The Next Generation of IBM i Access - Gateway/400gateway400.org/documents/Gateway400/Handouts/IBMiAccess.pdf · The Next Generation of IBM i Access Gateway400 User Group April 10,

1

© 2013 IBM Corporation

© 2013 IBM Corporation

Follow us @IBMpowersystems

Learn more at www.ibm.com/power

The Next Generation of IBM i Access

Gateway400 User Group April 10, 2014 Presenter: Jesse R. Gorzinski, MBA ([email protected])

© 2013 IBM Corporation 2

Agenda

Overview Background

System configurations

Features

Edit->Preferences

Password caching

Advanced topics Shell commands

Deployment

Migration

Hiding/restricting function

Mobile device access

Q&A

https://twitter.com/ibmpowersystems

https://twitter.com/ibmpowersystems

https://www.ibm.com/power

2


IBM i Access Family

The r7.1 IBM i Access Family of Products IBM i Access for Windows (5770XE1)

• Client Access • Most mature and widely used product

System i Navigator

5250 Display and Printer Emulation

Data Transfer

Operations Console & Virtual Control Panel

IBM i Access for Web (5770XH2) • IBM i System Hosted HTML based web product • Very robust capability and increasingly deployed

5250 Display

Print Access

Database Access

IBM i Access for Linux (5770XL1) • Lightly embraced product specifically for Linux RPM Operating Systems

ODBC provider

5250 Display

Incoming Remote Command

Data Access Providers

Remote Command

Print Drivers

Integrated File System Access

Commands

Jobs


New Client Product

On April 24th, 2012, IBM Announced the upcoming Technology Preview of a brand new Client Product member of the IBM i Access Family.

IBM i Access Client Solutions (5733XJ1) Consolidates commonly used tasks for managing your IBM i into one simplified

location The core of the product is a Java client that is not platform specific. Runs on most full featured client/server Operating Systems that support Java 6.0

or higher such as most versions of Windows, Macintosh and Linux. Same deployment, configuration, settings, problem determination across all

platforms. Features include:

• Ease of Deployment • 5250 Display and Printer Emulation • Data Transfer • 5250 LAN Console and Virtual Control Panel • Links to HMC, Systems Director Navigator, and other consoles

3


New Client Product

Comes in three parts:

Core offering (today's conversation piece) contains platform-independent code

Application packages offer platform-specific API's for applications.

http://www.ibm.com/developerworks/ibmi/library/i-ibmi-access-client-solutions/


How the pieces fit

5770XE1 functions are finding a new home…












4


How the pieces fit

5770XL1 functions are finding a new home…


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A

5


System Configurations

Use the System Configurations panel to store connection information on the IBM i Systems that will be used


System Configurations

Create, Edit or Delete connection information for IBM i Systems that are used. System Name: What is entered by the user to connect to for this host IP Address: What the PC’s DNS environment last returned when

connecting to the System Name Service Host Name: The System’s Console host name or IP address as

configured Description: Defined by the user when created

6


New System Configuration

OK - Saves the information entered and closes the panel

Save/New - Saves the information entered and clears the panel

Cancel - Closes the panel without saving anything


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A

7


Console

5250 Console – Opens a interactive console to the current System

Virtual Control Panel – Opens a Virtual Control Panel if Lan Console is used for the current System

Hardware Management Interface 1 – Opens a web browser to the management console specified for the current System


5250 HMCConsole

8


Virtual Control Panel


Hardware Management Interface

9


Hardware Management Interface

HMC Pre-Login Monitor


Console Configuration

Console information is configured in the System Configuration panel Lan Console / Virtual Control Panel

• Service Host Name HMC 5250 Console

• Host Name or IP Address to the HMC 5250 Proxy interface

• Supports SSL Hardware Management Interfaces

• Host name or IP address

Can append a port to the name or address

x.x.x.x:port

• Description • Examples of management interfaces

Advanced System Management Interace (ASMI)

Integrated Virtualization Manager (IVM)

Hardware Management Console (HMC)

10


HMC Advanced Configuration

Clicking the "Advanced" button lets you set a specific managed system and partition.

