Register your E-mail address and receive automatic notification when any of the SafeNet/400 customer support pages are updated.

SafeNet/400 Frequently Asked Questions

Index:

• How can I transfer SafeNet/400 to a new system?
  
• SafeNet/400 Release 5 support Email notification for security exceptions, how can I get this working?
  
• When I run the FTP Summary Report with default selection dates, some strange dates print on the report.
  
• When I purge the transaction history file (TRAPOD), SafeNet/400 puts the records into an Archive File. How can I purge this file?
  
• How can I install a SafeNet/400 release update at a remote site?
  
• After installing a PTF, a new library named PCPTFnnn is created on my system. Do I need to keep it on disk?
  
• When I try to maintain entries for QSYSOPR, SafeNet/400 tells me that I'm not allowed to do this.
  
• What is the safest way to do a backup of the SafeNet/400 library?
  
• My company uses a Disaster Recovery Site, how can I implement SafeNet/400 on the backup system?
  
• I am upgrading OS/400, are there special considerations for SafeNet/400?
  
• I keep getting a message Security Error in my system operator message que, how can I stop this?
  
• I am upgrading from CISC to RISC and SafeNet/400 programs show up as a problem. How can I transfer your software to my new RISC system?
  
• I have a backup system and will need to transfer SafeNet/400 to that machine in an emergency. What is the best way to do this?
  
• I have multiple AS/400's. How can I distribute SafeNet/400 to my other systems without creating additional install tapes?
  
• Is SafeNet/400 Year-2000 Compliant?
  
• I have more than one system and the tape that SafeNet/400 came on cannot be loaded onto my other systems. Can I make a copy to test on the other systems? If so, how?
  
• How can I purge the SafeNet/400 Logfile?
  
• How can I run the security reports?
  
• How can I protect my system from ODBC mis-use?
  
• How can I reduce the number of IPLs needed during installation?
  

First, you must contact Kisco Information Systems and advise us that you are transferring your software from one system to another system. We will need to provide you with a new permanent installation code for your new system. We will require that you notify us in writing on your company letterhead, that you are moving the product from one system to a new system. The serial numbers for both your old and new systems must be included. You can fax this notification to us at our fax number: 914-241-9140. When we get your letter, we will issue a new installation code for your new system and will note in our records that you are retiring the software from your current system.

To transfer the software, you must first get a clean backup of your installed product. The only way to guarantee a safe backup is to do the following:

1. Bring your system to a restricted state by ending all subsystems.
2. When your system is in restricted state, deactivate the product by going to menu SN2 in library PCSECLIB and running option #6.
3. After the product has been deactivated, backup the two product libraries named PCSECLIB and PCSECDTA. Be sure to use the OS/400 SAVLIB command for this purpose.
4. Reactivate the product by running option #6 on the SN2 menu again.
5. Resume normal processing by restarting your controlling subsystem.

To activate the software, bring your new system to a restricted state. Once the system enters restricted state, go to the SN2 menu in library PCSECLIB and run option #6. After the product has been activated, go to the SN1 menu and run option #1. Review the exit point status for points set to level 5. If any are set to level 5, check with your documentation for instructions or contact our technical support specialist for additional information. Some level 5's are normal if you are running your system at OS/400 level V4R5 or higher. To resume normal processing, start your controlling subsystem.

To use E-mail alerts, first the AS/400 must be configured for e-mail. (SafeNet/400 is not an Email product, so we will not support setting this up for customers, but IBM has some very good documentation in their TCP/IP quick configuration guides to help you with this.) Then you need to create a distribution list.

The distribution list must always be qualified with the system name, for example

CRTDSTL LSTID(SAFE2 KISCO) LSTD('Safenet Alerts')

Once the distribution list has been created, add all the entries for mail recipients using the ADDDSTLE command. Then, turn on alert notification, (menu option #7 on the SN2 menu or the SafeNet/400 command CHGNOTIFY) and specify the name of the distribution list. When this is done, the alert notifications will be sent via Email. You can check whether the setup is working correctly by testing it with the SNDDST command.

The default settings for the FTP Summary report call for all transactions on the file to be selected. The program defaults to a selection date range of 1/1/1990 to 12/31/2010. These are the date that are displayed on the report in YYMMDD format.

When SafeNet/400 purges records from the transaction history file (TRAPOD), it stores them in a new member in the Archive File. This file is named TRAPARCW. Each purge operation results in a new member being added to this file.

