IBM i safe from OpenSSL Heartbleed bug

Clients have asked me whether their IBM i servers may be vulnerable to hackers due to the widely publicized OpenSSL Heartbleed bug.

The answer is no. IBM i is safe from this bug, which is present only in specific OpenSSL versions: 1.0.1 through 1.0.1f (inclusive). IBM i’s latest version of OpenSSL, shipped with the “Portable Utilities for i” licensed program product 5733SC1, is 0.9.8, which does not contain the bug.

To make doubly certain, check what version of OpenSSL is installed on your IBM i. Run these two commands, which, respectively, start a PASE interactive terminal session and check the openssl version:
call qp2term
openssl version

For me, the above commands returned “OpenSSL 0.9.8m 25 Feb 2010,” confirming that I’m not affected.

Press F3 afterward to leave the PASE environment.
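The same check can be scripted. The following is an added example, not part of the original post: it classifies an "openssl version" banner against the range stated above (1.0.1 through 1.0.1f inclusive). The function name heartbleed_status and the second and third sample banners are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): classify an `openssl version`
# banner against the range stated above, 1.0.1 through 1.0.1f inclusive.

# heartbleed_status BANNER -> prints affected | not-affected | unknown
heartbleed_status() {
    # Field 2 of the banner is the version, e.g. "0.9.8m" or "1.0.1e-fips".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%-fips}              # FIPS builds keep the same base version
    case "$ver" in
        1.0.1|1.0.1[a-f])      echo affected ;;
        ""|*-*)                echo unknown ;;   # no banner, or beta/vendor suffix
        [0-9]*.[0-9]*.[0-9]*)  echo not-affected ;;
        *)                     echo unknown ;;
    esac
}

# Constructed sample banners; the first is the one reported in the post.
for banner in "OpenSSL 0.9.8m 25 Feb 2010" \
              "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%-34s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# Classify the local binary when one is on the PATH (run inside PASE on IBM i).
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version 2>/dev/null)"
fi
```

The banner reflects the upstream version only; a vendor-patched build can still report a version inside the affected range, so treat "affected" as a prompt to check the vendor's fix level.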

Thanks to Jim Oberholtzer of Agile Technology Architects for his contribution to this answer.

UPDATE from IBM: System SSL and IBMJSSE2 are also safe from the vulnerability on IBM i.

ZF2 and DB2 for IBM i

I’d like to address questions about DB2 support in Zend Framework 2.x. Because I helped create the IBM i-friendly DB2 adapter for Zend Framework 1.x, I’ve followed the development of a similar adapter for ZF2.

(updated January 30, 2013, upon the release of ZF 2.1)

Q. Does ZF 2 include an adapter for DB2?
A. Yes! Starting with ZF 2.1, which was released today.

Q. Is Alan’s IBM i-friendly DB2 adapter for Zend Framework 1.x needed in 2.x?
A. No. Because ZF’s Zend_Db equivalent in 2.x works differently than in 1.x, my 1.x component is not needed in 2.x.

Q. Does ZF 2.1’s DB2 adapter work with IBM i?
A. Yes! Please try it and provide feedback to the ZF team.

Which version of Zend Server for IBM i do I have?

Here is the easiest way to learn the version of Zend Server installed on an IBM i system.
[Updated December 20, 2017]

From a 5250 command line, follow these four steps:

1. GO LICPGM
2. Take option 10 (Display installed licensed programs)
3. Scroll down to the licensed program 2ZSVRPI, 6ZSVRPI, or 7PHPZND 
     (on my system, it's the last entry)
4. Read the product description,
     containing version numbers for Zend Server and PHP,
     in the form "Zend Server for IBM i [version] ( PHP [version])"

On my IBM i, I see:
7PHPZND   *INSTALLED   Zend Server for IBM i 9.1.2 ( PHP 7.1 )
so Zend Server is at 9.1.2 and PHP is 7.1.

Thanks to Zend’s Sam Pinkhasov for this tip.

We’ve been named a Top 10 IBM i blog

This blog, alanseiden.com, has been named to the “Best i Blog Bets” top 10 list by Alex Woodie, Senior Editor of IT Jungle.

Thank you to Alex for this honor. This site will continue to offer articles, presentations, event listings, and news about PHP, Zend Framework, IBM i, and other topics of interest to the PHP/i community.

Zend/PHP 2011 Photos, Part 1 (IBM i)

IBM i had a solid presence at ZendCon, the Zend/PHP conference. IBM itself was a sponsor and staffed a booth (Tim Rowe and Tony Cairns). Here are a few photos from the conference. I’ll post more when I get time.

IBM i for Business / PHP pin

PHP/IBM i pin given out at IBM booth at ZendCon 2011

Chris Pharo from CrossPointe LLC's UnCon presentation showing green screen and PHP webified version

Chris Pharo from Crosspointe, LLC, demonstrating how their "TERMS 2020" school district ERP package evolved from a green screen interface to PHP/web, all on IBM i

Alan Seiden with elePHPant at ZendCon 2011

Alan with elePHPant

NEUGC and COMMON are coming right up

Next week I’ll be in Framingham to present at the Northeast System i Users Groups Conference (NEUGC). In early May, it’s Minneapolis for the COMMON 2011 annual meeting. Here are the dates and places of these great conferences:

NEUGC: April 11-13, 2011, in Framingham, Mass.
COMMON: May 1-4, 2011, in Minneapolis, Minn.

At each conference I’ll be presenting 6 talks:

  • 4 about PHP on IBM i: web services, batch jobs, Zend Framework, and my research into best practices for DB2
  • one about making web development easier with free tools that run in a web browser (a fun one)
  • one non-technical talk about how to stay healthy despite years of professional computer use (fun and interactive)

Both conferences have an exciting lineup of speakers and topics. I plan to learn a lot and meet many great people. If you are there, please say hello.

SSH on IBM i

Secure Shell (SSH), a network protocol used every day by software developers, provides a fast, secure means to transfer files and submit commands to remote servers.

Zend Studio 8.0’s SSH support allows users to save their PHP scripts onto remote servers such as IBM i.

How to set up SSH on IBM i

SSH runs as a server program, the SSH daemon (sshd). Before sshd can run, it requires a set of public/private key pairs.

Instructions for creating the key pairs and starting the server are given below. There are two versions of instructions, depending on the version of OS.

IBM i v6.1 and higher: one step creates public/private keys (if needed) and starts server

STRTCPSVR *SSHD

V5R3 and V5R4: two steps are required

1. First, create the public/private key pairs (only needs to be done once):

CALL QP2TERM
ssh-keygen -t rsa1 -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_key -N ""
ssh-keygen -t dsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_dsa_key -N ""
ssh-keygen -t rsa -f /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc/ssh_host_rsa_key -N ""

2. Then start sshd (“&” means to run in background):

/usr/sbin/sshd &

Either way, the daemon should now be running. To check, type NETSTAT *CNN on an ordinary 5250 command line. Look for a local port called “ssh” or 22.

For more information about setting up SSH, including prerequisites, see this “Young i Professionals” SSH wiki article and this old but still useful SSH article from Zend’s Knowledge Base.
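Because the ssh-keygen commands above create the host keys with an empty passphrase (-N ""), file permissions are all that protects the private halves. The following is an added example, not part of the original post, that audits the three key files named above from a PASE shell. The function names and the HOSTKEY_DIR override are hypothetical; the default directory is the V5R3/V5R4 path from the post.

```sh
#!/bin/sh
# Added example (not from the original post): audit the sshd host keys.
# The post creates them with an empty passphrase (-N ""), so file
# permissions are all that protects the private halves.

# check_host_key PRIVATE_KEY -> prints ok | missing | no-public-half | too-open
check_host_key() {
    [ -f "$1" ]     || { echo missing;        return 0; }
    [ -f "$1.pub" ] || { echo no-public-half; return 0; }
    # First 10 chars of the ls mode string, e.g. "-rw-------".
    mode=$(ls -ld "$1" | awk '{ print substr($1, 1, 10) }')
    case "$mode" in
        -???------) echo ok ;;        # no group/other access
        *)          echo too-open ;;
    esac
}

# audit_host_keys DIR -> prints "<status> <file>" for the three key files
# named in the post; returns 0 only when every key is ok.
audit_host_keys() {
    bad=0
    for name in ssh_host_key ssh_host_dsa_key ssh_host_rsa_key; do
        st=$(check_host_key "$1/$name")
        printf '%-15s %s\n' "$st" "$1/$name"
        [ "$st" = ok ] || bad=1
    done
    return "$bad"
}

# Default is the V5R3/V5R4 directory from the post; HOSTKEY_DIR is a
# hypothetical override for other layouts.
dir=${HOSTKEY_DIR:-/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc}
if [ -d "$dir" ]; then
    audit_host_keys "$dir" || echo "Fix the keys flagged above, then restart sshd."
fi
```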

Q&A: Upgrading from Zend Core to Zend Server

Zend Core and Zend Platform will reach “end of life” on July 1, 2011. Some of my clients have asked me what this will mean to them. In this article I’ll answer some common questions.

Q. What does “end of life” mean?

A. According to the official announcement, effective immediately, Zend Core and Zend Platform will no longer be sold except in special circumstances. Support will continue to be offered by Zend, for those customers with a support contract, until July 1, 2011.

Q. What software replaces Zend Core and Zend Platform?

A. Zend Server replaces both Zend Core and Zend Platform.

Q. If I currently use Zend Core/Platform and take no action, will my PHP scripts continue to run on and after July 1?

A. Yes, your PHP scripts will continue to function. The products will still work.

Q. Why should I upgrade to Zend Server?

A. You should upgrade to continue to get security patches, improvements, and, if you have a contract, support (whether at free or paid levels). In addition, Zend Server comes with the performance-boosting Optimizer+, new versions of the ibm_db2 driver, and PHP 5.3, which offers better memory usage and other benefits.

Q. Do I have to pay?

A. As with Zend Platform, advanced functionality and phone support are chargeable. As with Zend Core, basic functionality comes at no charge to you. The advanced version is called Zend Server. The no-charge version is called Zend Server Community Edition (CE). For more information, see Mike Pavlak’s blog post or ask me for assistance.

Q. Why the two versions of Zend Server?

A. It’s really one version with two modes. If you install the license, you get the advanced functionality. (You can get a trial license that allows you to try the advanced features for 30 days.) If you do not install a license, or after your trial license expires, you’ll have the basic (CE) functionality.

Q. Where can I get a trial license for advanced functionality, such as code tracing and monitoring?

A. http://www.zend.com/en/products/server/license

Q. How do I download Zend Server?

A. For IBM i, go to http://www.zend.com/en/products/server/downloads
and click the “IBM i” tab. Choose an installer for “Zend Server for IBM i (PHP 5.3).” You’ll see one labeled “Windows installer” and one not labeled. The Windows installer might be easier for users less experienced with save files and FTP. The unlabeled one is a smaller download and is fine for anyone comfortable with save files and FTP.

Q. We’re using PHP 5.2.4. Can we continue to use a 5.2.x version of PHP?

A. Zend Server does offer PHP 5.2 versions, but I’d suggest using a 5.3 version if you can. The main thing to watch for is that some 5.2 functions are “deprecated” in 5.3, meaning they still work, but may trigger a warning message. Here is the full list of deprecated functions.

Q. What are the technical differences between Zend Core and Zend Server?

A. One major difference: Zend Server runs under a single native IBM i Apache web server rather than being split between two Apache servers. To see some of the configurations that differ, read my blog post, Differences between Zend Core and Zend Server on IBM i.

Q. Does user NOBODY still run the show (I have it hard-coded in a couple of programs)?

A. No. QTMHHTTP, the default IBM i Apache web server user, is the new user running the show. You’ll have to replace any NOBODY references with QTMHHTTP references.

Q. Any prerequisites before I install Zend Server?

A. Yes. For the list of prerequisites, go to the Zend Server resources page and find the heading “Zend Server for IBM i.” Underneath, click on “Release Notes.” Be sure to install the most current HTTP Group PTF level. If you do that, you’ll automatically be installing the FastCGI PTFs as well. Here are IBM’s instructions for checking your HTTP group level.

Q. Can I run Zend Server at the same time as Zend Core?

A. Yes. If you run them simultaneously, you should make a configuration change to PHP.INI regarding PHP sessions, to ensure that your Core and Server session files do not collide. In /usr/local/zendsvr/etc/php.ini, add these lines:

; Keep Zend Server's session data separate from Zend Core's.
; Be sure to actually create the /tmp/ZS folder first.
session.save_path = "/tmp/ZS"

Q. The release notes say that I should remove previous versions of Zend Server and any older version of the FastCGI PTFs. Do I have to do that?

A. Only if you previously installed a beta version of Zend Server. Most likely, you didn’t install those FastCGI PTFs unless you installed Zend Server before.

Q. Is upgrading to Zend Server worth the trouble?

A. Yes. Besides the importance of being supported, Zend Server will grow with your PHP development efforts, while Core will be frozen at old levels. No need to rush or panic, but do create an upgrade plan. Try to do it before July 1.

If you have more questions or would like a demo of Zend Server’s advanced functionality, get in touch. I’m also offering my clients an affordable block of time to help them upgrade smoothly from Zend Core/Zend Platform to Zend Server with a minimum of disruption. If you are interested in getting help with your upgrade, write to me on my contact page and specify “Upgrade help.”