Doing so enables Virtual Control Panel

Requires SSH login


Locate Console

Scans your LAN for LAN-console-enabled systems

Allows you to launch directly to virtual control panel (VCP) or 5250 console

11


Data Transfer

Select the Data Transfer option Will default to the current System


Data Transfer

Displays the Data Transfer interaction panel Starts out with a Data Transfer to IBM i and Data Transfer from

IBM i tab to the current System on the main panel

12


Data Transfer

Data Transfer interaction panel All active Data Transfer requests are displayed in a tab on this

panel Open Saved Requests Save Requests Create IBM i Files Data Transfer Migration


Data Transfer from IBM i

Data Transfer to Display

13



Data Options Query options to narrow data results



File Details

14



Format Options



Properties

15


Data Transfer to IBM i

File Details


Data Transfer to IBM i

Properties

16


Create IBM i File

Wizard to create IBM i database file based on client file Same behavior of Access for Windows client


Data Transfer Migration

Access for Windows Data Transfer saved request migration Migrate saved .dtt and .dtf files to IBM i Access Client Solutions

.dttx and .dtfx files

17


5250 Emulation

Provides nearly identical interaction, look and feel to the Access for Windows PC5250 emulator


5250 Session Manager


18



Similar to Access for Windows PC5250 Session Manager Start a saved session Create new Display or Printer Session Create a Multiple session start batch file from existing saved

sessions


New Display Session

Very different look and feel to the configuration panels, but nearly the same capabilities are available

19


New Printer Session

Printer session configuration panel


5250 Emulation Sessions

IBM i Access Client Solutions 5250 Emulation sessions are saved as .hod files Access for Windows PC5250 .ws files can be imported into

.hod files .hod files can also be saved outside of the Session Manager

• Need to setup a file association in the PC Operating System to run the file and have it open the emulator

20


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A


SSL Options

21


“Client SSL must be FIPS compliant” option

On IBM JRE’s: The IBM FIPS-compliant cryptography provider will be used

The IBM JSSE provider will run in FIPS mode for SSL connections

On Oracle/other JRE’s: The administrator must configure the JRE to default to FIPS-compliant SSL providers


Default communication to SSL

Newly-created session configurations will have the SSL option on by

default

22


Default communication to SSL

When a connection is made to a system name for which there is no stored

configuration, SSL will be used


Edit -> Preferences

“mouseover” text

a description is

displayed in the

main panel when

highlighted

(next slide)

Set the active

language

(restart needed)

[for IBM service]

23


Enable Description Panel (checked [default])


Enable Description Panel (unchecked)

24


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A


Password caching

Password caching options are slightly different from IBM i Access for

Windows. What's different?

25


Password caching

"User Windows user name" has been replaced with "Use shared

credentials"

Shared credentials uses a single password cache for all IBM i systems

One login can now suffice for 20 systems (it may or may not be the same

as your windows login)


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A

26


Shell Commands

IBM i Access Client Solutions provides several shell or command line utilities that can be used outside of the graphical user interfaces

Basic syntax is (all on the same line) acslaunch_win-32.exe /plugin=<name>

[/system=<system>] [/options]

Or java -jar acsbundle.jar /plugin=<name>

[/system=<system>] [/options]

The “/system” parm is only valid for commands pointed at a specific system


Shell Commands

Examples include:

Backup •Saves the client configuration to file

Restore •Restores the client configuration from file

Cfg •Creates system configuration

Dump •Requests all running client processes to write service information

Medic •Packages the existing logs and dumps

Log •Sets the client logging level

Logon • Manages user id and password caching

27


Shell Commands And…

Props • Opens the Edit -> Preferences panel

Maint • Maintenance options

Ping • IBM i Access Client Solutions connection verification

Sm • Opens 5250 session manager

5250 • Opens 5250 display session

DTGui • Opens Data Transfer interaction panel

Download • Runs a previously saved data transfer download .dtfx

CLDownload • Runs a data transfer download without a .dtfx

Upload • Runs a previously saved data transfer upload .dttx


Shell Commands

Shell Command Ping example

28


Shell Commands - Emulator

/plugin=SM Launches a Session Manager

/plugin=5250 Launches a 5250 session

/PLUGIN=5250 /SYSTEM=<system> [/<options>]


