Geeking Out on IBM i - Part 2

(This is part 2 of a three part series.  To view part 1, click here)

Network Configuration

This part in the three-part "Geeking Out on IBM i" series focused on network configuration. This series is an effort to make IBM i (AS/400) lingo and concepts easily accessible to the hacker community, hoping to reduce the barrier of entry for security research.


Configuring the IBM i Network Interfaces was an interesting challenge for me, a primarily Linux/Unix person.  When we finally got time to work on this project, Michigan was just heading into COVID19 lockdown, and remote-access to the machine was becoming urgent.  That made all of this a little more stressful.  I found a couple different “configuring TCP/IP on IBM i” articles on the Internet.  As usual, they were written for other versions of the OS, probably naming the system “AS/400” or “iSeries.”  This created some anxiety for this newly-minted IBM i geek.  I guess I have seen the exact same thing on all the different versions of Linux, but let’s face it, that’s familiar and this was not.  I guess I have a new appreciation for what others feel when reading Linux docs.  :\


Before we begin, it’s important to point out that there are two machines that need TCP/IP configured correctly: the HMC and the IBM i machine itself.  The HMC has an initial setup script that is pretty self-explanatory, and will not be included in this blog post.  From here on, we’ll be discussing the IBM i machine hardware and setup process.  


Once configured, I (as an administrator) can log into the IBM i in two different ways:  Directly against the IBM i using my 5250 terminal emulator, and through the HMC’s “Console” connection (also using 5250).  The key differences are which IP and which TCP port I use.  (The IBM i port is 23 and the HMC port is 2301).  Oh, and out the gate, I can connect using TLS to the HMC, but my connections fail if I try to connect to the IBM i using TLS.


Major Spoiler: Much of my frustration while setting this up the first time was caused by being remote and not understanding how the machine behaves (such as how the system responds when trying to configure a network interface that isn’t currently connected to a network).  Yep, you guessed it, I was setting up a Network port that wasn’t connected, and it was failing miserably… and there were 8 ports.  Not knowing what I was doing, moving through those 8 ports was annoying and disheartening.


Lingo HINT: In Linux we like to say that our network adapter is “up” or “down”.  In Windows, we say “Enabled” or “Disabled”.  The verbs follow as “bringing the NIC up/down” or “enabling the NIC,” etc…  In IBM-land, we “vary on” or “vary off” the various hardware devices, and they are said to be “varied on” or “varied off”.


In order to configure a network adaptor, we need to figure out some information about our hardware.  To do this, we get into “WORK with HARDWARE RESOURCES” and specify “*CMN” as the resource type:



This brings up the Work with Communication Resource screen, which lists resources (and description), their type (a number), and the status.  The items we’re most interested in are the Ethernet Ports, but it’s important to note what LAN Adapter (and Comm Processor) they fall under.  




Note that this screen shows that Ethernet Ports CMN03 thru CMN06 are on the LIN04 LAN Adapter, which is part of the CMB06 Comm Processor.


Armed with this information, we can set up the Ethernet Port to use 100MBPS line speed.  In this line, we’re configuring the first Ethernet Port (CMN03) on LIN04.



Once you have it configured, you may need to vary on the port as follows:

vrycfg cfgobj(ETHLINE) cfgtype(*lin) status(*on)


To see if everything is working, check the interface using the following command:

wrkcfgsts cfgtype(*lin) cfgd(ETHLINE)



It’s probably good to note that our IBM i came with two (2) LAN Adaptors, with a total of 8 Ethernet Ports.  The secondary card is part of the CMB07 Comm Processor, and extends on to the next screen.


However, as we work with the individual Ethernet Port, we can use the Display Resource Detail screen:



Once we have configured the Ethernet Port properly, we configure TCP/IP by entering the cfgtcp command, which will display the Configure TCP/IP menu:



Choose Work with TCP/IP Interfaces:



Now configure a new TCP/IP Interface (assuming you don’t already have the correct one configured).  The following screen will be displayed:



Enter the IP address and Line Description you want.  For this example, we’ve used “192.168.20.11” and “lin04”, keeping the default 24-bit mask (“255.255.255.0”).



Pressing enter is all that’s necessary to create the TCP/IP Interface.  That takes us back to the Work with TCP/IP Interfaces screen, with the added IP configuration entry:



ALTERNATELY, if you would prefer to just add a TCP/IP configuration to an interface, you can use the following command:



Once you’ve added the TCP interface, you may need to “start” it.  You may do so with this command:



Now on to routing.  We’ll go back to the menuing system for routing.  From the Configure TCP/IP screen, choose #2: “Work with TCP/IP Routes” and edit the “default” route:

When


you’re complete, this is what you should see on the Routing screen:



Errors (in my case, I enabled a port that wasn’t connected) were discovered in the QSYSOPR’s Message queue:



Cheat Sheet Commands for Network Configuration:

wrklind

wrkcfgsts *lin

wrkhdwrsc *cmn

cfgtcp

crtlineth

vrycfg

wrksysval

wrkmsg QSYS/QSYSOPR


Conclusion

Today we talked about how TCP/IP networking and network-hardware is configured on IBM i.  While the concepts are largely the same between the different operating systems, IBM i configuration certainly comes with it's own flavor. Hopefully this has been beneficial to you.  Let us know at info@grimm-co.com if you have any additional remarks!

Check back in a few weeks for the conclusion of "Geeking Out on IBM i."  

Popular posts from this blog

New Old Bugs in the Linux Kernel

Mama Always Told Me Not to Trust Strangers without Certificates

SOHO Device Exploitation