Important Updates to Cybersecurity Software

HelpSystems is updating the names of our cybersecurity software, including the Powertech product line. Don’t worry—the functionality of your products won’t change.

See the new names here > New, Simpler Names for HelpSystems Security Software.

Some of the most powerful functions available in our Powertech products require the use of the PTWRKMGT subsystem, which, if invoked unintentionally, will unexpectedly end a restricted state. Use the following suggestions to prevent PTWRKMGT from starting unintentionally.

Powertech Command Security for IBM i

Certain command and action combinations can be set up in Command Security that will end a restricted state. If you monitor commands in Command Security that are used on the console, or written into your own programs, or 3rd party software, note that the actions taken when these commands are used could bring your system out of a restricted state.
Some actions are designed to be deferred in order to avoid any delay in the interactive session—we offload them to a secondary job. These actions include *COMMAND, *EMAIL, *MSG and *QUEUEMSG. If the PWRWRKMGT subsystem is down and these actions are requested, the PTWRKMGT subsystem will start, ending your restricted state.
You are welcome to monitor and report on various commands while in a restricted state, but, in order to assure the restricted state is maintained, we suggest limiting actions as follows:

  • Do not use the actions that are queued or deferred on commands that you may use while in a restricted state.
  • Use limits to prevent when actions occur. You can do this by testing the user profile or time of day when the command occurs. You could prevent the action of *MSG or another deferred action if the command is run by the user that runs the backup job, or if it runs during your normal backup or system down window.
  • Instead of the deferred actions (*COMMAND, *EMAIL, *MSG and *QUEUEMSG ), use *CMDINLINE as the action. This action allows you to run any command as part of the interactive job. For *MSG, you would use *CMDINLINE as the action, then the command of SNDMSG as the command. This allows the SNDMSG command to send a message to a message queue, but does not require a job to run in the PTWRKMGT subsystem. Your action would look like this:

    *CMDINLINE(QSYS/SNDMSG MSG(‘SAVLIB command used’) TOUSR(THERESA))

Powertech Authority Broker for IBM i

If a switch pair is set up as a timed switch, Authority Broker uses a timer job in the PTWRKMGT subsystem to track the duration of the switch. 
If a switch pair is set up to capture screens, when the swap is released, Authority Broker starts the PTWRKMGT subsystem and runs a job to create the screen capture document and starts up TCP servers and subsystems to send the email.
You can avoid having your restricted state ended by taking this precaution:

When setting up a switch pair that will be used while in a restricted state, do not time the swap (use *NOMAX instead) and do not request screen captures to be generated and emailed. (Though a screen capture PDF will not be created, you can still access history and see the commands used while in a restricted state from the Authority Broker Event Report, and by working with Profile Switches.)

Powertech Exit Point Manager for IBM i

In Exit Point Manager, choosing menu option 10 to ‘Work with Captured Transactions’ will start up the PTWRKMGT subsystem if it is not active, in order to run the SUMCAPTRAN job. This ends your restricted state. To avoid this:

Do not choose option 10 ‘Work with Captured Transactions’ while in a restricted state. There is no reason to use this menu option while in a restricted state.

In version 6.5 of Exit Point Manager, we introduced a web browser interface. Part of the new interface includes a Dashboard, which shows counts of transactions coming through your monitored exit points. Some customers run a ‘semi-restricted’ environment for backups, where some communication traffic (TCP/IP for example) may still be allowed. If a transaction comes through a monitored exit point, Exit Point Manager will start the PTNSGMSTR job, which will start up the PTWRKMGT subsystem and bring you out of the ‘semi-restricted’ state.
You can avoid the potential for Exit Point Manager ending your semi-restricted state by:

  1. Running a true restricted state environment (ENDSBS *ALL).
  2. On 6.51 or higher, you can stop PTNSGMSTR from running by adding an environment variable:

    ADDENVVAR ENVVAR(POWERTECH_NETWORKSECURITY_GM) VALUE(0) LEVEL(*SYS)

    To reinstate the dashboard feature, run the command to remove the environment variable:

    RMVENVVAR ENVVAR(POWERTECH_NETWORKSECURITY_GM) LEVEL(*SYS)

 


Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: November 07, 2018