Power Virtual Server


Configuration of IBM i stock images in IBM Power Virtual Server

By Samuel Matzek posted Fri June 07, 2024 02:15 PM

  

Co-author:

Mark A. Short
Solution Architect
PowerVS Center of Excellence

Overview

IBM Power Virtual Server allows you to create VSIs (LPARs) in minutes. You can deploy VSIs using images you have created and imported from on-premises LPARs or choose from stock images of AIX, IBM i, and various Linux distros. When provisioning VSIs using IBM i stock images there are several administrative tasks that need to be performed such as accepting software licenses before the operating system can be used. This article walks through many of the common tasks such as:

  • setting QSECOFR passwords for service tools and login
  • accepting license agreements
  • enabling QSECOFR or another admin user to log in through a network session
  • setting system time and timezone
  • adding additional volumes to the system ASP

Another common task, Certificate configuration for IBM i communication with IBM Cloud Object Storage, is covered in this blog.

Some of these initial configuration tasks are also covered in the Power Virtual Server documentation.


Version note:  

This article is using an IBM i 7.5 stock image. The steps and screenshots may vary slightly for other IBM i versions.

Terms:

In this document the terms virtual server, virtual server instance (VSI), partition, logical partition (LPAR) are used interchangeably and can be considered analogous terms.

Deployment time options

If you plan to SSH to the IBM i server or connect the server to IBM Cloud Object Storage using IBM i Cloud Storage Solutions (ICC) you should provide the public SSH key and check the IBM i Cloud Storage Solutions license option during deployment:

Open the Console from the cloud portal

After the VSI is created you can open the VSI (partition) console from the cloud portal. You open the console by selecting the "Open Console" option from the instance's drop down menu:

This will open a noVNC window for the console. Some tips for working in the console can be found here.

Some pertinent ones are:

  • IBM i uses function keys extensively. At the bottom of the console, you can see PF1 through PF12. To get to PF13 to PF24, click the Next... button.
  • If you see a red X in the console during the configuration process, use your keyboard's CONTROL button to exit.
  • You can use CONTROL+W to end a hung session. If this happens, you must perform a bypass by clicking PF18 and logging on again.
  • If you are using a Mac computer, the Page Down key is the same as FN + Down Arrow.

Initial boot and license acceptance

When an IBM i instance is created from a stock IBM i image in the cloud it will boot into the dedicated service tools (DST) screen. The instance needs to be rebooted from DST. In IBM i, operating system reboots are called “IPL”, which stands for Initial Program Load. After the IPL the software license agreements must be accepted.

The initial login to the service tools is user: QSECOFR password: QSECOFR. You must change the password at first sign-on. Note that the service tools password is different from the password used for normal system sign-ons. Both passwords are initially set to “QSECOFR” and require a change on first use. The login password can be set to a different value from the service tools password.

After changing the QSECOFR password you reach the initial DST screen. Choose option 1 to Perform an IPL:

The IPL may take a while (5-30 minutes) depending on the VSI's core, memory, and disk tiers.


After the IPL, you may receive another login prompt for DST. You can press PF18 in the terminal window to bypass the DST login and proceed to the “regular” login. The regular login screen looks like this:

Login again with QSECOFR/QSECOFR and change the login password.

The next step is to accept all the license agreements:

Put 5 on every line, page down through all pages and ensure there is a ‘5’ on every line, then press enter.

You will be presented with each license agreement which you can read and then press PF15 to accept all.

This will prompt you to press enter to confirm the acceptance:

Once all the agreements are accepted the login proceeds to the main menu:

Allow QSECOFR login

This article uses the QSECOFR user for SSH and network terminal logins. This may not be acceptable under your organization's security policy, which may prevent security officer level profiles from logging in over a network or may require a different user profile with similar authority to be used instead of QSECOFR.

Enable QSECOFR for non-console logins

By default the QSECOFR profile is disabled for non-console logins. To enable the QSECOFR profile run the CHGUSRPRF QSECOFR command and press PF4 to prompt for values.

Change the Status to *ENABLED and press Enter.

Change login and session related system values

To allow QSECOFR to log in, several security-related system values need to be changed, and the ability to change them must first be enabled from the System Service Tools.

Perform the following option selections and steps to allow changes for QSECOFR:

Run the STRSST command to start System Service Tools:

Log into the service tools as QSECOFR and choose option 7: Work with System Security

Change “Allow system value security changes” to “1” (1=Yes).

Press PF3 to back up to the main SST menu

Press PF3 to exit SST, then Enter to confirm exit

System values are changed with the CHGSYSVAL command. The PF4 key can be pressed to allow prompt entry of the key and value. Change the QLMTSECOFR, QLMTDEVSSN, and QAUTOVRT system values:

The QLMTSECOFR system value must be set to ‘0’, single quote included:

 

QLMTDEVSSN should be set higher than the default to allow concurrent SSH, network terminal, and console logins. The value needs to be single quoted and the max value is ‘9’.

QAUTOVRT should be set greater than 0, a value of 10 should work well. This value does not need to be quoted.

Wait for cloud-init to configure networking

Cloud-init runs on the first boot of the instance. It configures various parts of the system which includes configuring the network interfaces. If the system is rebooted before cloud-init finishes, the instance becomes unusable and must either be deleted or recovered by support.

Before continuing, wait for cloud-init to configure the network interfaces. This can be checked by running the CFGTCP command and choosing option 1. When cloud-init has configured the interfaces they should look like this:

Configure system hostname and fully qualified domain name

After cloud-init has configured the network interface, enter the CFGTCP option 10 to update the host table entries. Choose option 2 (change) on the IPv4 address. 

Add a "+" to the "for more values" field and press enter:

Add the fully qualified domain name to the additional field and press enter:

Enter CFGTCP option 12 and set the hostname and domain name:

Start network services

The HTTP, telnet, and sshd services should be started to allow login with 5250 terminal emulation sessions, SSH, and administrative tools such as Navigator for i and Digital Certificate Manager. To start the services run these commands:

STRTCPSVR *SSHD
STRTCPSVR *HTTP
STRTCPSVR *TELNET

To set the services to start automatically on reboot run these commands:

CHGTCPSVR *SSHD AUTOSTART(*YES)
CHGTCPSVR *HTTP AUTOSTART(*YES)
CHGTCPSVR *TELNET AUTOSTART(*YES)


Now that the network services are started, a 5250 session can be used instead of the noVNC cloud console. IBM i Client Access Solutions 5250 sessions provide a better user experience than the noVNC system console.

Set the system time

The system time must be set correctly, or things like IBM Cloud Object Storage access will fail. Setting the system time involves having both the time and the timezone value set correctly.

One way to ensure the time is set correctly is to follow these steps:

  1. Change the time zone to UTC using WRKTIMZON and option 8.
  2. Change QTIME to be correct for UTC using CHGSYSVAL. Here is an example of setting the time to 16:43:00: CHGSYSVAL SYSVAL(QTIME) VALUE('164300')
  3. Change the time zone to the desired time zone using WRKTIMZON, paying particular attention to the time zone values for daylight and standard times. For example, if you were in the US eastern time zone in daylight saving time you would want to choose the QN0500EST or QN0500EST3 time zones since they support daylight time. To see the different names for time zones, and cycle through Standard, Daylight, and Alternate names, you can press PF11.

This screen shot is showing the Daylight names of the time zones:

Configure SSH key-based authentication

If a public SSH key was selected during instance creation it is added to the QCIUSER’s authorized_keys file. To SSH to the instance as QSECOFR using key-based authentication, the QSECOFR user needs the authorized_keys file. To copy the authorized_keys file from QCIUSER to QSECOFR run the following commands:

QSH
cd /home/qsecofr
mkdir .ssh
chmod 700 .ssh
cp ../qciuser/.ssh/authorized_keys .ssh/
(press the PF3 / F3 key to exit QSH)

After copying the authorized_keys file you can SSH to the VSI using the private SSH key like this: ssh -i privatekeyfile qsecofr@<VSI IP>
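A re-runnable form of the copy step above, as an added example that is not part of the original article: it appends the QCIUSER keys instead of overwriting an existing file, sets the modes on .ssh and authorized_keys, and then checks them. It assumes a POSIX shell with grep -F; the helper names mode_of and install_authorized_keys are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are hypothetical.
# Assumes a POSIX shell with grep -F; run as the profile that owns DST_HOME.

# mode_of PATH: print the 10-character mode string from ls, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# install_authorized_keys SRC_HOME DST_HOME
# Returns 0 on success, 1 if the source has no keys, 2 if a mode check fails.
install_authorized_keys() {
    src="$1/.ssh/authorized_keys"
    dst_dir="$2/.ssh"
    dst="$dst_dir/authorized_keys"

    [ -s "$src" ] || { echo "no keys in $src" >&2; return 1; }

    # sshd with StrictModes refuses keys when the home directory is
    # writable by group or other (mode string positions 6 and 9).
    case "$(mode_of "$2")" in
        ?????w????|????????w?) echo "$2 is group/other writable" >&2; return 2 ;;
    esac

    # mkdir -p is safe to re-run; chmod also tightens a pre-existing directory.
    mkdir -p "$dst_dir" && chmod 700 "$dst_dir" || return 2
    touch "$dst" && chmod 600 "$dst" || return 2

    # Append only keys that are not already present, so existing entries
    # survive and a second run adds nothing.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -n "$key" ] || continue
        grep -qxF -- "$key" "$dst" || printf '%s\n' "$key" >> "$dst"
    done < "$src"

    # Verify the result rather than trusting the commands above.
    [ "$(mode_of "$dst_dir")" = "drwx------" ] || return 2
    [ "$(mode_of "$dst")" = "-rw-------" ] || return 2
    return 0
}

# Usage with the article's paths:
#   install_authorized_keys /home/qciuser /home/qsecofr
```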

Add Additional Disks to ASPs

When a VSI is created, you have the option to attach additional disk storage. Once the VSI is up and running, you need to add those disk units to an ASP in order for the IBM i system to be able to access that storage. The following steps show how to add a disk to ASP1, the system ASP. Adding disks to ASPs is a long-running task. If you are on the partition console opened from the cloud portal there is a timeout period which may cause the console to close before the disk units are fully formatted and added. Consider using a 5250 session instead when adding multiple disks or large disks.

Perform the following option selections and steps to work with disk units:

Run the STRSST command to start System Service Tools and login as QSECOFR.

Choose Option 3: Work with disk units. This will bring you to the Work with Disk Units menu.

Choose Option 2: Work with disk configuration:

On the Work with Disk Configuration menu, choose option 2: Add units to ASPs

On the Add Units to ASPs menu choose option 3: Add units to existing ASPs

On the "Specify ASPs to Add Units to" menu, enter the number of the ASP to which you want to add the disk unit attached to the VSI. Use number 1 for the ASP1 / System ASP or use a different number between 2 and 32 to create a new ASP.

When you add the disk unit you will receive a problem report for the disk. You can choose option 5 to display the detailed report and use F1 for help about the report. The error report is warning you that the volumes may already be configured and formatted. Since these volumes were newly created for this VSI you can press F10 to ignore problems and continue.

On the "Confirm Add Units" menu, press F10 to confirm your choice for Add units and balance data.

The unit will start to be added to the ASP. The read/write speed (IOPS) of the volumes in the ASP can be changed to a faster storage tier to speed up the add operation. This can be accomplished by navigating to the VSI in the cloud portal and clicking on it to see details. You can scroll down to see the volumes attached to the VSI and use the 3 dot menu to edit the volume. The volume's storage tier can be changed from this screen:

Wait for the status to reach 100%.

 

After the disk addition is complete you can change the tier of the storage volumes back to their original values. In the 5250 session you are returned to the "Add Units to ASPs" menu. Press F12 to cancel and return to the Work with Disk Units screen. Choose option 1 Display disk configuration:

On the "Display Disk Configuration" menu choose option 2 Display disk configuration capacity.

See the added disk capacity:

To return to the main IBM i menu, press Enter to continue, F3 to Exit, F3 to Exit, F3 to Exit SST, and hit Enter to confirm.

Conclusion and next steps

The VSI is now ready for general use. Additional configuration such as certificate configuration for IBM i communication with IBM Cloud Object Storage or installation of applications can now be performed.

The virtual server can also be captured as an image into the Power Virtual Server's image catalog. This allows new VSIs to be created that already have the configuration steps in the article completed. The new VSIs will have their own network configuration auto-configured by cloud-init. For more information on capturing virtual server images see the Power Virtual Server capture documentation.
