You and i

October 2012

10/23/2012

PowerSC and IBM i: Integration of Security

By Steve Will

Ever since the creation of the Power Systems brand, you’ve been introduced to products that span the IBM Power Systems family, at least at some level. For example, the hypervisor that sits below IBM i, AIX and Linux is PowerVM. The PowerHA product set addresses the same kinds of high availability requirements no matter which operating system sits beneath it. And then there’s IBM Systems Director, which can manage all of the operating systems, and more.


Recently, another product has been announced, called PowerSC. The “SC” refers to security and compliance. The product is focused primarily on AIX workloads, but some functions work on any type of VM. I thought I’d spend today’s blog talking about that, because this product demonstrates one of the differentiating attributes between the Power operating systems.


As long-time users of this operating system are well aware, “i” stands for integration. As they are also aware, the IBM i operating system has an underlying security and integrity architecture that provides an exceptional level of protection, control and auditability. When the PowerSC product was conceived for AIX, we took a look at the planned functions for PowerSC and noticed that several of the key features are already integrated into the IBM i architecture.

As a recognition of that fact, we are applying the PowerSC name to a couple of key security and integrity functions within IBM i.

PowerSC Trusted Audit Data Repository in IBM i: One of PowerSC’s added functions is called “Trusted Logging.” This feature helps AIX clients implement a logging scheme that will satisfy security auditors. What it accomplishes on AIX is very similar to the auditing features that are very familiar to our IBM i clients. The audit data repository itself, the QAUDJRN journal and its associated journal receivers, consists of read-only objects. This means that once the OS deposits an entry in the audit journal, the data itself cannot be modified by any user on the system, including security officers. And, of course, these features are built into the IBM i OS, without having to buy or install anything else.

PowerSC Trusted Digital Signature Verification in IBM i: Another key feature of PowerSC for AIX is called “Trusted Boot.” This allows a customer to be assured that, when AIX is booted, it is booted from an unaltered version of the boot code. Security auditors are concerned about ensuring that data integrity cannot be compromised by loading a version of the operating system that has been altered. What about IBM i?

The IBM i OS provides the ability to digitally sign and verify any executable on the server. This includes user and business partner applications. The CHKOBJITG command allows signature verification for everything, including OS executables.

When you buy the IBM i OS and program products, everything (IBM program products, the OS, the licensed internal code, the firmware and any subsequent PTF delivered by IBM) is digitally signed by IBM. This means you can verify the executables (at any time) to ensure no patches or alterations have been made to the IBM-delivered executables. This allows you to look for instruction streams that have been patched after the executable was created. And most of this capability has been in the operating system for a long time: most of it was introduced in V5R1 of OS/400 in 2001, with the latest enhancements delivered in 2008 with version 6.1.

PowerSC also has other specific functions for security, compliance and real-time compliance. IBM i has built-in functions that can be used to set up, monitor and enforce things like password security, authorization to files and programs, user management, system-wide security configuration settings, etc. In addition, more than 30 IBM business partners provide security and compliance solutions based on the IBM i integrated functions, and these security partners provide advanced capabilities.

However, I want to point out that PowerSC does have two features that can help all users of Power Systems, and which might be important in some customer environments: Trusted Firewall and Trusted Surveyor.

The Trusted Firewall, which is shipped as part of the PowerSC product, is really a performance assist function that creates a fast path between VLANs when the VMs are on the same server. This includes support for AIX, IBM i and Linux partitions. Customers still use traditional firewalls to protect VMs externally.

Trusted Surveyor discovers virtual networks and monitors compliance to network segregation. It also monitors configuration drift by allowing the network configuration to be captured at a point in time and allows comparison of the current configuration to the previous configuration.

The members of the Power Systems family of operating systems are clearly different from one another. They have different architectures, different histories and different value propositions. Nevertheless, business customers have similar needs, no matter what platform they happen to use. Like other UNIX implementations, AIX provides answers to some of those needs via products that require additional purchase and additional installation and management. However, as the “Power Systems Integrated Operating System,” IBM i has key integrated features that are delivered as part of the OS.

So, when you hear about PowerSC, or other products in the future, you might want to take a look at whether these new products provide something for you, as an IBM i client, or whether your integrated operating system was ahead of its time, giving you those capabilities along with the rest of this secure, reliable platform.

10/03/2012

IBM i 7.1 TR5 Highlights: Navigator, Guardium, DB2 and More

By Steve Will

Today IBM has a very large set of announcements. We will be covering many of them over the next weeks in the blogs written by the IBM i team. Today in this blog, I will point out the highlights. Be sure to check out the other blogs, and then when you want to get the details, see the IBM i developerWorks pages and remember that the features have been incorporated in the IBM i 7.1 Information Center.

First, I am happy to announce that IBM i 7.1 Technology Refresh 5 (TR5) will be available October 12. I’ve talked about TRs several times here, and many more times when I’ve been speaking over the past two years. To review, the TR mechanism allows IBM i to deliver important new enhancements in I/O, virtualization and processor technology without requiring a major release or a “point release.” We are producing these Technology Refreshes twice a year to add important new capabilities in between our major IBM i releases. By the way, to ensure that everyone understands what this means, let me make it clear:

There will be more major releases of IBM i. IBM i 7.1 is the most recent major release, which became available in the spring of 2010. There will be other major releases. There are some enhancements which are simply too large and too pervasive for Technology Refreshes. In fact, our IBM i development team is already working on two major releases after 7.1. But, in order to reduce the number of times our customers need to plan for and implement release upgrades, we created the TR concept to deliver key functions without releases.

In particular, this TR—IBM i 7.1 Technology Refresh 5—adds support for the new POWER7+ processors, as well as support for new USB-attached I/O, and allows IBM i partitions to be managed by IBM Systems Director VMControl as part of its “System Pools.”

You also need to know about the software enhancements which are being announced at the same time as TR5. There are many of them in a wide variety of areas. No matter how you use IBM i, you are likely to find something interesting in today’s announcements. Here are some highlights.

IBM Navigator for i: We’re delivering a major revision of the user interface with a dynamic navigation area, tab support, and added DB2 capabilities. Plus, with this browser-based solution, initially released as part of IBM i 6.1, there’s no Windows client to manage. See Tim Rowe’s blog for more information.

DB2 capabilities: As usual, our DB2 development team has added new features for self-management, as well as improving performance. In addition, with the announcement of POWER7+ we are highlighting the Symmetric Multiprocessing (SMP) Option for DB2 for i, because this option can take significant advantage of the multiple cores and multiple threads per core available to improve throughput on index builds, index rebuilds, SQL query execution and more. Starting today with the DB2 enhancements, Mike Cain’s blog will look at these topics in more detail.

Guardium support: Do you have a requirement to do secure auditing of your database use? The Guardium product is for you. And it’s even better now, because Guardium can monitor SQL activity in DB2 for i. We’ve added extensive filters that allow you to select the information you need. An excellent article on this new collaboration between IBM i and Guardium will be available soon on developerWorks.

BRMS Enterprise capabilities: For clients who have several systems, managing backups can be a chore. The new Enterprise features of BRMS, which are part of the BRMS Advanced feature, make it easier to do centralized management in these environments.

These new capabilities are just part of what we’ve announced. Over the next several weeks, I’ll have more to say about other pieces of the announcement. So stay tuned!

Meanwhile, be sure to look for details about your favorite new deliveries in the blogs and in developerWorks.