Installing Powertech Compliance Monitor for IBM i

Important Updates to Cybersecurity Software

HelpSystems is updating the names of our cybersecurity software, including the Powertech product line. Don’t worry—the functionality of your products won’t change.

See the new names here > New, Clearer Names for HelpSystems Security Software.

System Requirements

• IBM i version 7.2 or higher
• Java 1.6 32-bit (required minimum)
• Java 1.7 32-bit or Java 1.8 32-bit for 7.3
• Library QICU – International Components for Unicode for 7.2 and 7.3, option 39
• 256 MB of disk space
• PASE (Portable Applications Solutions Environment), option 33
• IBM V7R2: PTF SI54166
• The fully-qualified domain name of the IBM i must be name-resolved on the system. To check this:
  1. On the IBM i, PING the unqualified system name: PING 'SYSTEM_A' , where "SYSTEM_A" is system's name.
  2. From the messages displayed, note the fully qualified domain name, for example, "SYSTEM_A.yourdomain.com".  
  3. PING the qualified domain name: PING 'SYSTEM_A.yourdomain.com' .

     If the PING to the qualified domain name is successful, the name is resolved correctly. If not, adjust the system's host table entries or domain information, or configure DNS, to allow the fully qualified domain name to be resolved.

Note: During installation an FTP connection is initiated. The FTP server responds with messages that prompt for FTP login credentials. The standard port reserved to establish an FTP connection to the IBM i is port 21. Consequently, it is required that this port is open and ‘listening’ on the server in order to establish a connection with the Installation Wizard and facilitate a successful installation.

If FTP is not available, you must install the product manually. See Manual Installation of Powertech IBM i Products.

Before You Install

Please review the following information before installing Compliance Monitor. 

Note: When installing Compliance Monitor in an HA environment:

1. Stop the replication of user profiles from production to HA system by either ending the replication software or ending the replication of the user profiles. 
2. Install Compliance Monitor on the HA and production systems.
3. Setup Compliance Monitor replication per the HA Setup instructions (see Compliance Monitor Setup in an HA Environment)
4. Start replication (including the user profiles).

Licensing

Compliance Monitor requires that you enter a valid license key. Contact [email protected] if you need to request a new license key.

System Values

It is Powertech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. To install Powertech Compliance Monitor on your system, the following system values that control object restores must be configured as shown.

• Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many Powertech Compliance Monitor programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.)
• QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Compliance Monitor product libraries (PTCMT2 [Consolidator], PTCMT3 [Endpoint], and QTEMP as a minimum) for the product to function properly.
• Set QVFYOBJRST to 1, 2, or 3. This allows Compliance Monitor to restore all objects regardless of their signature.
• Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything.

Installation

The Compliance Monitor installation process is completely automated.

Ensure the system is not in a restricted state and that the following servers are available and running prior to updating:

• FTP Server
• Remote Command Server 
• File Host Server 

If the File Host server is not active: Run the commands 

STRSBS QSYS/QSERVER

STRHOSTSVR SERVER(*FILE)

Do the following to install Compliance Monitor:

1. Download the Compliance Monitor Installer from the Compliance Monitor download page. (The "Trial" download is the full product, which can be unlocked with a valid License Key).
2. Double-click the .exe file to start the Installation Wizard. When prompted, enter the name of the system on which you want to install Compliance Monitor, a user profile, and password.

   Note: Make sure the user profile is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.

3. Specify how you want to load Compliance Monitor on your system, from the following:
   • Consolidator only
   • Endpoint only
   • Both (Installs both the Consolidator and Endpoint programs on the same system; this is the default selection. 

     Note: The Consolidator does not have to be an Endpoint.)

4. When the confirmation window displays, click Start to upload and install Compliance Monitor on your IBM i.
5. The Compliance Monitor Consolidator and Endpoint install processes run pre-checker programs that evaluate your system to verify that the install can proceed, including that you have the proper authority, that the operating system and PTFs are at the correct level, and that the default port (3035) used by Compliance Monitor is available. If the pre-checkers find any problems, you should review the message logs (CM2INSTP for the Consolidator, PCMINSTP for the Endpoint) for more information. 

   Note: Compliance Monitor installs a work management subsystem, PTWRKMGT, that allows Powertech products to submit long-running batch jobs without interfering with customer job queues. The PTWRKMGT subsystem also is used by other Powertech products, so if you have another Powertech product installed, it is not installed again. The PTWRKMGT library consists of a subsystem description, a class description, job queue descriptions for Powertech products, and job descriptions for Powertech products and features. PTWRKMGT is activated when a product needs to use it. All jobs in PTWRKMGT are submitted jobs; there are no prestart or auto-start jobs.

6. When the install completes on the system, you can view the install log or select “Restart and load another system” to install on another system. Follow the instructions to install the Endpoint program on additional systems. You can install the Endpoint program on as many systems as you want, one at a time.
7. When you are finished installing on all systems, click Finish to remove the Wizard from your PC. 

The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Compliance Monitor install.

Setting Up Compliance Monitor

After you’ve installed Compliance Monitor, do the following to complete the setup:

On the Consolidator System

1. Add the Compliance Monitor Consolidator library to your library list:

   ADDLIBLE PTCMT2

2. Enter the following command to display the License Setup panel:

   CALL CM2280

   Enter your Compliance Monitor license code.

3. Enter the following command to start the Compliance Monitor monitor job, QP0ZSPWT, in the PTWRKMGT subsystem:

   PTCMT2/STRPTCMCSL

   When prompted for a user name and password, enter the following:

   • User name: PLCM2ADM (this is the Compliance Monitor administrator user profile).
   • Password: Enter a password of your choice and assign it to the PLCM2ADM profile.

On the Endpoint Systems

Sign on to each Endpoint system and do the following:

1. Add the Compliance Monitor Consolidator library to your library list:

   ADDLIBLE PTCMT3

2. Enter the following command to display the License Setup panel:

   CALL PCM280

   Enter your Compliance Monitor license code. The Endpoint license code is different from the Consolidator license code.

3. Enter the following command to start the monitor job:
   PTCMT3/STRPTCMEPT

Note: You do not need to start the Endpoint monitor job at this time. The Endpoint starts automatically when you request an Assessment for the Endpoint.

From Your Browser

1. Enter the following to connect to the Consolidator system:

   HTTP://SYSNAME:3035/PTCM/

   where

   • sysname is the name of the system where the Consolidator is installed
   • 3035 is the default port number used by Compliance Monitor
2. When the Login window displays, enter the following user name and password:
   • PLCM2ADM—the Compliance Monitor administrator profile
   • password—the password you specified for PLCM2ADM

     The first time you log on to Compliance Monitor, you must sign on as the administrator.

Note: The Compliance Monitor Administrator's Guide can be found at Powertech Product Manuals.

Objects Installed

Consolidator

Endpoint

Consolidator & Endpoint