# Kato Spaces Documentation
---
# Connecting Using a Public IP
> Explains how the Kato Spaces firewall allow list controls access via public IPv4 addresses, including the types of rules available and how to request changes.
Your system was most likely issued with a public IPv4 address when it was provisioned. Kato Spaces systems make use of a firewall allow list to manage access via the public IP. The firewall is managed by the Kato Spaces support team.
By default, all inbound traffic is blocked by the firewall. The firewall allows us to create rules that allow access restricted by IP address, port, or by a range or ports or services. For example, any of these would be valid rules that we could create in the firewall:
- Grant access to all traffic originating from a specific IP address
- Grant access to traffic originating from any IP address that is targeting port 80
- Grant access to traffic originating from any IP address that is targeting any port in the range 16750-16800
You can create any number of firewall rules for your public IP - you are not restricted to a limited number of open ports or allowed IP addresses.
If you need to make changes to your firewall allow list, please reach out to our support team at team@katointegrations.com.
---
# Connect Using an SSL VPN Client
> Guide to connecting via Cisco AnyConnect SSL VPN, including account setup, client installation and configuration, and accessing IBM i using local IP addresses once connected.
We offer the Cisco AnyConnect SSL VPN client to allow secure connections from any IP address to your IBM i. The SSL VPN client is an alternative to utilizing the allow list in the [firewall](https://isupport.katointegrations.com/kato-spaces/publicip.md), and can be beneficial for users that travel or who connect from a location that does not have a static IP address.
To request an SSL VPN user account, please email us at team@katointegrations.com; one account is included in your Kato Spaces monthly subscription, and additional SSL VPN user accounts are $5/month.
## Installing the SSL VPN Client
First, you need to download and install the Cisco AnyConnect client for your operating system - the web site should auto-detect this and provide the correct download. Open your preferred browser and go to [vpn.katointegrations.com](https://vpn.katointegrations.com). Select the "Users" group from the drop down, then enter your username and password as provided by our support team and click Login:
Once the login completes, click the button to download the client:
Follow the installation wizard:
Once you have it installed, open up the Cisco AnyConnect Client and enter in the VPN address in the box and click "Connect":
Ensure that the Users group is selected from the drop down and login with your credentials:
You should now be connected to the VPN:
## Connecting to Your IBM i With the SSL VPN
When you are connecting over the VPN, you should connect to your IBM i using the local IP address. This is the address that generally starts with 172:
The VPN only redirects traffic destined for your IBM i - it will not redirect other traffic.
---
# Set Up SSL/TLS for TELNET
> Step-by-step instructions for securing TELNET connections with SSL/TLS, covering self-signed certificate creation in DCM and configuring IBM Access Client Solutions to use SSL.
Your IBM i can be configured to allow you to connect via TELNET using TLS/SSL, which offers a more securable connection. This guide demonstrates how to create a self-signed certificate to use to authenticate the TELNET connections, and how to assign it to the TELNET service.
## Creating the Self-Signed Certificate
First, you need to ensure that the ADMIN server is running on your system. If you are unsure, see our page on [Navigator for i](https://isupport.katointegrations.com/kato-spaces/navigator.md) for more information.
Open your preferred browser and navigate to DCM - Digital Certificate Manager - for your IBM i at the following URL:
`http://[your IBM i IP]:2006/dcm/login`
If you are connected using our [SSL VPN client](https://isupport.katointegrations.com/kato-spaces/sslvpn.md), the IP address you would reference is the local IP address. Otherwise if you are [whitelisted in the firewall](https://isupport.katointegrations.com/kato-spaces/publicip.md), use the public IP address of your system.
Login to your system using a profile with elevated permissions. Each Kato Spaces customer has QSECOFR access to their system.
Click "Open Certificate Store" and select \*SYSTEM:
Enter your password, if you have set one for the \*SYSTEM store. If you don't know your \*SYSTEM store password, you can reset the password.
Click "Create" to start the wizard to create a new Certificate Authority:
Select "Local CA":
Fill in the required fields. For "Common Name", which expects a URL, you can use your IP address as well. Click "Create" at the bottom of the page to continue.
## Assigning the Self-Signed Certificate
You should now be at the main page for the \*SYSTEM store and see your new certificate in the list of Server/Client certificates in DCM:
Click "View" on the certificate card to pull up the certificate page, then click "Assign" from the top navigation to go to the list of SSL applications:
Scroll down the list until you find the application named Q_QTV_TELNET_SERVER, the IBM i TCP/IP Telnet Server. There will be two similar listings, be sure you are selecting the SERVER listing, not the CLIENT listing:
Check the box for the server, then click "Replace" (if it is available) or "Add" at the top:
You should see a success message:
## Configuring Your Client
Access Client Solutions needs to be configured to attempt to connect using TLS settings. If you are not using Access Client Solutions, you'll need to make similar changes but your user interface will be different.
