- Download the Risk Assessor installer (SRASetup.exe) from the Risk Assessor Download Page. (The "Trial" download is the full product, which can be unlocked with a valid License Key).
- Navigate to where you saved the file. The file name will be "SRASetup.exe".
- Double-click on the file, SRASetup-xx.exe, to launch the setup wizard.
Note: If you get the Microsoft - Open File - Security Warning pop-up box, saying that the publisher could not be verified or that you need Administrator rights, or that your firewall is blocking the syswow64\ftp.exe, click Run to continue.
Note: This wizard uses FTP to send files to your system; therefore, FTP must be started to upload the file. Ensure that FTP is active on your system and the user profile you specify in the installation wizard is not prohibited from using FTP by either an exit program or Application Administration. If the user is prohibited, the connection fails.
- In the wizard, specify the host name (system name) or TCP/IP address of the system (partition) on which you want to install the software.
- In the wizard, specify a profile and password for a user that has *ALLOBJ and *SECADM special authorities. The FTP connection will be made running as this profile.
- In the wizard, you can also specify the port for FTP to use. If you have not changed the port, leave this at 21 which is the default port for FTP.
- Click Next.
- The connection is established and the files are copied to the system.
- To complete the installation of the product, sign on to the system with a user that has *ALLOBJ and *SECADM special authorities and type SETUPTMP/INSTALL.
Note: Installation is not complete until you complete this step!!! DO NOT skip this step!
- For new installations, you will be prompted to enter your authorization code. You should have received an authorization code from HelpSystems or an authorized reseller.
- For new installations, you will be prompted to enter your Company Name. This will be the name that appears on the Risk Assessor reports. That is, it will appear as "Your Company Name Confidential" on the Risk Assessor reports. If you are running Risk Assessor on multiple machines, we recommend that you include the system name in your Company Name field.
- Installation is now complete. To access the product, type GO SKYRA.
Running Risk Assessor for IBM i:
- To run Risk Assessor you must have *ALLOBJ, *SECADM and *IOSYSCFG special authorities.
- You have three options for running the product.
- Type GO SKYRA to get to the Risk Assessor Main Menu, take Option 1 and specify to run the product interactively.
- Type GO SKYRA to get to the Risk Assessor Main Menu, take Option 1 and specify to submit the product to run in batch. The product will run in the batch jobq of the user submitting the job.
- Schedule the product to run off-hours. To do to this, schedule the command SKYVIEWRAP/SKYASSESS using your job scheduler. You may want to choose this option if you have a large number of users that belong to the same group profile. There is a timing issue with IBM i that can cause members of this group profile to not be allowed to sign on the system while that report runs. If you have this configuration, you may wish to schedule Risk Assessor at a time when users who are a member of this large group profile are not trying to sign on the system.
Eliminating one group from the SKYGRPOWN report:
The report that causes users to not be able to sign on is gathering the objects owned by group profiles. This is to show the scope of the exposure of having a group own objects. If you have one group that owns most objects on the system, you may already be aware of the objects this profile owns and may want to eliminate this group profile from the report. (Eliminating this group profile will also significantly reduce the size of this report and prevent the issue of users not being able to sign on.) Examples of group profiles that often cause this issue include S2KOBJOWNR and JDE. To eliminate one group from the SKYGRPOWN report, update the SKYOGP data area in the SKYVIEWRAP library by running the following command:
CHGDTAARA DTAARA(SKYVIEWRAP/SKYOGP) VALUE(GROUP_NAME)
substituting the name of the group profile you wish to exclude for the "GROUP_NAME" value.
To include the group in the report, run the following command:
CHGDTAARA DTAARA(SKYVIEWRAP/SKYOGP) VALUE(' ')
Eliminating the supplemental report that lists validation list users: If you wish to eliminate the report, SKYVLDLE that lists all of the users in each validation list, update the SKY632 data area in the SKYVIEWRAD library by running the following command:
CHGDTAARA DTAARA(SKYVIEWRAD/SKY632) VALUE(N)
To generate the report again, run the following command:
CHGDTAARA DTAARA(SKYVIEWRAD/SKY632) VALUE(Y)
Eliminating the supplemental report that lists authority settings of commands, programs files in all libraries:
On systems with hundreds of libraries, you may wish to eliminate the report, SKYOBJAUT, that lists the number of commands, programs and files with *PUBLIC authority set to *ALL, *CHANGE, *USE or *EXCLUDE. To omit the report, update the SKY652 data area in the SKYVIEWRAD library by running the following command:
CHGDTAARA DTAARA(SKYVIEWRAD/SKY652) VALUE(N)
To generate the report again, run the following command:
CHGDTAARA DTAARA(SKYVIEWRAD/SKY652) VALUE(Y)
- Due to an i5/OS limitation with user spaces, if there are more than 80,500 files in one library, the SKYOBJAUT report will only count the authorities for these files. Additional files will not be counted.
- The recommendation for the minimum length of a changed changed from '7' to '8' to better align with security best practices.
- Option 2 on the Main Menu and option 2 on the Reports menu which allowed you to run and view the 'Comparison' report have been removed. This function is provided by the Policy Minder product and has been removed to avoid confusion. The command to run a comparison report remains part of the product for compatibility but the comparison report will not be updated in this or future releases.
Troubleshooting Common upload errors:
- "Socket error 10061 - connection refused" - the FTP server is not started or you specified the wrong FTP port. (FTP traditionally uses port 21.)
- "Connection to system_name Failed" and "Log on attempt by user XYZ rejected." Check to see if an exit program is registered and is rejecting user XYZ from using the FTP server.
- FTP connection is made but certain requests are being rejected - "550 Request rejected." - Check to see if an exit program is registered and is rejecting specific FTP functions.
- "Connection to system_name Failed and "Log on attempt by user XYZ rejected" and no exit program is registered - iSeries Navigator Application Administration is blocking the request.
- "Error Renaming Existing Library for Risk Assessor" or "Cannot allocate library SKYVIEWRAD"- the library SKYVIEWRAD is in someone's (typically your) library list. Have the person sign off and try the upload again.
- xxx objects restored. yyy objects not restored. Check to make sure the following system values are set to the following values to allow Risk Assessor to be installed in its entirety.
- QVFYOBJRST must be set to '3' or lower
- QFRCCVNRST must be set to '3' or lower
- Change the values and upload the code from your PC again.
SKYVIEWRAD library not found. You did not run the SETUPTMP/INSTALL command to complete product installation.
Risk Assessor for IBM i is supported on releases V5R4 and beyond.