Shell Commands – options for /plugin=5250

Valid options are:

/name=<name> - session name

/wide - use a wide screen size (27x132)

/id=<id> - sets the short session id

/nosave - do not save settings on exit

/prompt - force the configuration dialog to appear

/port=<port> - port number

/ssl - connect using secure sockets

/sso - bypass signon screen

/kerberos - Use kerberos

/width=<width> - initial width of the emulator window

/height=<height>- initial height of the emulator window

/xpos=<xpos> - initial x-coordinate position of the top-left corner of

the emulator window

/ypos=<ypos> - initial y-coordinate position of the top-left corner of

the emulator window

29


Shell Commands – Check connectivity

/PLUGIN=ping /SYSTEM=<system> [</options>]

Options include:

/SSL=<1/0> Turn SSL on or off

/ACCEPTALLCERTS=<1/0> Whether or not to automatically add all SSL

certificates to the trusted set (when using SSL).

/SERVERAUTH=<1/0> Turn SSL Server authentication on or off (default is

off). This option is disregarded if not testing SSL.

/GUI=<1/0> Toggle GUI window on/off (default is off if launched

from command-line)

/PORTS=<port1,port2> A comma-separated list of ports to test. It can be

numbers or service names (e.g. /PORTS=as-signon,as-sts). If not

specified, a default set of ports is tested.

Specifying .CONSOLE will check a list of console specific ports.

/TIMEOUT=<seconds> Specify a timeout value, in seconds.


Shell Commands – Run Data Transfer saved request

/PLUGIN=download /file=<dtfx_filename> [/userid=<userid>]

/PLUGIN=upload /file=<dttx_filename> [/userid=<userid>]

Userid option is optional

OR… new "DTBATCH" plugin:

/PLUGIN=dtbatch <dttx_filename> <dtfx_filename>

30


Shell Commands – Simple download (no saved request)

/PLUGIN=cldownload /system=<system>

[/userid=<userid>]

{/hostfile=<library/filename> | /sql="statement"}

{/clientfile=<path><filename>.<extension> | /display}

/userid - user id to use when connecting to the target system

/hostfile - Source library and file on the IBM i system for the download

e.g. /hostfile=QIWS/QCUSTCDT

/sql - specify an SQL statement

e.g. /sql="select CUSNUM,LSTNAM,INIT,ZIPCOD from QIWS/QCUSTCDT"

/clientfile - Target file location for the download.

The format of this file will be determined by the specified

extension (for example, .csv .ods .xlsx .xlsx)

If the file extension is not specified or is of a type

not supported, the data will be formatted as a .csv file

/display - write the output to the terminal


Shell Commands – simple download

Shell command CLDownload example, on IBM i

Note: no login needed!!

31


Shell commands

Many, many more…

Virtually any major function you can launch from main GUI

See GettingStarted documentation for details, and visit:

https://www.ibm.com/developerworks/ibmi/library/i-acs-commandline/


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A









32


What you get in the package


Ways you can launch

1. “java -jar acsbundle.jar”

2. Binary launcher (preferred)

33


Deployment: initial questions

When thinking about deployment, ask yourself where you want to put:

1. the product image? (jar file)

2. the user’s settings? (system configurations,

5250 sessions, etc.)


Deployment: What might be our options?

Computer (local)

Network Share

USB Thumb Drive

Intranet (http:// URL)

34


Where can I put the image (jar file)?

6

7

Computer (local)

Network Share

USB Thumb Drive


Any filesystem (local, USB drive, network)

or

Intranet link (http:// or https://)

NOTE: A Java Runtime Environment (JRE) will also

need to be accessible


Where can I put the user’s settings?

