Upgrading to Network Security 7 (v7.04 and higher)

Important Updates to Cybersecurity Software

HelpSystems is updating the names of our cybersecurity software, including the Powertech product line. Don’t worry—the functionality of your products won’t change.

See the new names here > New, Clearer Names for HelpSystems Security Software.

--------------------

Please review the following information before upgrading to Exit Point Manager 7 from a previous version.

Note: For information on upgrading in an HA environment, see Replication of Power Admin, Exit Point Manager, and Central Administration in an HA Environment.

Planning Your Upgrade

Before you upgrade, note the following:

The following user profile was renamed in Exit Point Manager 7:

The following authorization list was renamed in Exit Point Manager 7:

The following commands have been removed from Exit Point Manager in favor of the HelpSystem's Insite Web UI:

• PTNSINSWEB (to install the old web server)
• PTNSSTRWEB (to start the old web server)
• PTNSENDWEB (to stop the old web server)
• PTNSCFGWEB (to configure web server ports in the old web server)
• PTNSRMVWEB (to remove the old web server)

Also, the profile PTWEB, used for the old web server, is no longer installed.

Considerations

• The Library name for Exit Point Manager is PTNSLIB07. If an alert device is used in conjunction with Exit Point Manager, the alert device may have fields that need to be updated in order to reflect the library name change within Exit Point Manager. 
• The Exit Point Manager 7 web server has been discontinued in favor of the HelpSystems Insite web server and browser interface. Insite offers simultaneous viewing of rules across all systems on your network and support for other HelpSystems products including Robot Schedule and Robot Network. Insite is not installed during Exit Point Manager's installation procedure. To download HelpSystem's Insite, visit the HelpSystems Insite download page. 
• The upgrade process does not copy user profiles to the new authorization lists. You should copy your user profiles to the appropriate new authorization list before using Exit Point Manager 7.
• If you upgrade from Exit Point Manager 5.3 or 6, the license code is copied to Exit Point Manager 7 when you run the MRGPRVNS command (see Merging Rules from a Previous Version below). If you are upgrading from an earlier version of Exit Point Manager, contact [email protected] to request a new license key.
• If you used the Operations Navigator plug-in in a previous version of Exit Point Manager, Network Security 7 has been modified so that it no longer uses the plug-in. 
• It is Powertech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Exit Point Manager installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.

Exit Point Manager 7 installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

System Values

To install Powertech Exit Point Manager on your system, the following system values that control object restores must be configured as shown.

• Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many Powertech Exit Point Manager programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.)
• QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Exit Point Manager product library (PTNSLIB07 or PTNSLIB and PTPLLIB and QTEMP as a minimum) for the product to function properly. See Allow User Domain Objects (QALWUSRDMN) in the IBM Knowledge Center for more information.
• Set QVFYOBJRST to 1, 2, or 3. This allows Exit Point Manager to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Exit Point Manager install process completes.)
• Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything. 
• Set QALWJOBITP (Allow jobs to be interrupted) to 1. This allows job to be interrupted to run user-defined exit programs. All new jobs that become active will default to be uninterruptible.

System Requirements

Exit Point Manager requires the following:

• IBM i version 7.2 or higher
• 256 MB of disk space 
• PASE (Portable Applications Solutions Environment), option 33
• Current IBM-supported PTF level
• V7R2:  PTF SI69104
• V7R3:  PTF SI67661

If you are using the Showcase product, then in order for Exit Point Manager to control access to Showcase, version 9.1.0.3 of Showcase is required.

If you intend to use exit point monitoring for the QIBM_QSO_ACCEPT (incoming TCP connections) exit point, and if the environment has a high number of incoming TCP connections, the following PTFs are recommended: 

• V7R2M0: MF66311
• V7R3M0: MF66310
• V7R4M0: MF66308

The above PTFs will improve exit point processing performance for incoming connections.

Note: If FTP is not available, you must install the product manually. See Manual Installation of Powertech IBM i Products.

Upgrading to Exit Point Manager 7

Ensure the following servers are available and running prior to upgrading:

• FTP Server
• Remote Command Server 

Upgrading to Exit Point Manager 7 is a three-step process:

1. Install Exit Point Manager 7
2. Merge information from the previous version (optional)
3. Activate Exit Point Manager 7

To upgrade Exit Point Manager, run the installation process. Do the following to perform the installation:

1. Download the Powertech Exit Point Manager installer (setupNetworkSecurity7.exe) from the Exit Point Manager download page. (The "Trial" download is the full product, which can be unlocked with a valid License Key).

