Skip Headers
JD Edwards EnterpriseOne Tools Server and Workstation Administration Guide
Release 8.98 Update 4

Part Number E14718-03
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Administering the IBM i Server

This chapter contains the following topics:

2.1 Understanding Server Administration for IBM i

Oracle's JD Edwards EnterpriseOne enterprise servers are supported on the IBM i platform. The IBM i enterprise server can operate in a logic server or database server environment. You need to perform certain administration procedures on the enterprise server to ensure that JD Edwards EnterpriseOne runs properly. This section discusses:

2.1.1 JD Edwards EnterpriseOne IBM i Architecture and Process Flow for IBM i

This flowchart illustrates the actions that the host server processes perform:

Figure 2-1 IBM i Process Flow

Description of Figure 2-1 follows
Description of "Figure 2-1 IBM i Process Flow"

All communications between the client and the host server occur using sockets. The communications between JDENET_N (network processes) and JDENET_K (kernel processes) occur with shared memory.

The process flow is:

  1. The STRNET command runs the master NETWORK (JDENET_N) job in a newly started subsystem. The jdenet_n Master process spawns jdenet_n slave and jdenet_k processes (also called kernels) at startup or as they are needed. JD Edwards EnterpriseOne uses a number of different types of kernels to handle different types of processing, even though all of these have the same process name in the operating system (jdenet_k). The definitions for the number of processes to start and what types to start are stored in the jde.ini file.

  2. The JDENET_N process listens to the socket (port) as specified in the jde.ini file by the keywords ServiceNameListen and ServiceNameConnect. These two keywords should be set to the same number, and this number must be the same for every client who wants to connect to the JD Edwards EnterpriseOne server. The definitions for the particular jdenet_k processes to start are also given in the jde.ini file. They are listed in the sections headed by [JDENET_KERNEL_DEFx]. Each of these entries lists the type of jdenet_k processes to start and the maximum number of JDENET_K processes of this type to start.

    The number of JDENET_N slave processes to start is listed in the jde.ini file under the keyword maxNetProcesses. The purpose of these slave processes is to provide parallel processing for the job of listening to the socket and to put the associated messages on the message queues for the JDENET_K processes to finish.

  3. JDENET_K processes (kernel processes) do the actual work on the enterprise server. When a JDENET_K process starts, it can be any type of kernel process. The JDENET_N process assigns each kernel process to a certain type.

  4. The JDENET_K process that becomes a CallObject kernel has the job of calling business function logic on the server. Business function logic is written in C code and compiled into Service Program (SRVPGM). SRVPGM is loaded onto the JDENET_K processes and then called directly through a C function call.

  5. The JDENET_K process that becomes a batch process kernel waits for requests to run batch processes from the client. When a request to run a batch process is submitted, these events occur:

    • JDENET_K (UBE kernel) adds a record to the F986110 database table with a status of W for waiting.

    • JDENET_K (UBE kernel) submits a job to the queue

      If you are using native IBM i job queues, JDENET_K submits a job to the IBM i queue. This job calls the JD Edwards EnterpriseOne program PRINTUBE on the IBM i enterprise server.

      If you are using the JD Edwards EnterpriseOne queue kernel, JDENET_K sends a message to the queue kernel, alerting it that a new job request was submitted. When the job is ready, the queue kernel executes the PRINTUBE program.

  6. The PRINTUBE process runs the batch application, and changes the status of the record in the F986110 table to P for processing.

  7. If the batch application runs successfully, the software changes the status of the record in the F986110 table to D for done.

    If the batch application fails, JD Edwards EnterpriseOne changes the status of the record in the F986110 table to E for error.

2.1.2 JD Edwards EnterpriseOne Initialization for IBM i

This initialization occurs when you start JD EdwardsEnterpriseOne programs such as PRINTUBE:

  • The JD Edwards EnterpriseOne environment name is passed as an argument to the program.

  • This environment might be translated to a different environment, based on the settings in the [SERVER ENVIRONMENT MAP] section of the .INI file.

  • The software verifies that the environment is a valid entry in the Library ListMaster File table (F0094) and that it has a valid corresponding path code in the Environment Detail - OneWorld table (F00941).

  • The Library .INI file setting in the [DB SYSTEM SETTINGS] section indicates where the JD Edwards EnterpriseOne server startup tables, such as Data Source Master (F98611), Object Configuration Master (F986101), and so on, are located.

  • Using this information, the software opens the F986101 (OCM) table in the specified database on the server.

  • If an override for a given table, BSFN, and so on, or the current user exists, that data source (the OMDATP field in the F986101 table) is used for the given object or user and environment. Otherwise, the data source in which OMOBNM=DEFAULT for the given environment is used. Ignore any inactive records (that is, OMSTSO=NA).

    Note:

    We highly recommend that you do not have any default (OMOBNM=DEFAULT) records for reports (OMFUNO=UBE) or for BSFNs that are mapped to the server. These records might prevent report interconnections (one report calling another report) from starting correctly.

    Each unique data source in the F986101 table should correspond to one entry in the F98611 table. The corresponding information in the F98611 table must be correct. In particular, the OMDLLNAME field must display the correct SRVPGM (.DLL) for the database to which the data source points:

  • DBDR for files located on the IBM i enterprise server.

  • JDBNET for files not located on the IBM i enterprise server.

2.2 Starting the Enterprise Server for IBM i

This section provides overviews of the JD Edwards EnterpriseOne library structure and startup options for IBM i, lists prerequisites, and discusses how to:

2.2.1 Understanding the IBM i Library Structure for JD Edwards EnterpriseOne

You can set up an initial program to create the library list. Also, you should add this library to the top of the library list before you start JD Edwards EnterpriseOne on the enterprise server: releaseSYS (or the system library name). The variable release is the JD Edwards EnterpriseOne release level, such as E900SYS.

The releaseSYS library contains these objects:

Object Description
INI The jde.ini file used to initialize JD Edwards EnterpriseOne on the IBM i enterprise server.
*PGM and *SRVPGM The various programs and service programs required to run the JD Edwards EnterpriseOne IBM i enterprise server.
CHGLIBOWN (*CMD) A JD Edwards EnterpriseOne utility command used to change ownership of all objects contained in a library.
SHOW (*CMD) A JD Edwards EnterpriseOne utility command used to display runtime output.
UPDLF (*CMD) A JD Edwards EnterpriseOne utility command used to modify the maintenance attribute of logical files.
DPSPSTMF (*CMD) The display stream file, which displays IBM i Integrated File System (IFS) text stream files.

The JD Edwards EnterpriseOne log files, jde.log and jdedebug.log, typically reside in a directory called PSFTrelease, where release represents the JD Edwards EnterpriseOne release, such as /PSFT900.

LINKBSFN (*CMD) The command used to relink business functions to their respective service programs (*SRVPGM). Typically, the system uses this command during an upgrade of the JD Edwards EnterpriseOne system library.
PID2JOB (*CMD) The Convert Process ID to Job command, which returns the job information when the system passes a process ID to the command. The system writes the process ID in the JDE.LOG files. This command returns job information only while the job is still active.
PORTTEST (*CMD) The command that runs the JD Edwards EnterpriseOne test program PORTTEST.
RUNUBE (*CMD) The command that interactively runs a batch program. If you need to run a batch program, use the SBMJOB command to submit the RUNUBE command to batch.
PRINTQUEUE (*FILE) The file that contains the output from a batch program. This output is stored as ASCII PDF members.
*PGM and *SRVPGM The programs and server programs required to run the JD Edwards EnterpriseOne network.
JDENET (*JOBQ) The job queue used by the JD Edwards EnterpriseOne IBM i network jobs.
NETJOBD (*JOBD) The job description used by JD Edwards EnterpriseOne IBM i network jobs.
JDENET (*CLS) The class used to create the routing entry for the JDENET subsystem.
ENDNET (*CMD) The command that ends the JD Edwards EnterpriseOne IBM i network jobs and cleans up the network runtime structures.
IPCS (*CMD) The utility command that indicates the status of objects used by the JD Edwards EnterpriseOne IBM i network jobs and as a backup method for cleaning up the IPCS objects.
STRNET (*CMD) The command that starts the JD Edwards EnterpriseOne IBM i network jobs.
CLRIPC (*CMD) The command used to clear IPC structures.
DSPIPC (*CMD) The command used to display IPC structures.
PSFTrelease (*SBSD) The subsystem description under which the JD Edwards EnterpriseOne network jobs run. The variable release is the JD Edwards EnterpriseOne release level, such as PSFT900.

2.2.2 Understanding Startup Options for the Enterprise Server for IBM i

You can start the JD Edwards EnterpriseOne enterprise server for the IBM i either manually or automatically.

You manually start the enterprise server for IBM i by starting JDENet from the command line, and then starting the PORTTEST program, which verifies that the enterprise server software was installed correctly. If it was, PORTTEST initializes an environment and user.

If you start the server automatically, it is recommended that you separate the JD Edwards EnterpriseOne add library list entry (ADDLIBLE) and startup (STRNET) commands from the IBM i startup program. You should create a separate JD Edwards EnterpriseOne startup program and call that program from the IBM i startup program. This action ensures that commands subsequent to the JD Edwards EnterpriseOne add library list entry and startup are not associated with the modified library list. This recommendation also ensures that the JD Edwards EnterpriseOne library list is set correctly before issuing the STRNET command. In addition, the separately-called program provides you with a single location in which to locate and maintain JD Edwards EnterpriseOne startup commands on the IBM i.

