IBM eServer iSeries Migration: A Guide to
Contents
1. Figure 6 51 Select a Certificate Authority window Chapter 6 Tape data encryption in i5 OS V5R4 173 3 In the Create Certificate window select 1024 for the Key size and enter the certificate key label You can choose the name yourself but make sure that you specify the same label as the alias1 key label in the EKM configuration file Complete the other fields and click Continue Figure 6 52 Digital Certificate Manager Create Certificate Certificate type Server or client Certificate store EKM KEYSTORE_I KDB Selecta Certificate Store z k i Use this form to create a certificate in the certificate store listed above Expand All Key size 1024 imi bits gt Fast Path Certificate label keylabel_certreq_1 required m Create Certificate n Create New Certificate Store Certificate Information Install Local CA Certificate on Your PC Common name EKMCertificate required gt Manage Certificates Organization unit b Manaze Certificate Store Organization name MyCompany required pinsapo CRL IE Locality or city State or province MyCity required minimum of 3 characters 5 Manage PRIN Request Location Country or region US required Retum to i5 0S Tasks Figure 6 52 Creating a certificate 4 In the next window the certificate request is displayed Figure 6 53 Copy the request data including the BEGIN and the END REQUEST lines and paste them into the2. Figure 6 18 Creating self signed key Chapter 6 Tape data encryption in i5 OS V5R4 151 2 The Create New Self Signed Certificate window Figure 6 19 opens Specify a Key Label of your choice but make sure that it does not contain any blanks Select X509 V3 from the Version menu and 1024 from the Key Size menu The Common Name field defaults to the computer name but you can change it Specify a value in the Organization field Verify the Country or region and Validity Period fields All other fields are optional Click OK fit Create New Self Signed Certificate Please provide the following Key Label keylabel_selfsigned_1 Version x509 V3 v Key Size 1024 v Common Name admin w6xapirqs Organization MyCompa ny Organization Unit optional Locality optional State Province optional Zipcode optional Country or region US v Validity Period 365 Days OK Reset Cancel Figure 6 19 Creating self signed key window 3 The key labels for the keys you create are displayed in the IBM Key Management window In this example we created two keys as shown in Figure 6 20 fe IBM Key Management C EKM keystore_x jck Key Database File Create View Help OSH R Key database information DB Type JCEKS database file FileName C EKM keystore_xjck Token Label Key database co
3. Location CAlmported Keystore Cancel Figure 6 26 Export Import Key dialog box 156 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 3 Authenticate to the keystore from which you want to import the keys by entering the password Figure 6 27 Click OK Password Prompt x Password to open the source key database OK Clear Cancel Figure 6 27 Password Prompt 4 The Select from Key Label List window Figure 6 28 opens listing the key labels for all of the keys stored in the keystore Select the key labels you want to import and click OK Select from Key Label List of C Imported Keystore keystore jck Please select keys from the following key list of the source key database OK verisign class 1 public primary certification authority g3 verisign class 4 public primary certification authority g3 verisign class 1 public primary certification authority g2 verisign class 4 public primary certification authority g2 jverisign class 2 public primary certification authority entrust net global client certification authority rsa secure server certification authority verisign class 2 public primary certification authority g3 verisign class 2 public primary certification authority g2 verisign class 3 secure server ca verisign class 3 public primary certification authority verisign class 1 ca individual subscribe
4. 100 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 4 2 4 Neoware Connection Manager Figure 4 7 shows the GUI screen for the configuration of the keyboard and the monitor Use Ctrl Alt End to switch from the 5250 screen to the configuration screen To go back to the 5250 screen double click the 5250 Console connection ezConnect Neoware Connection Manager Connection Settings Help Eannect Erid Edit Delete Cay mic Connection Name ol Ready Ls Figure 4 7 GUI configuration screen Chapter 4 System i5 consoles in i5 OS V5R4 101 4 2 5 Physical installation and cabling On the System i5 server side you do not have to install any hardware The Thin Console connects directly to one of the HMC ports of the Service Processor SP instead of connecting to an IOA card Perform the following tasks to install the Thin Console 1 Verify the hardware that came with your order It must contain the Neoware c50 thin client a keyboard a mouse and a power cable and optionally a display 2 Connect the display keyboard mouse power cable and Ethernet cable to the ports on the Thin Console Figure 4 8 IPHAHS80 1 Figure 4 8 Thin Console back view 3 Plug in the monitor and power it on 4 Plug in the Thin Console It automatically powers on It boots from the pre installed Linux software image you do not have to install any software 5 Select the keyboard
5. Server Information IP 192 168 3 147 Type Model 9405 520 Serial LOESOCC State FFFF Server state is unknown Reference code Connection status 20 00 of 100 Server found Figure 4 12 Thin Console connection status 20 nn 104 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Figure 4 13 shows Thin Console connection status 40 nn Server Information IP 192 168 3 147 Type Model 9405 520 Serial 1LOE80CC State OOOF Server firmware ready Reference code Connection status 40 01 of 100 Server firmware is ready to communicate Figure 4 13 Thin Console connection status 40 nn Figure 4 14 shows Thin Console connection status 60 nn Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State OOOF Server firmware ready Reference code Connection status 60 01 of 100 Requesting console access Figure 4 14 Thin Console connection status 60 nn 10 When the connection to the server is completed the Thin Console 5250 session behaves like any other 5250 console Figure 4 15 Dedicated Service Tools DST Sign On System S1LOE80CC ATTENTION This device can become the console Type choices press Enter Service tools user Service tools password Figure 4 15 DST Sign On screen Chapter 4 System i5 consoles in i5 OS V5R4 105 11 When you power down the system or IPL the FSP port remains powere
6. Upgrade load source utility Rebuild disk unit data Reclaim IOP cache storage wrmrrxa nuh WNE rerep WwnrF Oo More Selection F3 Exit F11 Display disk configuration status F12 Cancel Figure 3 19 The Work with Disk Unit Recovery screen 72 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 10 In the Disk Unit Problem Recovery Procedures screen Figure 3 20 enter 1 Initialize and format disk unit Disk Unit Problem Recovery Procedures Select one of the following 1 Initialize and format disk unit 2 Display change page data 3 Analyze disk unit surface Selection F3 Exit Fii Display disk configuration status F12 Cancel Figure 3 20 The Disk Unit Problem Recovery Procedures screen 11 In the screen that is displayed select the new nonconfigured drive to initialize and confirm 12 Return to the Work with Disk Unit Recovery screen Figure 3 19 on page 72 and enter 9 Copy disk unit data 13 In the screen that is displayed Figure 3 21 select the load source disk unit disk unit 1 as the unit to copy Select Copy from Disk Unit Type option press Enter 1 Select Serial Resource OPT Unit ASP Number Type Model Name Status 1 1 68 OELF75A 4326 050 DD002 Active F3 Exit F5 Refresh F11 Display non configured units F12 Cancel Figure 3 21 The Select Copy from Disk Unit screen Chapter 3 System i5 disk ati5 OS V5R4 73 14 In the Select Copy
7. Use Dedicated Service Tools DST System S1LOE80CC Select one of the following Perform an IPL Install the operating system Work with Licensed Internal Code Work with disk units Work with DST environment Select DST console mode Start a service tool Perform automatic installation of the operating system Work with save storage and restore storage Work with remote service support Work with system partitions Work with system capacity Work with system security End batch restricted state wwmrrwanurhr WNE PRPPRPeR BWNHEO Selection F3 Exit F12 Cancel Figure 3 17 The Use Dedicated Service Tools DST screen Chapter 3 System i5 disk at i5 OS V5R4 71 8 In the Work with Disk Units screen Figure 3 18 enter 2 Work with disk unit recovery Work with Disk Units Select one of the following 1 Work with disk configuration 2 Work with disk unit recovery Selection F3 Exit F12 Cancel Figure 3 18 The Work with Disk Units screen 9 In the Work with Disk Unit Recovery screen Figure 3 19 enter 6 Disk unit problem recovery procedures Work with Disk Unit Recovery Select one of the following Save disk unit data Restore disk unit data Replace configured unit Assign missing unit Recover configuration Disk unit problem recovery procedures Suspend mirrored protection Resume mirrored protection Copy disk unit data Delete disk unit data
8. 2 Set CHGIPLA CPRJOBATR back to its previous value 3 Perform a test 4 Return the system to the users Chapter 5 i5 OS V5R4 software 135 136 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Tape data encryption in i5 OS V5R4 This chapter describes the new hardware based tape encryption support available in i5 OS V5R4 The IBM TotalStorage TS1120 tape drive supports hardware based encryption The encryption key is supplied by an external key manager that can run either on i5 OS or ona Windows based PC This chapter also describes the TS1120 and shows how to set up and use the Encryption Key Manager EKM Copyright IBM Corp 2007 All rights reserved 137 6 1 Using the Encryption Key Manager and TS1120 tape drive Many clients are aware of possible ways to protect the system and the data on it to gt Avoid data loss which can be caused by a disaster such as fire or hurricane or simply by a person accidentally deleting the wrong library gt Protect the confidentiality of data from malicious intrusion or even theft gt Comply with governmental security regulations such as the Sarbanes Oxley Act SOX The following means of physical security and logical security can help accomplish these needs High Availability HA and disk mirroring solutions Journaling Daily backups Site security Network security firewall i5 OS built in security functionalities vvvvvy When you
9. 20 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 As with the i520 there are LAN SPCN HSL and USB ports The USB ports are not available for use by the i5 OS The LAN ports are available for partition use but they are not available for Operations Console LAN Multi adapter Bridge 1 570 Rear Locations P1 C8 T1 HMC1 __ _ Bipt c3_ P1 C8 T2 HMC2 P1 C8 T3 SPCNO P1 C8 T4 SPCN1 12C P1 T1 Serial Port P2 H P1 T2 Serial Port P1 Multi adapter Bridge 2 D POF ia ah io eo jP1 T8 0 P1 T9 1 j P1 T10 HSL 2 RIO G System Connect P4275 USB Not usable i5 OS Rack Ind Port P1 T7 Ethernet 1 P1 C7 T1 1 HSL 2 RIO G P1 pee Second HSL 2 RIO G Loop f Base fl Hot Plug Capable Not usable if optional second HSL 2 RIO G loop P 1 C7 is installed If optional second HSL 2 RIO G loop P1 C7 is installed Proc 2 and both Proc Reg 2 and 3 are required 4 1827 Serial UPS Conversion Cable connects to the P2 serial port Not usable i5 OS Figure 1 9 i570 rear view If you look at the front of the i570 you see two DVD device drive bays However there is no bay for an internal tape drive If a tape is required it must be internal in an expa
10. Following is the upgrade process 1 Develop an implementation plan to prepare for the upgrade including asking the following questions ls there a supported path for the new system Is there any hardware that must be migrated or ordered Are there enough DASD capacity and slots Predefine the system console this is important if you are planning LPARs Note For MES upgrades the Customized Upgrade Installation Instructions CUII must be used in conjunction with the implementation plan and the steps described here These instructions are available to the hardware service representatives Upgrade model 840 to i5 OS V5R4 with the latest PTFs This function can be performed by your hardware representative 3 The client tests the current environment 4 The client performs a full system backup perform two sets and do not forget to clean the tape drive before and after each backup Verify that all the disks are reporting in by performing the following tasks a In the iSeries main menu type STRSST and press Enter b Type 1 Start a Service Tool and press Enter c Type 3 Work with disk units and press Enter d Type 1 Display disk configuration status and press Enter In the disk unit details display you can see the bus number the ASP number the serial number and the status of the unprotected disks Print the system rack configuration using SST STRSST a In the iSeries main men
11. unknown terminal type 1 Snapshot_Thin_Console_to_USB 6 View_ARP_Cache 2 Restart_Proxy 7 View_Active_Connections 3 Exit 8 View_USB_Connectins 4 View_IP_configuration 9 Ping_host 5 View_Ethernet_Port_Configuration 10 Service_processor_address_override Figure 4 33 Appliance Console Menu screen Settings menu Connection properties To change the terminal settings select Settings Connection properties gt Global IBM Terminal Settings Figure 4 34 ezConnect Neoware Connection Manager Connection Settings Help r Aae enina ee r E IBM active Figure 4 34 Neoware Connection Manager Global IBM Terminal Settings Chapter 4 System i5 consoles in i5 OS V5R4 113 An example of customization is the color mapping for the 5250 session Perform the following tasks to customize color mapping 1 From the 5250 Settings tab select Advanced against Custom Colors and select the check box against Option Menu as shown in Figure 4 35 Global IBM Terminal Settings Enabled Yes Advanced Figure 4 35 Neoware Connection Manager 5250 Settings tab 114 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 Restart the 5250 console session for the changes to take effect After the restart the Option menu Figure 4 36 is available in the 5250 session Option Keypad Dedicated Service Tools DST Sign On Custom
12. 3 Adding the new logical partition LPAR configuration and the new components which in turn results in the final configuration A combination of the SPT and the System Plans on the HMC allows the deployment of SPT LPAR configurations At present the deployment of upgrades is not supported Overview of the System Planning Tool The SPT is a tool for designing logically partitioned System i and IBM System p environments and is the replacement for the LPAR Validation Tool LVT However it can also be used for planning and documenting nonpartitioned systems The SPT is a browser based tool that runs on your PC For download and installation information refer to Appendix A in IBM Virtualization Engine TS7700 Tape Virtualization for System z Servers SG24 7312 The graphical user interface GUI and the order of operations are quite different from the LVT but its purpose is the same The tool has help text and a link to the IBM System Hardware Information Center The SPT can be found at the following Web site http www ibm com servers eserver support tools systemplanningtool You can design new systems from the existing performance data from the planned workloads from the sample systems and by using the advanced mode that lets you design the system at the component level SPT creates a system plan that is saved as a sysplan file That system plan may be just one system or it may contain multiple systems each with a unique sy
13. A new type of disk drive draw is now available This disk draw is available only in a 4U rack mounted enclosure It is SCSI connected rather than HSL This offers a longer cable length 20m that might be attractive to customers wishing to install many disks on one system where a short HSL cable length might cause physical arrangement limitations The 24 drives in the EXP24 enclosure can be arranged in four six disk packs or two 12 disk packs These packs can be allocated to different logical partitions The pack arrangements and protection depend on the I O adapters controlling them I O adapters controlling the disk in an EXP24 can be in an I O expansion located in the same rack as the EXP24 or the CEC 3 4 Disk protection types An i5 OS disk can have a variety of protection methods Typically a protection method is implemented throughout the system However in some instances you might choose to mix the protection types For example a partitioned system may have different types of protections in different partitions based on level of availability The production partition may have mirrored protection because it requires the highest level of protection but the development partition may have Redundant Array of Independent Disks RAID protection because this is a less critical environment The following sections provide an overview of the different protection methods Unprotected Disks can be added to auxiliary storage pools ASPs without
14. Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State 0000 Server powered off Reference code C1112000 Connection status 30 00 of 100 Waiting for server to power on Figure 4 19 Power off 30 00 2 of 4 Server Information IP 192 168 3 147 Type Model 9405 520 Serial LOE8OCC State 0005 Server powering on Reference code C100C1FF Connection status 30 00 of 100 Waiting for server to power on Figure 4 20 Power off 30 00 3 of 4 Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State 0001 Server powering on Reference code C700406E Connection status 30 00 of 100 Waiting for server to power on Figure 4 21 Power on 30 00 4 of 4 Figure 4 22 shows power on 40 01 Server Information EP 192 168 3 147 Type Model 9405 520 Serial LOE80CC State OOOF Server firmware ready Reference code Connection status 40 01 of 100 Server firmware is ready to communicate Figure 4 22 Power on 40 01 Chapter 4 System i5 consoles in i5 OS V5R4 107 Figure 4 23 shows power on 50 00 Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State OOOF Server firmware ready Reference code C2003150 Connection status 50 00 of 100 Searching for operating system Figure 4 23 Power on 50 00 Figure 4 24 shows power on 60 01 Server Information Tp 192 168 3 147 Type Mod
15. 2 B or 3 D 1 Manual 2 Normal 3 Secure or 4 Auto IPL source 2 IPL mode 1 Press Enter to change the IPL attributes and return to the main DST menu Press F8 to set the IPL attributes and restart the system Machine processing will be ended and the system will be restarted Press F10 to set the IPL attributes and power off the system Machine processing will be ended and the system will be powered off Press F12 to return to the main DST menu without changing IPL attributes F3 Exit F8 Restart F10 Power off F12 Cancel Figure 3 24 The Operator Panel Functions screen 18 Find the old load source disk unit and slide the disk unit out of the system 19 Move the new load source disk to the load source position 20 If you removed a drive in step 3 on page 70 reinstall it 21 Perform an IPL on the system 3 5 3 Load source migration Mirrored system This section describes load source migration of a mirrored system Notes Ensure that you record the serial numbers and the locations at relevant points Be very careful when repositioning disks Wrong placement of disks can lead to unpredictable results and might require a full system reload from the backup tapes Follow these steps 1 Perform a full system save 2 Locate the load source unit Unit 1 and its mirrored pair and make a note of the locations and the serial numbers of the drives Power down the system Install the two new disk drives Note the seri
16. CEC The System i595 is the exception because it does not have any disk drive slots in the CEC 3 3 1 System i 515 525 520 and 550 These systems all have eight disk slots that can be arranged in one or two buses allowing either a single bus arrangement of one to eight disks or two buses that can each have one to four disks This means the disk in the CEC can be available for one or two logical partitions The available protection type depends on the disk adapter being used or the embedded IOP 3 3 2 System i 570 The System i 570 can accommodate one to six disks in the CEC arranged on one bus and therefore only one logical partition These disks can use all protection types depending on the chosen disk adapter or the imbedded IOP 3 3 3 System i 595 The System i 595 similar to the earlier high end iSeries model 890 cannot have any disk drives in the CEC 3 3 4 I O expansion The System i5 has several expansion frames that can house disk drives These expansion frames connect to the System i5 or iSeries via the high speed loop The models used are the 52 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 5094 5294 and the 5095 expansion towers The 5294 is merely a two high 5094 Each 5094 can house 45 disk drives and the I O cards that drive them The 5095 expansion tower is a smaller unit that can be floor or rack mounted It houses up to 12 disk units along with the I O adapters that drive them
17. First Boot Device USB HDD Iten Help Second Boot Device USB ZIP Boot Up NunLock Status Gal Typenatic Rate Setting Bisabled Security Option Setup Video BIOS Shadow Enabled Full Screen LOGO Show Enabled Summary Screen Show Disabled ise Hove Enter Select PU PD Value F10 Save ESC Exit Fi Geseral Help F5 Previous Values F7 Optinized Defaults Figure 4 43 Advanced BIOS Features screen Chapter 4 System i5 consoles in i5 OS V5R4 121 10 In the Advanced BIOS Features screen Figure 4 44 ensure the following The First Boot Device is set to USB HDD The Second Boot Device is set to HDD 0 Press F10 to save your BIOS changes and press Enter to confirm SAVE to CMOS and EXIT Phoenix AvardBlOS CHOS Setup Utility Advanced BIOS Features First Boot Bevice US8 HDB Second Boot Device HDD 6 Boot Up NumLock Status 0a lenu Leve Typenatic Rate Setting Disabled tic Rate Char c select Your Boo ic Belay Hsec 260 Device Priority Security Option Setup Video BIOS Shadou Enabled Full Screen LOGO Show Enabled Sunaary Screen Show Disabled isecflove Enter Select PU PB Value F10 Save ESC Exit Fi Gemeral Help FS Previous Values F7 Gptinized Defaults Figure 4 44 Boot devices 11 The Neoware Thin Console recognizes the memory key and boots from it You will receive the following message The image on the console is about to be overwritten Do you wish to proceed with the update yes
18. IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 3 In the Certificate Store and Password panel enter the keystore file name you created earlier enter the complete path name and the password as shown in Figure 6 46 and click Continue Selecta Certificate Store Collapse All m Create Certificate Create New Certificate Store Install Local CA Certificate on Your PC gt Manage User Certificates gt Manage CRL Locations Manage LDAP Location m Manage PKIX Request Location Retum to i5 OS Tasks Secure Connection Digital Certificate Manager Certificate Store and Password Enter the file name and password for the certificate store that you want to open Certificate type Server or client Example certificate store file name MYDIRECTORY MYFILE KDB Certificate store path and filename EKM keystore_ikdb Certificate store password eee Continue ResetPassword Cancel Figure 6 46 Certificate Store authentication 4 The Current Certificate Store window opens Figure 6 47 You are now inside the keystore you selected and can start managing it Selecta Certificate Store Expand All Collapse All b Fast Path m Create Certificate Create New Certificate Store a ad a gt Manage Certificates gt Manage Certificate Store gt Manage CRL Locations Manage LDAP Location Manage PKIX Request Locatio
19. Symbols 14 inch 2 5GB 12 14 inch 13GB 12 Numerics 5250 console 91 A acceptUnknownDrives 140 ASMI 90 backup and recovery considerations 140 C Capacity on Demand 91 CEC 91 D data are encrypted by the host 138 define keystore 140 E EKM 137 configure 140 server 140 encryption components 139 encryption methods 138 encryption capable tape drive 138 F FC 5592 139 FC 5596 139 FC 9592 139 FC 9596 139 Fibre Channel Disk Adapter 12 Fibre Channel Disk adapter 12 Fibre Channel Tape Adapter 12 Fibre Channel Tape adapter 12 FSIOP 9 11 G graphical user interface 2 H Hardware Management Console 3 90 machine code 93 Copyright IBM Corp 2007 All rights reserved l IBM 5250 emulator 97 IBM Encryption Key Manager 139 IBM Java 140 IBM Software Development Kit 140 IBM TotalStorage TS1120 137 IBM Workload Estimator 3 IBMKeyManagementServer 140 Integrated xSeries Server 12 IPCS 11 J Java Runtime Environment 140 JCEKS type keystore 149 K key management 150 KeyManagerConfig 140 keystore 140 L LPAR Validation Tool 2 LVT 2 N Neoware Connection Manager 101 Neoware Thin Client 97 O operations console 90 overview of the System Planning Tool 2 P planning for tape encryption 140 PTF 92 R Redbooks Web site 196 Contact us x RPQ 847102 12 S sample configuration File 140 Sarbanes Oxley 138 SDK 140 server firmware 92 update policy 93 service partition 92
20. The client must check the cost of migrating for example disks against the cost of new drives with faster and higher capacities Table 1 2 LSPD features that can be converted to PCI HSL SPD features Description PCI HSL feature How to convert them to PCI tower that towers conversion PCI HSL will support them 6717 6817 8 58 GB disk unit 10k rpm Request for price 5065 5066 8617 and 8817 quotation RPQ 847102 5074 and 5079 or through the configurator 6718 6818 17 54 GB disk unit 10k rpm 4318 RPQ 847102 or through 5065 5066 8618 and 8818 the configurator 5074 and 5079 5065 Storage PCI expansion unit Storage PCI expansion unit unit 5074 o 5074 Through the configurator Through the configurator configurator foe 1 8 m Storage PCl 5079 Through the configurator expansion unit 1 If you are adding a new disk to an installed 8xx system it is recommended that you also take advantage of the situation to convert the installed 10k rpm disk to 5065 or 5066 towers 1 3 Disk migration Disk migration to new hardware might have considerable cost savings above the purchase of new disks However great care must be taken when planning the movement of disks Consider the following factors Disks with capacity less than 8 GB are not supported Disks of speeds less than 10k rpm are not supported i5 OS V5R4 requires any load source drive to be at least 17 GB Disks that are RAID protected can only be moved wher
21. This section describes the EKM program running on a PC desktop or a PC server Software requirements Table 6 1 shows the minimum Windows operating system versions and the minimum SDK version Table 6 1 Minimum software requirements for Windows Operating system Runtime environment bundled with IBM TotalStorage Productivity Center Limited Edition TPC LE LPP 5608 VC6 Windows 2000 IBM 64 bit runtime environment for Windows on AMD64 EM64T Windows 2003 architecture Java 2 Technology Edition V5 0 IBM 32 bit runtime environment for Windows Java 2 Technology Edition V5 0 IBM 64 bit SDK for Windows on Intel Itanium architecture Java 2 Technology Edition V1 4 2 a This product can only be installed from CD It is not available for download For more infor mation visit http www ibm com servers storage software center 1limited index html After you have the required Windows operating system and the correct IBM Java Runtime Environment JRE for Windows installed refer to Installing the IBM Java Runtime Environment for Windows on page 143 gt Install the IBM Java unrestricted policy files refer to Installing the unrestricted policy files on page 146 gt Install the IBM EKM Application and the IBM EKM Sample Configuration file refer to Installing the Encryption Key Manager jar and sample configuration file on page 147 gt Install the proper tool to manage the keys in your type of keystore In
22. f Done Local intranet Figure 6 77 Changing encryption method Chapter 6 Tape data encryption in i5 OS V5R4 189 5 As soon as you change the encryption method to Library Managed a new field appears on the page the key manager address selection Figure 6 78 This is normal when you enable a tape drive for encryption the tape drive has to know where to get its keys By using this field you can point the tape drive to the keystore addresses you selected earlier as described in 6 7 1 Defining the keystores to be used by the TS3500 on page 184 After specifying the IP addresses of your choice click Apply to confirm Encryption Method Microsoft Internet Explorer ON Encryption Method Encryption Method Select up to four IP address Select IP Address Port v 9 5 53 92 3801 v 9 5 53 94 3801 lt gt Advanced Encryption Settings for Engineering Support use only Advanced Method No Advanced Setting x Scratch Cartridge Encryption No Advanced Setting x Density Code are No Advanced Setting Key Path No Advanced Setting ix Apply Cancel Done Y Local intranet Figure 6 78 Library managed encryption 6 7 3 Setting up a scratch encryption policy In this last stage define to the TS1120 tape drive the cartridges or ranges of cartridges that are eligible for encryption This policy only applies to scrat
23. or both there may be limited use of the MES hardware for a short time to carry out extended user testing thereby reducing the total upgrade risk and possibly reducing the downtime The benefit of this method is that the production machine is unavailable only during the normal backup routines The source system supports V5R3 or later This method is used to test the upgrade process and gives the users the time to test the new environment This is the sequence of events in the upgrade process 1 The client reviews the information Request for Price Quotation RPQ and orders upgrade services and side by side time through a special bid process 2 The required hardware is ordered to duplicate most or all of the environment 3 The source system is upgraded to V5R3 or later in all the partitions Note If you are upgrading the source system to i5 OS V5R4 a 17 GB load source is required for any i5 OS V5R 4 partition 4 The MES is installed as a stand alone system 5 The LPAR configuration is created on the target server 6 Existing full system backups are used to create the new test system using the recovery procedures described in Backup and Recovery V5R4 SC41 5304 08 which is available at http www elink ibmlink ibm com publications servlet pbi wss SSN 07AHN00275429 11678 amp FNC PBL amp PBL SC41 5304 08PBCEEB0200012125 amp TRL TXTSRH 7 The client tests the current environment for up to 56 days 8 Any production objects th
24. publib boulder ibm com infocenter ese rver v1r3s index jsp IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Task Brief description Due date task owner Task Has the HIPER PTF list been reviewed and the PTF ordered Task Are there any unsupported software licensed program product LPP programming request for price quotation PRPQ that have to be replaced or altered Are alternatives known and have they been ordered for example OV 400 client access or fax ____ Task Has the memo to user section titled Licensed products that are no longer supported been reviewed Task Check the current installed client software for compatibility that is iSeries access Task Plan to upgrade the client software to the latest release and service pack Task If the upgrade is a side by side where all the client applications libraries and data will be restored to a new system have alternative provisions been made to capture information contained in OUTQ DTAQ and MSGAQ if necessary Site preparation tasks Task Is the site preparation on schedule Task Has proper power installation been ordered for all the systems the new I O towers and the additional equipment required during the upgrade only or any external equipment Are the power connectors correct Refer to the iSeries for the new system unit and the physical planning Web I O tower site at http
25. 45 seconds enter function 21 Otherwise the system will not tie both the functions together and consider the function 21 as a regular force DST to console If function 65 and function 21 are entered in less than 45 seconds you must see SRC A6nn500A where nn represents the current console type you might have to enter function 11 to display the SRC 00 No console defined 01 Twinax console 02 Direct attached Operations Console 03 LAN Operations Console 3 Enter function 65 followed by function 21 again to enter the edit mode The operator panel displays SRC of A6nn500B to confirm the edit mode You might have to enter function 11 to display the SRC To cancel any changes and exit the edit mode use function 66 4 Repeat the functions 65 21 11 until you reach the console type you require If you exceed 45 seconds between 65 and 21 when in the edit mode SRC A6nn500D is presented indicating a timeout condition The system is no longer in edit mode 5 When you have reached the correct console type enter only function 21 11 to confirm your choice SRC A6nn500C is displayed to indicate that the change is accepted 6 Enter function 21 once more to force DST to the console An example of a console change would be changing from twinax console type 01 to LAN console type 03 65 21 11 A601500A You are in display mode and the console mode is 01 65 21 11 A602500B You entered edit mode and incremented
26. 9405 520 Serial LOES8OCC State FFFF Server state is unknown Reference code Connection status 10 00 of 100 Searching for server at Ethernet port HMC1 or HMC2 F8 Reset search for server Figure 4 10 Thin Console connection status 10 nn Chapter 4 System i5 consoles in i5 OS V5R4 103 8 On the next screen Figure 4 11 authenticate the device to the FSP by entering the HMC access password The default password is abc123 This authentication ensures protection for the FSP network interfaces After being entered the access password is stored locally on the Thin Console so that subsequent connections to the same FSP do not require you to re enter it Thin Console 1 0 0 142 Console Information Ethernet 00 E0 C5 56 0E FB IP 192 168 3 1 Gateway 192 168 3 1 Subnet 255 255 255 0 Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State FFFF Server state is unknown Reference code Connection status 10 01 of 100 Searching for server at Ethernet port HMC1 or HMC2 1 Enter HMC access password F8 Reset search for server Figure 4 11 Thin Console connection status Authentication 9 If you have not done so already power on the System i5 The following figures Figure 4 12 Figure 4 13 on page 105 and Figure 4 14 on page 105 show the Thin Console cycling through some of the different connection states Figure 4 12 shows the Thin Console connection status 20 nn
27. CA certificate into this certificate Mists Nex Ganificne S store and enable or disable a CA certificate in this certificate store gt Ww i i Bc oad CA CREE a Work with user certificates Your PC You can create delete view or assign a user certificate v e Certificates Work with certificate requests pu You can view or delete certificate requests for the certificate store Renew certificate AU A Work with CRL locations Import certificate Export certificate You can add view update or remove a Certificate Revocation List CRL for the certificate store Delete certificate ee Check expiration a Set CA status m Update CRL location assignment Assign a user certificate gt Manage Certificate Store fs s mM 2 Figure 6 48 DCM Fast Path window Alternatively select Manage Certificates in the left panel Figure 6 49 ans P Digital Certificate Manager Manage Certificates Select the type of action that you want to perform View certificate View information pertaining to a certificate Selecta Cestfioaie Store Renew certificate Replace an existing certificate with a new certificate Expand All Collapse An Import certificate Add a certificate to this certificate store Export certificate Copy a certificate to a file or another certificate store gt Fast Path Delete certificate Remove a certificate from th
28. Create Certificate Select the type of certificate that you want to create S Server or client certificate Selecta Ceriicala Sire Server or client certificate for another server running i5 OS or OS 400 Expand All Collapse All User certificate p Fast Path Create Certificate m Create New Certificate Store a Install Local CA Certificate on Your PC gt Manage Certificates gt Manage Certificate Store gt Manage CRL Locations Manage LDAP Location m Manage PKIX Request Location Retum to 15 OS Tasks Secure Connection Figure 6 50 Create Certificate window 2 Select VeriSign or other Internet Certificate Authority CA and click Continue Figure 6 51 Digital Certificate Manager Select a Certificate Authority CA Certificate type Server or client Certificate store EKM KEYSTORE_IKDB Selecta Certificate Store Expand All Collapse All gt Fast Path fS VeriSign or other Internet Certificate Authority CA Select the type of Certificate Authority CA that will sign this certificate Local Certificate Authority CA Create Certificate Create New Certificate Store Install Local CA Certificate on Your Continue Cancel PC gt Manage Certificates gt Manage Certificate Store gt Manage CRL Locations a Manage LDAP Location Manage PKIX Request Location Retum to i5 OS Tasks Secure Connection
29. Cryptography Extension JCE Cryptography Architecture Specification Cryptography Extension Specification How to implement a provider for the Java Cryptography Architecture The IBM Java Cryptography Extension API Guides linked above are supplemented by the Javadoc HTML documentation for the JCE API and code samples in jceDocs samples zip The JCE provides a framework and implementations for encryption key generation and key agreement as well as Message Authentication Code MAC algorithms Support for encryption includes symmetric asymmetric block and stream ciphers The software also supports secure streams and sealed objects JCE supplements the Java 2 platform which already includes interfaces and implementations of message digests and digital signatures Certified JCE FIPS Guide PDF file The IBM Java JCE Java Cryptographic Extension FIPS provider IBMJCEFIPS version 1 2 for Multi platforms is a scalable multi purpose cryptographic module that supports FIPS approved cryptographic operations by means of the Java 2 Application Programming Interfaces APIs The IBM Java JCE FIPS provider is certified at Federal Information Processing Standards FIPS 140 2 Level 1 The Security Policy linked above is supplemented by Javadoc HTML documentation for the module IBM SDK Policy files IBM s SDKs ship with strong but limited jurisdiction policy files Unlimited jurisdiction policy files can be obtained from the link above
30. DSPIPLA CPRJOBATR To change enter CHGIPLA CPRJOBATR NONE 10 Enter the following command and select option 5 GO LICPGM 11 Create a customized list of software to install with the option 12 Check for items not found on the media 13 Add any additional programs to the list 14 Delete any unsupported products 15 Delete any products or product options that are no longer required 16 Accept the software agreements 17 Clean up the disk storage space and remove unwanted products and data 18 Allocate additional space for LIC Important The additional space is reserved during the next IPL This IPL must occur prior to upgrading a required step for each partition 19 If you have nonconfigured disks set the Keep disk configuration option to YES 20 Set the console mode in the DST 21 If you are upgrading IBM Cryptographic Access Provider 128 bit and currently have 40 bit or 56 bit versions installed remove them 22 Vary off Integrated xSeries servers and other application servers such as Lotus Domino servers 23 Check whether the installation device you want to use is available to this partition and is a suitable alternative IPL device Chapter 5 i5 OS V5R4 software 133 Performing a full system save To perform a full system save type the following command GO SAVE Select option 21 Important After you begin to upgrade the Licensed Internal Code LIC to the next release the process must complete If it is not possib
31. Dynamic Logical Partitioning http www ibm com servers eserver iseries par Expansion unit conversions in a partitioned environment for 8xx and 270 iSeries server models http www 1 ibm com servers eserver iseries migration pdf LPARexpansionupgrade FINAL pdf Copyright IBM Corp 2007 All rights reserved 195 gt HSL Rules High Availability and Clusters http www 1 ibm com servers eserver iseries ha systemdesign html gt IBM CUII Home page http w3 rchland ibm com projects WCII cgi bin wciireq p gt IBM System i5 Benchmark Center http www ibm com servers eserver iseries benchmark cbc index htm gt IBM Systems Workload Estimator http www 304 ibm com jct01004c systems support tools estimator index html gt IBM eServer iSeries Information Center http www iseries ibm com infocenter gt iSeries Memorandum to Users Release R530 Preventive Service Planning http www 912 ibm com s_dir sline003 nsf 2d3aff1c6b4d6ce086256453000d97 le e832 6cald7b29aa486256eac005dc19f 0penDocument How to get IBM Redbooks You can search for view or download Redbooks Redpapers Hints and Tips draft publications and Additional materials as well as order hardcopy Redbooks or CD ROMs at this Web site ibm com redbooks Help from IBM 196 IBM Support and downloads ibm com support IBM Global Services ibm com services IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Index
32. Locality optional State Province optional Eo o oo Zipcode optional eooo Country or region US v ISI Enter the name of a file in which to store the certificate request CAProgram FilesWiBMiWJava5O jretbinicertreg arm Browse OK Reset Cancel Figure 6 22 Create New Key and Certificate Request window 3 An Information window opens Figure 6 23 which mentions that you must send the certificate request to a CA Click OK The CA then provides you with a signed certificate I x Anew certificate request has been successfully created in the file C Program Files lBMiJava50ijreibinicertreg arm You must send the file to a certification authority to request a certificate p Figure 6 23 Information dialog box IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 4 The IBM Key Management window shows the key labels for the certificate requests you create In this example we created two certificate requests as shown in Figure 6 24 fa IBM Key Management C EKM keystore_x jck Key Database File Create View Help Die ee RL Key database information DB Type JCEKS database file FileName C EKMikeystore_xjck Token Label Key database content Personal Certificate Requests keylabel_certreq_1 A certificate request is used to request a certificate from a certi
