Tabula Rasa

Our title is Latin for “scraped tablet” or “blank slate”. I find it fitting since I intend to talk about the ‘best’ way to fully erase your system using native iSeries support. This question arises frequently when Disaster Recovery testing is performed at an offsite location, or when a company has upgraded its iSeries and is relocating the old box. Most businesses require that the system be totally scrubbed before hand-off.

Over the years I have seen many methods used to clear user data off an iSeries. One of the simplest methods I’ve seen is:

  • DLTLIB on all user libraries
  • RCLSTG

But then you have to worry about folders, user profiles, spooled files, output queues, job queues, network attributes, authorization lists… Some folks pursue this list in perpetuity, but I don’t feel this is the right approach.

IBM does offer tips on how to wipe data off your disks, and the one I like best involves using LIC install and DST to initialize all the drives with zeros. Here are the detailed steps:

  1. Do a D Manual IPL using a SAVSYS, full system save or LIC install CD
  2. Select option 1 to “Install LIC”
  3. Select option 5 to “Install Licensed Internal Code and Initialize System”
  4. After the install of LIC is complete, the system will IPL to the DST primary menu
  5. Add all the disk drives to the system ASP (ASP 1). This writes zeroes on the disk drives so only LIC is loaded
    • Take option 3 to “Use DST”
    • Work with Disk Units
    • Work with Disk Configuration
    • Work with ASP Configuration
    • Add units to ASPs
    • Type 1 in front of all the available units (if using the LIC install CD (I_Base), the default password for QSECOFR is QSECOFR)
  6. Power off the system by pressing the power button two times. The system is clean and ready to go!

For partitioned systems, there is more work following step 4. Basically, all the partition drives have to be re-added to the system ASP.

Here are the step 4-b instructions for a partitioned system. You will be presented with these options while in DST:

  • Work with system partitions
  • Recover configuration data
  • Clear non-configured disk unit configuration data
  • Exit back to DST primary menu
  • Follow steps 5 and 6 from this point on.

This type of clean up is sufficient for most iSeries shops.

If, however, your system contains state secrets, note that this type of disk cleanup does not follow the DoD (Department of Defense) 5220.22-M standard. No 3rd party application can have access to a non-configured disk unit on the iSeries, so there is currently nothing available for the iSeries. IBM recommends that disks be physically destroyed if the DoD standard has to be enforced.

I, on the other hand, believe that one could try configuring the iSeries disk drive inside a PC and use a vendor tool that complies with DoD 5220.22-M (e.g. KillDisk) to wipe all the data off of it.
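If the drive can be read from a PC as suggested above (or an image of it has been taken), the zero-fill done by the DST initialization can be checked rather than assumed. This is an added example, not part of the original post; the function name, the 512-byte sector size and the sample image are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so drives of any size can be scanned


def scan_for_nonzero(path, sector_size=512, chunk_size=CHUNK):
    """Scan a raw device or image file for data that survived a zero-fill.

    Returns (bytes_scanned, first_nonzero_offset or None, nonzero_sector_count).
    """
    if chunk_size % sector_size:
        raise ValueError("chunk_size must be a multiple of sector_size")
    scanned, first, dirty = 0, None, 0
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(chunk_size)
            if not chunk:
                break
            # Fast path: an all-zero chunk needs no per-sector work.
            if chunk.count(0) != len(chunk):
                for off in range(0, len(chunk), sector_size):
                    sector = chunk[off:off + sector_size]
                    if any(sector):
                        dirty += 1
                        if first is None:
                            # Absolute offset of the first non-zero byte found.
                            first = scanned + off + next(i for i, b in enumerate(sector) if b)
            scanned += len(chunk)
    return scanned, first, dirty


def demo():
    # Constructed sample: a 4-sector "drive" with leftover text in sector 2.
    image = bytearray(4 * 512)
    image[1034:1034 + 8] = b"PAYROLL1"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(image)
    try:
        return scan_for_nonzero(f.name)
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    scanned, first, dirty = demo()
    print(f"scanned={scanned} first_nonzero={first} nonzero_sectors={dirty}")
```

A clean result covers only the sectors the PC can address; it says nothing about whether the wipe meets DoD 5220.22-M.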

Happy cleaning.

6 Replies to “Tabula Rasa”

  1. Thank you!!!!
    This was exactly what I was looking for.
    Very good help.

    Only thing that was different for me was step #3:
    > select option 5 to “Install Licensed Internal Code and Initialize System”
    Mine was option 2, but still had the text, “Install Licensed Internal Code and Initialize System”.

    Again, thank you for your blog!

  2. Great work!

    If adding the disks to the ASP actually writes zeros to those disks then what does the option 2 (install LIC and initialize system) do, apart from install the LIC? Does it keep disk config and LPAR config intact on disk 1? Doesn’t this step also delete all data from disks in ASP 1?

    Thanks – and if you can answer the above that would be great!

  3. Here is a more detailed version (especially useful for newbies, etc.):

    To properly erase or clear all of the data from a system (AS400-iSeries-System i) you will need to format or initialize the disk drives — for example, when you are selling a system or otherwise discarding it (this will effectively write “zeros” to all the drives and overwrite the data that was on them):

    You will want to perform (or otherwise have a recent copy of) a full “21” save of the system before starting this procedure if you need any of the existing data.

    These are base instructions that were originally provided by IBM Rochester and have been modified accordingly to be more intuitive and user friendly.

    🙂

    Insert the CD labeled “I_BASE_01” (it should have Licensed Internal Code or LIC written on it) into the system CD/DVD drive (preferably the newest CD that you can find that matches your currently installed operating system i.e. V5R3, V5R4, etc. — usually indicated by a re-spin or revision code beginning with RS* example: RSB, RSF, RSK, etc.).
    Change the front panel of the system to MANUAL mode (Use the front panel buttons to change/increment the 01 to 02 and press the accept button — usually the middle one — and continue to adjust each letter from there until the panel shows “02 D M”)
    Once the system shows “02 D M”, change the 02 back to 01 so the front panel shows “01 D M” and press the accept button and confirm the change.
    Once the front panel shows “01 D M”, sign on to the system (preferably the system console and preferably with QSECOFR authority) and type the following command on the command line: PWRDWNSYS *IMMED *YES and press enter. This will cause the OS to perform a “D” mode IPL (or reboot) of the system (“D” tells the system to boot from the CD/DVD drive).
    This will usually take 30-45 minutes and will then display a screen on the console to select a language for the Licensed Internal Code (LIC). Select the language 2924 if requested and press to confirm.
    The first menu should show an Option 1 to Install Licensed Internal Code. Take this option and press .
    The next menu should show an Option 2 to Install Licensed Internal Code and Initialize System. Take this option and press .
    Press the appropriate function key (usually F10) to continue the install of the Licensed Internal Code (LIC). The system will initialize the load source drive and install LIC from the CD. This process usually takes about 60 to 90 minutes, sometimes longer.
    Once the load source is initialized and LIC installation is complete, the system will perform an IPL of the Licensed Internal Code (LIC).
    You may get a couple of messages regarding disk or console settings, just press F10 as necessary to continue through these messages.
    The system should then take you to IPL / Install Operating System / Dedicated Service Tools (DST) menu.
    Take the option to go into DST (usually option 3)
    Sign on to DST with user profile QSECOFR and pwd QSECOFR (all caps).
    Take the option to Work with Disk Units — usually option 4.
    Take the option to Work with Disk Configuration — usually option 1.
    Take the option to Work with ASP Configuration — usually option 3.
    Take the option to Add Units to the ASPs — usually option 3.
    Type a “1” in front of all the available disk drive (DASD) units on the screen (you may need to page down to get all of them) and press to confirm. (You may get some messages regarding disk or DASD settings, press F10 as necessary to continue through these messages.) The process to add these drives may take up to two hours, depending on your system and the quantity and size of disk drives you are adding.
    Once the drives are added, power down the system by pressing the white power button on the front panel. Some systems require you to press the button a second time and some require you to hold the button down for several seconds until it starts to shut down. Otherwise, you can just unplug it and you are done!

    Regards,
    Reid Collier
    Sr. Technical Solutions Engineer
    IBM Certified Solutions Expert
    ibmmidrangeguy@gmail.com

  4. This all sounds great but I truly am a NEWBIE and I am trying to scrub a single partition on a multiple partitioned machine. Most of the examples above deal with a single partitioned system. I would certainly appreciate any additional recommendations on how to deal with this issue, especially when directions state that I should IPL from the panel. Both of my systems are controlled via an HMC. Would I have to bring down ALL partitions?

  5. Actually, simply deleting ASP data from ASP1 (*SYSBAS) from a manual A IPL to DST will wipe everything but LIC and force an OS reload. IBM now also provides a DOD level wipe utility.

  6. I tried to delete ASP data from ASP1 and manual A IPL to DST and it wiped everything but LIC, but then my coworker (who bet me he could) was able to simply install the OS again and recover the confidential data. This is NOT what I wanted. I want the data completely wiped, but I didn’t want to take a long time to do it before getting rid of this system.
