
Business Systems, ISSUE # 66, Quarter 3/2008, ASIA PACIFIC EDITION

Celebrating 20-Years of AS/400: Oracle Corporation, Silverlake Axis, Dr Frank Soltis
SpiritBank Locks Up With Encryption, Page 30
Curbing IT’s, Page 26

Private i
IBM i 6.1 offers greater data security, Page 18
Editor’s Corner

This is a special issue for IBM i. We commemorated the 20-year Anniversary of the IBM AS/400 platform recently, reflected in a special pull-out insert and a host of exclusive features. Frank Soltis, IBM’s chief scientist, father of the AS/400 exclaimed “Wow” as he reflects on the Anniversary on page 50. Whereas on page 38, Goh Peng Ooi and Dr. Raymond Kwong from Silverlake, pioneer Solutions Provider in ASEAN reminisce on the AS/400 with us. Additionally, Lenley Hensarling and John Schiff Vice President from Oracle Corporation discuss the strength of our joint history and more on page 14.

Our cover story on page 18 focuses on how IBM i, already one of the most securable systems in the marketplace, can be made even more so with i 6.1 providing features that make it much easier for us to secure our systems, bringing more simplicity and control.

Spotlighting all three Power Systems operating systems - IBM i, Linux and AIX, Trends on page 6 details the new virtualization capabilities of your IBM Power Systems servers with new PowerVM technology.

Last year, new IBM products and services, announced as part of Project Big Green, included a five-step approach to energy efficiency in the data center that, if followed, would sharply reduce data center energy consumption. It would also transform clients’ technology infrastructure into “green” data centers, predicting energy savings of approximately 42 percent for an average data center. A mere year later, our feature Leaner and Greener on page 26 explores how clients are reaping the benefits – some seeing a total energy reduction within the data center of 75 to 80 percent!

See you in our next issue in November! Long live IBM i and Power Systems!

The Editor

INSIDE
#66 • Quarter 3/2008

Cover Story
Keeping an i on Security, page 18
IBM i 6.1 brings more simplicity and control. By Carol Woodbury, cover illustration by Steven Lyons

Features
Jazz Up Your Software Management, page 23
Discover IBM Rational Application Lifecycle Management Software for i. By Kushal Munir and Sean Babineau

Leaner and Greener, page 26
How Project Big Green is helping make data centers more efficient. By Shirley S. Savage

Columns
Editor’s Corner, page 2

Trends, page 6
New PowerVM Offers Virtualization Across Three Operating Systems



Lessons From the Lab, page 10
Lab Services Offers Security Planning to Keep the Neighbors Out

Special Feature
Exclusive Interview with Oracle Corporation, page 14
Exclusive Interview with Silverlake Axis Celebrating 20 Years of AS/400 Success, page 38
Frank Soltis Reflects on the 20-Year Anniversary of the AS/400, page 50

Administrator, page 16
The Benefits of a Policy-Based Security Approach

Case Study
A Spirit of Protection, page 30
SpiritBank, USA
Loud and Clear, page 34
Widex Hearing Aid Company

Customer’s Testimonial
PT Bank Bumiputera Indonesia, Tbk, page 42
Barbecue Plaza Co., Ltd., Thailand, page 44

Developer, page 46
Extending RDi Using Plugins

Technical Corner, page 51
Fortifying Security With SQL

ENDPGM, page 64
How melons changed the way Justin Porter feels about IBM i

Poll Position: System i users sound off
Do blades fit into your future data-center plans?

The above results are from the opinion poll that was part of the June issue of the magazine’s i5 EXTRA online newsletter. To subscribe to i5 EXTRA, visit

Note: The EXTRA Poll is not scientific and reflects the opinions of only those Internet users who have chosen to participate. The results cannot be assumed to represent the opinions of Internet users in general, nor the public as a whole. The EXTRA Poll is not responsible for content, functionality or the opinions expressed therein.

This publication could contain technical inaccuracies or typographical errors. Also, illustrations contained herein may show prototype equipment. Your system configuration may differ slightly. This publication contains small programs that are furnished by IBM as simple examples to provide an illustration. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. All programs contained herein are provided to you “as is” implied warranties of merchantability and fitness for a particular purpose are expressly disclaimed. All rights reserved. Names of products and services marked with * may be trademarks of their respective companies. This IBM Systems Magazine ASIA PACIFIC Edition is produced for IBM by Thumb-Print Studio.

Trends
Industry signals to keep you in the know

You’ve Got the Power
New PowerVM offers virtualization across three operating systems

By Charlie Cler
Illustration by Nick Rotondo

The new virtualization capabilities of your IBM Power* Systems servers with new PowerVM* technology put the power in your hands. PowerVM offers enhanced processor virtualization features that can help you improve server utilization. A new PowerVM feature lets you reduce scheduled application outages by moving live, running applications on the fly from one server to another. Deploying PowerVM in your environment can help increase the efficiency of your IT operations and improve application performance and availability.

IBM recently introduced the concept of the Power Systems software stack; PowerVM fulfills the stack’s virtualization component and introduces new capabilities when running on POWER6* technology-based servers.

PowerVM is capable of simultaneously providing virtualized resources to the three Power Systems operating systems (AIX*, Linux* and IBM i). The POWER6 processor enables the new PowerVM features. Additional operating-system-specific virtualization capabilities beyond the scope of PowerVM may be provided by individual operating systems.

PowerVM Overview
PowerVM virtualizes hardware system resources (processors and I/O). This processor virtualization affords the opportunity to increase server utilization through shared pooling of CPU resources among a group of partitions. Virtualized I/O lets multiple client partitions share individual adapters and disk drives. This can help reduce server deployment and infrastructure costs.
PowerVM is composed of the following virtualization
• Shared processor LPARs (SPLPARs)
• New shared dedicated capacity
• New Multiple Shared Processor Pools (MSPP)
• Virtual I/O Server (VIOS)
• Integrated Virtualization Manager (IVM)
• New Live Partition Mobility
• PowerVM Lx86

Let’s look at each of these components in more detail.

SPLPARs are virtual partitions that share a common pool of processors. Micro-Partitioning* technology lets these virtual partitions be sized using 1/100th of CPU increments. SPLPARs can start as small as 1/10th of a CPU. This level of CPU granularity provides excellent flexibility (compared with dedicated-processor LPARs) when allocating processor resources to partitions. Within the shared processor pool, unused CPU cycles can be automatically distributed to busy partitions on an as-needed basis, letting you “right-size” partitions so they run at higher utilization rates. Implementing the shared processor pool using Micro-Partitioning technology lets users create more partitions on a server and thus reduce costs.

Shared dedicated capacity lets partitions running with dedicated processors donate unused processor cycles to the shared processor pool. This provides the opportunity to increase the workload or number of partitions running in the pool. When the owning partition needs the processor resources back, they’re automatically redirected. Shared dedicated capacity is another feature that helps you improve overall server utilization.

MSPP is a feature that lets you create additional shared processor pools within the main pool. When shared processor partitions are created, you assign them to run in a specific pool. Each pool is assigned a maximum processing unit value that sets an upper limit on the CPU resources that can be consumed by the collection of partitions assigned to that pool. This MSPP feature can help reduce software-licensing costs by grouping partitions running the same software application within a single pool with a known upper bound on the CPU resources they can consume. Partitions can also be dynamically moved from one pool to another.

VIOS is a utility partition that provides virtualized I/O resources to client partitions. Physical network adapters and disk resources are assigned to the VIOS, which can share these I/O resources among multiple client partitions through the use of virtual adapters. For example, a single physical Ethernet adapter connected to the VIOS provides LAN connections to multiple client partitions. The sharing capability of the VIOS is designed to reduce the total quantity of physical I/O adapters and disk drives required in a server, potentially reducing overall operating costs.

IVM is a management tool that combines partition management and VIOS functionality into a single partition running on the system. The IVM features an easy-to-use point-and-click interface and is supported on blades and entry-level to midrange servers. Using the IVM helps lower the cost of entry to PowerVM virtualization because it doesn’t require a Hardware Management Console (HMC).

Live Partition Mobility lets you move a running AIX or Linux partition from one server to another compatible server without any application downtime. This feature can help keep your applications running while you:
• Conduct planned system maintenance
• Reprovision a partition to a server with more resources to accommodate growth beyond the capabilities of the server where the partition currently resides
• Reprovision partitions as part of a server consolidation effort to reduce operating costs

PowerVM Editions
These PowerVM features have been packaged into three different PowerVM editions: PowerVM Express Edition, PowerVM Standard Edition and PowerVM Enterprise Edition.

PowerVM Express Edition provides an introduction to PowerVM virtualization at a low entry price. It’s offered (continued on page 60)

Resources
IBM PowerVM
Virtualization with IBM i, PowerVM and Power Systems

Lessons From the Lab
IBM’s technical team to the rescue

Who’s Got the House Keys?
Lab Services offers security planning to keep the neighbors out

By Bruce Bading

Imagine the following conversation over dinner and a glass of wine on a flight between New York and Paris. Tom and Susan are leaving on a two-week vacation for their 10th anniversary. Susan suddenly looks at Tom and says, “Uh-oh, I forgot to give Deane a copy of the house key so she could take care of the cats while we’re gone.”

“No worries,” Tom replies, “I left a copy of the house keys with the neighbors in case there was a problem.”

Relieved, Susan asks, “Which neighbors, honey?”

“Ah, all of ’em, sweetheart. Why?” Tom answers.

That would never happen. Let’s get real; they don’t serve dinner and wine in coach anymore. Actually, you might be surprised how realistic that conversation would be if you changed the topic slightly. How about a discussion on security around critical or sensitive information? Enter Frank, systems operator, and Leo, head of accounts receivables, for a large services firm in the Midwest. “Hey Frank,” Leo says, “I thought we had things pretty locked down on the system, but I just found out that all of my people can see the financials and payroll. Who has access to my stuff?”

Frank replies: “Ah, everybody—I think. Why?”

Now, does that conversation sound more possible? In our rush to configure applications with functionality and ease-of-use in mind, do we ever ask ourselves how important and integral security is and should be to our applications? Let’s face it: Unless our business is someplace like, say, the moon, we have all sorts of connectivity to the outside world and maybe vice versa, as well as a lot of people working for and with us, most of whom we really don’t know, I promise. The point is: Do you really know what kind of access is available on your systems and, just as importantly, does it comply with your security policy (I hope you have one) and regulatory requirements?

Exclusionary-Access Control Model
What would’ve kept both Tom and Frank out of hot water is a well-designed exclusionary-access control model. An exclusionary-access control model is exactly what it says: Everyone’s excluded by default, and users or groups are granted specific access through private authorities, authorization lists and/or adopted authority. Or in Tom and Susan’s case, the method used to control who has house keys. Exclusionary access isn’t the only step we need to take to secure our system and objects, however. Here are a few of the other things we should be doing:
• Have and maintain a well-articulated security policy.
• Maintain a system-standards document that defines how newly acquired and current systems should be configured.
• Create and maintain well-defined roles and responsibilities.
• Create and maintain an electronic data classification scheme. (This assists you in designing an exclusionary-access model.)
• Assign electronic data owners and custodians (usually line-of-business owners who are responsible for the data). For more information, refer to the International Organization for Standardization document ISO 17799.
• Use a well-designed change-management process.
• Stay abreast of all regulatory-compliance requirements specific to your industry, investor status, and other laws and regulations.

As I work with customers, I hear many poor excuses for not minding data better. One of the most distressing things I hear when I’m talking to people about security is the false impression that implementing tighter access controls will somehow make their systems more difficult to manage and impede users’ abilities to perform their jobs. So my question is, do you really know what jobs your users are and should be performing? Roles and responsibilities come to mind here.

Let me take it down to its simplest level. Our exterminator has the combination to the backyard gate. I suppose I could let him go through the house if we’re not home, but I don’t think that would be too cool. My kids have the arming codes for our home’s security system, but only my wife and I have the master codes and our children know not to share theirs with friends. Everybody’s fine and nobody complains that they can’t function and it’s a whole lot easier to manage than letting the bug guy go through the house and everybody have the codes to our alarm. You’ll find that it works the same way regarding electronic data if you take the time up front to plan and design a secure system and policies.

Critical Condition
Granted, operating systems and application access is much more complex and requires a bit more planning than my home-security scenario, but the end result should be the same. The system should actually become easier to manage and users should never know that they’re working in a more secure environment—everything just continues to work except that which shouldn’t.

Unfortunately, the state of i and application security (where companies have too many users with *ALLOBJ special authority) isn’t as healthy as it should be. As a matter of fact, I think it’s in downright critical condition. When we distribute keys the way Tom does, we’re all in that condition. We just don’t take securing our data as seriously as we should. It’s our livelihood and, in some cases, our personal data. No one can afford to be complacent with hackers and thieves growing bolder and smarter. Add to that numerous studies pointing to the fact that the even larger threat comes from inside. If it does come from the outside in, I seriously doubt that we’ll ever be able to prosecute that dude in the Caribbean who stole and sold our company’s data.

With the real cost of data theft counted in the billions of dollars per year and the cost to credibility incalculable, we should all be losing sleep. Consider systems that have too many users with special authorities; encryption for the sake of encryption without proper access controls; wide-open ODBC access where proper access controls have been ignored; publicly authorized profiles that own data objects or, worse yet, have *ALLOBJ special authority; and it goes on and on, deeper and deeper.

But there’s hope! Expert advice and resources are available from the Rochester lab, which provides assessment, consultation and remediation services to assist your organization. Visit the IBM* Systems and Technology Group Lab Services Web site ( vices/labservices) for more information. And if all of this has given you a headache, take two aspirin, get a good night’s rest and call me in the morning.

Bruce Bading, a System i security consulting architect at IBM, has been responsible for securing a variety of platforms and applications including i, Windows* 2000 and 2003, personal workstations, enterprise identity mapping and Cisco PIX firewalls. He leads security remediation projects for many of IBM’s largest System i customers with more than 20 years of system and application-security experience. Bruce can be reached at
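
As an added illustration (not part of the original article, and not IBM's or the author's code), the CL program below shows one way to apply the exclusionary-access control model described above on IBM i, using an authorization list, private authorities and adopted authority. The library, file, program, list and profile names (PAYLIB, PAYMAST, PAYUPD, PAYAUTL, PAYOWNER, GRPPAYROLL, GRPAUDIT, GRPCLERK) are hypothetical, and the three group profiles are assumed to exist already.

```cl
PGM
/* Added example. All object, library and profile names are hypothetical. */

/* 1. Owner profile that nobody signs on with; it owns data and programs. */
CRTUSRPRF  USRPRF(PAYOWNER) PASSWORD(*NONE) +
             TEXT('Owner of payroll objects')

/* 2. Authorization list with public authority *EXCLUDE: anyone who is    */
/*    not named on the list gets no access to the objects it secures.     */
CRTAUTL    AUTL(PAYAUTL) AUT(*EXCLUDE) +
             TEXT('Payroll data, default deny')
ADDAUTLE   AUTL(PAYAUTL) USER(GRPPAYROLL) AUT(*CHANGE)
ADDAUTLE   AUTL(PAYAUTL) USER(GRPAUDIT)   AUT(*USE)

/* 3. Library: public excluded, new objects created as public *EXCLUDE,   */
/*    and only the groups with a business need can use the library.       */
CHGLIB     LIB(PAYLIB) CRTAUT(*EXCLUDE)
GRTOBJAUT  OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) +
             AUT(*EXCLUDE) REPLACE(*YES)
GRTOBJAUT  OBJ(QSYS/PAYLIB) OBJTYPE(*LIB) +
             USER(GRPPAYROLL GRPAUDIT GRPCLERK) AUT(*USE)

/* 4. Data file: owned by PAYOWNER, secured by the list, and public       */
/*    authority taken from the list (which is *EXCLUDE).                  */
CHGOBJOWN  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) NEWOWN(PAYOWNER) +
             CUROWNAUT(*REVOKE)
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) AUTL(PAYAUTL)
GRTOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 5. Adopted authority: clerks are not on the list, but they may run     */
/*    PAYUPD, which adopts PAYOWNER's authority only while it runs.       */
CHGOBJOWN  OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) NEWOWN(PAYOWNER)
CHGPGM     PGM(PAYLIB/PAYUPD) USRPRF(*OWNER)
GRTOBJAUT  OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) USER(*PUBLIC) +
             AUT(*EXCLUDE) REPLACE(*YES)
GRTOBJAUT  OBJ(PAYLIB/PAYUPD) OBJTYPE(*PGM) +
             USER(GRPCLERK GRPPAYROLL) AUT(*USE)

/* 6. Evidence for review: who holds authority to the file and the list.  */
DSPOBJAUT  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OUTPUT(*PRINT)
DSPAUTL    AUTL(PAYAUTL) OUTPUT(*PRINT)
ENDPGM
```

Profiles with *ALLOBJ special authority bypass these object-level checks, which is why the article counts them as a measure of a system's health. Private authorities granted before this change stay in place until they are removed with RVKOBJAUT.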

Exclusive Interview with Oracle Corporation

Lenley Hensarling, Group Vice President and General Manager, JD Edwards
John Schiff, Vice President and General Manager, JD Edwards World
Oracle Corporation

Strength of the Joint History and Long-term Relationship, Applications Unlimited, Product Updates

IBM i: How would you characterize Oracle JD Edwards’ relationship with IBM nowadays?
Lenley Hensarling: I’d say the relationship is better than ever. Oracle and IBM are committed to the long-term success of our joint customers and we continue to provide customers a choice of industry-leading business solutions, platforms and operating systems for Oracle solutions.

In fact, JD Edwards and IBM have worked together for over 30 years and collaborate daily on development, marketing and sales activities. Senior IBM and Oracle architects work together to influence technical product direction for each company and are continually looking years ahead when developing future advanced solutions.

Our joint competence centers are a proof point of our ongoing, solid relationship. The IBM/Oracle International Competency Center has locations in Redwood Shores, California, Pleasanton, CA, Denver, CO, and Tokyo, Japan and they provide benchmarks, technology enablement recommendations, sizing guidelines, and tuning tools for all Oracle applications. Leveraging a proven track record of thousands of successful implementations, a closely coordinated global team of IBM and Oracle professionals enable our JD Edwards customers to gain access to world-class solutions.

Furthermore, IBM is often one of the high level sponsors at Oracle’s OpenWorld annual conference in the United States.

It is important to mention that there are significant benefits of running JD Edwards on an IBM i (formerly System i) since this platform was designed to run all JD Edwards EnterpriseOne and JD Edwards World components on a single system, simplifying its management, reducing overhead costs, and improving our applications performance, reliability, and availability.

In summary, the strong, long-term, and outstanding relationship between Oracle JD Edwards and IBM offers our joint customers the assurance to know that as Oracle’s portfolio of applications grow, Oracle and IBM will continue to insure that these new products are supported on IBM Systems.

IBM i: Can you explain the value for JD Edwards World customers of the IBM i 6.1 (formerly IBM System i V6R1)?
John Schiff: We continue to work very closely with IBM as they produce new releases of software. We also continue to have a close alliance. Our products work well together and we see a very strong loyalty with our customers in this scenario. IBM continues to work with us to make sure they get the maximum value from their software. Customers can upgrade when it is appropriate, and they can check with us when there is new technology coming from IBM. A very strong relationship continues there.

IBM i: How do you see the IBM POWER6 announcement?
John Schiff: POWER6 has really been an interesting announcement from IBM. If you look at the POWER6 announcement, it really says that you have a server that is architected to run multiple environments with one set of hardware, whether it be Unix, Linux or the i for Business (OS/400) operating systems. It means that a customer investing in hardware does not need to make a decision on what technology they are going to run initially. As they evolve and want to make use of other parts of Oracle’s technology, they can certainly do that with the new POWER6. It gives a strong economic proposition, and as IBM deploys higher volumes of the server technology, our customers should see benefit from that as well.


IBM i: What is Oracle’s Applications Unlimited and how does it affect JD Edwards EnterpriseOne and World customers?
Lenley Hensarling: Applications Unlimited is Oracle’s plan to continue enhancing our current applications product lines through customer driven enhancements and roadmaps, ongoing upgrade innovations, lifetime support and no forced migrations, and upgrade path to next-generation applications.

For JD Edwards’ customers this means that your technology investment is protected with a comprehensive, well-defined product roadmap, backed with Oracle’s Lifetime Support that further extends Oracle’s support for its applications. Oracle’s Applications Unlimited and Lifetime Support are simple, predictable, and the most comprehensive policies available. Furthermore, by focusing on ongoing upgrade innovations, we can deliver reduced downtime, shorter upgrade cycles, and proven upgrade paths and methodologies ensuring that our customers’ upgrades are now simpler and more efficient.

IBM i: How have JD Edwards customers benefited from being part of Oracle?
Lenley Hensarling: By combining with Oracle, JD Edwards’ customers have been able to benefit from a much broader and strategic set of offerings to more expeditiously meet their business needs. Through planned acquisitions, Oracle has strengthened its product offerings, accelerated innovation, and continued to meet customer demands more rapidly. In fact, Oracle sees acquisitions as the primary way enterprise software companies can remain competitive and innovative. Proof of this successful strategy is that Oracle can offer the strongest strategic road map and is the applications leader in CRM, supply chain management, and human capital management. Oracle also has 37,000 customers using Oracle applications. The JD Edwards organization leverages this experience and knowledge by continually bringing you robust and quality products such as our latest releases – JD Edwards World A9.1 and JD Edwards EnterpriseOne 8.12

IBM i: What advice can you offer customers who would like to convince their business of the value of upgrading from JD Edwards EnterpriseOne Xe or 8.0? And for JD Edwards World customers to upgrade from the A7.3 or A8.1 releases?
Lenley Hensarling: Quite often people have the impression that other customers aren’t upgrading right now. We actually monitor who is going where on releases on a quarter-to-quarter basis. The last data we have for Q3 is that we have 21 percent of our installed base on 8.12, the most recent (continued on page 54)

     Getting the most from your systems

The Benefits of a Policy-Based Security Approach
By Chris Kundinger

There’s no question about it: Securing data has changed. Security buzzwords like firewalls, passwords and intrusion detection are now making room for up-and-coming terms like compliance and regulations. It’s no longer enough to protect systems from external threats only. And with new laws and regulations, the cost of maintaining system compliance and passing audits continues to grow. Major standards and requirements such as Payment Card Industry (PCI), Sarbanes-Oxley and HIPAA are driving many companies to reconfigure how their data is secured.

One can argue that reconfiguring a system’s data to meet these requirements is only patching the current system and ignoring the underlying problem that the way to approach securing data is changing. However, rethinking the way data is secured and using a policy-based approach can be a key step to simplifying the system compliance process and positioning a business to quickly and efficiently adapt to regulations.

The use of natural language bridging the divide between business leaders and IT professionals and keeping security focused on data makes a policy-based security approach effective.

Laws and regulations are written in natural language. PCI requirement No. 7 states: “People should see only the information that is needed to perform their job.” This statement, written in natural language, is easy to understand and meaningful to business leaders and auditors. In the context of actually securing the system’s resources, this statement is ambiguous. Who are the “people”? What does “see” mean? What is “the information”? A statement like, “joe123 has read and write access to file /home/file1” is a concrete statement that can be directly applied to a system’s security. This statement, however, isn’t meaningful to the business leaders and auditors because it lacks the context explaining why it’s important to the business. Why should joe123 have that access? What part of the business’s security policy necessitates this resource-access definition?

Security policies must be meaningful and enforceable; they should be written in natural language and translatable to a set of system-specific statements.

Data-centric security focuses on the system objects and the people who already have access to them. It’s determining security based on what kind of data is in the file and what types of people should be able to act on that data.

Lack of system compliance often is due to a valid user having too much access or an object not being secure enough. A data-centric approach can be a powerful technique to protect data, but let’s face it: It’s difficult to implement, typically a manual process, time consuming and even harder to maintain. However, when done properly, it’s an extremely effective way to both ensure and clearly demonstrate compliance, which the law requires business leaders to do.

The lack of a common way for business leaders and IT professionals to communicate is evidenced by the disconnect between the business objectives and IT security controls. The technology experts are driving security. They often lead the security processes in making use of “security best practices” without focusing on industry regulations. This approach can be effective for securing data but fails to prove compliance during an audit.

A question like, “Why does joe123 have full access to the www directory?” must be answered by a policy that’s meaningful to all parties. For a security policy to be meaningful, it needs to be derived from strategic business thinking typically done by the business leaders. A policy-based approach using IBM Secure Perspective provides an easy answer. The user joe123 has full access to www because he’s part of the Web administrators and the security policy defines that “Web administrators have full authority on the Web files.” Policy-based security expressed in natural language lets business leaders and IT professionals communicate in a way both parties can understand.

Leveraging Secure Perspective
IBM Secure Perspective is derived from an IBM research project that acknowledged the importance of creating a data-centric, policy-based security tool that expresses security policy in natural language. Secure Perspective has identified the need for a security solution that bridges the gap between a business’s data-security policy and practice.
(continued on page 55)
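The article's question, "Why does joe123 have full access to the www directory?", can be answered mechanically once each policy sentence is tied to a group and a resource. The following is an added example, not from the article and not how IBM Secure Perspective represents policy; the PolicyRule structure, the authority ordering, the group memberships, the payroll sentence and the access entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Authority levels, ordered so that a higher level implies the lower ones
# (an assumption made for this example).
LEVEL = {"read": 1, "write": 2, "full": 3}


@dataclass(frozen=True)
class PolicyRule:
    text: str        # the natural-language sentence the business agreed on
    group: str       # who the sentence is about
    authority: str   # what they may do
    resource: str    # directory the sentence covers


# Constructed sample data: group membership, the policy, and the access
# entries actually found on the system.
GROUPS = {
    "Web administrators": {"joe123", "ann77"},
    "Payroll clerks": {"bob42"},
}
POLICY = [
    PolicyRule("Web administrators have full authority on the Web files.",
               "Web administrators", "full", "/www"),
    PolicyRule("Payroll clerks can read the payroll files.",
               "Payroll clerks", "read", "/home/payroll"),
]
SYSTEM_ACCESS = [
    ("joe123", "full", "/www"),
    ("ann77", "write", "/www/index.html"),
    ("bob42", "read", "/home/payroll/2008q3"),
    ("bob42", "full", "/www"),            # valid user, too much access
    ("joe123", "write", "/home/file1"),   # concrete, but no policy behind it
]


def covers(resource, path):
    """True if path is the policy resource itself or lies beneath it."""
    resource = resource.rstrip("/")
    return path == resource or path.startswith(resource + "/")


def explain(user, authority, path, policy=POLICY, groups=GROUPS):
    """Return the policy sentences that justify this access (empty if none)."""
    return [
        rule.text
        for rule in policy
        if user in groups.get(rule.group, set())
        and covers(rule.resource, path)
        and LEVEL[rule.authority] >= LEVEL[authority]
    ]


def compile_policy(policy=POLICY, groups=GROUPS):
    """Expand each sentence into system-specific (user, authority, path) entries."""
    return sorted(
        (user, rule.authority, rule.resource)
        for rule in policy
        for user in groups.get(rule.group, set())
    )


def unjustified(access=SYSTEM_ACCESS, policy=POLICY, groups=GROUPS):
    """Access entries on the system that no policy sentence accounts for."""
    return [entry for entry in access if not explain(*entry, policy, groups)]


if __name__ == "__main__":
    print("Why does joe123 have full access to /www?")
    for sentence in explain("joe123", "full", "/www"):
        print("  because:", sentence)
    print("Entries an auditor would question:")
    for entry in unjustified():
        print("  ", entry)
```

The entries returned by `unjustified()` are the ones that would have to be removed or covered by a new policy sentence before an audit.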

Keeping an
on Security
IBM i 6.1 brings more simplicity and control

By Carol Woodbury

Illustration by Steven Lyons

IBM* i 6.1 provides a huge array of new features, and the area of security is no exception. Even though the System i* platform was already one of the most securable systems available, i 6.1 provides even more features that make it easier for us to secure our systems, including password controls, auditing and authority enhancements, intrusion-detection improvements, encryption and sanitizing, and new service values and service tool ID protections. You’ll feel like you have more eyes on your system with less effort.

Password Controls
Among the features available in i 6.1 are new ways to define password controls. Not only do administrators have more control over the composition of users’ passwords and the timing of password-expiration warnings, but they can also control how often users change their passwords. I’m sure this never happens in your shop but rumor has it that some users are so loath to switch passwords that they programmatically change them enough times so the system lets them use their current passwords. That workaround will no longer succeed if administrators use the new feature that can specify how often (in hours) users can change their passwords. Administrators can also specify whether and how many digits, alpha characters and special characters are required in a password and whether they’re allowed to be in the first or last position. So users who keep incrementing their passwords each month (e.g., woodbury1, woodbury2, woodbury3, etc.) will have to think up another scheme for devising their new passwords.
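The composition controls described above are expressed as rule tokens in the Password Rules (QPWDRULES) system value the article names. The following added example (not from the article or from IBM) evaluates candidate passwords against a subset of those tokens, with token meanings as understood from IBM's documentation; treating every non-alphanumeric character as "special" is an assumption, and the sample rule string, profile name and passwords are constructed.

```python
import re

# Character classes used by the rule tokens. Assumption: a "special"
# character is anything that is neither a letter nor a digit.
CLASSES = {
    "DGT": str.isdigit,
    "LTR": str.isalpha,
    "SPCCHR": lambda c: not c.isalnum(),
}

LEN_RE = re.compile(r"\*(MIN|MAX)LEN(\d{1,3})")            # *MINLENnnn / *MAXLENnnn
COUNT_RE = re.compile(r"\*(DGT|LTR|SPCCHR)(MIN|MAX)(\d)")  # e.g. *DGTMIN1
POS_RE = re.compile(r"\*(DGT|LTR|SPCCHR)LMT(FST|LST)")     # e.g. *DGTLMTLST

# Constructed sample policy: at least 8 characters, at least one digit,
# no digit in the last position, at least one special character, and the
# profile name may not appear inside the password.
SAMPLE_RULES = "*MINLEN8 *DGTMIN1 *DGTLMTLST *SPCCHRMIN1 *LMTPRFNAME"


def violates(rule, password, profile):
    """Return True if password breaks the single rule token."""
    m = LEN_RE.fullmatch(rule)
    if m:
        bound, n = m.group(1), int(m.group(2))
        return len(password) < n if bound == "MIN" else len(password) > n

    m = COUNT_RE.fullmatch(rule)
    if m:
        cls, bound, n = m.group(1), m.group(2), int(m.group(3))
        count = sum(1 for c in password if CLASSES[cls](c))
        return count < n if bound == "MIN" else count > n

    m = POS_RE.fullmatch(rule)
    if m:
        cls, pos = m.groups()
        if not password:
            return False
        ch = password[0] if pos == "FST" else password[-1]
        return CLASSES[cls](ch)

    if rule == "*CHRLMTAJC":
        # The same character may not appear twice in adjacent positions.
        return any(a == b for a, b in zip(password, password[1:]))

    if rule == "*LMTPRFNAME":
        # The uppercased password may not contain the complete profile name.
        return profile.upper() in password.upper()

    raise ValueError(f"rule not handled by this example: {rule}")


def check_password(password, profile, rules=SAMPLE_RULES):
    """Return the rule tokens that password violates, in rule order."""
    return [r for r in rules.upper().split() if violates(r, password, profile)]


if __name__ == "__main__":
    # The incrementing scheme from the article, then a compliant password.
    for candidate in ("woodbury1", "woodbury2", "1woodbury#", "gr8#Harbor"):
        failed = check_password(candidate, "WOODBURY")
        print(f"{candidate:12} ->", "accepted" if not failed else failed)
```

Under a length-only rule such as `*MINLEN6` the incrementing passwords are all accepted, which is the behaviour the new tokens are meant to end.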


In addition to thwarting users trying to sneak around the organization’s password policies, these new password controls let administrators set operating-system password rules that are consistent with rules available in most network-password controls, making it easier to manage passwords across the enterprise. Once you move to i 6.1, look for the new password system values Block Password Change (QPWDCHGBLK), Password Expiration Warning (QPWDEXPWRN) and Password Rules (QPWDRULES) and the corresponding expiration-warning parameter on the Create and Change User Profile commands.

Auditing
Auditing the actions taken in user and system jobs is an invaluable feature of integrated i auditing. However, sometimes specifying a type of action to audit produces audit journal entries for actions that you aren’t concerned about or consider normal rather than an exception. To help you customize the information logged in the audit journal, IBM has provided subsetted actions. For example, in a prior release, IBM subsetted the *SECURITY value into eight subcategories. Now, instead of getting all entries that are generated when specifying *SECURITY, you can specify one or more of the subsetted categories (for example, *SECCFG and *SECRUN) and get only the entries that most security administrators want. This method avoids filling up your audit journal with entries you’re not interested in. Also in i 6.1, IBM subsetted the *JOBDTA auditing action into two subcategories, *JOBBAS and *JOBCHGUSR. For details on exactly what’s audited when specifying these values in the QAUDLVL system value, see Chapter 9 in the Security Reference manual (systems/scope/i5os/topic/rzarl/rzarl.pdf).

Another update to the auditing features can be found in the Change User Auditing (CHGUSRAUD) command. In prior releases, when IBM added the subsetted categories as possible values for the QAUDLVL system value, the subsetted categories weren’t supported on the AUDLVL parameter. Now, all subsetted values are supported, including the values introduced in prior releases and in i 6.1.

Authorities
One of the biggest frustrations of working with the IFS is the authority settings on files created using the Copy to Import (CPYTOIMPF) or Copy to Stream File (CPYTOSTMF) commands. In prior releases, administrators had no way to specify the authorities on the new files; therefore, the files were created with *PUBLIC authority and the primary group set to *EXCLUDE. The owner, which was the person running the process that created the file (versus having the group own the file), was given *RWX authority. Unlike other objects, the authority wasn’t taken from the directory in which it was being created. Now administrators have some options, among them to continue creating the file with the authorities as is done today or to take the authority from the directory the file is being created into. This enhancement helps eliminate much frustration, especially in the case where one person runs a process one day that creates a stream file and then the next day a different person runs it, deleting and recreating the file. Prior to this, the object’s authority or ownership had to be altered to let the non-owner run the process. With the capability to specify where the file’s authority comes from, administrators have several options for securing the file so that this process will work (e.g., you can use an authorization list to secure the file or grant the users’ group a private authority to the directory, which will then be granted to the new file).

Authorization lists are an efficient way to secure objects. Unfortunately, when securing objects in the IFS with an authorization list, administrators could never use a command to see the objects secured by the authorization list. Now they can use the Display Authorization List Objects (DSPAUTLOBJ) command and choose to send the information to an outfile. The outfile will contain the pathname of IFS objects secured with the list. Additionally, the number of objects that can be secured with an authorization list has increased from just more than 2 million to much more than 16 million.

Another enhancement that should save endless frustration is in the area of saving and restoring objects. Many administrators have found out the hard way that saving an

object (file, program, etc.) and then restoring it loses any private authorities users may have been given to the object. The only authorities restored were those kept with the object: *PUBLIC, owner, owner’s authority, primary group, primary group authority and the authorization list name. In i 6.1, if you have *SAVSYS or *ALLOBJ special authority you can specify to save the private authorities associated with the object. Then, if you have *ALLOBJ, the private authorities can be restored when you restore the object. No more lost private authorities!

Intrusion Detection Improvements
Introduced in i5/OS* V5R4, the Intrusion Detection System (IDS) feature detects attacks to and attacks being launched from a system’s TCP/IP stack. Updates to IDS are significant. The ease of configuring and managing this function has been greatly enhanced with GUIs available in both IBM Navigator for i and Systems Director Navigator for i5/OS. Additionally, more intrusions are being detected, as are extrusions (where the system is being used to launch an attack). And because the real value of this type of function is to be notified when attacks are happening so appropriate action can be taken, the IDS function now provides real-time notification. You can direct IDS to send a message to a monitored message queue, send e-mail notification or both. IDS is a great feature to enable, especially on critical production systems and systems acting as Web servers or otherwise directly connected to the Internet.

Encryption and Sanitizing
Encryption is required in some industries for compliance with regulations such as the Payment Card Industry’s Data Security Standards; it also helps avoid having to notify individuals under various state breach-notification laws. Realizing this, IBM has made several enhancements to its encryption support:
• For organizations wanting to use the IBM hardware crypto card, new interfaces for configuring and managing the card are available. The APIs provided with the card are, well, let’s just say, not the most user-friendly. The new command and menu-driven interfaces are a significant improvement in the usability department.
• In a prior release, IBM announced support for encrypted backups using a specific BRMS-managed tape drive. Now BRMS support has been expanded to include software encryption, not dependent on any specific hardware being in place.
• Another available encryption service is the capability to encrypt an entire auxiliary storage pool (ASP) or an independent ASP. This adds a layer of security, especially in a storage-area network environment. It’s also important if there’s a threat of having a disk drive stolen or if a drive fails and you don’t have an opportunity to wipe your organization’s data from it.

Administrators must plan carefully before embarking on an encryption project. Especially critical is to plan how the encryption keys will be created and managed. Without proper key management, you may be unable to restore your data. As part of your planning, you’ll want to carefully read the IBM information regarding saving to and restoring from encrypted tape backups as well as saving and restoring encrypted ASPs (i5os/topic/rzahg/rzahgbackup.htm?tocNode=int_215989).

One concern many of you have is to ensure no data remains on disks when they’re returned. Aside from taking a hammer to your hard drives, there’s been no way to assure your data couldn’t be recovered. IBM Disk Sanitizer for i5/OS, which meets the U.S. Department of Defense requirements, is now available via a PRPQ.

New System Values and Service Tool ID Reports
Some of the new system values and reports are sure to be popular with administrators. While the system values in previous releases were a good idea, the feature in its original form was unusable by most shops. Before, the Limit Device Sessions (QLMTDEVSSN) system value allowed administrators to limit how many sessions a user could sign onto at once. The old settings—on or off—allowed one session (on) or unlimited sessions (off). This feature was rarely turned on because most business users needed at least two sessions to perform their jobs. In i 6.1, the system value provides granularity. Administrators can limit the user to one to nine sessions or allow unlimited sessions as before. The user-profile override for this system value (the LMTDEVSSN parameter on the Create and Change User Profile commands) also allows this granularity.

IBM created service tool IDs a few releases ago to help control which users can access service tools. Unfortunately,


until i 6.1 the only way to see these users was to go into either System Service Tools or Dedicated Service Tools. In i 6.1, IBM added the Display Service Tools User ID (DSPSSTUSR) command, letting you list the service tool IDs that have been created along with their privileges and status.

Something for Everyone
The security enhancements provided with i 6.1 are impressive. While many of you may dread retranslating your programs during the i 6.1 upgrade, this step ensures that no user-written programs are masquerading as IBM programs. This, along with several other integrity enhancements included in this release, helps give us confidence that we’re working on one of the most securable systems in the marketplace. From new function to enhanced integrity to updated features, i security has something for everyone.

Carol Woodbury, an IBM Systems Magazine, Business Systems edition technical editor, is president and co-founder of SkyView Partners Inc., a company specializing in security policy and compliance software and services. She’s a system-security expert, noted author and award-winning presenter. Carol can be reached at

Jazz Up Your Software Management
Discover IBM Rational Application Lifecycle Management Software for i

By Kushal Munir and Sean Babineau

IBM* Rational* software helps organizations govern, automate and integrate software delivery using what’s known as the IBM Rational Software Delivery Platform. This platform provides a multitude of products, services and best practices that have helped organizations throughout the years manage the software delivery cycle for on-time, high-quality delivery. While many organizations using Microsoft* Windows*, UNIX* and Linux* platforms have known the value of the Rational Software Delivery Platform for some time, it’s been a well-kept secret among IBM i developers. This comprehensive, open, modular and proven solution can also help the business software developer using RPG and COBOL on i.

This article provides an overview of four application lifecycle-management products that you can use for both native development and application modernization on i: Rational ClearCase*, which provides software configuration management capabilities; Rational ClearQuest*, for software change management; Rational Functional Tester, for automated functional and regression testing; and Rational Team Concert, a new, exciting product for collaborative software delivery.

Change and Release Management
Rational ClearCase is an industry-leading solution that enables you to effectively manage and control your software assets, including RPG and COBOL code. It’s a client-server application where the server provides a repository to store and control versions of your software assets. Using a combination of ClearCase and Rational Developer for i (RDi) Version 7.1 or WebSphere* Development Studio Client for i Version 7.0, which provide edit, compile and debug capabilities for RPG and COBOL applications, you now have sophisticated version-control capabilities that will help you manage source members and other objects (through save files) across the software-development lifecycle. As a developer, you check out a particular source member from the ClearCase server, make changes in the integrated development environment (IDE), compile and test your changes and, when you’re satisfied that they’re correct, check those changes back into the repository, where they become visible to team members. If a problem arises, say as a result of a broken build, you can go back and obtain the change history of the artifacts that may have caused it, allowing for quick identification and possible resolution.

You can use the ClearCase software to set up personal workspaces and enable seamless access to the exact members and objects you need. This is useful if, for example, you’re maintaining an older release of your software while working on a new release. You can also optionally use ClearCase to perform parallel development, which lets multiple developers work on the same code or release simultaneously.

ClearCase provides state-of-the-art tooling that includes automatic branching, advanced merging and differencing technology to easily resolve conflicts. Parallel development can make teams more productive, as developers don’t have to wait for others to complete their work before being allowed to change artifacts. The product also lets you continue

development while disconnected from the network and easily synchronize your changes to the repository when reconnected.

One of the best features of ClearCase is the capability to do activity-based change management, where you can define and manage related changes to assets as activities. You can later query the changes that were made for a particular activity, say a bug fix or a new feature. In addition to local and remote (WAN) access, ClearCase provides client access through the Web. A significant benefit of using ClearCase is that it lets you produce audit trails that trace the origins and details of changes made to software assets to help meet regulatory-compliance requirements. ClearCase is highly scalable and suitable for use by small as well as large, geographically dispersed teams.

Rational ClearQuest is a comprehensive change-management tool that lets your organization or department automate repeatable and enforceable processes for software development. The product provides defect, feature and change tracking to help you resolve and indicate the status of problems or new enhancements. ClearQuest also enables you to produce real-time reports for various metrics to check project health. (How many defects have been fixed in the last month? Are we implementing feature requests as planned? And so on.)

ClearQuest provides out-of-the-box workflows for defects and features to help you indicate status at a given time. You can add comments to defects and feature requests and attach any other relevant collateral, such as screen shots or documents.

For a simple example, suppose a tester finds a problem with your application. Using ClearQuest, the tester can open a defect, add some comments describing the problem, attach a screen shot of the problem and assign the defect to a developer. The developer can be automatically notified via e-mail that a new defect has been opened. The developer looks at the defect information provided by the tester, fixes the problem and changes the state of the defect to indicate that it’s fixed. At this point, the tester runs the test again for the application with the supposed fix, and can either close the defect if the test passes or reopen it if the problem persists. Anytime the state of the defect changes, the relevant team member (developer or tester) is notified by e-mail. This kind of automated process tracking and notification can improve your team’s productivity and the quality of your development assets.

Quality Management
The Rational brand has several solutions to help improve your effectiveness for quality assurance with automated or manual testing.

IBM Rational Functional Tester is an automated testing tool for Web- and GUI-based applications (Java* and .NET). With Rational Functional Tester, you can record interactions with the GUI that can be automatically played back later to validate the test. As you record the interactions, you can insert verification points to validate your application’s output to the UI. The recordings generate scripts in Java, which you can edit to customize—for example, to group a set of repetitive actions into a common function for reuse and easy recalibration when the application changes. When you run your automated tests in playback mode, the test results for your verification points get recorded in an HTML-based test log.

IBM Rational Functional Tester Extension for Terminal-based Applications is an extension product to Rational Functional Tester. Rational Functional Tester Extension adds the capability to automate testing for applications that have a 5250 or 3270 terminal UI. It includes an emulator from which you can record keystrokes entered to drive the execution of your green-screen application and add verification points to select which areas of the screen you want to validate to determine the correct execution of the test. You can exclude parts of the screen that may be unpredictable, such as time or date, and validate generically based on regular expressions, which Rational Functional Tester Extension helps you generate. The test scripts are similarly generated in easy-to-read and easy-to-edit Java.

Sometimes, automation of test cases is infeasible. IBM Rational Manual Tester lets you organize, document and guide test execution. If you’ve ever documented the sequence of steps for running a test, you already know there’s a lot of cutting and pasting for sets of commonly repeated actions. And when things change, you have to update all of the places where you’ve copied and pasted these steps. Rational Manual Tester lets you reuse the documentation of these steps so you can update all of these common actions in one place. It also acts as a guide to running your tests, so you can have a window displaying what to do for each successive test step as you’re executing the test, and where you can indicate success or failure for the test run.

IBM Rational Performance Tester is a product for load-testing Web applications. Let’s say you’re about to put your new Web application into production, but you want to make sure it remains responsive and available with up to 10,000 concurrent users. You can employ Rational Performance Tester to simulate this workload, by executing scripted browser interactions through agents deployed on one or more PCs. Rational Performance Tester then collects statistics on the response times experienced by these simulated users. Like Rational Functional Tester, Rational Performance Tester interfaces with the Web application through a browser, so it doesn’t matter
(continued on page 62)

                                                                            Quarter 3/2008   IBM SYSTEMS MAGAZINE, ASIA PACIFIC EDITION   

Greener, Leaner

How Project Big Green is helping make data centers more efficient

By Shirley S. Savage

Illustration by Matt Collins

After only a year, clients are already reaping the rewards of IBM Project Big Green, a program designed to help companies boost the energy efficiency of their IT operations, through IBM innovations for the data center. Now IBM is set to help companies take those energy-efficiency innovations into areas beyond the data center. Not only will companies be able to see improvements in other areas, but they’ll also gain tangible measurements of their success. Welcome to the next phase of Project Big Green.

With oil priced at more than $100 per barrel and natural gas at more than $10 per million British thermal units, energy costs are voraciously eating away at companies’ revenues. Since IT is a huge consumer of energy, a more efficient data center can put IT on a much-needed energy diet. If every data center in the world went green, the results would be astonishing. A mere 20-percent improvement in efficiency would reduce energy consumption by 35 billion kilowatt hours.

Curbing Energy Use
Project Big Green is “IBM’s effort to improve the energy efficiency of its IT infrastructure,” says Rich Lechner, vice president, IBM Systems and Technology Group, who has overall responsibility for IBM’s energy-efficiency initiatives. “It’s a broad portfolio of offerings that gives a holistic approach from the facilities level through systems and virtualization with an eye toward energy optimization.”

                                              “Some clients are seeing total
                                             energy reduction within the data
                                               center of 75 to 80 percent.”
                                         —Rich Lechner, Vice President, Systems and Technology Group, IBM

Energy optimization is one diet method that will curb IT’s ravenous appetite for energy. In a data center, 55 percent of energy used goes to power and cooling with 45 percent used by the IT load. IT resources use 70 percent of the energy for power supply, memory, fans, drives and other resources while processors use 30 percent. Meanwhile, utilization’s resource-use rate accounts for 20 percent of the energy used while a whopping 80 percent is idle.

Project Big Green addresses all of these areas. For the data center, it can help companies understand energy use and find opportunities for improvement. For IT resources, Project Big Green will assist in planning, building and upgrading to energy-efficient data centers. Control over utilization can be achieved by implementing energy management and virtualization.

According to Lechner, to date, more than 2,000 customers worldwide have improved their IT energy efficiency through Project Big Green. “A number of clients have achieved measurable results,” he says, “including floor-space reduction as great as 80 percent and energy reduction on an average of 40 percent, although some clients are seeing total energy reduction within the data center of 75 to 80 percent. They’re seeing the utilization of their assets—servers, storage and networking—triple, and in some cases quadruple, over the previous environment.”

The organizations that have put Project Big Green into practice, and found the benefits of energy efficiency, span a range of industries, proving the concept will work for any business. The list includes the University of Pittsburgh Medical Center, Hannaford Bros. Co., Nationwide, Threshold Animation Studios, AISO.Net, Bryant University and PG&E Corporation.

Leading by Example
A keystone to IBM’s commitment to energy efficiency is its own program to boost compute capacity with no increase in energy consumption. The company expects to see an annual savings of 5 billion kilowatt hours through its efforts. Additionally, IBM’s actions will help avoid 2.5 million tons of carbon-dioxide emissions annually. That’s the equivalent of taking 1 million automobiles off the road.

“IBM made a commitment that the company was going to double the compute and data capacity between 2007 and 2010 without increasing our consumption or environmental impact,” Lechner says. “We’re realizing the benefits we projected.”

Those benefits include opening a state-of-the-art green data center in Boulder, Colo. The data center has an energy-efficient design and construction and features a high-density computing system that uses virtualization and IBM’s Cool Blue* portfolio of energy-efficient power and cooling technologies. IBM also has made a series of energy-efficiency improvements at its Southbury, Conn., data center and has applied for energy-efficiency certificates associated with that project.

Consolidation plays a huge role in IBM’s energy-reduction plan. “We’ve embarked upon the largest server-consolidation project in the world by consolidating 3,900 x86 and UNIX* systems onto just 33 IBM System z* mainframes,” Lechner says. The company looks to save $25 million in energy costs through the consolidation, which it expects to complete in December 2009. As of June, “we’re on track to achieve that date,” Lechner says.

Adding Enhancements
Project Big Green was designed to cover five major areas: diagnose, build, virtualization, liquid cooling and active energy management. Since May 2007, “we’ve made enhancements in each of those areas,” Lechner says.

In the active energy-management area, IBM now offers the capability to monitor and manage not only servers, storage and networking devices, but also facilities equipment such as air conditioning, lighting systems and chillers within the data center. This area is being realized by IBM’s work with several partners, such as American Power Conversion and General Electric Co.

In May, IBM announced that active energy management is being extended “beyond the data center boundaries to include other elements of the facilities such as lighting systems outside the data center area,” Lechner says. That’s an exciting development that opens up new opportunities for customers to boost energy efficiency in their facilities.

Enhancements in the build area encompass new, highly efficient servers, such as the System z10* mainframe and the POWER6* processor system with advanced virtualization capabilities.

Looking at cooling, the new generation of IBM’s rear-door heat exchangers is a stunning innovation in terms of technological development and energy savings. “The first generation extracted 60 percent of the heat generated by a rack of servers right at the source,” Lechner says. “The new generation extracts 100 percent of the heat at the source. In theory, you could deploy these servers with no need for air conditioning.” Eliminating the need for air conditioning would yield a substantial cost savings for many companies.

Other innovations include advances in IBM’s storage and server virtualization offerings. Additionally, the company recently introduced WebSphere* Virtual Enterprise, which expands virtualization into the application area, improving application efficiency in terms of energy use. “We’re enhancing the portfolio in every dimension,” Lechner says.

Emphasis on Eco-Responsibility
Improving energy efficiency is now a necessary part of a company’s corporate responsibility. Today’s responsible business is a green one and takes into account the financial, operational, social and regulatory drivers that influence green decision making. Becoming an eco-responsible company certainly makes a positive impact.

On the financial side, more efficient energy use translates directly into cost savings. Every dollar saved on energy will spur another six to eight dollars of operational savings, Lechner says. On the operational side, IT innovations let companies achieve more computing performance for each kilowatt hour of energy used. From a social and regulatory standpoint, companies that proactively address energy challenges and show verified energy conservation measures can gain stature in the eyes of customers.

Project Big Green was envisioned to address all of these facets of an eco-responsible business. When the program was launched, “one of the primary drivers for customers was operational,” Lechner says. “Customers couldn’t deploy new server or storage technology because they couldn’t get more energy into the data center or they couldn’t dissipate the heat that was already in the data center.” The other primary driver was financial issues. These include rising energy costs and the fact that compute and data capacity doubles every 12 to 36 months, increasing IT needs and their associated energy costs.

Providing the Proof
Those drivers continue to be important and they’ve been joined by social and environmental responsibility drivers. “Customers want to put in place energy-efficiency commitments and carbon-footprint commitments in response to pressure from their employees, their customer base, from their shareholders and from regulatory bodies,” Lechner says. These stakeholders want to see proof of a company’s eco-responsibility.

In response, IBM has introduced the industry’s first corporate-led initiative where clients can earn energy-efficiency certificates for improvements to the IT infrastructure in their data centers. To receive the certificates, a company’s reduction in energy use will be verified by Neuwing Energy Ventures, a leading verifier of energy-efficiency projects. The Energy Efficiency Certificate program was launched in the United States in November 2007. As of April, the program has proved so successful that it’s in the process of expanding to more than 25 countries around the world, according to Lechner.

That’s not the only way IBM is helping clients achieve measurements of energy-efficiency success. In April, it announced the availability of a customer energy-efficiency assessment tool. The tool was developed by The Bathwick Group, a well-known benchmarking company. “The tool is already generating results,” Lechner notes. “It allows clients not only to assess their own energy efficiency but also to compare themselves against others.”

IBM is also rallying its business partners to the cause of energy efficiency. This is another example of how Project Big Green is growing organically to encompass all areas of the IT industry. “We’ve had the chance to work with a large number of business partners to expand our reach with Project Big Green,” Lechner says. In April, “we announced a business-partner program with a specialty around energy efficiency to enable our partners to engage with clients in the same holistic fashion.”

The expansion of the program holds a great deal of promise for companies looking to be more eco-responsible. “IBM is significantly expanding the scope of Project Big Green to allow clients to address a much broader portion of the IT infrastructure, not only in the data center but beyond its walls,” Lechner says. “The issue of social and environmental responsibility and regulatory pressure is increasing and clients need to be thinking about how to develop programs that can be monitored and verified. IBM can help them do that. The energy-efficiency certificate program is a great way to get started.”

Seeing Green
No matter what your company’s current state of energy consumption, Project Big Green can help trim energy use and boost the bottom line. From the financial, operational and social aspects of your business, the need to be green has never been more important. IBM recognizes that today’s energy challenges are just the beginning. As new demands arise, you can expect Project Big Green to develop innovations to help you successfully meet them. Project Big Green’s growth has just begun.

Shirley S. Savage, a Maine-based freelance writer, is the author of several management reports on technology and energy topics. Shirley can be reached at

Photo by John Barnett

Michelle Haskin, vice president and application specialist, says SpiritBank adopted a data-encryption program partly to preserve customer confidence.

A Spirit of

SpiritBank goes beyond regulations to avoid a data-loss nightmare

By Jim Utsler

I wrote an article about encryption recently, starting it off with scary stories and statistics about lost and stolen data tapes. It sent a shiver up even my spine, thinking that my highly personal and confidential information might fall into the hands of some dirty-deed doer who would steal my identity and buy a new car on my credit. (If it does happen, I hope they at least get a hybrid.)

Unfortunately, those stories are still creeping up in the press, and SpiritBank is one financial institution that isn’t taking chances. Indeed, SpiritBank has taken rigorous steps, using BOSaNOVA’s Q3 storage encryption appliance, to help ensure the security of its customers’ information.

A Scary Thing
The Tulsa, Okla.-based SpiritBank has been in business for more than 90 years, and remarkably, it’s still family owned (third generation). In these days of banking mergers and acquisitions, that’s quite an accomplishment—and one that’s paid off. The bank has 350 employees working in its headquarters and its 18 branches, which are in 12 markets in a mix of metropolitan and rural locations.

“If we lose a tape, we lose a tape. All we have to do is buy a new one.”
— Michelle Haskin, vice president and application specialist, SpiritBank

Following a path along I-44 in Oklahoma, the commercial bank operates in large cities such as Tulsa and Oklahoma City and smaller burgs such as Bristow and Cushing. “Because of this, we have a pretty diverse customer base,” says Michelle Haskin, vice president and application specialist with SpiritBank.

Running quietly in the background are two IBM* System i* servers, including a production 520 and a backup 820 (soon to be upgraded to a 520). The bank also has an IBM System Storage* Ultrium* 3 3580 tape drive for its daily, weekly and monthly tape backups. And, as with most financial institutions, it has several vendor-supplied banking applications, most notably Cardinal/400 from Cardinal Software. “That’s our primary app,” Haskin says.

SpiritBank was sending tape off into the wild in clear text before deciding to encrypt all offsite-bound tapes. The daily backups would go with a bank employee to one of the bank’s branches and be sealed in a vault. If the company needed to send tapes to the Cardinal office in Parsons, Tenn., to troubleshoot or diagnose problems, it did so via commercial carriers.

In both cases, however, the possibility that a tape might get lost or stolen always existed, opening the bank up to possible liability—and the potential for customer revolt.

“A loss of customer confidence would have as big an impact as any fine would, maybe even more,” Haskin says. “Once you lose that confidence, you can never get it back.” Although it had never misplaced a tape, it decided it didn’t want to take any chances, especially given data thieves’ increasing sophistication.

“Five or 10 years ago, that wasn’t really a concern. It was too expensive for people to purchase the proper tape drives and there was not nearly the number of conversion utilities back then that are available now,” Haskin says. “In addition, you had to have a System i server to read the tapes. Now, you can actually buy a tape drive off of eBay, hook it up to your PC and use conversion utilities to read a tape that was created on the System i server. In fact, you can find a video of someone proving just how easy it is on the BOSaNOVA Web site. It’s a very scary thing.”

Unfortunately, according to Haskin, many banks still don’t recognize the threat—or if they do, they haven’t taken any steps to address it. In fact, she says, “I’ve been in the data-processing area in the banking industry for 25 years, and sending tapes offsite in clear text was an accepted industry practice. It wasn’t until probably a year ago that you even heard people talking about the necessity of encrypting tapes. And even now, many companies, banks and financial institutions continue to send tapes via mail or shipping companies. And just because you have a tracking number doesn’t mean a tape won’t fall off the back of a truck.”

Reading the Headlines
Though the banking industry is getting closer to developing regulations that would require banks to encrypt their tapes, the only banking regulation so far regarding lost tapes is that the institution would be held financially liable for the lost data and must notify customers of the loss. Haskin says she fully expects “in the near future that encryption will be part of that regulation—or at the very minimum, be highly recommended by examiners.”

Up Close
Customer: SpiritBank
Headquarters: Tulsa, Okla.
Business: Commercial bank
Hardware: An IBM System i 520, an IBM System i 820 (soon to be upgraded to another 520) and BOSaNOVA’s Q3 storage encryption appliance
Software: BOSaNOVA’s Q3 storage encryption appliance setup software and Cardinal/400 from Cardinal Software
Challenge: Making sure the data on its backup tapes is secure
Solution: Using BOSaNOVA’s Q3 storage encryption appliance to securely encrypt backup tapes to be taken offsite

Already, there’s movement in that direction. The Gramm-Leach-Bliley (GLB) Act, for example, has set encryption guidelines for financial institutions, such as requiring them to at least consider whether “encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access,” is appropriate. GLB also suggests that if financial institutions think encryption might be beneficial in their particular cases, they must implement it.

Although there are no direct calls yet for encryption in the financial services industry, it’s sure to be mandated at some point. To its credit, SpiritBank decided not to wait for that mandate. It instead determined that the “risk wasn’t worth the cost justification,” Haskin says. In response, the bank brought its technology-steering committee, security officer and technology department together to chart a new safe-data course.

After assessing its own system vulnerabilities, SpiritBank found its most glaring problems were the unencrypted tapes. “Even though our daily backups were going only 10 miles to a vault in one of our branches, a lot can happen over the course of that trip,” Haskin says.

SpiritBank began looking at several software and hardware encryption solutions. In the end, it decided that the hardware route was the best way to go, assigning the encryption load to an appliance that would sit between the server and the tape drive, avoiding any potential server-performance hits. Additionally, Haskin remarks, “A hardware solution wouldn’t require us to make any changes to our backup script. Everything would simply run as it always had.”

After reviewing several options, SpiritBank asked BOSaNOVA for more information about the Q3 storage encryption appliance and eventually requested a demo model for testing. The entire testing procedure, according to Haskin, took only about an hour. This included installing the appliance, restarting the 820 and configuring the Q3 box on a PC. After running a backup on the 820, the company loaded the tape into the 520, which didn’t have a Q3 box attached to it and was unable to read the tape. “It was terrific,” Haskin recalls.

Secure and Flexible
Based on the success of that test, SpiritBank’s technology-steering committee approved the purchase of two Q3 units, one for the production 520 and the other for the backup 820. Once the Q3 devices arrived, it took only 30 minutes to put them into production, including installation, configuration, testing and then going live. “They were really easy to install,” Haskin says. “You load a program on a PC and set the encryption key—and that’s pretty much it.”

One important benefit of the Q3 solution was that the devices are married to the encrypted tapes they create, so even if another Q3 device is brought into the data center and attached to the System i platform, and an encrypted tape is loaded, the tape still can’t be read. This is true even if someone has the encryption key, because each Q3 device has a unique embedded chip that must match the associated data on the tape it encrypted.

As an added safeguard, BOSaNOVA supplies two chips for each Q3 device. Should users experience any problems with the original chip, they can simply install the backup chip and continue backing up as they had in the past. SpiritBank keeps the spare chips for its two Q3 units in separate vaults at two locations, ensuring even greater data security.

As of now, SpiritBank uses only one of the Q3 units, for its production server. When it replaces the 820 with the new 520, it will begin full box-to-box replication. (Because the 820 is maxed out, Haskin says, it’s used only to back up specific files. The company works with a disaster-recovery site in Texas to make sure it can recover from a system failure.) When complete replication between the System i boxes begins, the bank will create two sets of backup tapes, each protected by the encryption capabilities of the BOSaNOVA Q3 solution.

If the production box were to go down, SpiritBank can move the production Q3 to the backup box and load data from the tapes encrypted on the production system. SpiritBank can even take the production Q3 to its disaster-recovery site and restore from the production tapes there. If the disaster includes the Q3 device, Haskin can use the backup chip in a new Q3 box and still successfully recover. “This system is very secure, but also very flexible,” she says.

Sit Back and Relax
SpiritBank isn’t taking any chances, thanks to its encryption scheme, which comes due in large part to BOSaNOVA’s Q3 storage encryption appliance. “If we lose a tape, we lose a tape,” Haskin says. “All we have to do is buy a new one.”

SpiritBank can now send its tapes wherever it wants, without worrying about an open truck door or a determined hacker. And when the banking industry finally gets around to regulating the use of encryption, SpiritBank can simply sit back and relax as other companies scramble to obtain compliance. Now part of its spirit is a spirit of protection.

Jim Utsler, IBM Systems Magazine senior writer, has been covering technology for more than a decade. Jim can be reached at jutsler@

Loud and Clear

Widex Hearing Aid Company communicates better with clients so others will hear

By Jim Utsler

Photo by Michael Paras

If I weren’t using a computer to write this, it’s unlikely anyone would be able to read it. That’s because my handwriting is a mishmash of run-in cursive and block letters that most people—including sometimes myself—can barely translate. I might as well be a doctor, writing prescriptions that only the most talented pharmacists can decipher.

That was the issue Widex Hearing Aid Company had been facing. It was receiving written orders from audiologists (or “dispensers,” in the company’s parlance) for hearing aids that required frequent calls by the company’s customer-relations representatives to make sure what they were reading was accurate. Often, it wasn’t, with 10 to 20 percent of such orders having problems and requiring clarification.

To address this issue—and reduce the number of mail-in and telephone-based orders the company received—Widex decided to launch a Web site that would let dispensers place orders online. Not only would this reduce the number of errors and call backs, but it would also give dispensers the freedom to check on placed orders and keep up with the latest hearing-aid technology via technical papers.

Now, Widex has an end-to-end ordering solution, with every step of online—as well as handwritten and phone-in—orders being tracked by VAI’s (Vormittag Associates Inc.’s) S2K Enterprise ERP suite of business software. Thanks to this marriage between the company’s IBM WebSphere* Portal and VAI-based Web-enabled solution, Widex has dramatically reduced the volume of traditionally placed orders and, more

Widex’s Joe LaMonte says the company’s online ordering system helps get hearing aids faster to those who need them.

                                              Up Close
importantly, the number of                                                                              fed back into the system. This
errors it has to clarify.                     Customer: Widex Hearing Aid Company                       end-to-end order tracking lets
                                          Headquarters: Long Island City, N.Y.                          Widex’s customer-relations
Handwriting Lessons                       Business: Hearing-aid manufacturer                            representatives keep track of
Founded in 1956, the Long                 Hardware: An IBM System i 525 and an IBM                      exactly where orders are in the
Island City, N.Y.-based                   System i 270                                                  manufacturing and distribution
Widex is a large and well-                Software: VAI’s (Vormittag Associates Inc.’s) S2K             process, which they can then
respected manufacturer of                 Enterprise ERP suite of business software and IBM             share with their dispensers.
behind-the-ear (BTE) and                  WebSphere Portal                                                    Of course, this reliance on
in-the-ear (ITE) custom-made              Challenge: Reducing order errors and improving                customer-relations reps was
hearing aids for children and             turnaround time                                               crucial prior to the company’s
adults. In the case of the ITE            Solution: Integrating an e-business Web site with             Web-site deployment. Before
custom-made products, the                 its back-end order processing system to improve               the site went live, most orders
company receives orders                   customer satisfaction                                         were placed via either the
from dispensers and uses the                                                                            phone or mail. In the latter
specifications included to                                                                              case, handwritten forms
manufacture hearing aids that                                                                           accompanied the physical
fit a specific end-user’s ear.                                                                          ear-canal impressions. And
    As Joe LaMonte, executive                                                                           as LaMonte notes, “Doctors
director of information technology with Widex, explains,              often don’t have the greatest handwriting, and you can put
“When you have a hearing problem, you’ll go to an audiologist         an audiologist in the same boat. Sometimes, something they
who will help diagnose the issue. That audiologist will then          wrote wouldn’t be clear or the audiologist might check two
take an impression of your ear, which consists of putting foam        boxes on the order form when only one should have been
in your ear that conforms to your actual hearing-aid canal.           checked. In those cases, we’d have to call back to ask what
The dispenser will then send us that impression, which we             exactly they meant.”
use to make a 3-D image. The 3-D image is used to guide our             This type of back and forth had obvious consequences, most
lasers for actual manufacturing. Once that’s completed, the           notably a delay in order fulfillment. Considering Widex’s
electronics are inserted into the hearing aid.”                       work—helping the hearing impaired hear once again—these
    Widex has a sister company, Hal-Hen Company Inc., that            delays were becoming unacceptable. Widex needed a solution
offers a wide array of hearing-aid accessories, including for         that would help solve those delays, as well as other issues,
audiologists, testing equipment and other medical devices,            including the 40 percent of incoming calls that involved
and for end users, items such as batteries and cleaning               dispensers wanting to track their orders.
products. Hal-Hen is considered the world leader in the
manufacturing and distribution of these and its many                  error Corrections
other hearing-aid accessories.                                        In 2005, the company began looking for alternative order-
    Supporting Widex is an IBM System i* 525 and a System i           taking methods, realizing that phone calls and handwritten
270. The 525 hosts VAI’s S2K Enterprise ERP suite, which,             notes simply weren’t the way to continue doing business.
LaMonte says, “has been heavily modified.” These modifications        Widex approached VAI to help it find a way to let dispensers
were a necessity, given the industry in which Widex works. It’s       serve themselves and hopefully reduce errors and customer-
somewhat of a niche market with no shrink-wrapped products            service callbacks.
available. The modifications were made in conjunction with              The obvious answer was an online site where dispensers
Widex’s programmers and those from VAI.                               could log on and place orders. Using this model would eliminate
    “We have a custom program that configures the multiple            hard-to-read notes, double-checked boxes or misunderstood
variations of a hearing aid,” LaMonte explains. “If you check         directions. Instead, dispensers would be able to use a system
a specific box, three other options might open up. If you check       similar to what Widex’s internal employees had already been
one of those, two more might open up. So we have a very               using in the modified VAI system, complete with check boxes
high-end configurator that we’ve customized, which keeps              and automatic error corrections.
everything fairly accurate in the ordering process.”                    Working with VAI programmers, Widex began the process of
    Once a BTE or ITE order has been configured and locked into       building a site that would integrate with VAI and automate the
the VAI system, the designing and manufacturing processes             order flow, from initial order placement to order manufacturing
begin. When an order is completed, that information is then           to order fulfillment. To help make this happen, the company

brought IBM WebSphere Portal into the mix, which would not only act as the site’s front end, but also tie the site into VAI S2K.

“We liked the content-management piece of WebSphere,” LaMonte says. “And the scalability and flexibility the solution offered seemed to be the way to go. After all, our industry changes rapidly, between products and technology, and everything we needed for this online solution had to be just as flexible as we are.”

After five months of intensive collaboration between VAI and Widex, the site, dubbed widexPro, finally went live in April 2006. Since then, workflow has changed quite a bit.

“Because the logic behind our in-house ordering system was so complex, we didn’t want to have to reinvent the wheel,” LaMonte says when explaining that the online-ordering process is similar to the former manual, form-based process, but with error-correction checks put in place. As he puts it, “The only real difference is that it’ll prevent any kind of conflicts in the order. On the forms, people could check two boxes incorrectly, not knowing you can’t have both, like two left hearing aids or two right hearing aids. The online system will simply reject that.”

Once an order’s placed on the Web site, a work order is generated. When the company receives the foam ear-canal form from the dispenser, that work order is sent to the manufacturing floor, where work begins on the modeling and manufacturing of the hearing-aid device. After the device is completed, it’s shipped to the dispenser so he or she can program it and give it to the patient to use.

Meanwhile, the dispensers can check on the status of orders, including whether orders have simply been received and are waiting for the mailed ear-canal model, if orders have been pushed to manufacturing, or if orders have been fulfilled and are on their way to the dispensers.

This has had a dramatic impact on the number of incoming calls. “They can check on order status—if it’s been shipped, what the tracking number is—all on the Web site,” LaMonte notes. “This has really cut down on calls, although we’re always available to our dispensers, no matter how they want to contact us.”

Dispensers have their own logons, ensuring the security of their order information. When they visit the site, they must enter a unique identifier and password to access the system. Dispensers can even determine who in their offices can access widexPro. “We have extensive access control so people can only place orders, or only view orders, or send things in for repair, or just access the informational parts of the site, like our Knowledge Center,” LaMonte says.

This Knowledge Center contains a wealth of audiologist-related materials. For example, it houses information pertaining specifically to pediatric hearing care. Users can also get information about Widex’s latest offerings and sign up for seminars or training sessions sponsored by Widex. Training is based on geographic location, so dispensers in the New York area, for example, will be shown all of the seminars and training sessions within that region.

And they can do all of this around the clock, not just when Widex is open for business and people are answering the phones. Audiologists who are busy all day with patients can log onto the site from home, place orders, check on the status of orders and sign up for seminars. “This gives our dispensers a great deal of flexibility,” LaMonte says.

Helping the Helpers

Although Widex had a static Web site in the past, it was more of a marketing tool than anything else. Since collaborating with VAI, however, that site has taken on new life, giving its customers a better, more accurate and quicker way to conduct business with Widex. As LaMonte points out, “It used to take seven days to complete a typical custom-made order. Now, it’s down to three to five days. And rush orders are sent out in 24 to 48 hours.”

Given the company’s superior-service credo, this increase in expedience was a necessity. After all, Widex wants to make sure orders are placed, processed and completed properly—without deciphering handwriting or calling for clarification. Now that it has a near-foolproof way of doing so, Widex can help its dispensers’ patients get the tools they need to hear the world around them.

Jim Utsler, IBM Systems Magazine senior writer, has been covering technology for more than a decade. Jim can be reached at jutsler@

Exclusive Interview with Silverlake Axis: Celebrating 20 Years of AS/400 Success

Goh Peng Ooi, Executive Chairman
Dr. Raymond Kwong, Managing Director

IBM i: Silverlake has been a pioneer Solutions Provider on the IBM i platform. Can you let us know about Silverlake’s beginnings and relationship with the AS/400 platform?

Goh Peng Ooi: While I was in University of Tokyo, my professor was especially interested to know more about the ‘Future Systems’ project and when I joined IBM, I was marketing and selling the S/38 solution. In 1988, I saw the co-relationship among business applications, AS/400 and Group Theory. I started Silverlake by sheer coincidence, with the help of Bill Osborn, Jim Clevenger and others from an American company. Based on the above, I have never had any doubt that the solution should be based on AS/400, even more so now that we had managed to prove that for very large applications, the most efficient and effective platform is the AS/400 (later evolved to iSeries, System i and POWER platforms).

IBM i: The name Silverlake was the code name of the AS/400 before it was launched in the market. Is there a connection between the two?

Goh Peng Ooi: It was a serendipitous coincidence that my professor was very interested to know about the Future Systems project as I was selling the S/38 solution. The code name for AS/400 was Silverlake, and our associates in the US were also using the name Silverlake. Since a strong connection was forged with the Silverlake code name, I decided to adopt Silverlake as the name of our company.

IBM i: The AS/400 platform was invented 20 years ago and has had tremendous changes in technology to what it is today. Have you experienced any impact in your application due to the changes? How have you optimized the i5/OS Operating System?

Goh Peng Ooi: I like to use the word symmetry since we can roughly unify the last one hundred years of mathematics of composition and physics as symmetry. AS/400 is symmetrical to our application, and vice versa. As AS/400 gets more and more powerful, we benefit from that growth without having to invest heavily to revamp our application. This is one property of symmetry. It allows us to focus on our own research, which is ‘Business Process and Strategy On Demand’ (BPSOD), based on Category, Group, Representation and Coxeter System without having to worry about the underlying platform evolution and changes. In other words, both sides of the symmetry grow tremendously without disturbing each other, in fact, they complement each other.

Dr. Raymond Kwong: Over the last 20 years we have continuously improved our application and optimized on the i5/OS to meet the mission critical demands of our customers who have grown to be some of the largest financial institutions in Asia. Our large enterprise customers are running our application on i5/OS serving tens of millions of customers and transactions every day. In collaboration with our customers, we have benchmarked on i5/OS to support hundreds of millions of customers and transactions.

Mission critical businesses, now and in the future, are seeking an invariant and customer responsive platform for enabling profitable growth and continuous innovation. Silverlake applications running on the IBM i platform is the answer.

IBM i: You have a choice of Hardware, Operating System and Middleware platforms to choose from. But Silverlake has always relied on the core IBM technology in the iSeries and i5/OS Operating System. Can you explain the benefits you have seen with this for you as a company and to the customers you serve?

Goh Peng Ooi: Based on our Coxeter Visualizer, we were able to prove that mission critical business process applications like Banking, Insurance, Capital Market, Provident Fund, Airlines, etc. are best built on iSeries and i5/OS. Mission critical business process applications need on-demand characteristics, that is, predictability, understandability, accuracy, clarity, traceability, reviewability, scalability, transparency, upgradeability, maintainability, continuous improvability, consistency, reliability, repeatability, etc and at the same time, economy.

All these qualities require seamless integration between the platforms and applications, to achieve perfect symmetry.

That was the reason why we started with AS/400 and never looked back. We are grateful that our customers are willing to listen to our advice and work collaboratively with IBM and us. We believe that in return, we have delivered tremendous benefits to our customers all these years. This is proven by the fact that all our customers have continued with our mutually beneficial relationships throughout the last nineteen years.

IBM i: Silverlake is recognized as the leading provider of Core Banking solutions in Asia Pacific and Worldwide. Do you have solutions on other Industry verticals?

Goh Peng Ooi: We are better known in the Banking Solution space, but the truth is that our solution is based on our Business Process and Strategy On Demand (BPSOD) platform applicable across all businesses. Using this platform, we have composed solutions for Banking, Capital Markets, Insurance, Provident Fund, Airlines, etc. By using the platform repeatedly, we were able to build new and increasingly complex business solutions in a very short timeframe, yet enjoying all the attributes of the mission critical operating platform.

IBM i: IBM announced the POWER6 processors on the POWER platform and V6.1 of i5/OS. How have you benefited from this?

Dr. Raymond Kwong: The mainframe-class reliability, availability and scalability offered by the IBM Power platform and V6.1 of i5/OS will help ensure Silverlake customers are able to support their growth objectives rapidly and cost effectively. This will enable us to continue to serve our existing customers’ drive and new customers’ need for Business Process and Strategy On Demand solutions.

Since the launch of the POWER platform and V6.1 of i5/OS in April of 2008, one of our largest customers has seamlessly migrated to POWER 595 to support their rapid organic business expansion and planned future growth through mergers and acquisitions.

IBM i: Many Banks in Asia Pacific have benefited from Silverlake’s core banking solution. What is your recommendation for other Banks?

Goh Peng Ooi: A large part of business success depends on the organization’s business processes. Our first customer had a total number of about 10,000 business processes. Today, we see some of our top customers moving across 150,000 business processes. We do not see how the ‘traditional’ approach of seeking ‘requirements’, followed by building and modifying code or adjusting parameters can satisfy such complexity. Our opinion is that some of our customers are going to move ahead and defeat their competitors in Asia Pacific, due to their business process efficiency and effectiveness. While it is true that the competitors may not immediately perceive this as a ‘life and death’ issue, our opinion is that by the time the pain is felt, it would be too late for a cure.

IBM i: Do you have any recommendation for solution providers looking at the IBM i (POWER Platform) and i5/OS as their operating environment?

Goh Peng Ooi: Firstly, our opinion is that the IBM i and i5/OS are great for business processes. Any organization with a large number of business processes should seriously consider the adoption of IBM i.

Secondly, we believe that the so-called ‘software business’ is transforming very quickly, and the only way forward for all of us is to conduct serious research or work very closely with our customers. We are executing on both initiatives.

IBM i: Last question: Mathematics, Banking and Silverlake – What is the connection?

Goh Peng Ooi: I have always been interested in the mathematics of composition, especially on Fischer 3-Transposition, since its ‘anti-theorem’ quietly unifies Category, Group, Representation and Coxeter System.

We developed the ‘Business Process And Strategy On Demand’ (BPSOD) tool based on these concepts. Using this tool, we generated our Silverlake Integrated Banking System (SIBS). We just went into alpha on our Coxeter Visualizer, which in one or two years, will auto generate IBM i (AS/400) codes. The Coxeter Visualizer was able to prove that there is a one-to-one relationship between our application to any business process, irrespective of whether it is banking, insurance, capital market, airline, utility, etc applications. We also proved that these solutions are best built on IBM i. While it may appear at first to be unrelated to business, in my opinion, the Fischer 3-Transposition is not only related to business processes, but also to human and natural processes.


Customer’s testimonial
A look at customer’s successes and achievements

PT Bank Bumiputera Indonesia, Tbk

Synopsis: A consumer bank in Indonesia strengthens its core banking platform and secures a comprehensive backup plan when it teams with IBM upgrading to IBM System i from an outdated banking platform.

Location: Jakarta, Indonesia

Industry: Banking

Customer Background

PT Bank Bumiputera Indonesia, Tbk. (Bank Bumiputera), was founded in 1989 as a wholly owned subsidiary of AJB Bumiputera 1912, one of the oldest mutual life insurance agencies in Indonesia. Originally founded as a corporate bank, the organization migrated to direct consumer banking during the Asian banking crisis of the late 1990s. As of July 2002, the bank is a publicly held organization.

Business Need

To remain a leader in a highly competitive industry, Bank Bumiputera sought a way to strengthen its IT systems and infrastructure. The bank had been relying on an outdated banking platform that it had implemented in 1996 from a local software provider. The system, based on the RPG programming language, was hosted by Jakarta, a local IT vendor. While a reliable platform, the system lacked the ability to easily accommodate new business demands and, due to extensive customization, required a great deal of time and effort to maintain. The bank decided to replace this platform with a more flexible infrastructure.

In the midst of this upgrade, the bank also saw an opportunity to better protect its mission-critical financial systems. Previously, the organization had lacked any type of disaster recovery strategy, meaning that in the event of a local outage or emergency, all bank operations would cease to function. The organization realized that its lack of a disaster recovery plan placed its internal operations and the finances of its customers at great risk.

Solution

Working with IBM Global Technology Services, the Bank Bumiputera implemented a new core banking platform developed by IBM Business Partner Silverlake Corporation. While the team from Silverlake Corporation configured and installed the new core banking applications, the IBM Global Technology Services team facilitated the underlying infrastructure’s ability to adequately support the new platform.

As the availability of the applications and protection of financial data was also a concern for the bank, the IBM team developed a dual-site disaster recovery system for the banking applications. Both the client’s production site and its recovery facility are located in Jakarta, Indonesia. The core of the bank’s backup strategy is an IBM TotalStorage 3580 Tape Drive Express device. The client also uses the tape library to host its banking data.

Benefits of the Solution

Thanks to the support of the IBM Global Technology Services team, Bank Bumiputera has been able to strengthen its core banking platform and improve efficiency by upgrading to IBM System i, utilizing two IBM System i 550 platforms. The new system offers users a flexible, intuitive platform that simplifies operational tasks as well as system management. In addition, the organization anticipates that the new disaster recovery solution will offer increased stability and security for its banking operations. And thanks to these improvements, the bank is confident that by 2010 it will reach Anchor Bank status - a designation that indicates the organization has the capacity to expand its market share without compromising banking principles and that will enable the bank to remain an independent entity under the consolidation efforts of its parent company.


Barbecue Plaza Co., Ltd., Thailand

Synopsis: A company that operates several highly successful restaurants in Thailand achieves inventory efficiency gains and prepares for future growth when it deploys an SAP solution on an IBM System i platform.

Location: Bangkok, Thailand

Industry: Retail

Customer Background

Barbecue Plaza Co., Ltd. in Bangkok, Thailand, operates approximately 70 highly successful restaurants under the Bar B Q Plaza (Mongolian), Joom Zap Hut (Thai) and Fire Place (Japanese cuisine) names. The formula is simple: customers select and grill their own food and participate in the fun of the cooking process. Barbecue Plaza is one of the biggest restaurant companies in the barbecue and grilling category and is considered one of the largest casual dining restaurant chains in Thailand, ranked in the top ten restaurant chains both locally and internationally. From its start in 1987 with 30 employees, the company has grown significantly and now employs some 2,500 people.

Business Need

Until recently, Barbecue Plaza’s managers had been relying on manual systems to report on the business. Financial and inventory data was extracted from self-developed software, which by 2007 was almost 20 years old. Without up-to-date information, materials management at the central food warehouse was neither automated nor optimized, requiring more management resources than necessary. Neerada Choopojcharoen, business development executive, explains: “Previously, business knowledge and information were difficult to access; now, by systemizing the business, everyone can gain access to and share the information, and help us plan for growth. The time taken to produce reports limited our ability to identify efficiencies. In some cases, the system simply did not record enough detail. With plans to grow the business throughout the region, these were critical business issues.”

Barbecue Plaza selected the SAP ERP 6.0 application. The plan was to introduce accurate business forecasting, which would help reduce inventory levels and enhance financial controls and profitability.

“Barbecue Plaza selected SAP ERP software, providing the best fit with its restaurant business and readying the company for international operations,” says Neerada Choopojcharoen. “SAP software is globally accepted throughout our supplier and partner chain, making it an easy choice for Barbecue Plaza. However, as a relatively small company, it was important to find a way to make the transition rapidly and at low cost, so we could gain the benefits of SAP software quickly and easily.”

The next step was to consider the best way to introduce SAP applications to the company and to choose the best IT infrastructure. With long experience of the stability and reliability of the IBM System i platform, Barbecue Plaza chose an IBM System i 520 Standard Edition, with one active processor and one additional processor available on demand. The company engaged IBM to provide, install and configure its new SAP software, using IBM System i InstallOption for SAP Business All-in-One (formerly known as the “KOBI” process).

“With SAP applications on the System i platform, international expansion of the business is a real prospect, with systemized business processes and management.”
– Neerada Choopojcharoen, Business Development Executive

The solution would support around 40 users, initially at the headquarters office.

“The IBM System i InstallOption for SAP Business All-in-One process was essentially invisible to Barbecue Plaza,” remarks Neerada Choopojcharoen. “Our objective was to implement the right solution for the company quickly, easily and at low cost. The IBM team and SAP consultants were most impressive, and IBM System i InstallOption for SAP Business All-in-One delivered a complete SAP solution very rapidly.”

She adds, “IBM System i was clearly the best option for Barbecue Plaza, giving us a secure platform that is easy to manage. It was also very fast to deploy, thanks to IBM System i InstallOption for SAP Business All-in-One.”

Benefits of the Solution

For mid-sized companies such as Barbecue Plaza, a common perception is that SAP software requires a great deal of time, resources and budget just to install and make initial system preparations for full implementation. IBM System i InstallOption for SAP Business All-in-One consists of an installed and configured package of SAP software (development, quality assurance and production systems) and the IBM i5/OS operating system, with the most current patches applied, saved onto a tape media cartridge that offers fast installation, massively reduced implementation times and significantly reduced cost. IBM System i InstallOption for SAP Business All-in-One reduces the SAP software setup and preparation time from around four weeks to between just two and three days for a three-system landscape of SAP software development, quality assurance and production systems in two logical partitions of a System i5 520 Standard Edition. The methodology combines industry best practices and powerful hardware in one competitive offering - all out of the box.

IBM System i InstallOption for SAP Business All-in-One solution creates complete, configured images on tape that are shipped to the local SAP software implementer, ready for installation on the IBM System i platform - in this case, a System i 520 Standard Edition. The SAP software can be tailored using standard industry templates before it is saved to tape, which accelerates and simplifies the implementation process, enabling the software to be brought into productive use more rapidly.

Barbecue Plaza took advantage of the System i InstallOption for SAP Business All-in-One solution for the installation of a three-tiered SAP software landscape of production, development and quality assurance. The tape images were restored to two logical partitions of the System i5 520 Standard Edition, and after slightly less than three days of onsite work, the team had the System i 520 Standard Edition ready to support the full deployment of the new SAP applications.

In the past, large stores of food were held centrally and distributed when requests arrived from each restaurant. With the SAP applications, it will be possible to forecast demand more accurately and reduce central stores. With the control offered by SAP software, total inventory can be monitored more closely, and costs can be analyzed by brand and location.

Group inventory efficiency gains will be based on data captured from the restaurants. This will enable analysis of how each restaurant actually performs, producing a systematic picture of business performance.

Barbecue Plaza has been growing steadily for 20 years, and it is ready to expand internationally. Neerada Choopojcharoen comments, “The introduction of SAP software enables us to streamline our operations and create a more organized and well-documented process. We can now monitor and manage items such as inventory, restaurant turnover, profitability and productivity more effectively.

“With SAP software on the IBM System i platform, we now have a format that can be analyzed and prepared for rollout throughout the Asia Pacific region. We can now choose to expand using the franchise model, a completely new business option not previously available to the company. Having selected the System i 520 Standard Edition as the supporting infrastructure for the SAP software, we are certain that it is more than capable of supporting the new workload, and we can scale up quickly and easily as the business increases.”

The System i InstallOption for SAP Business All-in-One solution delivered a complete SAP solution landscape to Barbecue Plaza in a matter of a few days.

“Working with SAP software is quite a transformation for Barbecue Plaza,” says Neerada Choopojcharoen. “With SAP applications on the System i platform, international expansion of the business is a real prospect, with systemized business processes and management. The System i InstallOption for SAP Business All-in-One solution is ideal for ambitious companies such as Barbecue Plaza, and we look forward to seeing the solution grow with our business.”

                                                                           Quarter 3/2008   IBM SYSTEMS MAGAZINE, ASIA PACIFIC EDITION     
     System i application development

Extending RDi Using Plugins
By Joe Pluta

IBM WebSphere* Development Studio Client (WDSC) has recently been supplanted by the new Rational* Developer for i (RDi). By its nature as a superset of Rational Application Developer, WDSC is a full-featured development tool—so much so that it’ll be supported well into 2010.

RDi, on the other hand, is a much more focused tool—with some expected side effects. Benefits include a much smaller footprint, quicker load time and a generally snappier interface. However, there’s no room for extra features, so you might find yourself looking for a certain wrench that just isn’t in the toolbox. That opens up a new world of opportunity for you with plugins.

What’s a Plugin?

In the Eclipse world, the plugin is the basic building block of functionality. Eclipse itself is built of … In my seminars I tell folks that by itself, Eclipse is basically like Windows* Explorer, only not as smart. The workbench lets you create projects with no features, in which you can create folders and text files.

It isn’t until you install a couple of new features—the Java* Development Tooling (JDT) and the Plugin Development Environment (PDE)—that Eclipse starts to become a usable tool. That’s because now you can not only create complete client-side Java applications compliments of JDT, but you can also create and deploy plugins using PDE. And that’s the basis of the entire Eclipse movement—extending the workbench using plugins. In fact, JDT and PDE themselves are plugins.

Besides the plugins from the Eclipse project itself, literally hundreds of third-party plugins exist. A general word of advice: If a project has only one member and hasn’t had any activity since 2003, then it’s probably not something you want in your production environment. But you’ll need to go through this sort of vetting process for any free software.

And although you’ll find dead projects, you’ll also discover many outstanding, active projects. And one of these projects may just be the tool you need.

Installing a Plugin

Perhaps the trickiest part of the entire plugin paradigm is that it uses the standard Eclipse installation and upgrade process, which is completely different from the one employed by IBM’s Rational products. In fact, if you mistakenly use the Eclipse update process to update the Rational tool, you can render the tool inoperable. So take care when installing plugins. If you’re unfamiliar with the process, you may want to back up your RDi program files, although it’s usually not difficult to remove a plugin if you don’t like the way it affects your workspace.

Figure 1


In most cases, getting a plugin is easy: Download it as a ZIP file onto your PC and deploy it through the Help menu on the main workbench. Figure 1 (opposite page) shows how to invoke the Install/Update wizard. From the main menu, select Help>Software Updates>Find and Install.

In the Install/Update wizard, three basic steps (see Figure 2, below) should be the same for most plugins:
1. On the Feature Updates panel, select “Search for new features to install.” This option will update already installed options, which you should probably avoid until you’re comfortable with the process as you could accidentally update the core components and render the Rational product inoperable. Eventually, you’d use this to update your plugins, but let’s leave that for another day.
2. When the Update sites to visit panel appears, select the New Archived Site button. This indicates you’ve downloaded the plugin and have it available locally on your disk drive. This is the most common technique, but others exist, as we’ll see later.
3. A Browse button will appear that lets you search your hard drive for the plugin ZIP file. Locate it and then select “OK.”

After these three steps, the ZIP file will show up in the list of sites to visit, and it should be selected. Hit “Finish” to begin the installation process. (It’s a little confusing, but you get used to it.) What follows is a typical installation cycle: accepting licenses, verifying the components to install, etc. Once complete, you’ll usually be asked to restart the workbench.

Figure 2

What Sort of Plugins Are Available?

A wide variety of plugins exist. Some are specific to Power* Systems running i, such as the Arcad 5250 emulation plugin, which provides a green-screen emulation window inside the workbench. It’s free, but you have to register online with Arcad. Then you’ll be e-mailed a link to the plugin to download and install.

Figure 3

Now you can add a 5250 emulation session. The steps aren’t entirely intuitive, but once you’ve done it, it’s easy to remember. You can see the basic outline of the procedure in Figure 3 (below). First, create a project. Then, within that project, use the File>New option to create a new Arcad 5250 Emulator Session. Just specify the name and properties. (Big hint: Don’t change the extension on the file name—if the extension isn’t .5250, you won’t be able to open it.) Open it and you’ll have a nice emulator session like the one in Figure 4 (right).

Figure 4

You’ll find many other plugins as well. For example, SoftLanding has a nice one for displaying spooled files and messages, among other uses. Another fantastic plugin is the Quantum DB plugin, which is basically an SQL front end. This one isn’t IBM i specific, but because DB2* is an SQL-compliant database, it works well. I really like the data perspective in WDSC, but that’s no longer available in the slimmed-down RDi. Instead, you can get the Quantum DB plugin and get back most of the data-perspective features plus a few new ones.

What Else Can Plugins Do?

While plugins can make you more productive without much investment, there’s one hitch: You have to wait for someone else to write them. Since RDi is Eclipse based, an option at the other end of the time-investment spectrum is to write your own plugins. It’s not impossible and tutorials abound, but it’s labor intensive and requires strong Java skills.

However, a middle option exists, and that’s really the thrust of this article. The Eclipse Monkey tool has been incubating at the Eclipse site for a while. It’s part of a larger project known as Dash. The Dash home page has a link to an installation guide that looks very similar to the process I just outlined, with a significant difference: Instead of adding a new archive site, you add a new remote site, giving it a name and a URL. This instructs RDi to go to the Internet to find the plugin. It’s all quite automatic, sort of the Send PTF Order (SNDPTFORD) of the Eclipse world. Once it’s done, you’ll have a great new tool installed.

Monkeying Around With Eclipse

One of the first ways you can use this tool is as a powerful macro language. Eclipse Monkey lets you write functions in JavaScript*, which can access components made visible by the Monkey infrastructure. As shipped, Monkey provides easy access to most of the Eclipse Workbench, especially the editors. It’s easy to write simple JavaScript code that can go into an open editor window and make changes to the code. The following line of code returns the current active editor:

var editor = editors.activeEditor;

Eclipse Monkey scripts are invoked as menu options from the main menu. As part of the plugin installation, a new menu option named Scripts is added to the workbench. You add scripts to that menu simply by putting them into a specially named folder—the menu option used to invoke the script is identified in special comments at the beginning of the script, along with other attributes.

Code Sample 1 (below) is a simple example I wrote to spin through a marked section of RPG D-specs and change variables specified as type B to the preferred type, I. It’s pretty simple but shows off several features of the Eclipse Monkey package. For example, the second line of the comment block is a specially formatted line that lets you specify the menu that the script will appear in, as I alluded to earlier. If you only specify a name, the script will appear in the Scripts menu of the main menu bar. In this case, I specify a submenu of RPG and then a name of Fix D Specs (components of the menu structure are separated by the “>” symbol). To invoke this option, select menu Scripts, submenu RPG, option Fix D Specs.

Code Sample 1

I already mentioned the easy access to workbench components. The first line of the main() function gets the currently active editor. The next line then gets the selected range, which consists of the starting offset and ending offset. If no range is selected, both start and end point to the current cursor position. An editor function translates those into line numbers, which I then use to loop through the source file.

Inside the loop, I get each line using the reverse method, which converts a line number to an offset. I pull out the line and then check it. This code is a little confusing because I explicitly hard code some offset information; not only is the specification type the sixth character, but I also have to skip the date and sequence number information that’s at the beginning of every QSYS-based source member. That totals 18, but since JavaScript, like Java, uses a zero-based index for strings and arrays, the specification type is at offset 17. Sure, it’s a little confusing, but that’s the sort of thing we programmers are good at, right?

The rest of the code is pretty straightforward. If it’s a type D and not a comment (D in position 6, blank in position 7) and the variable type is B, change it to an I. This routine is by no means finished—it assumes the variable was specified with from and to positions. If it was specified with only length, the new I specs won’t be defined properly. But again, it’s meant more as an introduction than as a true working macro.

More Than Macros

Perhaps more importantly, once you get a little more versed in Java, you can write your own Java classes that can then make themselves visible to the Monkey scripting interface. This is a fast and easy way to write plugin-like code without learning the whole plugin architecture. They won’t be as tightly integrated into the workbench as a regular plugin; you’ll need to use the Monkey scripting mechanism to invoke your code. But that’s OK for now—once you’re fluent at writing the functional part of the plugin, you can learn the rest of the procedural aspects of the plugin-developing environment. I’m finding it an enlightening way to learn to interface with the various workbench classes, both those provided by the base Eclipse package and the Rational products.

I’ve already written a little class that lets me create a generic popup window to prompt the user for information that can help modify the source in the editor.

Figure 5

For example, Figure 5 (right) is a simple prompt to get the old and new procedure names for a procedure rename. Now, you might point out that this could be done using a search and replace. But if you specified the procedure name on a D-specification, chances are changing the name’s length would throw off that D-spec. (That’s not the case if the name was specified with three dots after it, but not everybody does that, especially for short names.) Or, the new procedure name might be longer than the old name and force a line to split. An Eclipse Monkey macro can handle these situations.

I’m just scratching the surface of the tool. Eclipse Monkey also has classes that let you open other files. These could be very useful; in the procedure rename case, it would be nice if the name of the procedure in the prototype were automatically changed. The next step would be to find all of the other source members that used that prototype, and then change them as well, and so on. I hope you can see how this simple tool could grow to be a real productivity booster.

I’ll continue to watch this and other plugin projects—Eclipse and non-Eclipse—to see how they might make RDi programmers more productive. Please let me know if you find any good ones.

Joe Pluta is the founder and chief architect of Pluta Brothers Design Inc. and uses WebSphere extensively. He performs onsite mentoring and speaks at user groups around the country. Joe can be reached at

Frank Soltis reflects on the 20-year anniversary of the AS/400

A Triumph of Hardwork
By Neil Tardy

Even IBM* Chief Scientist Frank Soltis, the father of the AS/400* server, admits he never expected to be discussing the business computer a full two decades after its unveiling.

“To think then that I’d be sitting here, talking about the 20th anniversary? It’s like, ‘Wow, that would never happen,’ ” Soltis says. “I don’t think any of us looked ahead.”

When he looks back on those hectic months leading up to the server’s introduction on June 21, 1988, Soltis still marvels at what the technologists at IBM Rochester accomplished. They fought for backing for a radical idea, they fought for their jobs and, along the way, they often fought one another. Ultimately though, the technology they advanced continues to run businesses worldwide.

As long-standing midrange professionals know, the business computer called the IBM AS/400 server evolved from two IBM products, the System/36* and the System/38* servers. If you think consolidating those two systems was challenging, imagine combining five. That was IBM’s plan in the early 1980s. In the interest of efficiency, the company wanted to combine all of its computing platforms—including System/36, System/38 and the mainframe—into a single system code named Fort Knox.

“It was one of those overly ambitious projects that just wasn’t going to work,” Soltis says. “You’d look and you’d say, ‘Wait a minute, I can’t satisfy the needs of all five of these systems’ customers with one system.’ ”

Soltis and other skeptics—to name just two, Dick Mustain, a top System/36 architect, and Dick Bains, an expert in compiler technology and languages—were taken off Fort Knox. Symbolically, their new advanced-technology group was housed not at the main IBM Rochester plant, but across the road in the then-new “white buildings.” “You could tick off the various people who were instrumental in both the System/38 and the System/36 servers, and they ended up in this advanced technology group,” Soltis says. “Every one of us believed Fort Knox wouldn’t work.”

Eventually, IBM reached the same conclusion. By then, the advanced-technology group was nurturing the idea of running System/36 applications in a System/38 environment.

Technologists from the main IBM plant would trek over to the white buildings before or after their regular shift to lend their expertise. They weren’t motivated just by the pursuit of new technology. They also believed jobs were at stake. That’s because at the IBM New York headquarters, Rochester’s future was tied to Fort Knox.

“When Fort Knox collapsed, there was nothing here,” Soltis says. “That would have been the end of Rochester products.”

Convinced that they were saving IBM Rochester itself, employees worked tirelessly on what, in late 1985, became the Silverlake project. Compressing a typical five-year development cycle into barely two years, IBMers practically had to be dragged away from their work.

Soltis recalls IBM locking the plant for an extra day over one holiday weekend just to keep people out. “People were putting in an incredible number of hours and not necessarily being paid for it,” he says. “But the thing was, we used to do annual opinion surveys, and at that time we had the highest opinions ever, as far as people being happy. We were content with what we were doing.”

Content, even amid contentious moments among developers of the two systems. Even though multiprocessor design and I/O architecture came from the System/36, the AS/400 was, at its core, an enhanced System/38. And many System/36 developers doubted this direction.

But Soltis describes the whole experience as IBM Rochester showing what it could do. That’s one reason he found such satisfaction in seeing the first AS/400 systems roll off the assembly line.

“When we actually announced and began to ship the AS/400 server, there was a tremendous feeling of, ‘This is ours. We did this,’ ” he says. “To me it was an exciting time.”

IBM Chief Scientist Frank Soltis (Photo by Mike Ranz)

Neil Tardy is a contributing writer to IBM Systems Magazine, Business Systems edition. Neil can be reached at

Technical Corner
An in-depth look at programming, systems operations and more

Fortifying Security with SQL
By Elvis Budimlic

The IBM* i community has believed for years that the i platform is the most securable computer system on the market. The power of native security is undeniable. However, even shops that leverage native i security may be unaware of the SQL security features that can help extend native security.

In this article, I’ll focus on SQL-based security (aka privileges) and explain how they can help you become confident in your security.

SQL Object Security

The SQL GRANT and REVOKE statements operate on SQL functions, SQL packages, SQL procedures, distinct types, sequences, tables, views, and the individual columns of tables and views. Furthermore, SQL GRANT and REVOKE statements only control private and public authorities.

For the purposes of this article, I’ll focus on table, view and individual column privilege options.

Keen readers have probably noticed that GRANT and REVOKE don’t support group profiles, authorization lists and supplemental groups (but all of these security concepts are inherently honored), nor can they support objects like commands and programs. These security concepts aren’t part of SQL standards, so when you find yourself needing to apply i extensions you’ll have to use native commands like Edit Object Authority (EDTOBJAUT), Grant Object Authority (GRTOBJAUT) and Revoke Object Authority (RVKOBJAUT). You can interface with them via SQL by leveraging the Execute Command (QCMDEXC) stored procedure.

When reviewing documentation on SQL security concepts, you’ll often see a reference to an authorization ID. For all practical purposes, an authorization ID is equivalent to an i user profile. A privilege granted to an authorization ID is considered a private privilege. In contrast to private privileges, privileges granted to the SQL PUBLIC group user are equivalent to the *PUBLIC authority. Keep in mind that in the following examples, anywhere I use a private user (i.e., Betty), you could substitute the special PUBLIC group user. One word of advice when mixing private and PUBLIC privileges is to ensure that any granted private privileges are a superset of any existing PUBLIC privileges, as private privileges override PUBLIC privileges.

It’s important to note that an object’s owner can grant any and all privileges to any other user. Due to the widely adopted practice of shops running i to assign *ALLOBJ authority to users, it’s even more important to note that any such user can also grant and revoke privileges from SQL objects. In other words, special authority *ALLOBJ equates to administrative authority in SQL terminology.

DB2* for i supports nine privileges with GRANT and REVOKE SQL commands:
 • SELECT
 • INSERT
 • UPDATE (ALL and column specific)
 • DELETE
 • INDEX
 • REFERENCES (ALL and column specific)
 • ALTER

These privileges apply to both tables and views, although views have some special restrictions (i.e., inherently nonupdatable view negates any granted UPDATE privileges). Most of the privileges are self-explanatory so I’ll just briefly touch upon the ones that may not be. The INDEX privilege implies that

user can build indexes over a specified table. A REFERENCES privilege implies that user can add a referential constraint specifying a listed table or tables as a parent. The ALTER privilege implies the user can add or drop fields to the table, add or drop triggers to it and add or drop COMMENTs and LABELs on the table. The object owner can grant all privileges to other users by using ALL or ALL PRIVILEGES keywords instead of listing them individually.

Here’s a simple example that illustrates how to use SQL security at an object level:

GRANT SELECT, INSERT ON tableA TO Betty;

This lets Betty query and insert new rows into table A, but not update existing values or delete rows. A variation would be:

GRANT SELECT, INSERT ON tableA TO Betty WITH GRANT OPTION;

The WITH GRANT OPTION clause implies that Betty can now pass the SELECT and INSERT privileges on to other users. One caveat: There’s no CASCADE option on the REVOKE statement. This means you could remove previously granted privileges from Betty, but any users she’s granted privileges to in the meantime would preserve them.

Here’s an example of how to revoke existing authorities from a specific user:

REVOKE ALL PRIVILEGES ON tableA FROM Betty;

You can, of course, be selective about which privileges to revoke.

SQL Column Security

I hinted that you can use SQL security features to extend

another table (i.e., table B) that references the employeeId column in table A. Here’s an example of how that constraint can be effected:

ALTER TABLE tableB ADD FOREIGN KEY (employeeId)
  REFERENCES tableA (employeeId)
  ON DELETE CASCADE ON UPDATE RESTRICT;

This foreign key constraint implements a business rule stating that any time an employee is deleted from table A, any matching employee information in table B is also deleted. Furthermore, any attempt to update the employeeId value in table A with an existing matching value in table B will be rejected due to the RESTRICT clause on the foreign key constraint.

If this is your first venture into SQL security features and you’re disappointed by the fact that you don’t have column-level privileges for other common data-access methods like SELECT and INSERT, don’t despair. There’s a way to accomplish that and much more through the power of SQL views.

SQL Row Security (and More)

Many of the best-known ERP applications offer row-level security features, where a particular user can access certain rows in the table, yet not others. In many cases, row-level security is implemented using SQL views. Using reasonable criteria in a WHERE clause of the statement used to create the SQL view, an application can easily reduce the number of rows accessible to a particular user or group with no application code.

For example, let’s say your application maintains the user name in a table itself. With that in mind, the following SQL view might suffice for row-level security implementation:

CREATE VIEW viewA AS (SELECT * FROM tableA WHERE USER = appUser);

native i security. So far I haven’t really shown you anything
new as SQL object-level privileges map quite nicely to native       This single view is now available to all of your application
authorities. Let’s explore some of the security features unique     users and they’ll only be able to access data where column
to SQL.                                                             “appUser” matches their user profiles. The magic behind this
  Here’s an example showcasing column-level security options        implementation lies in the special DB2 SQL register USER.
using SQL:                                                          The SQL USER register maps to a present authorization ID, or
                                                                    in other words, the current user of the connection/job that’s
GRANT SELECT, UPDATE(employeeId), REFERENCES(employeeId)            accessing the view.
     ON tableA TO Betty;                                               By using views, not only can you be selective about which
                                                                    rows a user can access, but also about which columns they
This statement would permit Betty to read all of the columns        can access. Perhaps you’ve noticed I project all available
in table A yet only be able to update the employeeId column.        fields from tableA using the asterisk indicator. Had I named
Furthermore, providing there’s a primary key on the employeeId      specific columns, the SQL view’s user would only be able to
column, Betty could also add a foreign key constraint to            SELECT/UPDATE/INSERT columns projected in a view.
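The row filter and column projection described above, combined with the object-level GRANT and REVOKE statements from earlier in the article, as an added example that is not the author's code. The lastName and salary columns, the column types and the sample rows are assumptions, and WITH CHECK OPTION is an addition the article does not mention: it rejects an insert or update through the view that would produce a row the view's WHERE clause excludes.

```sql
-- Added example. tableA, viewA, appUser, employeeId and Betty come from the
-- article; lastName, salary, the column types and the rows are assumptions.

-- Constructed base table: appUser holds the authorization ID that owns a row.
CREATE TABLE tableA (
    employeeId INTEGER       NOT NULL PRIMARY KEY,
    appUser    VARCHAR(128)  NOT NULL,
    lastName   VARCHAR(40)   NOT NULL,
    salary     DECIMAL(11,2)
);

-- Constructed sample rows, loaded by the table owner.
INSERT INTO tableA VALUES (1, 'BETTY', 'Smith', 52000.00);
INSERT INTO tableA VALUES (2, 'BETTY', 'Jones', 48000.00);
INSERT INTO tableA VALUES (3, 'CARL',  'Brown', 61000.00);

-- 1. Close direct access to the base table, so the view is the only way in.
REVOKE ALL PRIVILEGES ON tableA FROM PUBLIC;
REVOKE ALL PRIVILEGES ON tableA FROM Betty;

-- 2. Row filter (appUser = USER) plus column projection (salary is left out).
--    WITH CHECK OPTION keeps inserted and updated rows inside the filter.
CREATE VIEW viewA AS
    SELECT employeeId, appUser, lastName
    FROM tableA
    WHERE appUser = USER
    WITH CHECK OPTION;

-- 3. Object-level and column-level privileges are granted on the view only.
REVOKE ALL PRIVILEGES ON viewA FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE (lastName) ON viewA TO Betty;

-- 4. Checks to run while connected as Betty.
-- Returns rows 1 and 2 only; row 3 belongs to CARL.
SELECT employeeId, lastName FROM viewA;

-- Updates no rows: row 3 is not visible through the view.
UPDATE viewA SET lastName = 'Smythe' WHERE employeeId = 3;

-- Rejected by WITH CHECK OPTION: the new row would not satisfy appUser = USER.
INSERT INTO viewA VALUES (4, 'CARL', 'Green');

-- Rejected: Betty holds UPDATE on the lastName column only.
UPDATE viewA SET appUser = 'CARL' WHERE employeeId = 1;

-- Rejected as not authorized: salary is reachable only through tableA.
SELECT salary FROM tableA;
```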


Voilà! You’ve accomplished the desired granularity of access through simple use of SQL views and no application logic whatsoever. And to reiterate, all of the GRANT and REVOKE statements we’ve talked about for tables apply to views as well.

Security powers of SQL views don’t stop there. IBM i 5.4 provides the SQL-specific feature of INSTEAD OF triggers. They let you provide custom routines that’ll run when a user runs one of the data manipulation statements. What you do in those routines is limited only by your imagination, but I’ve seen cases where a customer implemented custom auditing routines through this support, as well as customized encryption of data at rest.

SQL Adopted Authority
One of the very useful, powerful and widely adopted i security concepts is the adopted authority. Traditionally, you’d implement this security concept by designating the USRPRF value on the program as *OWNER versus the default value of *USER (special value *NAMING applies to SQL statements only). When developers wanted to elevate a user’s authority for the duration of the program execution, they’d set the USRPRF keyword to *OWNER, implying that to satisfy authorization checks, the program can use both the user’s authority and the program owner’s authority. This feature came in very handy, for example, to give help-desk staff access to the Change Password (CHGPWD) command within the program-specified bounds without authorizing help-desk employees to the CHGPWD command directly.

With SQL, you can still implement the adopted authority, but there are more considerations to take into account when doing so. The following information will help you implement adopted authority when there’s a business case that supports it.

For static SQL embedded within a program, the *OWNER and *USER settings of the USRPRF keyword have the same meaning you’re used to (adopt the owner’s authority versus run with the authority of the user executing the program). If special value *NAMING is specified, *SQL naming indicates *OWNER and *SYS naming indicates *USER authority is used.

For dynamic SQL located within a program with embedded SQL or pure SQL stored procedure, consider the Dynamic User Profile (DYNUSRPRF) parameter. Assuming USRPRF is set to *OWNER, it’s really the DYNUSRPRF setting that determines whether a program can adopt the owner’s authority. When DYNUSRPRF is set to *USER, user authority is used to process dynamic SQL statements (run-time authorization ID). When DYNUSRPRF is set to *OWNER, both user and SQL program’s (or service program’s) owner authority are checked. This means that to elevate the authority of dynamic SQL statements, both USRPRF and DYNUSRPRF ought to be set to the *OWNER special value.

For dynamic SQL in a distributed program (think Distributed Relational Database Architecture), DYNUSRPRF is again crucial if you want to elevate the authority within, in this case, an SQL package, not a program.

For interactive SQL, including Start SQL (STRSQL), Run SQL Statement (RUNSQLSTM) and Start REXX Procedure (STRREXPRC), the authorization ID is determined by the current user profile of the job where these commands are executing.

More Options for Security
As you can see, implementing security using SQL features is not only straightforward, it also offers the possibility of extending existing native security. Keep what you’ve learned here in mind next time your management or auditors ask you to secure sensitive data in your database.

Elvis Budimlic is the director of development at Centerfield Technology. Prior to joining Centerfield in 2002, he was a programmer and software engineer in IBM’s DB2 SLIC department, and he participated in an IBM Redbooks* residency for the Redbooks publication “SQL Performance Diagnosis on DB2 Universal Database for iSeries*.” Elvis can be reached at

(from page 15)
release, which is really gratifying to see. When we talk to customers about how they are making their decisions, it is usually driven by reduction in cost of ownership. The difference between the releases is in terms of where we’ve done work on transaction control, where we’ve done work to make the management of the servers involved and the connections of users back into the Enterprise server – it’s radically different. In the 8.97 tools release, which you have to at least get to 8.9 for, we put in something called server manager. This gives us a single console to manage multiple instances. One of the things we’ve seen that is a driver for people upgrading is that you are either doing instance consolidation, or they are moving those instances into a datacenter. To realize the value of putting those together on the same box or on a set of boxes in a common datacenter, you really need administration tools that are geared toward that type of model. So we’ve made investments in that area, and they have prompted people to move ahead. We have also done a lot of work to make things scale up better, and we’ve added great new functionality. It is people looking at what the software enables them to do, in terms of attacking new areas of business process and optimizing and making them more efficient. That is what is really driving the upgrades.

Regarding JD Edwards World customers, we are also experiencing a significant uptake of the latest release - A9.1. Called the Renaissance release, A9.1 offers customers over 1,300 enhancements with continuous innovations to reduce the cost and complexity of integrations, to enable manufacturing & distribution operational excellence, and to improve technology upgradeability. In fact, 14% of the JD Edwards World installed base is either live or in the process of upgrading to the A9.1 release, which demonstrates the quality, robust enhancements, and the ongoing commitment to the JD Edwards World product line. Currently in the Asia-Pacific region, we have three live JD Edwards World customers on the A9.1 release.

IBM i: What should customers know about your strategy to enhance the existing JD Edwards EnterpriseOne product as opposed to encouraging the implementation of modules and/or add-on products that also offer functionality they’re looking for? What is your commitment to enhancements within EnterpriseOne?
Lenley Hensarling: Our commitment to enhance JD Edwards’s products is absolute – and we are doing that. We have the JD Edwards EnterpriseOne 9.0 release coming out, which significantly enhances our financials around Project Cost Accounting, that has great new functionality for customers in engineering services. We are also doing significant enhancements to the manufacturing area in kits processing, as well as doing new work in configurator for 9.0. We continue to work in the toolset too, most recently in 8.97, enhancing that to better support SOA access to and from the JD Edwards EnterpriseOne application. We did a lot of great performance improvements around how the user interface renders over the web. The second part to this question is really about Oracle’s strategy with ‘edge applications’ and the acquired products we have. Oracle Transportation Management came to us from G-Log, and that’s about transportation optimization and handling oceangoing freight. We think that’s a great product, and it’s really a whole new product area. We are not getting rid of the JD Edwards EnterpriseOne transportation functionality, but we are also not going to build out a new module that is an advanced optimization solution for transportation, because Oracle has made an investment and continues to make an investment to enhance that based on the acquisition of the company G-Log. We give JD Edwards customers access to the OTM functionality through packaged integrations. You will see us acquire new products and build these Fusion applications, but we will also continue to enhance the JD Edwards product.

IBM i: What’s the single most important improvement you need to make to the JD Edwards World product? How does that play into your five- to ten-year plans for World?
John Schiff: More than any one single change, we plan to continue to build on the enhancements we made in A9.1. With our interim updates, we will add on services and integrations to other Oracle products. We are able to do this because of the architectural changes we made in A9.1. We have added Import/Export capability and approvals. With our next release, A9.1.2, which is planned for 2009, we will focus on requirements for Project Based Industries and will enhance the HR and Payroll products.

IBM i: For JD Edwards World customers, what kind of advice would you give to a customer facing the changing economy with budget pressures as to what areas they should invest their money in to get the greatest ROI?
John Schiff: The economy is constantly changing. Yes, there are many areas that have budget pressures. In fact, World customers often have been under budget pressures and we
see the World product being a great investment, providing a really favorable total cost of ownership. Even in hard times we are seeing our customers invest in the product, seeing expanded footprints in the product, we are seeing them upgrading and, as you know, we’ve been having a really good turnout at conferences. By looking at the World product and the whole JD Edwards product line, you see continued benefit in using the product. By working with my team, talking to support, attending web conferences, they can find new areas of getting additional return on their investment. The A9.1 product has provided them with opportunities to get more value out of the product and to get more productivity for the users. And we will continue down that path into the future as well.

IBM i: Oracle has seen large growth in Asia Pacific and China. How much of this growth applies to JD Edwards EnterpriseOne software? Will EnterpriseOne be expanding its industry focus in that area of the world?
Lenley Hensarling: We see our growth in China and the Pacific region focused in two ways. We are growing with new customers in China and Asia-Pacific who are focused on the domestic markets – so manufacturing and distribution companies that are selling to customers in China that are Chinese companies. The other thing we continue to see are American and European customers of ours that are moving their manufacturing to China or dealing with outsource manufacturing in China. Many western companies are now entering the market to sell their products in China. This is particularly true of our CPG customers. We see demand for the EnterpriseOne product coming from both of these forces domestic and multi-national. Recently, we took in house the localization for China so we can support what’s called “Golden Tax” – an excise tax that the Chinese government requires. We have now taken that completely in house with the EnterpriseOne development group. That allows us to do a lot more in that region, partner with more people to support more multi-national customers and do a better job of servicing that market. In terms of industry support, that market is really focused on distribution and manufacturing – that type of manufacturing that used to drive JD Edwards sales in North America. If you look at what has been in the news lately – the need to do better lot tracking, have signoff on lots being released and to be able to track inputs in the manufacturing process – you get a good feel for what is driving a lot of the demand. So, a lot of the same concerns that North American manufacturers have faced over the past five to ten years – the need to get better visibility, know where their supplies are coming from and where their end-product has gone – have occurred at an accelerated pace in China. They are now coming to grips with a lot of those issues and this is driving the demand for tier one ERP systems like JD Edwards EnterpriseOne and JD Edwards World.

(from page 16)
Figure 1 (page 56) outlines seven steps for practicing a policy-based security approach using Secure Perspective. Figure 1 also defines the primary role (i.e., business leaders, auditors or IT professionals) that would typically complete each step and illustrates for which steps Secure Perspective provides seamless integration.

Step 1: Organize requirements and regulations.
This step is possibly the most important. Business leaders and auditors should organize the business requirements and regulations into a list. Organizing business requirements and clearly defining legal regulations isn’t easy. A thorough job here will simplify the rest of the steps and can save time later.

Step 2: Define actors, resources and actions.
Once the requirements and regulations are clearly defined, it’s time to define the actors, resources and actions in the business. What types of data (resources) exist in the organization’s IT systems? What roles or broad job categories (actors) exist within the business? What generic words, such as “read” or “change,” describe the general ways people in the organization access data (actions)? Typically, leaders in different organizations like human resources, accounting and executives perform this step. Each organization leader understands the actors, resources and access needed for successful job completion.

Secure Perspective provides the interface and functionality to create these specific terms and give them descriptions or synonyms. These terms become the basic building blocks of the security policy.

Step 3: Write the security policy.
After the terms have been defined for the actors, resources and actions, it’s time to write the security policy in natural
language. Policies are composed of several policy statements. Currently, Secure Perspective only supports resource-access statements; so for the sake of this article our policy will only contain statements in the form of (actor) can (action) (resource). In an all-inclusive policy, many other policy statements could define everything from auditing to encryption.

Research has shown that people generally prefer to edit a policy in one of two ways: free text or structured. Secure Perspective provides both. The free-text method for editing the policy lets the user write and edit the policy statements in plain English. Secure Perspective then analyzes the text and parses it into suggested policy statements. If terms aren’t defined, Secure Perspective gives users the option to add those terms to their dictionaries with the click of a button.

Secure Perspective also provides the capability to edit the policy in a structured mode. In this case, a user creates each policy statement by selecting actors, actions and resources from drop-down lists. Secure Perspective also provides some other options: It can analyze the policy to look for redundant statements and it can represent the policy in a two-dimensional matrix for an easy visual representation.

Step 4: Classify data and map terms.
Now it’s time for the business leaders to hand the baton to the IT professionals, who are in the best position to effectively classify the data. IT people also know the security mechanisms of the underlying data, so they can map the policy terms (i.e., actors, resources and actions) to the system resources. The IT professionals do this through Secure Perspective’s rich GUI. Secure Perspective shows the terms on the left and the system resources on the right (see Figure 2, right). The user can create the mapping that ties the term to a set of system resources.

[Figure 1]

[Figure 2]

Step 5: Check the policy and predict problems.
A meaningful policy is now defined. It can be read in natural language so those filling every role can understand their purposes. This policy can also be applied to a system because the natural-language statements have been mapped to system-specific commands. However, applying a policy and altering a system’s security can be scary. Stopping normal processes can harm business. Secure Perspective has addressed this concern by providing preapply checks. Users can check the policy before applying in two ways: By simply running a compliance check, which I’ll describe in detail in Step 7, or by using Secure Perspective’s unique feature to predict problems.

Currently available only on IBM i (as an endpoint), the feature works by analyzing the security audit journal (QAUDJRN) for resource accesses that occurred in the past and will be prevented if the current policy is applied. This is helpful for identifying data that may not have been defined correctly in the previous steps. Additionally, this can benefit users by showing potential security holes in the current environment. Even if all of these steps were completed and the user still didn’t feel confident in applying the policy just yet, getting this far can have a valuable impact on the business.

Step 6: Apply the policy.
A meaningful policy is now ready to apply. Without Secure Perspective, this step would be a long, manual, error-prone process. In Secure Perspective with the click of a button, the security policy is applied over the defined set of systems. Before an apply, a user has the option to preview the policy to simulate the apply without changing any of the objects. For IBM i and DB2*, it generates the commands it’ll run on
the system that can be copied and pasted into a console. For the other systems, the statements generated are interpreted by Secure Perspective’s agent code. The application generates a report with graphs giving feedback about the apply and the success of the individual commands that were run. After the apply, if it’s realized that an undesirable change was made users can undo it.

Step 7: Check compliance, event history and reports.
With the click of a button, the system can be checked for compliance against a security policy. This displays a report with graphs, shown in Figure 3 (left), giving the compliance of the statements, objects and terms with additional information like the super users and a list of unauthorized or denied accesses. Additionally, Secure Perspective can quickly display other information such as term-mapping summaries, resource-access matrices and event histories for Secure Perspective application events.

[Figure 3]

What’s New in V1R2?
Secure Perspective V1R2 lets a user implement policy-based security across more systems. Secure Perspective acknowledges that security policies are not system specific but business wide. Therefore, Secure Perspective server can now be installed on Windows* and IBM i and can manage resource access on i, DB2, AIX* and Windows (see Figure 4, left).

[Figure 4: Managed endpoints]

Secure Perspective also has an enhanced GUI. The new home page, shown in Figure 5 (left), presents a suggested order for completing the key functions and checkpoints with an icon flowchart. The menu bar was moved to the top of the page to give the mapping terms interface more horizontal real estate. New collapsible sections make the report viewing easier to manipulate.

[Figure 5]

Secure Perspective added the capability to create and map filters. Filters are definitions for system-specific objects that can be mapped to terms. For example, a wildcard filter could be created in a directory to represent all of the files that start with the string “usr.” This filter can then be mapped to a term and is evaluated during run time (i.e., during an apply or compliance check).

Secure Perspective has come a long way since its product launch. Rethinking security to use a natural-language, policy-based approach is vital. Finally, a tool exists that bridges the gap between corporate policy and IT practice.

Chris Kundinger is a software engineer at IBM. He’s been a developer for Secure Perspective since its product launch. Chris can be reached at

(from page 8)
exclusively on the Power 520 and Power 550 Express servers. PowerVM Express Edition is managed with the IVM partition and lets you create a total of three partitions on your server.

PowerVM Standard Edition provides an expanded set of virtualization features and is available on all POWER6 technology-based servers and blades. The standard edition provides the capability to run many partitions on the same server. PowerVM Standard Edition is managed using the IVM or an HMC.

PowerVM Enterprise Edition includes all of the features and capabilities of PowerVM Standard Edition along with Live Partition Mobility. PowerVM Enterprise Edition requires an HMC for all server models. IVM support is provided for use with blades.

The availability of three PowerVM editions provides flexibility and choice by letting you select the array of virtualization capabilities you need for your server implementation. A summary of the PowerVM editions is shown in Table 1 (right).

PowerVM Edition Support
PowerVM is delivered via both hardware and software features when you order a Power Systems server. Table 2 (below) shows a summary of PowerVM Edition server and management tool support.

Reap the Benefits of Virtualization
PowerVM brings new hardware virtualization capabilities to Power Systems servers. The deployment of PowerVM in your business can help you reduce server sprawl through improved processor utilization and I/O virtualization that lets you consolidate more partitions onto each of your servers. This can result in reduced energy expense and floor-space requirements, and overall improvements in total cost of ownership.

Deployment of PowerVM can also help you improve end-user satisfaction. Features within PowerVM let you more quickly react to changes in business requirements. Using PowerVM can help you improve application performance and availability. PowerVM can help you move toward service-level agreements by separating applications from specific server resources.

Charlie Cler has been with IBM for more than 23 years, working with Power Systems servers since their introduction in 1990. He currently supports IBM customers in a system-architect role. Charlie can be reached at

Table 1: PowerVM Edition Features

Feature                            Express Edition   Standard Edition   Enterprise Edition
Shared Processor Pool              Yes               Yes                Yes
Virtual I/O Server                 Yes               Yes                Yes
Lx86                               Yes               Yes                Yes
Shared Dedicated Capacity          Yes               Yes                Yes
Multiple Shared Processor Pools                      Yes                Yes
Live Partition Mobility                                                 Yes (1)

Note: 1. Only supported with AIX and Linux.

Table 2: PowerVM Editions Support

Feature             Express Edition               Standard Edition                Enterprise Edition
Supported Systems   Power 520 Express and Power   JS21/JS22 Blades, System i,     JS21/JS22 Blades, System i,
                    550 Express servers           System p, and Power Systems     System p, and Power Systems
                                                  servers                         servers
Management          IVM                           IVM, HMC                        IVM (1), HMC
Maximum LPARs       3 / server                    10 / core                       10 / core

Note: 1. Enterprise Edition IVM support is provided only for JS12 and JS22 blades.

(from page 25)
if it’s talking to an application server on i, Windows, Linux or any other platform.

Team Collaboration
The IBM Rational team has been working on a new technology for team collaboration called Jazz*. The open-source extensible Eclipse platform was developed to allow for the integration of software development tools in a single IDE. One intention of Jazz is to similarly define an open-commercial platform that can foster the integration of team tools. Software development teams use a diverse set of disconnected or loosely connected team tools—for source control, problem reporting, executing builds, tracking test results, scheduling activities, communicating with team members, etc. Jazz is a platform that can tie these capabilities together.
   The first product being released based on Jazz technology is IBM Rational Team Concert. Team Concert will have a team server to consolidate assets and coordinate activities, as well as a client that can plug into your Eclipse-based IDE. It’s highly configurable and customizable.
   You can customize your own development processes, team roles and permissions for those team roles. You can customize types of work items (e.g., defects, enhancements, tasks) your team uses, the stages of progression and approval for those work items. You can create parallel lines of development (e.g., maintenance, new development), schedule stages for your development lifecycle, assign work items to members of your team and balance their workloads. You can manage source changes, associate these change sets with work items and easily merge source changes that conflict with other changes being delivered.
   You can schedule and submit builds, and receive build reports that include information on the exact version of all source used for that build and which work items and source changes were integrated for the build. You can customize queries of work items and reports to illustrate trends for tracking the project’s health and how well the team is tracking to the plan. Figure 1 (right) shows a screen shot of the Team Concert Eclipse-based IDE.

[Figure 1]

   Team Concert also has a Web UI, so other members of the team can access the team repository to query or update work items, view reports, etc., with a simple URL. Whether you’re using the Web UI or an Eclipse-based client, this allows for a high degree of linkability to make it easier to navigate the relationships among plans, work items, source changes and other team artifacts.
   Team Concert also has multiple team communications features, including e-mail notifications for assignments and approvals, team news feeds and instant messaging.
   To learn more about the progress of Jazz technology and Rational products based on it, visit the Jazz project Web site (

Music to Your Ears
All of this functionality should be music to your ears. IBM Rational provides solutions to support the broad management of the application-development lifecycle on i. IBM RDi supports the core development tasks for RPG, COBOL and other i developers. IBM Rational ClearCase and IBM Rational ClearQuest help with change and release management. Several quality-assurance solutions for automated and manual testing exist as well as Web application load testing. All of this, plus future announcements on team collaboration with Jazz technology, can really jazz up your application-development lifecycle and help team members harmonize.

Kushal Munir has been a software engineer at the IBM Toronto lab since 2001. He’s involved in designing, architecting and implementing next-generation team-collaboration tools for i. He also helped create IBM’s application-development products for the platform. Kushal can be reached at

Sean Babineau joined the IBM Toronto lab in 1992. He’s worked in various roles in development and management, on compilers as well as numerous application-development tools for i. He’s leading a project to deliver the next generation of IBM Rational’s team collaboration tools to i programmers. Sean can be reached at

An eclectic take on the System i world

Picking the Best
How melons changed the way Justin Porter feels about IBM i

By Shirley S. Savage

Sometimes the most meaningful relationships evolve from apprehension to deep appreciation. Just ask Justin Porter, director of technology for Westside Produce in Firebaugh, Calif., how disdain for a “legacy” system turned into admiration and zeal.
   Porter’s introduction to IT wasn’t particularly auspicious. As a child, he broke his father’s IBM personal computer the first time he used it. Knowing his father would be furious, Porter went to work to fix the PC. “That’s how I ended up in technology,” he laughs.
   Porter’s work with the IBM i platform also had an unexpected beginning. He says it happened “by accident, and I fought tooth and nail the whole way.” While a student at the University of California-Davis, Porter was hired by Westside Produce to work in the shipping department during the summer of 2003. Westside Produce grows, cools, packs and ships approximately 40 million cantaloupe and honeydew melons each season through contracted farmers in California, Texas and Arizona.
   “I mistakenly thought the company was running a DOS system when I got here,” Porter says. “I didn’t know what iSeries* was.” As a co-worker explained the system to him, Porter’s first reaction was “why are we running a legacy system? My co-worker, the original architect of the software on the ‘legacy’ system, laughed at me and said, ‘It’s not.’ I obviously didn’t understand.”
   That first summer, at the Westside president’s request, Porter wrote a 10-page document making recommendations about instituting a bar-coding system for food safety at the company. Bar codes would let the company track where the fruit came from and where it went, right down to the specific field and the crew that hand picked it. While Westside Produce has never had to conduct a recall, the company wanted to be able to precisely track each pallet of fruit that comes through the warehouse doors. The president liked the report so much that he hired Porter to implement the project. To do that, Porter says, “I had to get more acquainted with the System i* platform.”
   That acquaintance has developed into a deep passion for i. “Everyone who uses the i refuses to use anything else because it’s very simple. It works,” Porter says.
   Due to the seasonal nature of Westside Produce’s business—the company has about 12 employees for eight months of the year and then expands to 800-900 employees during the packing and shipping season—the company doesn’t have a full-time IT staff. Using IBM business partners to collaborate on projects has helped Westside Produce achieve its goals without worrying about adding staff. “Partnering has been key,” Porter says.
   And collaboration doesn’t end at the workplace. Porter is proud to be a YiP (Young i Professional) and is a member of the COMMON Americas Advisory Council. At the last COMMON, a very motivated YiP group sought ways to make a difference and to spread the word about i.
   As a result, the YiPs partnered with the IBM Academic Initiative to mutual advantage. “Working with the Academic Initiative has opened up some doors about what we can do,” Porter says.
   In June, the YiPs launched a Web site ( to encourage young IT pros to become more involved with the i community. The site has several sections, including one called The Resource Dump, where YiPs can post solutions they’ve developed. The group also plans to launch a chat section and a wiki as well as create a YiP open-source initiative that would involve the greater community. Says Porter, “We’re working to change the outlook for young professionals on the platform by providing a central place to congregate and grow together on the platform.”
   It may have been a journey from disdain to appreciation, but Porter knows he’s picked the best and now he wants everyone else to know it, too.

[Photo: Justin Porter’s bar coding system helps Westside Produce know the story behind each melon. Photo by Virginia Wu]

Shirley S. Savage, a Maine-based freelance writer, is the author of several management reports on technology and energy topics. Shirley can be reached at