33. Representatives or IBM Business Partners to design a possible new server or upgrade solution This initial plan might be an iterative process as the alternatives for components and availability options are considered 4 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 The e Config output also leads to a discussion of whether the server configuration is suitable in terms of commercial processing workload CPW main storage auxiliary storage LAN WAN connectivity availability requirements console requirements physical dimensions and power and cooling requirements During this consideration phase both the system and application software must be considered The new IBM System i5 models require IBM i5 OS V5R3 or later depending on the model that is whether the server is partitioned All of the logical partitions must also be at i5 OS V5R3 or later Some functions require i5 OS V5R3M5 or i5 OS V5R4 such as initial program load IPL system across system area network SAN or input output processor less lIOP less adapter cards Initial plan and schedule At this stage the client looks at the issues described until now and along with application considerations at whether the proposed solution is worth pursuing LPAR clustering and high availability solutions might form a part of the planning at this stage The result of these activities is an initial plan and schedule for the upgrade Physical planning
34. Size 957 Date 9 1 2006 Figure 6 37 EKM downloads When SR3 becomes available it contains the EKM code Therefore you do not have to download the IBMKeyManagementServer jar file 6 4 4 Installing Digital Certificate Manager In this example we define an IBMi5OSkeystore type keystore The interface to manage this type of keystore is the DCM GUI The ikKeyman utility enables you to create the JCEKS keystore type Installing the ikKeyman utility on page 148 Perform the following tasks 1 Verify that these licensed programs are installed on your system If not install them first 5722SS1 option 34 DCM 5722DG1 IBM Hypertext Protocol Server HTTP Server for i5 0S 2 Open iSeries Navigator and select on your system Chapter 6 Tape data encryption ini5 OS V5R4 165 3 Select Network Servers gt TCP IP and check in the right pane to see whether the HTTP Administration server is started If not right click HTTP Administration to start it Figure 6 38 iSeries Navigator A AX File Edit View Help 2 o m E moe 1 minutes old Environment My Connertinne 192 168 4 1 TCP IP Management Central 9 36 188 17 a Description My Connections fa QoS Stopped QoS Server fl 10 10 10 4 fa RADIUS NAS None RADIUS Network Access Server fl 192 168 4 1 fa WebFacing Stopped WebFacing Server a System Debug Stopped Graphical Debug Server a Management Central Started Management Central fs DL
35. The ZIP file should be unpacked and the two JAR files placed in the JRE s jre lib security directory These policy files are for use with IBM developed SDKs The same files are used for the Version 1 4 and Version 5 SDKs Details of downloads of unlimited jurisdiction policy files for the Solaris and HP platforms can be found in the IBM Security Guide for those platforms Java Generic Security Services JGSS JGSS User Guide J Developer Guide The IBM Java Generic Security Services Guides linked above are supplemented by the Javadoc HTML documentation for the JGSS and code samples in jgssdocs sample zip JGSS is used to exchange messages securely between communicating applications The Java GSS API contains the Java bindings for the Generic Security Services Application Program Interface GSS API defined in RFC 2853 GSS API offers application programmers uniform access to security services built on a variety of underlying security mechanisms including Kerberos TRMISSF Guide Figure 6 10 Java security site 146 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 Download the zip file for V1 4 2 Figure 6 11 The same files are used for V1 4 and V5 Home Products Services amp industry solutions Support amp downloads My IBM Unrestricted JCE Policy files for SDK 1 4 7 To properly configure your download please review the information below Warranty info Select the approp
36. are displayed as MHnnnnn When you upgrade to a new release the process is always disruptive that is the managed system and not just the partitions have to be shut down and restarted in order to accept the new release level The fix updates within the same release can be but are not always concurrent It is recommended that after you have started an update or upgrade process you do not interrupt it or perform any other tasks For details about the update or upgrade process refer to the topic obtaining firmware updates in the IBM Systems Hardware Information Center which is available on the Web at http publib boulder ibm com infocenter eserver vlr3s topic ipha5 fix_serv_firm_k ick htm Note The HMC machine code must be equal to or greater than the server firmware level The sequence in which you install fixes or updates is very important Install the HMC updates before you install the server firmware updates in order to ensure that the HMC machine code can handle the server firmware level that you are applying See Supported combinations of server firmware and HMC code on page 96 You can use either the HMC to manage download and install your firmware level and fixes which is the default setting or the program temporary fix PTF functions of the i5 OS These options are referred to as Update policy set to HMC versus Update policy set to operating system If you decide to set the update policy to the operat
37. are six Peripheral Component Interconnect X PCI X card slots and eight memory dual inline memory module DIMM slots The side panel of the i520 can be removed to install and remove features The i520 is available as a desk side unit or a rack mounted unit P1 C9 JOA P1 C10 JOB P1 C11 JOC C12 JOD Removable Media Processors up to 2 Power Supply E2 Gb Ethemet T6 T6 P1 C13 J2D USB Ports P1614 J2C P1 C15 J28 Hi t P1 C16 J2A DASD CCIN 2802 P1 C7 SP B1 C1 P1 C2 P1 C3 9793 9794 RAID Card P1 C4 A P1 C8 5709 P1 05 979349794 tt ae j DASD 6574465846594 P1 C8 9844 i O n BASE Hot Plug Capable Figure 1 5 i520 plan view 16 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Figure 1 6 shows the rear of the i520 550 You can see the connections for the HMC the high speed link HSL the system power control network SPCN local area network LAN and the service ports There are also Universal Serial Bus USB ports These are not usable by i5 OS Both of the Ethernet ports are available for allocation to partitions but cannot be used for Operation Console LAN connection SPCN is a loop on i5 servers Therefore both of the ports will have a cable connected if an expansion tower is a part of the system Port An 1827 Serial UPS Conversion Cable connects to the top serlal
38. arm must move across the entire platter even when the disk is partially full This increases the seek time for data access and consequently the overall response time RAID Data Read Write Arm Figure 3 43 The existing RAID 5 arrangement 86 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Figure 3 44 shows the new RAID 5 available with the new PCI X RAID disk IOAs In this configuration the disk platter is subdivided into 16 subarrays Each subarray has a user data area and a RAID data area You can see that the Read Write arm only has to move across a fraction of the disk platter at low levels of capacity This vastly improves the seek time and consequently the response time Read Write Arm Figure 3 44 RAID 5 arrangement PCI X RAID IOAs This new RAID arrangement is implemented by the IOA as soon as any drive under it is started The major implication of this setup becomes apparent during upgrades Here are the two scenarios where the new RAID is implemented gt When RAIDed disks are moved from under the control of an existing PCI RAID IOA to a system unit or expansion unit containing PCI X RAID Disk IOAs gt When anew PCI X RAID Disk IOA replaces an existing PCI RAID Disk IOA controlling RAIDed disks in an existing system unit or expansion tower There is no user control over the change to the RAID arrangement Because the system runs an IPL for the first
39. built over virtual devices is the simplest environment provided the OS environments are upgraded You can vary off the Linux server and vary it back on after the upgrade assuming that none of the resource naming is changed Chapter 1 Planning for upgrades to System i5 hardware 23 1 5 1 Migrating a Linux logical partition from iSeries Migrate a Linux logical partition from iSeries as follows 1 In your existing server upgrade to a version of Linux that supports the System i5 servers Contact the Linux distributor for detailed instructions In your existing server replace the existing I O device drivers with the iSeries virtual I O device drivers From the new Linux distribution retrieve the Linux kernel that supports the System i5 POWERS processors and store it in the OS 400 file system 1 6 Windows migration This section provides a brief overview of the Windows server migration process Moving the Windows server installations to new hardware is much simpler in an Integrated xSeries Server IXS or Integrated xSeries Adapter IXA environment than in an external stand alone server environment This section briefly outlines the upgrade process when the IXA or IXS card is physically moving to the new hardware Other scenarios are explained in the Windows migration chapter An IXS card located in 8xx CEC slots must be accommodated in an expansion when upgrading to a System i5 because they cannot be accommodated in any o
40. care must be taken to maintain bus numbering if there is an LPAR 12 Run the LPAR migration program 13 Power up 14 Fix any ownership and resource naming issues 15 Add the new resources to the system 16 Go live Consider these points gt Model 820 to model 520 550 upgrade The 820 has six disk bays and the 520 550 has four disk bays in the base configuration If this is not noticed circumstances where there are too many disks from the system unit to fit into the new system unit may arise The configurator will place the overspill hardware in another expansion unit This might result in the existing Redundant Array of Independent Disks RAID set being broken which causes the upgrade to fail The client will have to remove the overspill disks from the existing RAID set before the upgrade An additional consideration in this IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 scenario is that the overspill disk might force an unwanted expansion unit and significantly increase the MES price gt Bus cabling must be planned to ensure that buses retain their existing numbering wherever possible gt SPCN is cabled as a loop in the new hardware 2 1 5 Upgrade with load source migration This upgrade is primarily used to upgrade from a 7xx model to a new 5xx Because this is an unsupported upgrade path additional services must be purchased to perform this upgrade This can be u
41. certificate request form the CA has provided Click OK to complete the creation Digital Certificate Manager Certificate Request Created The certificate request data is shown below Copy and paste the request data including both the Begin request and End request lines into the form that the Certificate Authority CA provided Selecta Certificate Store Warning If you exit this page the certificate request data is lost Therefore make sure you carefully copy and paste the data into the Certificate Authority CA form or into a file for later use Expand All Collapse All a BEGIN NEW CERTIFICATE REQUEST gt Fast Path MIIBij CBSAIBADBLMQswCQYDVQQGEwJVUZEPMAOGA1UECBMGTX1DaXRSMRIWEAYD _ VQQKEw1NeUNvbXBhbnkxF ZAVBgNVBAMI DkVLTUNicnRpZm1 j YXRIMIGEMANGCSaqG u Create Certificate SIb3DQEBAQUAA4GNADCBi QKBgQD3 omAKW3YC mY2 JPqOuZPPy LvnSdTnQiCbvM z VwWHDAI4dD iUFTPBJGuUiE2fp224CI4 hNbqo1B AtTnqoGKPg1SIdMWeUvsqapziq Create New Certificate Store HOc1j yerzDsY1W9Rfci VwXXTPYOKF41yFo9kCOJnCE4DILD3 y75phpTr IROfgsB Install Local CA Certificate on Your Gp53MQIDAQABoAAWwDQYUKoZ InvcNAQEEBQADGYEAOCu6egPAzBgcfhD wBWIhtxG PC nnCeu6T8crxKBIXdCkwPkYnAFzj74bn n4ANQpQWRA3is9xeVRiN1771c99Lk913 FvK LveZ33L zyl fWewk3g 53F5LkbCOj nwYp6Xw31i Qy3QsW sBAfsCpQcOrYMki gt Manage Certificates YPy2SACNHqukZdLGUke gt Manage Certificate Store gt Manage CRI Locations a Manage LDAP Location u Manage PKIX Request Location
42. click Next To install to a different folder click Browse and select another folder Destination Folder C Program Files IBM Java50 Browse InstallShield Figure 6 4 JRE destination folder Chapter 6 Tape data encryption in i5 OS V5R4 143 4 Click No when the installation wizard asks you whether you want to make this JRE the System JVM as shown in Figure 6 5 Figure 6 5 JRE as system JVM 5 The Start Copying Files window Figure 6 6 is displayed Click Next IBM 32 bit Runtime Environment for Java 2 5 0 InstallShield Wizard i x Start Copying Files Review settings before copying files InstallShield Figure 6 6 Start Copying Files window 144 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 The Browser Registration window Figure 6 7 is displayed Select a browser to be associated with EKM Click Next IBM 32 bit Runtime Environment for Java 2 5 0 InstallShield Wizard gt a xi InstallShield Figure 6 7 Browser Registration window 7 The InstallShield Wizard Complete window Figure 6 8 is displayed Click Finish to complete the installation IBM 32 bit Runtime Environment for Java 2 5 0 InstallShield Wizard E InstallShield Wizard Complete Setup has finished installing IBM 32 bit Runtime Environment for Java 2 v5 0 on your computer Figure 6 8 InstallShield Wizard Complete window Chapter 6 Tape data encryption in i5 OS V5
43. client data libraries assuming the program libraries are unchanged Scratch installing from up to date source system saves Follow the disk migration upgrade path outlined in 2 1 4 Upgrade with converted or relocated disks on page 38 Note Although scratch install is the safest way to ensure that all o the objects are synchronized it might take an excessive amount of time The method allows for an intermediate stage where the target system is refreshed with the changed data to test the final upgrade method When using the save changed objects command the client must be sure that the testing process does not change the data objects Otherwise data mismatches occur Refer to Backup and Recovery V5R4 SC41 5304 08 for detailed procedures 44 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 2 5 Model 840 to model 570 system upgrade with no LPAR or Hardware Management Console The source system is a model 840 with a 9079 base I O tower 9840 sb3 The target system is a model i570 with a 5294 expansion unit using the Operations Console LAN In this scenario only the disks in the source system unit are moved Note This is a disk only migration which has two RAID sets hanging off one RAID controller RAID set 1 is made up of six disks and RAID set 2 is made up of eight disks This means that the disks can be moved straight across to the new system without any reconfiguration of disks
44. components been labeled Task Have adequate training and update sessions been scheduled 30 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Task Brief description Due date Where to find task owner additional information Task Has training for the HMC been scheduled Task Will programmers be trained to take advantage of the new functions and the OS 400 unique features and functions Task Has a standard for the application s documentation been established Task Has a standard for the operations been documented in a particular HMC Task Are plans in place for ongoing management of disk space usage Task Are there defined change management procedures in place Task Are non IBM software impacts known and documented Task Are schedules in place for preventive maintenance for both hardware and software Task Does the client understand the use of electronic customer support ECS Web based support and other IBM supplied problem determination tools Task Is the save restore strategy adequate for the new system Task Are the quantity and speed of tape devices adequate for the client to complete daily backups within the required window Task Have the networking options been reviewed Task Has the communication network been checked to ensure compatibility across all the products in the network Chapter 1 Planning for upgrades to System i5 hardware 31 Task Brief descript
45. disks Add the remaining new disks into the system ASP ON OO Ff Remove the rest of the old load source RAIDset from configuration by using the Remove disks from configuration option in the Work with ASP Configuration screen 9 Power down the system 10 Physically remove the old load source disk and its RAIDset from the system 11 Move the new load source disk to the load source position 12 Perform an IPL on the system Load source migrate Insufficient spare disk slots in the system If there are spare disk slots in the system but the numbers are insufficient to allow the installation of a new RAIDset for example three or four depending on the storage IOA Perform a full system save Perform an IPL to the DST Switch off RAID Install the new drive Follow the basic procedure described in the earlier section for unprotected systems Restart RAID OaRWN 3 5 5 RAID 5 arrangement on Peripheral Component Interconnect X I O adapters On January 2003 new PCI X RAID I O adapters were announced These new IOAs support a new form of RAID 5 The new format provides significant performance improvements over the existing PCI RAID IOAs This also applies to the new i5 servers The existing RAID 5 arrangement had the disk platter as one subarray that was split into two sections the first part of the outer ring of the disk for user data and the inner ring for RAID data As seen in Figure 3 43 the Read Write
46. disks in the system unit on the 520 which may have all the eight disks on one RAID controller or four on each of the two RAID controllers This might result in disk reconfiguration services being need to be completed prior to the upgrade Make sure that there is space for the I O adapters to be relocated to the new server Perform a full system backup Power down the existing server Set up the Hardware Management Console HMC NO FP W Remove the disks and the I O adapters Ensure that you know which disk is the Load Source 8 Plug the disks into the new system unit 9 Install the I O adapters in the new system 10 Power on 11 Fix any bus ownership issues and hardware resource naming issues 12 Go live This upgrade is only complicated by disk migration issues potentially going from 18 disks to eight which must be performed before moving the disks across to the new system Example disk migration Gig Mig service The source system contains 18 8 58 GB disks in two RAID sets off the same IOP These must be migrated to eight 35 16 GB disks in a single RAID set All of the disks are in the system auxiliary storage pool ASP It is assumed that the disks are 85 full Eighteen 8 58 GB disks in two RAID sets 137 3 GB total storage and 85 of 137 GB 116 7 GB of data on the system Perform the following tasks 1 Perform a full system save 2 IPL to the dedicated service tool DST 40 IBM eServer iSeries Migration A
47. encrypt your data you take this a step further Not only does encryption protect your data from accidental loss such as somebody erasing active data from a tape but also from deliberate compromise including a theft of tapes during transport to or from a tape vaulting facility or unauthorized personnel accessing confidential data stored on tape However even as you build this level of security you want to be able to share parts of the confidential data with trusted parties such as clients and partners Until now tape encryption for the System i environment was possible only by implementing third party solutions The following Web site provides an overview http www ibm com support techdocs atsmastr nsf WebIndex WP100790 Another solution is now available based on a new encryption capable tape drive the TS1120 The encryption is managed by the TS3500 tape library The section that follows looks at tape encryption methods 6 1 1 Encryption methods There are four ways to manage data encryption gt System managed where data is encrypted by the host OS before being written to tape gt Application managed where encryption of data is performed by a specific application possibly running on another system An example of an IBM application that can manage encryption is IBM Tivoli Storage Manager gt Appliance managed where a hardware device sits between the host OS and the tape device Data is encrypted as it passes through the a
48. exiting and click Exit Figure 4 40 I IBM 5250 Console A Color Mapping Select the color mapping function Advanced Choose a color scheme ser NewColours Black background IBM Dark grey background MAR CI Exit Waring IBM Light b Exit Warning Eg Light b Colors in the emulator have been modified and saved but not applied wv Exit without applying changes Apply changes to this session before exiting Exit Cancel oise text hite text Yellow text Red text Status Line Save Delete Apply Changes To Session Exit Help Colors saved to file Default default Button Figure 4 40 5250 session Apply changes 118 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 7 At this point you still have the Option menu in the top left corner of the 5250 session Switch back to the Neoware Connection Manager to take the Option menu out of the 5250 session Figure 4 41 Global IBM Terminal Settings 3270 Settings 5250 Settings Locale m Allow use of Key Mapping Enabled S oe Command menu Hidden z Keypad Capability ves z 3 Print menu Hidden z Record Playback Hidden z Font menu No no resize move z Advanced E Custom Colors Appearance V Edit Menu T Control Menu M 132 Columns I Option Menu M Misc Prefs T Column Separators Tl Help Menu Deskt
49. file Specify a password for the certificate key store and click Create Important The keystore is now in a user directory of the i5 OS IFS Be careful not to back up the keystore to the encrypted tapes because you will not be able to recover the keys and without the keys you cannot access any of the data on your encrypted tapes There is no recovery from lost keys Digital Certificate Manager Certificate Store Name and Password Certificate store Other System Certificate Store Enter the path and filename for the certificate store you want created You must also specify a password for the certificate store Seeron Example certificate store file name MYDIRECTORY MYFILE KDB Expand All _ Collapse All Certificate store path and filename EKM keystore_ikdb required Create Certificate Certificate store password youn required Create New Certificate Store Confirm password required Install Local CA Certificate on Your z b Manage User Certificates gt Manage CRL Locations Manage LDAP Location Manage PKIX Request Location Retum to i5 OS Tasks Secure Connection Figure 6 43 Certificate Store name and password The Certificate Store Created window opens Figure 6 44 on page 170 Your keystore is created successfully Chapter 6 Tape data encryption in i5 OS V5R4 169 6 5 1 Creating keys To create your keys generate them with DCM Accessing the keystore to generate keys Perform t
50. gt amp Protection Start parity Figure 3 1 Changing RAID optimization using iSeries Navigator 58 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 In the page that is displayed Figure 3 2 use the Optimization drop down box to select the required optimization Confirm Changing Optimization 9 5 17 170 Oe Different disk units may be included in a new parity set based upon the RAID level and optimization you select These parameters affect all new parity sets created but have no effect on existing parity sets Select how you want the parity set optimized RAID Level RAID 5 Optimization Availability ba gt Change Optimization Cancel Help Figure 3 2 Selecting optimization Chapter 3 System i5 disk at i5 OS V5R4 59 3 On the same page use the RAID Level drop down box to select the required RAID type as shown in Figure 3 3 Click Change Optimization Confirm Changing Optimization 9 5 17 170 Different disk units may be included in a new parity set based upon the RAID level and optimization you select These parameters affect all new parity sets created but have no effect on existing parity sets Select how you want the parity set optimized RAID Level RAID 5 v RAID 5 Availability 16 Parity Set 2 3 Parity Set 3 3 Parity Set 4 4 m Change Optimization Cancel Help Figure 3 3 Changing the R
51. install the server firmware updates to ensure that the HMC machine code can handle the server firmware level that you are applying POWER 5 system firmware levels iSeries and pSeries HMC levels 210 Release Service Packs Service Packs Service Packs Service Packs no longer provided Service Packs no longer provided Service Packs no longer provided Not a supported combination Service Packs no longer provided HMC V4R4 Minimum HMC Level Service Packs no longer provided Service Packs no longer provided Service Packs no longer provided Not a supported 2 7 combination 7 n pported Not a supported Not a supported combination combination combination Not a supported Not a supported combination combination Required to Support POWERS Release Level 225 HMC V4R3 Minimum HMC Level Required to Support POWERS Release Level 222 HMC V4R2 Minimum HMC Level Required to Support POWERS Release Service Packs no longer Service Packs no longer provided Service Packs no longer provided Not a supported combination Service Packs no longer provided Level 220 HMC V4R1i Minimum HMC Level Not a sup combination Not a supported combination Not a supported combination Not a supported combination Service Packs no longer Required to Support POWERS Release Level 210 Matrix Key Latest Release Level Maximum Stability Release Level Red
52. into the server Resource management and production After the new server is powered on the CE connects the HMC The client loads the saved LPAR configuration from the diskette using the LPAR migration utility The CE applies the partition profiles created by the LPAR migration tool to the server where the partitions are created The CE then returns the server to the client who performs hardware resource management activities and tests the server before moving to production Any new applications are installed at this stage by the client an IBM Business Partner or an application vendor 1 2 Migration towers and SPD hardware This section discusses the migration towers and SPD hardware that might already exist on the 8xx server to be upgraded These hardware resources are not supported on the new 5xx servers The client must prepare a replacement strategy A migration tower 5034 5035 or 5077 is essentially a 7xx installed system unit converted to a tower This conversion enables the client to retain some of their existing SPD and older Peripheral Component Interconnect PCI hardware upon upgrade to a model 8xx models 810 825 870 and 890 only thus leveraging their existing investment When converted into a migration tower the new tower connects to the system unit using a high speed link HSL The existing SPD towers can be attached through a migration tower SPD hardware including migration towers is not supported on iSeries
53. is essential that you agree to the LIC and OS 400 software agreements otherwise the installation fails Agreeing to licenses before installing the licensed programs Perform the following tasks Ensure that the software agreement PTFs have been applied Ensure that a custom installation list is created Run the GO LICPGM command Select option 5 Prepare for install Select the Work with Software agreements option Select all of the agreements that you want to accept and press Enter Press F14 to accept each agreement NO OROND 5 2 i5 OS V5R4 software upgrade paths Some releases of OS 400 may not be upgraded directly to i5 OS V5R4 gt Direct upgrade to i5 OS V5R4 can be performed only from releases OS 400 V5R2 i5 OS V5R3M0 and V5R3M5 gt Systems at releases prior to OS 400 V5R2 must perform a two step upgrade first upgrading to release OS 400 V5R2 or i5 OS V5R3 and then upgrading to i5 OS V5R4 Chapter 5 i5 OS V5R4 software 131 Important All V5 releases V5R1 V5R2 and V5R3 require a minimum of 128 MB of main storage in each partition V5R3 requires a minimum of 256 MB in the primary partition Additional storage above these minimums might be required for reasonable system performance When upgrading across more than one release refer to iSeries Memorandum to Users Release R540 and the PSP information for each of the skipped releases to see how your installation might be affected 5 3 Intero
54. is one part of the process that is performed at this stage dimensions power and cooling requirements LAN WAN connectivity and so on The plan must identify all activities that are required to move from the client s current server to the proposed server for example a software upgrade is most likely to be required Depending on the vintage of the current server it is possible that there is hardware to be removed from the current server prior to the main upgrade and so on This results in a multipart upgrade where hardware is removed or added at different stages The final stage is to replace the existing central electronic complex CEC with a new one and any hardware not already installed No SPD system product division hardware may be attached to a System i5 Final e Config output and order Subsequent to the activities described until now the solution proposal might require refinement This refinement is input into the e Config and the upgrade order is finalized Order and schedule Place the order and move to the postsales planning stage 1 1 2 Postsales planning This section involves planning the actual upgrade procedures The final e Config output and the client requirements resulting from the presales phase give rise to a unique timeline and task list for this client s upgrade The IBM recommended upgrade flow is outlined Although it is tempting to merge many of these tasks into a much shorter timeline good project manageme
55. language and press Enter Figure 4 9 on page 103 102 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 US English 15 German fustrian UK English 16 Gerson fustrian preEuro UK Euglish preEuro 17 Swiss Gerran Danish 10 Itallan Banish preBuro 19 Italian preEuro butch 20 Norwegian Dutch preEuro Zi Portuguese Finnish Portuguese preEuro Finnish preEuro Spanish French Spanish preEuro Canadian French LA Spanish Belgiun French Swedish Belgium French preEuro Swedish preEuro Swiss French I 3 4 5 6 E 8 ae Select a keyboard language Figure 4 9 Thin Console Select a keyboard 6 Plug the other end of the Ethernet cable directly into either one of the HMC ports on the server The ports are labeled HMC1 and HMC2 Although it is recommended that you attach the Thin Console before powering on the server the console session must be able to connect regardless of the connection sequence Note Do not attach another console device to the remaining HMC port When you use a Thin Console only one HMC port on the FSP can be connected at a time 7 The 5250 session comes up and displays the progress of the connection status Figure 4 10 shows connection status 10 nn Thin Console 1 0 0 142 Console Information Ethernet 00 E0 C5 56 0E FB IP 192 168 3 1 Gateway 192 168 3 1 Subnet 255 255 255 0 Server Information IP 192 168 3 147 Type Model
56. logo xSeries iSeries System i zSeries i5 OS System i5 1350 The following terms are trademarks of other companies Java JDK JRE JVM J2SE Sun Java Ultra and all Java based trademarks are trademarks of Sun Microsystems Inc in the United States other countries or both Microsoft Windows Server Windows and the Windows logo are trademarks of Microsoft Corporation in the United States other countries or both Intel Itanium Intel logo Intel Inside logo and Intel Centrino logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States other countries or both Linux is a trademark of Linus Torvalds in the United States other countries or both Other company product or service names may be trademarks or service marks of others viii IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Preface Planning an upgrade from an existing IBM AS 400e or IBM eServer iSeries server to anew model IBM System i5 can range from a very simple disk migration to a complex task involving many components and OS upgrade steps This IBM Redbook discusses the various topics that are involved in migrating to the new Peripheral Component Interconnect X PCI X and IBM POWER5 processor technology Upgrade scenarios are included to assist your planning IBM i5 OS V5R 4 contains additional components functions and features w
57. model 5xx As part of the planning process you must remove all existing SPD hardware before or during the upgrade and sufficient resources must be available in the upgraded system to perform the function of the removed hardware When planning the change from SPD to PCI features some PCI replacements have differing functions and requirements that you might have to address for example the fax adaptor requires reconfiguring and might have implications for any fax applications you use Some resources have no PCI alternative for example 6141 American Standard Code for Information Interchange ASCII adaptor and 2644 channel attach tape IOP For most tape input output adapter IOA replacements you have to change the cable or interposer that is used to connect the tape drive to the Small Computer System Interface SCSI It is possible to upgrade 5065 and 5066 towers to their PCI equivalents 5074 and 5079 respectively which gives an upgrade path from SPD and migration towers That is convert SPD hardware to the PCI equivalent install in 5065 5066 towers and then upgrade these towers as part of the main upgrade process 1 2 1 SPD features and their replacements Table 1 1 on page 8 lists the existing SPD features that you might have and their possible PCI replacements Chapter 1 Planning for upgrades to System i5 hardware 7 Table 1 1 SPD features and towers that must be replaced SPD Card description and properties Suggested f
58. no 12 Reply yes to the message and press Enter Follow the instructions when the following message is displayed on the screen Please remove the USB key and press Enter 122 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 13 In the next screen Figure 4 45 select a keyboard language US English 15 Germanfustrian UK English 16 German fustrian preeuro UK English preEuro 17 Swiss Gerran Banish 10 Itallan Banish preBuro 19 Italian preEuro Dutch 20 Norwegian Dutch preEuro Zi Portuguese Finnish 22 Portuguese preEuro Finnish preEuro 23 Spanish Freach 24 Spanish preEuro Canadian French 2 LA Spanish Belgiun French 26 Swedish Belgium French preEuro 27 Swedish preEuro Suiss French 1 3 4 5 6 2 8 F Select a keyboard language Figure 4 45 Keyboard language 14 When the connection status screen is displayed the update is complete 4 2 8 Backup recovery and availability considerations No backup tools are provided with the Thin Console The Linux image is a stable environment but if you ever find yourself in a situation where you have to recover a corrupted image the procedure is to flash the Thin Console with the image that is available for download from the Web Refer to 4 2 7 Maintenance on page 119 for more details Reloading the image implies a reset to factory settings meaning that your customizations are lost However because t
59. or altered and are required on the new system are saved 11 The target server is then synchronized with the source system This can be performed ina number of ways Installing only the changed objects saved with the save changed objects command Installing the client data libraries only Scratch installing from up to date source system saves Important Although scratch install is the safest way to ensure that all of the objects are synchronized it might take an excessive amount of time The side by side method allows for an intermediate stage where the target system is refreshed with the changed data to test the final upgrade method When using the save changed objects command the client must be sure that the testing process does not change data objects Otherwise data mismatches might occur Refer to Backup and Recovery V5R4 SC41 5304 08 for detailed procedures 12 Move the required hardware if any from the source system to the target system 13 Perform full system backups you require system saves in V5R4 for recovery 14 Go live Chapter 2 Migration examples 43 2 2 4 Model 720 to model 520 or 525 550 There is no supported upgrade path from model 720 to model 520 but in this case the source system can be upgraded to V5R3 Note that model 720 does not support 17 GB load source drives and therefore cannot have i5 OS V5R4 installed on the source system i5 OS V5R4 must be installed during an interm
60. port on a rack mounted system or the right hand garial port to a deskaide system BASE Hot Plug Capable Figure 1 6 i520 rear view The front view presents you with a standard SCSI bay for an internal tape drive There are two integrated development environment IDE drive bays for a DVD device The lower bay is IDE but it has a SCSI converter to allow connections to the i5 OS The second or upper bay can have a DVD device that is IDE connected In the control panel there is a USB and an Ethernet port Neither of these items is available for use by the partitions The controls for accessing the display messages and entering the options are very similar to the current 8xx operation panel There are eight disk drive bays arranged in two groups of four With the 5709 feature the bays P3D1 P3D4 can run with no protection or mirroring The 5709 feature is located behind the drill panel beneath the disk bays This adapter can have a 6574 feature added as a daughter card This enables these four disks to run RAID protection To include the other four disk bays a 6594 feature must be added This provides the disk bay back plane for bays P2D1 P2D4 The protection for these disks can be RAID or mirroring P3D1 is the first disk slot for an i5 OS load source device The configurator forces you to put a disk in the load source position but in a partitioned server there is no requirement for a load source disk in the CEC Chapt
61. processor that drives 2824 PCI IOA adapters Integrated fax adapter 2761 4761 2772 See note 10 2773 or 2805 2666 High speed communications 27452 47459 4745 supports up to two adapter multiple protocol communication ports 2699 and Two line WAN IOA 2745 4745 4745 supports up to two 9699 multiple protocol communication ports 2617 and Ethernet Institute of Electrical and 28387 4838 PCI 100 10 Mbps Ethernet IOA 6181 Electronics Engineers IEEE 802 3 adapter 2618 Fibre distributed data interface N A adapter 2619 2626 16 4 Mbps token ring adapter 4744 PCI 100 16 4 Mbps token ring and 6149 IOA 2665 Shielded twisted pair distributed N A data interface adapter 2663 and I O attachment processor wireless N A 2668 LAN adapter 2810 LAN WAN IOP 2843 9943 or PCI I O processor that drives 2824 PCI IOA adapters FSIOP Integrated PC server IPCS 2790 2791 or 27994 6616 6617 Integrated PC server 2790 2890 gt 700 MHz Integrated xSeries and 6618 2791 2891 850 MHz Integrated xSeries 2799 2899 gt 1 0 GHz Integrated xSeries 2792 28924 gt 1 6 GHz Integrated xSeries Chapter 1 Planning for upgrades to System i5 hardware 9 SPD Card description and properties Suggested Card description and feature replacement PCI properties code feature 8664 and Base shielded twisted pair N A 8665 distributed data interface adapter 1312 1322 gt One byte 1 03 GB disk unit gt 8 58 GB disk unit 10k 1325 1327 gt Two
62. publib boulder ibm com infocenter ese rver vlr3s index jsp Chapter 1 Planning for upgrades to System i5 hardware 29 Task Brief description Due date Where to find task owner additional information Task If using side by side is power available to run both the systems at the same time Task Have all the preparations for cooling and grounding been met Task Has the client considered contracting an IBM Installation Planning Representative ____ Task Have all the physical planning Refer to the iSeries check lists from the physical physical planning Web planning Web site been site at completed http publib boulder ibm com infocenter ese rver v1r3s index jsp Task Does the client understand that it is their responsibility to order install and assemble all the twinaxial coax telephone twisted pair Ethernet and IBM cabling system cables Task Have all the cables and Refer to the iSeries connectors been ordered and physical planning Web confirmed site at http publib boulder ibm com infocenter ese rver v1r3s index jsp Task Has the floor plan layout been completed Task Is there adequate storage space for manuals tools and cleaning kits Task Is the client aware that a relatively short power outage can cause a significantly long system outage Has a UPS been installed or ordered Has the physical planning and capacity planning for the UPS been done System management tasks Task Have the system
63. required software fixes software acceptance PTFs and others identified by the PSP 6 If you have nonconfigured disks a PTF that enables you to set the disk configuration option exists 7 Print a list of all the system values 8 Gather performance data 9 Ensure that the server has sufficient disk storage space 10 Ensure that the load source disk is 17 GB or larger on each partition 11 Ensure that IBM supplied product libraries are not in a user ASP 12 Ensure that there are no user created subdirectories in the QIBM ProdData CA400 Express path or the QIBM ProdData path 132 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 13 Delete the PTF cover letters in QGPL QAPZCOVER Preparing the server in the current release The following tasks are involved in preparing the server in the current release 1 Load and install the PTFs identified earlier 2 Permanently apply all of the PTFs 3 Change the system values QSYSLIBL and QUSRLIBL to remove any licensed program libraries or secondary language libraries Do not remove libraries QSYS QGPL QUSRSYS QTEMP or QSYS2 Change the system value QALWOBJRST to ALL Change the system value QVFYOBJRST to 3 Set the time zone data area Verify the system objects Ensure two phase commit integrity Oo ON DOO Ff If there are a lot of spool files on the system set the compress job tables IPL attribute to none To view enter