2.2.3 Prerequisites

Before you complete the tasks in this section:

  • Install JD Edwards EnterpriseOne as described in the JD Edwards EnterpriseOne Installation Guide. In that guide, you should have performed all steps up to the Installation Workbench.

  • Run the clear CLRIPC command before you start the server to ensure that the server is clear. If you do not run this command prior to starting a server, the startup process will fail.

2.2.4 Starting the Enterprise Server for IBM i Manually

To start the enterprise server for IBM i manually:

  1. Sign on to the IBM i as ONEWORLD.

  2. Start JDENet using this command:

    STRNET
    
  3. Start the PORTTEST program using this command to verify that the basic enterprise server software was correctly installed:

    PORTTEST userID password environment
    

    Where userID represents the JD Edwards EnterpriseOne IBM i user ID, password represents the password, and environment represents the environment that you want to test.

    The PORTTEST program initializes an environment and user if JD Edwards EnterpriseOne was correctly installed and configured. The program opens a table and displays up to 99 rows of data. You should see results similar to those in this example:

    Running porttest for JDESVR on M9ASD2 with password JDESVR
    Initializing Environment M9ASD2,... 
    Environment M9ASD2 was initialized successfully.
    Initializing JDESVR/JDESVR (User/Password),... 
    JDESVR/JDESVR (User/Password) Initialized successfully.
    Opening table F986110,... 
    Opened table F986110 successfully.
    Closing table F986110,... 
    Closed table F986110 successfully.
    Opening table F0902,... 
    Opened table F0902 successfully.
    Performing select all on table F0902,... 
    Select all on F0902 succeeded.
    Printing up to 99 records in the table F0902,...
    f0902.gbaid f0902.gbawtd
    ------------ ------------
    [98] 00009697 24060973
    [97] 00009806 13540877
    [96] 00010102 3140380...
    [1] 00068798 10000
    [0] 00058798 250000
    Total number of rows printed = 99
    Calling DataDictionary Validation function,... 
    Data Dictionary Validation Succeed for CO 00001.
    Closing table F0902,... 
    Closed table F0902.
    Freeing user JDESVR,... 
    Freed user JDESVR successfully.
    Cleaning up environment M9ASD2,... 
    Cleaned up environment M9ASD2 successfully.
    Congratulations! Porttest completed successfully.
    All Done! 
    BYE!
    

    If the table in the environment that you specified is empty, the total number of records that the program prints will equal zero.

  4. Enter this command:

    WRKACTJOB SBS(PSFTrelease)
    

    The variable release is the JD Edwards EnterpriseOne release level that the site is using, such as PSFT900.

  5. Verify that the entry NETWORK with function PGM-JDENET_N and status of SELW is running (until a net request is performed, the CPU will be 0).

2.2.5 Starting the Enterprise Server for IBM i Automatically

To start the enterprise server for IBM i automatically:

  1. Create a CL program.

    You will use this program to establish the appropriate JD Edwards EnterpriseOne library list and execute the command to start the IBM i server job (JDENet).

    The CL program should be similar to:

    PGM
    CHGLIBL LIBL(E900SYS QTEMP QGPL)
    STRNET
    ENDPGM
    
  2. Identify and modify the program called during the IBM i IPL to submit a job to call the previous program.

    The program name and location are set in the IBM i system value, QSTRUPPGM.

  3. Determine the QSTRUPPGM value by entering this command:

    DSPSYSVAL SYSVAL(QSTRUPPGM)
    
  4. Determine where the source of the program is located by executing this command against the library and program (as set in the system value):

    DSPPGM LIBRARY/PROGRAM NAME
    
  5. Modify the source of the startup library and program by inserting a SBMJOB command that calls the program created in Step 1.

  6. Verify that the startup program is created correctly by recreating it and ensuring that it is created in the library specified by the system value.

    Use CRTCLPGRM and prompt (using F4) for the appropriate parameters.

2.3 Shutting Down the Enterprise Server for IBM i

You can manually shut down the enterprise server for the IBM i with the command, ENDNET. This command is in the system library. For example, ENDNET causes JD Edwards EnterpriseOne to end the JDENet jobs and clean up all JDENet runtime structures.

2.3.1 Prerequisite

Ensure that the library is set correctly before performing this command.

2.4 Using IBM i Integrated File System Logging Support

To achieve better performance and to allow easier access to log files from the workstation, JD Edwards EnterpriseOne generates log files for the IBM i in the Integrated File System (IFS) rather than the traditional file system on the IBM i.

With IFS, JD Edwards EnterpriseOne generates log files as stream files (STMF) in an IFS directory, based on the IBM i jde.ini file settings.

2.4.1 Example: Easy Access to Log Files

These examples illustrate how to modify the jde.ini file to enable easier access to log files from the workstation:

[DEBUG]
DebugFile=jdedebug
JobFile=jde.log

JD Edwards EnterpriseOne generates log files in the IFS root directory.

[DEBUG]
DebugFile=/psft900_a/jdedebug
JobFile=/psft900_a/jde.log
JD Edwards EnterpriseOne generates log files in the IFS directory called /psft900_
a.

Note:

The directory must exist with proper authority granted to the logging job.

2.5 Cleaning Up the Enterprise Server for IBM i

This section provides an overview of enterprise server cleanup for IBM i and discusses how to:

2.5.1 Understanding Enterprise Server Cleanup for IBM i

When JD Edwards EnterpriseOne ends abnormally, you might need to manually perform cleanup tasks on the IBM i enterprise server. Interprocess Communication (IPC) structures might not be cleaned up after an execution of ENDNET, which might cause further problems when you start JDENet. If the IPC structures are not properly removed by ENDNET, you can manually remove them. IPC structures might become locked by an interactive job. For example, you might have to sign off and sign back on to perform a successful cleanup.

The JD Edwards EnterpriseOne IBM i server is shipped with the DSPIPC and CLRIPC commands, which enable you to display the IPC-related information and to remove IPC structures.

If tracing is turned on in addition to IPC, you should clear the jde.log and jdedebug files. This action keeps the files from becoming too large and removes old messages from it.

Note:

Clear IPC structures only when you are ready to restart the JDENet process.

2.5.2 Prerequisite

Ensure that the library list is correct before executing the IPC commands. Each of the commands calls the IPCS command for all of the IPC types. Each command has two parameters: from and to. Use these parameters to specify the starting and ending IPC addresses on which you want to operate. The default value for the from parameter is *INI; this is the address specified in the .INI file. The default value for the to parameter is *CALC; this means that the value is calculated based on the value of the from parameter. For example, you could specify 999 more than the from parameter.

Note:

IBM Opti-Connect and Opti-Mover products use the IPC shared memory address 9999. Avoid setting the jde.ini file setting IPCStartKey to a starting value that uses the range of 9000 to 9999.

2.5.3 Cleaning Up the Enterprise Server for IBM i

To clean up the enterprise server for IBM i:

From an IBM i command line, enter these IPCS commands:

DSPIPC
CLRIPC

2.5.4 Clearing the jde.log and jde.debug Files for IBM i

For IBM i:

  1. To clear the jde.log stream files, enter this command:

    DEL `/PSFTrelease/jde_*'
    

    Where release is the JD Edwards EnterpriseOne release, such as psft900.

  2. To clear the jdedebug log, enter this command:

    DEL `/PSFTrelease/jdedebug_*'
    

    Where release is the JD Edwards EnterpriseOne release, such as psft900.

2.6 Setting Up a Printer for IBM i

This section provides an overview of printer setup for IBM i and discusses how to:

2.6.1 Understanding Printer Setup for IBM i

For printing, JD Edwards EnterpriseOne IBM i servers generate PostScript, PCL, or line printer reports. The line printer OUTQ configuration is similar to most typical IBM i OUTQ configurations. This section provides the steps necessary to set up the Postscript and PCL OUTQ configurations.

Unless otherwise specified in the printer definition, the default OUTQ used for printing batch process reports is the same as the default OUTQ of the user submitting the job.

2.6.2 Creating the OUTQ

To create the OUTQ, enter this command:

CRTOUTQ OUTQ(QGPL/outqname) RMTSYS(*INTNETADR) RMTPRTQ(`') 
CNNTYPE(*IP) DESTTYPE(*OTHER) TRANSFORM(*NO) INTNETADR(`IP Address of 
your printer')

Note:

Some printers require that you set the parameter RMTPRTQ to something other than `'. See the instruction manual for the printer for additional information. For example, you must set this parameter to PASS for the IBM Network Printer 4317.

2.6.3 Starting the OUTQ

To start the OUTQ:

  1. Enter this command:

    STRRMTWTR outqname
    

    For example:

    STRRMTWTR QGPL/JDE_HP4PSB
    
  2. If you need to release the outqueue before using it, enter this command:

    RLSOUTQ outqname
    

    For example, enter DEL '/PSFTrelease, where release is the JD Edwards EnterpriseOne release, as in PSFT900.

2.6.4 Printing Multiple Copies to a Remote Printer

This task is necessary only when the output queue does not support printing multiple copies, and it applies to remote output queues only. Only system administrators can print multiple copies to a remote printer.

  1. End the remote writer to which the output queue is connected.

  2. Use the Change Output Queue (CHGOUTQ) command to change the Display Options (DSPOPT) parameter so that it contains the value XAIX.

