So, while travelling through Virginia this weekend, I stopped in to see my old friend and tattoo artist Jedi Tattooist Edward Yeary.

I first met Eddie back in 1993, when thinking about getting a Tattoo. This turned out to be my first tattoo... and even though nearly twenty years later I still only have one tattoo it's now much bigger... every time I see him I seem to add a little something to it :)

Anyway, I digress, on this occasion the reason was twofold:

1. The second sitting of Miss Kates Back Piece Koi and
2. planning the web presence for Eddie's Tattoo Shop (EDDIE YEARY'S CHERRYBOMB TATTOO in ROCKYMOUNT VA) which means www.EDDIEYEARY.com for his personal artwork and www.INFINITYCOLORWORKS.com for his range of hand crafted natural tattoo inks.

While shooting some video and photos for this website we came up with this gem... it's made me chuckle so much we are going to use it in raw un-edited format:

If you dont have a Redneck Filter installed this is what he said:

WARNING - NON-TECHNICAL BLOG ALERT! WOOP WOOP!

Before leaving the old country (UK) a few years back I was the proud owner of the ultimate road going work horse... a Landrover Defender 110.

It was an early 1994 model with a 2.5 Liter Turbo Diesel engine and a hand painted exterior I used it for construction work every day and it's farmyard rugged skills and ultimately basic controls made me chuckle on a daily basis. I remember getting it really dirty one weekend and taking it to the car wash... opening the doors and jet washing the interior.... *INTERIOR*... yep it started first time and trundled off home with its diesel engine burbling. The kids christened this car BORIS and it became a well known vehicle around Camberley, Surrey.

Over the last few weeks I've been playing with various e-commerce concepts for Eddie Yeary's new online presense INFINITY COLORWORKS. His concept is to sell his range of hand-crafted tattoo inks direct to tattoo artists world-wide: offering a big savings to other tattooists by cutting out the middle man.

Eddie Yeary has been mixing and refining tattoo pigments for decades and has been selling the Phat Cat Color range through third party tattoo vendors. Obviously they add a $markup and while he was laying down my latest piece of skin-art earlier this year, we discussed taking him to the next level.

Co-inciding with the release of this newly branded Alchemy (UV/Blacklight) Ink range, and soon-to-be-announced Infinity Color range (shhh its a secret) his new website is now online at http://www.infinitycolorworks.com

Yes - you did read that right. For those of you who are not in the skin-ink club, Alchemy Tattoo Inks glow in UV light. I've seen some of the UV tattoos he has laid down over the last few years and they are simply amazing.

Anyway, I digress, after selecting Drupal Ubercart for ecommerce of Infinity's Tattoo Ink range I thought I would quickly mention the noteable contenders: ZenCart (very simple to use but just wasnt flexible enough) Joomla (very neat CMS and Drupal only edged it because of its bigger list of available bolt-on modules) and the simple Google Checkout Stores.

Google Stores are the new kid on the block and if you're trying to build a website that feels professional, secure and still has the user-friendliness that customers need to order online - then look at Google. I very nearly selected it but stuck with uBercart for a some other secret (shhhhh) reasons.

This month I've been mainly working with Turnover SCM for iSeries.

"Turnover is the premier Change Management Tool for IBMi Power Systems. The windows Client integrates nicely with RDi and WDSC Development tools and it neatly handles RPG, CL. SQL, DDS, etc etc for controlled code development for all size IBMi shops." No, I dont work for the Turnover mother company - Soft Landings - I just like the product itself. It's more comprehensive and simpler to use than its closest competitors (Aldon and PTS Implementor). IMHO of course.

Anyway, as usual, I digress. I read an interesting little hint hidden away deep in some forum. It's worth recording here so I can find it if I ever need it in the future.

If promotion of a Logical File fails to add a member the FORM will fail and go into RECOVER mode.

I fly a lot for business...

I like the ZONED loading system but would like to see a few tweaks. Seem pretty obvious to me but how about:

So, I was rummaging through one of my cavernous office desk drawers this morning. I was looking for an elusive desktop calculator (you know, one of those ones that starts the week on your desktop but at some time during any given night, jumps up, runs around the room and hides itself for no apparent reason) but found something far more interesting: An iSERIES.

Yep, one small enough to fit in my drawer.

Who knew that an iSeries could be used to “brush away dust and grit from a lens surface”

:)

Voilà!

In view, a humble vaudevillian veteran, cast vicariously as both victim and villain by the vicissitudes of Fate. This visage, no mere veneer of vanity, is a vestige of the vox populi, now vacant, vanished.

Question: All the Exit Program examples I see are in the C Language. Is it possible to write Exit Programs in RPG?

Answer: Yes, but you must write a data structure as same as it in the C header file. The C header file is H/QSYSINC. This include is also available for other languages in QSYSINC/QRPGSRC, QSYSINC/QRPGLESRC, QSYSINC/QLBLSRC, and QSYSINC/QCBLLESRC.

Question: I have been asked to find out how AS/400 users can change their passwords using a web browser application.  We will synch user info to the NT Domain server to enable validation and signon.  The AS/400 passwords expire every 30 days.  The users must be able to maintain their passwords without leaving the web application (a combination of Cold Fusion, Javascript and HTML).  Off the shelf packages are OK, or IBM supplied API that support some sort of encryption (we don't want passwords xmitted over the internet in the clear.)  Any and all suggestions are appreciated. (12/99)

Communications Security

Question: I have IS staff in a number of remote sites that I would like to setup so that they can vary on and off their local devices. I thought that I would give them the rights to vary controllers and devices but not lines, tape drives or consoles.

The easiest and fastest way seemed to give them *IOSYSCFG rights but I still want to control some configuration objects. Here is what I tried but it doesn't work, can anyone suggest a better way?

1. CRTUSRPRF called IOSYSCFG with only *IOSYSCFG special rights nothing else and even limit command line.

2. CRTCLPGM called WRKCFGSTS that is owned by IOSYSCFG and adopts. This program prompts the command WRKCFGSTS.

3. Replace the menu function they currently have with this new CLP.

4. Grant user IOSYSCFG *USE rights to the command WRKCFGSTS

5. For the few identified objects I don't want them to have access to, set authority for user IOSYSCFG to *EXCLUDE.

The problem is that through this CLP I they can't vary any devices on or off. It's as if the adoption rights don't carry through. Is this true of *IOSYSCFG rights?

Answer 1. Why don't you just give the profile, IOSYSCFG menu level security with menu options for Devices and ctl only?

The IFS is probably one of my favourite things about IBMi. It's a layer of software that lets the rest of your 'Windows' World talk directly to that big Black IBM Super Server in teh corner. The beauty of it is.... those widows machines dont even know they are talking to a super server - because the IFS presents data to them in a lovely windows FAT kind of way. very cool:

Integrated File System Security

Question: I have a problem with security on QDLS. I have a user that is unable to access QDLS from her PC. Her profile is setup as *SECOFR with *ALLOBJ authority. Is there special security for QDLS?

We map a network drive to our system's root:

\\CSCNJ

When she clicks on QDLS is says access denied?? Any ideas??

Here is some of the things that we tried:
Delete all the *.PWL files
Cleared the CA/400 password Cache

Response 1. Is she in the AS/400 directory?(WRKDIRE). (note: turned out to be the most useful response in this particular case)

Response 2. Is she enrolled as a CA user on the AS/400?

Response 3. What userid is she signing on as. Do a WRKACTJOB and make sure it is her userid that is signing on. Also, make sure that she has a Directory entry, and the directory entry points to the right user profile.

Yes thats right. *SPLFS. IBM Spool Files. I love them a lot so I want to keep them secure:

Spool files and Printer security

Question: I want to set up user profile who just can display spool file but who can not delete it.

Answer 1. Spool file security is quite a bit different than usual AS/400 security.

First, The user should not have any special authorities, especially not *SPLCTL *JOBCTL or *ALLOBJ. (OK their are ways to secure an outq when the user has some of these special authorities, but I'm giving you the fast path).

Then create (or change) the OUTQ's in question so that "Authority to Check" parameter is eqaul to "Data Authority" (Ex: AUTCHK(*DTAAUT)) and the "Display Data" parameter is equal to yes (Ex: DSPDTA(*YES)).

Then set the object authority on the outq to *USE for that user. This will give the user read authority only.

Adopting authority can be a very dangerous thing. But if its implemented properly its really quite cool. discuss ;)

Adopting Authority

Question: Is there an easy way of finding all programs in all user libraries that use adopted authority? The DSPPGM command doesn't allow for *ALL and worse, doesn't output to a file.

Answer 1. TAATOOL has a nifty command called - PRTADPPGM

Answer 2. Try GO SECTOOLS. If you roll down, option 21 might prove useful.

Answer 3. Yes and no. The DSPPGMADP can show programs that adopt a specific user profile, as in compiled *OWNER and can put it to a file. Otherwise, its into the APIs for you. Check on QCLRPGMI, retreive program information. The PGMI0100 format has the information that you are looking for. Of course, it isn't a file, but because it uses a receiver variable, you could code this in a CL program.

Answer 4. You can't do it by library, but you can do it by user profile. The PRTADPOBJ command allows you to single out a particular user, or specify *ALL users. Unfortunately, the PRTADPOBJ *ALL option prints all of the IBM user profiles as well as the all of your users.

Talking about an OBJECT in the IBMi world conjures up images of all kinds of wonderfull screens defining object parameters:

AS/400 Object Authority

Question: If a library has security for a user of *USE will this user be able to update files in the library and If files were created with public *USE.

