How to configure Profile and Password Management (PPM) for ANYNET? (NETIQKB30867)

  • 7730867
  • 02-Feb-2007
  • 14-Jun-2019

Environment

NetIQ Security Solutions for iSeries 8.1
NetIQ Security Solutions for iSeries 8.0
VigilEnt Security Agent for AS/400 7.5
VigilEnt Security Agent for iSeries 5.4/7.0
Profile and Password Management (PPM)


Situation

How to configure Profile and Password Management (PPM) for ANYNET?
How to use TCP/IP to configure Password Synchronization in Profile and Password Management?

Resolution

Below are instructions for setting up ANYNET (APPC over TCP/IP) in preparation for using PPM for profile and/or password distribution between IBM i servers.

ANYNET  Set-up (APPC over TCP/IP)

 

System-A    <-->    System-B

 Network Attributes                System:   A                                      

 Current system name  . . . . . . . . . . . . . . .  . :   PENTA421                

  Pending system name  .   . . . . . . . . . . . . . :                           

Local network ID . . . . . . . . . . . . . . . . . . . . :   APPN                    

Local control point name . . . . . . . . . . . . . . :   PENTA421                

Default local location . . . . . . . . . . . . . . .  . :   PENTA421                

Default mode . . . . . . . . . . . . . . . . . . . . . . . :   PENTA                   

Server network ID/control point name . .  . :   *LCLNETID   *ANY

Allow ANYNET support . . . . . . . . . . . . . . :   *YES

 

Network Attributes                System:   B                                      

 Current system name  . . . . . . . . . . . . . . .  . :   DOMINO1

  Pending system name  .   . . . . . . . . . . . . . :                           

Local network ID . . . . . . . . . . . . . . . . . . . . :   APPN

Local control point name . . . . . . . . . . . . . . :   S102D21M

Default local location . . . . . . . . . . . . . . .  . :    S102D21M                

Default mode . . . . . . . . . . . . . . . . . . . . . . . :   BLANK

Server network ID/control point name . .  . :   *LCLNETID   *ANY

Allow ANYNET support . . . . . . . . . . . . . . :   *YES

 

1.)     Prerequisite:  You must have both SNADS and TCP/IP running on both systems.

2.)     Make sure the Network Attributes for both systems (A & B) specify “Allow ANYNET support:     *YES”.   If the value of this parameter was “*NO” and was changed to “*YES”, you must vary off all communications controllers on each system where the value was changed, then vary those communications controllers back on.

3.)     Add Host Table Entries on each system for the IP addresses of the target systems.   On each system, enter CFGTCP at the AS/400 command prompt, then select Option-10 (Work with TCP/IP host table entries).   If the IP address does not already exist in the Host Table, enter a “1” in the Opt field and the IP address in the Internet Address field, then press enter to show the Add TCP/IP Host Table Entry display.   If the IP address already exists in the Host Table, enter “2” in the Opt field next to that IP address and press enter to show the Change TCP/IP Host Table Entry display.   From either the Add TCP/IP Host Table Entry (ADDTCPHTE) or Change TCP/IP Host Table Entry (CHGTCPHTE) screen, enter a “+” in the Host names field and press enter to add the Host name (HOSTNAME) of the target system.   The name must be in the form system name.appn.sna.ibm.com in order to conform to the SNA standard for AnyNet.   After entering the Host name, keep pressing enter until you have returned to the Configure TCP/IP menu.   From the Configure TCP/IP menu, press function key F3 (Exit) to return to the AS/400 command prompt.   The following shows the entries for our example:

 

a)       System-A:

Internet Address . . .  . . . . . :   192.168.128.91

Host names:

  Name . . . . . . . . . . . . . . . . :   DOMINO1.APPN.SNA.IBM.COM

Text description  . . . . . :   DOMINO1

 

b)      System-B:

Internet Address . . .  . . . . . :   192.168.255.92

Host names:

  Name . . . . . . . . . . . . . . . . :   PENTA421.APPN.SNA.IBM.COM

Text description  . . . . . :   PENTA421

  

4.)     Create APPC controllers on each system.   From the AS/400 command prompt, enter CRTCTLAPPC and press function key F4 (prompt).   For ease of identification, it is recommended that you use the target system name for the Controller description (CTLD).   Link type (LINKTYPE) should be specified as “*ANYNW”.   The value of the Remote control point (RMTCPNAME) should equate to the value of the Network Attribute-Local control point name on the target system.   Do not enter anything in the Attached devices (DEV) field.   For V4R1 and later, specify “*NONE” for Autocreate device (AUTOCRTDEV).   Optionally, enter a value for the text (TEXT) field.   Take the IBM parameter defaults for all of the other parameters and press enter.   The following shows the CRTCTLAPPC parameters for our example:

 a)       System-A:

 Controller description . . . . > DOMINO1      

Link type  . . . . . . . . . . . . . > *ANYNW       

Online at IPL  . . . . . . . . . . .  *YES         

Remote network identifier .  *NETATR      

Remote control point . . . . > S102D21M      

User-defined 1 . . . . . . . . .   *LIND        

User-defined 2 . . . . . . . . .   *LIND        

User-defined 3 . . . . . . . . .   *LIND        

Text 'description' . . . . . . . > DOMINO

                            Additional Parameters

Attached devices . . . . . . . .                

               + for more values                

Character code . . . . . . . . .   *EBCDIC

        

b)      System-B:

 Controller description . . . .>  PENTA421 

Link type  . . . . . . . . . . . . . >  *ANYNW    

Online at IPL  . . . . . . . . . . .   *YES     

Remote network identifier  .   *NETATR  

Remote control point . . . .  >  PENTA421 

Autocreate device  . . . . . .  >  *NONE     

Autodelete device  . . . . . . . .   1440     

User-defined 1 . . . . . . . . . . .   *LIND    

User-defined 2 . . . . . . . . . . .   *LIND    

User-defined 3 . . . . . . . . . . .   *LIND    

Text 'description' . . . . . . . . .   *BLANK

 Additional Parameters

Attached devices . . . . . . . .

  

5.)   Create an APPC device for each controller created in step-4.   From the AS/400 command prompt, enter CRTDEVAPPC and press function key F4 (prompt).   Once again, for ease of identification, it is recommended that you use the target system name for the Device description (DEVD).   The value of the Remote location name (RMTLOCNAME) should equate to the value of the Network Attribute-Local control point name on the target system.   For the Attached controller parameter (CTL), specify the name of the corresponding controller created in step-4.   The value for the Mode (MODE) should equate to the value of the Network Attribute-Default mode on the target system.   Optionally, enter a value for the text (TEXT) field.   Take the IBM parameter defaults for all of the other parameters and press enter.   The following shows the CRTDEVAPPC parameters for our example:

 

a)   System-A:

Device description . . . . . . .      DOMINO1

Remote location  . . . . . . . .       S102D21M

Online at IPL  . . . . . . . . .         *YES

Local location . . . . . . . . . . . . . *NETATR

Remote network identifier  . . . *NETATR

Attached controller  . . . . . . . .   DOMINO1

Mode . . . . . . . . . . . . . . . . . . .    BLANK

                   + for more values

Message queue  . . . . . . . . . . .   QSYSOPR

        Library  . . . . . . . . . . .                *LIBL

APPN-capable . . . . . . . . . .       *YES

Single session:                  

        Single session capable . . . .       *NO

        Number of conversations  . . .

Text 'description' . . . . . . .          Domino device

 

 

b)   System-B:

Device description . . . . . . .      PENTA421

Remote location  . . . . . . . .       PENTA421

Online at IPL  . . . . . . . . .         *YES

Local location . . . . . . . . . . . . . *NETATR

Remote network identifier  . . . *NETATR

Attached controller  . . . . . . . .   PENTA421

Mode . . . . . . . . . . . . . . . . . . .    PENTA

                   + for more values

Message queue  . . . . . . . . . . .   QSYSOPR

        Library  . . . . . . . . . . .                *LIBL

APPN-capable . . . . . . . . . .       *YES

Single session:                 

        Single session capable . . . .       *NO

        Number of conversations  . . .

Text 'description' . . . . . . .          *BLANK

  

6.)     Vary on controllers and devices created in steps 4 & 5.   From the AS/400 command prompt, enter WRKCFGSTS *CTL and press enter.   Search for the name of the controller created in step-4 and enter a “1” in the Opt field next to that controller.   This should vary on both the controller and the attached device and set the status to ACTIVE.   At this point, press enter to return to the AS/400 command prompt.   Note:  it may take a moment to vary on both the controller and the device.   You can update the status shown on your display by pressing function key F5 (Refresh) until the status shown for both the controller and the device is ACTIVE.

 

7.)     Configure the Distribution Services to create the Distribution Queues and Routing Table entries.   From the AS/400 command prompt, enter CFGDSTSRV and press enter.  

a.)     Enter “1” in the type of distribution services to configure field.   From the Configure Distribution Queues screen, press function key F6 (Add distribution queue) to display the Add Distribution Queue screen.   Again, for ease of identification, it is recommended that you use the target system name for the Queue name.   Queue type should be *SNADS.   The value of the Remote location name (RMTLOCNAME) should equate to the value of the Network Attribute-Local control point name on the target system.   The value for the Mode (MODE) should equate to the value of the Network Attribute-Default mode on the target system.   Take the IBM defaults for the remaining parameters and press enter.   Press function key F12 (Cancel) until you return to the Configure Distribution Services screen.  

b.)     Next, enter “2” in the type of distribution services to configure field.   From the Configure Routing Table screen, press function key F6 (Add routing table entry).   At the Add Routing Table Entry screen, enter the target system name in the first parameter of the System name/Group field.   Optionally, enter a description identifying the target system.   For all the Queue names, enter the name of the Queue which you created in step-7a (this should be the name of the target system) and take the IBM default (“*DFT”) for the Maximum hops and press enter.

 Note: the following shows the values used for the Distribution Queues and Routing Entries used in our example:

 a)       System-A:

(Queue entry)

Queue . . . . . . . . . . . . .  . :   DOMINO1    

        Queue type  . . . . . . . .  . :   *SNADS     

        Remote location name   :   S102D21M   

        Mode  . . . . . . . . . . . . . . :   BLANK      

        Remote net ID . . . . . . . :   *LOC       

        Local location name . . . :   *LOC       

        Normal priority:                           

          Send time:                               

           From/To . . . . . . . . :    :        :

           Force . . . . . . . . . :   .   :        

          Send depth  . . . . . . . . . :     1        

        High priority:                             

          Send time:                               

           From/To . . . . . . . . :    :        :

           Force . . . . . . . . . :   . . :        

          Send depth  . . . . . . . .  . :     1

       

Number of retries . . . . . . :      3

Number of minutes                   

          between retries . . . . . . . :      5

To ignore time/depth values          

          while receiving:                  

  Send queue  . . . . .  . :   N

 


                (Routing Table Entry)

Destination system                           

          name/Group . . . . . :   DOMINO1           

Description  . . . . . :   Penta421 to Domino1

Service level:                               

          Fast:                                      

            Queue name . . . . :   DOMINO1           

            Maximum hops . . . :   *DFT              

          Status:                                    

            Queue name . . . . :   DOMINO1           

            Maximum hops . . . :   *DFT              

          Data high:                                 

            Queue name . . . . :   DOMINO1           

            Maximum hops . . . :   *DFT              

          Data low:                                  

            Queue name . . . . :   DOMINO1           

    Maximum hops . . . :   *DFT

  

b)       System-B:

(Queue entry)

Queue . . . . . . . . . . . . .  . :   PENTA421    

        Queue type  . . . . . . . .  . :   *SNADS     

        Remote location name   :   PENTA421  

        Mode  . . . . . . . . . . . . . . :   PENTA

        Remote net ID . . . . . . . :   *LOC       

        Local location name . . . :   *LOC       

        Normal priority:                           

          Send time:                                

           From/To . . . . . . . . :    :        :

           Force . . . . . . . . . :   .   :        

          Send depth  . . . . . . . . . :     1        

        High priority:                             

          Send time:                                

           From/To . . . . . . . . :    :        :

           Force . . . . . . . . . :   . . :        

          Send depth  . . . . . . . .  . :     1

       

Number of retries . . . . . . :      3

Number of minutes                   

          between retries . . . . . . . :      5

To ignore time/depth values         

          while receiving:                  

  Send queue  . . . . .  . :   N

 


                (Routing Table Entry)

Destination system                           

          name/Group . . . . . :   PENTA421   

Description  . . . . . :    Domino1 to Penta421

Service level:                               

          Fast:                                      

             Queue name . . . . :   PENTA421           

             Maximum hops . . . :   *DFT               

          Status:                                    

             Queue name . . . . :   PENTA421           

             Maximum hops . . . :   *DFT              

          Data high:                                 

             Queue name . . . . :   PENTA421           

             Maximum hops . . . :   *DFT              

          Data low:                                  

             Queue name . . . . :   PENTA421           

     Maximum hops . . . :   *DFT

 

8.)     Add the necessary Directory entries to the System Distribution Directory.

a)       Source system:

Make an entry in the distribution directory to enable the transmission from the source system to the target system.   The User ID should be specified as “*ANY” with an Address matching the name of the target system.   Optionally enter a description for the directory entry.   Enter the target system name in the first parameter of the System name/Group field.   Take the IBM defaults for the remaining parameters and press enter.

b)       Target system:

Make an entry in the distribution directory to enable the receipt of a transmission, from a source system, by a user on the target system.   The User ID should specify the name of a valid user profile with an Address matching the name of the system which the entry is being made on.   Optionally enter a description of the directory entry.   Enter the current system name (name of the system which the entry is being made on) in the first parameter of the System name/Group field.   The User profile should be the same as the User ID entered in the first part of the User ID/Address.   Take the IBM defaults for the remaining parameters and press enter.

Note:   the following shows the Directory Entries used in our example.   This example enables user GAS to transmit from the Domino1 machine to the Penta421 machine and vice versa, and to receive on either machine.

System-A:

 

a)            User ID/Address . . . . . . :   *ANY      DOMINO1 

Description . . . . . . . . . . :   Any user to DOMINO1

System name/Group . . . :   DOMINO1           

User profile  . . . . . . . .  . :                     

Network user ID . . . . . . :   *ANY     DOMINO1

 

                b)            User ID/Address . . . . . . :   GAS       PENTA421

Description . . . . . . . . .  . :   Gary A. Smith    

System name/Group . . . :   PENTA421         

User profile  . . . . . . . . .. :   GAS               

Network user ID . . . . . . :   GAS      PENTA421

 

System-B:

 

a)            User ID/Address . . . . . . :   *ANY      PENTA421 

Description . . . . . . . . . . :   Any user  (Penta421)

System name/Group . . . :   PENTA421            

User profile  . . . . . . . .  . :                     

Network user ID . . . . . . :   *ANY     PENTA421

 

                b)        User ID/Address . . . . . . :   GAS       DOMINO1

Description . . . . . . . . .  . :   Gary A. Smith    

System name/Group . . . :   DOMINO1         

User profile  . . . . . . . . .. :   GAS               

Network user ID . . . . . . :   GAS      DOMINO1

 

This completes our example of configuring ANYNET communications (APPC over TCP/IP) between the two AS/400 systems, PENTA421 and DOMINO1.   This is just one approach, which we feel is the simplest and most straightforward method to use.   However, other variations may better fit your installation and requirements.
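
The System-A side of steps 2 through 8, written as the CL commands behind the prompts. This is an added example, not part of the original NetIQ article. It uses the sample values shown above and assumes none of the objects or entries exist yet; System-B mirrors it with its own values.

```cl
PGM
/* Added example: System-A (PENTA421) side of steps 2-8 as CL commands. */
/* All names and addresses are the sample values from this article.     */

/* Step 2: allow APPC over TCP/IP. If this changes *NO to *YES, vary    */
/* the communications controllers off and back on before continuing.    */
CHGNETA    ALWANYNET(*YES)

/* Step 3: host table entry for the target system. Use CHGTCPHTE        */
/* instead if the IP address is already in the host table.              */
ADDTCPHTE  INTNETADR('192.168.128.91') +
             HOSTNAME(('DOMINO1.APPN.SNA.IBM.COM')) TEXT('DOMINO1')

/* Step 4: AnyNet controller. RMTCPNAME is the target's local control   */
/* point name; no attached devices are named here.                      */
CRTCTLAPPC CTLD(DOMINO1) LINKTYPE(*ANYNW) ONLINE(*YES) +
             RMTNETID(*NETATR) RMTCPNAME(S102D21M) +
             AUTOCRTDEV(*NONE) TEXT('DOMINO')

/* Step 5: device on that controller. MODE is the target's default mode */
CRTDEVAPPC DEVD(DOMINO1) RMTLOCNAME(S102D21M) ONLINE(*YES) +
             LCLLOCNAME(*NETATR) RMTNETID(*NETATR) CTL(DOMINO1) +
             MODE(BLANK) APPN(*YES) TEXT('Domino device')

/* Step 6: vary on the controller and its attached device */
VRYCFG     CFGOBJ(DOMINO1) CFGTYPE(*CTL) STATUS(*ON)

/* Step 7a: SNADS distribution queue named after the target system */
ADDDSTQ    DSTQ(DOMINO1) RMTLOCNAME(S102D21M) DSTQTYPE(*SNADS) +
             MODE(BLANK)

/* Step 7b: route every service level through that queue */
ADDDSTRTE  SYSNAME(DOMINO1) FAST(DOMINO1 *DFT) STATUS(DOMINO1 *DFT) +
             DATAHIGH(DOMINO1 *DFT) DATALOW(DOMINO1 *DFT) +
             TEXT('Penta421 to Domino1')

/* Step 8: directory entries, outbound to the target and local user GAS */
ADDDIRE    USRID(*ANY DOMINO1) USRD('Any user to DOMINO1') +
             SYSNAME(DOMINO1)
ADDDIRE    USRID(GAS PENTA421) USRD('Gary A. Smith') USER(GAS) +
             SYSNAME(PENTA421)
ENDPGM
```

Keeping the commands in a source member gives a reviewable record of which remote location, mode and directory entries were opened for PPM distribution on each system.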


-----------------------------------------------------------------------------------------------------------------------------------------------------

These instructions to configure ANYNET are available via the link below.

https://download.netiq.com/KB/files/NETIQKB30867.doc



Additional Information

Formerly known as NETIQKB30867