IBM has announced the new operating system release for the IBM i platform. IBM i 7.6 delivers a significant advancement in security and innovation, with updates across the portfolio covering security, performance, availability, and application development. These enhancements give businesses the tools and capabilities they need to navigate the challenges of today’s dynamic technology landscape and capitalize on future opportunities.
The enhancements in version 7.6 are numerous, but the standout features are the integration of multi-factor authentication (MFA) directly into the operating system and the expanded encryption support. Built-in MFA simplifies deployment and is a significant security enhancement at no additional cost for IBM i users. IBM i 7.6 focuses on continuing securability, helping customers meet compliance and regulatory requirements as they secure their systems for today’s IT landscape.
MFA has become a necessary standard in the industry to enhance security and prevent unauthorized access to applications and data. Most banks and financial institutions require their customers to input extra codes sent via text or email, or to use an authenticator app, such as Authy, that generates time-based one-time passwords (TOTP) on their mobile devices.
For many years, IBM has supported encryption of Auxiliary Storage Pools (ASPs), and users can now also encrypt data in the system ASP, referred to as ASP1. The capability is configured through the disk configuration options in System Service Tools (SST) and requires that option 45 (Encrypted ASP Enablement) be installed. The encryption keys are kept in the Licensed Internal Code (LIC), and no downtime is needed to activate or deactivate ASP1 encryption.
System Service Tools (SST) and Dedicated Service Tools (DST) support a separate MFA TOTP key implementation that is not connected to the operating system MFA support. The TOTP keys set for SST users have no relationship to the TOTP keys set for IBM i user profiles; in particular, an SST user with a linked profile does not share a TOTP key with that profile. Another difference is that SST does not allow setting a frequency for providing the TOTP value: it is required every time a password is required. An SST administrator can enable MFA for SST without enabling it on the operating system.
IBM is introducing a new command called Configure Host Server (CFGHOSTSVR), which enables administrators to manage the permissions for non-secure connections on various supported host servers, such as central, database, data queue, file, network print, remote command, and sign-on.
Strong AES encryption algorithms are now enabled by default when using Kerberos, the network authentication protocol that’s widely used for single sign-on (SSO) environments. The default encryption types when creating a new entry are now AES256 and AES128. Previously, admins could select from a range of encryption types when configuring Kerberos, including Cipher Block Chaining with Data Encryption Standard (CBCDES), CBCDES3, DESHMAC, and Arcfour, in addition to the AES crypto algorithms.
IBM has updated the cryptographic algorithms available through the IBM i Cryptographic Services APIs. First, IBM has created a new Key Derivation Function (QC3KDF) API that implements an algorithm recommended by NIST for password hashing, Password Based Key Derivation Function 2 (PBKDF2). This algorithm derives keying material from passwords, master keys, or other secret values.
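As an added illustration of what a PBKDF2 key derivation does (this is not code from IBM and does not call the QC3KDF API; it uses Python's standard-library PBKDF2-HMAC as a stand-in), the example below derives a key from a password with a per-user salt and an iteration count, stores those parameters alongside the derived key, and re-derives for verification with a constant-time compare. The iteration count, salt length and record layout are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 210_000  # illustrative work factor; set per your policy and hardware
KEY_LEN = 32          # 256-bit derived key


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS,
               key_len: int = KEY_LEN, hash_name: str = "sha256") -> bytes:
    """PBKDF2-HMAC: stretch a password (plus salt) into keying material.
    The iteration count is what makes offline guessing expensive."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, key_len)


def make_record(password: str) -> str:
    """Build a storable verifier: hash name, iteration count, salt and derived key.
    All of them are needed later to re-derive the same key; none is secret."""
    salt = os.urandom(16)  # fresh random salt per password
    dk = derive_key(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time,
    so the comparison itself does not leak how many bytes matched."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    candidate = derive_key(password, bytes.fromhex(salt_hex),
                           int(iters), len(dk_hex) // 2, hash_name)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify_record("correct horse battery staple", rec))  # True
    print(verify_record("wrong password", rec))                # False
```

Because the salt is random, two records for the same password differ, which is exactly why the derived key cannot be precomputed in bulk.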
The QIBM_IOSYSCFG_VIEW function ID lets administrators define users with a read-only role for viewing input/output system configuration information without *IOSYSCFG special authority. Over one hundred IBM i 7.6 display and retrieve interfaces have been updated to check for *IOSYSCFG or for read-only access via QIBM_IOSYSCFG_VIEW.
QIBM_IOSYSCFG_VIEW defaults to *DENIED access for all users. *ALLOBJ special authority does not give a profile access to this function usage ID.
Many IBM i shops use BRMS (Backup, Recovery and Media Services for i) for backup and recovery, and with the introduction of IBM i 7.6 we see a major change for these environments. You will no longer be able to run the standard 5770BR1 product and will instead use its replacement, 5770BR2, which is a subscription-based offering. The new subscription term option for BRMS provides all features of the product in one package.
With the introduction of 7.6 there are four new user profiles:
- QPGMR_NC
- QSECOFR_NC
- QSYSOPR_NC
- QUSER_NC
Similar to their counterparts (QPGMR, QSECOFR, QSYSOPR, and QUSER), these profiles have identical privileges, but they have no passwords and cannot be modified. The abbreviation NC stands for ‘no change’.
The final IBM i 7.6-specific security enhancement has to do with program temporary fixes (PTFs), specifically security PTFs. IBM is now giving customers an easy way to tell when a specific security PTF has been applied to their systems.
– As tracking security PTFs becomes increasingly important, reporting when the latest Security PTF Group was applied is also important information, IBM says in its announcement letter.
– The PTF Group apply date is now shown on the Display PTF Group (DSPPTFGRP) display to help simplify the task of tracking the apply date without having to track down individual PTFs within the group. The PTF Group apply date can also be retrieved with the List PTF Group Details (QpzListPtfGroupDetails) API.
IBM i Access Client Solutions (ACS) continues to be enhanced and updated to meet the needs of IBM i system administrators. The new version of ACS is 1.1.9.8.
There are many more enhancements; you can read more about the new release of IBM i 7.6 here.
Note: IBM i 7.6 is not supported on servers with IBM Power9 or earlier processor technology.