Online Product Support

For more in-depth questions, or any question that is not covered in the FAQs, please contact your local Safestone support office for assistance.


Interfacing Questions - Symantec’s ESM & ITA for System i

  1. On which platform does the DetectIT ESM interface run?

    The interface is available on IBM pSeries (RS/6000), Sun Solaris, Windows 2003 Server, Windows 2000 and Windows NT.

  2. What is a “proxy agent”?

    A proxy agent is an existing, working ESM agent that acts as a proxy for the System i agent. When an OS/400 policy check is run from the ESM console, the ESM Manager asks the proxy agent to run the policy. The proxy agent then contacts the System i to collect the data. Note: the ESM Manager and the proxy agent can be the same system, if you wish.

  3. What do I need to do on the proxy agent before I install the interface?

    The ESM 4.5 (or above) agent software must be installed and the proxy agent registered with the ESM manager. This will allow the interface install routine to register the OS/400 policy checks. It also ensures that the OS/400 policy checks can run successfully.

  4. I have been told I need to register my System i with the ESM Manager. How do I do that?

    Use the register command shipped with the ESM software. The following command string must be executed on the proxy agent:

    register -A -x [agent] -X AS/400 -b as400 -m [manager] -U [user] -P [password]

    where:

    • [agent] = name of the System i agent (use System i network attribute ‘Current system name’)
    • [manager] = ESM manager
    • [user] = ESM user name
    • [password] = ESM user password
  5. Where can I find the register command?

    The register command is located in the sub-directory containing the executables for the “native” ESM agent. The defaults are:

    • For Windows 2003: [ESM directory]\bin\w3s-ix86
    • For Windows 2000: [ESM directory]\bin\w2k-ix86
    • For Windows NT: [ESM directory]\bin\nt-ix86
    • For Solaris: [ESM directory]/bin/solaris-sparc
    • For AIX: [ESM directory]/bin/aix-rs6k
  6. How do I check the System i “Current system name”?

    Sign on to the System i using the ALERT profile and enter the DSPNETA command.

  7. Why does ‘register’ not recognize the OS/400 operating system?

    The OS/400 operating system was introduced to ESM in release 4.5. Therefore the proxy agent must be running ESM 4.5 (or above).

  8. Why does an AS/400 policy run complete with ERRORS?

    The ESM “system” sub-directory must contain a sub-directory with the name of the System i agent. The System i agent sub-directory must also contain a “tmp” sub-directory. If these do not exist, create the directories using the following commands:

    mkdir [ESM directory]\system\[agent]
    mkdir [ESM directory]\system\[agent]\tmp

    where:

    [agent] = name of the System i agent (name as used in the ‘register’ command)

  9. The System i sub-directory exists, but policy runs still complete with ERRORS

    The DetectIT ESM interface must know the correct TCP/IP port to communicate with OS/400. Check whether the correct port number has been defined. The port details are stored in the file DTIHosts. DTIHosts is located in the sub-directory containing the executables for the “native” ESM agent.

  10. How do I update file DTIHosts?

    DTIHosts can be edited using any text file editor. For example:

    • For Windows 2003: edit [ESM directory]\bin\w3s-ix86\DTIHosts
    • For Windows 2000: edit [ESM directory]\bin\w2k-ix86\DTIHosts
    • For Windows NT: edit [ESM directory]\bin\nt-ix86\DTIHosts
    • For Solaris: vi [ESM directory]/bin/solaris-sparc/DTIHosts
    • For AIX: vi [ESM directory]/bin/aix-rs6k/DTIHosts

    Each line in DTIHosts must contain the following entries:

    • System i connection[space]TCP/IP port[space]System i name
    • TCP/IP port = TCP/IP port number for communicating with System i. This must be the same as defined on the System i through the “Work with TCP/IP Connections” option.
    • System i name = Name of System i agent (as shown in ESM/Manager)

    Important note: Do NOT insert a space at the beginning of a line.
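
The checks from questions 8 to 10 can be run together before a policy run. The following is an added example, not part of the DetectIT or ESM software: the function names are hypothetical, the "System i connection" field is treated as an opaque token, fields are assumed to be separated by exactly one space, blank lines are assumed to be ignored, and `system_i_port` is the port number read by hand from the System i.

```python
from pathlib import Path

# Constructed sample DTIHosts content; addresses, ports and names are invented.
SAMPLE = (
    "10.0.0.5 5100 PRODSYS\n"
    " 10.0.0.6 5101 TESTSYS\n"  # leading space
    "10.0.0.7 esm DEVSYS\n"     # port is not a number
    "10.0.0.8 5102\n"           # System i name missing
)


def check_dtihosts(text):
    """Return ({name: (connection, port)}, [(line_no, problem)])."""
    entries, problems = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # assumption: blank lines are ignored
        if line[0].isspace():
            problems.append((no, "line starts with whitespace"))
            continue
        fields = line.rstrip().split(" ")
        if len(fields) != 3 or "" in fields:
            problems.append((no, "need 3 fields separated by single spaces"))
            continue
        connection, port, name = fields
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append((no, f"invalid TCP/IP port {port!r}"))
            continue
        entries[name] = (connection, int(port))
    return entries, problems


def missing_agent_dirs(esm_dir, agent):
    """Directories required under [ESM directory]/system that do not exist."""
    base = Path(esm_dir) / "system" / agent
    return [str(p) for p in (base, base / "tmp") if not p.is_dir()]


def preflight(esm_dir, agent, dtihosts_text, system_i_port):
    """List findings that the FAQ ties to policy runs ending with ERRORS."""
    entries, problems = check_dtihosts(dtihosts_text)
    findings = [f"DTIHosts line {no}: {msg}" for no, msg in problems]
    findings += [f"missing directory: {d}" for d in missing_agent_dirs(esm_dir, agent)]
    if agent not in entries:
        findings.append(f"no DTIHosts entry for {agent}")
    elif entries[agent][1] != system_i_port:
        findings.append(f"DTIHosts port {entries[agent][1]} differs from {system_i_port}")
    return findings
```

An empty list from `preflight` means the directory layout and the DTIHosts entry for that agent are consistent with the answers above; it does not test whether a firewall blocks the port.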

  11. What must be active on the System i for a policy run to succeed?

    A DetectIT server job called ALERTDS01 must be active. This job runs in subsystem TIMPGM.

  12. How do I start the ALERTDS01 server job?

    The job is started automatically as part of the DetectIT subsystem start up routine. Use the STRALERT command to start the DetectIT subsystems.

  13. Why is job ALERTDS01 not active after STRALERT has been run?

    In order for the job to stay active the following conditions must be satisfied:

    • The DetectIT Security Audit and Detection module must be licensed on your System i
    • A TCP/IP port must be assigned to the ESM server job
  14. How do I check / assign the TCP/IP port used by the ESM server job on the System i?

    This can be done as follows:

    DetectIT Native

    1. Signon to the System i using the ALERT profile
    2. Execute the command WRKDTITCP

    To assign the TCP/IP port:

    1. Select F6 = Add
    2. Enter option “1” against product “ESM”
    3. Enter the required TCP/IP port number (this must be the same as entered in “DTIHosts”).

    To change the TCP/IP port:

    1. Enter option “2” against product “ESM”
    2. Enter the required TCP/IP port number (as entered in DTIHosts)

    DetectIT Graphical

    From the ‘System i Data’ drop down menu, select ‘Maintain TCP Connections’.

    To assign the TCP/IP port:

    1. Select ‘Add’
    2. Highlight product “ESM” and select “Add”

    To change the TCP/IP port:

    1. Highlight product “ESM” and select “Edit”.
    2. Enter the required TCP/IP port number (as entered in DTIHosts)

  15. My policy run completes normally, but there are no results to display. Why is this?

    There are a couple of common reasons why this could be occurring. Please check the following:

    • Ensure that the correct TCP/IP port number is assigned to the ESM ‘product’ on the System i
    • Is there a firewall installed that may be restricting processing through the selected port number?

Interfacing Questions - Intruder Alert for System i

  1. On which platform does the DetectIT/Intruder Alert interface run?

    The interface is available on IBM pSeries (RS/6000), Sun Solaris, Windows NT and Windows 2000.

  2. What do I need to do on the Intruder Alert agent machine before I install the interface?

    The following steps are required:

    For Windows NT/2000

    • Intruder Alert 3.5 agent software must be installed
    • The Intruder Alert agent must be registered with the manager

    For Sun Solaris and AIX

    • Intruder Alert 3.0 (or above) agent software must be installed
    • The Intruder Alert agent must be registered with the manager

    Intruder Alert must be monitoring the agent’s system log.

  3. I get an installation error message on screen saying that the Intruder Alert installation directory could not be found. What do I need to do?

    (NOTE: Windows NT or Windows 2000 only) The following steps are required:

    • Install Intruder Alert
    • Locate the file cols_nt.cfg

    Add the following entry to file cols_nt.cfg:
    \application\DTIITA

  4. Where can I find the file cols_nt.cfg?

    (NOTE: Windows NT or Windows 2000 only) The “cols_nt.cfg” file can be found in [Intruder Alert Directory]\System\[agent name]

    where [agent name] = the Intruder Alert agent name

  5. How can I verify/assign the TCP/IP port used by the Intruder Alert interface server?

    For Windows NT/Windows 2000:

    The installation of the Intruder Alert interface introduces a program to the Start Menu called ‘Port Maintenance’. This shows you which port the server is currently listening on, and provides you the option to alter that port. To add a new port number, type where the cursor is shown, and press OK. This will configure the server to listen on this port number.

    For Sun Solaris & AIX:

    Use the itadticfg command. This command is shipped with the interface software. The following command string must be executed on the Intruder Alert agent:
    itadticfg

    To change the TCP/IP port for the server job, enter the command:
    itadticfg -p[port]

    Where:
    [port] = New TCP/IP port number

  6. Where can I find the itadticfg command?

    The itadticfg command is located in the sub-directory containing the executables for the DetectIT Intruder Alert interface. Namely:

    Sun Solaris

    [Intruder Alert directory]/bin/solaris-sparc-as400

    AIX

    [Intruder Alert directory]/bin/aix-rs6k-as400

  7. How do I start / stop the DetectIT interface server?

    For Windows NT/2000:

    The interface server is started / stopped automatically whenever the machine is booted up / shut down.

    For Sun Solaris:

    The interface server (called itadtid) is started / stopped automatically whenever the machine is booted up / shut down.

    Alternatively, the itadtirc command can be used:

    • Stopping the server
      itadtirc stop
    • Starting the server
      itadtirc start

    For AIX:

    The interface server (called itadtid) is started / stopped using the itadtirc command:

    • Stopping the server
      itadtirc stop
    • Starting the server
      itadtirc start
  8. Where can I find the itadtirc command?

    The itadtirc command is located in the sub-directory containing the executables for the DetectIT interface. Namely:

    Sun Solaris

    [Intruder Alert directory]/bin/solaris-sparc-as400

    RS/6000

    [Intruder Alert directory]/bin/aix-rs6k-as400

  9. What information does DetectIT send to Intruder Alert?

    DetectIT sends selected messages from the Message Monitor function of the Security Audit and Detection Module to Intruder Alert. The administrator defines which events to send by assigning an “action item”, where one of the resulting actions is to send to the ‘external interface’ called Intruder Alert.

  10. How do I configure a ‘message action item’ for Intruder Alert?

    The message action item is configured against each message as follows:

    NATIVE

    • Sign on as ALERT
    • Select “DetectIT Security Audit and Detection Manager Menu”
    • Select “Work with Message Monitor”
    • Enter option 12 (Maintain MSGID Action item) against the required MSGID
    • Enter “*ITA” for the “External Interface”

    GRAPHICAL MODULE - ADM

    • Navigate in the tree structure to “Message Monitor” and double-click.
    • Find the message ID you want to send to Intruder Alert and highlight it.
    • Select “Maintain MSGID Action Item”
    • Enter “*ITA” for the “External Interface” and press OK.

    NOTE - there are other parameters you can also define in the action item processing, for example tailoring the message text which is to be sent to Intruder Alert. Please see the help text for further explanations.

  11. How often does DetectIT send the information to Intruder Alert?

    The frequency of sending information depends upon the DetectIT settings:

    • Default - once a day
      By default the information is sent once a day during the DetectIT Daily Reporting Routine 
    • Frequency update
      When using a “Frequency update” the information is sent at regular intervals throughout the day. This is configured in the ‘Audit Setup’ parameters - see field ‘Log Update Frequency’.
  12. Why is there no System i information available on the Intruder Alert view?

    In order for DetectIT to send the information the following conditions must be satisfied:

    • The DetectIT Security Audit and Detection module must have a valid license on the System i
    • A TCP/IP port must be assigned to Intruder Alert
    • The correct TCP/IP address of the Intruder Alert agent must be registered in DetectIT
    • The DetectIT interface server must be active on the Intruder Alert agent

    Intruder Alert policies must have been created (or imported from the interface CD) to reference the System i message IDs. The policies must also have been registered with the appropriate domain within Intruder Alert.

  13. How do I check / assign the TCP/IP port assigned to Intruder Alert on the System i?

    This is done as follows:

    DetectIT Native

    • Signon to the System i using the ALERT profile
    • Execute the command WRKDTITCP

    To assign the TCP/IP port:

    • Select F6 = Add
    • Enter option “1” against product “ITA”
    • Enter the required TCP/IP port number (this must be the same as entered during the interface installation or when you used the itadticfg command).

    To change the TCP/IP port:

    • Enter option “2” against product “ITA”
    • Enter the required TCP/IP port number.

    DetectIT Graphical

    From the ‘System i Data’ drop down menu, select ‘Maintain TCP Connections’.

    To assign the TCP/IP port:

    • Select ‘Add’
    • Highlight product “ITA” and select “Add”

    To change the TCP/IP port:

    • Highlight product “ITA” and select “Edit”.
    • Enter the required TCP/IP port number (as entered during the interface installation or when you used the itadticfg command)
  14. How do I check / assign the TCP/IP address, of the ITA agent, on the System i?

    This can be achieved as follows:

    Native

    • Signon to the System i using the ALERT profile
    • Enter the command SECEXEC MSP5966, press Enter

    To assign the TCP/IP address:

    • Take F6 = Add
    • Input “*ITA” as the profile name
    • Press Enter
    • Enter the TCP/IP address for the ITA agent machine

    To change the TCP/IP address:

    • Enter option “2” against profile “*ITA”
    • Enter the required TCP/IP address.

    Graphical

    From the ‘System i Data’ drop down menu, select ‘Maintain TCP Profiles’.

    To assign the TCP/IP address:

    • Select ‘Add’
    • Enter a product name of “*ITA”, the IP address of the ITA agent and a brief description. Press OK.

    To change the TCP/IP address of the ITA agent:

    • Highlight product “*ITA” and select “Edit”.
    • Enter the IP address of the ITA agent and a brief description. Press OK.

Interfacing Questions - SecurID for System i

  1. How do I register a System i agent?

    The System i agents are registered in the same manner as existing ACE/Agents. To do this you must use the Administration facility on the ACE/Server. For a System i agent, the type must be specified as “UNIX”.

  2. Where is the “sdconf.rec” record stored on the System i?

    The “sdconf.rec” record is held as file SDCONF in library @MS. @MS is installed as part of the DetectIT installation.

  3. Where is the node secret stored on the System i?

    The node secret is stored as file SECURID, in library @MS

  4. How do I remove the node secret?

    The node secret is removed using the following command:

    DLTF FILE(@MS/SECURID)

  5. Why do I keep receiving the message: “Cannot initialize client-server communications”?

    There are several areas which need to be checked:

    The TCP/IP host name for the System i (on the System i) must:

    • begin with the System i system name
    • have the domain name as the suffix.

    For example:
    System name: SYSTEM IA
    Domain name: XYZ.COM
    Host name must be: SYSTEM IA.XYZ.COM

    Note : If any changes are made within the TCP/IP configuration, for the System i, TCP/IP must be re-started. The System i line description may also need to be “varied off” and “varied on”.

    • “Database broker” has not been started on the ACE/Server. Please refer to the appropriate documentation for your ACE/Server.
    • The ACE/Server services are not started. Please refer to the appropriate documentation for your ACE/Server.

  6. How do I activate SecurID authentication for System i sign on?

    The authentication can be activated at DetectIT system level or at an individual profile level. For either level the profile must be activated within DetectIT.

    • DetectIT system level
      Use the “Work with user “EXIT” points” option and update the ‘SIGNON’ exit point with “*SECURID”.
    • Profile level
      Use DetectIT Profile Maintenance to ‘Activate profile’ within DetectIT

    Update “Sign on” exit point with “*SECURID”

  7. How do I activate a profile within DetectIT?

    The profile details must exist within DetectIT:

    • For an existing OS/400 profile
      Use command RTVPRFA to initialize DetectIT, then the WRKPRF command.
    • For a new OS/400 profile
      Use WRKPRF command to add a new profile.

    With both of these options change the “Activate DetectIT” flag to “Y”.