64. rver vir3s index jsp Chapter 1 Planning for upgrades to System i5 hardware 25 Task Brief description Due date Where to find task owner additional information Task Have the software and the any hee Validate with your local publications been ordered on IBM Software Order CD ROM organization Task Has the user based pricing been Validate with your local specified with the correct number IBM Software Order of users organization Hardware configuration tasks Task Was an IBM supplied configurator tool used for hardware and software configuration Task If LPARs are going to be used was the LVT used Task Will Linux or AIX partitions be installed Task With Linux or AIX will direct I O or virtual I O be used What tape will be used for the Linux AIX partition backup Task Does the configured system meet or exceed any capacity planning tool recommendations Task Are the number of DASD arms and DASD IOAs sufficient for the client s planned DASD protection Task Has the appropriate feature code for mirroring or RAID protection been ordered Task Will the quantity and speed of the tape devices be able to meet the client s backup window requirements Task Will all the products be delivered by the planned installation date Task Is there an established timetable for software and hardware setup and installation Task Has the appropriate amount of main storage memory been ordered 26 IBM eServer iSeries Migrati
65. service processor 91 197 SPD feature code 5072 8 1360 10 5073 8 1379 10 5074 12 1380 10 5079 12 2609 8 5082 8 2612 9 5083 8 2617 9 6050 8 2618 9 6112 11 2619 9 6141 8 2620 9 6146 11 2621 10 6149 9 2623 9 6153 9 2624 10 6180 8 2626 9 6181 9 2629 8 6325 10 2644 11 6368 10 2654 9 6380 10 2664 12 6385 10 2665 9 6390 10 2666 9 6425 10 2686 8 6485 10 2688 8 6490 10 2695 8 6501 12 2699 9 6502 11 2745 11 6512 11 2748 12 6513 11 2757 12 6517 11 2765 12 6518 11 2766 12 6519 11 2778 12 6532 11 2782 12 6533 11 2790 12 6534 11 2791 12 6605 10 2792 12 6606 10 2799 12 6607 10 2810 9 6616 9 2820 9 6617 9 2892 12 6618 9 2899 12 6650 10 3584 D22 139 6652 10 3584 D23 139 6713 10 3584 L22 139 6714 10 3584 L23 139 6717 12 3592 E05 139 6718 12 4317 12 6806 10 4318 12 6807 10 4482 12 6813 10 4483 12 6817 12 4582 12 6818 12 4583 12 6824 10 4745 11 6906 10 4748 12 6907 10 4778 12 8617 12 5044 8 8664 10 5052 8 8713 10 5055 8 8714 10 5057 8 8817 12 5058 8 9748 12 5065 12 9778 12 5066 12 SSH 90 198 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 sysplan file 2 system plan 2 3 T tape encryption 137 Thin Console 97 5250 emulation screen 98 customization settings 110 Tivoli Storage Manager 138 TS1120 137 139 TS3500 tape library 138 system 139 twinax console 90 U using EKM and TS1120 tape drive 138 W WebSM 90 Workload Estimator 3 Index 199 200 IBM eServer iSeri
66. the GO LICPGM command and select option 11 Install licensed programs 2 Select the required options Tip If the required option or program is not in the list go to the blank line at the top of the list and add the program identifier 3 Insert CDs as required Installing secondary languages if required To install the secondary languages perform the following tasks 1 Enter the command GO LICPGM and select option 21 Install secondary languages 2 Place the CD in the drive 134 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 3 Select the language you require Installing PTFs To install PTFs perform the following tasks ON DOA FP WN Insert the first Cumulative Package CD Enter the command GO PTF and select option 8 Insert the other CDs when prompted IPL PWRDWNSYS OPTION IMMED RESTART YES IPLSRC B I Wait for the INZSYS to complete Install the HIPER DATABSE and PTF groups that are relevant to your installation IPL PWRDWNSYS OPTION IMMED RESTART YES IPLSRC B Verify the correct installation of the PTFs by running the GO LICPGM command and selecting option 50 Preparing the system for normal use Follow these steps to prepare the system for normal use 1 Change the system values back to their original settings with the help of the printout you took earlier in particular reset QSYSLIBL QUSRLIBL QVFYOBJRST QALWOBJRST and QSTRUPPGM
67. the counter 65 21 11 A603500B You incremented the counter again 21 11 A603500C You invoked the action set the console mode to 03 vvvy 128 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 15 OS V5R4 software This chapter describes how to identify IBM software licensed programs that may impact an iSeries migration to a new IBM System i5 and System i5 hardware It also identifies the supported upgrade paths and interoperability with existing systems Copyright IBM Corp 2007 All rights reserved 129 5 1 i5 OS V5R4 software requirements and information This section deals with some of the i5 OS V5R4 specific considerations for upgrades to the new model 5xx hardware gt i5 O0S V5R4 requires a minimum of 128 MB of main storage in each partition with 256 MB in the primary partition Additional main storage higher than these values might be required for acceptable system performance gt i5 OS V5R4 requires that the load source disk in each OS 400 partition is 17 GB or larger gt i5 OS V5R 4 Licensed Internal Code LIC requires more storage space than the earlier releases All of the partitions with V5R3M0 or earlier installed require additional storage space that is reserved before the installation Important Failure to reserve additional space results in the upgrade stopping during the installation of the LIC gt Before upgrading to i5 OS V5R4 some program temporar
68. the system or partition as follows a Enter 7 Start a service tool Use Dedicated Service Tools DST Select one of the following FPOWAMOOAN OUBRWNRE PR BPR Bw Selection F3 Exit Perform an IPL Install the operating system Work with Licensed Internal Code Work with disk units Work with DST environment Select DST console mode Start a service tool Perform automatic installation of the operating system Work with save storage and restore storage Work with remote service support Work with system partitions Work with system security End batch restricted state F12 Cancel System Figure 3 35 b At the screen shown in Figure 3 36 enter 7 Operator panel functions The DST main screen Attention to data in this system Start a Service Tool System Incorrect use of this service tool can cause damage for assistance Select one of the following ONOURWNE Selection F3 Exit Display Alter Dump Licensed Internal Code log Trace Licensed Internal code Hardware service manager Main storage dump manager Product activity log Operator panel functions Performance data collector Fi2 Cancel Contact your service representative Figure 3 36 The Start a Service Tool screen Chapter 3 System i5 disk at i5 OS V5R4 81 82 c On the Operator Panel Functions screen Figure 3 37 press F10 to power off Operator Panel Functions System IPL s
69. this example we define a JCEKS keystore Valid tools to manage this are the ikKeyMan utility or the standard Java tool keytool refer to Installing the iKeyman utility on page 148 142 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Installing the IBM Java Runtime Environment for Windows Perform the following tasks 1 Load the correct CD from the IBM TotalStorage Productivity Center Limited Edition TCP LE LPP 5608 VC6 and select the JRE you want to install In this example we install JRE V5 0 SR2 Windows IA32 When the installation wizard opens click Next as shown in Figure 6 3 Welcome to the InstallShield Wizard for IBM 32 bit Runtime Environment for Java 2 5 0 The InstallShield Wizard will install IBM 32 bit Runtime Environment for Java 2 v5 0 on your computer To continue click Next Cancel Figure 6 3 JRE InstallShield Wizard 2 Accept the license agreement 3 The Choose Destination Location window Figure 6 4 is displayed You can change the destination folder if you want Make a note of the folder path because you require it to start the EKM server at a later step Click Next IBM 32 bit Runtime Environment for Java 2 5 0 InstallShield Wizard Choose Destination Location Select folder where setup will install files Setup will install IBM 32 bit Runtime Environment for Java 2 v5 0 in the following folder To install to this folder
70. to Disk Unit Data screen Figure 3 22 select the nonconfigured unit that you installed in step 3 on page 70 as the unit to copy to Select Copy to Disk Unit Data Disk being copied Serial Resource Unit ASP Number Type Model Name Status 1 1 68 OE1F75A 4326 050 DDOO2 Active 1 Select Serial Resource Option Number Type Model Name Status _ 68 0E35989 4327 050 DD004 Non configured 68 0E38897 4327 050 DDO03 Non configured F3 Exit F11 Display disk configuration status F12 Cancel Figure 3 22 The Select Copy to Disk Unit Data screen 15 This displays the Copy Disk Unit Data Status screen Figure 3 23 Copy Disk Unit Data Status The operation to copy a disk unit will be done in several phases The phases are listed here and the status will be indicated when known Phase Status Stop compression if needed Completed Prepare disk unit 4 Complete Start compression if needed Copy status Number of unreadable pages Figure 3 23 The Copy Disk Unit Data Status screen 16 Wait for copy to complete 17 Power off the system From the DST main screen Figure 3 17 on page 71 enter 7 Start a service tool Oron the Service tools screen enter 7 Operator panel functions 74 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 When you see the screen in Figure 3 24 press F10 to power off Operator Panel Functions System RCHASMO5 1 A
71. units each The process of selecting the RAID optimization strategy can be performed using the iSeries Navigator or the dedicated service tools DST Chapter 3 System i5 disk ati5 OS V5R4 57 Selecting the RAID optimization strategy using the iSeries Navigator Perform the following tasks to select the RAID optimization strategy using the iSeries Navigator 1 In iSeries Navigator expand Disk Units right click Parity Sets and select Change Optimization as shown in Figure 3 1 iSeries Navigator OK Fie Edit View Help tie xe SeHs Environment My Connections System Values 80 minutes old 9 5 17 170 Disk Units Description Sf History Log QAI Disk Units All disk units Time Management fi By Location Disk units organized by physical A Hardware Disk Pools Disk units organized by disk pool y Al Hardware Disk Pool Groups Disk pools organized by disk pool ES Parity Sets Disk units organized by parity set 4 Communications y Nonconfigured Disk Units Nonconfigured disk units System Adapters 43 LAN Resources workstation Resources Processor Information Sy Cryptography Resources Optical Units Disk Pool Groups 83 Pa Explore Open Create Shortcut Customize this Vi gt TaHardware tasks Add a connection gt Configuration gt availabilty Install additional co Graphical View Recovery and Maintenance D Graphical View p p
72. 00653 if you are already using the update images from MH00594 to update your HMC to VSR2 1 If you are currently at HMC V4R1 1 through HMC V5R1 0 you must use the Recovery media PTF MH00653 to upgrade your HMC to V5R2 1 After the upgrade the output from the Ishmc V command will show a base_version string of V5R2 1 HMC V5R2 1 contains fixes from MH00586 and MHO0610 Select another HMC Release gt gt gt gt POWERS code matrix i5 iSeries support UNIX servers support Microcode dovmloads for i5 iSeries p5 pSeries Sign up for email notification of HMC corrective service Obtaining the HMC 5 2 1 Recovery media The HMC Recovery DVD V5 R2 1 is a bootable image You can order DVD media from this page or download the DVD images in ISO format which you can then use to burn your own DVDs See the Installation instructions for procedures and downloads for installation over a network Download ISO images via Download Director Download ISO images individually Order recovery media Figure 4 3 HMC Recovery DVD download Chapter 4 System i5 consoles in i5 OS V5R4 95 Supported combinations of server firmware and HMC code Figure 4 4 shows the supported combinations of server firmware and HMC code Note The HMC machine code must be equal to or greater than the server firmware level The sequence in which you install fixes or updates is important Install the HMC updates before you
73. 06 Active F3 Exit F5 Refresh F11 Display non configured units F12 Cancel Figure 3 32 The Select Copy from Disk Unit screen Chapter 3 System i5 disk at i5 OS V5R4 79 c Select one of the new drives on the Select Copy to Disk Unit screen Figure 3 33 and note the serial number Select Copy to Disk Unit Data Disk being copied Serial Resource Unit ASP Number Type Model Name Status 1 1 75 OCF43A4 6717 050 DD006 Active 1 Select Serial Resource Option Number Type Model Name Status d 68 0C82161 6718 050 DD004 Non configured 68 0C231E9 6718 050 DDOOS Non configured F3 Exit F11 Display disk configuration status F12 Cancel Figure 3 33 The Select Copy to Disk Unit Data screen d Press F10 to accept the warning Other disk unit will become missing e Press Enter to confirm the copy The Copy Disk Unit Data Status screen Figure 3 34 appears Copy Disk Unit Data Status The operation to copy a disk unit will be done in several phases The phases are listed here and the status will be indicated when Known Phase Status Stop compression if needed Completed Prepare disk unit Start compression if needed Copy status 3 Complete Number of unreadable pages Figure 3 34 The Copy Disk Unit Data Status screen 80 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 8 Return to the DST main screen Figure 3 35 and power down
74. 130 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 5 1 2 Required software i5 OS V5R4 or V5R3M5 is a prerequisite on all partitions for the new System i5 hardware Install the latest cumulative PFT package HIPER PTFs and any hardware specific PTFs for your installation on all of the partitions Enter the command SNDPTFORD PTFID SF99540 DLVY ANY to order the latest cumulative PTF package This package must have the latest group HIPER PTFs and database PTFs delivered with it 5 1 3 AS 400 models not supported in i5 OS V5R4 Older AS 400 models are not supported in i5 OS V5R4 gt AS 400 models 4xx and 5xx are only supported up to OS 400 V5R1 gt AS 400 models 150 6xx Sxx and SB1 are only supported up to OS 400 V5R2 gt iSeries models 170 and 7xx are only supported up to i5 OS V5R3 Tip Clients with these models must perform data migration to new 5xx models rather than following the upgrade path It is preferable for clients to upgrade to the latest supported level on the hardware for interoperability If this is not possible due to hardware insufficient memory or time constraints for example data migration can be performed from the current release i5 OS V5R4 is the last release that will support models 270 820 830 840 SB2 and SB3 5 1 4 License agreements In i5 OS V5R3 V5R3M5 and V5R4 software license agreements must be accepted before certain products can be installed It
75. 5 it is therefore often necessary to migrate the load source data from a small drive to a larger drive When moving to System i5 hardware this stage of the upgrade usually takes place on the old preupgrade system but may take place on the new postupgrade system if both drives are supported The load source migration is not a part of the upgrade and as such is a chargeable service performed by an IBM customer engineer CE or IBM Business Partner Usual system upgrade task sequence This is the sequence of events in a usual system upgrade task 1 Migrate the Load Source 2 Upgrade the operating system and install the program temporary fix PTF 3 Upgrade the system hardware 4 Perform disk and I O reconfiguration This sequence might have to be altered if hardware that not being supported in the release is in use For example the operating system might have to be upgraded and PTFs applied before load source migration because the new load source disk might not be supported in the current release If moving from 8xx hardware your new load source drive might be larger than is supported on your current system In such a situation you must either perform the upgrade as an unload reload or upgrade the load source to a 17 GB drive on your current system then perform another load source upgrade on your target upgraded system to the larger drive 3 5 1 Considerations for load source migration Keep the following issues in m
76. 7 4 2 3 Thin Console 5250 emulation screen 0 00 cee 98 4 2 4 Neoware Connection Manager 0 0 ccc eee tenes 101 4 2 5 Physical installation and cabling 0 0 00 et eee 102 4 2 6 Customization settings 00 0 cee 110 42 7 Maintenance nad iaren gus Se Malden od ce Nafta ee Wee Peta tenons 119 4 2 8 Backup recovery and availability considerations 000000 123 42 9 Troubles hoon ic sean ete E a cue ag a She plete neh Ge Ree Ge o Reig tees 124 4 3 Console card locations 1 2 2 0 0 tees 126 4 3 1 Designated slots for models 5xx V5R3 0 000 eee 126 4 3 2 i5 OS V5R3M5 and V5R4 new Smart IOA plus models 127 4 4 Changing the console type 0 c cette ee 127 4 4 1 Using the console service functions 65421 0 eee eee 128 Chapter 5 i5 OS V5R4 software 0 0 00 ee 129 5 1 i5 OS V5R4 software requirements and information 2 000020005 130 5 1 1 i5 OS V5R4 informational authorized program analysis report and PSPs 130 5 1 2 Required software 2 2 0 elek a EE tees 131 5 1 3 AS 400 models not supported in i5 OS V5R4 0 0 00 cee 131 5 1 4 License agreements 0 tees 131 5 2 i5 OS V5R4 software upgrade paths 0 00 ee 131 5 3 Interoperability with the existing systems 0 e eee 132 5 4 i5 OS V5R4 software upgrade 0 0 cette 132 Chapter 6 Tape data encryption in i5 OS
77. 89BA7 4328 x x 21 89C7A 4328 x x 21 89C42 4328 x See help for more information Model 070 078 001 078 078 070 001 099 099 099 099 F9 Display disk unit details Resource Name DD023 DD025 DCO1 DDO17 DDO19 DDO18 DCcO1 DDO33 DDO21 DDO20 DDO32 Fi2 Cancel Status Active Active RAID 5 Active Active Active RAID 6 Availability Active Active Active Active Bottom Figure 3 7 Display device parity information screen Chapter 3 System i5 disk at i5 OS V5R4 63 3 4 3 Migrating to RAID 6 from unprotected disk with iSeries Navigator To migrate to RAID 6 from unprotected disk with iSeries Navigator follow these steps 1 In iSeries Navigator expand Disk Units right click Parity Sets and select Start parity iSeries Navigator m Fie Edit View Help e xe r 8 Environment My Connections 1 mir 9 5 17 170 Parity Sets fi My Connections fl 10 10 10 4 ff 9 36 188 17 fl 9 36 189 77 f 9 5 17 170 Basic Operations Sf History Log d Hardware Disk Units Non Tape De Software Fixes Invent amp Colection Se Logical Parti f Network FImy Tasks 9 5 17 170 B Add a connection Management Central 9 36 188 17 6 Work Management B Configuration and Service ij System Values Time Management amp All Hardware 4 Communications System Adapters 43 LAN Resources Workstation Resources Proces
78. 92 2892 replacement Integrated xSeries Server can only reside in 5074 5075 or 5079 towers 270 or 8xx systems Some Integrated xSeries Servers are model dependant The new Enterprise Edition Servers ship with an Integrated IBM eServer zSeries including 9792 There are also Windows considerations to be met when upgrading an Integrated PC Server 5 All 1 03 GB 1 96 GB and 4 19 GB disks are not supported in any 270 8xx servers or 5065 5066 5074 5079 5075 or 5094 5294 5095 towers 6 1 2 GB and 2 5 GB inch cartridges can be read write on 4482 4582 4 GB 14 inch cartridge tape units 7 13 GB 14 inch cartridge can be read write on a 4483 4583 16 GB 14 inch cartridge tape unit 8 Internal 8 mm cartridge tape units are no longer supported on 270 or 8xx systems The alternative is to use an external 7208 tape device 9 FC2748 4748 9748 are supported by V4R5 V5R1 FC2778 4778 9778 are supported by V5R1 and V5R2 FC2757 and 2782 are supported by V5R2 February 2003 level 10 There are numerous fax options for PCI alternatives to the SPD 2664 Integrated FAX Adapter Refer to the system handbook for alternatives 11 If the 6501 is being used to attach to an external tape disk device it is common for this adapter to be replaced with a 2765 Fibre Channel Tape Adapter or a 2766 Fibre Channel Disk Adapter 1 2 2 SPD features that can be converted to PCI Table 1 2 shows the SPD features disks and towers that can be converted to PCI Note
79. AD Mount History csv a Manage Ports a Manage Access m ReKey Encryption j Go G service Library _ Select Action x Select Move al a Element Address Type __ a Location a Encryption Remo ry F Frame C Column R Row Switch to Original Navigation 3592 Slot F3 C1 R13 Encrypted 3592 Slot F3 C1 R30 Encrypted 3592 Slot F3 C1 R29 Encrypted J1R803JA JAG2e 1034 3592 Slot F3 C1 R31 Encrypted J1R804JA JAG2e 1037 3592 Slot F3 C1 R25 Encrypted JJX004JJ JAG2e 1039 3592 Slot F3 C5 R38 Not Encrypted oO JJX030JJ JAG2e 1038 3592 Slot F3 C5 R39 Encrypted JJX031JJ JAG2e 1030 3592 Slot F3 C5 R40 Encrypted JJX032JJ JAG2e 1031 3592 Slot F3 C6 R2 Encrypted JJX033JJ JAG2e 1032 3592 Slot F3 C6 R1 Encrypted v JJX034JJ JAG2e 258 3592 Drive F3 R8 Encrypted as lone o aae Figure 6 83 Selecting ReKey Encryption 3 The Rekey Encryption window opens Enter the key modes and labels you want to use to rekey the cartridge and click Apply Figure 6 84 on page 194 Chapter 6 Tape data encryption in i5 OS V5R4 193 Rekey Encryption Modify Scratch Cartridges to Encrypt in Library Managed Drives Volume Serial Key Mode 1 Key Label 1 previously selected key labels Keyl OSS previously selected key labels Cancel Figure 6 84 Rekey Encryption window 194 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Related publications The publication
80. AID Level 60 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Selecting RAID optimization strategy using the dedicated service tools Perform the following tasks to select the RAID optimization strategy using the DST 1 Inthe DST main menu select Work with Disk Units 2 Select Work with Disk Configuration 3 Select Work with device parity protection 4 The screen in Figure 3 4 appears Enter 7 for Select parity optimization Work with Device Parity Protection Select one of the following 1 Display device parity status 2 Start device parity protection RAID 5 3 Stop device parity protection 4 Include unit in device parity protection 5 Exclude unit from device parity protection 6 Start device parity protection RAID 6 7 Select parity optimization Selection F3 Exit F12 Cancel Figure 3 4 Changing RAID optimization using DST Chapter 3 System i5 disk at i5 OS V5R4 61 5 In the Select Parity Optimization screen Figure 3 5 select the required type of optimization and press Enter Select Parity Optimization Select how you want the parity set optimized The current parity optimization is Balanced Type choice press Enter Select parity optimization Availability Balance Capacity e UNEP Performance Selection F3 Exit F12 Cancel Figure 3 5 Selecting parity optimization If the required optimization cannot be performed
81. B IP 192 168 3 1 Gateway 192 168 3 1 Subnet 255 255 255 0 Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State FFFF Server state is unknown Reference code Connection status 10 00 of 100 Searching for server at Ethernet port HMC1 or HMC2 F Reset search for server 1 localhost d 1 1 Figure 4 6 Thin console connection status screen Under Server Information the State field indicates the power and runtime states as they are detected by the Thin Console The State field contains a numeric status code and a description Table 4 1 lists the codes and their meanings Table 4 1 Server information state codes CEC_PHYP_FUNCTIONAL FIRMWARE READY Chapter 4 System i5 consoles in i5 OS V5R4 99 OxFFFF CEC_RUN_STATE_UNKNOWN UNKNOWN Under Connection Status the server connection status code indicates the progress of the connection between the Thin Console and the server It is a four digit code XX YY where XX is the major connection status 00 99 and YY is the minor connection status 00 99 Table 4 2 lists the status codes and their description During a successful connection these codes must progress from 0 to 100 Table 4 2 Server connection status codes code co No_cowvecTion SEARGHNG FOR SERVE PROCESSOR _ PASS_DATA_THROUGH The user should see the i5 OS 5250 data stream when at this state p80 HWS_IS_ ECHOING IP COMMUNICATION ACTIVE
82. Centre His areas of expertise include iSeries hardware migration LPAR configuration disaster recovery communications and networking He is a certified iSeries Technical Expert Cisco Certified Network Associate CCNA Cisco Certified Design Associate CCDA and Microsoft Certified Systems Engineer MCSE You can contact him at MBTechnology BTClick com Caroline Verellen is a Backup Continuity and Recovery Specialist working for IBM Global Services in Belgium and the Benelux area She has spent five years at System i5 software support specializing in System Backup Recovery and three years at IBM Backup Continuity and Recovery Services as System Engineer i5 where Caroline consults with System i5 customers on disaster recovery plans and recovery procedures managed and housed high availability systems and upgrading hardware software HW SW in a Business Continuity and Recovery Services BC amp RS environment You can contact her at Caroline_Verellen be ibm com Copyright IBM Corp 2007 All rights reserved ix Thanks to the following people for their contributions to this project Sue Baker Pat Cawley Joe Gibbons Duane Grosz Mike Konkel Scott Maxson Mark Olson Brian Podrow Barb Smith Tracy Smith Allyn Walsh Geoff Warren Larry Youngren IBM Rochester John Morganti IBM Austin Carla Ruhl Thai Tran IBM Tucson Tom Benjamin John Peck IBM Endicott Become a published author Join us for a two week to six week resi
83. D types It is possible to mix RAID 5 and RAID 6 protection schemes on the same system even on the same disk IOA For example an IOA with 12 4327 drives and three 4328 drives connected when deciding on the option of starting RAID 6 will start one RAID 6 RAIDset of 12 drives each with parity stripes and therefore having 10 12ths capacity and one RAID 5 RAIDset of three drives Three drives are insufficient to start a RAID 6 RAIDset a minimum of four drives are required For operational simplicity systems should not mix RAID types This requirement might necessitate moving disks or buying additional hardware Auxiliary storage pools User ASPs are designated collections of disks and are used as a method to separate data into defined areas of storage Disks are placed in auxiliary storage pools ASPs during disk configuration If disk failures occur within a user ASP that the chosen method of disk protection cannot handle the user ASP becomes unavailable to the system In the case of the system ASP ASP1 this results in system outage If a user ASP any ASP not ASP1 becomes unavailable some applications continue to function if their required programs and data are not in that ASP User ASPs can be used for separating different applications or for performance reasons For example journal receivers can be placed in a user ASP so that database writes are not in contention with journal writes on the same disk It is advantageous
84. Dark grey background IBM Light grey background IBM Light background IBM Light blue background Menu Bar Assist Program Blue text Turquoise text Green text White text Entry Area Pink text Yellow text ned text SEES Status Line Save Delete Apply Changes To Session Exit Help Delete apply changes To Session Exit Choose Apply to have colors take effect in session Figure 4 38 5250 session Save color scheme 5 Save the color scheme as the default for all your sessions as shown in Figure 4 39 IBM 5250 Console A Color Mapping x Pertinent o e Select the color mapping function EE Advanced Choose a color scheme ser NewColours Black background IBM Dark grey background IBM Light grey backgrou IBM Light background IBM Light blue backgrour O Color Mapping x Choose a save option Save as a default for all your sessions w Save for this session only Menu Bar Turquoise text White text Yellow text Red text EE Status Line Save Delete Apply Changes To Session Exit Help Choose Apply to have colors take effect in session Button Figure 4 39 5250 session Save option Chapter 4 System i5 consoles in i5 OS V5R4 117 6 When you exit the window you will be asked whether to apply the changes you just made to the current session Select Apply changes to this session before
85. Data Status screen Figure 3 41 Replace Disk Unit Data Status The operation to replace a disk unit from the selected disk units will be done in several phases The phases are listed here and the status will be indicated when known Phase Status Stop compression if needed Completed Prepare disk unit 0 Complete Start compression if needed Replace status Number of unreadable pages Wait for next display or press F16 for DST main menu Figure 3 41 The Replace Disk Unit Data Status screen 84 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 15 Check the configuration by performing the following tasks a From the DST main menu select the option for Work with Disk Units Select the option for Work with Disk Unit Configuration b c Select the option for Display Disk Unit Status d In the Display Disk Configuration Status screen shown in Figure 3 42 check whether the load source unit 1 is one of the new larger disks you require Serial ASP Unit Number 68 0C82161 68 0C231E9 75 O0D7B2A2 75 OD7EDB4 NNR F Press Enter to continue Type 6718 6718 6718 6718 F3 Exit F5 Refresh F11 Disk configuration capacity Model 050 050 050 050 Display Disk Configuration Status Resource Name DDOO4 DD005 DD003 DD002 F9 Display disk unit details F12 Cancel Status Mirrored Active Resuming Active Active
86. FM Stopped Datalink File Manager Basic Operations amp Work Management B Configuration and Service Z dTi Network fo Virtual Private Networking Started VPN Connection Manager 7 3 fa CIMOM Stopped CIM Object Manager F TCP IP Configuration AE CC Stopped ecc m f Remote Access Services fag ASFTomcat Started ASFTomcat Basic Serviet and JSP Engine for Servers Triggered Cache Manager fe TCP IP FIP FB iSeries Access LPD z DNS POP amp User Defined 25 f ADD TELNET Server OOO O Enterprise Identity Mapping Internet R Intearated Server Administration catha F Imy Tasks 192 168 4 1 OSEKE Stop Instance gt Add a connection W Configure s pbs a Configure system as Directory server Install additional components ical Configure ii Server Jobs irver Fa Administer dir ectory server D Configure s O Help for related tasks Properties Figure 6 38 Starting HTTP Administration server 4 In a Web browser go to http IP address 2001 166 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 5 The i5 OS Tasks window is shown Select Digital Certificate Manager Figure 6 39 i5 OS Tasks Mozilla Jokes p File Edit View Go Bookmarks Tools Window Help e e 3 j Reload z Ah Home W Bookmarks BluePages L HR Web Belgium Luxe L Belgium Luxembourg in L IBM amp http 192 168 4 1 2001 i5 OS Tasks C IBM Corporation 2000
87. FS path name of the file in which you pasted the signed certificate data and click Continue as shown in Figure 6 55 Selecta Certificate Store Expand All Collapse All wFast Path Work with server and client certificates Work with CA certificates Work with user certificates Work with certificate requests Work with CRL locations u Create Certificate m Create New Certificate Store m Install Local CA Certificate on Your PC Manage Certificates gt Manage Certificate Store gt Manage CRL Locations Manage LDAP Location s m gt Manage PKIX Request Location Y Digital Certificate Manager Import Server or Client Certificate Certificate type Server or client Certificate store EKM KEYSTORE_IKDB Specify the fully qualified path and file name of the certificate that you want to import Example path and file name MYDIRECTORY MYFILE EXT Import file EKM EKM KDB Continue Cancel Figure 6 55 Importing the file Chapter 6 Tape data encryption in i5 OS V5R4 175 3 Enter the password for the keystore from which you want to import the keys and specify the key label Click Continue Figure 6 56 Digital Certificate Manager 7 Import Server or Client Certificate Certificate type Server or client Certificate store EKM KEYSTORE_I KDB Selecta Certificate Store Expand All Collapse All Enter the encryption password for the file th
88. Figure 3 42 The Display Disk Configuration Status screen 16 Perform an IPL on the system 3 5 4 Load source migration RAID system These scenarios are available for load source to migrate on a RAID protected system gt No spare disk slots anywhere in the system gt Sufficient spare disk slots to start a new RAIDset with the new drives gt Insufficient spare disk slots to start a new RAIDset with the new drives Load source migrate RAID system No spare disk slots in the system If no spare disk slots are available in the system perform the following tasks Switch off RAID Restart RAID OaRWN Perform a full system save Perform an IPL to the DST Perform an IPL on the system Follow the basic procedure for nonprotected systems Load source migrate RAID system Spare disk slots available Check the number of RAIDsets under the load source IOA If more than one it means that one or more RAIDsets can be physically moved to another IOA but the RAIDset must be kept together as a set under the new IOA Chapter 3 System i5 disk ati5 OS V5R4 85 Follow these steps 1 Perform a full system save 2 Power down the system 3 Move the nonload source disk RAIDset to another IOA Ensure that you move all of the disks in the RAIDset and only the disks in that RAIDset Install the new disks in the vacated slots Start RAID on the new disks Perform disk copy from the load source disk to one of the new
89. File Independent FTP US English Byte Size 957 Date 9 1 2006 Figure 6 12 EKM downloads 2 Place the KeyManagerConfig properties file into a directory of your choice 3 Place the IBMkeyManagementServer jar file into the directory C Program Files IBM Java50 jre lib ext Chapter 6 Tape data encryption in i5 OS V5R4 147 Installing the iKeyman utility The iKeyman utility is part of the JRE you installed You can start it from a DOS prompt Figure 6 13 by entering the following command cd C Program Files IBM Java50 jre bin java com ibm ikeyman Ikeyman amp N gt ed C Program Files IBM Java5 jre bin Program Files IBM JavaS5 jre bin gt java com ibm gsk ikeyman Ike yman amp Figure 6 13 Start iKeyman utility For more details about the utility download the BM Global Security Kit Secure Sockets Layer Introduction and ikKeyman User s Guide at http download boulder ibm com ibmd1 pub software dw jdk security 50 GSK7c_SSL_IK M_ Guide pdf The standard Java tool keytool can also be used Visit the Sun Java Web site for details about keytool usage 6 1 6 Creating a keystore To create a keystore for the encryption keys to be used by the iKeyman utility perform the following tasks Note In ikKeyman a keystore is called key database and a key is called certificate 1 After entering the java command to start the iKeyman utility the IBM Key Management window Figure 6 14 is displayed To c
90. Guide to Upgrades and Migrations to IBM System i5 3 Switch off the RAID protection 4 Remove one 8 58 GB drive from the configuration Physically remove this drive from the system move the load source drive to this drive s position and place a new 35 16 GB drive into the load source position 5 Perform a D type IPL and install SLIC System Licensed Internal Code in the new load source drive 6 Perform the load source migrate procedure to migrate from the old load source drive to the new 35 16 GB drive The old load source drive now becomes nonconfigured At this point you have one 35 GB drive and 16 8 GB drives configured and one 8 GB drive nonconfigured 7 IPL the system to a restricted state to ensure that storage management recovery is completed 8 IPL to DST 9 Remove six 8 58 GB drives from the configuration Physically remove the seven nonconfigured drives from the system and replace with seven 35 16 GB drives Tip In this case the ASP threshold limit will have to be increased to allow this action defaults to 95 10 Initialize and format the new drives 11 Add the new drives to the system ASP 12 Start the RAID protection 13 Remove the 10 remaining 8 58 GB drives from the configuration 14 Physically remove the old drives leaving only eight new drives 15 Perform an IPL When working out a strategy for this type of data migration it is necessary to draw up a table similar to Table 2 2 This ensure
91. H00586 and MHO0610 Download multiple files via Download Director Download multiple ZIP or ISO image files simultaneously by choosing an option from the drop down menu on the following selection box Select a package to download e The View links in the individual downloads table provide important information used to verify corrective Figure 4 2 HMC corrective service downloads gt Recovery media download Figure 4 3 on page 95 https www14 software ibm com webapp set2 sas f hmc power5 download v521 Recov ery html The HMC Recovery DVD which is used to update your code to a new release is a bootable image and contains the HMC Base Code If you have to scratch install the HMC machine code you require the recovery DVD for the release installed on the HMC Before you start an upgrade ensure that you have performed the following tasks Back up the managed system s profile data 94 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Back up the critical console information this enables you to go back to the previous level of machine code in case something goes wrong when upgrading Record HMC configuration information schedule operations and remote command status Save the upgrade data Upgrade data enables you to restore the HMC configuration after the upgrade The upgrade data is stored in a designated disk partition on the HMC Only one version of the upgrad
92. IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Understand the considerations for upgrades to IBM System i5 in i5 0S V5R4 Learn how TS1120 hardware based tape encryption works with i5 0S Review Thin Console support for low end System i5 without an HMC Nick Harris Michael Bird Caroline Verellen Redbooks ibm com redbooks International Technical Support Organization IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 August 2007 SG24 7200 01 Note Before using this information and the product it supports read the information in Notices on page vii Second Edition August 2007 This edition applies to Version 5 Release 4 Modification 0 of i5 OS Copyright International Business Machines Corporation 2005 2007 All rights reserved Note to U S Government Users Restricted Rights Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp Contents Notices 30 55 aj feiss Male eee ee eg a ie es Be A A vii TADOIMALKS 3 i Pk A ak RAN an AER IR Rik ide Si AL ARE de hd Jd Reseed viii Preface oak f cd oer a need we Sede eed nace a hile ae R a ix The team that wrote this IBM Redbook 0 000 e eee tees ix Become a published author 1 0 2 0 ee ete x Comments welcome 00 cece tenet Xx Chapter 1 Planning for upgrades to System i5 hardware 0 1 1 1 Planning
93. II devices 2605 Integrated Services Digital Network 27452 47459 ISDN basic rate adapter Electronic Industries Association 2745 4745 EIA 232 V 24 two line adapter Card description and properties PCI expansion tower PCI expansion tower PCI expansion tower PCI expansion tower PCI expansion tower PCI I O processor that drives PCI IOA adapters The twinaxial workstation IOA provides support for up to 40 active twinaxial displays and printer addresses 4745 supports up to two multiple protocol communications ports 4745 supports up to two multiple protocol communications ports 8 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 SPD Card description and properties Suggested Card description and feature replacement PCI properties code feature 2610 2656 X 21 two line adapter 2745 4745 4745 supports up to two and 2659 multiple protocol communications ports 2612 2654 EIA 232 V 24 two line adapter 2745 4745 4745 supports up to two 2655 2657 multiple protocol communication and 2658 ports 2613 6153 V 35 one line adapter 2745 4745 4745 supports up to two and 6173 multiple protocol communication ports X 21 one line adapter 2745 4745 4745 supports up to two multiple protocol communication ports 2620 and Cryptographic processor 4801 PCI cryptographic coprocessor 2820 2623 Six line communication controller 2843 9943 or PCI I O
94. Identifier Current Total Figure 4 26 Power on IPL steps Chapter 4 System i5 consoles in i5 OS V5R4 109 4 2 6 Customization settings From the 5250 session select Ctrl Alt End to go to the ezConnect Neoware Connection Manager window Figure 4 27 This GUI enables you to change some of the settings of your Thin Console This section describes the menu options ezConnect Neoware Connection Manager Connection Settings Help Bonnet End Edit Delete Copy BEA TEE a TE Se ee Ready a Figure 4 27 Neoware Connection Manager Connection menu Figure 4 28 shows the options that are available from the Connection menu The Session option enables you to restart the 5250 console connection If you change any of the connection settings you have to restart the connection for the changes to take effect ezConnect Neoware Connection Manager Connection Settings Help Connect Edit Delete apy End Add Edit Delete IBM active WEIPIe Copy Eta Close All Connections Restart Figure 4 28 Neoware Connection Manager Connection menu Settings menu Appliance properties The Appliance properties option Figure 4 29 on page 111 from the Settings menu enables you to customize some of the Thin Console properties The options from Network to Desktop 110 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 within a red frame in Figure 4 29
95. ORE_ILKDB Certificate label keylabel_selfsigned_1 EA Figure 6 61 Certificate is created Chapter 6 Tape data encryption in i5 OS V5R4 179 6 6 Configuring Encryption Key Manager Now define to the EKM server where the keys and the information on the tape drives are stored The KeyManagerConfig properties file is only a sample configuration Adapt it to point the EKM server to the keystore you created and the drive table file 6 6 1 Editing the properties file Perform the following tasks to edit the properties file 1 From an i5 OS command line type the WRKLNK command and go down to the KeyManagerConfig properties file Type 2 to edit the file as shown in Figure 6 62 Work with Object Links Directory EKM Type options press Enter 2 Edit 3 Copy 4 Remove 5 Display 7 Rename 8 Display attributes 11 Change current directory Opt Object link Type Attribute Text a keystore_i kdb STMF az keystore_i RDB STMF a EKM KDB STMF E EKM RDB STMF 2 KeyManagerConfig p gt STMF Bottom Parameters or command F3 Exit F4 Prompt F5 Refresh F9 Retrieve F12 Cancel F17 Position to F22 Display entire field F23 More options Figure 6 62 Edit properties file 2 Figure 6 63 on page 181 shows the sample configuration file with the default values Change some of the values and add some Strictly respect the syntax and do not leave any trailing blanks Do not use in p
