Moving Powertech Compliance Monitor for IBM i 3.x to a New System

Important Updates to Cybersecurity Software

HelpSystems is updating the names of our cybersecurity software, including the Powertech product line. Don’t worry—the functionality of your products won’t change.

See the new names here > New, Simpler Names for HelpSystems Security Software.

Step I – Planning a Compliance Monitor 3.x Move

Consolidator vs. Endpoint

Compliance Monitor has two features, the consolidator and an endpoint.

• The Consolidator is the work horse of Compliance Monitor. It serves the browser interface, retrieves the data from the endpoint, stores the data, generates reports, and sends reports electronically. These are the objects that will be moved.

   

  Note: Object size consideration
  Large amounts of data may be retained in the product library. The largest objects typically are the CMTDJE* files. The save file of the library will contain these files, so implications of disk usage should considered when making a copy of the objects. Also, the process outlined in this document describes using FTP to transfer the save file. Using FTP for this can take a very long time and we have no ability to predict all the factors affecting the speed at which FTP can move the save file. If you have alternative means to transfer these to your target system, you may want to consider using them.

• The Endpoint is the system on which the data is collected and reported. Unless the endpoint has a local filter, there is no need to move the endpoint. Simply install the endpoint software using the software installer.

Compliance Monitor Installation 

The Compliance Monitor Consolidator and Endpoint must be installed on the new system using the software installer so the user profiles and authorization lists are created.

Review the Compliance Monitor Installation Instructions prior to installing the product, especially the IBM required program products and PTFs.

Run the Compliance Monitor Pre-Checker prior to the installation on the new system, as it will check the system for the required IBM program products and PTFs.

Consolidator - Mail Server

Verify whether the new system will use the same mail server as the existing server. If a different server will be used, obtain the IP address or fully qualified name of the server.

QAUDJRN Journal – Consolidator & Endpoint

Compliance Monitor reporting consists of different types of auditing that must be setup on the new system. Verify that the QAUDJRN journal is setup and collecting the proper information by comparing the appropriate systems values on the new system to the current system. The system values to check are QAUDCTL, QAUDLVL and QAUDLVL2.

If Automatic Collection is used, the journal entries selected in Automatic Collections must also be verified with the new system’s audit values (system values above) to ensure that necessary information is collected. 

Consolidator - Verify the Users that should have ‘Use’ or ‘Admin’ rights to the web application exist on the new system.  

The users and administrators of the Compliance Monitor WUI must have user profiles created on the IBM i. Verify that these user profiles exist on the new system. 

Authorization Lists – Consolidator & Endpoint

Verify the users setup in these authorization lists on the new system are the same users setup on the current system.  

Consolidator: PLCM2ADM, PLCM2DTA and PLCM2PGM

Endpoint: PLCMADM

Consolidator - Secured Sockets Setup 

Compliance Monitor Browser Interface does support SSL (Secured Sockets Layer). If SSL was setup on the current system and will also be used on the new system, refer to the Using Secure Sockets Layer (SSL) with the Compliance Monitor Browser Interface document for these setup instructions.

License Keys – Consolidator & Endpoint

Obtain a license key for the Consolidator and/or Endpoint for the new system from the Powertech Sales team.

Note: After normal business hours, contact technical support for a temporary key.  

Step II – Install Compliance Monitor

To successfully move Compliance Monitor from one system to another (i.e. a D/R system), you must first install Compliance Monitor on the destination system using the software installer.

The installer creates the required user profiles and authorization lists for Compliance Monitor.  

Consolidator:

• The Consolidator has two user profiles: PLCM2ADM and PLCM2OWN.
• The Consolidator has three authorization lists: PLCM2ADM, PLCM2DTA and PLCM2PGM.

Endpoint:

• The Endpoint has two user profiles: PLCMADM and PLCMOWN.
• The Endpoint has one authorization list: PLCMADM. 

Note: If the user profiles or authorization lists exist, installation will fail. If installation fails, delete these user profiles and/or authorization lists and try the installation again. 

Step III -  Compliance Monitor Replication

If the new system is in an HA environment, please refer to the Compliance Monitor Setup in an HA Environment for more information. 

Step IV – Compliance Monitor Objects to Move

After the Compliance Monitor Consolidator and/or Endpoint products have been installed, you can save and restore the following objects on the new system. 

Moving Consolidator:

1. Save and restore the Compliance Monitor library, PTCMT2, to the new system.   
2. Save and restore the Compliance Monitor directory ‘/PowerTech/ComplianceMonitor’ to the new system.
3. If any batch assessment reports are saved to an IFS directory, then this directory could be saved and restored to the new system based on the customer’s decision on whether these reports need to be moved to the new system.