  3. Restart the remote writer.

    The output queue should now be able to send multiple copies of the documents to the remote printer.

2.7 Administering Batch Processes for IBM i

This section provides an overview of batch process administration for IBM i and discusses how to:

2.7.1 Understanding Batch Process Administration for IBM i

Administering batch processes involves knowing what processes run when JD Edwards EnterpriseOne starts, where files are placed before and after printing, and how to watch those processes.

Depending on how the software is installed, jobs run under several subsystems on the IBM i. The first subsystem, PSFT900, is created during the installation process and is responsible for running the JD Edwards EnterpriseOne net and kernel processes. QBATCH is the default subsystem in which jobs run, but you can use other subsystems to distribute the workload.

When you send a batch process report to an IBM i server for processing, the network jobs are responsible for accepting and queuing the request, while the QBATCH subsystem is responsible for executing the report. To monitor the batch requests, use the WRKACTJOB command, specifying QBATCH as the subsystem.

A job appears indented underneath the subsystem. A job such as the R0006P job is the actual report that is running at this time. The program PRINTUBE is the job that is responsible for running and printing the request. When the job is finished, it leaves the queue, and the print job is either printed and deleted, or saved in the E900SYS/PRINTQUEUE file.

When users submit batch reports to run on the IBM i, a corresponding Portable Document Format (PDF) file is created on the enterprise server.

The default location for the PDF files is under the PRINTQUEUE folder of the installation directory in IFS, for example, /E900SYS/PRINTQUEUE. Users can access the PDF files directly on the enterprise server, or go to the submitted jobs on the client and view the PDF file.

The naming convention for each member is based on the JD Edwards EnterpriseOne job number, which is a unique number that the system assigns when the report is submitted. This number is a unique print request ID and increments each time a report is submitted to the enterprise server, regardless of whether the job is successful or fails. It is not related to the process ID or job number that the IBM i assigns to the batch job.

If you submit a batch process report to a specific server, the OUTQ for printing dependents on the jde.ini file settings for the workstation. You must change the default OUTQ specified in the jde.ini file of the enterprise server. This setting is in the [Network Queue Settings] section and is called DefaultPrinterOUTQ. This OUTQ is used when no OUTQ is passed to the enterprise server from the workstation, or when the OUTQ name that is passed to the enterprise server is Default.

Two other settings, based on the jde.ini file on the workstation, tell the server whether to print the report immediately upon completion and whether to save the output from the report or delete it. Both of these settings are set in this manner:

[NETWORK QUEUE SETTINGS]
SaveOutput=TRUE
PrintImmediate=TRUE

Setting SaveOutput to TRUE causes the enterprise server to save the PDF files in E900SYS/PRINTQUEUE until you explicitly delete them. Setting PrintImmediate to TRUE tells the enterprise server to print the job immediately after completing the report.

You should encourage workstation users to use the SaveOutput=FALSE entry in their jde.ini files. If users at workstations decide to save their output, they should periodically delete the entries using the correct JD Edwards EnterpriseOne Job Master Search in the Job Control Master program (P986110B).

Note:

To display job numbers, end-users can use the Job Control Master program (P986110B). Similarly, system administrators can use the Work With Servers application (P986116). While both applications perform similar functions, most sites generally use security to restrict access to the Work With Servers application to system administrators. Both programs use the Job Master Search form to display job numbers that correspond to member names. You can use either program to delete .PDF files by deleting appropriate entries.

Finally, if you have the proper authority, you can run batch process reports from the server command line with this command:

RUNUBE USER(USER) PASSWORD(PASSWORD) ENVIRON(ENVIRONMENT) 
REPORT(REPORTNAME) VERSION(VERSION)

2.7.1.1 Example: Running Reports from the Command Line for IBM i

This example displays a command for executing the Business Unit Report (R0006P):

RUNUBE USER(SF5488324) PASSWORD(PASSWORD) ENVIRON(PD900) 
REPORT(R0006P) VERSION(XJDE0001)

This command begins processing version XJDE0001 of the report in the PD900 environment. After completion, the PostScript spool file resides on the printer_1 OUTQ. The spool file leaves printer_1, and the .PDF file is not deleted.

2.7.1.2 Example: Scheduling Reports from the Command Line for IBM i

You can schedule a report from the command line for processing on a future date. You do this with the SBMJOB (submit job) command. Many options are available for this command, but the general form will be similar to these example:

SBMJOB CMD(RUNUBE USER(SF5488324) PASSWORD(PASSWORD) ENVIRON(PD900) 
REPORT(R0006P) VERSION(XJDE0001)) SCDDATE(*FRI) SCDTIME(0600)

This command schedules the XJDE0001 version of the Business Unit Report (R0006P) to run on the next Friday at 06:00am. This job is submitted in the default job queue for the user who submitted the job. You can specify overrides on the command line or by prompting (F4) for more information.

You can review reports that have been submitted in this method by using the WRKSBMJOB command. This command displays all jobs submitted by the current user for batch processing. Information that this command displays includes the job name, the user who submitted the job, the type of job (BATCH), and the status. Using F11 also displays scheduling information for jobs that have been submitted but not yet run.

2.7.2 Monitoring Batch Processes

To monitor batch processes:

  1. Sign on to the IBM i enterprise server using an administrative account.

  2. Enter this command, substituting Subsystem with the appropriate subsystem name:

    WRKACTJOB SBS(Subsystem)
    

2.7.3 Reviewing Batch Output Files

To review the PDF output files:

  1. From Windows Explorer, use this command to map a drive to the root directory of IFS on the IBM i machine:

    //machinename/root

  2. Navigate to the PrintQueue folder in the System directory (for example, the directory might be called /E900SYS/PrintQueue), and view the PDF files.

2.7.4 Encoding the Passwords of Users Who Submit Batch Jobs

On the IBM i, when you want to encode user passwords for batch jobs, you need to change settings in the [SECURITY] section of the JDE.INI file.

Change these setting in the JDE.INI file to False to deactivate encoding:

[SECURITY]
ServerPswdFile=TRUE

2.8 Running Multiple Instances of JD Edwards EnterpriseOne on the IBM i

This section provides overviews of running multiple instances of JD Edwards EnterpriseOne and database security parameters on the IBM i and discusses how to:

Server Manager fully supports multiple foundations. This includes the installation and management of multiple instances of JD Edwards EnterpriseOne on a single server.

See Also:

  • 8.98 Server Manager Guide on My Oracle Support, sections: Register/Install on JD Edwards Enterprise Server for EnterpriseOne..

2.8.1 Understanding Running Multiple Instances of JD Edwards EnterpriseOne

You might want to run multiple instances of JD Edwards EnterpriseOne on an IBM i server for these reasons:

  • To test a new service pack.

  • To upgrade to a new version of JD Edwards EnterpriseOne.

    Note:

    You cannot use JD Edwards EnterpriseOne Planner to help you set up data for multiple instances of JD Edwards EnterpriseOne. Be prepared to manually copy data and to set up new Object Configuration Manager (OCM) mappings for each new instance.

A JD Edwards EnterpriseOne instance on the IBM i server is uniquely identified by these objects:

  • JD Edwards EnterpriseOne system directory (integrated file system, or IFS) and library (QSYS file system).

  • Path codes (IFS and QSYS file systems).

  • Use of selected .ini file settings.

The JDE.INI settings that you use to uniquely define a JD Edwards EnterpriseOne instance are summarized in this table:

Section in server JDE.INI file Parameter Purpose
[INSTALL] DefaultSystem= The name of the JD Edwards EnterpriseOne System library. This value must be unique for each JD Edwards EnterpriseOne instance.
[JDEIPC] StartIPCKeyValue= The value of the first interprocess communication (IPC) ID of a range of keys, which JDEIPC uses for shared memory. This value, plus the value of the maxNumberofResources parameter, defines the range of IPC IDs that the software uses for an instance of JD Edwards EnterpriseOne.
[JDENET] ServiceNameListen= The TCP/IP port number that the server uses for receiving communications packets from workstations and other JD Edwards EnterpriseOne servers.
[JDENET] ServiceNameConnect= The TCP/IP port number that the server uses for sending communications packets to workstations or other JD Edwards EnterpriseOne servers.
[DBSYSTEM SETTINGS] Default Env= The default environment for an instance of JD Edwards EnterpriseOne.
[DB SYSTEM SETTINGS] Default PathCode= The data source for an instance of JD Edwards EnterpriseOne.
[DB SYSTEM SETTINGS] Library= The database library that stores the system tables used by JD Edwards EnterpriseOne at startup.

Similarly, to apply JD Edwards EnterpriseOne security throughout multiple instances, you use these items to uniquely identify an instance:

  • OCM mappings.

  • Database.

  • JD Edwards EnterpriseOne user profile (the owner and default user ID under which JD Edwards EnterpriseOne jobs start).

  • Selected settings in the JDE.INI file.

The JDE.INI settings that you use to uniquely define a JD Edwards EnterpriseOne instance when you are applying security throughout multiple instances are summarized in this table:

Section in server JDE.INI file Parameter Purpose
[DEBUG] DebugFile Specifies the location of the jdedebug.log file.
[DEBUG] JobFile Specifies the location of the jde.log file.
[DEBUG] JDTSFile Specifies the location of the lock manager trace file on the IBM i.
[DB SYSTEM SETTINGS] Database Specifies the name of the database in which the system tables reside.
[SECURITY] DataSource Specifies the name of the JD Edwards EnterpriseOne data source that contains the security tables and is used for user validation.