Computer (local)

Network Share

USB Thumb Drive


Any filesystem (local, USB drive, network)

35


How do I place the product image where it needs to be?

For filesystem locations, simply copy the file(s) and give users access

For http:// or https://, you have two options:

Static-serving the file from your web server

• Simply have your web server “serve” the file via a static link or some similar

mechanism

• (requires the user to have file association for .jar, and for that association to launch a

Java 6 JRE)

Using Java WebStart technology

• Only requires the user to have some Java installed (does not have to be Java 6)


How do I configure where user settings go? AcsConfig.properties

This can be configured in the product configuration file, named

“AcsConfig.properties”

AcsConfig.properties is simply a list of configuration properties and values.

These properties may also be specified on the command line

-D<property>=<value>

One such property is

com.ibm.iaccess.AcsBaseDirectory

36


AcsConfig.properties (cont.)


AcsConfig.properties (cont.)

The following locations are searched for the AcsConfig.properties file: 1. In the classpath (that is, inside acsbundle.jar)

• Sample, default version included with the product

2. In the same directory as acsbundle.jar

• Sample, default version included with the product

3. By interrogating the “ibmi.acs.configuration” Java System property (the property’s

value is assumed to be the properties file). One would set this property on the

command line. Example:

acslaunch_win-32.exe -Dibmi.acs.configuration=M:\AcsConfig.properties

IMPORTANT NOTE!! When the configuration file exists in multiple locations, the last one

wins

37


com.ibm.iaccess.AcsBaseDirectory

The value of this property determines: The location of user settings

The location of service logs/dumps/etc

The default directory used by the 5250 session manager (this can be configured

separately if desired)

The value is expected, therefore, to be a directory name on a filesystem. It

can be Left blank (which leaves behavior at the default location)

The path of a hardcoded directory name (fully-qualified is highly recommended)

A constructed path using special keywords (next slide)

Tip: use forward slashes (‘/’), not backslashes (‘\’)


com.ibm.iaccess.AcsBaseDirectory : Special keywords

{USER} : would be the current username (valid anywhere in the path)

{PRODUCTDIR} : would mean the product’s location in the file

system (valid only at the beginning)

{TEMPDIR} : would be the temporary directory (valid only at the

beginning)

{ROOT} : the root of the file system where the product is located (valid

only at the beginning)

{CWD} : the current working directory (valid only at the beginning)

{HOME} : the user's home directory (valid only at the beginning)

{DEFAULT} : the default place the product normally puts its settings

(valid only at the beginning)

38


Verifying location


Verifying location

39


Cliff’s notes: Common configurations

Default (“My Documents” on Windows, home dir otherwise) com.ibm.iaccess.AcsBaseDirectory=

Network share

com.ibm.iaccess.AcsBaseDirectory={ROOT}/config_directory/{USER}

com.ibm.iaccess.AcsBaseDirectory={PRODUCTDIR}/config_directory/{USER}

Thumb drive!

com.ibm.iaccess.AcsBaseDirectory={PRODUCTDIR}/config_directory


Deployment

Remember these questions? There’s also an “extra credit question”……

Any guesses?

1. the product image? (jar file)

2. the user’s settings? (system configurations,

5250 sessions, etc.)

3. A Java Runtime Environment (JRE)

40


Deployment: customizing your JRE

Some general notes about Java Runtime Environment: Use up-to-date versions of Java!

When using 32bit launchers (.exe’s), you must use a 32bit JRE (and 64bit launchers

require a 64bit Java)



Customizing your JRE (offering a specific JRE for all users) can be done in

the following ways: If launching the product by invoking java.exe (java –jar acsbundle.jar), fully-qualify a path

the java.exe you would like to launch with

If launching the product by invoking acslaunch_XXXXX.exe, use one of the command

line options:

Usage: [-options] [args...]

where options include:

-vm <path to jvm home directory>

-vmdll <path to a jvm lib file>

see java -help for other valid options

where args include:

/plugin=<name> [plugin-options...]