Click on "System Configurations":
Select your system and click "Edit"
Check the box for "Use SSL for connection", then click "Verify Connection":
While verifying the connection, it will prompt you to accept the new certificate we assigned to the connection:
Click "Yes" to accept the certificate. The connection verification will complete. Click "Apply" in the system configuration menu to finish configuration
---
# Managing the FTP Server
> Covers checking FTP server status, starting the FTP server, and verifying it is running on an IBM i Kato Spaces system.
You are able to use FTP to transfer data to and from your Kato Spaces IBM i. IBM offers documentation on managing your FTP server using their System i Navigator: [https://www.ibm.com/docs/en/i/7.5?topic=i-managing-ftp-server](https://www.ibm.com/docs/en/i/7.5?topic=i-managing-ftp-server)
Here are alternative directions for managing your FTP server using the command line interface.
## Check If Your FTP Server Is Running
1. On a 5250 session command line, type `NETSTAT` and press enter.
2. Take option `3`.
3. Look for an entry with the Local Port value of `ftp-con`. If this entry is present, your FTP server is running.
## Starting the FTP Server
1. On a 5250 session command line, type `STRTCPSVR *FTP` and press enter.
2. The FTP server will start shortly.
3. You can confirm that the FTP server is running by calling `WRKACTJOB JOB(QTFTP*)` - if there are one or more jobs present in that list, the FTP server has started.
---
# Client Applications and Emulators
> Guide to IBM Access Client Solutions (ACS) for connecting to Kato Spaces, including installation, system configuration, 5250 terminal emulation, and IFS/SQL access.
While there are many options to connect to your IBM i, we recommend and support connecting with IBM's Access Client Solutions.
You can download the IBM Access Client Solutions package here: [https://www.ibm.com/support/pages/ibm-i-access-client-solutions](https://www.ibm.com/support/pages/ibm-i-access-client-solutions)
Follow the instructions on the above page specific to your operating system to install the package.
## Connecting to Your IBM i
Open Access Client Solutions and click on "System Configurations":
Click on "New":
Enter the IP address in the "System name" field. Click "OK" to save the new system:
You'll be returned to the System Configurations list, will which now display the new system:
You can also configure a new system using a "pretty" name (for example, the system name) or a domain name, and specify the IP address for the connection. In the "Add New System" page on the "General" tab, enter the desired name in the "System name" field (in this case, we're using a domain name):
Now, click over to the "Connection" tab. Click the drop-down menu next to "IP address lookup frequency" and select "Never - Specify IP address". Then, populate the system IP address in the text box below:
Click "OK" to create the new system configuration. You'll again be returned to the list of systems and, in our case, see both configured systems:
Note how the second entry - the one where we specified the IP address in the Connection tab - lists the IP address on this pane but the first entry does not.
Now, to connect to a terminal session, close the System Configurations menu and return to the main IBM i Access Client Solutions (ACS) window. Click on the System dropdown and select your system. Then, click on the "5250 Emulator" link:
An emulator window should open with a login box. Enter your system credentials to connect.
## Other Features of Access Client Solutions
IBM has added many powerful features to their Access Client Solutions product. You can directly access the IFS for FTP and file transfer using the "Integrated File System" link. You can view spooled files with the "Printer Output" link. The "Run SQL Scripts" link can be used to retrieve records from database files using SQL queries. We recommend using ACS to connect with your Kato Spaces IBM i and explore the connection utilities it offers.
---
# Licensed Programs
> Lists the licensed programs available on Kato Spaces systems, either pre-installed or available on request at no additional cost.
Kato Spaces systems come with a number of License Programs either preinstalled or available for install on request at no additional cost.