96. Perform an IPL Install the operating system Select DST console mode Start a service tool Perform automatic installation of the operating system Use Dedicated Service Tools DST System following Licensed Internal Code disk units DST environment save storage and restore storage remote service support system partitions system security restricted state Figure 3 27 The DST main menu d On the Work with Disk Units screen Figure 3 28 enter 2 Work with disk unit recovery Select one of the following 1 Work with disk configuration 2 Work with disk unit recovery Work with Disk Units Figure 3 28 The Work with Disk Units screen Chapter 3 System i5 disk at i5 OS V5R4 77 e On the Work with Disk Unit Recovery screen Figure 3 29 enter 7 Suspend mirrored protection Work with Disk Unit Recovery Select one of the following 1 Save disk unit data 2 Restore disk unit data 3 Replace configured unit 4 Assign missing unit 5 Recover configuration 6 Disk unit problem recovery procedures 7 Suspend mirrored protection 8 Resume mirrored protection 9 Copy disk unit data 10 Delete disk unit data 11 Upgrade load source utility 12 Rebuild disk unit data 13 Reclaim IOP cache storage More Selection F3 Exit Fi1i Display disk configuration status F12 Cancel Figure 3 29 The Work with Disk Unit Recovery screen f Atthe Suspend Mirrored Protection screen Figure 3 30
97. R4 145 Bg developerWorks Java technology Security Mozilla m l x 8 Verify the installation and version of the JRE by entering the following commands in a DOS prompt Figure 6 9 cd C Program Files IBM Java50 jre bin java version Command Prompt Mm x A Program Files IBM Java5 jre bin gt java version java version 1 5 6 avaCIM gt 2 Runtime Environment Standard Edition Cbuild pwi32dev 26666511 lt sk2 gt gt IBM J UM Cbhuild 2 3 J2RE 1 5 6 IBM J 2 3 Windows Server 2003 x86 32 j umwi322 20060504 lt JIT enabled 9UM 20060501_06428_1HASMR IT 26666428_1866_r8 di 20066561_AA gt Figure 6 9 Check version command prompt Installing the unrestricted policy files Perform the following tasks 1 Go to the following Web site scroll down to the Java Cryptography Extension JCE topic Figure 6 10 and click IBM SDK Policy files http www ibm com developerworks java jdk security 50 File Edit View Go Bookmarks Tools Window Help 2 2 93 Back s f http www 128 ibm com developerworks java jdk security 50 i search S Forward Reload Print Ak Home WbBookmarks BluePages HR Web Belgium Luxe 4 Belgium Luxembourg in 4 IBM Systems Informati 4 Kaart Windows 32 bit code samples HelloWorld tar Windows 32 bit Javadoc HTML documentation e Windows 64 bit code samples HelloWorld tar Windows 64 bit Javadoc HTML documentation Java
98. Retum to i5 OS Tasks Figure 6 53 Certificate Request Created window The CA returns a signed certificate to you Store the file on System i5 in the IFS 174 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 5 3 Importing a key into the keystore To import a key into the keystore perform the following tasks 1 Import the signed certificate into your keystore You can use this method to import keys from another keystore Click Work with server and client certificates verify that the Certificate store is correct and click Import as shown in Figure 6 54 Selecta Certificate Store Digital Certificate Manager Work with Server and Client Certificates Certificate type Server or client Certificate store EKM KEYSTORE_ILKDB ice No certificates found for this certificate store Expand All Collapse All wEast Path Work with server and client import Create Cancel certificates m Work with CA certificates m Work with user certificates m Work with certificate requests m Work with CRL locations m Create Certificate m Create New Certificate Store Install Local CA Certificate on Your PC gt Manage Certificates P Manage Certificate Store gt Manage CRL Locations a Manage LDAP Location u Manage PKIX Request Location gt x iiy Figure 6 54 Importing the signed certificate 2 Enter the complete I
99. S124671 for 5722JV1 For i5 OS V5R4 install S124672 for 5722JV1 and then copy the unrestricted policy files from qibm proddata java400 jdk15 lib security to QOpenSys QIBM ProdData JavaVM jdk50 32bit jre lib security 6 4 3 Installing the Encryption Key Manager jar and sample configuration file For i5 OS V5R3 install PTF S125093 for 5722SS1 This PTF installs the EKM code the default configuration properties file and the script file For i5 OS V5R4 perform the following tasks 1 Install PTF S125094 for 5722SS1 This PTF installs the default configuration properties file and the script file 2 If J2SE V5 0 SR2 is installed PTF S124375 download the IBMKeyManagementServer jar file from the IBM TotalStorage site refer to the TS1120 topic Go to http www ibm com servers storage support tape ts1120 downloading html Click Downloadable files On the page that is displayed select IBM Encryption Key Manager component for the Java Platform Scroll down to find the file as shown in Figure 6 37 and place it in the QOpenSys QIBM ProdData JavaVM jdk50 32bit jre lib ext directory DESCRIPTION DOCUMENTATION Download Options Platform Multi Intro Planning amp User s IBM EKM Application Platform Version Guide Ver 08232006 Independent FTP US English Byte Size 268588 Date 9 1 2006 Platform Multi Intro Planning amp User s IBM EKM Sample Platform Version Guide Configuration File Independent FTP US English Byte
100. SNMP System Data Key Manager Addresses O service Library Switch to Original Navigation Figure 6 72 Verifying key manager connection 7 If the connection succeeds a confirmation window is displayed Figure 6 73 Success Microsoft Internet Explorer CIE Key Manager Test The following frames successfully pinged requested address Frame 2 Close Wy Localintranet Figure 6 73 Verification of key manager connection successful Chapter 6 Tape data encryption in i5 OS V5R4 187 6 7 2 Enabling your tape drive for encryption Perform the following tasks 1 In the left panel select Manage Library gt By Logical Library This lists the logical libraries that have been defined in theTS3500 tape library The last column shows encryption methods in use Figure 6 74 IBM System Storage TS3500 Tape Library Work Items Manage Logical Libraries H Welcome Page Q E Refresh _ Last Refresh 8 31 2006 20 25 57 a Manage Drives Manage Library by Frame by Logical Library Accessor Disable ALMS Virtual 10 Date and Time 6 Character Volser Reportin a Total Logical Libraries 5 Manage Ports Gi manage Access Rename Go Gi service Library Logi Dri Cartrid VIO Slot j ogical rives artridges lots Encryption Select 5 Exports S Library YP Dedicated Shared Assigned Max A
101. Store Expand All Collapse All vFast Path Local Certificate Authority CA z GE ee VeriSign or other Intenet Certificate Authority CA Work with CA certificates PKIX Certificate Authority CA Work with user certificates Work with certificate requests Wot sith BL acon m Create Certificate Select the type of Certificate Authority CA that will sign this certificate Create New Certificate Store Install Local CA Certificate on Figure 6 59 Selecting Local Certificate Authority 5 The Create Certificate window is displayed Select a key size of 1024 and a certificate label and complete the required fields as shown in Figure 6 60 Click Continue ja ae m Digital Certificate Manager IEM Key size 1024 bits A Certificate label keylabel_selfsigned_1 required Certificate Information Common name EKMCertificate required Collapse Al 1 Organization unit vFast Path Organization name MyCompany required z pe piai Locality or city Work with CA certificates State or province MyCity required minimum of 3 characters oS ae Country or region US required m Work with CRL locati Subject Alternative Name Create Certificate Note Certificate extensions are not necessary for Secure Sockets Layer SSL but are recommended for Virtual Private Network Create New Certificate Store VPN Install Local CA Certificate on
102. Systems Informati L Kaart RCHAS07 RCHLAND IBM COM s IBM Web Administration for i5 OS Configure HTTP servers application servers and deploy applications we iSeries Navigator URL Advisor Leam how to add i5 OS administration tasks into your web applications Digital Certificate Manager Create distribute and manage Digital Certificates i IBM Directory Server for i5 OS Administer the IBM Directory Server EM IBM IPP Server for i5 OS Configure the IBM IPP Server P A Te ryptographic Coprocessor P 4 Configure the cryptographic coprocessor iS OS Web Based Help Server 7 Administer the Web based help server Related task information H Requires JavaScript lt ie GL Z Es Done a Figure 6 39 i5 0S Tasks window This takes you to the DCM start page Figure 6 40 on page 168 The installation is complete 6 5 Creating a keystore in DCM This section shows you how to create the certificate store in DCM and how to move the keys into the store Note In DCM a keystore is called certificate store and a key is called a certificate Chapter 6 Tape data encryption in i5 OS V5R4 167 To create a keystore perform the following tasks 1 From the DCM start page Figure 6 40 select Create New Certificate Store Digital Certificate Manager Mozilla File Edit View Go Bookmarks Tools Window Help peck 7 conor 7 Relond op L hitp 192 168 4 1 2001 QIBM ICSS Cert Adm
103. THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF NON INFRINGEMENT MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE Some states do not allow disclaimer of express or implied warranties in certain transactions therefore this statement may not apply to you This information could include technical inaccuracies or typographical errors Changes are periodically made to the information herein these changes will be incorporated in new editions of the publication IBM may make improvements and or changes in the product s and or the program s described in this publication at any time without notice Any references in this information to non IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you Information concerning non IBM products was obtained from the suppliers of those products their published announcements or other publicly available sources IBM has not tested those products and cannot confirm the accuracy of performance compatibility or any other claims related to non IBM products Questions on the capabilities of non IBM product
104. This section describes how to create and move your keys into the keystore 6 2 1 Creating a self signed key Perform the following tasks 1 In the IBM Key Management window click the Create Certificate icon on top of the page which is highlighted in Figure 6 18 fa IBM Key Management C EKM keystore_x jck Key Database File Create View Help Da K A Ci os ba RL DB Type JCEKS database file FileName C EKM keystore_xjck Key database information Token Label Key database content l verisign class 1 public primary certification authority g3 Delete verisign class 4 public primary certification authority g3 verisign class 1 public primary certification authority g2 View Edit verisign class 4 public primary certification authority g2 verisign class 2 public primary certification authority Extract entrust net global client certification authority rsa secure server certification authority verisign class 2 public primary certification authority g3 verisign class 2 public primary certification authority g2 verisign class 3 secure server ca verisign class 3 public primary certification authority verisign class 1 ca individual subscriber persona not validated verisign class 3 public primary certification authority g3 verisign class 3 public primary certification authority g2 The requested action has successfully completed
105. V5R4 0 0000000 137 6 1 Using the Encryption Key Manager and TS1120 tape drive 138 6 1 1 Encryption methods 0 0 eee 138 6 1 2 Encryption components 000 139 6 1 3 Planning for tape encryption 1 0 eee 140 6 1 4 Backup and recovery considerations with Encryption Key Manager 140 6 1 5 Encryption Key Manager server onaPC 0 0c eee eee 142 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 1 6 Creating a keystore 0 teen ee 148 6 2 Creating keys in your keystore 1 0 0 00 e ct eee 151 6 2 1 Creating a self signed key 0 ccc eee 151 6 2 2 Creating a certificate request 0 0 eee 153 6 2 3 Importing keys from another keystore 00 cece eee 156 6 3 Configuring Encryption Key Manager 0 00 e eee eee eee 159 6 3 1 Editing the properties fille 0 2 eee 159 6 3 2 Starting the EKM Admin Console command prompt 0055 162 6 3 3 Starting and stopping the EKM server 0000 e eee eee eee 163 6 3 4 Adding tape drives to the EKM drive table 0 0 0 e eee eee 163 6 4 Encryption Key Manager on i5 OS 2 0 tee 164 6 4 1 Software requirements saaana 164 6 4 2 Installing the unrestricted policy files 0 0 0 c eee eee 164 6 4 3 Installing the Encryption Key Manager jar and sample configuration file 165 6 4 4 Inst
106. Your PC IP version 4 address Manage Certificates Fully qualified domain name View certificate host_name domain_name Renew certificate E mail address Import certificate user_name domain_name Export certificate Soen m E s w k v Figure 6 60 Creating the certificate 178 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 The Certificate Created Successfully window is displayed Figure 6 61 Click OK Digital Certificate Manager Mozilla Reload ale i Back i File Edit View Go Bookmarks Tools Window Help SR amp tvtp 192 168 4 1 2001 RM ESS Cer AdmnfqaxmL nnn Stop 4 3 yl esearch oh Selecta Certificate Store Expand All Collapse Al wFast Path Work with server and client certificates Work with CA certificates m Work with user certificates m Work with certificate requests m Work with CRL locations Create Certificate m Create New Certificate Store Install Local CA Certificate on Your PC v Manage Certificates a View certificate mM Ak Home W Bookmarks BluePages HR Web Belgium Luxe 4 Belgium Luxembourg in 4 IBM Systems Informati Kaart Digital Certificate Manager Certificate Created Successfully Message Your certificate was created and placed in the certificate store listed below Certificate type Server or client Certificate store EKM KEYST
107. a new IBM System i5 environment SG24 7200 01 ISBN 0738489581 A Ww Redbooks INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE IBM Redbooks are developed by the IBM International Technical Support Organization Experts from IBM Customers and Partners from around the world create timely technical information based on realistic scenarios Specific recommendations are provided to help you implement IT solutions more effectively in your environment For more information ibm com redbooks
108. additional disk capacity for parity data or both reducing available space for the user data Mirror protected Disk mirroring requires each disk drive to have an identical mate An exact copy of the data on the first drive is made to the second drive In the event of a drive failure the system continues to function using the other copy The system fails only if both drives in a mirrored pair fail 54 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Mirror protection can be heightened by carefully selecting and placing the hardware The system will always select the best available protection when starting the mirroring process Mirror protection can be at the following levels with the greatest protection coming last gt Disk protected A disk drive failure will not cause system outage However because both the disks of a mirrored pair are on the same Small Computer System Interface SCSI bus a failure of the SCSI bus causes system outage gt SCSI bus protected All of the disks have their mirrored pair on a different SCSI bus However a mirrored pair is on the same storage adapter card IOA In this case an entire SCSI bus may fail causing the system to lose contact with all drives on that SCSI bus and there is no system outage gt IOA protected Both of the disks of mirrored pairs are on separate storage adapter cards IOA Failure of an IOA does not cause system outage gt Input out
109. al numbers of the drives and their positions Perform an IPL in manual mode to the DST Chapter 3 System i5 disk ati5 OS V5R4 75 6 Suspend the load source mate as follows a On the IPL or the Install the System screen Figure 3 25 enter 3 Use dedicated Service Tools IPL or Install the System System Select one of the following Perform an IPL Install the operating system Use Dedicated Service Tools DST Perform automatic installation of the operating system Save Licensed Internal Code OBRWONPEe Selection Licensed Internal Code Property of IBM 5722 999 Licensed Internal Code c Copyright IBM Corp 1980 2004 All rights reserved US Government Users Restricted Rights Use duplication or disclosure restricted by GSA ADP schedule Contract with IBM Corp Figure 3 25 The IPL or Install the System screen b Sign in to the DST Figure 3 26 Dedicated Service Tools DST Sign On System Type choices press Enter Service tools user Service tools password Figure 3 26 Signing in to the DST 76 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 c On the DST main menu Use Dedicated Service Tools screen shown in Figure 3 27 enter 4 Work With Disk Units Select one of the Work with Work with Work with Work with Work with Work with FPOWAMAOANODUORWNPF BR Work with End batch PR BW Selection F3 Exit Fi2 Cancel
110. alling Digital Certificate Manager 000 c eee eee 165 6 5 Creating a keystore in DCM 0 0 0 0 cece 167 6 5 1 Creating keys 0 0 0 c nett 170 6 5 2 Creating a private public key pair in your keystore 00 00005 173 6 5 3 Importing a key into the keystore 00 0c eee 175 6 5 4 Creating a local Certificate Authority signed key in your keystore 176 6 6 Configuring Encryption Key Manager 00 000 cece eee 180 6 6 1 Editing the properties fille 2 2 0 0 eee eee 180 6 6 2 Starting the EKM Admin Console command prompt 0005 181 6 6 3 Starting and stopping the EKM server 000 0 eee eee eee eee 183 6 6 4 Adding the tape drives to the EKM drive table 0000 0000s 183 6 7 Configuring your TS1120 tape drive for encryption 00 000 eee eee 184 6 7 1 Defining the keystores to be used by the TS3500 0005 184 6 7 2 Enabling your tape drive for encryption 0 000 188 6 7 3 Setting up a scratch encryption policy 0 000 cece eee eee 190 6 7 4 Rekeying an encrypted cartridge for use by another company 193 Related publications 0 0 0 0 ccc eee 195 IBM REUDOOKS 3 sero he s oar ti EA Ghar ood ewie po Dee ole Peed awe ged Pee 195 Other publications Aiae iG ayes ou be eae ake ds alan dae 195 Online resources 1 eee 195 How to get IBM Redbooks 0 0c eee t
111. an Cartridge Ranges Cartridge Assignment Policy s Scratch Encryption Policy Select a Frame Select a Logical Library JIR800JA JJX034JJ Insert Notification All Frames v JAG2e x a Manage Drives a Manage Library Sort Volume Seria ort By Search a Manage Ports G manage Access DOWNLOAD Mount History csv G service Library Switch to Original Remove M Go eh aii Select Ae asai hee Element Address Type on eee R Row Encryption J1R800JA JAG2e 1029 3592 Slot F3 C1 R13 Encrypted J1R801JA JAG2e 1035 3592 Slot F3 C1 R30 Encrypted J1R802JA JAG2e 1036 3592 Slot F3 C1 R29 Encrypted J1R803JA JAG2e 1034 3592 Slot F3 C1 R31 Encrypted J1R804JA JAG2e 1037 3592 Slot F3 C1 R25 Encrypted JJX004JJ JAG2e 1039 3592 Slot F3 C5 R38 Not Encrypted JJX030JJ JAG2e 1038 3592 Slot F3 C5 R39 Encrypted JJX031JJ JAG2e 1030 3592 Slot F3 C5 R40 Encrypted lt gt JJX032JJ JAG2e 1031 3592 Slot F3 C6 R2 Encrypted 7 Figure 6 82 Working with data cartridges properties If you set the Show Density parameter to yes on the library side you can also tell whether a tape is encrypted by looking at the density type A nonencrypted tape written on a 3592 E05 drive will show a density of FMT3592A1 For an encrypted tape the density is FMT3592A1E IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Note Remember that the TS3500 li
112. any form of data protection This method is recommended only in situations where the maximum usable disk capacity is required and data does not have to be protected such as a system that is used only for training purposes and is regularly scratch installed to set up new courses Device parity protected Device parity protection is a hardware function that protects data from being lost because of disk unit failure or damage to the data on a disk Two types of device parity protections are implemented in i5 OS V5R4 RAID 5 and RAID 6 The earlier releases of the operating system implemented only RAID 5 parity protection RAID 5 protection Disks are protected by a parity check bit being written for each sector on the drives In the event of a single disk failure within a RAIDset the system continues to operate in a degraded mode because the data in the failing unit can be calculated by using the saved parity value and the values of the bits in the same locations on the other disks In the event of a second disk failure within the same RAIDset the system fails and system recovery is from data backups The cost of RAID 5 is a reduction in the overall disk capacity equivalent to one disk per RAIDset For example a system with two RAID 5 RAIDsets of 10 disks each 20 drives in total will have a total capacity equivalent to 18 disks Chapter 3 System i5 disk at i5 OS V5R4 53 A RAID 5 RAIDset can spread parity data over two four
113. aphy Resource Optical Units amp Tape Unit amp By Location m Disk Pools Nonconfigured Disk Software amp Fixes Inventory amp Collection Services fa Logical Partitions af Network Figure 1 3 Configuration and Service Disks 6 Right click By Location and select Graphical view The disk graphics are hot and show where the disk is situated on the system so that it can be identified easily Right click one of the disks and select Properties to see more 14 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 information about the disks such as serial number location percent full percent busy and most important the unit number required by STRASPBAL Figure 1 4 shows the pop ups To review the details in each frame right click the frame and select Properties This shows the serial number and frame ID for each frame The frame ID information can be compared to the LED on each frame so that you can identify each frame AS 400 Operations Navigator lol x Fie Edit View Options Help taB xE O 27 minutes old I Environment My Connections y Management Centra f a By Location Tower Disk Units My Connections oo E DTower Fro Disk Units Tower Tower Fr02 Disk Units Tower Tower Fr03 Disk Units Tower Tower Fr04 Disk Units Tower Basic Operations Disk Units Graphical View lol x 1 6 Wo
114. are the general settings Click Network if you want to modify the network settings ezConnect Neoware Connection Manager Appliance properties Lannect Srl 5250 Console Figure 4 29 Neoware Connection Manager General settings Figure 4 30 shows the Network Settings window O Network Settings Built in Ethernet default 192 168 3 1 192 168 3 255 192 168 3 1 Figure 4 30 Neoware Connection Manager Network settings Chapter 4 System i5 consoles in i5 OS V5R4 111 The three other options in the red frame in the Appliance properties Figure 4 31 are advanced settings Factory Reset resets the customization to the factory default and the Console option opens the Appliance Console ezConnect Neoware Connection Manager Appliance properties gt Goriiect api E 5250 Console Figure 4 31 Neoware Connection Manager Advanced settings In the Appliance Console screen Figure 4 32 type menu and press Enter C Appliance Console A bash menui Figure 4 32 Appliance Console 112 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 This opens an advanced configuration menu Figure 4 33 The options in this menu exist to enable problem determination by IBM support personnel Option 10 overrides the FSP address and stops the automatic network search code Important It is recommended that you do not make any changes here Abash menu console
115. at are created or altered and which will be required on a new system are saved 9 The target server is then synchronized with the source system This can be done ina number of ways Install only changed objects saved with the save changed objects commana Install client data libraries only assuming that the program libraries are unchanged Scratch install from up to date source system saves Chapter 2 Migration examples 35 Follow the disk migration upgrade path outlined in 2 1 4 Upgrade with converted or relocated disks on page 38 Important Although scratch install is the safest way to ensure that all of the objects are synchronized it might take an excessive amount of time The method allows for an intermediate stage where the target system is refreshed with the changed data to test the final upgrade method When using the save changed objects command the client must be sure that the testing process does not change the data objects Otherwise data mismatches occur Refer to Backup and Recovery V5R4 SC41 5304 for detailed procedures 10 Move any required hardware from the source to the target system 11 Perform full system backups 12 Go live 2 1 2 Data migration using the side by side method source system in the previous release In the data migration side by side upgrade method a new server is installed with a serial number that is different from the existing server s because no upgrade
116. at contains the certificate If you want to provide a label for the certificate enter the label below Fast Path Password Bun required Work with and client 3 ea T Certificate label keylabel_1 Work with CA certificates m Work with user certificates Work with certificate requests m Work with CRL locations Continue j Cancel m Create Certificate m Create New Certificate Store Install Local CA Certificate on v Manage Certificates a View certificate m Renew certificate m Import certificate Export certificate Delete certificate y lt lle Figure 6 56 Importing the key This key is then imported into your keystore 6 5 4 Creating a local Certificate Authority signed key in your keystore 176 An alternative to the third party CA signed keys if it intended only for internal use is a locally signed key also called local CA signed certificate The DCM does not create self signed certificates as such Perform the following tasks 1 Create a local CA certificate if it is not yet created To do this perform the following tasks a Click Create a Local CA Certificate b The Create a Certificate Authority window opens Select a key size of 1024 c Click Select a Certificate Store and select your keystore IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 Click Install Local CA Certificate on Your PC In the right panel cli
117. ath names They are interpreted by Java as escape characters Use instead Audit handler file directory Specify where you want EKM to store the audit log This directory must exist before you start the EKM Admin console Admin ss keystore name Admin ss1 truststore name TransportListener ss keystore name TransportListener ssl truststore name config keystore file Specify the path and the file name of the keystore Admin ss1 keystore password Admin ss1l truststore password TransportListener ssl keystore password TransportListener ssl truststore password config keystore password 180 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Specify the keystore password You do not have to specify the password but if you do not do it you will be asked to enter it when you start the EKM server Config drivetable file url Specify the path and the file name where you want EKM to store the information on the drives that are known to EKM The path must exist before starting the EKM Admin console You can choose the file name yourself but it must have a txt extension It will be created by the EKM The file path must be preceded by FILE debug output file Specify the path and the file name of the debug file you want to create The file must have a log extension drive acceptUnknownDrives Set this property to true if you want the EKM server to automatically add th
118. ation The graphics truly represent the actual position of a drive unit in a tower To access the graphical view perform the following tasks 1 From the iSeries Navigator main window expand Configuration and Service Figure 1 2 AS 400 Operations Navigator File Edit View Options Help e xeon Environment My Connections Management Central amp My Connections D H a Basic Operations 6 Work Management a BP Configuration and Service af Network B Security a Users and Groups B Database m s File Systems a Backup Application Development amp AFP Manager fl Beefy fl Beefyadsl H A Qbeefy 77 Confiquration and Service Name lol x 0 minutes old Description Ef System Values T Hardware Software Fixes Inventory amp Collection Services f Logical Partitions Configure system values Display hardware on the server Display software on the server Display and manage fixes Collect performance data Work with logical partitions Figure 1 2 iSeries Navigator Configuration and Service 2 In the right hand panel expand Hardware 3 Expand Disks Units 4 You will be asked for a service tools ID and password when you select a resource Chapter 1 Planning for upgrades to System i5 hardware 13 Notes Dedicated and System Service Tool IDs and passwords are not the same as the OS 400 user profiles and IDs Starting with OS 400 V5R1 service too
119. because data that is not saved cannot be recovered by using this method Remove the hardware from the source system and perform an MES upgrade Scratch install a new system from the saves Perform resource mapping o oN Perform a test and go live 2 1 4 Upgrade with converted or relocated disks 38 This method is the standard 8xx to 5xx upgrade and offers a plug and go upgrade If it is well planned it can be the fastest form of upgrade If many disks are being moved there is always the risk of inadvertent damage for example a bent pin or a disk not starting Although these can cause major problems they are rare occurrences This is the simplest process of upgrading provided there are no SPD attached devices Assuming there are no SPDs this is the outline of this process 1 Bring the current server and any partitions up to i5 OS V5R4 with the latest PTFs 2 Ensure that there is space in the new system for the disk to be removed and relocated from the existing system unit Make sure that there is space for the I O adapters to be relocated to the new server Perform a full system backup Power down the existing server Remove the disks and the I O adapters Plug the disks into the new system unit N DO fk O Install the I O adapters in the new system 9 Upgrade or migrate any towers that are moving across 10 Cable up the System Power Control Network SPCN loop 11 Cable the high speed link HSL
120. brary manages the encryption not BRMS or the native i5 OS functions Although the INZTAP DENSITY FMT3592A1E might look like it is working you receive a message stating that the density has changed in reality the density does not change 6 7 4 Rekeying an encrypted cartridge for use by another company When you encrypt a cartridge it can only be accessed internally To send your cartridges off to another company and allow them to use the cartridges rekey the cartridges so that the other company can decrypt the data using a different key This way you do not have to give your keys to the other company Instead you create a new key pair for use by the other company Perform the following tasks 1 Select Manage Cartridges Data Cartridges define your selection and click Search 2 Select the tape cartridge you want to rekey select ReKey Encryption from the Select Action menu and click Go Figure 6 83 IBM System Storage TS3500 Tape Library Work Items Cartridges H Welcome Page amp Manage Cartridges Data Cartridges E Cartridge Ranges Cleaning Cartridges Select a Frame Select aiLogical Library JIR800JA JJX034JJ 1 0 Station All Frames v JAG2e lal Cartridge Assignment Policy Scratch Encryption Policy p _ Insert Notification Sort By Volume Serial v ere a Manage Drives pl G manage Library DOWNLO
121. byte 1 03 GB disk unit revolutions per minute rpm 1333 1334 17 54 GB disk unit 10k rpm 1337 1602 35 16 GB disk unit 10k rpm 6605 and 35 16 GB disk unit 15k rpm 6652 70 56 GB disk unit 15k rpm 1313 1323 gt One byte 1 96 GB disk unit 8 58 GB disk unit 10k rpm 1326 1336 gt Two byte 1 96 GB disk unit 17 54 GB disk unit 10k rpm 1603 6606 35 16 GB disk unit 10k rpm 6650 6806 35 16 GB disk unit 15k rpm 6906 and 70 56 GB disk unit 15k rpm 9606 1327 1337 Two byte 4 19 GB disk unit 8 58 GB disk unit 10k rpm 6607 6807 17 54 GB disk unit 10k rpm 6907 9707 35 16 GB disk unit 10k rpm and 9907 35 16 GB disk unit 15k rpm 70 56 GB disk unit 15k rpm 1333 6713 Two byte 8 58 GB disk unit 8 58 GB disk unit 10k rpm 6813 8713 17 54 GB disk unit 10k rpm and 8813 35 16 GB disk unit 10k rpm 35 16 GB disk unit 15k rpm 70 56 GB disk unit 15k rpm 1334 6714 Two byte 17 54 GB disk unit 17 54 GB disk unit 10k rpm 6824 8714 35 16 GB disk unit 10k rpm and 8824 35 16 GB disk unit 15k rpm 70 56 GB disk unit 15k rpm 1349 1379 1 2 GB inch cartridge tape unit 4482 or 45826 4 GB inch cartridge tape unit and 6368 1350 2 5 GB inch cartridge tape unit 4482 or 45826 4 GB inch cartridge tape unit 1380 6369 6380 6381 and 6481 1355 6385 13 GB inch cartridge tape unit 4483 or 45837 16 GB 4 inch cartridge tape unit and 6485 1360 6390 7 GB 8 mm cartridge tape unit 8 mm cartridges are supported and 6490 on
122. cable connects directly from the device Ethernet port to the SP s HMC1 or HMC2 Ethernet port on the server thus not taking any IOA IOP input output adapter input output processor slot The console type is displayed as HMC to the i5 OS Coexistence of a Thin Console and an HMC is not supported The Thin Console is a Neoware c50 thin client running a customized Linux image which includes an IBM 5250 emulator It boots from internal flash memory To update the code or reinstall the Linux image download the Linux image from the Web as a zip file and extract it to a Universal Serial Bus USB memory stick Because the image does not take up much space the minimum requirement for the memory stick is only 128 MB You cannot install separate fixes to the code Any update must be performed by overwriting the entire Linux image with the new one When you order a system with a Thin Console it does not automatically include a display Therefore either add it to your order or provide one yourself Figure 4 5 shows a System i5 Thin Console Figure 4 5 System i5 Thin Console 4 2 1 Thin Console installation The Thin Console is supported only on selected nonpartitioned System i5 9405 520 9406 520 and 9406 550 These models must be running i5 OS V5R3 or later and a firmware level of SF240 or later 4 2 2 Specifications The Thin Console is a Neoware c50 thin client running a customized Linux image which includes an IBM 5250 em
123. cept your current console type and the second confirmation screen shows that a value did not exist previously a zero is present against the old value and the new value is shown Press Enter to exit and set the console mode automatically The IPL then continues to the IPL screen or the Install the System screen Although this condition is most likely to occur during the installation of a new partition it could happen on your first manual IPL of i5 OS V5R4 Chapter 2 Migration examples 49 50 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 System i5 disk at i5 OS V5R4 This chapter describes data protection schemes that are available and the points to consider when deciding among the different schemes and the methods in which to implement them This chapter also includes details about several ways of performing the load source disk migration that might be required when upgrading system hardware Copyright IBM Corp 2007 All rights reserved 51 3 1 Introducing the System i5 disk technology This section describes available methods for data protection through data redundancy techniques 3 2 Disk types Speeds and feeds Table 3 1 shows the integrated disks that are supported on System i5 Table 3 1 Disk types supported for System i5 Disk type Capacity GB Speed rpm 4318 17 54 10 000 3 3 Disk packaging In System i5 as with its predecessors most models can accommodate disk drives in the
124. ch tapes because you cannot mix nonencrypted and encrypted data on one cartridge Attention This is another point where you must remember not to save the keys to the encrypted media You must plan for the eligible tapes to be known as encryption capable Anyone using these encrypted tapes must understand the restore implications To set up a scratch encryption policy perform the following tasks 1 In the left panel select Manage Cartridges gt Scratch Encryption Policy Figure 6 79 on page 191 shows two Volser volume serial ranges of cartridges that are already defined Select Create from the Select Action menu and click Go 190 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 IBM System Storage TS3500 Tape Library Work Items Welcome Page m Cartrid m eae Refresh Last Refresh 8 31 2006 20 50 05 Scratch Encryption Policy Cleaning Cartridges I O Station Cartridge Assignment Policy Scratch Encryption Policy Select Action x Go Insert Notification Key 1 Key 2 4 SERB AVORSONG ISIC SI re Ts Sar Gi manage Drives 3 9 Mode Label Mode _ Label a Manage Library J1R800 J1R804 Clear Label Tape_Sol_Tst_Shr_Pvt_1024_Lbl_01 Clear Label Tape_Sol_Tst_Shr_Pvt_1024 Gi manage Ports JJX030 JJX034 Clear Label Tape_Sol_Tst_Shr_Pvt_2048_Lbl_03 Clear Label Tape_Sol_Tst_Shr_Pvt_1024 F Manage Access a Service Libra
125. ck Forward 3 Reload 5 File Edit View Go Bookmarks Tools Window Help g amp http 192 168 4 1 2001 QIBM ICSS Cert Admin qycucm1 ndm mainO laa S l e searcn Select a Certificate Store z Ah Home W Bookmarks BluePages HR Web Belgium Luxe 4 Belgium Luxembourg in 4 IBM Systems Informati kaart Digital Certificate Manager Work with Server and Client Certificates Certificate type Server or client Certificate store EKM KEYSTORE_ILKDB Message No certificates found for this certificate store Expand All Collapse All wEast Path Work with server and client certificates Work with CA certificates Work with user certificates Work with certificate requests Work with CRL locations n Create Certificate Create New Certificate Store Install Local CA Certificate on Your PC e Certificates View certificate Renew certificate Import certificate v i Co ee Figure 6 58 Work with Server and Client Certificates window Chapter 6 Tape data encryption in i5 OS V5R4 177 4 In the Select a Certificate Authority window select Local Certificate Authority CA and click Continue Figure 6 59 la Digital Certificate Manager IBM Select a Certificate Authority CA Certificate type Server or client Certificate store EKM KEYSTORE_ILKDB Selecta Certificate
126. ck Install certificate as shown in Figure 6 57 Select a Certificate Store Expand AIl _ Collapse All Fast Path m Work with server and client s Work with CA certificates a Work with user certificates m Work with certificate requests Work with CRL locations u Create Certificate Create New Certificate Store Install Local CA Certificate on Your PC v Digital Certificate Manager Install Local CA Certificate on Your PC To install receive the certificate on your browser Click the following link to install the certificate in your browser Your web browser will display several windows to help you complete the installation of the certificate Install certificate To copy and paste the certificate to a file on your PC F you need the Certificate Authority CA certificate for a non browser application such as Client Access Express or IBM Personal Communications choose the Copy and paste certificate link Use the online help provided here and in the appropriate application for information about working with your certificate file Click the following link to copy and paste the certificate into a file on your PC Copy and paste certificate 3 Select the Work with Server and Client Certificates option and click Create as shown in Figure 6 58 f Digital Certificate Manager Mozilla 1 i Ba
127. cols SSL_TLS 55 truststore name testkeys ssl truststore type jceks TransportListener tcp port 3801 config keystore file keymanager testkeys config keystore provider IBMICE config keystore type jceks Figure 6 35 Default properties Chapter 6 Tape data encryption in i5 OS V5R4 161 Figure 6 36 shows the KeyManagerConfig properties file with the correct values for the configuration in this example P keymanagerconfig properties Notepad Oj x File Edit Format View Help it event outcome success failure Audit event types all AUdIt eventqueue max 0 Audit handler file directory c EkmM audit logs Audit handler file name kms_audit log Audit handler file size 10000 Admin ssl keystore name Cc EkM keystore_x jck Admin ssl keystore password Admin ss truststore name C EKM keystore_x jck Admin ss1 truststore password config drivetable file url FILE c EkM drivetable drvinf txt debug none debug output simple_file debug output file c EkmM debug log drive acceptunknownDrives true fips off TransportListener ssl ciphersuites JSSE_ALL TransportListener ssl clientauthentication 0 TransportListener ssl keystore name C EkM keystore_x jck TransportListener ssl keystore password TransportListener ssl keystore type jceks TransportListener ssl port 443 TransportListener ssl protocols SSL_TLS TransportListener ssl truststo
128. ct Settings gt Appliance properties Factory Reset Verify that the service processor is powered on by noting whether the control panel display is active Restart the Thin Console to see whether the problem is reproducible Isolate faulty hardware problems by using the other HMC port at the back of the server using another Ethernet cable or by using another Thin Console Complete these tasks to resolve the problem Verify that the keyboard is set to a location that matches the current keyboard setting Verify that the Caps Lock Num Lock and Scroll Lock keys are off Change the HMC access password to a new value by logging into ASMI as the administrator Refer to the topic on Changing ASMI passwords in the IBM Systems Hardware Information Center Use a password with only uppercase English alphabetic characters If this resolves the problem contact IBM support Complete these tasks to resolve the problem 1 Verify that another Thin Console or an HMC is not connected alongside this Thin Console 2 Restart the Thin Console to see if the problem is reproducible The Thin Console displays status code 30 xx until the server is powered on and PHYP standby is reached If the Thin Console remains in state 30 xx power on the server If the state is OxOF and the status does not display system status after you see 30 xx contact IBM support Verify that another Thin Console or an HMC is not connected alongside this Thin Con