To create an instance of JD Edwards EnterpriseOne on the IBM i, complete these tasks:

  • Copy needed libraries and directories and modify the values of selected parameters in the .ini library.

    To create an instance of JD Edwards EnterpriseOne on the IBM i, you copy these objects:

    • System library

    • System directory

    • Path code library

    • Path code directory

  • Apply security to multiple instances of JD Edwards EnterpriseOne, if you desire to do so.

    If you want to apply security to multiple instances of JD Edwards EnterpriseOne, complete the steps in these task. If you do not want to apply security to multiple instances, proceed to the steps for creating a JD Edwards EnterpriseOne subsystem and starting a JD Edwards EnterpriseOne service.

  • Create a new JD Edwards EnterpriseOne subsystem identification.

    On the IBM i platform, a subsystem is a logical process that is used to run system jobs, whether they are JD Edwards EnterpriseOne or other application jobs. JD Edwards EnterpriseOne network and kernel jobs run under the IBM i subsystem, which we ship with a default description. You can use this description without modification when you are running a single instance of JD Edwards EnterpriseOne on the IBM i server.

    If you decide to run multiple instances of JD Edwards EnterpriseOne, you need to create a new subsystem with a unique description for each instance of JD Edwards EnterpriseOne that you create. To create a new JD Edwards EnterpriseOne subsystem description, you use the CRTOWSBS command.

2.8.2 Understanding IBM i Database Security Parameters

You use the IBM i database security parameters to modify user and administrator profiles, to secure objects, and so on. These parameters appear on the Set Up OneWorld Authority (SETOWAUT) form.

2.8.2.1 Type

Depending on the value that you enter in this field, you can implement a full security setup, modify only the security profiles, or modify only the datapaths authority. A full security setup includes the system library, datapath, pathcode, and user profiles.

  • Use *FULL when you initially implement SETOWAUT. This value directs SETOWAUT to perform all of the security routines.

  • Use *DTAPATH only when you need to secure one or more datapaths.

  • Use *PROF to perform only the user profile routines. SETOWAUT uses the user profile settings in the command to direct the process.

  • Use *SYSTEM to perform the System library authority functions. If you are running a single instance of JD Edwards EnterpriseOne, *SYSTEM secures the System library and all of the objects within it with the AUTL OWADMINL. If you are running multiple instances of JD Edwards EnterpriseOne, *SYSTEM secures the library and all the objects contained within it with the administrative authorization list created by the SETOWAUT program for each individual instance of JD Edwards EnterpriseOne. Note that SETOWAUT must be run separately for each instance of JD Edwards EnterpriseOne.

    Additionally, all the *PGM objects with attributes of *CLP, *CLLE, or *CLE will have the program attributes modified for adopt authority. The system library is treated differently to enable the administration of JD Edwards EnterpriseOne.

    You can use this parameter to lock other non-system libraries that contain objects that you can use to administer JD Edwards EnterpriseOne.

2.8.2.2 Additional Profile Work That SETOWAUT Performs When You Use Types *FULL or *PROF

When you enter Type *FULL or *PROF, SETOWAUT does these:

  • Creates the ONEWORLD and OWADMINL authorization lists (if they do not already exist) if you are running a single instance of JD Edwards EnterpriseOne. If you are running multiple instances of JD Edwards EnterpriseOne, SETOWAUT creates both authorization lists and uses the names that you specified for each instance of JD Edwards EnterpriseOne.

  • Changes the owner of both lists to ONEWORLD if you are running a single instance of JD Edwards EnterpriseOne. If you are running multiple instances of JD Edwards EnterpriseOne, SETOWAUT changes the owner of both lists to the user profile name that you specified for each instance of JD Edwards EnterpriseOne.

  • Adds JDE to both lists if you are running a single instance of JD Edwards EnterpriseOne.

  • Adds PSFT to both lists if you are running a single instance of JD Edwards EnterpriseOne.

  • Changes *PUBLIC entry to *EXCLUDE in both lists.

2.8.2.3 INILIB (INI Library)

This field identifies the library in which the JDE.INI file resides for the security application. The *NONE value enables you to specify that the JDE.INI file is either not needed or not available.

Note:

You cannot use the parameter value *NONE if the Type parameter value is *FULL or *SYSTEM.

Use a library name if all of these requirements are true:

  • A JD Edwards EnterpriseOne INI library is located on the host system.

  • The control files (OCM) are located on the host system.

  • The JDE.INI file references the OCM library.

    When the Type field contains the value *FULL or *SYSTEM, the library and all of the objects will be secured with SYSTEM attributes. SETOWAUT uses the JDE.INI file to perform all of the INI retrievals.

When any of the previous requirements are false, use *NONE. This setting requires you to enter actual values in any parameter that allows the value *INI.

2.8.2.4 DTAPATH Datapath (library)

If you set the INI library field to *NONE, you must manually set datapaths in this field.

Type *INI in this field to use the datapaths that are set in the JDE.INI file. You can also type specific datapaths in this field. You can type up to 10 datapaths at a time.

Use *INI when these are true:

  • SETOWAUT will modify each library based upon the ALLOBJECTS parameter.

  • The INILIB parameter contains the library name in which the JDE.INI file is located (the INILIB value is not *NONE). This parameter tells SETOWAUT to use the JDE.INI file to retrieve the datapath libraries. SETOWAUT retrieves the library name from the JDE.INI value in the [DB SYSTEM SETTINGS] Library and uses this setting to access the Object Configuration Master (F986101) and Data Source Master (F98611) tables. SETOWAUT selects all of the library names (F98611.OMDATB2) that meet these criteria:

    • F986101.OMDATP = F98611.OMDATP

    • OMUGRP = *PUBLIC, OMSTSO = `AV'

    • OMSRVR = the host name

2.8.2.5 Modify System Profile

Values for this field are Y and N.

Note:

This field does not appear when you set up authorization for multiple instances of JD Edwards EnterpriseOne and you enter a value other than ONEWORLD in the USRPRF field.

Enter Y when you want to do these:

  • Modify or create the system profile that has not yet been modified. For example, you might enter this information to modify a system profile:

    • *NONE in the GRPPRF field.

    • *NONE in the SUPGRPPRF field.

    • *USER in the USRCLS field.

    • *SIGNOFF in the INLMNU field.

    • *NONE in the INLPGM field.

    • *JOBCTL in the SPCAUT field.

  • Grant authority to change the profile ONEWORLD to *USE profile QSECOFR.

  • Revoke *ALL authority from *PUBLIC.

Enter N only when the system profile has the correct attributes.

2.8.2.6 Modify JDE Profile

Values for this field are Y and N.

Note:

This field does not appear when you set up authorization for multiple instances of JD Edwards EnterpriseOne and you enter a value other than ONEWORLD in the USRPRF field.

Enter Y when you want to do these:

  • Modify or create the JDE profile that has not been modified. For example, you might enter these to modify a JDE profile:

    • *NONE in the GRPPRF field.

    • *NONE in the SUPGRPPRF field.

    • *USER in the USRCLS field.

    • *NONE in the INLPGM field.

    • *JOBCTL *SAVSYS in the SPCAUT field.

  • Revoke *ALL authority from *PUBLIC.

Enter N only when the profile JDE has the correct attributes.

2.8.2.7 Modify Security Profile

You can enter up to 10 security profiles at a time in this field to modify using the SETOWAUT program.

Note:

It is recommended that you delete existing security profiles before running SETOWAUT. After running SETOWAUT and creating security profiles, the passwords must be changed to correspond with passwords that were set up using JD Edwards EnterpriseOne User Security. The security user is used as the system user in JD Edwards EnterpriseOne User Security.

SETOWAUT must be run with the PSFT user profile specified as a security profile when using JD Edwards EnterpriseOne. If you enter a security profile that does not already exist, SETOWAUT creates the profile and modifies the profile accordingly. You can do any of these:

  • Create or modify the profile by entering information such as these:

    • *USER in the USRCLS field.

    • *SIGNOFF in the INLMNU field.

    • *NONE in the INLPGM field.

    • *NONE in the SPCAUT field.

    • ONEWORLD in the GRPPRF field, if you are running a single instance of JD Edwards EnterpriseOne. If you are running multiple instances of JD Edwards EnterpriseOne, enter in the GRPPRF field the JD Edwards EnterpriseOne User Profile name that you entered in the USRPRF field.

    • JDE in the SUPGRPPRF field, if you are running a single instance of JD Edwards EnterpriseOne. If you are running multiple instances of JD Edwards EnterpriseOne, enter in the SUPGRPPRF field the JD Edwards EnterpriseOne User Profile name that you entered in the USRPRF field.

  • Revoke *ALL authority from *PUBLIC.

  • Grant profile ONEWORLD *CHANGE authority to the security profile.

  • Grant security profile *CHANGE authority to ONEWORLD.

    Sample Results for SETOWAUT in the JD Edwards EnterpriseOne Tools 8.94 Implementation Guide: Server and Workstation Administration.