2. On the Choose Components panel, select which components you want to install. You can choose to install the Manuals and the Software for IBM i. Click Next.

3. If you’re only installing the Manuals, the process completes and the installer closes. The Manuals have been installed. You can skip the rest of these steps.

   Note: The manuals are installed to the following location:

   • C:\Program Files\PowerTech\Network Security\manuals

   If you’re loading the Software for IBM i, continue to step 4.

4. On the Choose a Destination IBM i panel:

   1. Select or enter the IBM i where you want to load Exit Point Manager.

   2. Enter a user profile and password that’s a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, and *IOSYSCFG. The user profile should have Limit capabilities set to *NO. This profile will be used to restore and copy objects, and for product maintenance on the IBM i.

   3. (Optional) In the Advanced Settings section:

      • Enter a port number or use the arrows if you want to change the FTP port number to something other than the default of 21.

      • Select Secure File Transfer if you want to use FTPS (FTP over SSL) during the file transfer. The default FTPS secure port is 990, but it can be changed to the required secure port for your environment.

      • In the Timeout (seconds) field, enter the number of seconds the session should be kept active during an FTP transfer. You can choose anywhere between 25 and 1800 seconds (30 minutes).

        Note: If the transfer takes longer than the amount of time specified, the session will expire.

   4. Click Next.

5. You have two options on the Product Load Options panel:

   1. Click Immediate Load if you’d like to load the product on the IBM i now.

   2. Click Staged Load if you’d like to transfer the objects now and load them on the IBM i at a later time.

      Note: See “Loading Staged Objects on the IBM i” below for instructions on how to load the staged objects on your selected IBM i system.

6. The Product Load Progress panel for Exit Point Manager launches. When the processing is complete, you have two choices:

   • If this is the only installation or update of Exit Point Manager that you're doing, click Finish.

   • If you have installs or updates to do on other IBM i systems, click Restart. Then, return to step 4.

   Note: If the Product Load Progress panel ends with an overall Failed message, the product upload could not complete properly. To find the reason the upload failed, click View Logs and review your logs. You can also use Download at the top of the logs to save the information for future review.

 To verify that Exit Point Manager installed successfully, enter the following command to display the Powertech Exit Point Manager window, which shows the release and modification level of the product:

PTNSLIB07/LPRDVRM

Exit Point Manager installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

Loading Staged Objects on the IBM i

If you chose to stage your objects during step 5b of the installation or update process, do the following to manually load them on the IBM i you identified above.

1. On the IBM i, execute the following command to display the Work with Loads panel:

   HSLOADMGR/HSWRKLOAD

2. Enter option 1, Load, next to the Load Name for Exit Point Manager and press Enter.

   The installation program installs Exit Point Manager, the PTNSLIB07 library (as needed), and three user profiles (PTUSER, PTADMIN, and PTWRKMGTOW). It adds PTNSLIB07 to the system portion of your library list, if required.

3. Review the information on the Install Exit Point Manager Host panel and make any necessary changes and additions. Select *NEW for the installation, then press Enter.

Merging rules from a Previous Version

The installation program installs Exit Point Manager 7, but does not automatically import information from a previous version. The previous version exit programs remain active, allowing you to continue to use it as you become familiar with version 7 (as long as you do not activate Exit Point Manager 7). Once you’ve familiarized yourself with Exit Point Manager 7, use the Merge Previous NS (MRGPRVNS) command to merge rules from your previous version to version 7. You should review these rules and make any modifications necessary before activating version 7.

Note: Merging data from a previous version of Exit Point Manager does not automatically activate version 7. You must still run the activation process on Exit Point Manager 7 to start using it. See Reactivating Exit Point Manager After an Upgrade (below).

Enter the following command on a command line to import rules from a previous version of Exit Point Manager.

If you are upgrading from version 5 or 6 to version 7, the merge command is: 

PTNSLIB07/MRGPRVNS

Force run option

Allows you to specify an option for the merge process. This is useful if you’ve performed the merge already, and need to run it again. Possible values are:

*NONE Indicates that no special options are specified; the merge process proceeds normally.

*FORCE Indicates that the merge process should proceed, even if it has been run previously.

Note: Before upgrading, check the PowerTech product download Web page for any additional information.

Database conversion options [CVTOPTS]

This parameter contains some settings you may use to limit the amount of data migrated to the new version. This is a multi-part parameter consisting of the following elements:

Add missing data Specify *ADD to add data to the new version that is in the prior version but is missing from the new version. Specifying *NOADD will not migrate missing data from the prior version.