129. d 570 Table 4 6 5xx embedded LAN port location code Location code of embedded LAN port U787A 001 sssssss P1 T5 U787B 001 sssssss P1 T9 570 U7879 001 sssssss P1 T6 In case of multiple CECs the CEC with the load source Designated slots 520 Table 4 7 lists the designated slots for models 520 Table 4 7 Designated slots for models 520 HMC or IOP less HMC or IOP less Direct cable twinax Direct cable twinax LAN without an IXS LAN with an IXS or lIOP driven LAN or lIOP driven LAN without an IXS with an IXS IOP less IOA or ECS PTF IOA LAN IOP less IOA or ECS LAN or twinax IOP driven IOA if C1 if 5706 5707 IOP driven IOA if C1 is IOP is IOP 2nd location for LAN or twinax C3 ECS PTF Feature IOP Direct cable IOP Feature IOP must be in a or IOP IOP less IOA IOPless IOA IOP less IOA IOPless IOA LAN if 5706 5707 IXS card Twinax or LAN IXS card console IOP must be in C3 or C6 IOP less IOA or IXS card overhang IOP or IOP less IOA_ IXS card overhang feature IOP 4 4 Changing the console type Refer to the IBM Systems Hardware Information Center for instructions about how to switch between console types on a running system http publib boulder ibm com infocenter eserver v1r3s topic iphca iphcabook pdf Chapter 4 System i5 consoles in i5 OS V5R4 127 4 4 1 Using the console service functions 65 21 When you migrate to another system without predefining the console type the system might n
130. d on Because the Thin Console is directly connected to the FSP it is able to detect that connection even when the i5 OS system is not running In such a situation the system attention light is on It will go off as soon as the server powers on The following figures Figure 4 16 to Figure Figure 4 26 on page 109 show the codes displayed by the Thin Console to signal this Note the Server Information State Server Information Reference Code and Connection status fields Figure 4 16 shows power off 10 00 Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State FFFF Server state is unknown Reference code Connection status 10 00 of 100 Searching for server at Ethernet port HMC1 or HMC2 Figure 4 16 Power off 10 00 Figure 4 17 shows power off 20 00 Server Information IP 192 168 3 147 Type Model 9405 520 Serial 10E80CC State 0000 Server powered off Reference code Connection status 20 00 of 100 Server found Figure 4 17 Power off 20 00 Figure 4 18 through Figure 4 21 on page 107 show four stages of power off 30 00 Server Information IP 192 168 3 147 Type Model 9405 520 Serial LOE80CC State 0000 Server powered off Reference code Connection status 30 00 of 100 Waiting for server to power on Figure 4 18 Power off 30 00 1 of 4 106 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5
131. dency program Help write an IBM Redbook dealing with specific products or solutions while getting hands on experience with leading edge technologies You will team with IBM technical professionals Business Partners and clients Your efforts will help increase product acceptance and client satisfaction As a bonus you will develop a network of contacts in IBM development labs and increase your productivity and marketability Find out more about the residency program browse the residency index and apply online at ibm com redbooks residencies html Comments welcome Your comments are important to us We want our IBM Redbooks to be as helpful as possible Send us your comments about this or other IBM Redbooks in one of the following ways gt Use the online Contact us review IBM Redbook form found at ibm com redbooks gt Send your comments in an e mail to redbook us ibm com x IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 gt Mail your comments to IBM Corporation International Technical Support Organization Dept HYTD Mail Station P099 2455 South Road Poughkeepsie NY 12601 5400 Preface Xi xii IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Planning for upgrades to System i5 hardware This chapter discusses planning considerations for moving to the IBM System i 515 520 525 550 570 and 595 hardware models The introduction of the Har
132. due to resource constraints for example not enough disks a message is displayed when starting RAID as shown in Figure 3 6 Parity set will not have high availability You have selected the High Availability configuration optimization for device parity but the parity sets Listed below will not be configured for High Availability There must be one disk unit of the same capacity attached to each Input Output Adapter IOA to achieve the High Availability configuration If you proceed the following parity sets will not have the High Availability configuration Parity Serial Resource Set Number Type Model Name 1 O0C 6200013 5S71F 001 DCO2 2 OC 6199036 571B 001 DCO1 3 OC 6199036 571B 001 DCO1 4 O0C 6199036 571B 001 DCO1 F3 Exit Fi2 Cancel Function key not allowed Figure 3 6 Error message due to inadequate disks being available for the selected optimization 62 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 After RAID is started with the required optimization the Display Device Parity Status screen Figure 3 7 displays information about the optimization used F3 Exit Display Device Parity Status Press Enter to continue F5 Refresh F11 Display disk hardware status Parity Serial Set ASP Unit Number Type x x 68 0E30697 4326 x x 68 0E306CE 4326 4 0C 6199036 571B x x 68 0E2E116 4327 x x 68 0E2C3DD 4327 x x 68 0E3F6F8 4327 5 0C 6199036 571B x x 21 89B8D 4328 x x 21
133. duplicate key labels you are always provided with the opportunity to change the key labels before you import the keys Select the key label you want to change enter the new name and click Apply as shown in Figure 6 30 xi Would you like to change any of these labels before completing the import process oK Select a label to change Cancel keylabel_selfsigned_3 keylabel_selfsigned_1 Enter a new label keylabel_selfsigned_4 Apply Figure 6 30 Change Labels window 7 The change is reflected in the Select area as shown in Figure 6 31 Click OK x Would you like to change any of these labels before completing the import process oK Select a label to change Cancel keylabel_selfsigned_3 keylabel_selfsigned_4 Enter a new label keylabel_selfsigned_4 Figure 6 31 Applying label change 158 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 8 The imported keys are now displayed in your keystore in the IBM Key Manager window as shown in Figure 6 32 fa IBM Key Management C EKM keystore_x jck Key Database File Create View Help Ce Be Ro Key database information DB Type JCEKS database file FileName C EKMikeystore_xjck Token Label Key database content Personal Certificates z Receive keylabel_
134. dware Management Console HMC and the increasing integration of Linux AIX and Windows environments into System i servers results in a potentially more complex upgrade process Subsequently the planning process requires more attention from all parties involved the client the IBM Business Partners the IBM sales team and the IBM Customer Engineer to ensure a successful upgrade with minimal disruption Copyright IBM Corp 2007 All rights reserved 1 1 1 Planning fundamentals Careful planning is an essential step in implementing a successful upgrade This section deals with an overview of the planning process This process can be applied to any upgrade The planning process has two distinct phases gt Presales planning gt Postsales planning As a general rule you should review the System i planning Web site at http www ibm com systems support i planning Also check the support planning Web site at http www ibm com systems support i planning upgrade index htm 1 1 1 Presales planning This section discusses the preorder tasks Whether the order is new or an upgrade it is recommended that the first configuration planning is performed with the IBM System Planning Tool SPT As yet the SPT does not directly support upgrades but it can be used to validate the final upgrade configuration This is the sequence of actions 1 Importing or re creating the pre upgrade configuration 2 Validating the configuration
135. e command line The System Services Tools sign in window is displayed Enter your user ID and password Notes Dedicated and System Service Tool IDs and passwords are not the same as the OS 400 user profiles and IDs Starting in V5R1 service tools passwords are case sensitive you may also define multiple IDs If you forget or disable your service tools IDs they can be reset with the command CHGDSTPWD from an OS 400 command line using the Security Officer profile Chapter 1 Planning for upgrades to System i5 hardware 15 2 In the System Service Tools main menu select a Type 1 Start a service tool b Type 7 Hardware Service Manager c Select F6 Print configuration 3 Some print format options are presented If your printer allows it use 132 characters wide and press Enter 4 A spool file is submitted to the service printer Usually this is a QPRINT output queue You now have a printout of the hardware on your system that can be used to help identify the disk units on your system and their location 1 4 Physical planning For detailed specifications refer to the physical planning guide or the physical planning section of the IBM eServer Hardware Information Center on the Web at http publib boulder ibm com infocenter eserver vlr3s index jsp The i520 i550 physical layout Figure 1 5 shows the plan view of the i520 i550 Do not let this system intimidate you It is very similar to the layout of a PC server There
136. e data can be stored at a time so perform this operation immediately before the upgrade For details about the upgrade process refer to http publib boulder ibm com infocenter eserver vlr3s topic ipha5 fixeshmc_ upgrades htm Hardware Management Console Support for HMC 5 2 on UNIX servers and Midrange servers Recovery media Qe Ci Downloads Installation instructions Related documentation Obtaining the HMC 5 2 1 Recovery media The HMC 5 2 1 Recovery media package PTF MH00653 is equivalent to the HMC 5 2 1 Update package PTF MH00594 except that it represents Recovery DVDs for HMC 5 2 1 The Recovery DVDs provide a new BIOS used in 7310CR3 RoHS compliant machines The BIOS is installed during Recovery DVD installation upgrade process Upgrade notes Upgrading HMC V4 to HMC 5 x There is no Corrective Service to update to HMC Version 5 from Version 4 You must perform an Upgrade via Recovery media to update from HMC 4 to any HMC Version 5 x Before upgrading you must use the Save Upgrade Data task to preserve existing configuration on the HMC such as partition profiles and HMC configuration Upgrading to HMC 5 2 1 You can upgrade to HMC V5R2 1 in the following manners If you are currently at HMC V5R2 0 you can use the Update images PTF MH00594 to update your HMC to V5R2 1 After the update the output from the Ishmc V command will show a base_version string of VSR2 0 You do not need to apply PTF MH
137. e data encryption in i5 OS V5R4 139 6 1 3 Planning for tape encryption Before you implement tape encryption with the IBM EKM decide on which platform you will install the EKM server and which type of keystore you will use Refer to BM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide GA76 0418 Also refer to 6 1 4 Backup and recovery considerations with Encryption Key Manager on page 140 Regardless of which EKM server platform and keystore type you choose each IBM EKM implementation with the TS1120 tape drive involves the following tasks Refer to 6 1 5 Encryption Key Manager server on a PC on page 142 6 4 Encryption Key Manager on i5 OS on page 164 and 6 7 Configuring your TS1120 tape drive for encryption on page 184 1 Install the required operating system on your server 2 Install the correct version of the Java Runtime Environment JRE or IBM Software Development Kit SDK for Java 3 Install the IBM Java unrestricted policy files US_export_policy jar and local_policy jar 4 Install the IBM EKM Application IBMKeyManagementServer jar and the IBM EKM Sample Configuration File KeyManagerConfig properties 5 Install a tool to manage the type of keystore you have chosen 6 Define the keystore and import or create keys into the keystore 7 Configure EKM and define tape drives to EKM or set the drive EKM configuration property acceptU
138. e following Save disk unit data Restore disk unit data Replace configured unit Assign missing unit Recover configuration Disk unit problem recovery procedures Suspend mirrored protection Resume mirrored protection Copy disk unit data 10 Delete disk unit data 11 Upgrade load source utility 12 Rebuild disk unit data 13 Reclaim IOP cache storage ON OU BRWNE More Selection F3 Exit Fii Display disk configuration status F12 Cancel Figure 3 38 The Work with Disk Unit Recovery screen e Enter 1 next to the suspended Unit 1 disk unit at the screen shown in Figure 3 39 Select Configured Unit to Replace Type option press Enter 1 Select Serial Resource OPT Unit ASP Number Type Model Name Status 1x 1 75 0CE64B0 6717 050 DD001 Suspended F3 Exit F5 Refresh F12 Cancel Figure 3 39 The Select Configured Unit to Replace screen Chapter 3 System i5 disk at i5 OS V5R4 83 f Atthe Select Replacement Unit screen Figure 3 40 enter 1 next to the newly installed disk unit and press Enter to confirm Select Replacement Unit Serial Resource Unit ASP Number Type Model Name Status 1x 1 75 0CE64B0 6717 050 DD001 Suspended Type option press Enter 1 Select Serial Resource Option Number Type Model Name Status i 68 0C231E9 6718 050 DD005 Non configured F3 Exit F12 Cancel Figure 3 40 The Select Replacement Unit screen The status is displayed in the Replace Disk Unit
139. e is only one of the available EKM commands For more information about EKM commands refer to BM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide GA76 0418 Chapter 6 Tape data encryption in i5 OS V5R4 163 6 4 Encryption Key Manager on i5 OS This section describes the installation requirements and implementation steps involved in running an EKM on i5 OS 6 4 1 Software requirements Table 6 2 shows the minimum i5 OS versions and their corresponding minimum SDK versions Table 6 2 Supported i5 OS versions and their corresponding SDK versions i5 OS eet Licensed program feature codes and PTF level IBM Developer Kit for Java Java 5722JV1 BASE and option 7 Developer Kit 5 0 The latest Java group PTF SF99269 PTF S125093 for 5722SS1 Option 3 Extended base directory support 5722AC3 Cryptographic Access Provider IBM Developer Kit for Java Java 2 5722JV1 BASE and Option 8 Platform Standard Edition Install SR3 or SR2 for J2SE 5 0 J2SE 5 0 32 bit SR3 PTF number is not yet available at the time of publication SR2 PTF 124375 for 5722JNV1 The latest Java group PTF SF99291 PTF S125094 for 5722SS1 Option 3 Extended base directory support Cryptographic Access Provider is included in the base in V5R4 a For the latest level refer to the following Web site http www 912 ibm com s_dir sline003 NSF GroupPTFs 0penVi ew amp vi ew GroupPTFs After yo
140. e tape drives to the EKM drive table when they contact EKM If you decide against allowing the tape drives to be added automatically which means that you will have to add the tape drives manually set this value to false Refer to 6 6 4 Adding the tape drives to the EKM drive table on page 183 Edit File EKM KeyManagerConfig properties Record 1 of 49 by _10 Column 1 76 by 126 Control _ SSN EE ENT PEE Ga taunts S ERAT e T AET R P TEATE T E A A r a a N a T Bice EE ALET T xeeexexeeeeaBeginning of datatkkkkkkkkkkkk Note that the file is sorted by property name EKM shutdown automatically reorders the values in the properties file Audit event outcome success failure Audit event types all Audit eventQueue max 0 Need to change the following directory value or create the directories Audit handler file directory EKM auditlogs Audit handler file name ekm_audit log Audit handler file size 10000 Need to change the following 2 pathnames to the correct pathnames for the keystores being used on your system Admin ssl keystore name EKM EKM kdb Admin ssl truststore name EKM EKM kdb Need to change the following pathname value or create the directories config drivetable file url FILE EKM drives drivetable Need to change the following pathname to the correct pathname for the keystore being used on your system OETA TN F2 Save F3 Save Exit F12 Exit FiS Services Fi6 Repeat find Fif Repeat cha
141. e the RAID set is maintained vvvy 12 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 All disks that do not meet the first two conditions must be removed before or during the upgrade In the case of an upgrade to i5 OS V5R4 the load source drive must be removed before the upgrade Special care must be taken to ensure the fourth criteria where the RAID sets span more disks than can be physically placed on an IOP for example earlier expansion towers had disks in sets of 16 disks usually two RAID sets However because a 5074 has disks ina set of 15 disks one disk must be removed from the configuration and from its RAID set prior to moving the disks as a set to the 5074 The new System i5 has fewer internal disk slots in the CEC than most 8xx servers Therefore the disks might have to be rearranged to enable RAID sets to be retained and to have disks to fit in the CEC 1 3 1 Redundant Array of Independent Disks arrangements In i5 OS V5R4 RAID 6 capability has been introduced for some disk adapters The client must still choose between RAID 5 or RAID 6 when the disk drives are added into the configuration For a more detailed discussion of RAID 6 refer to Chapter 3 System i5 disk at i5 OS V5R4 on page 51 iSeries Navigator The iSeries Navigator provides an alternative graphical view of the disk drives This helps you identify the exact location of a drive from a graphical represent
142. eation You must see the name of the keystore in the IBM Key Management window as shown in Figure 6 17 F IBM Key Management C EKM keystore_x jck Key Database File Create View Help Cae bd SR Ls Key database information DB Type JCEKS database file FileName CA EKM keystore_xjck Token Label Key database content verisign class 1 public primary certification authority g3 Delete risign class 4 public primary certification authority g3 verisign class 1 public primary certification authority g2 View Edit verisign class 4 public primary certification authority g2 Ld verisign class 2 public primary certification authority Extract entrust net global client certification authority Lt rsa secure server certification authority verisign class 2 public primary certification authority g3 verisign class 2 public primary certification authority g2 verisign class 3 secure server ca verisign class 3 public primary certification authority verisign class 1 ca individual subscriber persona not validated verisign class 3 public primary certification authority g3 verisign class 3 public primary certification authority g2 The requested action has successfully completed Figure 6 17 Keystore created 150 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 2 Creating keys in your keystore
143. eature replacement PCI code feature 2686 Optical link processor 266 Mbps HSL port Used for attaching 5044 Each 2686 supports a maximum of one 5044 2688 Optical link processor 1063 Mbps HSL port Used for attaching 5065 5072 5073 5082 and 5083 expansion towers Each 2688 supports a maximum of two 50xx towers 2695 Optical bus adapter Allows for the HSL port addition of up to three 2686 or 2688 optical link processors in any combination 5044 System unit expansion rack This is 5094 5294 5095 a 12 SPD I O card slot cage ina 5075 5074 or rack enclosure 5079 5052 and Storage expansion unit Provides 5094 5294 5095 5058 space for up to 16 disk units 5075 5074 or 5079 5055 and Storage expansion unit Provides 5094 5294 5095 5057 space for up to eight to 16 disk units 5075 5074 or 5079 5072 and 1063 Mbps system unit expansion 5094 5294 5095 5073 tower Provides an additional bus 5075 5074 or 5079 5082 and 1063 Mbps storage expansion 5075 5074 or 5083 tower Provides a direct access 5079 storage device DASD tower for adding up to 16 disk units 2629 LAN WAN Workstation IOP This 2843 9943 or supports up to three LAN WAN 2824 Workstation IOAs 6050 6140 Twinaxial workstation controller 2746 4746 and 6180 One 8 port attachment is provided to support up to 40 twinaxial devices 6141 and ASCII workstation controller This N A 6142 workstation controller supports up to six ASC
144. eb interface 184 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 Inthe left panel of the tape library Web interface select Manage Access Key Manager Addresses as shown in Figure 6 68 IBM System Storage TS3500 Tape Library Work Items Key Manager Addresses Welcome Page GQ anaga anmas Refresh _ Last Refresh 8 31 2006 20 42 42 E Manage Drives Q Manage Library Select Action v co Qa Manage Ports E m Select IP Address Port anage Access LE e ooo LAs o a U l Web Security 9 5 53 92 3801 SNMP Settings Oo 95 53 94 3801 SNMP Destinations SNMP System Data Key Manager Addresses Gi service Library Switch to Original Navigation Figure 6 68 Key Manager Addresses 3 To add a key manager address select Create in the Select Action menu and click Go Figure 6 69 IBM System Storage TS3500 Tape Library Work Items Key Manager Addresses 2 Welcome Page am ale oe Refresh Last Refresh 8 31 2006 20 42 42 an Manage Drives G Manage Library Ca manage Ports Select Action Go Select Select Action manage Access Select E S IP Address Port Web Security Modify 3801 SNMP Settings Delete 3801 SNMP Destinations Ping Address SNMP System Data Key Manager Addresses G service Library Switch to Original Navigation Figure 6 69 Creating a ke
145. ected key labels Apply Cancel Done Local intranet Figure 6 80 Scratch encryption policy definition Chapter 6 Tape data encryption in i5 OS V5R4 191 192 3 To check whether your cartridges are being encrypted select Manage Cartridges gt Data Cartridges Narrow your search by selecting a frame or a logical library In this example we selected only the encryption enabled logical library Figure 6 81 Click Search to display your selection of cartridges IBM System Storage TS3500 Tape Library Work Items Cartridges Welcome Page mr loi oae Refresh Last Refresh 8 31 2006 21 03 19 Data Cartridges Cleaning Cartridges I O Station Cartridge Assignment Policy i Scratch Encryption Policy Select a Frame Select a Logical Library Insert Notification All Frames ix a Manage Drives a Manage Library S i 5 ort By Volume Serial earch a Manage Ports Gi manage Access DOWNLOAD Mount History csv G service Library Select Logical Library Element Address Type Location F Frame C Column F Switch to Original Navigation Please select a filter and or sort options Once complete click Search Figure 6 81 Data cartridges 4 The last column in the list shows whether a cartridge is encrypted Figure 6 82 Work Items Cartridges H Welcome Page a amp Nanette Refresh_ Last Refresh 8 31 2006 21 03 56 Data Cartridges Cleaning Cartridges Lo
146. ediate step Tip Because there is no supported upgrade path the source system and the target system have different serial numbers If the source system never had its name changed from the shipped value that is SXXXXXXxX where xxxxxxx is the system serial number it is recommended that you do not copy the network attributes across because this results in the new system being named with a serial number that is not its own Change the system name by issuing the CHGNETA command Press F4 and change any parameters as necessary The upgrade process is as follows 1 The required hardware is ordered to duplicate most or all of the environment it is possible that the source system has communication lines that are no longer being used and so the target system does not have to reflect the source system exactly 2 The source system is upgraded to V5R3 3 The target system is installed 4 The existing full system backups are used to create the new test system using the recovery procedures from the Backup amp Recovery guide iSeries Backup and Recovery SC41 5904 08 5 The client tests the current environment 6 Production objects that are created or altered and are required on the new system are saved 7 The target server is then synchronized with the source system This can be performed ina number of ways Installing only the changed objects saved with the save changed objects command Installing only the
147. eeta 196 Help from IBM v4 o tec ee tei ene en ete a ate ete en ieee Geta ai ean 196 IND OX scorn eae Sate Be ae SS eae Saki go ee eee 197 Contents v vi IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Notices This information was developed for products and services offered in the U S A IBM may not offer the products services or features discussed in this document in other countries Consult your local IBM representative for information on the products and services currently available in your area Any reference to an IBM product program or service is not intended to state or imply that only that IBM product program or service may be used Any functionally equivalent product program or service that does not infringe any IBM intellectual property right may be used instead However it is the user s responsibility to evaluate and verify the operation of any non IBM product program or service IBM may have patents or pending patent applications covering subject matter described in this document The furnishing of this document does not give you any license to these patents You can send license inquiries in writing to IBM Director of Licensing IBM Corporation North Castle Drive Armonk NY 10504 1785 U S A The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES
148. eight or 16 drives A RAID 5 RAIDset can contain a minimum of three disk drives four for older disk input output adapters and a maximum of 18 disk drives RAID 6 protection Disks are protected by writing two redundant data bits using the p amp q parity data based on the Reed Solomon algorithm Conceptually by writing two sets of parity data a RAID 6 array can tolerate up to two disk failures within the array A RAID 6 array with a single disk failure is still protected as much as a RAID 5 array with no failures A RAID 6 RAIDset with two failing drives continues to function in degraded mode until a third disk in that RAIDset fails The cost of a RAID 6 array is equivalent to two drives capacity per RAIDset For example a system with two RAID 6 RAIDsets of 10 disks each 20 drives will have a total capacity equivalent to 16 disks RAID 6 arrays spread parity data across all drives in the array when RAID 6 is started so if seven drives are in the array they will each have two parity stripes using up a total of two sevenths of the capacity leaving five sevenths of the capacity for user data Any disk drives that are subsequently added to the array will not have any RAIDstripes and so the full capacity is available for user data For example adding two more drives to the RAIDset gives seven drives at five sevenths capacity and two drives at full capacity For performance reasons it is desirable to stop and restart RAID on these dr
149. el 9405 520 Serial 10E80CC State OOOF Server firmware ready Reference code C6004027 Connection status 60 01 of 100 Requesting console access Figure 4 24 Power on 60 01 Figure 4 25 shows that power on is ready IPL or Install the System System S1LOE80CC Select one of the following Perform an IPL Install the operating system Use Dedicated Service Tools DST Perform automatic installation of the operating system Save Licensed Internal Code OP WN PE Selection Licensed Internal Code Property of IBM 5722 999 Licensed Internal Code c Copyright IBM Corp 1980 2006 All rights reserved US Government Users Restricted Rights Use duplication or disclosure restricted by GSA ADP schedule Contract with IBM Corp Figure 4 25 Power on ready 108 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Figure 4 26 shows the power on IPL steps Licensed Internal Code IPL in Progress 08 18 06 14 11 57 IPL oh g ea E NE RS Unattended Start date and time 08 18 06 14 11 24 Previous system end Abnormal Current step total 16 16 Reference code detail C6004065 IPL step Time Elapsed Time Remaining Commit Recovery 00 00 01 00 00 00 Data Base Initialization 00 00 01 00 00 00 Journal IPL Clean up 00 00 01 00 00 00 Commit Initialization 00 00 01 00 00 00 gt Start the operating system Item Current Total Sub Item
150. er 1 Planning for upgrades to System i5 hardware 17 If you want to run these disks under a separate partition they must be driven by an IOP IOA from one of the PCI X slots in the CEC Figure 1 7 a A A a SCSIDEVICE IDE Device P4 D2 n O QO PDI IDE Device Op Panel P1 T1 P4 D4 Figure 1 7 i520 front view Table 1 3 shows the physical specifications for model 520 Table 1 3 Model 520 physical specifications Rack mounted 437 mm 508 mm 178 mm 43 kg drawer 17 2 in 23 in 7 in 95 Ib Stand alone 201 mm 584 mm 533 mm 43 kg server 7 9 in 23 in 21 in 95 Ib 0588 5088 485 mm 1075 mm 200 mm 68 kg 19 1 in 42 3 in 8 0 in 150 Ib 0595 432 mm 686 mm 178 mm 42 7 kg 17 in 27 in 7 in 94 Ib 5094 485 mm 1075 mm 910 mm 280 kg 19 1 in 42 3 in 35 8 in 617 Ib 5095 246 mm 800 mm 556 mm 52 7 kg 14 5 in 31 5 in 21 9 in 116 Ib 5294 216 mm 1020 mm 1800 mm 726 kg 8 5 in 40 1 in 71 in 1600 Ib 18 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Table 1 4 shows details about the operating environment Table 1 4 Model 520 operating environment gt Stand alone 6 8 bels 5 35 degrees C 41 95 degrees F Chapter 1 Planning for upgrades to System i5 hardware 19 The i570 physical layout Figure 1 8 shows the plan view of model i570 This model is rack mount only and uses blindswap cassette technology so that you will not get t
151. ered does not have sufficient hardware to perform a side by side This method is the least desirable option If the target system has sufficient hardware to be used as a system a side by side is recommended to minimize the risks Failback is possible in the event of failure The unload reload scenario follows the same process as that described previously except that a new system is built with vital components disk and I O adapters from the existing system Thus for a short time when the customer engineer CE is performing the hardware upgrade the client s data is only on tape that is the source system has the vital components removed leaving it a lifeless hulk and the target system is not yet built Failback can involve a scratch install back onto the old hardware However this is time consuming and will possibly take too long for the business to stand This is the process 1 The vital system components move from the source to the target system Other migration methods cannot be used 2 Ensure a common tape media between the systems 3 Upgrade all the partitions to i5 OS V5R3 or later release with the latest cumulative pack HIPER and hardware related PTFs 4 Perform a full system backup at least two copies to guard against media error 5 Check the job log to ensure that the saves are completed successfully Chapter 2 Migration examples 37 Important Be absolutely certain that the saves are completed successfully
152. ervice Downloads Installation instructions Related documentation Select another HMC elease Download multiple files Download individual files or order CDs Download the HMC 5 2 1 update upgrade package and fixes for HMC 5 2 1 from this page A 4 Cc x n m a i 4 v n c U U0 6 9 Upgrade notes gt Microcode dovml Upgrading HMC V4 to HMC 5 x for i5 iSeries pSeries i There is no Corrective Service to update to HMC Version 5 from Version 4 You must perform an Upgrade via Recovery media to update from HMC 4 to any HMC Version 5 x Before upgrading you must use the Save Sign up for email Upgrade Data task to preserve existing configuration on the HMC such as a otific 0 n of HMC partition profiles and HMC configuration re O Upgrading to HMC 5 2 1 You can upgrade to HMC V5R2 1 in the following manners If you are currently at HMC V5R2 0 you can use the Update images PTF MH00594 to update your HMC to VSR2 1 After the update the output from the Ishmc V command will show a base_version string of VSR2 0 You do not need to apply PTF MH00653 if you are already using the update images from MH00594 to update your HMC to V5R2 1 e If you are currently at HMC V4R1 1 through HMC V5R1 0 you must use the Recovery media PTF MH00653 to upgrade your HMC to V5R2 1 After the upgrade the output from the Ishmc V command will show a base_version string of V5R2 1 HMC V5R2 1 contains fixes from M
153. es Migration A Guide to Upgrades and Migrations to IBM System i5 E Redbooks IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 0 2 spine 0 17 lt gt 0 473 90 lt gt 249 pages IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Understand the considerations for upgrades to IBM System i5 in i5 0S V5R4 Learn how TS1120 hardware based tape encryption works with i5 0S Review Thin Console support for low end System i5 without an HMC Planning an upgrade from an existing IBM AS 400e or IBM eServer iSeries server to a new model IBM System i5 can range from a simple disk migration to a complex task involving many components and OS upgrade steps This IBM Redbook discusses the various topics that are involved in migrating to the new Peripheral Component Interconnect X PCI X and IBM POWERS processor technology We include upgrade scenarios to assist your planning IBM i5 OS V5R4 contains additional components functions and features which this book discusses The new features include the new Thin Console support for the IBM System i5 low end platform This book also discusses the new hardware based tape encryption available with i5 OS V5R4 and the IBM TotalStorage TS1120 tape drive Whether you are an IBM Field Technical Support Specialist business partner or client this book offers the guidance to plan your upgrade or migration to
154. es is 5250 Configure the 5250 partition consoles on System i5 servers in the following ways gt Use only the HMC as the partition console gt Use the HMC as the partition console and define a twinax console device or operations console device as an alternate console device for a partition gt Not use the HMC as a partition console and specify a twinax console or operations console as the partition console When you use the HMC as the partition console connect to the 5250 console locally or remotely Connecting to the 5250 console locally To open a console session in the HMC perform the following tasks 1 In the navigation area select the managed system and select Server and Partition gt Server Management 2 The Server and Partition Server Management pane is displayed Expand the Partitions folder select the desired partition and right click This gives you the option to open either a dedicated 5250 console or a shared 5250 console If you open a shared 5250 console another user can open a 5250 emulation window and share the session with you Because this is really one session being shared between users there is no control switching mechanism Everything you type in the shared session is visible to the other user Connecting to the 5250 console remotely If your HMC is located in the machine room the use of the HMC as the partition console means that you have to go over to the machine room whenever you require a con
155. estment to spend 15k 20k on a benchmark test You will also benefit from access to the new software and hardware plus getting the additional benefit of skills transfer to key client staff Stabilization and preparation for the server model upgrade After the OS 400 upgrade the client must allow the server the time to stabilize at the new release allowing time for any OS 400 or application issues to be identified and resolved before proceeding further During this stage the client also plans the upgrade to the server Physical planning position weight power and cooling requirements and so on is performed LPAR configuration might require resources to be moved from their shipped location Disk migration might result in data migration and disk reconfiguration prior to upgrade The client must save the LPAR configuration from the iSeries Navigator to a diskette for later loading on the HMC or manually keying in the LPAR configuration into the HMC A readiness check is required before proceeding further 6 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 System model upgrade The client hands over all of this information to the IBM customer engineer CE who performs the miscellaneous equipment specification MES upgrade It is vital that the client has actually performed the critical planning stages outlined earlier The client might begin to set up the HMC in a stand alone setting that is not plugged
156. etic media controller 27297 2749 or PCI magnetic media controller 2768 1 In contrast to SPD towers that have either disk space or lOA IOP slots and limited disk space HSL towers feature IOP IOA slots and disk slots in greater quantity than the existing SPD towers Therefore depending on the type of SPD towers you are replacing you have multiple choices for HSL towers 2 If you are planning on migrating SPD features and towers to 5065 or 5066 before doing an upgrade to an 8xx system you must use the SPD PCI features that can reside only in 5065 or 5066 towers 3 2745 4745 support up to two multiple protocol communications ports when one or two in any combination of the following cables are attached 0348 V 24 EIA232 20 ft PCI cable 0349 V 24 EIA232 50 ft PCI cable 0353 V 35 20 ft PCI cable 0354 V 35 50 ft PCI cable 0355 V 35 80 ft PCI cable 0356 V 36 20 ft PCI cable 0358 V 36 150 ft PCI cable 0359 X 21 20 ft PCI cable 0360 X 21 50 ft PCI cable 0365 V 24 EIA232 80 ft PCI cable 0367 Operations Console Cable 4 The Integrated PC Server IPCS earlier known as FSIOP might be shown as feature 6517 6518 6519 6526 6527 6528 or 6529 All FSIOP and 6616 IPCS are no longer supported on V5R1 If you are using an 6617 or 6618 IPCS and planning on moving from SPD Chapter 1 Planning for upgrades to System i5 hardware 11 to PCI the 2790 2890 2791 2891 2799 2899 and 27
157. everal systems The Workload Estimator enables measurement input to best reflect your current workload and provides a variety of built in workloads to reflect your emerging application requirements Virtualization can be used to yield a more robust solution The Workload Estimator provides current and growth recommendations for processor memory and disk that satisfy the overall client performance requirements The tool is currently capable of estimating the computer resources required for IBM Lotus Domino IBM WebSphere Commerce IBM WebSphere Web serving and traditional workloads The Workload Estimator projects the most current System i5 server models that meet the capacity requirements within the CPU utilization objectives Workload Estimator can be used alone or in conjunction with the System Planning Tool Workload Estimator download Web site Download the Workload Estimator from http www ibm com jct01004c systems support tools estimator index html Figure 1 1 on page 4 shows the Workload Estimator home page Use the link shown in the browser window to start the download and follow the on screen instructions Chapter 1 Planning for upgrades to System i5 hardware 3 Country region select Home Products Services amp solutions Support amp downloads My account IBM Systems Workload Estimator q ERS IBM Systems Workload Estimator BladeCenter i The IBM Systems Workload Estimator is a web based sizing tool for Syste
158. f the 5xx CEC slots 1 6 1 Moving the Integrated xSeries Adapter or Integrated xSeries Server from iSeries 8xx to 5xx Perform the following tasks to move the IXS and the IXA from iSeries 8xx to 5xx 1 2 3 Ensure that the iSeries server is at V5R3 or later Install the latest program temporary fixes PTFs on iSeries Upgrade the integration software on the xSeries a Select Start gt Programs gt IBM iSeries gt Integration for Windows Server b Select the server you want to upgrade c Right click and select All tasks Update 4 Back up your xSeries server 5 During the upgrade to the iSeries hardware move the IXA or IXS card to its new position in the new iSeries server 6 Change the resource name in the nonprogrammable workstation NWS description 7 Vary on and use as normal 1 7 IBM AIX 5L migration Because AIX 5L is not supported on iSeries 8xx servers this is not a migration issue Any required AIX partitions can be set up and the data migrated subsequent to the model upgrade 24 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Note Historically model upgrades have not been offered in the AIX marketplace Therefore this scenario is not unusual for the AIX client base For more information about AIX 5L implementation refer to AIX 5L on IBM System i Platform Implementation Guide SG24 6455 For information about upgrades to the system within t
159. ficate authority Ca Figure 6 24 Certificate request created Chapter 6 Tape data encryption in i5 OS V5R4 155 6 2 3 Importing keys from another keystore This section explains how to import keys from another keystore iKeyman instance or import a signed certificate from a CA Follow these steps 1 In the IBM Key Manager window Figure 6 25 select Personal Certificates from the Key database content field and click Export Import f m Key Management C EKM keystore_x jck Key Database File Create View Help Die bl SRL Key database information DB Type JCEKS database file FileName C EKM keystore_xjck Token Label Key database content Receive keylabel_selfsigned_2 keylabel_selfsigned_1 Delete View Edit Export Amport Recreate Request New Self Signed Extract Certificate a personal certificate has its associated private key in the database Figure 6 25 Selecting the Export Import keys option 2 In the Export Import window Figure 6 26 select Import Key and specify the key file that is the keystore type JCEKS the File Name and the Location of the keystore from which you want to import the keys Click OK Export Import Key Choose Action Type Export Key Import Key Key filetype JCEKS A File Name keystore jck Browse