To purge this file, use the SAVOBJ command to save the members from the file to tape. Then, you can delete the members that you have saved from the file. If you so desire, all members can be deleted from this file but the file itself should not be deleted.

Use the install media received from Kisco to load the library named PCSECINST to your local system. Check the upgrade instructions that you received. Using "Method B", choose one of the restore instructions documented at step 3. Using SNADS, or any other method that you have for moving libraries to another system, transfer the PCSECINST library to the remote system where you want to perform the SafeNet/400 release upgrade.

Once the library is on your remote system, resume the instructions for "Method B" at step number 4. Once those instructions are complete, the upgrade will install automatically the next time the remote system is IPL'd.

When you install PTF's to SafeNet/400, the replaced objects are moved to this newly created library. The library is assigned the same name as the PTF package name. These objects could be used to restore your system to it's pre-PTF state if that becomes necessary. Under normal conditions, you should be able to delete these libraries once the PTF has been installed and tested to your satisfaction.

SafeNet/400 only allows maintenance on IBM user profiles (those starting with the letter Q) when you are signed on using the QSECOFR user profile. Sign off under your current profile, then sign back on using the QSECOFR profile. If your installation has strict control over the use of QSECOFR, you may have to arrange for your installation security officer to handle this task.

Since SafeNet/400 uses IBM's exit point technology to protect your system, it is integrated into OS/400 and in normal operation it regularly has files and programs in use. This can create a problem when trying to take a backup of the library. To overcome this problem, we recommend the following sequence when saving the SafeNet/400 application library named PCSECLIB. (Note, all commands referred to in this procedure are with OS/400 commands or can be found in the SafeNet/400 library.)

1. Stop SafeNet/400 logging by issuing command: CHGSPCSET LOGALL(*NO)
2. End the log recording program by issuing command: ENDTRP
3. Turn off Alert Notification (if it is active) by issuing command: CHGNOTIFY ALERT(*OFF)
4. End the SAFELOGING subsystem by issuing command: ENDSBS SBS(SAFELOGING) OPTION(*IMMED)
5. Save the SafeNet/400 library PCSECLIB (and PCSECDTA if you have SafeNet/400 Release 5 or higher) using the SAVLIB command. Do not use the SAVOBJ command as some required objects may not get saved correctly.
6. Reset the logging option by issuing command: CHGSPCSET LOGALL(*YES)
7. Restart log recording by issuing command: STRTRP
8. Reset Alert Notification by issuing command: CHGNOTIFY ALERT(*ON)

Also see: "I have a backup system and will need to transfer SafeNet/400 to that machine in an emergency. What is the best way to do this?".

If the standard method referenced above does not work for you, you may install SafeNet/400 from a backup from your production system provided that SafeNet/400 the SAFELOGING subsystem is ended when the backup is taken. Both libraries, PCSECLIB and PCSECDTA must be saved. If this precaution is not followed, some objects may not be saved correctly on the backup tape. Since this may be a significant inconvenience for a normal backup process, you might consider keeping a copy of SafeNet/400 that has been saved this way available for off-site use. This backup copy should be refreshed whenever a significant number of access rules have been changed or when Kisco PTFs have been installed.

We recommend that you test your backup plan to make sure that all objects are correctly saved to your backup tape. You should not rely on an untested recovery plan. Note: Your backup of the SafeNet/400 libraries (PCSECLIB and PCSECDTA) must be made using the SAVLIB command.

To install SafeNet/400 at your recovery site, do the following:

1. Restore the library PCSECLIB and PCSECDTA using the RSTLIB command.
2. Sign on as QSECOFR (or under another user profile with *SECOFR authority) and go to the INSTALL menu in library PCSECLIB.
3. Run menu option #1.
4. SafeNet/400 should now be installed and activated on your backup system with a 25 user limit.
5. If your license is for more than 25 users, contact Kisco Information Systems to obtain an authorization code for your backup system for your authorized user level. This must be done before you start using your system. If you know that you are going to your recovery site, you can request this code in advance as long as you know the serial number of the backup system.

Remember that SafeNet/400 registers exit points in OS/400. Before leaving your backup site, you should deactivate SafeNet/400 and remove the library.