2.8.2.8 JD Edwards EnterpriseOne DB Admin Profile

When you type *INI in this field, SETOWAUT retrieves the user and password values from the [SECURITY] section of the JDE.INI file. If you type a value that does not exist, SETOWAUT creates a profile with a password that is the same as the profile name. If the profile exists, SETOWAUT modifies the profile to be a JD Edwards EnterpriseOne database administrator.

Enter a profile to be used as a database administrator. This profile will have all rights to all JD Edwards EnterpriseOne objects. These database administrator profiles are allowed to perform certain JD Edwards EnterpriseOne processes (RUNUBE and PORTTEST) that an administrator with normal privileges cannot perform.

If the profile does not exist, the system creates the profile with a password that is the same name as the profile. If the profile does not exist, you should set the password to expire (PWDEXP = *YES). For example, this occurs:

  • If BV3C is in library list, SETOWAUT will place this program as the initial program. (This program lists all of the JD Edwards EnterpriseOne occurrences to enable the user to select one occurrence at signon).

  • USRCLS is set to *PGMR.

  • SPCAUT is set to *NONE.

  • GRPPRF is set to ONEWORLD if you are running a single instance of JD Edwards EnterpriseOne. If you are running multiple instances of JD Edwards EnterpriseOne, GRPPRF is set to the JD Edwards EnterpriseOne User Profile name that you entered in the USRPRF parameter field.

This profile revokes *ALL authority from *PUBLIC and grants ONEWORLD *USE rights to the DB ADMIN profile.

2.8.2.9 BSFNLIB (Libs or *INI (Default PathCode))

Type *INI in this field to use the pathcode library and the associated specification file directory that is set in the JDE.INI file. You can also type specific pathcode libraries in this field. You can type up to 10 pathcodes at a time.

Note:

If you enter *NONE in the INI library field, you must set pathcodes in this field.

Use *INI when the INILIB parameter contains the library name in which the JDE.INI file is located (INILIB does not contain *NONE). This parameter tells SETOWAUT to use the JDE.INI file to retrieve the application pathcode libraries. SETOWAUT retrieves the library name from the JDE.INI value in [DB SYSTEM SETTINGS] Library and uses this setting to access the Object Configuration Master (F986101) and Data Source Master (F98611) tables. SETOWAUT selects all of the library names (F98611.OMLIB) that meet these criteria:

  • F986101.OMDATP = F98611.OMDATP

  • OMUGRP = *PUBLIC

  • OMSTSO = `AV'

  • OMDBNM = F00942

SETOWAUT retrieves EMPATHCD (pathcode) from each record in the Object Path Master File table (F00942) for each library (F98611.OMLIB).

For each pathcode, SETOWAUT modifies the library and associated IFS directory (specifies path) accordingly.

2.8.2.10 Secure Log Path

Y and N are values for this field. The recommended value is N.

Enter N when you do not want to secure JDE log paths.

Enter Y only when you need to secure the log paths. One situation in which you might secure JDE log paths is when logs are being deleted without permission.

Only DB administrators have permission to access the logs in the log path.

2.8.2.11 Secure All Objects

Use this field to secure objects when you are running multiple instances of JD Edwards EnterpriseOne. The parameter appears on the SETOWAUT form only when you configure an instance of JD Edwards EnterpriseOne by entering a value other than ONEWORLD in the USRPRF field.

*NONCOEXIST is the default value for the Secure All Objects parameter, and we recommend that you use this value. This value secures all directories, but not the files in the directories.

Entering COEXIST secures the files as well as the directories. Entering COEXIST can degrade performance because the system must verify authority for every object that the user wants to access. This value is the equivalent of entering *ALLOBJECTS when you run a single instance of JD Edwards EnterpriseOne. The value *COEXIST can only be used for OneWorld Xe, and must never be used for JD Edwards EnterpriseOne.

2.8.3 Prerequisites

Before you complete the tasks in this section:

  • Verify that enough space exists on the direct access storage device (DASD) to create a new instance of JD Edwards EnterpriseOne.

  • Assess data storage and backup requirements.

  • Consider the procedure that you will follow for updating the JD Edwards EnterpriseOne server with new versions of JD Edwards EnterpriseOne.

  • Determine the strategy for performing server package builds and updates. This might include, for example, setting up a second deployment server.

  • Create a new environment for use with each new JD Edwards EnterpriseOne instance.

  • Set up security for multiple instances of JD Edwards EnterpriseOne.

2.8.4 Copying Libraries and Directories

To copy libraries and directories:

  1. End JD Edwards EnterpriseOne services, if necessary.

  2. Remove JD Edwards EnterpriseOne security, if necessary.

  3. From the IBM i main menu, copy the JD Edwards EnterpriseOne system library in the QSYS file system by typing this command:

    CPYLIB E900SYS E900CST
    

    Where E900CST is the name for the system library in the new instance of JD Edwards EnterpriseOne.

  4. From the IBM i main menu, copy the JD Edwards EnterpriseOne system directory in the IFS by first the using this command to create a temporary library:

    CRTLIB TEMPLIB
    
  5. Create a save file in the temporary library for the system directory by typing this command:

    CRTSAVF FILE (TEMPLIB/E900SYS)
    
  6. Save the system directory into the save file by typing this command:

    SAV DEV ('/QSYS.LIB/TEMPLIB/E900SYS.FILE') OBJ(('/E900SYS)) USEOPTBLK(*NO) DTACPR
    (*YES)
    
  7. Restore the save file for the system directory to a directory with a new name by typing this command:

    RST DEV('/QSYS.LIB/TEMPLIB/E900SYS.FILE') OBJ(('/E900sys/*' *INCLUDE/E900cst'))
    

    Where E900cst is the name of the new system directory.

    Note:

    Throughout the entire copying procedure, the name for the new directories and libraries must match.
  8. From the IBM i main menu, copy the path code library in the QSYS file system by typing this command:

    CPYLIB PRD900 CST900
    

    Where CST900 is the name for the path code library in the new instance of JD Edwards EnterpriseOne. The name of the library for the new instance cannot exceed eight characters in length.

    Note:

    The path code directory for any environment that you intend to use for a new instance of JD Edwards EnterpriseOne must be copied to the new directory. You cannot share path code directories between two or more instances of JD Edwards EnterpriseOne because this might corrupt the specification file.
  9. From the IBM i main menu, copy the path code directory in the IFS by first using this command to create a save file in the temporary library:

    CRTSAVF FILE(TEMPLIB/PRD900)
    

    Note:

    You must follow the procedure for copying the path code directory for each path code that you copy.
  10. Save the path code directory into the save file by typing this command:

    SAV DEV('QSYS.LIB/TEMPLIB/PRD900.FILE') OBJ(('/prd900/*')) USEOPTBLK(*NO) DTACPR
    (*YES)
    
  11. Restore the save file for the path code directory to a directory with a new name by typing this command:

    RST DEV('QSYS.LIB/TEMPLIB/PRD900.FILE') OBJ(('/prd900/*' INCLUDE '/cst900'))
    

    Where cst900 is the name of the new path code directory.

  12. From the IBM i main menu, create a JD Edwards EnterpriseOne subsystem from the system library by typing this command:

    CRTOWSBS <subsystem name> <system library>
    

    Where <subsystem name> is the name you give to the JD Edwards EnterpriseOne subsystem for the new instance of JD Edwards EnterpriseOne, and <system library> is the name of the system library in the QSYS file system for the new instance of JD Edwards EnterpriseOne.

    Note:

    You can use the same subsystem for multiple instances of JD Edwards EnterpriseOne.
  13. Modify these parameters in the INI library:

    [INSTALL]
    DefaultSystem=<System Library>
    
    [JDEIPC]
    startIPCKeyValue=<Unused start key not within another instance's IPC range>
    
    [JDENET]
    serviceNameListen=<Available port>
    serviceNameConnect=<Available port>
    
    [DB SYSTEM SETTINGS]
    Default Env=<New environment>
    Default PathCode=<New path code>
    

2.8.5 Applying Security to Multiple Instances of JD Edwards EnterpriseOne on the IBM i

To apply security to multiple instances of JD Edwards EnterpriseOne on the IBM i:

  1. Copy the OCM library.

  2. Copy the database libraries, such as SYS900, 900MAP, and so on.

  3. Create a new IBM i user profile for each new instance of JD Edwards EnterpriseOne.

  4. From the IBM i main menu, create a new log path in the IFS by typing this command:

    CRTDIR DIR('/900CSTLOG')
    

    Where CSTLOG is the name of the new IFS log directory.

  5. Modify these parameters in the INI library:

    [DEBUG]
    DebugFile=<new log path>/JDEDEBUG.LOG
    JobFile=<new log path?/JDE.LOG
    JDETSFile=<new log path>/JDETS.LOG
    
    [DB SYSTEM SETTINGS]
    Database=<new OCM library>
    
    [SECURITY]
    DataSource=<Location of new F98OWSEC library>
    

    Note:

    The parameter values in the [DEBUG] section must be uppercase.

2.8.6 Creating a JD Edwards EnterpriseOne Subsystem on the IBM i

To create a JD Edwards EnterpriseOne subsystem on the IBM i:

  1. Stop JD Edwards EnterpriseOne services.

  2. From the IBM i main menu, type this command, and then press Enter or press the F4 key:

    CRTOWSBS
    
  3. On the CREATE New JD Edwards EnterpriseOne Subsystem form, enter character values for these parameters, and then press Enter:

    • SUBSYSTEM

    • SYSLIB

      Note:

      The maximum number of characters allowed for the description of each parameter is 10. Verify that the name of the system library matches the name that you created when you copied the JD Edwards EnterpriseOne system library in the QSYS file system.