If there are programs on this list that are not installed on your system and you would like to request that they be installed, please reach out to our team at team@katointegrations.com.
| Product ID | Name | Notes |
|------------|------|-------|
| 5770-DG1 | HTTP Server for i | |
| 5770-JV1 | Developer Kit for Java | |
| 5770-NAE | Network Authentication Enablement for i | |
| 5733-SC1 | Portable Utilities for i | |
| 5770-TC1 | TCP/IP | |
| 5770-TS1 | Transform Services for i | |
| 5770-UME | Universal Manageability Enablement for i | |
| 5770-XE1 | IBM i Access for Windows | We do not support connections via Access for Windows; it is recommended that IBM Access Client Solutions is used instead |
| Zend | | |
| 5733-ARE | IBM Administration Runtime Expert | |
| 5798-FAX | IBM Facsimile Support for i | |
| 5770-SM1 | IBM System Manager for i | |
| 5770-DFH | IBM CICS Transaction Server for i | |
| 5770-MG1 | IBM Managed System Services for i | |
| 5770-SS1 | IBM i Option 23, OptiConnect | |
| 5770-SS1 | IBM i Option 44, Encrypted Backup Enablement | |
| 5770-SS1 | IBM i Option 45, Encrypted ASP Enablement | |
| 5770-SS1 | IBM i Option 18 Media & Storage Extensions | |
| 5770-SS1 | IBM i Option 26 DB2 Symmetric Multiprocessing | |
| 5770-SS1 | IBM i Option 27 DB2 Multisystem | |
| 5770-SS1 | IBM i Option 38 PSF for IBM i Any Speed Printer Support | |
| 5770-SS1 | IBM i Option 41 HA Switchable Resources | |
| 5770-SS1 | IBM i Option 42 HA Journal Performance | |
| 5761-AMT | Rational Application Management Toolset | |
| 5770-AP1 | Advanced DBCS Printer Support | |
| 5733-B45 | AFP Font Collection for i | |
| 5770-BR1 | Backup, Recovery and Media Services | |
| 5761-DB1 | System/38 Utilities | This has been discontinued on 7.5 |
| 5761-CM1 | Communications Utilities | |
| 5761-DS2 | Business Graphics Utility | |
| 5648-E77 | InfoPrint Fonts | |
| 5769-FN1 | AFP DBCS Fonts | |
| 5769-FNT | AFP Fonts | |
| 5770-JS1 | Advanced Job Scheduler for i | |
| 5770-PT1 | Performance Tools | |
| 5770-QU1 | Query for i | |
| 5770-ST1 | DB2 Query Manager and SQL Dev Kit for i | |
| 5733-XT2 | XML Toolkit | |
| 5770-XW1 | IBM i Access Family | Unlimited users included |
There may be additional packages not listed here that are available. If you have questions, please reach out to our team.
---
# Installing PTFs
> Complete guide for independently ordering and installing IBM i PTFs (single, cumulative, and group packages) including apply options and verifying PTF status.
As a Kato Spaces hosting customer, you have a QSECOFR profile and full access to your system. This allows you to order and install any PTFs - including Technology Refreshes and CUME packages - for your system.
Installing Technology Refreshes is more complex than installing single PTFs or packages. If you want to install a TR, we'd recommend following IBM's guidance - including reading their upgrade planning and customer notices - found here: [https://www.ibm.com/support/pages/ibm-i-technology-refresh](https://www.ibm.com/support/pages/ibm-i-technology-refresh)
The easiest way to manage PTF installations is through the `GO PTF` menu:
## Ordering PTFs
Take option `6` to open the Send PTF Order menu:
Enter either the PTF number in the first first, or you can specify a special value to order a cumulative package or group package:
*Send PTF Order menu configured for a specific PTF:*
*Send PTF Order menu configured for a cumulative PTF package:*
Press Enter to confirm the pre-populated contact information:
Take option 1 to send the service request and order the PTF:
You'll see a variety of diagnostic and progress messages as the PTF downloads:
Once the download is complete, you'll see a success message and be returned to the `GO PTF` menu:
## Installing PTFs
From the `GO PTF` menu, take option `8` to open the Install Options for Program Temporary Fixes menu:
Specify `*SERVICE` for the Device parameter. Set Automatic IPL to `N` - you can perform a manual IPL afterwards if needed. Set Other options to `Y`.
On the Other Install Options screen, change Apply type to `2` to Apply immediate and set delayed PTFs:
Press Enter to continue. The install will begin and progress messages will be displayed at the bottom of the screen:
Once the load is complete, you'll be returned to the `GO PTF` menu. If needed, you can proceed to performing an unattended IPL with `PWRDWNSYS`.
## Confirming PTF Status
From the `GO PTF` menu, take option `5` to Display a Program Temporary Fix:
You can either populate information for a specific PTF or leave the parameters populated with `*ALL` to view PTF information for all installed PTFs. In our example, we'll look at the PTF we just installed above, SI84743. Note that when specifying a single PTF number, you must specify the product parameter as well:
Press Enter to be brought to the Display PTF Details menu:
From here, you can view information about the PTF. If you take option `1` to view General Information:
It shows basic information about the PTF but importantly it shows that the PTF is **Temporarily applied**, because we just performed the installation (but we have not performed an IPL). Once we perform an IPL, this PTF will be **Permanently applied**. Let's look at another PTF:
This PTF status is **Superseded** - it was effectively replaced by a newer PTF and no longer needs to be installed separately. Instead, the newer superseding PTF should be installed.
