To successfully install any Powertech product in an HA (‘High Availability’) environment, the Powertech product must be installed on the HA system before the production system.
This is necessary because replication software could be set up with global settings to replicate non-library objects such as user profiles, authorization lists, IFS directories, etc. Many of the Powertech products check for the existence of these objects (especially user profiles) prior to the installation and will not install if these objects already exist.
SIEM Agent for IBM i has two user profiles: PTIAOWN and PTIAADM.
SIEM Agent for IBM i has these authorization lists: PTIAADM, PTIADTA and PTIAPGM.
Note: If the user profiles or authorization lists exist, replication of these objects must be inactivated on the production system. Delete these user profiles and/or authorization lists on the HA system, then install Authority Broker per the installation instructions.
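One way to check the HA system for these objects before installing, as an added CL example that is not Powertech's own code. The object names are the ones listed above; the program structure and variable names are assumptions.

```cl
/* Added example: run on the HA (target) system before installing.  */
/* Reports any of the product's user profiles or authorization      */
/* lists that already exist (for example, because replication       */
/* created them) and ends with an escape message if any are found.  */
PGM
  DCL VAR(&OBJ)    TYPE(*CHAR) LEN(10)
  DCL VAR(&TYPE)   TYPE(*CHAR) LEN(7)
  DCL VAR(&EXISTS) TYPE(*LGL)
  DCL VAR(&FOUND)  TYPE(*DEC)  LEN(3 0) VALUE(0)

  /* User profiles named in the article */
  CHGVAR VAR(&TYPE) VALUE('*USRPRF')
  CHGVAR VAR(&OBJ) VALUE('PTIAOWN')
  CALLSUBR SUBR(CHECK)
  CHGVAR VAR(&OBJ) VALUE('PTIAADM')
  CALLSUBR SUBR(CHECK)

  /* Authorization lists named in the article */
  CHGVAR VAR(&TYPE) VALUE('*AUTL')
  CHGVAR VAR(&OBJ) VALUE('PTIAADM')
  CALLSUBR SUBR(CHECK)
  CHGVAR VAR(&OBJ) VALUE('PTIADTA')
  CALLSUBR SUBR(CHECK)
  CHGVAR VAR(&OBJ) VALUE('PTIAPGM')
  CALLSUBR SUBR(CHECK)

  /* Stop here if anything was found, so the install is not started */
  IF COND(&FOUND *GT 0) THEN(SNDPGMMSG MSGID(CPF9898) +
       MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
       MSGDTA('Product objects already exist on this system'))
  SNDPGMMSG MSG('No product profiles or authorization lists found')
  RETURN

  /* CHECK: CPF9801 (object not found) is the expected, clean result */
  SUBR SUBR(CHECK)
    CHGVAR VAR(&EXISTS) VALUE('1')
    CHKOBJ OBJ(QSYS/&OBJ) OBJTYPE(&TYPE)
    MONMSG MSGID(CPF9801) EXEC(CHGVAR VAR(&EXISTS) VALUE('0'))
    IF COND(&EXISTS) THEN(DO)
      CHGVAR VAR(&FOUND) VALUE(&FOUND + 1)
      SNDPGMMSG MSG('Already exists:' *BCAT &OBJ *BCAT &TYPE)
    ENDDO
  ENDSUBR
ENDPGM
```

Only CPF9801 is monitored, so any other CHKOBJ failure, such as not being authorized to the object, ends the program with that error instead of being reported as "not found".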
Unlike other products, SIEM Agent for IBM i does not change once it has been set up. The SIEM Agent for IBM i library PTINTERACT can be saved and restored from the production (source) system to the HA (target) system after the setup has been completed. Install SIEM Agent for IBM i on the HA system, then the production system (like the other Powertech products) to get the profiles and other objects created. Once the product has been installed on the HA system, the PTINTERACT library can be restored to give it the same setup as the production system. If the library is restored, you will have to reenter the license key.
However, if you would like to set up replication to capture any changes, here is what should be replicated.
If tuning is done to the ‘Event’ filters, then the PLIFTR physical can be replicated.
If changes are made to the ‘Agent/Broker’ configuration (e.g. a syslog server IP address) then the PLIAGENT file can be replicated.
If a change is made to the product values, then the PLISYS file can be replicated.
If a change is made to either the ‘Host Role’ or the ‘Message Queue for the product’ then the PLIUCTL user index should be replicated.
Note: Generally, once SIEM Agent for IBM i is installed and configured the only changes would be to the ‘Event’ filters, which still would be very rare.
SIEM Agent for IBM i has the following Authorization Lists in library QSYS:
Replication for these authorization lists should be set up on a scheduled, weekly basis to reflect any changes to them. Because these changes are not as frequent as the other changes, a weekly update would be sufficient.
Synchronization of the objects needs to be done on the individual object. Never use the ‘Library Synchronization’ feature of the HA product, as it will clear the product’s library and replicate only the objects that are defined to be replicated. Since the licensed objects cannot be replicated from the source to the HA system (see next section), the product will not function on the HA system because the licensed objects were deleted. If ‘Library Synchronization’ was performed, the product will have to be removed and reinstalled on the HA system for the product to function properly.
Only certain objects should be replicated for SIEM Agent for IBM i in the product library PTINTERACT.
Set up an ‘Omit’ filter to omit all of the objects in the PTINTERACT library.
Set up an ‘Include’ filter to include the following objects in the PTINTERACT library.
SIEM Agent for IBM i 3.02 or later has the ability to enter multiple licenses (press F7 – License List on the License Setup screen). This allows you to enter the HA system’s license before the role swap, so you don’t need to contact Powertech technical support for an emergency (temporary) key.
In the event that you are using multiple licenses, you will need to set up the following object to be replicated.
Note: If you have not taken advantage of the multiple license feature, or are not at a version that has this feature, then do not replicate this object, as it will cause the license on the HA system to be invalid.
Before you activate SIEM Agent for IBM i monitors on the target (HA) system, execute option 3 from the ‘Work with Monitors Menu’. Option 3 is ‘Initialize SIEM Agent for IBM i monitors after install’. This step clears all the communications areas used between the monitors and loads run-time indexes from the database. The next start of the monitors will be fresh and clean.
After the initialization has completed, take option 1 to start the SIEM Agent for IBM i monitors.