After the i5 server is installed and ready to go, it is time for you to take over the rest of the installation process. This section gives you some basic advice.
You should resist the temptation (and pressure from other people in your organization) to connect the display stations and printers at this stage because it is still premature. Before doing that, you must set up security, subsystems, user profiles, and device descriptions (at the very least).
To justify your actions when people request to be connected at once, tell them that it is like moving into a new house that doesn't have water, power, carpeting, or even finished walls. You need time to finish the "house" before you let the new tenants move in.
Security is very important. The i5 provides five levels of security: 10 (no longer supported on new systems), 20, 30, 40, and 50 (in order of increasing security). When IBM finishes the installation, security is set to security level 40. This should be sufficient for most routine uses of the server.
Because a person must enter a user profile name (also called "user ID") and a password, which must have been set up beforehand, security level 20 allows you to control who can sign on to the system. Still, once a user signs on, there is no limit as to what he may do. The only way to control users when your system is at security level 20 is to provide them with a menu that does only what they need to do on the system, and give them limited capabilities so they cannot enter any commands at the command line provided by the menu. Limited capabilities can be assigned using the LMTCPB parameter of the Create User Profile (CRTUSRPRF) or Change User Profile (CHGUSRPRF) commands. These commands are explained in some detail in Chapter 13.
Security levels 30, 40, and 50 are similar in that they not only require a user ID and password to sign on but also cause the system to check authorizations whenever the user attempts to perform tasks on objects or resources. In addition, levels 40 and 50 prevent users from accessing system objects (such as internal programs) or doing anything without going through "proper channels." Although the difference between 40 and 50 is small, level 50 also prevents passing invalid parameter values to system programs.
To change your system security level, change the system value QSECURITY with the Change System Value (CHGSYSVAL) command, and then IPL the system. When the IPL is complete, your system will operate under the new security level. To change the security level to 50, do the following:
CHGSYSVAL SYSVAL(QSECURITY) VALUE('50')
ENDSBS SBS(*ALL) OPTION(*IMMED)
PWRDWNSYS RESTART(*YES)
The first command changes the security level to 50. If you want to change it to 30 or some other value, replace '50' with the appropriate value. The second command ends all subsystems and prepares the system for the IPL performed by the last command.
Device descriptions are objects that describe a device to the system. The word "object" means something different to the system than it does to you. An object is a section of disk storage that contains information, has a name, and is contained in a library. For a better description of libraries and objects, refer to Chapter 19.
To configure peripherals on the i5, you need to create a device description for every display station and every printer you plan to connect to the system. This configuration process can be performed at any time, even when users are actively using the system. Older midrange computers, such as the S/36, force you to IPL the system before a new device can be used. The i5 does not need an IPL; the new device becomes available immediately.
i5/OS is capable of configuring devices automatically, or it can let you do it manually. If you want to use automatic configuration, change system value QAUTOCFG to '1'. To disengage automatic configuration (so that you must configure devices manually), change that system value to '0'. You change the system value using the CHGSYSVAL command. For example, to activate automatic configuration:
CHGSYSVAL SYSVAL(QAUTOCFG) VALUE('1')
Automatic configuration has some obvious advantages. The most visible advantage is that you don't have to worry about it. All you do is plug in a new display or printer and turn it on, and i5/OS configures it and makes it available. Before you use automatic configuration, please consider the following disadvantages:
The device must be connected and powered on before the system configures it. This can reduce your chances to control how the device is configured and who has access to it, because the system makes it available to users immediately.
You have no control over the name given to the device. Under automatic configuration, the system uses generic and meaningless names such as DSP02 and PRT03, although you can change the system-generated name using the Rename Object (RNMOBJ) command. Devices can have names of up to 10 characters, which makes it possible for you to come up with names that mean something.
If you decide to turn off automatic configuration, run the following command before you attach any other devices:
CHGSYSVAL SYSVAL(QAUTOCFG) VALUE('0')
Now go to Chapter 13 for instructions for the creation and maintenance of device descriptions.
You must create a user profile for each person you want to have access to the system. The user profile is actually another system object that you can create and maintain. Chapter 11 has detailed information about creating user profiles, including guidelines about naming and organizing them sensibly.
Because your system ships with security level 40, no one can sign on to the system before you create a user profile for that person, unless that person knows about the user profiles provided by IBM (such as QSECOFR and QSYSOPR) and their passwords.
Before you give your users access to the system, you must change the passwords of the IBM-supplied user profiles because the passwords they have when your i5 server is installed are too obvious. See Chapter 11 for more information.
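The points made so far (security level, automatic configuration, and obvious passwords) can be checked in one pass before anyone is connected. The CL program below is an added example, not part of the original text; its message texts are illustrative, and it assumes you run it signed on as the security officer so that ANZDFTPWD is allowed to run.

```cl
/* Added example, not from the original text. Readiness check to run  */
/* before connecting users. Message texts are illustrative.           */
PGM
  DCL VAR(&SECLVL)   TYPE(*CHAR) LEN(2)
  DCL VAR(&AUTOCFG)  TYPE(*CHAR) LEN(1)
  DCL VAR(&FINDINGS) TYPE(*DEC)  LEN(3 0) VALUE(0)

  /* QSECURITY is returned as 2 characters: '20', '30', '40' or '50'. */
  /* A changed level takes effect only after the IPL, so run this     */
  /* check once the IPL has completed.                                */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  IF COND(&SECLVL *LT '40') THEN(DO)
    SNDPGMMSG MSG('QSECURITY is' *BCAT &SECLVL *BCAT +
                  '(below 40): raise it and IPL.') +
              MSGTYPE(*DIAG)
    CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QAUTOCFG '1' means a device plugged in now is configured and     */
  /* made available at once, under a system-chosen name.              */
  RTVSYSVAL SYSVAL(QAUTOCFG) RTNVAR(&AUTOCFG)
  IF COND(&AUTOCFG *EQ '1') THEN(DO)
    SNDPGMMSG MSG('QAUTOCFG is 1:' *BCAT +
                  'new devices are configured automatically.') +
              MSGTYPE(*DIAG)
    CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* Print a report of user profiles whose password is the same as    */
  /* the profile name. ACTION(*NONE) only reports; no profile is      */
  /* changed.                                                         */
  ANZDFTPWD ACTION(*NONE)

  IF COND(&FINDINGS *EQ 0) THEN(SNDPGMMSG +
       MSG('System values OK. Review the ANZDFTPWD report.') +
       MSGTYPE(*COMP))
  ELSE CMD(SNDPGMMSG +
       MSG('Findings are in the job log. Review the ANZDFTPWD report.') +
       MSGTYPE(*COMP))
ENDPGM
```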
A subsystem description is another type of object, used to describe a subsystem to the computer. All work in the system is carried out by the different subsystems. When the i5 is first installed, almost all work is performed by subsystem QBASE. Although this arrangement has the benefit of simplifying management of the computer (which is a big bonus for beginners), it doesn't take advantage of the system resources. Your system will not perform as well as it could.
IBM ships the server with a set of subsystems you can use instead of QBASE. You can read more about them in Chapter 4 or in IBM's Work Management Guide (although IBM's manual is not light reading).