You can also view PTF status if you choose to take option `5` from the `GO PTF` menu and pull up all PTFs - you can then use `F17` (Position to) to search for a specific PTF:
---
# Change System Configuration
> Explains how to request changes to system resources (memory, CPW, disk) and iASP provisioning, including typical turnaround, billing, and downtime expectations.
Your system is highly configurable. We can increase your system memory, CPW, and disk space upon request, generally within the same business day and without requiring system downtime.
You can also request the provisioning of an iASP. If this is not requested during the initial provisioning of the system, you will generally need to purchase additional disk space in order to properly allocate disk resources to the iASP.
To request changes to system configuration, please reach out to our team at team@katointegrations.com with your desired system change. When increasing system resources, additional monthly charges will apply and you will be subject to a pro-rated charge for the remainder of your current month's service.
**Note:** In circumstances where system downtime is needed to change system resources, this will be communicated before any changes are made. Downtime is usually not longer than the duration of an IPL.
If you'd like to review pricing for each upgrade, please see our order form at katointegrations.com.
---
# Requesting Support from Kato Integrations
> Describes how to contact the Kato Integrations support team for troubleshooting and system issues.
Our support team can assist with most troubleshooting and issues with your system. To reach our team, email us at team@katointegrations.com.
---
# Requesting OS Upgrades
> Covers the process for requesting an OS upgrade, including downtime requirements, scheduling, backup options, and the information needed to submit a request.
Your Kato Spaces system has access to operating system upgrades, performed by our team.
Operating system upgrades generally require about 6-8 hours of system downtime, and need to be scheduled a few weeks in advance. An optional full system save can be performed before the upgrade takes place, which provides an additional level of safety in the event that a rollback is needed. While there is no charge for the operating system upgrade itself, the system save/backup is an additional charge (except for customers who have our 14-day VTL backup package, who do not incur this additional charge).
To schedule an operating system version upgrade, please provide the following information:
1. The operating system version you want to upgrade to
2. When you would like to schedule your upgrade - a specific date/time, or a range (ie. "any time on weekends" or "weekdays after 5PM Central")
3. Whether you would like to include the full system backup
4. If there are any concerns about compatibility with third-party programs
Please email our team at team@katointegrations.com with this information to schedule your operating system upgrade.
---
# Escalating Support to IBM
> Guide for opening IBM support cases for Kato Spaces systems, including how to retrieve required system and PTF information and IBM contact details.
Your Kato Spaces IBM i system includes access to IBM support. You can open a case through [IBM's support page](https://www.ibm.com/mysupport/s/?language=en_US) or by calling their service line: 1-800-IBM-SERV (1-800-426-7378)
You will need to provide information about your IBM i partition. To retrieve system serial and partition information, execute the following steps:
1. `CALL QCMD`
2. `CALL QSYS/QLZARCAPI`
You should see output like this:
You will also need to confirm information about the PTF levels of your system - you can retrieve this information by calling `STRSQL` (or another utility to run SQL scripts on your IBM i), then executing the following query:
`SELECT * FROM systools.group_ptf_currency`
You should see output like this:
This shows the update status of your PTF groups, and you should take note of which groups are not up to date and check the installed levels with `WRKPTFGRP`.
If asked to provide the owner and maintainer of the system, the IBM i hardware is owned and maintained by Connectria.
---
# Frequently Asked Questions
> Answers common questions about Kato Spaces covering user profiles, data restoration, initiating an IPL, and IPSec VPN provisioning.
Here, we've collected some of the most frequently-asked questions, or questions that didn't fit into other pages on our support site.
If you have a quesiton that isn't addressed here or elsewhere, please reach out to us at team@katointegrations.com.
**Q: How many users are licensed on the system?**
A: You have unlimited IBM i user profiles.
**Q: Can you restore my system save onto my partition?**
A: Yes - please reach out to us at team@katointegrations.com and we can make arrangements to restore your data.
**Q: Can we IPL our system?**
A: Yes, you can IPL your system without needing to request our permission or give us notice. Make sure that you specify `RESTART(*YES)` on your `PWRDWNSYS` command to ensure that the system comes back up on its own, since you do not have access to the console.
**Q: Can we configure an IPSec VPN tunnel?**
A: Yes - please reach out to us at team@katointegrations.com as we need to collect additional information about your network in order to provision the IPSec tunnel.