<file> Tip: place quotes around paths containing spaces!

41



Alternatively, if launching the product by invoking acslaunch_XXXXX.exe,

you can also place a JRE alongside the .exe file For instance, if your product image is expanded to C:\ACS,

• Launcher executable will be at C:\ACS\Start_Binaries\Windows_i386-32\acslaunch_win-32.exe

• You can put a JRE in C:\ACS\Start_Binaries\Windows_i386-32\jre\

• (e.g.: you can copy the directory “C:\Program Files (x86)\java\jre6”

to “C:\ACS\Start_Binaries\Windows_i386-32\jre”)



Why would you want to do this? JRE can be on a network share or thumb drive

The default JVM on a workstation may or may not be Java 6 or

newer (or there might not be a JVM on a particular workstation)

Gives the administrator more control

Need not worry about having Java installed on user workstations

Why would you NOT want to do this? Client VM may get updates automatically

Your deployment is all based on local workstation, you don’t want

to deploy a JRE, and JRE’s may vary

Usually not necessary (most workstations have Java)

42


Verifying JRE


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A

43


Migration

The following information can be migrated from IBM i Access for Windows:


Data Transfer saved requests

5250 session profiles


Migration – System configurations

The tool for migrating system configurations is called “Copy Connections”

44


Migration – System configurations

The “Copy Connections” tool lets you copy system configurations to and

from Windows platform-specific products


Migration – Data Transfer saved requests

45


Migrates saved .dtt and .dtf files to IBM i Access Client Solutions .dttx and .dtfx files




46


Migration – 5250 session profiles



47





Resulting .hod file is saved in session manager directory

Key mappings are also converted. A converted .kmp file will be saved in

session manager directory.

48


Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A


Hiding/Restricting function

You may not want all the features of ACS visible to your users.

There are two ways exclude them from view (hide them)

1. Hiding component for a deployment

2. Restricting component with workstation-level restrictions

49


Hiding component for a deployment

Deployed via AcsConfig.properties Property must be set:

• com.ibm.iaccess.ExcludeComps

Set this property to a comma-separated list of function keywords

The function keywords which may be specified are: DATAXFER - Data Transfer to/from IBM I

EMULATOR - 5250 Display/Print emulation and 5250 Session Manager

KEYMAN - SSL certificate management

OPCONSOLE - Operations console and Virtual Control Panel

RMTCMD - Remote Command (available from the command line)

SPLF - Printer Output

HWCONSOLE - Hardware management interface

L1CPLUGIN - Navigator for i


Excluding components – An example…

Without the property set (left) and with

com.ibm.iaccess.ExcludeComps=OPCONSOLE,HWCONSOLE,L1CPLUGIN (right)

50


Workstation restrictions

Accessed via Edit->Preferences


0

Workstation restrictions

Effective for all users on this workstation

Can only be set/removed by administrators

Non-administrators will not see the option

Scriptable via shell commands

/PLUGIN=restrict /<options>

Valid options are:

/restrict=<func1,func2,func3> Restricts the given functions on this workstation.

/unrestrict=<func1,func2,func3> Allows the given functions on this workstation.

/list Lists whether functions are allowed or restricted on this workstation.

/export=<file> Export restrictions to the named file with a .acsr file extension.

/import=<file>.acsr Import restrictions from a file with a .acsr file extension.

/exportreg=<file> Export a Windows registry file (.reg file).

51


1

Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A


2


Unfortunately, ACS does not run "natively" on mobile devices.

Why?

Popular alternatives are to use remote access techniques. Run ACS on a

different platform (IBM i, Windows, Linux, Mac) and use VNC or remote

desktop protocol (RDP).

iPad /VNC article: https://www.ibm.com/developerworks/ibmi/library/i-access_client_solutions/

https://www.ibm.com/developerworks/ibmi/library/i-access_client_solutions/





52


3

Agenda

Overview Background


Features

Edit->Preferences

Password caching


Deployment

Migration



Q&A