      The CRTOWSBS command creates a new subsystem description in the JD Edwards EnterpriseOne system library and updates the STRNET and ENDNET programs with the new subsystem name as the default parameter.

  4. To delete the old subsystem description from the system library, type this command, and then press Enter or press the F4 key:

    WRKOBJ OBJ <SUBSYSTEM NAME>/<SYSTEM LIBRARY NAME>) OBJTYPE(*SBSD)
    

    Where SUBSYSTEM NAME is the subsystem description that you want to delete and SYSTEM LIBRARY NAME is the system library where the subsystem description is located.

  5. In the Work with Objects form, type 4 for Delete, and then press Enter.

  6. From the IBM i main menu, clear IPC memory by typing this command:

    CLRIPC
    
  7. From the IBM i main menu, start JD Edwards EnterpriseOne IBM i services by typing this command:

    STRNET
    

2.9 Administering Security JD Edwards EnterpriseOne Database Security for IBM i

This section provides an overview of JD Edwards EnterpriseOne data base security administration and discusses how to:

2.9.1 Understanding JD Edwards EnterpriseOne Database Security Administration

You can secure profiles and objects for JD Edwards EnterpriseOne on the IBM i with the Set Up OneWorld Authority (SETOWAUT) command. When you enter this command, a form appears that enables you to enter specific security information for the system. The authority is implemented only on the IBM i machine on which you execute the command.

Note:

If you upgraded to JD Edwards EnterpriseOne from an existing ERP installation and do not intend to rerun SETOWAUT, then you must manually add the PSFT user profile to the existing security profile authorization list. (The default name for authorization list is OneWorld.)

The SETOWAUT command enables you to set up security for a single instance of JD Edwards EnterpriseOne or for multiple instances of JD Edwards EnterpriseOne. If you run multiple instances of JD Edwards EnterpriseOne, you can set up separate user profiles for each instance. The SETOWAUT command sets up the authorities for each JD Edwards EnterpriseOne instance, adds profile names to an authorization list, and sets object ownership for each JD Edwards EnterpriseOne instance.

Two separate authorization lists exist for maintaining security. Values in two parameters of the SETOWAUT program specify the authorization lists.

The USRPRF parameter value specifies the JD Edwards EnterpriseOne user profile. When you run the SETOWAUT program, the program automatically creates a user profile authorization list with the same name. This list secures all JD Edwards EnterpriseOne objects.

The ALLOBJECTS parameter determines how SETOWAUT secures JD Edwards EnterpriseOne objects. The recommended setting for this parameter is *NONCOEXIST. Using this setting, the resulting authorization list secures only the root directories and the libraries. This is true for all libraries except the System library; SETOWAUT secures all of the objects in the system library. The value ALLOBJ secures every object in all JD Edwards EnterpriseOne libraries and directories. This parameter is not recommended because it negatively affects JD Edwards EnterpriseOne performance.

The COEXIST option can be used for OneWorld Xe, but never for JD Edwards EnterpriseOne. COEXIST is not valid with JD Edwards EnterpriseOne.

This release of JD Edwards EnterpriseOne introduces the PSFT user profile. To use JD Edwards EnterpriseOne software, this user profile must have access to objects that are owned by this instance of the software, regardless of whether SETOWAUT is used (that is, the default profile is the ONEWORLD user profile). To provide the PSFT user profile access to objects, you must do these:

  • Change PSFT user profile attribute GRPPRF to the name of the JD Edwards EnterpriseOne or multiple instance USRPRF (the default value is ONEWORLD).

  • Verify that the PSFT user profile attribute OWNER is set to *GRPPRF. If it is not, manually set this value to *GRPPRF.

The USRAUTL parameter value specifies the administrative authorization list. When you run the SETOWAUT program, the program automatically creates an administrative authorization list that gives specified users administrative access to JD Edwards EnterpriseOne. Any user who will perform basic JD Edwards EnterpriseOne administration tasks, such as Start, End, Clear IPC, and so on, on the IBM i must be added to this list. CRTOWADPRF is a supplied command that adds administrative users to this list; RMVOWADPRF is a supplied command that removes such users from the list.

Use PROFTYPE(*USER) to perform basic JD Edwards EnterpriseOne administrative tasks. Use PROFTYPE(*ADMIN) for users who need access to all JD Edwards EnterpriseOne objects. (*ADMIN is similar to security officer but can only be used for JD Edwards EnterpriseOne.

Whether you want to set up security for one instance of JD Edwards EnterpriseOne or for multiple instances, the Set Up OneWorld Authority (SETOWAUT) form appears when you run the SETOWAUT command. However, the parameter values that you enter and the parameter fields that appear on the form differ, depending on whether you set up security for one instance or for multiple instances. These parameter differences are explained in these three tables:

Parameters Present in SETOWAUT Form for Both Single and Multiple Instances of JD Edwards EnterpriseOne Meaning Value to be Entered for a Single Instance of JD Edwards EnterpriseOne Value to be Entered for Multiple Instances of JD Edwards EnterpriseOne
USRPRF JD Edwards EnterpriseOne User Profile JD Edwards EnterpriseOne Configurable. Enter a new value for each instance of JD Edwards EnterpriseOne.
USRAUTL Admin. Authorization List OWADMINL Configurable. Enter a new value for each instance of JD Edwards EnterpriseOne.

Parameters Present in SETOWAUT Form for Single Instance of JD Edwards EnterpriseOne Only Meaning Value to be Entered for a Single Instance of JD Edwards EnterpriseOne Value to be Entered for Multiple Instances of JD Edwards EnterpriseOne
OWPRF Modify ONEWORLD Profile Y is the default value. Parameter is not present if you enter a value other than ONEWORLD for the USRPRF parameter.
JDEPRF Modify JDE Profile Y is the default value. Parameter is not present if you enter a value other than ONEWORLD for the USRPRF parameter.

Parameter Present in SETOWAUT Form for Multiple Instances of JD Edwards EnterpriseOne Only Meaning Value to be Entered for Multiple Instances of JD Edwards EnterpriseOne Value to be Entered for Single Instance of JD Edwards EnterpriseOne
OBJOPT Secure All Objects N is the default value. Enter Y if you want to secure all objects that appear in one or more directories. Because it can degrade system performance, entering Y is not recommended. Parameter is not present if you enter OneWorld as the value for the USRPRF parameter.

This information provides a summary of the security model when you run a single instance of JD Edwards EnterpriseOne:

Library Description of Security
JD Edwards EnterpriseOne System Library SETOWAUT secures all of the objects in the system library. Administrative programs, such as CLRIPC, STRNET, ENDNET, and PORTTEST, are set to adopt the authority of the owner.

You can set up security for a single instance of JD Edwards EnterpriseOne, or you can set up security for separate JD Edwards EnterpriseOne instances. In the latter case, the SETOWAUT program creates a user profile and individual authorization lists for each instance, which establishes object ownership.

You can set up security for separate instances of JD Edwards EnterpriseOne as well. To do so, you enter a value other than ONEWORLD for the User Profile parameter and a value other than OWADMINL for the Admin. Authorization List parameter. You enter different values for these parameters for each instance of JD Edwards EnterpriseOne that you run.

Note:

Use caution when you use JD Edwards EnterpriseOne security to lock a library that contains third-party software. We do not support the IBM i JD Edwards EnterpriseOne database security with third-party software.

2.9.1.1 Sample Results for SETOWAUT

You can expect these examples for each of the various commands. Using Client Access, sign onto the IBM i, type each command on the command line, and press F4. For libraries (data sources and pathcodes), the required parameters are object type (*LIB) and the name of the library.

If you set up multiple instances of JD Edwards EnterpriseOne, the owner of each instance is the user profile that you entered in the JD Edwards EnterpriseOne User Profile parameter during the authority setup. If you set up a single instance of JD Edwards EnterpriseOne, the owner is ONEWORLD.

Similarly, if you set up multiple instances of JD Edwards EnterpriseOne and you display object authority, the value that appears is the name of the user profile for all objects except the SYSTEM library. The object authority for the SYSTEM library when you run multiple instances of JD Edwards EnterpriseOne is the name of the Admin. Authorization List. If you set up a single instance of JD Edwards EnterpriseOne, all objects are secured by the authorization list, except the SYSTEM library, which is secured by the OWADMINL authorization list.

This is an example of the data source DSPOBJAUT:

Figure 2-2 Data Source DSPOBJAUT

Description of Figure 2-2 follows
Description of "Figure 2-2 Data Source DSPOBJAUT"

This is an example of the data source DSPOBJAUT:

Figure 2-3 Pathcode DSPOBJAUT

Description of Figure 2-3 follows
Description of "Figure 2-3 Pathcode DSPOBJAUT"

This is an example of the data source DSPLIBD:

Figure 2-4 Data source DSPLIBD

Description of Figure 2-4 follows
Description of "Figure 2-4 Data source DSPLIBD"

This is an example of the pathcode DISLIBD:

Figure 2-5 Pathcode DSPLIBD

Description of Figure 2-5 follows
Description of "Figure 2-5 Pathcode DSPLIBD"

Note:

Authority for objects in data sources and pathcodes should remain the same after you run SETOWAUT. You can see this by displaying the authority for an object in each library before and after you run SETOWAUT. The forms should be identical. The required parameters are object name, object type (*FILE or *PGM), and the library name in which the object resides.

