SafeNet/i Upgrade Procedures

If you currently have SafeNet/400 Release 7 or earlier installed on your system, you cannot upgrade directly to SafeNet/i Release 10. It will be necessary for you to first upgrade your installation to SafeNet/400 Release 8 before you can upgrade to SafeNet/i Release 10. Contact Kisco Information Systems for details on how to best get this done.

---

You have two methods you can use when upgrading your SafeNet/i installation from one release level to the latest release level as follows:

• Method A - Traditional Direct Installation
• Method B - Automatic Unattended Upgrade Installation

Either method will result in a successful upgrade installation. Method A is used for those situations where you can easily schedule some downtime for your system and you prefer to do a direct installation with operator supervision during the entire process. Method B can be used as an alternate when scheduling downtime is a problem. Method B is a two step process where the actual installation is done during an IPL of your system. Important Note: You cannot use method B when upgrading more than one release level.

Both upgrade installation methods are described below.

---

Before you start your upgrade

1. Make sure that you have your SafeNet/i permanent installation codes available for use. They may be needed towards the end of the installation process. If you do not have these codes available, contact Kisco Information Systems and obtain the codes prior to starting this procedure.
2. Check the size of the file named TRAPOD in library PCSECDTA. If it is very large, you should consider doing a purge of it in advance of the upgrade, especially if your system is low on free disk space. During the upgrade, all files in PCSECDTA are copied over into the newly installed version. Some customers do not purge this file regularly and are then surprised when the upgrade install takes a very long time or fills up their free disk space. If you do a purge, but specify in the purge to save the information to the archive files, then make sure you backup the archive and clear the archive file members before the upgrade. The archive file is named TRAPARCW and is also in library PCSECDTA. If you do not purge the TRAPOD file and it is very large, be prepared for a long upgrade process. Note: If you do a purge, make sure that you do it before you end all subsystems at the start of the upgrade process.
3. Check the following system values. They should be set as indicated here. If they are not, note the current settings then change them to these settings:

   QALWOBJRST - *ALL
   QVFYOBJRST - value 3 or lower
   QFRCCVNRST - value 1

   After all upgrade processing has been completed, you can change these values back to what they werebefore you started.
4. If you have activated file journaling on the SafeNet/i control database files in library PCSECDTA, (see the user's guide, Section 11, titled Journaling SafeNet/i Security Files), you must stop that journaling activity before doing your upgrade. This can be done by running the ENDSAFEJRN program in library PCSECLIB - CALL PGM(PCSECLIB/ENDSAFEJRN). You must also remove all journal and journal receiver objects from the PCSECDTA library. These are objects with object type *JRN and *JRNRCV.

   Note: The ENDSAFEJRN program must be run when you have brought your system into restricted state. Prior to that, the journals will still be active and some will not detach.

5. Check your system for the presence of libraries with either of the following names:

   PCSECOLD
   PCSECOLDD

   You can do that by using the following command:

   DSPOBJD OBJ(QSYS/PCSECOLD*) OBJTYPE(*LIB)

   If either library (or both) exist, they MUST be removed before you start your upgrade process.

6. If you are upgrading to SafeNet/i Release 10 for the first time (from any level at Release 8), you must check for implementation of the CHGSPCSET command in PCSECLIB in any of your application CL programs. Some customers may find this implemented in their periodic backup process to step and then restart logging during the backup cycle.

   Check for the use of the LOGALL parameter on the CHGSPCSET command. The new version no longer supports the *NO/*YES values for this parameter. This parameter now supports the options: *FILE, *JOURNAL, *BOTH or *NONE. For compatibility, if you have a CHGSPCSET command with LOGALL(*NO) coded, it must be changed to LOGALL(*NONE). If you have a LOGALL(*YES) coded, it must be changed to LOGALL(*FILE). After the upgrade is complete, the old form of the CHGSPCSET command will fail unless changed.

   After you have implemented the new release, if you choose to start journaling your transaction history, these settings must be reviewed again.

7. If your prior installation is a release level 9.07 or lower (PTF level PCPTF907), this upgrade contains an engineering change in the way objects in libraries named QSYS and QGY are processed. Prior to this, these objects were all automatically allowed access through *RMTSRV (Remote Command/Program Call) regardless of how the rules were set up. This was done for performance reasons as these are frequently accessed objects for some installations. With this change, any users accessing these objects must have User to Server permission to *RMTSRV. Before you install this upgrade, you should check which users on your system are accessing these two libraries using *RMTSRV and add User to Server permission now. Failure to do so may result in access issues for users that they have not experienced prior to this upgrade.
8. If you are upgrading to SafeNet/i Release level 10.39 or higher for the first time and if you have archived SafeNet/i Transaction History that is kept off-line, make sure that you review the IPv6 Enhancement documentation to make sure that the off-line history files are converted to the new format when needed.
9. As an extra measure of security, Kisco recommends that you create your own backup copies of the critical SafeNet/i libraries, PCSECLIB and PCSECDTA, prior to your upgrade. During the upgrade, Kisco also creates these backups but having an extra set can insure your ability to recover if something happens during the upgrade. To save time, and if you have enough disc space, create two save files on your system in a library other than PCSECLIB and PCSECDTA and save the libraries into those save files. If you do not have sufficient disc space, save the libraries to tape, but keep the tape available until you are happy with the results of the upgrade.

