe to that option because you could not afford it.
 
All is not lost!
You’re still able to create your own retention policy that you can apply to all of your mailboxes quite easily.
To do so, navigate to:
– Compliance Management
– Retention Tags and then
– Retention Policy, to create your own rules.

You can then apply the new policy, directly into your mailbox properties.
To avoid spending extra time on this or forgetting some mailboxes, you can automate the whole process in a PowerShell script. You can then schedule the script to run every weekend if you wish.
 

# Load the Exchange cmdlets when running outside the Exchange Management Shell
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Assign the retention policy to every user mailbox and shared mailbox
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited |
Set-Mailbox -RetentionPolicy "My Retention Policy"

Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize unlimited |
Set-Mailbox -RetentionPolicy "My Retention Policy"

# Optional: process the same mailboxes immediately
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize unlimited |
Start-ManagedFolderAssistant

Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize unlimited |
Start-ManagedFolderAssistant

 
The last command “Start-ManagedFolderAssistant” is not mandatory, but it lets you process mailboxes immediately.

 


Sep 27 2015

Language Version Mismatch Upgrading IBM Client Access

Published by under AS400

IBM i Client Access – also called Client Access for iSeries – is the traditional Windows heavy client used to connect to AS400 platforms. While upgrading Client Access, I get a language version mismatch error from time to time.
 

Language version mismatch

The primary language version Mri2924 that is currently installed does not match the language version MRI2924 to which you are trying to upgrade. The upgrade cannot continue. To change the language to MRI2924, remove the product and restart the install.


 
IBM recommends on its website removing the software and reinstalling it. But the case of the language version needs to be fixed beforehand. As shown in the “Language version mismatch” error message, it needs to be in uppercase.
This should be changed in the registry to match the new name. Either do it manually or with the following command lines (MRI2924 is for English, replace with your own version) in a DOS command prompt. The location in the registry is different for 32-bit and 64-bit clients.
 

@echo off
SETLOCAL ENABLEDELAYEDEXPANSION

REM MRI2928 is the language version written below; replace it with your own
REM (MRI2924 for English). Each for and reg add command must stay on one line.

REM 32/64 bits client access install
set v=0

for /f "usebackq tokens=* delims= " %%I in (`reg query "HKLM\SOFTWARE\IBM\Client Access\CurrentVersion" /v version ^| findstr "REG_SZ"`) do (for /f "tokens=3" %%i in ("%%I") do set v="%%i")

if %v% == "5" reg add "HKLM\SOFTWARE\IBM\Client Access\CurrentVersion" /v SourceInstallMRI /t REG_SZ /d MRI2928 /f

REM 32 bits install on 64 bits Windows OS
set v=0

for /f "usebackq tokens=* delims= " %%I in (`reg query "HKLM\SOFTWARE\Wow6432Node\IBM\Client Access\CurrentVersion" /v version ^| findstr "REG_SZ"`) do (for /f "tokens=3" %%i in ("%%I") do set v="%%i")

if %v% == "5" reg add "HKLM\SOFTWARE\Wow6432Node\IBM\Client Access\CurrentVersion" /v SourceInstallMRI /t REG_SZ /d MRI2928 /f
 


Sep 13 2015

Apache Reverse Proxy 503 Permission Denied

Published by under Apache,Linux

Apache configured as a reverse proxy forwards requests to a web backend. But your browser throws an enigmatic 503 error: “Service temporarily unavailable”.

503 Service Temporarily Unavailable on Apache


The first thing I do is look at the http logs in /var/log/httpd/ssl_error_log, where I am getting a permission issue:
(13)Permission denied: proxy: HTTP: attempt to connect to 192.168.1.250:8080 (*) failed

You may also get this error in the logs:
AH01114: HTTP: failed to make connection to backend

If SELinux is enabled on your system, it is most likely the root cause of your problem. SELinux prevents Apache from initiating connections to the outside. You can check by temporarily turning off SELinux in /etc/selinux/config. A reboot is required.

If confirmed, turn it back on to keep a higher security level, and add this rule exception:

$ sudo setsebool -P httpd_can_network_connect 1


This variable allows HTTPD processes and modules to connect to the network. There are other boolean variables adding restrictions to HTTPD. To get a list of them, run getsebool -a | grep httpd.
You will find some interesting variables in that list such as:
– httpd_can_network_connect_db (default off)
– httpd_enable_ftp_server (default off)
– httpd_enable_cgi (default on)
etc…

The -P switch makes the change persistent across reboots. You may need to restart Apache:

$ sudo systemctl restart httpd

This error is known and documented on the Apache website.
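The permission error above can also be confirmed from the SELinux audit records, which show each connection httpd was denied. This is an added example, not part of the original post: the log lines are constructed samples in audit.log AVC format and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. The log lines are constructed
# samples in audit.log AVC format; function names are hypothetical.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1442131200.101:311): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1442131201.422:312): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=6721 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1442131207.009:315): avc:  denied  { name_connect } for  pid=2104 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1442131210.730:316): avc:  denied  { name_connect } for  pid=977 comm="vsftpd" dest=3306 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Read audit records on stdin; print "<port> <count>" for every destination
# port that a process in the httpd_t domain was denied a connection to.
httpd_connect_denials() {
    grep 'avc: *denied' | grep '{ name_connect }' |
        grep 'scontext=[^ ]*:httpd_t:' |
        sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' |
        sort -n | uniq -c | awk '{print $2, $1}'
}

# Succeeds when the given backend port shows up among those denials.
selinux_blocked_backend() {
    httpd_connect_denials |
        awk -v port="$1" '$1 == port {hit = 1} END {exit !hit}'
}
```

On a live system, run `httpd_connect_denials < /var/log/audit/audit.log` as root and compare the result with `getsebool httpd_can_network_connect`.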

 