Owner, object security, and authority creation differ depending on whether you are running a single instance of JD Edwards EnterpriseOne or multiple instances.

SETOWAUT changes the authority on system libraries. You can view this for both DSPOBJAUT and DSPLIBD on system libraries. The shaded information in these illustrations should correspond to the information that appears on the form. The required parameters are the object name, object type (*PGM), and the name of the library in which these objects reside.

This is an example of the system library DSPOBJAUT:

Figure 2-6 System library DSPOBJAUT

Description of Figure 2-6 follows
Description of "Figure 2-6 System library DSPOBJAUT"

This is an example of the system library DSPLIBD:

Figure 2-7 System library DSPLIBD

Description of Figure 2-7 follows
Description of "Figure 2-7 System library DSPLIBD"

The authority changes for objects within system libraries that either contain the attributes CLLE or CLP or that share the same name. You can use commands to review the authority on these objects. The required parameters are object name, object type (*PGM or *CMD), and the name of the library in which these objects reside.

2.9.1.2 Sample Results for Authorization Lists

Use these commands to view the authorization list authorities. The name of the list is the only necessary parameter:

  • IFS directories (specification files).

  • WRKLNK - option 9 Work with authority.

This is an example of DSPAUTL:

Figure 2-8 Display Authorization List

Description of Figure 2-8 follows
Description of "Figure 2-8 Display Authorization List"

This is an example of DSPAUTL:

Figure 2-9 Edit Authorization List

Description of Figure 2-9 follows
Description of "Figure 2-9 Edit Authorization List"

2.9.2 Prerequisite

Before you enter a value for the USRPRF and USRAUTL parameters, verify that the value is not being used for an authorization list for any other instance of JD Edwards EnterpriseOne. To do so, run the DSPAUTL command. On the Display Authorization form, you can enter the value that you intend to use to make sure that it is unique.

2.9.3 Setting Up IBM i Database Security for a Single JD Edwards EnterpriseOne Instance

To set up IBM i database security for a single JD Edwards EnterpriseOne instance:

  1. In the SETOWAUT library, on the command line, type this command, press F4, and then press F11:

    SETOWAUT
    

    Note:

    Verify that the SETOWAUT library is in the library list. If it is not, run the ADDLIBLE command.

    The Set Up OneWorld Authority (SETOWAUT) form appears.

  2. On Set Up OneWorld Authority (SETOWAUT), complete the USPRF field with OneWorld, and then press Enter:

    The form displays additional security parameters. You can specify various security settings, including library access.

  3. Complete these required fields, and then press Enter:

    • USRAUTL

      Enter OWADMINL.

    • TYPE

    • INILIB

  4. Complete any additional fields, if necessary.

  5. Press Enter.

2.9.4 Setting Up IBM i Database Security for Multiple JD Edwards EnterpriseOne Instances

To set up IBM i database security for multiple JD Edwards EnterpriseOne instances:

  1. In the SETOWAUT library, on the command line, type this command and press F4:

    SETOWAUT
    
  2. On Set Up OneWorld Authority (SETOWAUT), complete the USRPRF field, and then press Enter:

    The SETOWAUT program uses this name when it creates a user profile authorization list.

  3. The form expands to reveal an additional security parameter. The Modify OneWorld Profile (OWPRF) and Modify JDE Profile (JDEPRF) parameters, which appear when you enter OneWorld as the User Profile parameter value, do not appear when you enter a value other than OneWorld.

  4. Complete these required fields and press Enter:

    • USRAUTL

      Enter a name that identifies the administrative authorization list.

    • TYPE

    • INILIB

  5. Complete any additional fields, if necessary.

  6. Press Enter.

2.9.5 Adding Administrators

You can add administrators to the administrative authorization list by running the CRTOWADPRF command. The command also enables you to designate levels of authority to the administrators whom you are adding to the list.

  1. On the command line, enter this command and press F4:

    CRTOWADPRF USRPRF
    
  2. On Set Up OW User Profile (CRTOWADPRF), in the ADMIN USER Profile field, enter the name of an administrator whom you want to add to the administrative authorization list. You can add up to 10 administrators at a time.

  3. In the JD Edwards EnterpriseOne USER Profile field, Type the JD Edwards EnterpriseOne user profile name that you entered in the USRPRF field during setup.

  4. In the ADMIN Authorization List, Type the Admin. Authorization List name that you entered in the USRAUTL field during setup.

  5. In Profile Type, type *USER to give the profiles basic administration capabilities, such as STRNET, ENDNET, CLRIPC, CLRLCK, DSPIPC, DSPSTMF, IPCS, LINKBSFN, and PID2JOB.

    Type *ADMIN if the profiles need rights to PORTTEST and RUNUBE, as well as the basic administration capabilities.

  6. In Initial program to call, type BV3C if you want the system to display a list of environments when the administrators sign on to JD Edwards EnterpriseOne, *SAME to use the current initial program setting, or *NONE to remove the initial program setting.

Note:

For JD Edwards EnterpriseOne, the initial program to call by default is BV3C. This program sets the IBM i to provide a choice of environments at signon. A user with an administrator profile who signs on to an environment can then perform JD Edwards EnterpriseOne commands on the IBM i server.

2.9.6 Removing Administrative Authority from User Profiles

To remove a user's administrative authority, you run the RMVOWADPRF command and complete the Remove OW Profile Authority form.

Note:

Submit this command to a batch subsystem.
  1. On the command line, enter this command and press F4:

    RMVOWADPRF
    
  2. On Remove OW Profile Authority (RMVOWADPRF), complete these fields and press Enter:

    Field Description
    User Profile Enter the name of the user from whom you want to remove authority.
    Admin. Authorization List Type the Admin. Authorization List name that you entered in the USRAUTL field during setup.
    JD Edwards EnterpriseOne User Profile Type the JD Edwards EnterpriseOne user profile name that you entered in the USRPRF field during setup.

2.9.7 Displaying User Profile Information

After you run SETOWAUT, you can review user profiles and authorization lists to verify that the information is correct.

  1. On the command line, enter this command:

    DSPUSRPRF
    
  2. On Display User Profile (DSPUSRPRF), type the name of a user profile in the User Profile field, and then press Enter.

    Information similar to this example appears:

    User profile . . . . . . . . . . . . . . . :  ONEWORLD
    Previous sign-on . . . . . . . . . . . . . :  03/23/04 15:16:53
    Sign-on attempts not valid . . . . . . . . :  0       
    Status . . . . . . . . . . . . . . . . . . :  *ENABLED    
    Date password last changed . . . . . . . . :  02/27/03    
    Password expiration interval . . . 
    . . . . :  *NOMAX     Set password to expired . . . . . . . . . :  *NO      
    User class . . . . . . . . . . . . . . . . :  *USER     
    Special authority . . . . . . . . . . . . :  *JOBCTL   
    Group profile . . . . . . . . . . . . . . :  *NONE     
    Owner . . . . . . . . . . . . . . . . . . :  *USRPRF    
    Group authority . . . . . . . . . . . . . :  *NONE     
    Group authority type . . . . . . . . . . . :  *PRIVATE    
    Supplemental groups . . . . . . . . . . . :  *NONE     
    Assistance level . . . . . . . . . . . . . :  *SYSVAL  
    Current library . . . . . . . . . . . . . :  *CRTDFT  
    Initial program . . . . . . . . . . . . . :  *NONE
                    Library . . . . . . . . . . . . . . . . : 
    Initial menu . . . . . . . . . . . . . . . :  *SIGNOFF
                    Library . . . . . . . . . . . . . . . . : 
    Limit capabilities . . . . . . . . . . . . :  *NO    
    Text . . . . . . . . . . . . . . . . . . . :                              
    Display sign-on information . . . . . . . :  *SYSVAL  
    Limit device sessions . . . . . . . . . . :  *SYSVAL  
    Keyboard buffering . . . . . . . . . . . . :  *SYSVAL  
    Storage information:              
       Maximum storage allowed . . . . . . . . :  *NOMAX
       Storage used . . . . . . . . . . . . . . :  286236536
       Storage used on independent ASP . . . . :  *NO  
    Highest scheduling priority . . . . . . . :  3   
    Job description . . . . . . . . . . . . . :  ONEWORLD
            Library . . . . . . . . . . . . . . . . :   QGPL
    Accounting code . . . . . . . . . . . . . :     
    Message queue . . . . . . . . . . . . . . :  ONEWORLD
                    Library . . . . . . . . . . . . . . . . :   QUSRSYS
    Message queue delivery . . . . . . . . . . :  *NOTIFY 
    Message queue severity . . . . . . . . . . :  00  
    Output queue . . . . . . . . . . . . . . . :  *WRKSTN
                    Library . . . . . . . . . . . . . . . . :     
    Printer device . . . . . . . . . . . . . . :  *WRKSTN
    Special environment . . . . . . . . . . . :  *SYSVAL
    Attention program . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Sort sequence . . . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Language identifier . . . . . . . . . . . :  *SYSVAL
    Country identifier . . . . . . . . . . . . :  *SYSVAL
    Coded character set identifier . . . . . . :  *SYSVAL
    Character identifier control . . . . . . . :  *SYSVAL
    Locale job attributes . . . . . . . . . . :  *SYSVAL
    