---

If you have any problems during the upgrade process, please refer to SafeNet/i Upgrade Recovery instructions on how to deal with any problems during your upgrade installation.

---

Method A - Traditional Direct Installation

If you are doing a traditional direct installation of your SafeNet/i upgrade, complete the following steps:

1. End all subsystems using the command: ENDSBS *ALL (you MUST bring your system to a restricted state).
2. De-Activate SafeNet/i. To De-Activate you must be signed on as QSECOFR. Select option 6 from the SN2 menu in Library PCSECLIB.
3. After the De-Activate completes, press F3 to exit all SafeNet/i menus.
4. On the command line type LODRUN DEV(XXX) replace XXX with the name of your CD-Rom reader. The upgrade is complete when the SafeNet/i Main Menu is displayed. Check the Additional Documentation Topics that will print on your system following the upgrade for possible additional considerations and instructions.
5. If any additional server settings will need to be set, please do so at this time by selecting menu option 1 from the SafeNet/i Main Menu (Maintain Server Security Settings).
6. Go to the INSTALL menu in library PCSECLIB and run option #3 to check the software installation status. If the status reports that the software is not installed, do the following:
   • Enter T in the type of install field and press ENTER
   • Enter P in the type of install field, your permanent install code, authorized user level and all 9's in the expiration date and press ENTER.
   This will reset your permanent installation status for the software.
7. Restart all subsystems and run your start-up program or IPL.
8. Once step 7 is complete all processing can resume.
9. If you have installed the WebCentral browser interface for SafeNet/i, you must refresh the WebCentral objects on your system before you resume using the WebCentral interface. Before you do this refresh, make sure that the WEBCENTRAL HTTP server instance is not running. You can end it using the following command:

   ENDTCPSVR SERVER(*HTTP) HTTPSVR(WEBCENTRAL)

   Once the WEBCENTRAL server instance is not running, then you can refresh the WebCentral objects on your system by running the following command from the command line while signed on as a SafeNet/i Administrator:

   PCSECLIB/WEBCINSTAL

   When this has completed, then you can resume normal use of the WebCentral browser interface.

---

Method B - Automatic Unattended Upgrade Installation

To have the SafeNet/i upgrade installed at your next IPL, use these instructions. Be sure to perform the update preparation EXACTLY as shown here. READ THE ENTIRE PROCEDURE BEFORE STARTING THIS PROCESS. Important Note: You cannot use method B when upgrading more than one release level.

The following process documents how to pre-load the upgrade onto your system and get your system set up to do the actual upgrade during your next IPL. You can perform this process at any time prior to your next IPL. We recommend that you pre-load the upgrade as close to the time of your scheduled IPL as is practical for you. Pre-loading the upgrade far in advance could result in problems if you have an un-scheduled IPL due to a system problem or power failure.

1. Sign on to any terminal session on your system using a user profile OTHER THAN QSECOFR that has *SECOFR as a user class. The profile must have *ALLOBJ, *IOSYSCFG, *JOBCTL, *SAVSYS, *AUDIT and *SECADM special authority. If no such user profile exists, we recommend that you create one to be active until after the update is completely installed.
2. If there is a library named PCSECINS on your system from a previous upgrade install, it must be deleted first. You can use the following command:

   DLTLIB LIB(PCSECINS)

3. Load the update CD in your drive.
4. To load the update from CD, enter following command:

   RSTLIB SAVLIB(PCSECINS) DEV(OPTxx) OPTFILE("/PCSECINS") +
   FRCOBJCVN(*YES *RQD)

   Note: Substitute single quotes for the double quotes shown here.

5. From the command line, issue the following instruction:

   CALL PGM(PCSECINS/INSPREPCL)

   This procedure will make the following changes to your system:

   • Your system value QSTRUPPGM (the IPL Startup Program setting) will be temporarily changed. When the IPL runs, this value will be reset to its old value.
   • The user profile associated with the job description QSTRUPJD will be temporarily changed. Following the IPL, this value will be changed to QPGMR (the default factory setting). If you have another value set for this job description, you will have to manually change it after the IPL is complete. You can use the DSPJOBD command to verify the current setting for this before doing step #5.

6. At your next IPL, the update to SafeNet/i will be automatically applied. Please be prepared that this IPL process will take longer than normal by up to 20 minutes. Do not interrupt the IPL until it is completed. All values associated with your current SafeNet/i installation will be preserved. Check the Additional Documentation Topics that will print on your system following the upgrade for possible additional considerations and instructions.
7. As soon as practical following the IPL., go to the INSTALL menu in library PCSECLIB and run option #3 to check the software installation status. If the status reports that the software is not installed, do the following:
   • Enter T in the type of install field and press ENTER
   • Enter P in the type of install field, your permanent install code, authorized user level and all 9's in the expiration date and press ENTER. This will reset your permanent installation status for the software.
8. If you have installed the WebCentral browser interface for SafeNet/i, you must refresh the WebCentral objects on your system before you resume using the WebCentral interface. Before you do this refresh, make sure that the WEBCENTRAL HTTP server instance is not running. You can end it using the following command:

   ENDTCPSVR SERVER(*HTTP) HTTPSVR(WEBCENTRAL)

   Once the WEBCENTRAL server instance is not running, then you can refresh the WebCentral objects on your system by running the following command from the command line while signed on as a SafeNet/i Administrator:

   PCSECLIB/WEBCINSTAL

   When this has completed, then you can resume normal use of the WebCentral browser interface.