Online Product Support

For more in-depth questions, or any question that is not included in the FAQs, please contact your local Safestone support office for assistance.


General Questions

  1. How many new releases of DetectIT will be available during the year?

    There will be at least one main release per year, with 3 further sub-releases, normally at the end of each quarter.

  2. How can I obtain the current release of DetectIT?

    Contact your DetectIT Advisor and they will arrange this for you.

  3. Before activating DetectIT Network Traffic Controller do I need to check whether I am already using the OS/400 exit points?

    When activated, the DetectIT Network Traffic Controller will replace any currently registered exit point programs. Therefore you should check whether you have existing programs attached to the IBM exit points. Please perform the following:

    1. Sign on as the ALERT profile
    2. Run the command: RTVINFEXTP
    3. The result of this command is generated into file MSF577 in library @MS. Please send this file to your local Safestone support team for them to analyze.

  4. Can we change the ALERT and ALERT01 profiles to have less authority?

    DetectIT was created to perform security related functions on the System i. Some of these tasks require the same level of authority as the OS/400 security officer, QSECOFR; therefore the high level authorities we grant to these profiles are essential.

    Without *SECOFR user class level authorities, the ALERT and ALERT01 profiles will not be able to perform certain tasks, for example:

    • QAUDJRN system auditing
    • Profile maintenance
    • Policy compliance

    During installation / upgrade, both ALERT and ALERT01 are created / updated with the values USRCLS(*SECOFR) and SPCAUT(*USRCLS). This ensures these profiles have the correct level of authorities irrespective of the OS/400 release. If IBM adds further authorities to the QSECOFR profile, this ensures that those authorities are also granted to the ALERT and ALERT01 profiles.

    Please note that the ALERT profile is the security officer for DetectIT, while ALERT01 is used primarily to process network activity for DetectIT.

  5. How do I find out what release of DetectIT I have on my system?

    From the DetectIT Master menu, take option 65 for the Technical Assistance Information (or option 60 from the older style menus). Alternatively run the following command “CALL MSC710I”.

    For support purposes, your DetectIT Technical Engineer may need to know the latest PTF level of DetectIT. From the same program (‘Technical Assistance Information’) press F10; this will show you which PTFs have been applied to your system. The latest PTF is displayed last.

  6. How does the time-out control method work? What do the values “M” and “R” mean?

    “M” means message control. If the field is set to “M”, the program will replace the QINACTITV and QINACTMSGQ system values. QINACTITV will be set to “5” and QINACTMSGQ will be set to “@MS/TIMEOUTQ”. This means OS/400 will send a message to @MS/TIMEOUTQ whenever a user’s interactive job has been idle for 5 minutes. The action taken by DetectIT will depend upon the timeout action defined against the ‘resident company’ for that user. When using DetectIT profile maintenance, each profile is assigned to a DetectIT company. This company is known as the resident company.

    “R” means Record control. If the field is set to “R”, the QINACTITV and QINACTMSGQ system values are not used or affected. Instead, a system API is used to work out the time a job has been idle. Again, the action taken by DetectIT will depend upon the timeout action defined against the appropriate “resident company”.

  7. What are the names of the DetectIT subsystems? What do they do?

    The DetectIT subsystems are called ALERT and TIMPGM. In order for DetectIT to function fully, these subsystems must be started. The jobs in these subsystems perform a number of functions such as:

    • Monitoring the running of DetectIT
    • Watching a message queue to see if an action needs to be performed
    • Connecting to the DetectIT Graphical Clients

    Many of the jobs will be at a status of “MSGW”, and will only become active when required. Others will have a status of “TIMW”, specifically those waiting for external activity.

  8. Can I use ENDSBS to end the DetectIT subsystems instead of the options on the main menu?

    It is not recommended that you use the OS/400 command, because the DetectIT process performs some housekeeping functions too. For example the Safestone function removes redundant DetectIT jobs and updates a number of parameters. Either use the options on the main menu to End and Start the subsystems, or use the following commands:

    STRALERT - to start ALERT and TIMPGM subsystems
    ENDALERT - to end ALERT and TIMPGM subsystems

  9. Will ending and restarting the DetectIT subsystems cause any problems with users signed onto the System i?

    If the DetectIT subsystems are inactive, this will not stop users performing their regular work. However, some of the security checks will not be provided while the subsystems are down, such as:

    • Intrusion Detection alerts
    • Time-Out processing
    • Network distributions

    We recommend that the subsystems are active at all times.

  10. When a key expires for a module, what is the impact on the settings we have defined within DetectIT?

    If a module key is no longer valid, users can still sign on, the administrators can still stop & start the subsystems, and the settings within the Network Traffic Controller will still be effective.

    However, access is restricted to most DetectIT menu options, in particular where maintenance is concerned. The End of Day process only reports upon data relating to modules with active keys, therefore any expired module will not be audited.

  11. If I make changes to the TCP/IP Connections within the Network Configuration screens, do I need to stop and start DetectIT?

    Yes, you will need to use either the ENDDTISVR or ENDALERT commands to end the DetectIT servers from the TIMPGM subsystem, if you have made ‘TCP/IP Connection’ configuration changes for the ports. Once the changes have been made and the DetectIT servers have fully ended, you must restart them using the STRDTISVR or STRALERT commands.

  12. Can FTP, TELNET and other external connections be restricted to certain IP addresses using DetectIT?

    Yes, you can use a range of IP addresses or just single IP address entries. When entering TCP/IP addresses, wildcards (*) are allowed. However, there may only be one wildcard within each “octet”. Valid entries include:

    • 172.10.12.151
    • 172.20.12.*
    • 172.*.12.*
    • *.*.12.151
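
    An added example, not part of the Safestone documentation: a Python check that validates entries against the rule above (at most one * per octet) and counts how many addresses each entry admits, so that broad entries can be reviewed before they are keyed in. It assumes a * stands for zero or more digits within its octet; the function names are illustrative and DetectIT's own matching may differ.

```python
import re

# One octet: digits with at most one '*' anywhere in it (assumed syntax).
_OCTET = re.compile(r"\d{0,3}\*?\d{0,3}")


def parse_pattern(pattern):
    """Return four compiled per-octet regexes, or raise ValueError."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"{pattern!r}: expected four octets")
    compiled = []
    for octet in octets:
        if not octet or not _OCTET.fullmatch(octet):
            raise ValueError(f"{pattern!r}: bad octet {octet!r}")
        if "*" not in octet and int(octet) > 255:
            raise ValueError(f"{pattern!r}: octet {octet!r} exceeds 255")
        # Assumption: '*' matches zero or more digits inside its octet.
        compiled.append(re.compile(octet.replace("*", r"\d*")))
    return compiled


def matches(pattern, address):
    """True if the dotted-decimal address is admitted by the pattern."""
    regexes = parse_pattern(pattern)
    parts = address.split(".")
    if len(parts) != 4 or not all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    ):
        return False
    # Compare canonical decimal text so "012" and "12" are treated alike.
    return all(rx.fullmatch(str(int(p))) for rx, p in zip(regexes, parts))


def breadth(pattern):
    """Number of IPv4 addresses the pattern admits."""
    total = 1
    for rx in parse_pattern(pattern):
        total *= sum(1 for value in range(256) if rx.fullmatch(str(value)))
    return total


if __name__ == "__main__":
    # The four valid entries listed above, plus one constructed invalid entry.
    for entry in ["172.10.12.151", "172.20.12.*", "172.*.12.*",
                  "*.*.12.151", "172.**.12.1"]:
        try:
            print(f"{entry:15} admits {breadth(entry)} address(es)")
        except ValueError as err:
            print(f"rejected: {err}")
```

    An entry such as *.*.12.151 admits 65,536 addresses across unrelated networks, which is worth confirming as intended before it is used to permit FTP or TELNET.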

  13. Are there any special procedures I need to take to deal with DetectIT when running nightly backups on my System i (or system saves, IPLs, etc.)?

    Yes, you will want to make sure that the DetectIT subsystems have ended prior to any of the procedures involving ending the system or backing up of files. Use the ENDALERT command from either your own procedures, from the command line or take the appropriate option on the DetectIT Master Menu. Be sure to allow enough time for the jobs in the ALERT and TIMPGM subsystems to end controlled. Likewise, you should use the STRALERT command in your startup job that runs after an IPL or backup.

  14. Can I print the reports from the Graphical software to my PC?

    Yes, in the DetectIT Graphical modules you can print your report into Word, plain text, CSV, HTML or straight to a printer.

  15. How do I configure the work server and report server ports on the System i, so that I can use the DetectIT Graphical client?

    Follow these steps:

    • Ensure you are signed on as the ALERT profile.
    • On the command line, type: WRKDTITCP.
    • Check whether a ‘product’ called DTIE is present.
    • If it is not present, take F6 to ‘Add’.
    • Enter a 1 against DTIE and press enter twice (ensure that the port number is the same as defined in the Graphical client)
    • Repeat the above steps for a product called DTIERPT - the reports server
    • From the command line, enter STRALERT to start the DetectIT subsystems and plus series servers. NOTE - if the DetectIT subsystems are already started they will need to be ended before the STRALERT.

  16. How can I tell whether my DetectIT Graphical client is communicating with the System i?

    The status bar, at the bottom of the window, should show the system name or IP address of the System i you are connected to. Each time a request is sent to the System i, and the PC is waiting for the response, an animated DetectIT logo is displayed. In the Networked version of the Graphical client you can verify the connection to the System i by selecting ‘Verify Connection’ from the ‘Connections’ drop down menu.

    In addition, you can check whether the relevant jobs, (ALERTDS02 and ALERTDS03) are running on the System i. From a command line enter:

    WRKACTJOB SBS(TIMPGM)

    and check whether either of the jobs is in RUN status (at other times the status will be TIMW).