160. fundamentals 0 00 tees 2 1 1 1 Presales planning 0 0 eee eee 2 1 1 2 Postsales planning a E tees 5 1 2 Migration towers and SPD hardware 0 00 c cece cette 7 1 2 1 SPD features and their replacements 000 0c cee eee ee 7 1 2 2 SPD features that can be converted to PCI 0 0 00 cee eee 12 1 3 DiSk Migrationysc scdhaep ied bela oe Pb ele hae se a Ey Ss 12 1 3 1 Redundant Array of Independent Disks arrangements 4 13 1 4 Physical planning s rieri ereen bo ee ede eed eed lee ee bade ee 16 TS LINUX MIQKFATION sire eea eri Ad tee ie Batak adh ae da apie dered ar haeh Sete tere deb 23 1 5 1 Migrating a Linux logical partition from iSeries 0000 eae 24 1 6 Windows migration 0 0 eE ERE tees 24 1 6 1 Moving the Integrated xSeries Adapter or Integrated xSeries Server from iSeries XX t0 DXX ka iren iina a wh ese A a a a ete N pele 24 T7 IBMVAIX SL migrano aus 3 eres reise mare ential TERET Bigs E eas A IERRA 24 1 8 Migration and upgrade check list 0 0 eee 25 Chapter 2 Migration examples 00 00 cece tees 33 2 1 General upgrade considerations 1 0 0 0 000 ees 34 2 1 1 Side by side upgrade and data migration using the side by side method 35 2 1 2 Data migration using the side by side method source system in the previous ElIGASE a pa oes we been i be E E hase tele a latent ait eral is eles Gees 36 2 1 3 Upgrade usi
161. hat contains the load source disk must be housed in the system unit with the load source disk in slot 6 This might result in disk reconfiguration services being required prior to the upgrade 3 Ensure that there is space for the I O adapters to be relocated to the new server Because the migration tower is not supported on model 520 I O features and disks housed in this unit must be replaced before or during the upgrade Perform a full system backup Install an additional disk in the 5074 tower Install a new I O in the 5074 tower If the system unit on the 820 contains two RAID sets move one complete RAID set to the 5074 tower If not a data migration similar to that described in the previous example Example disk migration Gig Mig service on page 40 must be performed to get the number of disks down to the number supported in the 520 either four or eight depending on the order If the system has been in use since the time you performed this action perform another full system backup N ODO oO f 8 Power down the existing server 9 Remove the disks and the I O adapters from the system unit 10 Set up the HMC 11 Move the disks from the old system unit and install them in the new system unit 12 Install the I O adapters in the new system unit or 5074 as required 13 Upgrade 5074 to 5094 14 Power on the unit 15 Fix any bus ownership issues and hardware resource naming issues 16 Go live 42 IBM eSer
162. he System i5 range consult the AIX 5L upgrade pages at http www ibm com servers aix upgrade index html 1 8 Migration and upgrade check list Table 1 7 contains a checklist that you can print to prepare for your upgrade and migration plan During your planning process customize this checklist and use it as a structure to help you identify what you must do for your particular situation and availability requirements Table 1 7 Migration and upgrade planning checklist Task Brief description Due date Where to find task owner additional information General planning task If you have not already done so make a copy of this checklist and put it in your project book Organize your project book and project documents Perform physical planning tasks to make sure that you have adequate space and power for your upgraded system Be sure to consider the differences in cabling requirements Verify your planned configuration If you have not already done so determine whether you have to order replacements for unsupported hardware devices If your system exchanges information with other AS 400s or iSeries plan any required changes to ensure the coexistence of different OS releases If you have not already done so determine whether you will use IBM services for any part of the upgrade process Visit the physical site planning site which is available on the Web at http publib boulder ibm com infocenter ese
163. he following tasks 1 Choose Select a Certificate Store in the left panel of the DCM window Figure 6 44 Digital Certificate Manager Certificate Store Created The certificate store has been created File name EKM keystore_ikdb Selecta Certificate Store Expand All Collapse All a Create Certificate Create New Certificate Store Install Local CA Certificate on Your PC gt Manage User Certificates gt Manage CRL Locations Manage LDAP Location Manage PKIX Request Location Retum to i5 OS Tasks Secure Connection Note You must click on the Select a Certificate Store button in the left frame to refresh the Digital Certificate Manager DCM to work with this new certificate store Figure 6 44 Certificate Store Created window 2 Select Other System Certificate Store and click Continue Figure 6 45 Selecta Certificate Store Expand All Collapse All m Create Certificate m Create New Certificate Store a Install Local CA Certificate on Your PC gt Manage User Certificates gt Manage CRL Locations s Manage LDAP Location m Manage PKIX Request Location Retum to i5 OS Tasks Secure Connection Digital Certificate Manager Select a Certificate Store Select the certificate store that you want to open Local Certificate Authority CA SYSTEM OBJECTSIGNING iS Other System Certificate Store Figure 6 45 Select a Certificate Store window
164. he user definable settings in the Thin Console are minimal they can be easily re entered in the event of a Linux image reload As with any other 5250 console type an unplanned outage of the Thin Console hardware must not prevent the attached server from continuing to run However it will restrict access to some functionality on the system such as the DST Chapter 4 System i5 consoles in i5 OS V5R4 123 4 2 9 Troubleshooting This section discusses solutions for some common problems Hardware problems Table 4 3 lists some common hardware problems that might occur when using the Thin Console You can also refer to the documentation that comes with your console device or refer to the following Web site http www neoware com Table 4 3 Troubleshooting hardware problems The display of the Thin Console is There might be a hardware problem with the Thin completely blank Console or monitor or there might be a setup problem Follow these steps to resolve the problem 1 Verify that the cabling is secure and accurate 2 Verify that the Thin Console and monitor are powered on 3 Reset the default monitor resolution setting Refer to the console documentation or visit http www neoware com The keyboard is not working correctly This might be a hardware problem or it might be that the keyboard is set to a location that does not match the current keyboard setting Refer to the console documentation or visit http www neoware co
165. hich this book discusses The new features include the new Thin Console support for the IBM System i5 low end system This book also discusses the new hardware based tape encryption that is available with i5 OS V5R 4 and the IBM TotalStorage TS1120 tape drive Whether you are an IBM Field Technical Support Specialist business partner or client this book offers the guidance you require to plan your upgrade or migration to a new IBM System i5 system The team that wrote this IBM Redbook This book was produced by a team of specialists from around the world working at the International Technical Support Organization ITSO Poughkeepsie Center Nick Harris is a Consulting IT Specialist for the IBM System i5 and works in the Rochester Executive Briefing Center He spent the past nine years at the ITSO s Rochester Center He specializes in logical partition LPAR iSeries hardware and software external disk Integrated IBM xSeries Server for iSeries and Linux He has written and taught IBM classes worldwide on IBM System i5 iSeries and IBM AS 400 system design and server consolidation He spent 13 years in the United Kingdom UK AS 400 Business and has experience in S 36 S 38 AS 400 and iSeries servers You can contact him at niharris us ibm com Michael Bird is a freelance IT consultant in the UK He has more than 20 years of experience in IT He worked for IBM for 10 years as a Customer Engineer CE and in the AS 400 Support
166. ice tools SST menu Figure 3 14 is similar to the DST menu The actions to be performed in SST are similar to those actions described for DST in the earlier sections Work with Disk Configuration Select one of the following Display disk configuration Add units to ASPs Work with ASP threshold Include unit in device parity protection Enable remote load source mirroring Disable remote load source mirroring Start compression on non configured units Add units to ASPs and balance data Start device parity protection RAID 5 Start device parity protection RAID 6 GOON OURWNRPE e Selection F3 Exit F12 Cancel Figure 3 14 Working with the disk configuration screen in SST 3 4 6 Migrating to RAID 6 from mirrored To change the disk protection from mirrored to RAID 6 follow these steps 1 IPL to DST 2 Stop Mirroring 3 Start RAID 6 3 4 7 Migrating to RAID 6 from RAID 5 protected To change to protection from RAID 5 to RAID 6 follow these steps 1 IPL to DST 2 Stop RAID 5 3 Start RAID 6 68 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 3 5 Load source migration The load source drive for a system or logical partition LPAR must be at least 4 19 GB for i5 OS V5R3 and at least 17 54 GB for i5 OS V5R3M5 and i5 OS V5R4M0 For a better performance the faster 15 000 revolutions per minute rpm drives are recommended When upgrading a system to System i
167. igure your TS1120 tape drive for encryption using the TS3500 Tape Library Specialist Web interface 6 7 1 Defining the keystores to be used by the TS3500 To enable encryption point the TS3500 tape library to where it can find the keystore or the Key Manager you created When the TS1120 tape drive located in the library wants to write or read an encrypted tape it requests keys from the keystore All you have to do is point the tape library system to the key manager by adding its address 1 Go to the IBM System Storage Tape Library Specialist Web interface Figure 6 67 For instructions for setting up the IBM System Storage Tape Library Specialist Web interface refer to IBM System Storage TS3500 Tape Library Operator Guide GA32 0560 01 IBM System Storage TS3500 Tape Library Work Items Welcome Page bila Faga TS3500 Tape Library Qa Manage Cartridges Qa Manage Drives Qa Manage Library GQ Manage Ports GQ Manage Access gt The Specialist enables you to monitor library status and perform library operations from a remote location Use G service Library 4 the Work Items area on the left to navigate to available Specialist tasks Switch to Original Navigation Manage Physical Library Manage Logical Library e Advanced Library Management System is Enabled For more information select the help icon in the top right of the screen Figure 6 67 IBM System Storage Tape Library Specialist W
168. in qycuemt ndm maind m Search een 7 Ah Home we Bookmarks BluePages L HR Web Belgium Luxe 2 Belgium Luxembourg in L IBM Systems Informati 4 Kaart Digital Certificate Manager Selecta Certificate Store Expand All Collapse All 5769 NC1 5769 NCE 5769 SS1 5722 SS1 C Copyright IBM Corporation 1997 2005 m Create Certificate All rights reserved US Government Users Restricted Rights pense ees Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp Install Local CA Certificate on Your Licensed Materials Property of IBM PC GENUINE f gt Manage User Certificates p a R S A Contains software from RSA Data Security Inc gt Manage CRL Locations Manage LDAP Location m Manage PKIX Request Location Retum to i5 OS Tasks He EL ED Done CO Figure 6 40 DCM start page 2 In the Create New Certificate Store window select Other System Certificate Store and click Continue as shown in Figure 6 41 Digital Certificate Manager Create New Certificate Store Select a certificate store SIGNATUREVERIFICATION Select a Certificate Store fS Other System Certificate Store Collapse All Continue Cancel Create Certificate m Create New Certificate Store Install Local CA Certificate on Your PC gt Manage User Certificates gt Manage CRL Locations Manage LDAP Location Manage PKIX Request Location Retum to i5 OS Task
169. inal dView E tion Method 11 359 0 255 Show Library Managed Navigation Details Figure 6 75 Modifying encryption method 188 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 3 The Encryption method window is displayed Figure 6 76 Note that the default value is None and that the four remaining parameters are for IBM Support use only Attention Changing these values is not recommended fe Encryption Method Microsoft Internet Explorer Encryption Method Encryption Method Advanced Encryption Settings for Engineering Support use only mmx Iv Advanced Method No Advanced Setting v Scratch Cartridge Encryption No Advanced Setting Density Code No Advanced Setting v Key Path No Advanced Setting v Apply Cancel a Done 3 Local intranet Figure 6 76 Encryption method 4 To change the encryption method select Library Managed in the Encryption Method menu as shown in Figure 6 77 j Encryption Method Microsoft Internet Explorer Encryption Method Encryption Method Application Managed Advanced Encryption Settings for Engineering Support use o Advanced Method No Advanced Setting v Scratch Cartridge Encryption No Advanced Setting __ Density Code No Advanced Setting x Key Path No Advanced Setting a Apply Cancel sij
170. ind gt Do not encrypt the keys you require for decrypting If you install your keystore on the same system from which you are backing up data you risk backing up parts of the EKM to the encrypted tape as well Although it might look easier to have your EKM server on the same system when all you want to do is restore just one library or a file it will make your system completely unrecoverable if a scratch install is required Therefore it is recommended that you install the EKM server on a different system from the one on which you are encrypting data gt Do not encrypt data for which you do not require encryption Consider what data you want to encrypt LIC i5 OS system libraries and directories do not contain confidential or sensitive data Accidental loss can be covered by maintaining several copies of the system data Do not encrypt data unnecessarily Combine these two recommendations which can also help you save considerable time in the event of a complete system loss of your System i5 Because the EKM server is running on a different system you can start recovering it independent of your System i5 server At the same time because you have not encrypted the system data on the System i5 server you do not have to wait until the EKM server is up and running to start installing the System i environment in your recovery site If your EKM server is going to be running the same system you must first recover that system to a point where
171. ind when performing load source migration gt The target load source LS drive must be equal or greater in usable capacity than the source LS drive gt The hardware level and the operating system level of the host system for the process must support both the source LS drive and the target LS drive gt Always perform a full system save before starting the process gt When moving RAID protected drives all of the drives in a RAIDset must move together when moving between storage IOAs gt Check the number of drive bays in the target system they might be less than the number of bays in the source system For example if you are moving from model 800 to model 520 there might be six drives in the load source disk s RAIDset in model 800 but only four disk positions in the CEC of model 520 gt Draw a map ofall drives that will be moved and record their serial numbers and positions iSeries Navigator provides a useful graphical representation of disks and their positions When moving disks to the PCI X IOAs from the non PCI X IOAs the RAID arrangement on disk physically changes at the next IPL This re arrangement process is non reversible Chapter 3 System i5 disk ati5 OS V5R4 69 Note The process is basically the same for a system with an LPAR as for a system without an LPAR All you have to do is follow the relevant scenario instructions 3 5 2 Load source migration No disk protection 70 This process assumes no RAID
172. ing system you must define one of your logical partitions as the service partition After changing the update policy the next IPL of the service partition will cause the server firmware level on the managed system to be flashed with the current level of the server firmware portion of the LIC on the service partition This process is known as LS Flash Synching Firmware Load Source to SP Flash synchronization Therefore it is important that you check the current level of firmware on the service partition before you make the change and ensure that it is at the same level or at a higher level than the server firmware running on the managed system Also consider the consequences in the event of a scratch install of the service partition To avoid these situations it is recommended that you set the update policy to HMC instead of operating system The only situation where you will be forced to change the update policy from HMC to operating system and designate a service partition is when you go from a system that was previously managed by an HMC to a system that is no longer managed by an HMC You will receive the following error message to signal this situation This partition does not have the authority to perform the requested function Verify that this partition has service authority If the problem persists after granting the partition service authority then contact your service support structure IBM eServer iSeries Migration A Guide
173. ion Due date Where to find ____ Task Has IBM Technology Services been offered to assist in the installation of all or part of the hardware software or configuration of the network communication Task If planning for a TCP IP network has a unique Internet domain name been registered _____ Task If the client is planning to connect to the Internet are appropriate security measures planned or implemented Testing tasks Plan how to validate your applications Plan how to check network communications and client software 32 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Migration examples This chapter provides some examples of a general upgrade and migration process and certain advanced situations Before reading this chapter you must have an understanding of the planning considerations and migration options described in Chapter 1 Planning for upgrades to System i5 hardware on page 1 Important The steps and descriptions in this chapter are for guidance only Steps processes and responsibilities might change If you are planning an upgrade using a supported miscellaneous equipment specification MES the Customized Upgrade Installation Instructions CUII will always be the correct document to describe the upgrade For an unsupported migration using an upgrade method you should seek advice from your IBM Representative before attempting the upgrade Copyright IBM Cor
174. is certificate store or remove a certificate from a specific user identity Create Certificate Validate certificate Validate a certificate in this certificate store Create New Certificate Store Check expiration Check the expiration dates of certificates Install Local CA Certificate on Set CA status Enable or disable a Certificate Authority CA certificate in this certificate store _ Update CRL location assignment Assign the Certificate Revocation List CRL location for a Certificate Authority CA E m O Assign a user certificate Assign a user certificate to a user identity Renew certificate 1 Import carina Export certificate Delete certificate a Validate certificate Check expiration a Set CA status Update CRL location assignment Assign a user certificate lv sil M 2 Figure 6 49 Manage Certificates window 172 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 5 2 Creating a private public key pair in your keystore This procedure explains how to request a certificate from a CA A CA is a trusted third party After you create your certificate request the CA signs it The signed certificate is then held in your keystore Perform the following tasks 1 Click the Create Certificate option in the left column In the right panel select Server or client certificate and click Continue as shown in Figure 6 50 Digital Certificate Manager
175. ives to spread the parity stripes across all the nine drives giving nine drives of seven ninths capacity A RAID 6 RAIDset can contain a minimum of four disk drives and a maximum of 18 disk drives RAID 6 can be implemented only on 571B and 571E IOAs which have auxiliary cache IOA cache is mirrored to prevent data loss in the event of an IOA cache failure An additional feature of RAID 6 is that when functioning with no drive failures the RAID 6 IOA can interrogate the user data and the parity data to ensure consistency Because of the two parity bits any inconsistency can be isolated and corrected For example if a disk head is not tracking correctly and therefore not reading data correctly the parity bits will not conform to the data and a parity inconsistency is logged On a RAID 5 implementation all that is known is that there is a problem and the failing disk cannot be isolated until other diagnostics show a hardware error However on a RAID 6 implementation because of the two parity bits the false data bits can be isolated and corrected Thus the system can perform data cleaning Note The System i5 implementation of RAID 6 uses the P amp Q parity data based on the Reed Solomon algorithm method This method utilizes a hardware finite field multiplier direct memory access DMA engine to perform the necessary calculations Because other implementations utilize software calculations they use CPU capacity or have to use
176. ivity you plan to use must be specified as part of the order for your new iSeries server 13 Power down the existing system and remove the cables 14 Connect the new system with the HSL cables and the SPCN cables as per the CUII document 15 In the new i570 system the CE will install the catch assembly to each central electronics complex CEC drawer 16 Install the fabric flex SMP cable so that the left side is behind the rack frame and will not interfere with the covers or the rack trim Figure 2 1 on page 47 46 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Figure 2 1 Fabric flex SMP cable Note Fitting the flex cable is a client install but an MES adding a CEC drawer is considered a CE install 17 Start with the top CEC drawer and then align the flex cable assembly to engage the install lever with the catch assembly 18 After ensuring that the connector pin alignment is all right move the lever in the fabric flex cable to the installed position and lock in place Refer to the fabric SMP cable install lever action in the CUII document Chapter 2 Migration examples 47 19 Install the flexible service processor cable on the right side of the rear of the CEC unit Figure 2 2 Figure 2 2 FSP cable 20 Remove the load source disk from the old server and insert it into the correct load source slot in the new system 21 Remove the five remaining disks from the first RAID
177. ize Keypad Color Mapping Keyboard Remapping System S10E80CC Enter Service tools password F3 Exit F5 Change password F12 Cancel Figure 4 36 5250 Session color mapping Chapter 4 System i5 consoles in i5 OS V5R4 115 3 Click Advanced Select a construct from the left column and change it to the color of your preference Click Apply Current Color When you are finished click Save to save your changes to a new user defined color scheme Figure 4 37 J IBM 5250 Console A Color Mapping Select the color mapping function 255 f a Menu bar background a i Current Color Menu bar foreground Main session background Push button background Blue text Green text Pink text Red text E 7 Apply Current Color Turquoise text White text Yellow text Assist Program Menu Bar Cursor Mouse pointer Rule line Blue text Turquoise text Entry Area Green text White text Status line background Button Pink text Yellow text Red text EEE Status Line Delete Figure 4 37 5250 session color mapping function 116 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 4 Click Basic select the new color scheme you just created and click Save as shown in Figure 4 38 J IBM 5250 Console A Color Mapping Select the color mapping function CER Advanced Choose a color scheme NewColours IBM Black background IBM
178. l passwords are case sensitive You may also define multiple IDs which may also have varying authority levels If you forget or disable your service tool IDs they can be reset by using the command CHGDSTPWD from an OS 400 command line using the Security Officer profile 5 Figure 1 3 shows the four options that are available to you All Disks This provides a list of all the disks on the system By Location This provides a list of disks by tower Right click one of the towers to view its serial number and frame ID This can be compared to the frame ID displayed on the tower itself Disk Pools This enables you to view a list of disks according to auxiliary storage pool ASP Nonconfigured Disks This provides a list of disks found on the system but have not yet been added to an ASP AS 400 Operations Navigator File Edit View Options Help amp Ba Xx ahs 2 minutes old Environment My Connections ERS Disk Units Management Central My Connections Name Description All Disk Units All disk units By Location Disk units organized by phys Disk Pools Disk units organized by disk Nonconfigured Disk Nonconfigured disk units Basic Operations EB Work Management a Configuration and Service E System Values a da Hardware amp All Hardware 4 Communications System Adapters amp LAN Resources amp Workstation Resources Processor Information Eh Cryptogr
179. lace zx Availability EA Parity Set 1 V 16 Cmb02 DcO2 Fro No arity Set 2 Iv 3 Cmb01 DcO1 Fro No nA Parity Set 3 Iv 3 Cmb01 DcO1 Fro No 4 Parity Set 4 gt Start Parity Cancel Help ll Figure 3 9 The Confirm Starting Parity window The Start Parity status window appears Figure 3 10 O start Parity 9 517 170 J E Percent Complete 15 Close Figure 3 10 The Start Parity status window Chapter 3 System i5 disk at i5 OS V5R4 65 3 4 4 Migrating to RAID 6 from unprotected disk using dedicated service tools To migrate to RAID 6 from unprotected disk using the DST follow these steps 1 From the DST main menu select Work with Disk Units 2 Select Work with disk unit configuration 3 Select Work with Device Parity Protection 4 On the screen shown in Figure 3 11 enter 6 for Start device Parity Protection RAID 6 Work with Device Parity Protection Select one of the following 1 Display device parity status 2 Start device parity protection RAID 5 3 Stop device parity protection 4 Include unit in device parity protection 5 Exclude unit from device parity protection 6 Start device parity protection RAID 6 7 Select parity optimization Selection F3 Exit F12 Cancel Figure 3 11 Working with device parity protection in DST 66 IBM eServer iSeries Migration A Guide to Upgrades and Migrations
180. le If your drive is mounted on E double click E syslinux32 syslinux e drive bat If your drive is mounted on F double click F syslinux32 syslinux f drive bat Chapter 4 System i5 consoles in i5 OS V5R4 119 If you have another drive letter either create a corresponding bat file using Notepad or contact Development Your USB key must now be a bootable installer Power down the Thin Console by holding down the Power button for five seconds Insert the USB key into your Neoware Thin Console N OO A Power on the Thin Console and press the Delete key after you hear the Thin Console beep to enter the BIOS setup utility 8 In the Phoenix AwardBIOS CMOS Setup Utility screen Figure 4 42 select Advanced BIOS Features Standard CHOS Features gt Frequency Voltage Control t Advanced BIOS Features Load Optimized Defaults t Advanced Chipset Features Set Supervisor Password t Integrated Peripherals jet User Password gt Power Managercat Setup Save amp Exit Setup gt PaP PCI Configurations Exit Without Saving gt PC Health Status sc Quit fie Select Itea 18 Save amp Exit Setup Virus Protection Boot Sequence Figure 4 42 Phoenix AwardBIOS CMOS Setup Utility 120 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 9 This takes you to the Advanced BIOS Features window Figure 4 43 Phoenix AvardBl0S CHOS Setup Utility fidvanced BIOS Features
181. le to complete the upgrade you will have to recover your system by scratch installing from this backup During the installation process and subsequent PTF installation the system may have to IPL several times You can prevent the system from running your autostart jobs by changing the system value QSTRUPPGM to NONE Performing an automatic upgrade The steps involved in performing an automatic upgrade are 1 Insert the System LIC CD into the CD drive 2 Set the control panel mode to Normal 3 Power down the server or partition by entering the following command PWRDWNSYS OPTION IMMED RESTART YES IPLSRC D 4 Load the next volumes when prompted Verifying the success of an automatic installation Perform the following tasks to verify the success of an automatic installation 1 When the sign in display is shown sign in as QSECOFR Enter the command GO LICPGM select option 50 and press Enter 2 3 It the Display Install History screen press Enter 4 Check the displayed log for errors 5 Refer to Chapter 10 Troubleshooting software installation problems in System i i5 OS and related software Installing upgrading or deleting i5 OS and related software Version 5 Release 4 SC41 5120 which is available on the Web at http publib boulder ibm com infocenter iseries v5r4 topic rzahc rzahc pdf Installing additional programs if required To install additional programs perform the following tasks 1 Enter
182. lf It must have a txt extension It will be created by the EKM The file path must be preceded by FILE debug output file Specify the path and the file name of the debug file you want to create The file must have an extension of log 160 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 TransportListener tcp timeout Specify 120 that is the number in minutes drive acceptUnknownDrives Set this property to true if you want the EKM server to automatically add tape drives to the EKM drive table when they contact EKM If you decide against allowing tape drives to be added automatically in which case you must add the tape drives manually set this value to false See 6 3 4 Adding tape drives to the EKM drive table on page 163 P KeyManagerConfig properties Notepad 0 xi File Edit Format View Help it event outcome success failure it event types all it eventQueue max 0 it handler file directory keymanager audit it handler file name kms_audit 10g it handler file size 10000 in ssl keystore name testkeys in ssl truststore name testkeys config drivetable file url FILE keymanager drivetable debug none debug output simple_file debug output file keymanager debug fips off TransportListener ssl ciphersuites JSSE_ALL i 5s 1 clientauthentication 0 55 keystore name keymanager testkeys ssl keystore type jceks ssl port 443 ssl proto
183. ly through external 7208 devices 6325 and Optional CD ROM feature 4425 or 4525 CD ROM device 6425 2621 Removable media device 2729 or 2749 PCI Ultra magnetic media attachment controller Storage device controller 2748 4748 PCI Redundant Array of 97489 Independent Disks RAID disk 27782 4778 or unit controller 9778 10 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 SPD Card description and properties Suggested Card description and feature replacement PCI properties code feature 34xx magnetic tape subsystem All the devices that are attached attachment to the 2644 IOP are not supported on V5R2 Magnetic storage device controller All the devices that are attached to the 6112 IOP are not supported on V5R2 Diskette adapter All the devices that are attached to the 6146 IOP are not supported on V5R2 DASD controller All the devices that are attached to the 6500 IOP are not supported on V5R2 Tape Disk device controller 27297 or 2749 PCI magnetic media controller 2765 or Fibre Channel FC tape and 27661 disk controllers 6502 6512 RAID disk unit controller 27482 4748 or PCI RAID disk unit controller 6530 6532 97489 and PCI X RAID disk controllers and 6533 2778 4778 or 97789 27579 or 27829 Internal tape device controller 27487 4748 or PCI RAID disk unit controller 97489 and PCI X RAID disk unit 2778 4778 controller 9778 27579 or 27829 6534 Magn
184. m You cannot view wide displays such as Set the resolution of the Thin Console to 1024 x 768 spool files using the 5250 console 124 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Connection status codes Table 4 4 shows connection status code problems that might arise when using the Thin Console Table 4 4 Troubleshooting using status codes Symptom The status screen does not get past status code 00 xx The status screen displays status code 10 xx and then prompts you for the HMC access password After entering the password the user ID and password cannot be authenticated The status screen does not get past status code 10 xx or 20 xx The status screen does not get past status code 30 xx The status screen does not get past status code 40 xx Problem and recovery task The Thin Console is not able to find an active service processor To resolve the problem 1 Verify that the Ethernet cable is plugged into either the HMC1 or HMC2 port at the back of the server 2 Verify that the Ethernet ports on both the server and the Thin Console are showing link active and activity lights Verify that the HMC port on the server is configured with either the 192 168 3 147 or the 192 168 2 147 IP address manufacturing defaults If the port is not configured using one these IP addresses reset the factory settings From the ezConnect Neoware Connection Manager window sele
185. m Cluster servers i5 System p5 and System x You can use this tool to size a new gt IBM System i5 tools Mainframe system to size an upgrade to an existing system or to size a consolidation of several systems The Workload Estimator allows measurement input to gt IBM System p5 tools System i5 best reflect your current workload and provides a variety of built in OpenPower servers workloads to reflect your emerging application requirements Virtualization can be used to yield a more robust solution The Workload Estimator will Intel processor based provide current and growth recommendations for processor memory and disk that satisfy the overall client performance requirements UNIX servers Run IBM Systems Workload Estimato Solutions Run the online version of the Workload Estimator Storage Download the IBM Systems Workload Estimator 18 8 KB Important information on downloading Support Operating systems Workload Estimator features Figure 1 1 WLE download page Solution proposal By discussing the client s existing server configuration and their requirements the IBM Sales Representative or IBM Business Partner formulates a complete proposal During this phase of the project the baseline information about the client environment must be gathered During the solution proposal use the Workload Estimator or one of the System i capacity planning tools to establish the size and the capacity of the System i server For
186. m i5 hardware 27 28 Task Brief description Due date task owner Task Does the client understand which parts of this installation are the client s responsibility and which are the IBM Service Representative s responsibility Task Have the appropriate installation manuals for both hardware and software been ordered for the client on CD ROM Task Does the client agree with the installation plan Task Has the client committed personnel and resources to the project Task Will the client location be able to move the system to the installation site from the delivery dock Is the height width depth and load capacity of any elevator to be used adequate for system Task Have the names of the movers and the installation group been given to the client s security personnel Task Will additional special tools be required to move the equipment to the client s machine room Software checklist Task Has the required level of OS 400 been ordered Task If LPARs are going to exist will they have valid OS 400 releases for the hardware and the primary partition Task Will the installed system be upgraded to the required level of OS 400 before the upgrade and if so when Task Are the current cumulative program temporary fix CUM PTF packages available Task Has the Preventive Service Planning PSP package been reviewed and understood Where to find additional information See the physical planning site http
187. mmand has been entered the DOS prompt is displayed and you can continue to type in the relevant EKM console command 162 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 3 3 Starting and stopping the EKM server To start the EKM server enter startekm at the prompt To stop it enter stopekm Example 6 1 Example 6 1 Starting the EKM Admin console and the EKM server C Program Files IBM Java50 jre bin gt java com ibm keymanager KMSAdminCmd C EKM keymanagerco nfig properties startekm Loaded drive key store successfully Starting the Encryption Key Manager 1 0 Processing Arguments Processing Server is started stopekm Stopping the EKM admin service 6 3 4 Adding tape drives to the EKM drive table If you decide against allowing tape drives to be added automatically specify drive acceptUnknownDrives false butin that case you must add the tape drives manually before using EKM Start the EKM Admin console and enter the following command from the command prompt for each drive adddrive drivename drivename recl alias1 rec2 alias2 drivename is the serial number of the drive for example 000001365054 The serial number must comprise 12 characters Use leading zeroes recl and rec2 are optional parameters They are the default keys assigned to your drive in the event that the key requested for use with a cartridge loaded in your drive is not present in the keystore adddriv
188. more information about the Workload Estimator refer to the following Web site http www 304 ibm com jct01004c systems support tools estimator index html You must also review the information in the IBM Systems Hardware Information Center Much of the hardware planning information for both IBM System i5 and IBM System p5 servers is now available in the Hardware Information Center at http publib boulder ibm com infocenter eserver vir3s index jsp The IBM Prerequisite Web site provides you with compatibility information for hardware features This tool helps you to plan a successful system upgrade by providing you with the prerequisite information for the features you currently have or plan to add to your system http www 912 ibm com e_dir eServerPrereq nsf If you are working with an existing System i server that has an HMC at V5R2 you can use the System Plan function to gather hardware and partition information that can be utilized for the creation of your SPT model You will not be able to deploy the upgrade system plan unless the upgrade is to just add hardware for an additional partition For more information about the System Planning Tool and the System Plan function of the HMC refer to http www ibm com servers eserver support tools systemplanningtool You can also refer to the LPAR Simplification Tools Handbook SG24 7231 Initial e Config output The initial server design can be output from e Config which enables IBM Sales
189. n Return to i5 OS Tasks Secure Connection Digital Certificate Manager IEM Current Certificate Store You have selected to work with the certificate store listed below The left frame is being refreshed to show the task list for this certificate store Select a task from the left frame to begin working with this certificate store Certificate type Server or client Certificate store path and filename EKM KEYSTORE_I KDB Figure 6 47 Current Certificate Store window Chapter 6 Tape data encryption in i5 OS V5R4 171 There are two ways in which to work with the keystore you selected Inthe left column select Fast Path Work with server and client certificates Figure 6 48 Selecta Certificate Store Digital Certificate Manager Expand All Fast Path vEast Path Select the type of action that you want to perform m Work with server and client Work a CA certificates Work with server and client certificates Work with user certificates You can add delete export view or renew a server or client certificate in the certificate store In addition you can import a certificate Work with certificate requests into the certificate store create a new certificate or set a certificate as the default certificate for the certificate store m Work with CRL locations Work with CA certificates Create Certificate You can view delete or export a Certificate Authority CA certificate In addition you can import a
190. nd P4 is the old PO Note When we refer to the side by side or unload reload methods here we are discussing the style of upgrade or migration This does not necessarily mean that the marketing features for a side by side or unload reload have been configured on e Config Table 2 1 compares the upgrade methods The option with the least risk is a combination of side by side to test and relocated disks for the final upgrade when possible Table 2 1 Comparison of upgrade methods 34 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 1 1 Side by side upgrade and data migration using the side by side method The side by side upgrade path is a method where the target system is a complete or near complete replacement for the source system This is of two types gt Side by side retaining the existing serial number that is a side by side upgrade gt Side by side with a new serial number that is a box swap and not an upgrade This is used often when there is no supported upgrade path from the client s existing system as a data migration to a new system If the source system is a model that does not support the V5R3 or later level of OS 400 there are additional steps in the upgrade path Both the methods involve the purchase of enough resources to duplicate most or all of the current environment Side by side upgrade In the side by side upgrade method with IBM approval an IBM service contract
