Important Updates to Cybersecurity Software

HelpSystems is updating the names of our cybersecurity software, including the Powertech product line. Don’t worry—the functionality of your products won’t change.

See the new names here > New, Clearer Names for HelpSystems Security Software.

-------------------

Please review the following information before updating Identity Manager. If you are upgrading Identity Manager from version 1, see Upgrading Identity Manager.

Before You Update

  • The installation must be performed under a user profile with *SECOFR user class or the QSECOFR profile.
  • Two components during the Identity Manager update will occur and also must be done together. The Identity Manager update will also update the related Central Administration.
  • The following user profiles were used in prior versions of Identity Manager. They are reused in the new version:

        PTADMIN
        PTUSER 

  • The following Authorization list was used in prior versions of Identity Manager and is reused in the new version:

        PTADMIN
    After the update, any prior authorization list users and administrators will remain as such.

  • The library remains the same for both Components

Identity Manager

PTPMLIB

Central Administration

PTPLLIB

Licensing

  • The update will migrate and re-use the existing license from the prior version. If you need a license code for Identity Manager you can request one using a link on the download page. Contact Powertech at keys@helpsystems.com to request a new license code.
  • It is Powertech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed.However, the Identity Manager installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation wizard changes a system value during install, it changes it back to its original value when the install completes.

System Values

To install Powertech Identity Manager on your system, the system values that control object restores must be configured as follows.

  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many Powertech Identity Manager programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users. (Note: For some system configurations, *ALL is required temporarily.)
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Identity Manager install library (PTPMLIB), Central Administration library (PTPLLIB), and QTEMP for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Identity Manager to restore all objects regardless of their signature. (Note: If you normally check signatures, remember to check this system value after the Identity Manager install process completes.)
  • Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything.

Back up your previous version:

As in any update, it’s highly recommended you back up the previous version. Should any reason to need to review prior configuration or return to the prior version occur, the library can be restored. 

System Requirements

Identity Manager requires IBM i version 7.1 or higher.

Note: During installation an FTP connection is initiated. The FTP server responds with messages that prompt for FTP login credentials. The standard port reserved to establish an FTP connection to the IBM i is port 21. Consequently, it is required that this port is open and ‘listening’ on the server in order to establish a connection with the Installation Wizard and facilitate a successful installation. Any firewall or exit program technology on the PC or the IBM i system could potentially block the FTP file upload and remote commands running the installation. Ensure any such firewall or program is configured to permit an FTP connection on port 21. If standard FTP is not permitted, contact Powertech support for instructions on how to manually install the product without the installation wizard.

If FTP is not available, you must install the product manually. See Manual Installation of Powertech IBM i Products.

Required PTFs

It is recommended that you load the PTF listed above for your OS level. 

Updating Identity Manager

Ensure the following servers are available and running prior to updating:

  • FTP Server
  • Remote Command Server 

Updating Identity Manager is a three-step process. As previously noted the below steps should be done for every system part of the Identity Manager/Central Administration unit.

  1. Download the Identity Manager Update Installer from the Identity Manager download page.
  2. Sign on to the system with QSECOFR or a user profile with the user class *SECOFR
  3. Ask any system administrator to stay out of the Identity Manager and Central Administration menus. They should also refrain from using the GO POWERTECH menu.
  4. Run the install Wizard. When the installation completes, click Finish to remove the Wizard from your PC unless you are updating multiple systems. The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Identity Manager install.

Note 1: Make sure the user profile used for the installation is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.

After the update is complete

The following monitor jobs, listed under the PTWRKMGT subsystem, are stopped during the update process, and then restarted automatically when the update is finished. 

PPLCMNMON
PPLCMNSVR
PPLEVTMON
PPMEVTMON

If the monitors were not running when the update was started, they will not be started automatically after the update. To start them:

  1. On the IBM i system, return to the Central Administration main menu using the GO POWERTECH command.
  2. Run the command PPLSTRMON to start these four monitor jobs.

Note 2: To take advantage of the major improvements in system design and processor capabilities program conversion is required for all systems running IBM i 6.1 or later. The conversion replaces existing program objects, but each program object retains attributes such as the name, library, and owning user profile. This conversion is a one-time process on each object. To provide an uninterrupted work environment, all program conversion occurs during installation, which can extend the installation process V6r1 or greater.

Note 3: What to do if the installation fails. The installation process runs a prechecker before the actual product install. The prechecker validates the system to see if it has the proper set up installed before it runs the product installation. The installation, whether it completes or fails, will generate a joblog and a prechecker log with a name format PPLnnnnnn for your review under the profile used for the installation. If you see an ‘F’ for failure you may attempt to remedy the problem yourself or choose to contact Technical Support for assistance.

Objects Installed on System

  1. Product Libraries: PTPLLIB, PTPMLIB and PTWRKMGT
  2. Profiles:
    • PTADMIN, which has special authorities *ALLOBJ, *SECADM, *JOBCTL, *AUDIT, JOBCTL and *IOSYSCFG
    • PTUSER, which has no special authorities
    • PTWRKMGTOW, which has no special authorities

(All these profiles are set to Password = *NONE so that they can’t be used to sign on to the system.)

  1. Authorization Lists:
    • PTADMIN - Powertech Identity Manager Administrators
  2. Subsystem:
    • PTWRKMGT (in library PTWRKMGT)
  3. Job Queue Entries:
    • PTPLLIB/PPLJOBQ added to subsystem PTWRKMGT
    • PTPMLIB/PPMJOBQ added to subsystem PTWRKMGT
  4. Objects in QGPL:
    • POWERTECH (*CMD)
    • POWERTECH (*MENU)
    • WRKPTPA
  5. Powertech-created Unregistered Exit Points:
    • POWERLOCK_PL format SYS01000
    • POWERLOCK_PL format SYS03000
    • POWERLOCK_PM format SYS01000
    • POWERLOCK_PM format SYS03000
    • POWERLOCK_WRKMGT format SYS01000

Starting Identity Manager

To start Identity Manager:

  1. Enter the command POWERTECH on a command line to display the Powertech Main Menu
  2. Enter option 2 to display the Power Admin Main Menu.

Or, use the command WRKPTPA on the command line. 

Note: The Identity Manager Administrator's Guide can be found at Powertech Product Manuals


Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: November 07, 2018