NetIQ Security Solutions for iSeries

Version 8.1

Release Notes

Revised: September 24, 2008

The NetIQ Security Solutions for iSeries product provides simplified security auditing, vulnerability assessment, and security management for iSeries systems. With powerful vulnerability assessment, access control, security auditing, real-time monitoring, and user profile and password management, NetIQ Security Solutions for iSeries helps you eliminate security risks and maintain business continuity across your iSeries servers. NetIQ Security Solutions for iSeries also allows you to simplify security management and automate routine security tasks across your entire iSeries environment.

This document outlines why you should install this version, provides additions to the documentation, and identifies any known issues. We assume you are familiar with previous versions of this product. For more information about installing NetIQ Security Solutions for iSeries, see the Installation Guide for NetIQ Security Solutions for iSeries.

What's New?

NetIQ Security Solutions for iSeries 8.1 provides several new features, as well as improves usability and extends several capabilities. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

The following sections outline the key features and functions provided by this version.

Authority Escalation Solution

Privilege Manager is an authority escalation tool that allows iSeries administrators to reduce the number of security officer class profiles on the iSeries server. Privilege Manager offers an escalation model that allows administrators to control who has access, from where, to which commands, programs, and files, using which swap profile, and when that access is permitted.

Built-in auditing and reporting help you meet your compliance objectives. Offering a rich escalation model, Privilege Manager allows you to:

  • Reduce the need for user profiles with *ALLOBJ authority on your server
  • Manage access to sensitive commands, programs, and files
  • Provide a controlled interface for users to gain escalated authority
  • Audit usage and access failures

Privilege Manager provides the escalated privilege solution you need to limit widespread authorities, show continuous regulatory compliance, and increase operational integrity.

Using Privilege Manager, you can limit regular access to your sensitive commands, programs, and files to a one-time or regularly scheduled maintenance window and assign the task to a specific user or user group.

For more information about Privilege Manager, see the User Guide for Privilege Manager.

Support for SPSS ShowCase Suite

NetIQ Security Solutions for iSeries now provides the ability to secure the SPSS ShowCase Suite 8.0 exit point with an exit program installed using PSSecure Remote Request Management (RRM). Before using RRM to secure this exit point, ensure you have the latest SPSS ShowCase Suite PTFs applied. For operating system levels supported by SPSS ShowCase Suite, please see the SPSS Web site.

For more information about configuring integration with RRM and SPSS ShowCase Suite, see the Installation Guide for NetIQ Security Solutions for iSeries.

Support for IBM i5/OS V6R1

All previous functionality included in PSAudit, PSSecure, PSDetect, and integration with NetIQ Security Manager and NetIQ Secure Configuration Manager is operational on servers running IBM i5/OS V6R1.

Enhanced Support for NetIQ Secure Configuration Manager Integration

NetIQ Security Solutions for iSeries provides the ability to create your own security checks in the Secure Configuration Manager console for iSeries servers. You can use custom security checks to handle your unique security needs. In addition to the wizard provided in the Secure Configuration Manager console, you can use a programming language such as TCL to create queries outside of the console, and then import those checks into the console to include in policy templates.

To create custom security checks for the iSeries agent in NetIQ Secure Configuration Manager, you must be running NetIQ Secure Configuration Manager 5.7 or later. If you are running NetIQ Secure Configuration Manager 5.7, you must have hotfix 70969 applied. Hotfix 70969 is located in the SCMUpdates folder of the NetIQ Security Solutions for iSeries installation kit.

You can use the following objects and their associated attributes when creating iSeries custom security checks:

  • Authorization List
  • Check object integrity
  • Check system
  • Command information
  • Exit point information
  • Host
  • Integrated File System
  • Job descriptions
  • Message queue
  • Network attributes
  • Network status
  • Object Authorities
  • Output queue information
  • Profiles
  • PTF status
  • QSYS.LIB file system objects
  • Script Content
  • Software resources
  • Subsystem autostart job entries
  • Subsystem communications entries
  • Subsystem information
  • Subsystem job queue entries
  • Subsystem pools
  • Subsystem prestart job entries
  • Subsystem remote location
  • Subsystem routing
  • Subsystem work station name entries
  • Subsystem work station type entries
  • System disk status
  • System jobs
  • System pools
  • System status
  • System values

Since custom security checks are flexible, you can tailor them to meet the technical policies and regulations specific to your workplace. With custom security checks you can:

  • Select only the fields you want to display on your report and the order in which you display them
  • Establish baseline results that allow you to determine what changes have been made to your servers and then take the appropriate action according to your security policies
  • Create your own policy templates
  • Incorporate built-in scoring to your security checks to easily assess security risks

Enhanced Support for NetIQ Security Manager Integration

The following section summarizes enhancements made to the NetIQ Security Solutions for iSeries product integration with NetIQ Security Manager.

Enhances Journal Type Entries Sent to NetIQ Security Manager - PTF 1C03016
This release includes PTF 1C03016. PTF 1C03016 provides the ability to limit which journal type entries are sent to Security Manager Log Manager and improves performance of iSeries data collection.
Resolves an Issue with Data Returned to Log Manager - PTF 1C03003
This release includes PTF 1C03003. PTF 1C03003 resolves a potential issue with data being returned to Security Manager Log Manager. Security Manager Log Manager requests data from the iSeries server according to a user-defined time interval. If the data is not returned before the next request for data is sent to the iSeries server, job requests could potentially stack in the job queue and prevent data from being returned to Log Manager. The job name on the iSeries server that processes the Log Manager request is currently PSEREPORT and will change to PSEGETLOGS with this PTF.
Resolves an Issue with Parsing Log Manager Events - PTF 1C03007
This release includes PTF 1C03007. PTF 1C03007 resolves an issue where NetIQ Security Manager displays the alert Log Manager Could Not Parse the Incoming Events Logs.
Resolves an Issue with Sending Alerts to Intrusion Manager
This release resolves an issue where PSDetect does not send alerts to Security Manager Intrusion Manager and generates error CEE9901 unmonitored by PSM995C at statement 800, instruction X'0013'. (ENG197838)

Enhanced Support for PSAudit

The following section summarizes enhancements made to the PSAudit product.

Resolves Issues with Incomplete SAR Database Load - PTF 1A03001
This release includes PTF 1A03001. PTF 1A03001 resolves an issue where the System Auditing and Reporting Database Load does not update library QSYS and new libraries are not included on reports.
Resolves an Issue with Display Journal Output from the PSAudit Submittal Window - PTF 1A03002
This release includes PTF 1A03002. PTF 1A03002 resolves an issue where reports may truncate data when you specify a DSPJRN *TYPE4 outfile instead of a journal receiver in the PSAudit Submittal Window.
Resolves Database Load Error MCH3402 - PTF 1A03006
This release includes PTF 1A03006. PTF 1A03006 resolves an issue where the File, Object, and Library Database load fails and returns error MCH3402: Tried to refer to all or part of an object that no longer exists.
Resolves Issues Adding Libraries to the SAR File, Object, and Library Database Inclusion/Exclusion List - PTF 1A03007
This release includes PTF 1A03007. PTF 1A03007 resolves an issue where adding libraries to the Inclusion/Exclusion List for the File, Object, and Library Database fails and returns the error Library does not exist or not Authorized.
Resolves an Issue with Failed Database Load Scheduled Jobs
This release resolves an issue where the Database load scheduled job fails with I/O error CPF5257. (ENG201297)
Resolves an Issue with Purging Logged Data
This release resolves an issue where the Purge Logged Data option returns the error CPF0555 Date not in specified format or date not valid. (ENG197832)
Resolves an Issue with the System Access Report
This release resolves an issue where the SAA System Access Report fails with the error Not authorized to object ALPF25 in PSAUDIT type *FILE. (ENG223569)

Enhanced Support for PSSecure

The following section summarizes enhancements made to the PSSecure product.

Reorganizes the OAM Menu
This release reorganizes the OAM menu to provide the functionality of the STROAMAPI command. This reorganization enhances usability and reduces the number of steps to produce the Non-Compliance report. The menu changes are as follows:

Old OAM Menu:
  1. Work With Templates
  2. View/Change Non-Compliant Objects
  3. Generate Authority File (PSAudit)
  4. Group Name Maintenance

New OAM Menu:
  1. Work With Templates
  2. Work With Groups
  3. Work With Filters
  10. Non-Comp Report/Force Compliance
  11. Work With Non-Compliant Objects
  20. Generate Authority File (PSAudit)

Enhanced Server/Function/Command Combinations in RRM
The following Server/Function/Command combinations have been renamed to better reflect their usage as generic operations while retaining the same functionality. You can use these Server/Function/Command combinations in RRM as catch-all operations. (ENG230856)

  • DBSQL_EXECIMM is now DBSQL_EXECIMM_*ALL
  • DBSQL_FETCH is now DBSQL_FETCH_*ALL
  • DBSQL_PREPARE is now DBSQL_PREPARE_*ALL
  • DBSQL_PRPDESC is now DBSQL_PRPDESC_*ALL
  • DBSQL_PRPEXEC is now DBSQL_PRPEXEC_*ALL

If you have secured entries that contain these DBSQL functions, they will continue to work as generic operations. If you want your rules to be more restrictive, create new secured entries from your collected entries.

The following Server/Function/Command combination descriptions have been renamed to better reflect their usage:

  • DBSQL_EXECIMM: "Execute Package Immediately" is now "Execute Immediately"
  • DBSQL_PREPARE: "Prepare Package" is now "Prepare"
  • DBSQL_EXECIMM_COMMENT: "Execute Comment Table Immediately" is now "Execute Comment Immediately"
  • DBSQL_EXECIMM_LABEL: "Execute Label Table Immediately" is now "Execute Label Immediately"
  • DBSQL_PKGINFO: previously blank, now "Retrieve SQL Package Info"

RRM now collects and logs the following Server/Function/Command combinations that you can secure with RRM:
  • DBSQL_EXECIMM_SET
  • DBSQL_EXECIMM_GRANT
  • DBSQL_EXECIMM_REVOKE
  • DBSQL_EXECIMM_COMMENT (on column)
  • DBSQL_EXECIMM_LABEL (on table)

Resolves Ignored Swap Profiles for FTP Transactions - PTF 1C03002
This release includes PTF 1C03002. PTF 1C03002 resolves an RRM issue where swap profiles defined in RRM rules are ignored for FTP transactions on V5R3 systems. On servers that have IBM PTF SI14206 applied, this PTF also resolves an issue where FTP transactions generate error message: PSCOMMON/NW0032E TYPE PGM MUST BE CHANGED IN THE NEXT 99 DAYS. THE LENGTH AND CCSID PARAMETERS MUST BE ADDED ON THE CALL TO API QSYGETPH.
Resolves an Issue with Collected Transactions - PTF 1C03005
This release includes PTF 1C03005. PTF 1C03005 resolves an issue where transactions with any segment of the path beginning with an asterisk (*) or percent sign (%) collect the subsequent path segments with an asterisk for the object or member name instead of the actual name. A path segment should only be collected with an * as the library, object, or member name if the first character of that segment is an * or %.
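
As an added illustration (not NetIQ code) of the collection rule just described, the following Python compares the pre-PTF behaviour with the corrected rule and shows why it matters when a secured entry is created from a collected entry; it assumes a "/"-separated LIBRARY/OBJECT/MEMBER path and simple positional wildcard matching, neither of which the notes specify.

```python
from __future__ import annotations

# Added example, not NetIQ code. Assumed path shape: "/"-separated
# LIBRARY/OBJECT/MEMBER; a collected entry is the list of segment names with
# "*" standing for "generic", as the release note describes.
GENERIC_PREFIXES = ("*", "%")


def collect_segments_buggy(path: str) -> list[str]:
    """Behaviour fixed by PTF 1C03005: once a segment begins with * or %,
    every later segment is collected as * instead of its actual name."""
    collected = []
    generic_seen = False
    for segment in path.split("/"):
        if segment.startswith(GENERIC_PREFIXES):
            generic_seen = True
        collected.append("*" if generic_seen else segment)
    return collected


def collect_segments_fixed(path: str) -> list[str]:
    """Corrected rule: a segment is generic only if its own first character
    is * or %; every other segment keeps its real name."""
    return ["*" if seg.startswith(GENERIC_PREFIXES) else seg
            for seg in path.split("/")]


def entry_matches(secured: list[str], collected: list[str]) -> bool:
    """Assumed matching semantics for the illustration: a secured entry
    covers a collected entry when each position is equal or the secured
    entry holds * there."""
    if len(secured) != len(collected):
        return False
    return all(s == "*" or s == c for s, c in zip(secured, collected))


def overreach_demo(path: str, other_path: str) -> tuple[bool, bool]:
    """If an administrator turns a collected entry into a secured entry,
    the buggy collection silently widens it to cover members that were
    never seen. Returns (buggy_covers_other, fixed_covers_other)."""
    other = collect_segments_fixed(other_path)
    return (entry_matches(collect_segments_buggy(path), other),
            entry_matches(collect_segments_fixed(path), other))


if __name__ == "__main__":
    sample = "PAYLIB/*ALL/JAN2008"                      # constructed sample path
    print(collect_segments_buggy(sample))               # ['PAYLIB', '*', '*']
    print(collect_segments_fixed(sample))               # ['PAYLIB', '*', 'JAN2008']
    print(overreach_demo(sample, "PAYLIB/%TMP/SALARY")) # (True, False)
```
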
Resolves an Issue with Inactive Session Monitor Time-Out - PTF 1S03004
This release includes PTF 1S03004. PTF 1S03004 resolves an issue where Inactive Session Monitor does not time out sessions exceeding the maximum allowed period of inactivity. This error occurs due to operating system changes introduced in the V5R4 release.
Resolves an Issue with Profile and Password Management Profile Synchronizer Exclusions - PTF 1S03007
This release includes PTF 1S03007. PTF 1S03007 resolves an issue where Profile and Password Management Profile Synchronizer generic profile exclusions do not apply to profiles added after the generic exclusion was created.
Resolves an Issue with the STROAMAPI Command
This release resolves an issue where running the OAM STROAMAPI command generates the error MCH6902 (The requested heap space operation is invalid.). (ENG199478)
Resolves an Issue with Supplemental Groups in PPM Profile Templates
This release resolves an issue where profiles do not retain the supplemental group value when using the Change User Profile Based On Template function in PPM. This release also adds the *ANY default supplemental group profile value. (ENG194403, ENG238637, ENG188127)
Resolves an Issue with Copying User Profiles in PPM
This release resolves an issue where copying a user profile in the PPM Work With Users screen fails if the supplemental group profile exceeds 10 characters. (ENG207819)
Resolves an Issue with PPM Accounting Codes
This release resolves an issue where user profiles may contain incorrect accounting codes when you create them from a PPM template with accounting code values that exceed 10 characters. (ENG201580)
Resolves an Issue with Inactive Session Monitor Timeout
This release resolves an issue where Inactive Session Monitor does not end jobs immediately at time intervals specified in the global ISM timing parameters. (ENG219782)

Enhanced Support for PSDetect

This release resolves an issue where the PSDetect Trap Manager fails with the error The target for a numeric operation is too small to hold the result. (ENG227936)

Usage Considerations

The following notes may be of assistance to you when using RRM to secure the SPSS ShowCase Suite exit point.

IP Address Collection

The following notes may be of assistance to you when using RRM to collect IP addresses from the SPSS ShowCase Suite exit point.

  • If a transaction does not provide the client computer's IP address, RRM uses the server's loopback address.
  • If you remotely access the Signon Server (RRM server SIGNON, system job QZSOSIGN) or the Remote Command/Program Call server (RRM server RMTCMD, system job QZRCSRVS), RRM uses the server's loopback address.

Data Collection

The following notes may be of assistance to you when using RRM to collect data from the ShowCase Suite exit point.

  • When Warehouse Manager remotely accesses the Signon Server, some transactions display *N for the user profile name, particularly when selecting Active Connections for the Warehouse Manager application.
  • When user profiles that do not have *ALLOBJ authority use SQL Server Mode, RRM may generate the error RSC6140 ("You must have *ALLOBJ authority to run this program.") in the QSQSRVR joblogs.
  • Transactions resulting from Query client and batch queries, such as functions CREATE, JOIN, and DELETE, may contain an invalid object. The invalid object name is the file name specified in the Results tab of the Batch Options screen. For example, file name MYFILE_SC1 is passed to any exit point program as MYFILE_SC.
  • Transactions resulting from batch query may incorrectly display the function SELECT instead of INSERT for SQL statements containing INSERT INTO file name SELECT field FROM location. For example:

    INSERT INTO MYLIB/"MYFILE_SC1" SELECT FIELD1,FIELD2,FIELD3 FROM MYLIB01/MYFILE MYFILE
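
As an added example, not NetIQ code and not how RRM classifies functions internally: a constructed scanner that reproduces the symptom (reporting SELECT because that keyword appears in the text) beside a classifier that takes the statement's own leading verb, so a rule written for INSERT is evaluated against INSERT. The function set is illustrative, and the WITH and comment handling is my assumption about what a robust classifier should cover.

```python
from __future__ import annotations
import re

# Added example, not NetIQ code. The function names are the ones the notes
# mention for RRM transactions; the set is illustrative, not RRM's.
FUNCTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP",
             "GRANT", "REVOKE"}


def classify_naive(sql: str) -> str:
    """Constructed reproduction of the reported symptom: report the first
    function keyword found anywhere in the text, checking SELECT first."""
    upper = sql.upper()
    for kw in ("SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP",
               "GRANT", "REVOKE"):
        if re.search(r"\b" + kw + r"\b", upper):
            return kw
    return "UNKNOWN"


# Tokens: line and block comments, double-quoted names, single-quoted
# strings, bare words, and parentheses. Anything else (commas, slashes,
# digits, operators) is skipped by findall.
_TOKEN = re.compile(r"--[^\n]*|/\*.*?\*/|\"[^\"]*\"|'[^']*'|[A-Za-z_]+|[()]",
                    re.S)


def classify_by_leading_keyword(sql: str) -> str:
    """Return the statement's own verb: the first function keyword at
    parenthesis depth 0. Comments and quoted text never carry the verb, and
    a SELECT inside a subquery or a WITH ... AS (...) list sits at depth > 0,
    so INSERT INTO ... SELECT ... is classified as INSERT."""
    depth = 0
    for tok in _TOKEN.findall(sql):
        if tok.startswith(("--", "/*", '"', "'")):
            continue
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(0, depth - 1)
        elif depth == 0 and tok.upper() in FUNCTIONS:
            return tok.upper()
    return "UNKNOWN"


# The statement quoted in the release note, used as the demo input.
PAGE_STATEMENT = ('INSERT INTO MYLIB/"MYFILE_SC1" SELECT FIELD1,FIELD2,FIELD3 '
                  'FROM MYLIB01/MYFILE MYFILE')

if __name__ == "__main__":
    print(classify_naive(PAGE_STATEMENT))                # SELECT
    print(classify_by_leading_keyword(PAGE_STATEMENT))   # INSERT
```
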

Client-Side Handling of Rejected Transactions

The following notes may be of assistance to you when using Warehouse Builder.

  • The Warehouse Builder client does not display a screen for transactions rejected by the Signon Server exit program.
  • If the ShowCase Server exit program rejects a user's request to read a user file from Warehouse Builder, the Warehouse Builder client does not display an error and allows the user to run the definition within a set.
  • If the ShowCase Server exit program rejects a user's request to open a user file defined in the Warehouse Builder client, the Warehouse Builder client displays the message Error Message Unknown.

Upgrading from Previous Versions

To upgrade from NetIQ Security Solutions for iSeries 8.0, install the new version over version 8.0. You do not need to uninstall version 8.0. For more information about upgrading to the current version, see the Installation Guide for NetIQ Security Solutions for iSeries.

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. If you need assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support).

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support (www.netiq.com/support).

Operating System Compatibility Issues

The following notes may be of assistance to you when working with IBM OS V5R4M5 and V6R1.

SQL/QRY Monitor Issues with V5R4M5 and V6R1
To resolve an issue where the SQL/QRY Monitor ends as soon as it is started on servers running OS V5R4M5 or V6R1, issue the following commands from the iSeries command line:

RNMOBJ PSAUDIT/SAR0514F *FILE SAR0514F80

CRTDUPOBJ OBJ(QAQQDBMN) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(PSAUDIT) NEWOBJ(SAR0514F)

CHGOBJOWN PSAUDIT/SAR0514F *FILE NEWOWN(PSOBJOWN)

GRTOBJAUT PSAUDIT/SAR0514F *FILE REFOBJ(PSAUDIT/SAR0514F80)

PSDetect Issues with V6R1
The PSDetect QuickStart Wizard fails when you try to configure PSDetect to send email alerts or forward alerts to NetIQ Security Manager. To work around this issue, manually configure the mail server.

To manually configure the mail server:

  1. On the iSeries command line, type CFGTCP and press Enter.
  2. Type 10 (Work with TCP/IP host table entries) and press Enter.
  3. Type 1 (Add) and press Enter.
  4. Specify the IP address and the name of the mail server and press Enter.

To manually add the email address where you want to send alerts:

  1. Type PSMENU and press Enter.
  2. Type 3 (PSDetect) and press Enter.
  3. Type 11 (PSDetect Action Setup Menu) and press Enter.
  4. Type 6 (Work With Email Addresses) and press Enter.
  5. Press F6 to add the email address for the user name specified in the PSDetect QuickStart Wizard.

Operations Navigator Plug-in for RRM Issues with V6R1
You cannot install the Operations Navigator plug-in for RRM from iSeries servers running i5/OS V6R1. If you currently have the Operations Navigator plug-in for RRM installed on an iSeries server running an earlier version of the operating system, the Operations Navigator plug-in for RRM continues to operate after you upgrade to i5/OS V6R1.

RRM Issues

The following notes may be of assistance to you when using RRM to secure remote access to your servers.

  • NetIQ Security Solutions for iSeries 8.1 does not support transactions with functions COMMIT, LOCK, and ROLLBACK. If RRM rules reject these functions, the SPSS ShowCase Suite application may produce unpredictable results.
  • Transactions that include the CREATE, DROP, GRANT, or REVOKE functions are not collected, but do appear on RRM transactions reports with the object accessed.
  • Transactions with the GRANT function may not include the object name.
  • If the Collected Entries report contains null values, RRM generates the error CPF5035 (Data mapping error on member NW0007F.).
  • When changing RRM default values, you must cycle your remote servers for changes to take effect immediately. If you do not cycle your remote servers, jobs started before you change default values continue to use the original settings. Any jobs started after you change the default values use the updated settings, causing jobs to run with inconsistent configuration settings.

    Note
    Cycling your servers could negatively impact some users' functions. To reduce the impact on users, cycle your servers at an appropriate time.

    To cycle your remote servers:

    1. From the NetIQ Product Access Menu, type 2 (PSSecure) and press Enter.
    2. Type 3 (Remote Request Management) and press Enter.
    3. Type 30 (Manage RRM) and press Enter.
    4. Type 3 (Cycle Remote Servers) and press Enter.
    5. Ensure the value for each parameter is correct.
    6. Press Enter.

Additions to Documentation

The product documentation is up-to-date and provides the latest information.

Viewing Documentation Files

When viewing the documentation files in the installation kit, you may observe the following issues:

  • The installation kit provides some documentation in Microsoft Word DOC files. To view these documentation files, you need Microsoft Word or Microsoft Word Viewer installed. Other programs, such as Microsoft Wordpad, may not correctly translate the file format. You can download Microsoft Word Viewer from the Microsoft Web site (www.microsoft.com).
  • The installation kit provides some documentation in PDF files. To view these documentation files, you need Adobe Acrobat or Adobe Acrobat Reader installed. You can download Adobe Acrobat Reader from the Adobe Web site (www.adobe.com).
  • When you view the documentation files through the setup program, the snap-in for Internet Explorer may display some hidden text, such as index entry tagging, in the files. To hide this hidden text:
    1. On the Tools menu, click Options.
    2. Clear the All and Hidden Text check boxes, and then click OK.

Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