191. ne can take control of the console session at a given moment Both direct attached and LAN attached consoles allow incoming dial in connections to the PC which facilitates remote access and system management 4 1 3 The Hardware Management Console This topic describes the virtual console terminal emulation functionality of the HMC For more information about HMC installation and configuration system management remote management Web based System Manager WebSM and SSH and Advanced System Management Interface ASMI refer to Logical Partitions on System i5 A Guide to Planning and Configuring LPAR with HMC on System i SG24 8000 90 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Using the Hardware Management Console as a partition console With the introduction of the 5xx models the LPAR configuration and management functions were removed from the iSeries service tools and transferred to the HMC The HMC performs logical partitioning functions service functions and various system management functions It is a prerequisite to LPAR configuration and Capacity on Demand in any System i5 environment The HMC connects to the managed system through an Ethernet LAN connection to port HMC1 or HMC2 of the Service Processor SP in the CEC A virtual console terminal can be configured to run on the HMC for each partition thus reducing the requirement for extra hardware in each partition One of these console typ
192. nect Fi3 Clear Fi7 Top Fi 8 Bottom F21 CL command entry Figure 6 64 QSH Command Entry screen 4 When the EKM Admin server is started the prompt is available as shown in Figure 6 65 QSH Command Entry gt strEKM propfile EKM KeyManagerConfig properties Sep 7 2006 11 29 06 AM com ibm keymanger config ConfigImpl get FINER ENTRY Sep 7 2006 11 29 06 AM com ibm keymanger config ConfigImpl get ALL debug output simple_file Sep 7 2006 11 29 06 AM com ibm keymanger config ConfigImpl get FINER RETURN F3 Exit F6 Print F9 Retrieve F12 Disconnect Fi3 Clear Fi7 Top Fi 8 Bottom F21 CL command entry Figure 6 65 Start EKM Admin Console 182 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 6 3 Starting and stopping the EKM server To start the EKM server enter the following command from the QSH command entry Figure 6 66 strEKM server propfile fully _qualified_properties file _name To stop the EKM server enter stopEKM You can also run the server in a batch job In that case end the batch job to stop the server FINER ENTRY Processing gt strEKM server propfile EKM KeyManagerConfig properties Sep 7 2006 11 41 01 AM com ibm keymanger config ConfigImpl get Sep 7 2006 11 41 01 AM com ibm keymanger config ConfigImpl get ALL debug output simple_file Sep 7 2006 11 41 01 AM com ibm keymanger config ConfigImpl get FINER RETURN L
193. ng unload reload 0 00 ccc eee 37 2 1 4 Upgrade with converted or relocated diskS 00 cee eee eee eee 38 2 1 5 Upgrade with load source migration 0 e eee ee 39 2 2 Migration examples rarer hurts Me ak eae ES ele A ates in eae el beg Ales 40 2 2 1 Model 810 to model 520 or 525 550 with no LPAR 200005 40 2 2 2 Model 820 with tower to model 520 525 550 with no LPAR 42 2 2 3 Model 640 to model 520 or 525 550 noLPAR 0 02 0 eee eee 43 2 2 4 Model 720 to model 520 or 525 550 ee 44 2 2 5 Model 840 to model 570 system upgrade with no LPAR or Hardware Management Console nananana ccc eee 45 Chapter 3 System i5 disk at i5 OS V5R4 1 ee 51 3 1 Introducing the System i5 disk technology 0000 e eee ee eee eee 52 3 2 Disk types speeds and feeds 0 cee eee 52 3 3 DISK packagiNG accuse Ao See Pea GATE Ena ee ede ee wR ORS 52 3 3 1 System i515 525 520 and 550 1 eee 52 3 32 SYSTEM 1570 aan cg ane fete Pee kei E dee Wh sanded E hw hls Boca ae eden es 52 3 9 3 SyStem 1 595 0 otc A ae cl ek MA US Lk a A erh 52 Copyright IBM Corp 2007 All rights reserved iii iv 3 3 4 VO expansion 2 400 94 4 te dada dee abe aa Peed bade haedareta byes 52 3 4 Disk protection typeS 0 0 0 0 ke vati oeu ee eet 53 3 4 1 RAID 5 VS RAID Ginie enana apante geet pla Pew he Yale eee ee de s 55 3 4 2 Considerations when planning di
194. nge F19 Left F20 Right Figure 6 63 Sample properties file 3 Save the changes to the KeyManagerConfig properties file 6 6 2 Starting the EKM Admin Console command prompt This section describes how to start the EKM admin console from the QGHELL command line Important Do not modify the KeyManagerConfig properties file when the EKM Admin console is running The changes will be lost If you want to make changes end the EKM Admin console first and restart it after you have made the changes The properties file is only read at startup and the values are stored in memory When the EKM Admin console is ended it writes the values in memory to the KeyManagerConfig properties file in case any changes are made using the EKM commands when the admin server is up For information about EKM commands refer to BM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide GA76 0418 Perform the following tasks Chapter 6 Tape data encryption in i5 OS V5R4 181 1 To start the EKM Admin console enter the STRQSH command on an i5 OS command line 2 Start the EKM Admin console from the QSH command line by entering strEKM propfile fully _qualified_properties file name 3 The screen shown in Figure 6 64 opens To show Help on the strEKM script type strEKM h QSH Command Entry gt strEKM propfile EKM KeyManagerConfig properties F3 Exit F6 Print F9 Retrieve F1i2 Discon
195. nknownDrives to on 8 Start the EKM server 9 Enable the TS1120 tape drive for encryption In this topic only the installation of an EKM server on the System i platform and a Windows based PC are discussed in detail However EKM is supported on a wide range of platforms For installation on other platforms refer to IBM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide GA76 0418 You can find this and other publications file downloads and updated information on the IBM TotalStorage Web site under the TS1120 topic http www ibm com servers storage support tape ts1120 downloading html In the Support for TS1120 Drive page click Downloadable files In the page that is displayed select IBM Encryption Key Manager component for the Java Platform 6 1 4 Backup and recovery considerations with Encryption Key Manager 140 When planning for EKM be sure to consider the backup and recovery implications Keys can get lost in two ways gt The keystore itself is encrypted gt The keys are corrupted or the system they are running on is down Important The impact of losing your keys is nothing less than disastrous A data on the encrypted tapes become inaccessible without any means of recovery There are no workarounds IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 In the light of the probable consequences keep the following points in m
196. nsion tower or an external drive As with the i520 only one of the DVD drive bays is available for i5 OS use In the control panel there are USB and Ethernet ports Neither of these is available for use by the partitions The controls for accessing the display messages and entering the options is very similar to the current 8xx operation panel Chapter 1 Planning for upgrades to System i5 hardware 21 There are six disk bays in the i570 570 Front Locations sits Media fl Operation Panel SANGHA P4 D1 Ethernet D1 Not supported USB by i5 OS P3 D1 P3 D3 P32D5 P3 D2 P3 D4 P3 D6 CPU Regulators Base DASD Six Pack Hot Plug Capable A Required if second HSL 2 RIO G loop is installed Figure 1 10 i570 front view Table 1 5 describes the physical features of the i570 Table 1 5 Model 570 physical specifications System unit 483 mm 790 mm 174 1 mm 63 6 kg 19 in 31 1 in 6 85 in 140 Ib 0588 5088 485 mm 1075 mm 200 mm 68 kg 19 1 in 42 3 in 8 0 in 150 Ib 0595 432 mm 686 mm 178 mm 42 7 kg 17 in 27 in 7 in 94 Ib 5094 485 mm 1075 mm 910 mm 280 kg 19 1 in 42 3 in 35 8 in 617 Ib 5095 246 mm 800 mm 556 mm 52 7 kg 14 5 in 31 5 in 21 9 in 116 Ib 5294 216 mm 1020 mm 1800 mm 726 kg 8 5 in 40 1 in 71 in 1600 Ib 22 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Table 1 6 shows the operating en
197. nt practice involves minimizing the number of changes performed at any given time This minimizes the possibility of failure and ensures easier problem resolution if necessary Preparation for feature upgrade If the client has hardware that is not supported at the target release of IBM OS 400 steps must be taken to remove this hardware and if required replace it with functionally equivalent hardware Planning is required to ensure the correct positioning and functionality of this hardware Chapter 1 Planning for upgrades to System i5 hardware 5 A readiness check is advised before proceeding If there are complex or advanced components in the configuration the IBM Sales Representative or IBM Business Partner can run a systems assurance review This is a checkpoint to ensure that certain advanced options have been adequately considered Feature upgrade Feature upgrade can be performed by the client an IBM Service Representative or an IBM Business Partner depending on the features being replaced Instructions are included with the hardware A feature upgrade can be as small as adding an Ethernet adapter or using concurrent maintenance or as large as adding multiple expansion towers with many disks and adapters Certain features might also require an upgrade to i5 OS V5R3 before they can be installed Resource management and preparation for software upgrade After the first feature upgrade the client must perform some hardware res
198. ntent Personal Certificates z Receive keylabel_selfsigned_2 keylabel_selfsigned_1 Delete View Edit Export Amport Recreate Request New Self Signed Extract Certificate The requested action has successfully completed Figure 6 20 Self signed key created 152 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 2 2 Creating a certificate request This procedure explains how to request a certificate from a Certificate Authority CA A CA is a trusted third party After you have created your certificate request the CA signs it The signed certificate is then held in your keystore Follow these steps 1 In the IBM Key Manager window click the Create new key and certificate request icon on top of the page shown highlighted in Figure 6 21 fe IBM Key Management C EKM keystore_x jck Key Database File Create View Help Dos ta SF Ce Key database information DB Type File Name JCEKS database file CAEKMikeystore_xjck Token Label Key database content isign class 1 public primary certification authority g3 verisign class 4 public primary certification authority verisign class 1 public primary certification authority verisign class 4 public primary certification authority verisign class 2 public primary certification autho
199. o see the inside of this server The I O adapters can all be removed from the rear of the server Other components can be accessed through the front of the server 6 Pack DASD Dual Slimline Backplane edia Backplane PCI Card P1 C1 Thru P1 C6 PCI Card PCI Card PCI Card Raid Card HSL 2 RIO G P1 C7 HMC SPCN CARD P1 C8 D System SN VPD a P1 C10 PROC REG 3 HLH PROC REG 2 Operation PROC REG 1 Panel PROC 2 Reg Dist VBUS Vertical Midplane Connect Backplane Hot Plug Capable l2 Not available if second HSL 2 RIO G P1 C7 is installed C1 P6 not shown Required if second HSL 2 RIO G P1 C7 is installed Base Base unit available with 6 PCI Cards Slot P1 C6 not accessible if optional HSL 2 RIO G P1 C7 is installed Figure 1 8 570 plan view The rear of the i570 Figure 1 9 on page 21 has the blindswap cassettes on the left and power supplies to the right Between the I O adapters and the power supply is the Service Processor There are two types of blindswap cassettes one for card slot 1 5 and a different type for slot 6 The cassette for slot 6 is different because it can accommodate the second HSL 2 adapter On the lower right is the system interconnect port This allows multiple i570s to be connected to form a large operating unit
200. oaded drive key store successfully Starting the Encryption Key Manager 1 0 20060823 Processing Arguments Server is started QSH Command Entry F3 Exit FO6 Print F9 Retrieve F12 Disconnect Fi3 Clear Fif Top F18 Bottom F21 CL command entry Figure 6 66 Starting the EKM server 6 6 4 Adding the tape drives to the EKM drive table If you decide against allowing the tape drives to be added automatically specify drive acceptUnknownDrives false In such a situation you add the tape drives manually before using EKM To add the tape drives to the EKM drive table start the EKM Admin console and enter the following command from the prompt for each drive adddrive drivename drivename recl alias1 rec2 alias2 drivename is the serial number of the drive for example 000001365054 Note that the serial number must comprise 12 characters Use leading zeroes recl and rec2 are the optional parameters They are the default keys assigned to your drive in the event that the key requested for use with a cartridge loaded in your drive is not present in the keystore adddrive is only one of the available EKM commands For more information about EKM commands refer to BM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide GA76 0418 Chapter 6 Tape data encryption in i5 OS V5R4 183 6 7 Configuring your TS1120 tape drive for encryption This section describes how to conf
201. of the HMC code These versions support POWER4 servers IBM eServer pSeries To upgrade to the machine code version your Ipp based HMC must first be upgraded to HMC 3 2 6 the highest level release of the Ipp based code End of Service Reminder HMC 3 2 and lower products are no longer supported effective August 31 2006 BIOS updates This site provides BIOS updates only for those HMC models PCs that require a BIOS update for the HMC to work correctly BIOS updates are not provided for HMC models that do not require updates for HMC functionality gt BIOS updates for the HMC Additional resources gt POWERS code matrix gt HMC best practices rt gt i5 iSeries supp is gt UNIX servers support gt Microcode dovmloads em i and Sign up for email notification of HMC corrective service stem p Figure 4 1 HMC machine code levels Chapter 4 System i5 consoles in i5 OS V5R4 93 Select the release level and download either the fixes for that release corrective service download or get a release update recovery media download Installation instructions are also available Here is an example for HMC machine code 5 2 1 gt Corrective service download Figure 4 2 which is available at https www14 software ibm com webapp set2 sas f hmc power5 download v521 Updat e html Hardware Management Console Support for HMC 5 2 1 for UNIX servers and Midrange servers Corrective s
202. on A Guide to Upgrades and Migrations to IBM System i5 Task Brief description Due date Where to find task owner additional information ____ Task Does the hardware support the client s availability plan DASD Tape LAN and Communication lines Task If non IBM hardware will be Check with third party attached to the system product suppliers especially non IBM DASD has the client verified whether it is supported Task Does the source system include migration or SPD towers Task Will the currently installed tower be converted to HSL PCI towers Task If no migration tower is going to be used have PCI replacement features been ordered to replace the installed SPD features Task Is space required for a load source pump Task If the load source is going to be protected with RAID has the proper amount of additional disk been ordered 3 7 9 for the RAID set required Task Has the appropriate console type been configured twinaxial operations navigator or HMC Task Has an appropriate device been ordered or is it already available for the console type Task If 10k rpm disks are to be migrated to HSL towers is there room to accommodate them Task Has the method to migrate data from nonconverted disk been identified Installation plan tasks Task Has a site preparation review been planned Task Has the removal of migrated replaced equipment been planned Chapter 1 Planning for upgrades to Syste
203. op file ves gt T New Session IP Window Emulator User ID Emulator Password Other Parameters OK Cancel Figure 4 41 5250 settings 4 2 7 Maintenance Hardware warranty replacements are made by Neoware Customers must register at the following Neoware Web site for warranty entitlement http www neoware com support warranty php The software service is delivered by Neoware Currently no known fixes are required for the Thin Console Neoware provides fixes to its registered customers Load that code to a USB memory key The minimum capacity requirement for the memory key is 100 MB The flash code contains the complete NeoLinux image and not just a fix or update Refer to the following Web site for more details http www neoware com Perform these tasks to update flash the code of the Thin Console 1 Receive the code from Neoware 2 Expand the compressed file contents into the root directory of your USB key If your USB key is shown as E drive E image dd must be on the drive after the copy is complete If you have already made a bootable USB key for Thin Console updates you only require a new image dd file The file you receive might have a different format such as image 142 dd In such a situation change the name to image dd 3 Find the batch file that corresponds to your mounted USB key drive letter In this example the USB key is located in E Double click the corresponding batch fi
204. or mirroring disk protection Follow these steps Perform a full system save Power down the system Install the new drive in the system Remove an existing drive if necessary Change the mode to Manual and IPL to DST In the next screen Figure 3 15 enter 3 Use Dedicated Service Tools oP OM gt IPL or Install the System System SLOE80CC Select one of the following Perform an IPL Install the operating system Use Dedicated Service Tools DST Perform automatic installation of the operating system Save Licensed Internal Code OP WN PE Selection Licensed Internal Code Property of IBM 5722 999 Licensed Internal Code c Copyright IBM Corp 1980 2006 All rights reserved US Government Users Restricted Rights Use duplication or disclosure restricted by GSA ADP schedule Contract with IBM Corp Figure 3 15 The IPL or Install the System screen IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 In the Dedicated Service Tools screen sign in to DST as QSECOFR Figure 3 16 Note The DST QSECOFR password is not the same as the QSECOFR user ID password and is case sensitive Dedicated Service Tools DST Sign On System S1LOE80CC Type choices press Enter Service tools user qsecofr Service tools password Figure 3 16 Signing in to DST 7 Inthe Use Dedicated Service Tools DST screen Figure 3 17 enter 4 Work with disk units
205. ot detect the new console type The system reference code to signal this event is A600500x In this event you can force the system to switch between the different console types until it finds the type that is connected The way you to do this is to use the console service functions 65 21 These functions can be used on a HMC system or a non HMC system It is recommended that you only use this function if you do not have another workstation available to recover from the error A prerequisite to starting the procedure is to make sure that all hardware is configured correctly for the console type you want to connect in the case of a partitioned system with HMC make sure that you tagged the right IOP and that the console device is working properly and is connected as required Another prerequisite is that the server has advanced far enough through the IPL for the console service functions to be available If your system is not in manual mode and the extended functions are not activated or both perform these steps 1 Place the server in manual mode 2 Select console function 25 and press Enter 3 Select console function 26 and press Enter The console service functions 65 21 must be performed from the control panel or through the control panel function on the HMC or the Operations Console control panel GUI 1 From the control panel or the control panel function on the HMC or the Operations Console enter the function 65 2 Within
206. ource IPL mode 2 415A 2 B or 3 D 1 1 Manual 2 Normal 3 Secure or 4 Auto Press Enter to change the IPL attributes and return to the main DST menu Press F8 to set the IPL attributes and restart the system Machine processing will be ended and the system will be restarted Press F10 to set the IPL attributes and power off the system Machine processing will be ended and the system will be powered off Press F12 to return to the main DST menu without changing IPL attributes F3 Exit F8 Restart Fi0 Power off Fi2 Cancel Figure 3 37 The Operator Panel Functions screen 9 Remove the load source drive the serial number and location you noted in step 2 on page 75 from the system 10 Move the new load source drive the serial number and location you noted in step 7 on page 79 to that slot 11 Remove the old load source mate the serial number you noted in step 2 on page 75 12 Move the new load source mate to that slot the serial number and location you noted in step 7 on page 79 13 Power on the system or partition in manual mode IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 14 Replace the configured unit as follows a Sign on to the DST b Select the option for Work with Disk Units c Select the option for Work with Disk Unit Recovery d At the screen shown in Figure 3 38 enter 3 Replace configured unit Work with Disk Unit Recovery Select one of th
207. ource management cleanup work and testing to ensure that all required functions are working correctly Also in this stage the preparation work for the OS 400 software upgrade is performed A readiness check is recommended before proceeding Software upgrade The i5 OS upgrade is a client responsibility unless it is contracted to IBM or an IBM Business Partner A test environment must be available to create a version of the system and its applications Ideally this would be on an i5 server to ensure that there are no hardware interactions that could hamper the actual upgrade However it is possible to test the i5 OS V5R3 software on any older iSeries server that supports V5R3 This could be a 7xx or 8xx model i5 OS V5R4 can also be installed on 5xx or 8xx models if the system or LPAR has a 17 GB load source drive This enables system and application function testing but not volume testing If the system that is to be migrated has critical applications consider making a trip to the IBM Rochester Benchmark Center Here you can test both the function and the capacity on an i5 server even before you place an order The Benchmark Center is a fee based offering For more information refer to the following Web site http www ibm com servers eserver iseries benchmark cbc index htm We appreciate the cost involved but it is often well worth the investment For example if you are planning to spend 150 000 on a server it would be a small inv
208. ource unit to the tower During the upgrade you can simply relocate any PCI I O adapters in the system unit to the new locations in the new system unit Run the LPAR migration tool and then fix the ownership issues if any and resource naming and allocation of new resources Consider the following points gt Is it cost effective to keep older drives gt How will you maintain RAID sets during Disk Migrate While Active DMWA or physical relocation gt What is the impact of changing two buses to three when upgrading 5065 5066 Chapter 2 Migration examples 39 2 2 Migration examples This section provides a few examples of physical migration or upgrade 2 2 1 Model 810 to model 520 or 525 550 with no LPAR The source system is a model 810 with an integrated system expansion unit and no external towers The target system is a model 520 with no external towers attached This is the upgrade path using migrated or converted disks 1 Upgrade model 810 to V5R3 with the latest PTFs 2 Ensure that there is space in the new system for a disk to be removed and relocated from the existing system unit Restriction Model 810 has six disk slots in the base configuration with up to 18 disks in the system unit all running off one RAID controller IOP A model 520 has four disk slots in the base configuration with a maximum of eight disks in the system unit Depending on the capacity requirements a client can choose to house all their
209. p 2007 All rights reserved 33 2 1 General upgrade considerations When you plan your specific upgrade certain model related considerations must be taken into account because these affect your decision pertaining to the upgrade method chosen Following are the supported model upgrades to new models gt 810 or 820 to 520 550 gt 820 825 830 840 870 and 890 to 570 595 This section also discusses data migration from models that do not support V5R3 or later Following are the five methods you can use to upgrade to the new models Upgrade using the side by side method Data migration using the side by side method source system at previous release Upgrade using the unload reload method Upgrade with converted or relocated disks Upgrade with load source migration YYYY Y These methods apply to both logical partitioned systems and nonlogical partitioned systems If you are upgrading a logical partitioned server additional considerations must be kept in mind In the new hardware there is no PO primary partition The functions of the primary partition are taken over by the flexible service processor When upgrading the logical partition LPAR migration tool allocates partition numbers maintaining where possible the current numbering scheme PO becomes the next available number for example a server with partitions PO P1 P2 and P3 will migrate to a server with partitions P1 P2 P3 and P4 where P1 P3 are as before a
210. path exists to the new hardware The benefit of this method is that the production machine is unavailable only during normal backup routines You might chose to use this method gt gt When the source system does not support the V5R3 or later release of OS 400 When the source system will not support a 17 GB load source drive The tasks involved in the upgrade process are 1 The client orders a new server and services through a special bid process 2 The new system duplicates most or all of the current environment 3 4 5 The source system is upgraded to the highest release it can support The new server is installed If the new server has licensed programs installed scratch install the System Licensed Internal Code SLIC and the base OS 400 Note A new system might be delivered with V5R3 and the licensed programs installed In order to ensure a complete system migration the target system must be scratch installed with only the V5R3 Licensed Internal Code and the base operating system For more details refer to Restoring Previous Release User Data to a New System in Backup and Recovery V5R4 SC41 5304 08 Existing full system backups are used to create the new test system using the recovery procedures described in Backup and Recovery V5R4 SC41 5304 08 Upgrade the licensed programs to i5 OS V5R3 or later 8 Install the latest PTFs 36 IBM eServer iSeries Migration A Guide to Upgrades and Mig
211. perability with the existing systems The movement of data between systems or partitions at different operating system levels is sometimes required The support for this is called interoperability which also allows for applications to be compiled at either release and allows transparent communication between systems It supports centralized management facilities and allows support for PCs running at various levels of client access i5 OS V5R4 has interoperability with OS 400 V5R2 and later 5 4 i5 OS V5R4 software upgrade This section outlines the i5 OS V5R4 software upgrade process Ensure that care is taken because there are differences from the previous release upgrades Important This section is only an outline It is assumed that automatic installation from CD is performed For details about the installation process or alternative methods refer to i5 OS and Related Software Install Upgrade or Delete Version 5 Release 4 SC41 5120 at http publib boulder ibm com infocenter iseries v5r4 topic rzahc rzahc pdf Pre upgrade planning The following tasks are involved in pre upgrade planning 1 Check whether your server meets the requirements to support the new release 2 Confirm the delivery of all the required software components and license keys 3 Order the most recent Cumulative PTF package and Group PTF package that are relevant to your environment 4 View the PSP for the current release and the target release 5 Identify
212. ppliance gt Library managed where a tape library system manages the encryption of data using the encryption capabilities of an attached tape drive 138 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 1 2 Encryption components The tape encryption solution presented in this section is library managed It is built on the following three components gt The IBM Encryption Key Manager component for the Java platform The EKM server is used to store and manage the keys that are used for encryption gt The TS3500 tape library system Figure 6 1 to manage the encryption For i5 OS the supported features are 3584 L22 L23 D22 and D23 For firmware updates refer to http www ibm com servers storage support 1to 3584 downloading html Figure 6 1 TS3500 tape library system gt The TS1120 encryption capable tape drive Figure 6 2 to perform the encryption Only the model or type 3592 E05 can perform encryption All the new orders are encryption capable For existing models 3592 E05 a field upgrade for encryption can be ordered For more information refer to http www 03 ibm com servers storage tape ts1120 index htm Order 3592 E05 FC 9592 plant or FC 5592 field Order 3584 Lxx FC 9900 to use the library managed encryption For the IBM Customer Engineer CE setup of encryption drives order 3592 E05 FC 9596 or FC 5596 Figure 6 2 TS1120 Chapter 6 Tap
213. put processor protected Mirrored pairs are separated at the input output processor IOP level Failure of an IOP does not cause system outage although some facilities might be unavailable depending on the hardware that is also present on that IOP gt Bus protection Mirrored pairs are separated at the system bus level Although failure of a system bus does not cause system outage the other hardware attached to that bus is unavailable gt Frame protection Mirrored pairs are in separate I O towers Although complete failure of an I O tower does not cause system outage the other hardware located on that tower is unavailable gt High speed link loop protection Mirrored pairs are on separate high speed link HSL loops Although HSL loop failure does not cause system outage other hardware attached to that HSL loop is unavailable When adding additional drives to an already mirrored system it is necessary to stop and restart mirroring in order to gain the best level of mirroring for that hardware configuration 3 4 1 RAID 5 vs RAID 6 Table 3 2 shows a comparison between RAID 5 and RAID 6 Table 3 2 Comparison between RAID 5 and RAID 6 Number of disk failures in RAIDset before system outage Capacity cost per RAIDset disk equivalent a ae Chapter 3 System i5 disk at i5 OS V5R4 55 3 4 2 Considerations when planning disk protection Keep these items in mind when planning your disk protection method Mixing RAI
214. r persona not validated verisign class 3 public primary certification authority g3 verisign class 3 public primary certification authority g2 thawte premium server ca verisign class 1 public primary certification authority entrust net global secure server certification authority thawte personal basic ca thawte personal premium ca keylabel_selfsigned_2 keylabel_selfsigned_1 thawte personal freemail ca verisign class 2 onsite individual ca verisign international server ca class 3 thawte server ca entrust net certification authority 2048 entrust net client certification authority entrust net secure server certification authority Figure 6 28 Selecting key label Chapter 6 Tape data encryption in i5 OS V5R4 Cancel 157 5 If any of the key labels for the keys that are being imported already exists in the keystore a Duplicate Key Label warning will be displayed Figure 6 29 Note that the ikKeyman import function has added an asterisk to the duplicate key label name in order to ensure that you do not overwrite the keys by accident You can either accept the name change by clicking OK or edit the key label yourself by clicking Clear Duplicate Key Label a xl An existing key already has label keylabel_selfsigned_2 New Key Label keylabe _selfsigned_2 OK Clear Cancel Figure 6 29 Duplicate Key Label dialog box 6 Regardless of the
215. rations to IBM System i5 9 The client tests the current environment 10 Any production objects that are created or altered which will be required on the new system are saved 11 The target server is then synchronized with the source system This can be done ina number of ways Install only the changed objects saved with the save changed objects commana Install only the client data libraries Scratch install from the up to date source system saves Important Although scratch install is the safest way to ensure that all the objects are synchronized it might take an excessive amount of time This method allows for an intermediate stage where the target system is refreshed with the changed data to test the final upgrade method When using the save changed objects command the client must be sure that the testing process does not change data objects Otherwise data mismatches can occur Refer to Backup and Recovery V5R4 SC41 5304 08 for information about the detailed procedures 12 Move the required hardware if any from the source to the target system 13 Perform full system backups you require system saves in i5 OS V5R4 for recovery 14 Go live 2 1 3 Upgrade using unload reload This is a dramatic upgrade where the entire system is saved to tape and restored on the new system This method is used when large amounts of hardware are moved from the source system to the target system and the target system as deliv
216. re name Cc EkM keystore_x jck TransportListener ssl truststore password EEN TransportListener ssl truststore type jceks TransportListener tcp timeout 120 TransportListener tcp port 3801 config keystore file Cc EkM keystore_x jck config keystore password a config keystore provider IBMICE config keystore type jceks Figure 6 36 Changed properties 4 Save the changes to the KeyManagerConfig properties file 6 3 2 Starting the EKM Admin Console command prompt Do not modify the KeyManagerConfig properties file when the EKM Admin console is running because the changes will be lost If you want to make changes end the EKM Admin console first and restart it after you have made the changes The properties file is read only at startup and the values are stored in memory When the EKM Admin console is ended it writes the values in memory to the KeyManagerConfig properties file in case any changes were made using the EKM commands when the admin server is up For information about EKM commands refer to BM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide GA76 0418 00 Enter the following commands from a DOS prompt to start the EKM Admin console cd C Program Files IBM Java50 jre bin java com ibm keymanager KMSAdminCmd KeyManagerConfig_full_file_path_name Note The path name for the KeyManagerConfig properties file must not contain blanks After the co
217. reate a new keystore click New ao key management rT Key Database File Create View Help Die ue Key database information DB Type File Name Token Label Key database content Personal Certificates k d To start please select the Key Database File menu to work with a key database Figure 6 14 iKeyMan utility 148 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 The New key database window Figure 6 15 is displayed In this example a JCEKS type keystore is created Select JCEKS against the Key database type field Enter the relevant details in the File Name and Location fields The file will be created with the name you specify here Make sure the extension of the file is jks In this example we create a keystore called keystore_x jks in the C EKM folder Click OK New x Key databasetype JCEKS v File Name keystore_x jck Browse Location CAEKM OK Cancel Figure 6 15 Creating keystore 3 The Password Prompt window Figure 6 16 is displayed Specify a password to protect the keystore You will need this password later to access the keystore Click OK xl Password Confirm Password Password Strength OK Clear Cancel Figure 6 16 Password prompt Chapter 6 Tape data encryption ini5 OS V5R4 149 This completes the keystore cr
218. riate offering When you are done press the Continue button at the bottom Offering Platform Format Unrestricted JCE Policy files for SDK 1 4 2 Java download My Profile Version 1 4 2 Welcome back CVERELLEN Languages z English International gt Edit your profile C Unrestricted JCE Policy files for SDK 1 4 1 Java download 5 97 F Version 1 4 1 If you are not CVERELLEN click here Languages English International About IBM Privacy Contact Figure 6 11 SDK version selection 3 Uncompress the zip file to get to the two jar files Replace the current US_export_policy jar and local_policy jar files in your C Program Files IBM Java50 jre lib security directory with the ones you just downloaded Installing the Encryption Key Manager jar and sample configuration file Perform the following tasks 1 Download the IBM EKM Application IBMKeyManagementServer jar and the IBM EKM Sample Configuration file KeyManagerConfig properties Go to http www ibm com support docview wss rs 1139 amp context STCXRGL amp dc D4008ui d ssgl 4000504 Scroll down to find the files as shown in Figure 6 12 DESCRIPTION DOCUMENTATION Download Options Platform Multi Intro Planning amp User s IBM EKM Application Platform Version Guide Ver 08232006 Independent Fre US English Byte Size 268588 Date 9 1 2006 Platform Multi Intro Planning amp User s IBM EKM Sample Platform Version Guide Configuration
219. rity entrust net global client certification authority rsa secure server certification authority verisign class 2 public primary certification authority verisign class 2 public primary certification authority g2 verisign class 3 secure server ca verisign class 3 public primary certification authority verisign class 1 ca individual subscriber persona not validated verisign class 3 public primary certification authority g3 verisign class 3 public primary certification authority g2 Add Delete View Edit Extract The requested action has successfully completed Figure 6 21 Creating new key and certificate request Chapter 6 Tape data encryption in i5 OS V5R4 153 154 2 The Create New Key and Create Certificate Request opens Figure 6 22 Specify a Key Label of your choice that does not contain any blanks Select 1024 from the Key Size menu The Common Name field defaults to the computer name but you can change it Specify a value in the Organization field Verify the Country or region You can change the path and file name where the certificate request is stored All other fields are optional fit Create New Key and Certificate Request Please provide the following Key Label keylabel_certreq_1 Key Size 1024 v Common Name admin w6xapirqs Organization MyCompany Organization Unit optional F
220. rk Management File Help r 4 amp Configuration and Service 9 View by Location zl Tower Disk Units Tower Number Serial Number E System Values a da Hardware amp All Hardware 4 Communications System Adapters LAN Resources Workstation Resources Processor Information y Cryptography Resources Optical Units Tape Units Disk Units All Disk Units 5 8 By Location amp Tower Fg Disk Units amp Tower Fr02 Disk Units amp Tower Fr03 Disk Units Tower Fr04 Disk Units Tower Fr05 Disk Units a Disk Pools Disk Pool 1 Nonconfigured Disk Units Software amp Fixes Inventory amp Collection Services A anina Dartitianc 10 0067059 10 0067059 10 0066352 10 0066352 Dd009 Properties 7 Status Capacity Location Fro3 Frog Fro5 2 3 4 5 15 x T Show all towers Dd009 Disk unit Type Model Level 6717 072 4 Serial number 75 0CF5454 n Unit number 5 Disk pool Disk Pool 1 Figure 1 4 iSeries Navigator Disk properties You now have sufficient information to identify the disks marked for removal A System Rack List A System Rack List provides useful documentation about the hardware contained in your system including information such as hardware features locations and serial numbers of each resource on the system To obtain a System Rack List perform the following tasks 1 Type STRSST in th
221. rmation Center on the Web at http www iseries ibm com infocenter 10 For the initial installation of the Operations Console on a LAN network perform the following tasks a Ensure that the PC is connected to the LAN network b Connect the system to the LAN network using the console driver card in slot C04 or C06 c Label both the cables Perform the following DST function to identify the Operations Console LAN PC as the system console for the DST 1 Select DST from the IPL or Install the system menu or by selecting panel function 21 Enter the QSECOFR user ID and password case sensitive to access the DST Select 5 Work with DST Environment and press Enter Select 2 System Devices and press Enter Select 6 Console Mode and press Enter Select Console type 3 Operations Console LAN Select Save console type by pressing F7 and store before you exit agroa07Dm Note This procedure is found in the section Selecting Operations Console as the console device in Operations Console Setup SC41 5508 02 12 When migrating to the Operations Console it is important that you configure the new Operations Console PC before beginning the server model upgrade At this point in the upgrade instructions where console functions are required on the new iSeries server you will be able to perform the required functions without your current console device The Operations Console features matching the connect
222. ry Switch to Original Navigation Figure 6 79 Scratch encryption policy 2 The Scratch Encryption Policy window is displayed You can select the Set All Other Volsers check box or define a range of cartridges to be used for encryption Each scratch encryption policy requires that you specify two key labels and key modes A key label is only a pointer a common name that enables the tape library and the keystore to identify which keys are to be used for this policy The same key labels must exist in your keystore The key mode defines how the keystore identifies the public private keys used to encrypt a data key Possible values for key mode are Default Label The label is configured at the encryption key manager Clear Label The externally encrypted data key EEDk that is referenced by the specified key label Hash Label The EEDK that is referenced by a computer value that corresponds to the public key that is referenced by the specified key label Click Apply to encrypt all subsequent scratch tapes in the range ZYX100 ZYX110 Figure 6 80 Scratch Encryption Policy Microsoft Internet Explorer Scratch Encryption Policy Set All Other Volsers Volume Serial Number Start ZYX100 Volume Serial Number End ZYX110 Key Mode 1 Clear Label iy Key Label 1 keylabel1 previously selected key labels Key Mode 2 Clear Label x Key Label 2 keylabel2 previously sel