Moving Endpoint:

1. If Endpoint Local Filters are being used, the endpoint’s library is PTMCT3, will need to be saved and restored to the new system.
2. To verify if the ‘Endpoint Local Filters’ are used on the current system do the following:

                        ADDLIBLE PTCMT3

                        CALL SETLCLFTR

Note: If an empty screen appears, then no endpoint filters have been setup and there is no need to save and restore the PTCMT3 library.

Step V – Compliance Monitor License Objects

Compliance Monitor version 3.12 and higher has the ability to enter multiple licenses on the Consolidator and/or the Endpoint (press F7 – License List on License Setup screen). This allows you to enter multiple licenses in preparation of a move or an event such as a role swap. 

Note: In the event that you are using the multiple license feature and have added the new system’s license on the current system, you do not need to obtain a new license when migrating to the new system.

Also note: If you are not using the multiple license feature, you will need to install a new license after restoring the product libraries. 

Step VI – Move Consolidator Commands

1. End the consolidator:

ENDPTCMCSL

Monitor the QP0ZSPWT job’s termination in the PTWRKMGT/PTWRKMGT subsystem.

2. Create the following save file on both systems (current and new):

CRTSAVF FILE(QGPL/CM2LIBSAVF) TEXT('Move Consolidator Compliance Library Savefile')

CRTSAVF FILE(QGPL/CM2IFSSAVF) TEXT('Move Consolidator IFS Savefile')

3. Save commands to save the Consolidator library & IFS objects:

SAVLIB LIB(PTCMT2) DEV(*SAVF) SAVF(QGPL/CM2LIBSAVF)

SAV DEV('/QSYS.LIB/QGPL.LIB/CM2IFSSAVF.FILE') OBJ(('/PowerTech/ComplianceMonitor')) SUBTREE(*ALL)

Note: Target release (TGTRLS) must be determined by the customer.

4. FTP the savefiles to the new system
5. Restore the Consolidator library & IFS objects to the new system using the commands:

RSTLIB SAVLIB(PTCMT2) DEV(*SAVF) SAVF(QGPL/CM2LIBSAVF) MBROPT(*ALL) ALWOBJDIF(*ALL) 

RST DEV('/QSYS.LIB/QGPL.LIB/CM2IFSSAVF.FILE') OBJ(('/PowerTech*')) SUBTREE(*ALL) ALWOBJDIF(*ALL)                                                                        

Step VII – Move Endpoint Commands

The endpoint was installed in Step II. If there are no endpoint local filters configured on the current system, this step can be skipped.

1. Verify that there are no assessments or automatic collections running.

WRKACTJOB SBS(PTWRKMGT)

Check for active CM0000B jobs, these are the jobs which would be running if an assessment or an automatic collection is running.  These jobs can be ended using  the ENDJOB *IMMED option, however this will cancel the assessment on the Consolidator.

Note: Powertech recommends that you plan the move so these jobs will not be affected.   

2. End the Endpoint, using the command:

ENDPTCMEPT

Monitor the PLCMMON job’s termination in the PTWRKMGT/PTWRKMGT subsystem.

3. Create the following save file on both systems:

CRTSAVF FILE(QGPL/CM3LIBSAVF) TEXT('Move Endpoint Library Savefile')

4. Save command to save the Endpoint library – PTCMT3:

SAVLIB LIB(PTCMT3) DEV(*SAVF) SAVF(QGPL/CM3LIBSAVF) PVTAUT(*YES)

Note: Target release (TGTRLS) must be determined by the customer.

5. FTP the savefile (CM3LIBSAVF) to the new system
6. Restore the Endpoint library to the new system using the command:

RSTLIB SAVLIB(PTCMT3) DEV(*SAVF) SAVF(QGPL/CM3LIBSAVF) MBROPT(*ALL) PVTAUT(*YES) ALWOBJDIF(*ALL)

Step VIII – Compliance Monitor Authorization Lists

Review the following authorization lists and add the users from the current system to the new system:

Consolidator: PLCM2ADM, PLCM2DTA and PLCM2PGM

Endpoint:  PLCMADM

Step IX – Starting Compliance Monitor

After the product has been installed and the files restored, start the Compliance Monitor jobs.  

1. If the multiple license key feature is not used, enter the license key.

On the Consolidator:

ADDLIBLE PTCMT2

CALL CM2280

On the Endpoint:

ADDLIBLE PTCM3

CALL PCM280

3. Start the Web application and verify the following:

Enter the url for the new system http://xxxxxxxxxx:3035/ptcm

4. Verify that the email is correct for this Consolidator system.
5. Verify that authorization lists are correct for this Consolidator system.
6. Verify the Report Groups are correct for this Consolidator system.
7. Run an assessment for each Endpoint, to verify that communication between the Endpoint(s) and Consolidator are working properly and that each assessment completes successfully.