Update existing data Specify *UPDATE to update data in the new version that exists in the prior version but is different to that in the prior version. Specifying *NOUPDATE will Leave the data in the new version alone.  

Delete extra data Specify *DELETE to remove data from the new version that does not exist in the prior version. Specifying *NODELETE will leave the data in the new version alone.

Convert reporting users (CVTAUTH)

Reporting-only users were registered as members of a particular Authorization List in prior versions. Newer versions of Network Security employ the internal Product Security functions contained in Central Administration to control access to parts of the software.

*NO  This value indicates that no users will be transferred from the reporting Authorization List.  

*YES This value indicates that the members of the reporting Authorization List named in the CVTAUTL() parameter will be attached to the Product Security Role you name on the CVTROLE() parameter.

For more details, see Merge Data From Prior Version (MRGPRVNS) in the Exit Point Manager User Guide.

HelpSystem's Insite Web User Interface

The Exit Point Manager 7 web server has been discontinued in favor of the HelpSystems Insite web server and browser interface, which offers simultaneous viewing of rules across all systems on your network and support for other HelpSystems products including Robot Schedule and Robot Network. Insite is not installed during Exit Point Manager's installation procedure. To download HelpSystem's Insite, visit the HelpSystems Insite download page. 

The following commands have been removed from Exit Point Manager in favor of the HelpSystem's Insite Web UI:

• PTNSINSWEB (to install the old web server)
• PTNSSTRWEB (to start the old web server)
• PTNSENDWEB (to stop the old web server)
• PTNSCFGWEB (to configure web server ports in the old web server)
• PTNSRMVWEB (to remove the old web server)

Also, the profile PTWEB, used for the old web server, is no longer installed.

The HelpSystem's Insite Web Browser Interface allows security administrators to work with rules and most other Exit Point Manager features directly from a browser. The following browser versions (or later) are required to use Exit Point Manager's WUI:

Dashboard Showing Transaction Counts

A feature of HelpSystem's Insite for Exit Point Manager is the Dashboard.

The Dashboard displays a count of all transactions monitored or controlled by Exit Point Manager. The Dashboard displays the totals for the servers based upon the criteria selected by the user (today's totals, yesterday's totals, last 7 days or last 30 days). You can also select to see the individual server's counts for the past 24 hours. To activate this feature, start the Dashboard Data Summarization job.

To start/end the Dashboard Data Summarization job, use the following commands:

Start - PNSSTRDASH

End - PNSENDDASH

Execution of the Dashboard Data Summarization job can be controlled with the following commands:

PNSHLDDASH - Use this command, Hold Dashboard Collection, to set the system in a state such that data collection to support the web interface Dashboard will not run.

PNSRLSDASH - Use this command, Release Dashboard Collection, to release the Hold Dashboard Collection command, allowing data collection to occur. 

After You Upgrade

Upgrading and reactivating Exit Point Manager are separate processes. An upgrade installs the new Exit Point Manager software on your IBM i system; reactivation activates the Exit Point Manager exit programs. If you upgrade the software, but do not complete the reactivation process, Exit Point Manager protection and auditing of the new version are not active. However, the auditing and access control of the old version are valid and still in effect unless you previously deactivated the exit programs (removed them from the exit points). When you complete both the upgrade and activation processes, Exit Point Manager actively audits the network interfaces.

Reactivating Exit Point Manager After An Upgrade

After you upgrade Exit Point Manager, you must reactivate the exit programs that interact with the servers on your IBM i system. Do the following to activate Exit Point Manager for the first time after the upgrade:

1. From the Exit Point Manager Main Menu, select option 81, Configuration Menu.
2. On the Configuration Menu, select option 2, Work with Activation, to display the Work with Activation screen.
3. The Work with Activation screen shows the servers that were activated in the previous version of Exit Point Manager with a Pending Change of *ACTIVATE. Note: Exit Point Manager 7 has been installed into library PTNSLIB07.  
4. To activate the servers, press F20, Run activation for an interactive activation request, or F18 for Silent Activation.

Reactivation stops and restarts your servers. You can use either the Silent method (performed during an IPL) or the Interactive method to activate the exit programs.

Warning: The Interactive method stops and starts your processes and servers when run the activation. You should plan to perform an Interactive activation at a time when stopping critical servers will not interfere with your business processes. 

If you want to activate additional servers, use the Work with Activation screen to select the servers to be activated. See Activating Powertech Exit Point Manager in the Exit Point Manager Administrator’s Guide for complete information on activation. 

During exit program activation, Exit Point Manager modifies the values of the following Network Attributes: