IBM Support

New System Setup - Beyond the Basic Console Connection

Technote (troubleshooting)


Problem (Abstract)

This document provides additional basic setup tasks for a new system, once the console is successfully connected and the first IPL has completed.

Resolving the problem

IBM suggests that after successfully connecting the console, you should consider changing the following default settings in service tools. Topics include Console Related Service Tools and System Security Settings. Some settings can only be changed in Dedicated Service Tools on the console. Others can also be changed in System Service Tools.

There are three major sections. The topics in each section are listed below:

Section A: Console Related Service Tools Tasks
o Enable ability to Work with Service Tools Device IDs in SST
o Autocreate service tools device IDs
o Grant RCP by Default for Autocreated Service Tools Devices
o Create additional service tools device IDs
o Enable Console recovery and take over by another console

Section B: System Security Settings
o Service Tools user IDs
o Configure Service Tools sign-on parameters
o Create additional Service Tools user ID

Section C: Non-Console Settings
o Some very basic system values
o Identify valid Ethernet resource name
o Configure Ethernet resource for network connectivity

To access Dedicated Service Tools on the console

If your system does not have an HMC, you will need to do the following from the physical control panel of the system (or from the Remote Control Panel on the console, if available):
1. Put system in manual mode.
a. Press Up Arrow until 02 is displayed, and press Enter.
b. Press Enter again to move pointer (<) over to the N.
c. Press Up Arrow to change N to M.
d. Press Enter until panel displays only 02 (2 or 3 times).

System is in manual mode
2. Force DST to console.
a. Press Up Arrow until 21 is displayed, and press Enter.

Service Tools logon should now be displayed on the console.
3. Important Note: Once you have exited DST, return the system to normal mode.
a. Press Up Arrow until 02 is displayed, and press Enter.
b. Press Enter again to move pointer (<) over to the M.
c. Press Up Arrow to change M to N.
d. Press Enter until panel displays only 02 (2 or 3 times).
e. Press Down Arrow to 01, press Enter.

System is in normal mode.

If your system has an HMC running V6 or earlier, you should do the following:
1. Service Applications - Service Focal Point - Service Utilities.
2. Click to highlight System, and click Selected at top of window.
3. Select Operator Panel Service Functions.
4. In the Operator Panel Service Functions window, select the partition, then click on Partition Functions.
5. Select Activate Dedicated Service Tools (21) - i5/OS.
Service Tools logon should now be displayed on the console.

If your system has an HMC running V7, you should do the following:
1. In left panel, expand Systems Management - Servers, and then click on the server name to display partitions in right panel.
2. Check the box for the partition you are working with.
3. Under Tasks, expand Serviceability, then expand Control Panel Functions.
4. Click on (21) Activate Dedicated Service Tools.
5. Click OK in popup window confirming Operation panel function 21 initiated.

To access System Service Tools
1. On a command line (does not have to be the console), type STRSST (Enter).
2. Log on with QSECOFR service tools ID/password. The default password is QSECOFR (all uppercase).


Section A

Console Related Service Tools Tasks

Enable ability to Work with Service Tools Device IDs in SST

Service Tools Device IDs are used only with LAN Operations Console. By default, access to Service Tools Device IDs in SST is disabled. There are two occasions when access through SST (rather than forcing DST or using physical control panel) can be easier and faster: 1) creating service tools device IDs for additional LAN consoles; and 2) resetting the password associated with a service tools device ID.

The setting to enable access to service tools device IDs in SST can only be changed through DST.

To enable access, do the following:

o Force DST to the console (see steps above), log on as QSECOFR

Step A. If server is running V5R4 or later (skip to Step B. if server is running V5R2 or V5R3):

o Option 5. Work with DST environment.
o Option 6. Service tools security data.
o Option 7. Work with lock for device IDs from SST (option 7 toggles between Enabled and Disabled).

Work with Service Tools Security Data

Note: Option 11 was added at V6R1M0; Options 12-14 were added at V6R1M1.

o Press F3 two times to return to the Use Dedicated Service Tools (DST) menu. When you are ready to exit DST, press F3 once more and select Option 1. Exit Dedicated Service Tools.


Autocreate service tools device IDs

With V6R1M0 and later, the system can autocreate new service tools device IDs to support new console connections. The default setting will allow autocreate of up to 10 service tools device IDs. These autocreate device IDs will be named QCONSOLE00, QCONSOLE01, etc., up to the maximum number allowed. (At earlier releases, service tools devices must be managed manually - see following section titled "Create additional service tools device IDs".)

To change the number of autocreate service tools device IDs allowed, do the following:

o Force DST to the console (see steps above), log on as QSECOFR
o Option 5. Work with DST environment
o Option 6. Service tools security data
o Change the value for Option 11, then type 11 on the Selection parameter at the bottom of the screen and press Enter to store the change. Valid values are 0 to 49. A value of 0 turns off autocreate.

Work with Service Tools Security Data


Grant RCP by Default for Autocreated Service Tool Devices

With V6R1M0 and later, when an additional console PC is configured and connected, the system will autocreate a service tools device ID to support the new console connection. By default, the autocreated device ID will have permission Granted for the 5250 session, but the Remote Control Panel (RCP) permission is Revoked. At V6R1M1 and later, you can change the default so that new console connections automatically have permission granted for the RCP. (At earlier releases, service tools devices must be managed manually - see following section titled "Create additional service tools device IDs".)

To grant permission for RCP by default, do the following:

o Force DST to the console (see steps above), log on as QSECOFR
o Option 5. Work with DST environment.
o Option 6. Service tools security data.
o Option 12. RCP privilege on autocreated device IDs (option 12 toggles between Revoked and Granted).

Work with Service Tools Security Data

Note: Option 11 was added at V6R1M0; Options 12-14 were added at V6R1M1.

o Press F3 two times to return to the Use Dedicated Service Tools (DST) menu. When you are ready to exit DST, press F3 once more and select Option 1. Exit Dedicated Service Tools.


Create additional service tools device IDs

NOTE: Option 7 (Change attributes) allows you to grant or revoke the Console or Partition remote panel privilege.

If you plan to configure LAN Operations Console on additional PCs, you will need to create an additional service tools device ID for each PC configured as a console.

These device IDs can be created through DST. If you have already enabled the ability to work with service tools device IDs through SST (see previous section of this document), they can also be created through SST.

To create device IDs through SST, do the following:

o Type STRSST on a command line, press Enter, and log into SST with QSECOFR service tools ID.
o Option 8. Work with service tools user IDs and Devices.
o Option 2. Service tools Device IDs.
o Enter Option 1, and the name of the service tools device ID you want to create.

Service tools device ID screen

o Enter a Description if you choose, then press F5=Change attributes.

Create service tools device ID screen

o Operations Console (LAN) should have status of Granted.
o Partition remote panel should have status of Granted if you want the console PC using this device ID to have the Remote Control Panel.

Change service tools device ID screen

o Press F12 to create the device ID and return to the Work with Service Tools Device IDs display.
o Repeat the above steps to create any additional device IDs you may require.
o Press F3 two times to return to the System Service Tools (SST) menu. When you are ready to exit SST, press F3 once more and press Enter to continue ending SST.


Enable Console recovery and console can be taken over by another console

Console recovery allows the system to attempt to recover the console when a temporary console loss occurs. The Recovery capability of this feature works for LAN Operations Console, Direct (serial-attached) Operations Console, and HMC 5250 console (it does not apply to twinax console). Console takeover allows a LAN Operations Console PC to “take” the console session from another LAN Operations Console PC. IBM support recommends you enable this function if you have LAN Operations Console, Direct Operations Console, or HMC 5250 console.

The takeover and recovery feature can be enabled/disabled in either SST or DST.

To enable/disable through SST, do the following:

o Type STRSST on a command line, press Enter, and log into SST with QSECOFR service tools ID.
o Option 8. Work with service tools user IDs and Devices.
o Option 3. Select console.
o Allow console recovery and console can be taken over by another console:
Select 1=Yes to enable
Select 2=No to disable
Press Enter to continue

Select console screen

o If the Verify Service Tools LAN Adapter display is shown, press Enter again.
o Press F3 one time to return to the System Service Tools (SST) menu. When you are ready to exit SST, press F3 once more and press Enter to continue ending SST.

To enable/disable through DST, do the following:

o Force DST to the console (refer to steps at the beginning of this document), log on as QSECOFR.
o Option 5. Work with DST environment.
o Option 2. System devices.
o Option 6. Select console.
o Allow console recovery and console can be taken over by another console:
Select 1=Yes to enable
Select 2=No to disable
Press Enter to continue

Select console screen

o If the Verify Service Tools LAN Adapter display is shown, press Enter again.
o Press F3 one time to return to the Dedicated Service Tools (DST) menu. When you are ready to exit DST, press F3 once more and select Option 1. Exit Dedicated Service Tools.

With Console Takeover and Recovery enabled, you may see the following service tools sign-on screen when you first connect a console session. You should sign on with a service tools user ID that has authority to take over the console, such as QSECOFR. You can also create new service tools user IDs, and grant permission to Takeover console.

CAUTION: At the bottom of this takeover authentication screen is an F18 option, which bypasses the requirement to enter a valid service tools user ID/password. Be aware that if you use F18 to bypass the service tools logon, you will cause the existing console job to end and a new sign-on display will be presented. If the console job is at the sign-on display, sitting at a menu, and so on, this is generally not an issue. However, if a job is currently running on the console (for example, a system backup), using F18 will cancel the backup. Therefore the recommendation is to always sign on with a valid service tools user ID/password and not get in the habit of using F18 to bypass.





Section B

System Security Settings

Service Tools User IDs

By default, a service tools user with default or expired password cannot reset their own password. Use the following command to display current setting:
DSPSECA (Enter)

The biggest impact of this setting is when the QSECOFR service tools password is lost or disabled. If you run the CHGDSTPWD *DEFAULT command to set the QSECOFR password back to the default and this value is set to *NO, you will have to force DST to the console to reset the expired password. When this value is set to *YES, service tools user IDs that have a default or expired password will be allowed to change their password during SST sign on (by selecting F9 on the STRSST sign-on display) or with the QSYCHGDS API. A default password is a password that is the same as the service tools user ID.

To change this value to *YES, do the following:

o Force DST to the console (refer to steps at the beginning of this document), log on as QSECOFR.
o Option 13. Work with system security.
o Change “Allow a service tools user ID with a default and expired password to change its own password” to 1=Yes.

Work with system security screen

o Press Enter, then F3 to return to the Dedicated Service Tools (DST) menu. When you are ready to exit DST, press F3 once more and select Option 1. Exit Dedicated Service Tools.


Configure Service Tools sign-on parameters

o Force DST to the console (refer to steps at the beginning of this document), and log on as QSECOFR.
o Option 5. Work with DST environment.
o Option 6. Service tools security data.

The Work with Service Tools Security Data screen is displayed:

Work with service tools security screen

You may want to consider removing or loosening the restrictions on service tool sign-ons.

o To remove or change the password expiration interval:

Important Note: Password expiration setting Option 8 is only for type SHA password, password level 2. It has no effect if the password level is 1, DES.

- Type 0 to remove, or the desired expiration interval, next to option 8. Password expiration interval in days
- Type 8 on the selection line and press Enter

o To change the maximum sign-on attempts allowed:
- Type the desired number (5 for example) next to option 9. Maximum sign-on attempts allowed
- Type 9 on the selection line and press Enter

o To disable or change the duplicate password control (default of 18 means you can't enter a new password that is the same as any of the last 18 passwords used):
- Type 0 to disable, or the desired number, next to option 10. Duplicate password control
- Type 10 on the selection line and press Enter

Note: You may see different options on the above display, depending on your release and PTF levels.

o Press F3 two times to return to the Dedicated Service Tools (DST) menu. When you are ready to exit DST, press F3 once more and select Option 1. Exit Dedicated Service Tools.


Create additional Service Tools User ID

IBM support recommends configuring at least one additional service tools user ID with all privileges (as a backup for QSECOFR).

This task can be done from either SST or DST.

To create an additional service tools user ID through SST, do the following:

o Type STRSST on a command line, press Enter, and log into SST with QSECOFR service tools ID.
o Option 8. Work with service tools user IDs and Devices.
o Option 1. Service tools user IDs.
o Enter Option 1 and new User ID name, press Enter.

Work with service tools user ID screen

o Enter the new password.
o Change "Set password to expire" to 2=No.
o Enter a description, if desired.
o Press F5=Change privilege.

Create service tools user id screen

o Type Option 2 to Grant for all functions (be sure to page down to get them all), and press Enter.

Change Service Tools User Privileges

o Press F3 three times to return to the System Service Tools (SST) menu. When you are ready to exit SST, press F3 once more and press Enter to continue ending SST.


To create an additional service tools user ID through DST, do the following:

o Force DST to the console (refer to steps at the beginning of this document), log on as QSECOFR
o Option 5. Work with DST environment
o Option 3. Service tools user IDs
o Use the same steps as shown above for SST to create the new service tools user ID
o Press F3 three times to return to the Dedicated Service Tools (DST) menu. When you are ready to exit DST, press F3 once more and select Option 1. Exit Dedicated Service Tools


Section C

Non-Console Settings

Some very basic system values

This is not intended to be a comprehensive review of system values. It simply highlights a few system values that will need to be reviewed and possibly changed to get you started.

For a list of all system values:
WRKSYSVAL (Enter)

To work with a specific system value (for example, QAUTOVRT):
WRKSYSVAL QAUTOVRT (Enter)

Use Option 5 to Display the current setting. Use Option 2 to change the current setting.

QAUTOVRT:
This value determines whether the system will automatically configure virtual devices (in other words, QPADEVxxxx). The default setting is 0. For devices other than the console to connect, you must either change this value, or manually create the required devices.

QLMTSECOFR:
This system value controls whether users with *ALLOBJ or *SERVICE special authorities need explicit authority to specific workstations. The default setting is 1=Explicit device access needed. For QSECOFR or another user with *ALLOBJ or *SERVICE special authorities to sign onto a workstation other than the console, you must either change this system value, or GRTOBJAUT for the user to each workstation they want to use.

QCTLSBSD:
This system value defines the controlling subsystem. The default setting is QBASE. The more common setting is QCTL. Some users create their own controlling subsystem. A change to this system value takes effect at the next IPL.

QASTLVL:
This system value specifies the level of assistance available to users of the system. The default value is *BASIC. The system value can be overridden at the user profile level.

QDATE, QTIME, QTIMZON:
Use these system values to correctly set date and time.
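
The same review done with CL commands instead of the WRKSYSVAL menus, as an added example that is not part of the original IBM document. It keeps QLMTSECOFR at its default and uses the GRTOBJAUT alternative described above. The device name ADMINDSP01 and the QAUTOVRT value of 10 are assumptions chosen for illustration.

```cl
/* Added example, not from the original technote.                    */
/* Display the current settings before changing anything.            */
DSPSYSVAL SYSVAL(QAUTOVRT)
DSPSYSVAL SYSVAL(QLMTSECOFR)
DSPSYSVAL SYSVAL(QCTLSBSD)
DSPSYSVAL SYSVAL(QASTLVL)

/* QAUTOVRT: allow the system to autoconfigure virtual devices.      */
/* 10 is an assumed figure; size it to the sessions you expect.      */
CHGSYSVAL SYSVAL(QAUTOVRT) VALUE(10)

/* QLMTSECOFR: leave the default of 1 (explicit device access) and   */
/* grant QSECOFR authority to one named workstation instead.         */
/* ADMINDSP01 is a hypothetical device description name.             */
GRTOBJAUT OBJ(QSYS/ADMINDSP01) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*CHANGE)

/* QCTLSBSD: switch the controlling subsystem from QBASE to QCTL.    */
/* The change takes effect at the next IPL.                          */
CHGSYSVAL SYSVAL(QCTLSBSD) VALUE('QCTL QSYS')

/* Confirm what is now stored.                                        */
DSPSYSVAL SYSVAL(QAUTOVRT)
DSPSYSVAL SYSVAL(QCTLSBSD)
```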

Configure network connection

This section describes a basic network configuration. It is not intended to be a thorough guide for creating network connections. For further detail, refer to Rochester Support Center knowledgebase document New, TCP/IP Fastpath Setup.


Identify valid ethernet resource name

o On the command line, type:
GO HARDWARE (Enter)

o Select Option 1. Work with communication resources

o Use Option 7. Display resource detail to display the Location information for each Ethernet Port.
Reference info:
Resource type 1818 = dual 1Gbps ethernet on an M15, M25, M50, 8203 and 8204
Resource type 1819 = quad 1Gbps ethernet on an M15, M25, M50, 8203 and 8204
Resource type 181A = dual 1Gbps ethernet on MMA
Resource type 181C = quad 1Gbps ethernet on MMA
Resource type 5706 = 1Gbps ethernet on 9406-515, 520, 525, 570

Important Note: If you are using LAN Operations Console, first determine what resource is used by the console (usually the first embedded port). The console Ethernet port cannot be shared at V5R4M5 and earlier. Starting with V6R1, it is possible, but not recommended, for the console and a regular Ethernet connection to share the same physical Ethernet port.


Configure Ethernet resource for network connectivity

Create Line Description

o Option 5. Work with configuration descriptions for another (non-console) Ethernet port.
o Option 1=Create, Description=name of new line description:

Work with configurations descriptions screen

o Press Enter. You will see the Create Line Description (Ethernet) display. Make any changes that might be required for your local network, and press Enter again to create the line description.


Configure TCP/IP Interface

o On the command line, type the following:
CFGTCP (Enter)
o Option 1. Work with TCP/IP interfaces
o 1=Add, under Internet Address column, type IP address

Work with TCP/IP interface screen

o Press Enter.
o On the Add TCP/IP Interface (ADDTCPIFC) display, fill in the name of the Line description you just created, and the Subnet mask of your local area network. Again, make any additional changes required by your local network.

Add TCP/IP interface screen

o Press Enter to create Interface.


Add Default TCP/IP Route

o On the command line, type the following:
CFGTCP (Enter)
o Option 2. Work with TCP/IP routes
o Option 1 to Add, press Enter

Work with TCP/IP routes screen

o Enter the following:
Route Destination = *DFTROUTE
Subnet Mask = *NONE
Next Hop = <ip address of your local network gateway device>
Press Enter to create default route

Add TCP/IP route screen

Start the new Ethernet interface

o Connect a cable from the Ethernet resource on the system to a port on your local LAN switch/hub
o Vary on the line description:
WRKCFGSTS *LIN <line description name>
Option 1 = Vary on
o Start the interface
CFGTCP
Option 1 Work with TCP/IP interfaces
Option 9 = Start
F11 to change view to show Interface Status
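
The line description, interface, default route and start-up steps above, written as the equivalent CL commands. This is an added example, not part of the original IBM document. The line name ETHLINE, the resource name CMN03 and the 192.0.2.x addresses are placeholders, and TCP/IP is assumed to be already active on the system.

```cl
/* Added example, not from the original technote.                    */
/* Create the line description on a non-console Ethernet port.       */
/* CMN03 is a placeholder: use the resource name found through       */
/* GO HARDWARE, and not the port used by LAN Operations Console.     */
CRTLINETH LIND(ETHLINE) RSRCNAME(CMN03) TEXT('LAN line, non-console port')

/* Add the TCP/IP interface on that line (placeholder address/mask). */
ADDTCPIFC INTNETADR('192.0.2.10') LIND(ETHLINE) SUBNETMASK('255.255.255.0')

/* Add the default route through the local gateway (placeholder).    */
ADDTCPRTE RTEDEST(*DFTROUTE) SUBNETMASK(*NONE) NEXTHOP('192.0.2.1')

/* Vary on the line, then start the interface.                       */
VRYCFG CFGOBJ(ETHLINE) CFGTYPE(*LIN) STATUS(*ON)
STRTCPIFC INTNETADR('192.0.2.10')

/* Verify: the line should be varied on and the interface active.    */
WRKCFGSTS CFGTYPE(*LIN) CFGD(ETHLINE)
NETSTAT OPTION(*IFC)
```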


Cross reference information
Segment Product Component Platform Version Edition
Operating System IBM i 7.1
Operating System IBM i 6.1
Operating System IBM i 7.2

Historical Number

521205188

Document information

More support for: IBM i
System Console

Software version: 5.4.0, 5.4.5, 6.1.0, 6.1.1, 7.1.0, 7.2

Operating system(s): IBM i

Reference #: N1018613

Modified date: 22 July 2013