    User profile . . . . . . . . . . . . . . . :  JDE
                                      
    Previous sign-on . . . . . . . . . . . . . :  03/23/04 15:25:53
    Sign-on attempts not valid . . . . . . . . :  0       
    Status . . . . . . . . . . . . . . . . . . :  *ENABLED    
    Date password last changed . . . . . . . . :  02/27/03    
    Password expiration interval . . . . . . . :  *NOMAX     
    Set password to expired . . . . . . . . . :  *NO      
    User class . . . . . . . . . . . . . . . . :  *USER     
    Special authority . . . . . . . . . . . . :  *JOBCTL
                                                 *SAVSYS
    Group profile . . . . . . . . . . . . . . :  *NONE     
    Owner . . . . . . . . . . . . . . . . . . :  *USRPRF    
    Group authority . . . . . . . . . . . . . :  *NONE     
    Group authority type . . . . . . . . . . . :  *PRIVATE    
    Supplemental groups . . . . . . . . . . . :  *NONE     
    Assistance level . . . . . . . . . . . . . :  *SYSVAL  
    Current library . . . . . . . . . . . . . :  *CRTDFT  
    Initial program . . . . . . . . . . . . . :  J98INIT
                    Library . . . . . . . . . . . . . . . . :   JDFOBJ7R2
    Initial menu . . . . . . . . . . . . . . . :  *MAIN
                    Library . . . . . . . . . . . . . . . . :   *LIBL
    Limit capabilities . . . . . . . . . . . . :  *NO    
    Text . . . . . . . . . . . . . . . . . . . :                              
    Display sign-on information . . . . . . . :  *SYSVAL  
    Limit device sessions . . . . . . . . . . :  *SYSVAL  
    Keyboard buffering . . . . . . . . . . . . :  *SYSVAL  
    Storage information:                 
    Maximum storage allowed . . . . . . . . :  *NOMAX
    Storage used . . . . . . . . . . . . . . :  11243168
    Storage used on independent ASP . . . . :  *NO  
    Highest scheduling priority . . . . . . . :  3   
    Job description . . . . . . . . . . . . . :  JDE
                    Library . . . . . . . . . . . . . . . . :   QGPL
    Accounting code . . . . . . . . . . . . . :     
    Message queue . . . . . . . . . . . . . . :  JDE
                    Library . . . . . . . . . . . . . . . . :   QUSRSYS
    Message queue delivery . . . . . . . . . . :  *NOTIFY 
    Message queue severity . . . . . . . . . . :  00  
    Output queue . . . . . . . . . . . . . . . :  *DEV
                    Library . . . . . . . . . . . . . . . . :     
    Printer device . . . . . . . . . . . . . . :  *WRKSTN
    Special environment . . . . . . . . . . . :  *SYSVAL
    Attention program . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Sort sequence . . . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Language identifier . . . . . . . . . . . :  *SYSVAL
    Country identifier . . . . . . . . . . . . :  *SYSVAL
    Coded character set identifier . . . . . . :  *SYSVAL
    Character identifier control . . . . . . . :  *SYSVAL
    Locale job attributes . . . . . . . . . . :  *SYSVAL
    
    User profile . . . . . . . . . . . . . . . :  JDEOW
                                      
    Previous sign-on . . . . . . . . . . . . . :  03/23/04 15:28:02
    Sign-on attempts not valid . . . . . . . . :  0       
    Status . . . . . . . . . . . . . . . . . . :  *ENABLED    
    Date password last changed . . . . . . . . :  02/27/03    
    Password expiration interval . . . . . . . :  *NOMAX     
    Set password to expired . . . . . . . . . :  *NO      
    User class . . . . . . . . . . . . . . . . :  *USER     
    Special authority . . . . . . . . . . . . :  *NONE
    Group profile . . . . . . . . . . . . . . :  ONEWORLD     
    Owner . . . . . . . . . . . . . . . . . . :  *GRPPRF    
    Group authority . . . . . . . . . . . . . :  *NONE     
    Group authority type . . . . . . . . . . . :  *PRIVATE    
    Supplemental groups . . . . . . . . . . . :  JDE     
    Assistance level . . . . . . . . . . . . . :  *SYSVAL  
    Current library . . . . . . . . . . . . . :  *CRTDFT  
    Initial program . . . . . . . . . . . . . :  *NONE
                    Library . . . . . . . . . . . . . . . . :   
    Initial menu . . . . . . . . . . . . . . . :  *SIGNOFF
                    Library . . . . . . . . . . . . . . . . :  
    Limit capabilities . . . . . . . . . . . . :  *NO    
    Text . . . . . . . . . . . . . . . . . . . :                              
    Display sign-on information . . . . . . . :  *SYSVAL  
    Limit device sessions . . . . . . . . . . :  *SYSVAL  
    Keyboard buffering . . . . . . . . . . . . :  *SYSVAL  
    Storage information:                 
                    Maximum storage allowed . . . . . . . . :  *NOMAX
                    Storage used . . . . . . . . . . . . . . :  147904
                    Storage used on independent ASP . . . . :  *NO  
    Highest scheduling priority . . . . . . . :  3   
    Job description . . . . . . . . . . . . . :  QDFTJOBD
                    Library . . . . . . . . . . . . . . . . :   QGPL
    Accounting code . . . . . . . . . . . . . :     
    Message queue . . . . . . . . . . . . . . :  JDEOW
                    Library . . . . . . . . . . . . . . . . :   QUSRSYS
    Message queue delivery . . . . . . . . . . :  *NOTIFY 
    Message queue severity . . . . . . . . . . :  00  
    Output queue . . . . . . . . . . . . . . . :  *WRKSTN
                    Library . . . . . . . . . . . . . . . . :     
    Printer device . . . . . . . . . . . . . . :  *WRKSTN
    Special environment . . . . . . . . . . . :  *SYSVAL
    Attention program . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Sort sequence . . . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Language identifier . . . . . . . . . . . :  *SYSVAL
    Country identifier . . . . . . . . . . . . :  *SYSVAL
    Coded character set identifier . . . . . . :  *SYSVAL
    Character identifier control . . . . . . . :  *SYSVAL
    Locale job attributes . . . . . . . . . . :  *SYSVAL
    
    User profile . . . . . . . . . . . . . . . :  OWDBADMIN
                                      
    Previous sign-on . . . . . . . . . . . . . :  03/23/04 15:30:12
    Sign-on attempts not valid . . . . . . . . :  0       
    Status . . . . . . . . . . . . . . . . . . :  *ENABLED    
    Date password last changed . . . . . . . . :  02/27/03    
    Password expiration interval . . . . . . . :  *NOMAX     
    Set password to expired . . . . . . . . . :  *NO      
    User class . . . . . . . . . . . . . . . . :  *PGMR     
    Special authority . . . . . . . . . . . . :  *NONE
    Group profile . . . . . . . . . . . . . . :  ONEWORLD     
    Owner . . . . . . . . . . . . . . . . . . :  *GRPPRF    
    Group authority . . . . . . . . . . . . . :  *NONE     
    Group authority type . . . . . . . . . . . :  *PRIVATE    
    Supplemental groups . . . . . . . . . . . :  JDE     
    Assistance level . . . . . . . . . . . . . :  *SYSVAL  
    Current library . . . . . . . . . . . . . :  *CRTDFT  
    Initial program . . . . . . . . . . . . . :  *NONE
                    Library . . . . . . . . . . . . . . . . :   
    Initial menu . . . . . . . . . . . . . . . :  MAIN
                    Library . . . . . . . . . . . . . . . . :   *LIBL
    Limit capabilities . . . . . . . . . . . . :  *NO    
    Text . . . . . . . . . . . . . . . . . . . :                              
    Display sign-on information . . . . . . . :  *SYSVAL  
    Limit device sessions . . . . . . . . . . :  *SYSVAL  
    Keyboard buffering . . . . . . . . . . . . :  *SYSVAL  
    Storage information:                 
                    Maximum storage allowed . . . . . . . . :  *NOMAX
                    Storage used . . . . . . . . . . . . . . :   0
                    Storage used on independent ASP . . . . :  *NO  
    Highest scheduling priority . . . . . . . :  3   
    Job description . . . . . . . . . . . . . :  QDFTJOBD
                    Library . . . . . . . . . . . . . . . . :   QGPL
    Accounting code . . . . . . . . . . . . . :     
    Message queue . . . . . . . . . . . . . . :  JDEOW
                    Library . . . . . . . . . . . . . . . . :   QUSRSYS
    Message queue delivery . . . . . . . . . . :  *NOTIFY 
    Message queue severity . . . . . . . . . . :  00  
    Output queue . . . . . . . . . . . . . . . :  *WRKSTN
                    Library . . . . . . . . . . . . . . . . :     
    Printer device . . . . . . . . . . . . . . :  *WRKSTN
    Special environment . . . . . . . . . . . :  *SYSVAL
    Attention program . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Sort sequence . . . . . . . . . . . . . . :  *SYSVAL
                    Library . . . . . . . . . . . . . . . . :    
    Language identifier . . . . . . . . . . . :  *SYSVAL
    Country identifier . . . . . . . . . . . . :  *SYSVAL
    Coded character set identifier . . . . . . :  *SYSVAL
    Character identifier control . . . . . . . :  *SYSVAL
    Locale job attributes . . . . . . . . . . :  *SYSVAL