Or is the security level at the library used for all objects under it. My understanding is that the library *USE means the user can use all objects under it and that the security of the files (objects) is used to check what the user can do to the file.

Answer You are correct, having Use to the library means you cant add objects to that library, but if a file has *PUBLIC *CHANGE inside a library that you only have *USE to, you can still change the data in the file

*USE at the library level will let a user pretty much do anything to an object in that library that is not excluded by authority on that object. One exception I've found is the ability to add a member to a file, which requires *CHANGE at the library level.

User profiles are such a wonderful and flexible part of the IBMi operating system. Group profiles, Security levels, authorization lists.... good stuff:

Managing User Profiles

Question I am having a problem with user profiles disabling randomly.

Answer 1. It sounds like someone has used the Security Toolkit to activate the "automatically disable inactive profiles" option. That's not really it's name. It's name is "Analyze Profile Activity" on the menu option, which sounds benign enough, but in fact it will initiate this scheduled auto-disable.

From the Security Toolkit (GO SECTOOLS) choose option 4 (ANZPRFACT) and set the number of days to *NOMAX. This will prevent any profile from being automatically disabled by this new feature.

Alternately, you could leave the auto-disable at 90 days, and then use options 2 & 3 on that same menu to exclude certain profiles from being disabled.

More snippets of mostly outdated stuff... but worth saving online because I'm contsantly amazed by the lax security setup at some shops I visit:

AS/400 and Internet Security:

Question:  What security level (30, 40, or 50) is adequate for an AS/400 on the Internet?

Answer 1. Levels 40 and 50 will have little or no impact in regard to remote connections. Level 30 provides logon and resource security. Level 40 adds user and system domain differentiation, and makes sure that only the officially "blessed" interfaces and APIs will run. Level 50 adds DOD data protection and auditing features that are supposedly resource hogs, and probably completely unnecessary unless you're keeping military secrets at your site.

Question:  Can anyone tell me how OS/400 compares to unix where Internet security is concerned?

Answer 1. Unix has security???? :)

I must admit to being a little baffled by cryptography, data encryption and all that SSL nonsense... so this was very intersting to read:

Cryptography and the AS/400

Question: I need some help. I have AS/400 F20 in central site and about 30 terminals and PC connected to it by several HDLC lines or X.25 satellite lines. I'm looking for companies offering cryptographic modems, cryptographic cards, ciphering programs or other solutions providing security in this system.

Answer:  For AS/400, there are 2 different cryptography products available. The first is Cryptographic Support/400. This is software implementation of the DES. It contains around 10-12 API verbs for encipher/decipher, PIN functions, MAC functions, and some key management. The second product is the Cryptographic Processor, feature 2620 (or 2628) along with PRPQ IBM Common Cryptographic Architecture Services/400. This is a hardware implementation of DES. On V3R1, the RSA public key algorithm is also supported. The PRPQ contains CL commands for initializing and starting the processor, 99 API verbs, and key storage. The API is a superset of IBM's Common Cryptographic Architecture and contains support for encipher/decipher, MAC functions, MDC, PIN functions, digital signatures, and Key management including ANSI X9.17.

Today, I was talking *techie* to a colleague in I.T. who still calls the IBMi Operating System - 'The AS/400'.    We bumped over a few technology sleeping policemen during the conversation. Software is easy to upgrade. Mindsets are sometimes overlooked. This reminded me of the importance of keeping our skill sets current. If we don't move with the times, then our knowledge in our field of expertise quickly becomes out of date and hence 'of less worth'. I never want to be deprecated in favor of a new version of me. I want to make my own Nick Two Point Oh.

Anyway, the gray haired dusty shouldered gentleman in question was proudly proclaiming that the AS400 would be around forever because it was the most secure machine on the planet. Then proceeded to spout some un-verifiable (and almost certainly delusional) points about the AS400 still being used to power Google Servers, the president has one and its the only machine that has never ever had a virus.

Much as I like the IBMi operating system, this made me think "exactly what is it that defines a Virus?" 

Mister Number is a very cool app that lets you know if incoming calls/texts are from Spammers... and even gives you names of people calling if they're not in your address book. This is a tight contender for my favorite app.

The whole concept that I get a call from a number that I dont recognize, that has never called before, and Mr Number will tell me its from Fred Blogs a Car Salesman in New York. It' groovy and no mistake

GMAIL - by Google (duh!).

So much better than the integrated Android email functions and lets you get the exact same visual GUI as checking googlemail online. This is normally the first thing I install.

https://market.android.com/details?id=com.google.android.gm&feature=search_result

The huge choice of free apps on Android is the main reason I'm so impressed by this operating system I was briefly on iPhone4 before being lured to Android on my Motorola DroidX.

I honestly dont see what the fascination with iPhone is? It's an inferior operating system and everything (and I mean everything) costs money.

God I hate iTunes... its just so... so... clunky!