223. s Secure Connection Figure 6 41 Creating new certificate store 1 168 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 3 Select No Do not create a certificate in the certificate store Click Continue Figure 6 42 Digital Certificate Manager Create a Certificate in New Certificate Store Certificate store Other System Certificate Store The new certificate store will contain the default list of Certificate Authority CA certificates Do you want to create a certificate in the Select a Certificate Store certificate store Expand All _ Collapse All O Yes Create a certificate in the certificate store 8 No Do not create a certificate in the certificate store m Create Certificate m Create New Certificate Store Continue a Install Local CA Certificate on Your P Manage User Certificates gt Manage CRL Locations m Manage PKIX Request Location Retum to i5 OS Tasks Secure Connection Figure 6 42 Creating new certificate store 2 4 In the Certificate Store Name and Password window Figure 6 43 specify the Certificate store path and file name If the path does not exist in your System i5 environment create it first by using the CRTDIR command The file name can be anything but must have a kdb extension This file is created automatically You must specify the same path and file name in your EKM configuration
224. s failure The availability 56 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 optimization value ensures that a parity set is formed from at least three disk units of equal capacity each attached to a separate bus on the IOA For example if an IOA has 15 disk units and is optimized for availability the result might be five parity sets with three disk units each attached to separate SCSI buses on the adapter OS 400 V5R3 is required to optimize for availability gt Capacity A parity set that is optimized for capacity stores the maximum amount of data possible The IOA may generate fewer parity sets with more disk units in each parity set For example if an I O adapter has 15 disk units and is optimized for capacity the result might be one parity set containing 15 disk units gt Balanced A balanced parity set compromises between the ability to store large amounts of data and to provide fast access to data For example if an I O adapter has 15 disk units and you choose the balanced parity optimization the result might be two parity sets one with nine disk units and one with six disk units gt Performance A parity set optimized for performance provides the fastest data access The I O adapter might generate more parity sets with fewer numbers of disk units For example if an I O adapter has 15 disk units and is optimized for performance the result might be three parity sets with five disk
225. s listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this IBM Redbook IBM Redbooks For information about ordering these publications see How to get IBM Redbooks on page 196 Note that some of the documents referenced here may be available in softcopy only gt IBM System i5 eServer i5 and iSeries Systems Builder IBM i5 OS Version 5 Release 4 January 2006 SG24 2155 Logical Partitions on System i5 A Guide to Planning and Configuring LPAR with HMC on System i SG24 8000 High speed Link Loop Architecture for the IBM eServer iSeries Server OS 400 Version 5 Release 2 REDP 3652 Other publications These publications are also relevant as further information sources gt System i i5 OS and related software Installing upgrading or deleting i5 OS and related software Version 5 Release 4 SC41 5120 http publib boulder ibm com infocenter iseries v5r4 topic rzahc rzahc pdf Operations Console Setup SC41 5508 02 http www 1 ibm com support docview wss uid publsc41550802 OS 400 Backup and Recovery V5R4 SC41 5304 http publib boulder ibm com infocenter iseries v5r4 topic books sc415304 pdf IBM Encryption Key Manager component for the Java platform EKM Introduction Planning and User s Guide http www 1 ibm com support docview wss uid ssg1S7001618 Online resources These Web sites and URLs are also relevant as further information sources gt
226. s should be addressed to the suppliers of those products This information contains examples of data and reports used in daily business operations To illustrate them as completely as possible the examples include the names of individuals companies brands and products All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental COPYRIGHT LICENSE This information contains sample application programs in source language which illustrate programming techniques on various operating platforms You may copy modify and distribute these sample programs in any form without payment to IBM for the purposes of developing using marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written These examples have not been thoroughly tested under all conditions IBM therefore cannot guarantee or imply reliability serviceability or function of these programs Copyright IBM Corp 2007 All rights reserved vii Trademarks The following terms are trademarks of the International Business Machines Corporation in the United States other countries or both AIX 5L Lotus System p AIX OS 400 System x AS 400e PowerPC System Storage AS 400 POWER Tivoli Domino POWER5 TotalStorage eServer Redbooks WebSphere IBM Redbooks
227. s that utilization does not exceed 100 If utilization exceeds the ASP threshold by a small amount it is possible to temporarily increase the threshold in the system service tools SST in order to allow migration to occur Table 2 2 Disk capacity and utilization through the migration process 8 58 GB 35 16 GB Disk capacity equivalents equivalents Remove one 17 145 86 GB 80 drive from ASP Migrate load 16 1 172 44 GB 68 source Remove six 8 58 10 1 120 96 GB 96 GB drives Install seven 10 367 08 GB 32 35 16 GB drives Remove ten 281 28 GB 41 78 58 GB drives Chapter 2 Migration examples 41 8 58 GB 35 16 GB Disk capacity equivalents equivalents 2 2 2 Model 820 with tower to model 520 525 550 with no LPAR The source system is a model 820 with an integrated system expansion unit and one 5074 external tower The target system is a model 520 with the external tower migrated Follow the upgrade with a migrated or converted disks path 1 Upgrade model 820 to V5R3 or later with the latest PTFs 2 Ensure that there is space in the new system for the disk to be removed and relocated from the existing system unit that is maintaining the existing RAID sets Restriction Model 820 has six disk slots in the base configuration with up to 12 disks in the system unit all off one RAID controller IOP A model 520 has four disk slots in the base configuration with a maximum of eight disks in the system unit The RAID set t
228. sed for both logical partitioned servers and nonlogical partitioned servers This upgrade maintains the client investment in the disk and provides an easy transition to the new server This upgrade involves the following steps Upgrade the current system to V5R3 or later with the latest PTFs The order must include PCI versions of all the required SPD hardware Migrate all the data from the system unit to the disks in the 5065 5066 tower Perform a full system backup Load the source migration to the 5065 5066 tower oar WO NY Relocate any disks that must be repackaged in the new PCI expansion towers Care must be taken to retain the exact position and RAID arrangement 7 Convert the 5065 66 expansion towers to Peripheral Component Interconnect high speed link PCI HSL 8 Remove all of the SPD hardware 9 Connect all of the converted hardware and the new hardware 10 Run the LPAR migration tool 11 Check the resource allocation particularly the load source for the partition that was PO 12 Perform a full system backup 13 Test and go live If you employ this method for an 8xx to 5xx upgrade you can use any 5065 or 5066 that is being upgraded to move the load source load source on model 5xx does not have to be in the system unit Here you must use disk migrate when active in order to move all the data from the disks in the system unit and remove them from the configuration The final task is to copy the load s
229. select unit 1 the load source mate Suspend Mirrored Protection Type option press Enter 1 Suspend Mirrored Protection Serial Resource OPT Unit ASP Number Type Model Name Status m 1 1 75 0CE64B0 6717 050 DDOO1 Active z 2 1 75 0D7B2A2 6718 050 DD003 Active z 2 1 75 0D7EDB4 6718 050 DD002 Active F3 Exit F5 Refresh F12 Cancel Figure 3 30 The Suspend Mirrored Protection screen 78 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 7 Copy the load source disk unit data to one of the new drives as follows a At the Work with Disk Unit Recovery screen Figure 3 31 enter 6 Copy Disk Unit Data Work with Disk Unit Recovery Select one of the following Save disk unit data Restore disk unit data Replace configured unit Assign missing unit Recover configuration Disk unit problem recovery procedures Suspend mirrored protection Resume mirrored protection Copy disk unit data 10 Delete disk unit data 11 Upgrade load source utility 12 Rebuild disk unit data 13 Reclaim IOP cache storage COON OUBRWNE More Selection F3 Exit Fii Display disk configuration status Fi2 Cancel Figure 3 31 The Work with Disk Unit Recovery screen b At the Select Copy from Disk Unit screen Figure 3 32 select unit 1 Select Copy from Disk Unit Type option press Enter 1 Select Serial Resource OPT Unit ASP Number Type Model Name Status 1 1 75 0CF43A4 6717 050 DD0
230. selfsigned_2 Delete keylabel_selfsigned_1 keylabel_selfsigned_3 View Edit keylabel_selfsigned_4 Exportimport Recreate Request New Self Signed Extract Certificate Figure 6 32 Keys are imported 6 3 Configuring Encryption Key Manager Now define to the EKM server This is where the keys and the information on the tape drives are stored The KeyManagerConfig properties file is only a sample configuration Adapt it to point the EKM server to the keystore you created and the drive table file 6 3 1 Editing the properties file Perform the following tasks 1 Open the KeyManagerConfig properties file Choose Select the program from a list as shown in Figure 6 33 Click OK lo Windows cannot open this file File KeyManagerConfig properties To open this file Windows needs to know what program created it Windows can go online to look it up automatically or you can manually select from a list of programs on your computer What do you want to do ice to find the appropriate program Figure 6 33 Selecting the program prompt Chapter 6 Tape data encryption in i5 OS V5R4 159 2 Use a text editor such as Notepad to edit the file Figure 6 34 Click OK Open With A 2 x 1 Choose the program you want to use to open this file File KeyManagerConfig properties M Programs Windows Media Player E Windows Picture and Fax Viewer A WordPad Type a description that yo
231. set in the old server and insert them into the empty slots in the same cage as the load source disk mentioned in the previous step they can be placed in any order 22 Remove the last eight disks from the second RAID set in the old server and insert them into the empty slots in the cage in the 5294 expansion unit This maintains the existing RAID set 23 For the first connection between the iSeries server and Operations Console PC you must use the service tools user ID of 11111111 eight 1s This prevents the shipped expired user IDs from preventing a successful reauthentication of the client connection to the server When you receive the OS 400 release upgrade the shipped user IDs except 11111111 are expired To establish a successful reauthentication of the client connection to the server use the service tools user ID of 11111111 eight 1s This is especially important for automatic installations Attention Failure to comply with these actions may prevent the console from working correctly during the upgrade or install 24 Power on the new server 25 Perform full system backups you require system saves in i5 OS V5R4 for recovery 26 Go live 48 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Important During a manual IPL of the system if no console was specified earlier you will receive two additional screens to confirm the setting of the console mode The first confirmation requires F10 to ac
232. sk protection 0000e eee eee 56 3 4 3 Migrating to RAID 6 from unprotected disk with iSeries Navigator 64 3 4 4 Migrating to RAID 6 from unprotected disk using dedicated service tools 66 3 4 5 Migrating to RAID 6 from unprotected disk using system service tools 68 3 4 6 Migrating to RAID 6 from mirrored 1 2 00 c ee ee 68 3 4 7 Migrating to RAID 6 from RAID 5 protected 00 e eee ee 68 3 5 Load source migration 1 2 0 a a E tees 69 3 5 1 Considerations for load source migration 00000 cece eee 69 3 5 2 Load source migration No disk protection 0 0 ce eee eee 70 3 5 3 Load source migration Mirrored systeM 0 0 00 cee eee eee 75 3 5 4 Load source migration RAID system 2 0 ee 85 3 5 5 RAID 5 arrangement on Peripheral Component Interconnect X I O adapters 86 Chapter 4 System i5 consoles in i5 OS V5R4 1 ee 89 4 1 Introduction to the consoles on System i5 servers 00000 c eee eee 90 4 1 1 Twinax CONSE 3 0 022 beech ee wine E a eee GER de ee gt Se Done ee 90 4 1 2 Operations console direct attached or LAN attached 2 5 90 4 1 3 The Hardware Management Console 0 000 cece eee eee 90 4 2 Thit Consol ricco cv EN hah eee die Pee nen ee a ed aA EAE a eae ee 97 4 2 1 Thin Console installation eanes 0 00 cee eee 97 4 2 2 SpeciticatliOnS 02 aii ies Gee a E aE eee a dhe os bee eRe 9
233. sole If so disconnect the other console device Chapter 4 System i5 consoles in i5 OS V5R4 125 The status screen does not get past status Remaining in this state means that the Thin Console has code 50 xx completed the initialization of the firmware communication and has not successfully started communication with the LIC in i5 OS You can find this information in the IBM Systems Hardware Information Center at http publib boulder ibm com infocenter eserver vir3s index jsp topic iphcl iphc ltroubleshooting htm 4 3 Console card locations Starting from V5R3 only the currently configured console type is supported So if you are planning a migration or upgrade that includes a console type change predefine the new console type Refer to 2 2 5 Model 840 to model 570 system upgrade with no LPAR or Hardware Management Console on page 45 for instructions In a partitioned environment if no console type is specified it scans the tagged IOP specified during the creation of the partition If more than one console type is connected to this IOP the first console device to connect becomes the console thus making it difficult to predict which card will be chosen for each IPL Tagging the same IOP for both the primary console and the alternate console might result in the inability to select a console On systems where more than one console card location is available you should not have two of the same card types occupy
234. sole session To circumvent this and facilitate system management you can use the remote connection functionality that is available through the following emulators gt IBM iSeries Access PC5250 emulator V5 R3 with PTF S113587 or later gt IBM Personal Communications 5250 emulator V5 7 or later gt iSeries Access for Linux emulator V5 2 0 1 4 or later The HMC user ID and password are required to connect to the console session For configuration instructions and information about remote security and the HMC firewall refer to the topic System i Managing the HMC 5250 console from the IBM Systems Hardware Information Center which is available on the Web at http publib boulder ibm com infocenter eserver vlr3s topic iphb8 iphb8 pdf HMC and server firmware code level update Your HMC is a critical part of your hardware configuration It is recommended that you keep both the server firmware level and the HMC machine code up to date Chapter 4 System i5 consoles in i5 OS V5R4 91 92 Server firmware Licensed Internal Code The server firmware is the part of the Licensed Internal Code LIC that enables hardware It is stored in the Service Processor The Service Processor stores a permanent copy p side and a temporary copy t side It is recommended that you run the managed server from the t side The firmware level is displayed as SFXXX_YYY where XXX is the release level and YYY is the fix level Firmware fixes
235. sor Information 3 Cryptography Resources Optical Units Al Disk Units f By Location Disk Pools Disk Pool Groups g3 Parity sers Explore Open Create Shortcut Customize this View Graphical View Start parity Change Optimization Instal additional comp PS A Parity Set Status Disk Units VO Proces YO Adapter Frame unit Availability Configuration Recovery and Maintenance C Protection gt avaiabilty BD Graphical View Figure 3 8 Selecting Start parity from Operations Navigator 64 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 On the page that is displayed Figure 3 9 confirm that the RAID Level and Optimization settings are correct Select the boxes for the RAIDsets you want to start and click Start Parity Confirm Starting Parity 9 5 17 170 m X Select how you want the parity sets optimized then select the parity sets you wish to start parity on and select Start Parity Ifyou select RAID 6 there may be RAID 5 sets created due to resource limitations WARNING You are aboutto start parity on the selected parity sets All of the disk units that will be in the parity sets are displayed Starting parity on these parity sets can take anywhere from several minutes to over an hour to complete and can potentially affect system performance RAID Level RAID 6 h Optimization pa
236. ssigned Max E Method Switch to Original LTO 2 LTO 8 0 16 571 0 10 Show N A Navigation JAG1 3592 6 0 28 359 0 16 Show N A LTO 1 LTO 8 0 16 571 0 10 Show N A LTO 3 LTO 4 0 46 571 0 10 Show N A JAG2e 3592 2 0 11 359 0 255 Show Library Managed Figure 6 74 Managing logical libraries 2 Select a tape that is capable of encryption and select Modify Encryption Method from the Select Action menu Click Go Figure 6 75 IBM System Storage TS3500 Tape Library Work Items Manage Logical Libraries 2 Welcome Page E manage carmagen Refresh _ Last Refresh 8 31 2006 20 25 57 Data Cartridges Cleaning Cartridges I O Station Cartridge Assignment Policy Scratch Encryption Policy Insert Notification m Manage Drives Manage Library by Frame by Logical Library Total Logical Libraries 5 Accessor Disable ALMS Modify Encryption Method Go Virtual 10 Select Action Cartridges _ VIO Slots Encrypti ryption Select Ri Export Date sod Time oh Petes red Assigned Max Assigned Max ach Method 6 Character Volser Reportin a Remove 16 571 0 10 Show N A M Port z eee z Maximum Cartridges 28 359 0 16 Show NA C Manage Access Maximum VIO Cartridges lo Hide Show Queued Exports 16 571 0 10 Show NA ate etl cess clean e 46 50 10 Show NA artridge Assignment Policy x Switch to Orig
237. stem name 2 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 The output of the SPT can be used either to create a report or as an input to the IBM Configurator for e business e Config for order processing The report function of the SPT invokes the System Plan Viewer which has a print option You will also be able to use the sysplan file to automatically create and deploy partitions on an HMC Downloading the SPT As is the case with the LVT the SPT is available for download from the ibm com Web site A subscriber list is used to notify users when a new version is available The first time you download the SPT you must use the full version that includes the required Java Virtual Machine JVM code and other support files To download subsequent versions of the SPT you can download the update version of the SPT In either case when you run the exe file an install wizard is initiated to guide you through the installation An icon for the SPT is placed on your desktop when the installation is complete The new STP is available for download from the ibm com support Web site http www 03 ibm com servers eserver support tools systemplanningtool IBM Workload Estimator The IBM Systems Workload Estimator WLE is a Web based sizing tool for IBM System i IBM System p and IBM System x Use this tool to size a new system to size an upgrade to an existing system or to size a consolidation of s
238. terminal has been withdrawn from the market the twinax adapter cards remain available for order on the new 5xx and 5xx systems The twinax console can still be used on a stand alone system or as a console for a system partition However it no longer allows for logical partition LPAR configuration and management on the new 5xx models HMC is a prerequisite for LPAR on any 5xx system 4 1 2 Operations console direct attached or LAN attached An alternative to the twinax console was introduced with the operations console The first generation could only be directly attached to a serial port This is referred to as a direct attached operations console Later support was added to connect the PC toa dedicated LAN adapter card This is commonly known as a LAN console The Operations console runs on a PC as part of the iSeries Access for Windows A green screen console session is provided by the 5250 emulation function of either iSeries Access or IBM Personal Communications You can also use iSeries Navigator for management functions Operator panel functions to a nonpartitioned system or to the primary partition are available through a graphical user interface GUI The direct attached Operations console requires an additional special cable LAN console allows console sessions to multiple systems or partitions at the same time More than one PC that is configured as a LAN console can connect to a single system or partition However only o
239. those locations per console mode For example if the console mode was set to 3 for LAN ensure that a LAN card is not installed in both the primary location and the alternate location 4 3 1 Designated slots for models 5xx V5R3 Table 4 5 lists the designated slots for models 5xx not 520 in the order of priority Table 4 5 Designated slots for models 5xx V5R3 Console slots for LAN and Async ECS slot workstation IOAs such as twinax C4 C2 If an IXS card takes this slot LAN and If an IXS card is installed it causes this twinax will not be available location to go to C5 to make room for an IOP In the case of multiple CECs these are in the same CEC as the load source C04 on 9194 Base PCI X C02 9194 Base PCI X I O enclosure I O setae a Twinax adapters are typically placed in one of the Operations Console LAN slots but can replace the async card too 126 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 4 3 2 i5 OS V5R3M5 and V5R4 new Smart IOA plus models LAN console Embedded LAN ports In the new smart IOA IOP less models feature codes 5706 PCI X Gbps Ethernet TX IOA and 5707 PCI X 1 Gbps Ethernet SX IOA are the only console supported smart IOAs The embedded port is the manufacturing default for the LAN console Card locations are supported only when the embedded port is disabled Table 4 6 shows the location of the embedded LAN ports on models 520 550 an
240. time after the new PCI X IOAs are in place the IOA detects the old RAID format During the IPL the old RAID format is removed and replaced with the new RAID format During this period the drives that are being reformatted are not protected Therefore ensure that full system backups have been taken Chapter 3 System i5 disk ati5 OS V5R4 87 88 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 System i5 consoles in i5 OS V5R4 This chapter describes the different console types that are available for the System i5 environment Twinaxial Console Operations Console direct Operations Console local area network Hardware Management Console HMC 5250 and Thin Console This chapter also provides a guide for setting up and maintaining the Thin Console general information about the console card locations on System i5 servers and the use of service functions 65 11 to change the console type Copyright IBM Corp 2007 All rights reserved 89 4 1 Introduction to the consoles on System i5 servers This section describes the different types of consoles that are available to manage your System i5 server Twinaxial console Operations console direct attached or LAN attached HMC 5250 Thin console vvvy 4 1 1 Twinax console Originally only one console type was available a twinax terminal connected to a twinax card that provided a 5250 console interface to the System i5 server Although the twinax
241. to IBM System i5 5 If there are insufficient drives for RAID 6 the system automatically selects RAID 6 where possible and RAID 5 where alternately possible Figure 3 13 If there are only two disks of a particular size on an ASP they will remain unprotected In the Start Device Parity Protection screen Figure 3 12 select the RAIDsets you want to start and press Enter Start Device Parity Protection Select the subsystems to start device parity protection Type choice press Enter 1 Start device parity protection RAID Parity Serial Resource Option Level Set Number Type Name RAID 5 1 0C 6200013 571F DC02 ae RAID 5 2 0C 6199036 571B DCO01 RAID 5 3 0C 6199036 571B DCO01 RAID 5 4 0C 6199036 571B DCO1 F3 Exit Fi2 Cancel Figure 3 12 The Start Device Parity Protection screen Start Device Parity Protection Select the subsystems to start device parity protection Some RAID 5 sets were selected due to resource limitations Type choice press Enter 1 Start device parity protection RAID Parity Serial Resource Option Level Set Number Type Name 5 RAID 6 1 0C 6200013 571F DC02 a RAID 5 2 0C 6199036 571B DCO1 _ RAID 5 3 0C 6199036 571B DCO1 RAID 6 4 O0C 6199036 571B DCO1 F3 Exit Fi2 Cancel Figure 3 13 Start device parity protection selection screen at DST Chapter 3 System i5 disk at i5 OS V5R4 67 3 4 5 Migrating to RAID 6 from unprotected disk using system service tools The system serv
242. to Upgrades and Migrations to IBM System i5 Refer to the following sites to download server firmware fixes gt iSeries Recommended Fixes Server Firmware Update Policy Set to Operating System http www 912 ibm com s_dir slkbase nsf c32447c09fb9a1f186256a6c00504227 60499 2740f846a4986256 fd3006029b5 0penDocument gt iSeries Recommended Fixes Server Firmware Update Policy Set to HMC http www 912 ibm com s_dir slkbase nsf ibmscdirect E58D7BBFOEAC9A2786256EAD00 5F54D8 HMC machine code An overview of the supported HMC machine code levels is available at https www14 software ibm com webapp set2 sas f hmc home htm Figure 4 1 shows the HMC machine code levels Hardware Management Console Support for UNIX servers and Midrange servers HMC corrective service support These pages deliver corrective service and other download support for the Hardware Management Console HMC for both POWERS and POWER4 servers Online media ordering installation instructions and related technical information are also provided Your IBM support center provides technical support for the HMC HMC products for servers with POWERS processors Version Releases HMC Version 6 HMC 6 1 HMC Version 5 HMC 5 2 1 HMC 5 2 HMC 5 1 HMC Version 4 HMC 4 5 Older versions Version Releases HMC Version 3 3 HMC 3 3 7 and lower releases HMC Version 3 2 HMC 3 2 and lower versions LPP based Note HMC 3 2 x and lower are Ipp based versions
243. to separate essential and nonessential applications into separate user ASPs and assign different levels of disk protection to each ASP For example archive data can be ina user ASP with RAID 5 protection nonessential back office data in a user ASP with RAID 6 protection and business critical functions and data in an ASP with HSL level mirroring Although it is possible to assign disks from the same RAIDset into different ASPs careful thought must be given to the possible outcome of disk failures within the RAIDset Device types and speeds Keep these points in mind gt Mirrored pairs must be of the same capacity They can be of different speeds but this is not recommended gt All of the disks in a RAIDset must be of the same capacity They can be of different speeds but again this is not recommended gt Load source disk for i5 OS V5R3M5 and i5 OS V5R4M0 must be 17 54 GB or higher RAID optimization Unlike mirrored protection all of the disk drives in a RAIDset must be on the same storage IOA card This is because the IOA performs the calculations that are required for the parity stripes or data regeneration following disk failure Within this limitation there is scope for defining different optimization strategies as outlined in the following list gt Availability A parity set optimized for availability offers a greater level of protection because it allows a parity set to remain functional in the event of an SCSI bu
244. u type STRSST and press Enter b Type 1 Start a Service Tool and press Enter c Type 7 Hardware Service Manager and press Enter d Press PF6 to print the report From the rack config list map the resource name to the card position for example DDOO9 D31 Tip Use the LPAR validation tool LVT to establish the current and the new component locations Use the rack config list LVT report and the diagram from the front cover panel of the source system 840 unit to locate the physical location of disk drives and then access the Chapter 2 Migration examples 45 service tools STRSST to establish how many RAID sets were on the system In our scenario there were six disks in the first RAID set and eight disks in the second RAID set Therefore they could be moved to the new server that maintains the RAID set Note If you have more than six disks including your load source in a RAID set some additional reconfiguration tasks must be performed during the preplanning stage 9 Verify that the Ethernet LAN Console is in the correct slot for the Operations Console Details about card placement are available in the topic Operations console hardware requirements in the connecting to iSeries on selecting Connecting to iSeries gt Operations Console gt Manage Operations Console Change from one console type to another gt Twinaxial console to Operations Console This is available in the IBM eServer iSeries Info
245. u have the required operating system SDK JDK or J2SE and the PTFs installed as shown in Table 6 2 gt Install the IBM Java unrestricted policy files refer to 6 4 2 Installing the unrestricted policy files on page 164 gt Install the IBM EKM Application and the IBM EKM Sample Configuration file see 6 4 3 Installing the Encryption Key Manager jar and sample configuration file on page 165 gt Install the proper tool to manage the keys in your type of keystore In this example we defined an IBMi5OSkeystore type keystore The interface to manage this type of keystore is the Digital Certificate Manager DCM GUI refer to 6 4 4 Installing Digital Certificate Manager on page 165 The ikKeyman utility enables you to create the JCEKS keystore type refer to Installing the iKeyman utility in 6 1 5 Encryption Key Manager server on a PC on page 142 6 4 2 Installing the unrestricted policy files There are two ways in which to get the unrestricted policy files gt Downloading the unrestricted policy files from the IBM Web site refer to Installing the unrestricted policy files on page 146 and placing the files in the QOpenSys QIBM ProdData JavaVM jdk50 32bit jre lib security directory in the Installable File System IFS 164 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 gt Installing the unrestricted policy files through a PTF For i5 OS V5R3 install
246. u want to use for this kind of File Browse If the program you want is not in the list or on your computer you can look for the appropriate program on the Web ma Figure 6 34 Open With window 3 Figure 6 35 on page 161 shows the sample configuration file with the default values Some of the values must be changed and some must be added Strictly respect the syntax and do not leave any trailing blanks Do not use V in path names they are interpreted by Java as escape characters Use instead Audit handler file directory Specify where you want EKM to store the audit log This directory must exist before you start the EKM Admin console Admin ssl keystore name Admin ss1l truststore name TransportListener ssl keystore name TransportListener ssl truststore name config keystore file Specify the path and the file name of the keystore Admin ss1 keystore password Admin ssl truststore password TransportListener ssl keystore password TransportListener ssl truststore password config keystore password Specify the keystore password You do not have to specify the password but if you do not you will be asked to enter it when you start the EKM server Config drivetable file url Specify the path and the file name where you want EKM to store the information on the drives that are known to EKM The path must exist before starting the EKM Admin console You can select the file name yourse
247. uced Fix support End of Service Pack support provided Service Service Packs no longer provided IBM recommends updating your firmware and HMC to a Packs recommended Release Level no longer provided Figure 4 4 Supported combinations of server firmware and HMC code Check for updated information about the supported combinations server firmware and the HMC code levels at the POWERS code matrix Web site http www14 software ibm com webapp set2 sas f power5cm supportedcode html For more information about getting and installing fixes and updates for HMC code and server firmware refer to the IBM Systems Hardware Information Center or download the PDF at http publib boulder ibm com infocenter eserver v1r3s topic ipha5 ipha5 pdf Receive updates on the latest fix levels through the subscription service for System i5 at http www14 software ibm com webapp set2 subscriptions iqvcmjd 96 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 4 2 Thin Console Thin Console is a new type of console It is available only for selected nonpartitioned System i5 9405 520 9406 520 and 9406 550 These models must be running i5 OS V5R3 or later and a firmware level of SF240 or later The Thin Console was designed to deliver a low cost and easy setup alternative for console function on nonpartitioned systems that do not require an HMC It provides a 5250 console session to the system The
248. ulator Chapter 4 System i5 consoles in i5 OS V5R4 97 The Linux software image does not include support for printing or for programmable or scriptable interfaces application programming interfaces APIs commands and scripts The Neoware c50 thin client contains 1 VIA Eden Processor 400 MHz 64 MB of flash storage 128 MB of DDR SDRAM memory 1 serial port D Sub 9 Pin Male 1 parallel port D Sub 25 Pin Female 1 VGA port with support for up to 1200x1600 60 Hz 1 PS 2 keyboard port 1 PS 2 mouse port 2 USB 2 0 ports type A vvvvvvvvy The documentation for the Neoware c50 thin clients with their generic NeoLinux 3 0 load NeoLinux Thin Clients User Manual is available at gt http www neoware com docs manuals um_neolinux_30_20040630 pdf The Thin Console has two interactive user interfaces gt A 5250 screen When connecting to the server it displays the connection status After successful connection it displays the servers 5250 console session gt A GUl type configuration screen for the keyboard and monitor called the ezConnect Neoware Connection Manager 4 2 3 Thin Console 5250 emulation screen Figure 4 6 on page 99 shows the connection status screen which displays console information server information and connection status 98 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 Thin Console 1 0 0 142 Console Information Ethernet 00 E0 C5 56 0E F
249. ver iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 2 2 3 Model 640 to model 520 or 525 550 no LPAR In this example the source system a model 640 will not upgrade to V5R3 or later The highest release that it will support is V5R2 The upgrade process is as follows 1 The client orders a new server Services are ordered from IBM or an IBM Business Partner through a special bid process 2 The new system duplicates most or all of the current environment 3 The source system is upgraded to the highest release it can support in this case V5R2 to allow for interoperability 4 The new server is installed 5 Scratch install SLIC and base OS 400 7 8 9 Note The new system may be delivered with V5R3 and the licensed programs installed In order to ensure complete system migration scratch install the target system with only the V5R3 Licensed Internal Code and base operating system Refer to the section Restoring Previous Release User Data to a New System in Backup and Recovery V5R4 SC41 5304 08 which is available at http www ibm com support docview wss uid pub1sc41530408 Existing full system backups are used to create the new test system using the recovery procedures outlined in Backup and Recovery V5R4 SC41 5304 08 Upgrade the licensed programs to V5R3 or later Install the latest PTFs The client tests the current environment 10 Any production objects that are created
250. vironments for model 570 Table 1 6 Model 570 operating environment gt Stand alone 6 8 bels 1 5 Linux migration This section provides a brief overview of the Linux migration process For more information about the migration of an existing Linux partition on an iSeries system to a System i5 refer to the following Web site http publib boulder ibm com infocenter eserver vir3s index jsp topic iphbi iphb imigratiseries htm Upgrade planning for Linux partitions is a relatively new concept because the guest partition has not been available for very long Consider the following three upgrade possibilities gt Upgrading their Linux version to a new release gt The effect of hardware upgrades on their Linux partitions gt Anew Linux kernel is required to run on System i5 hardware When upgrading to a new version of Linux understand whether the distributor supplies an upgrade mechanism When you upgrade from V5R1 to V5R3 or later you must upgrade your Linux OS from 32 bit to 64 bit You must also review your distributor s support for IBM PowerPC 64 bit The second consideration is the hardware support for Linux partitions and the native adapter support If you have any IOAs that you are planning to change as you upgrade move these from the virtual disk to the native attached SCSI disk or the fibre channel disk You must also provide or change the installed disk driver in your Linux partition Upgrading with Linux partitions
251. y fixes PTFs must be installed in the current release This enables additional options in the Prepare for Upgrade menu Important These PTFs are shipped with the OS 400 release If these PTFs are not installed and the software agreements are not accepted the installation fails gt Server firmware must be at release SF235_160 or later gt Check whether the Hardware Management Console HMC code level is compatible with the server firmware 5 1 1 i5 OS V5R4 informational authorized program analysis report and PSPs For additional information about new 5xx hardware and the required software refer to the PSPs and the informational authorized program analysis reports APARs http publib boulder ibm com infocenter iseries v5r4 topic rzaq9 rzaq9 pdf For additional information about the new functions and the functions that have been removed in i5 OS V5R4 refer to iSeries Memorandum to Users Release R540 which is available on the Web at http www 912 ibm com s_dir sline003 nsf 2d3aff1c6b4d6ce086256453000d97 le bdb2077 act f30ff28625710f005cal2f APAR and PSP information can be found by using the following identifiers gt SF98010 refers to installation information for i5 OS V5R4 gt SF99540 refers to information about problems discovered since the latest PTF cumulative package gt MF99540 refers to information about installing V5R3 hardware gt SF99168 refers to information about server upgrades and data migrations
252. y manager address Chapter 6 Tape data encryption in i5 OS V5R4 185 4 The Create Key Manager Address window opens Enter the IP address Port field must be prefilled and click Apply as shown in Figure 6 70 a Create Key Manager Address Microsoft internet Explorer n JG Key Manager Create Create a Key Manager Address IP Address 192 168 4 1 Port 3801 Apply Cancel Done J Local intranet a Figure 6 70 Key manager IP address 5 A confirmation window is displayed to confirm that the key manager IP address is added successfully Figure 6 71 ie Success Microsoft Internet Explorer Jo The Key Manager Address Change is complete Close a Done 63 Local intranet Figure 6 71 Key manager added 186 IBM eServer iSeries Migration A Guide to Upgrades and Migrations to IBM System i5 6 To test the connection between the TS3500 tape library system and the keystore select the key manager address and choose Ping Address in the Select Action menu and click Go Figure 6 72 IBM System Storage TS3500 Tape Library Work Items Key Manager Addresses Welcome Page a Manage rengas Refresh Last Refresh 8 31 2006 20 46 08 G Manage Drives an Manage Library a Select Action v Go Manage Ports T Select Action e Manage Access Select Create IP Address Port Web Security 1 2 3801 SNMP Settings O 3801 SNMP Destinations
253. you can recover the EKM server if you have not encrypted any data up to that point gt Plan for redundancy The critical part of your EKM server is the keystore that holds the keys You can back it up to the media supported on the EKM server and keep this in a secured vault However because there is no recovery from lost keys and because you cannot perform backup or restore functions if your only EKM server is down it is recommended that you also build in redundancy by installing two EKM servers at least You can set up an EKM server on your Disaster Recovery DR site and synchronize it with the one on the main site Alternately you can just install a new EKM server on the DR site in the event of a real disaster or test disaster and import your keys into the keystore Irrespective of the solution you choose if you configure more than one EKM server ensure that you run the same version of software and keystore type on both the servers or alternately test their compatibility As part of your Disaster Recovery Plan DRP make sure that you test the compatibility of the EKM servers and of the tape drives because there is a possibility that the TS3500 tape library configuration at the DR site is different from yours Configure the EKM server to recognize the new hardware and configure the TS3500 tape library to point to the correct EKM server Chapter 6 Tape data encryption in i5 OS V5R4 141 6 1 5 Encryption Key Manager server on a PC
Download Pdf Manuals
Related Search