SafeNet/400 is integrated into OS/400 via IBM's exit point technology. Because of this, you must take some special steps with SafeNet/400 when upgrading your level of OS/400.

1. Immediately before starting your upgrade, deactivate SafeNet/400.
2. Following deactivation, end all subsystems and bring your system to a restricted state.
3. Then, perform your OS/400 upgrade according to IBM's instructions to you.
4. After the OS/400 upgrade is complete, including installation of PTF's, bring your system to a restricted state again by ending all subsystems.
5. Activate SafeNet/400 again at this point.
6. You can now resume normal operations.

Repeated appearance of this message indicates that your trial of SafeNet/400 has expired. If you have already paid for SafeNet/400, all you need to do is apply the permanent installation password provided to you by Kisco Information Systems and the messages will stop appearing. If you have not paid, you have two options:

1. You can contact Kisco Information Systems and arrange for a trial period extension. You will be provided with a trial extension password along with instructions. Once the trial extension password is applied, the messages will stop appearing.
2. If you do not plan on purchasing SafeNet/400 or if you want to defer additional testing until a later date, you should deactivate SafeNet/400. This is done from the Special Jobs menu by using option #6.

The install tape that you have contains observable code and can be installed on either a CISC or a RISC system. With that in mind, here is our recommendation for moving SafeNet/400 from CISC to RISC.

1. Deactivate SafeNet/400 on your CISC system.
2. Bring your CISC system to a restricted state by ending all subsystems.
3. Save the current library (PCSECLIB) from your CISC system and restore it onto your new RISC system. If you have SafeNet/400 Release 5 or later installed, save the library PCSECDTA from your CISC system and restore it too on your new RISC system. (Note, after creating the backup on your CISC system, you can re-activate SafeNet/400 on your CISC system and restart your controlling subsystem.)
4. Identify all PTF's that you have received from us via E-mail and transfer the E-mail files into the KISCO shared folder on your new RISC system.
5. Create a listing of your Server Settings on your CISC system (menu option #1 from the Reports menu).
6. At your option, You may want to create copies of the other settings using menu options #2 through #6.
7. Mount your original install media for SafeNet/400 on your RISC system and follow the instructions in the user's guide for an upgrade installation.
8. Reinstall all of the PTFs previously identified at step 4 above.
9. Apply a new permanent install code on your RISC system. You will have to contact Kisco Information Systems for this code. Kisco will need the serial number of your RISC system.

At this point, SafeNet/400 will be successfully installed on your new RISC system.

SafeNet/400 can be installed on any computer using the original installation tape. When you do the install, SafeNet/400 will be activated for a normal 30 day trial period. During this period, you must contact Kisco Information Systems to work out the licensing arrangements for your backup system.

Once the software is installed, you will want to bring your custom configuration rules forward from your normal production system. You can do this by transferring the library named PCSECDTA from your system. Before saving this library on your production system, you should shut down the logging function (option #12 on the SN2 menu). When the library has been saved, remember to resume logging (option #11 on the SN2 menu). This library should now be restored to your test system. This will preserve the settings and rules.

Finally, if your system license covers more than 25 users, you will have to contact us for a trial installation password that will support your level of users. We will gladly issue a temporary code immediately and work out the licensing arrangements at a later time. If you have the basic system installed, this is not an issue.

This can be done using the following steps:

1. From your original distribution tape, restore the library named PCSECINST using the following command:

   RSTLIB SAVLIB(PCSECINST) DEV(xxxx)

2. Send this library to your remote system using SNADS or any similar communications method for sending an entire library contents.

3. At the remote system, rename the library to it's production name using the following command:

   RNMOBJ OBJ(QSYS/PCSECINST) OBJTYPE(*LIB) NEWOBJ(PCSECLIB)

4. At the remote system, run the following command:

   RSTLIB SAVLIB(PCSECDTAIN) DEV(*SAVF) +
   SAVF(PCSECLIB/PCSECDTA) MBROPT(*ALL) +
   ALWOBJDIF(*ALL) RSTLIB(PCSECDTA)

5. Bring the system into a restricted state from the system console by issuing a stop for all sub-systems.

6. Install this library from the INSTALL menu in library PCSECLIB. Choose option #1 from the menu. This will activate SafeNet/400 on that system.

7. IPL your system. SafeNet/400 is now ready to use.

Yes. Since its initial introduction, SafeNet/400 has always been Year-2000 Compliant.

Kisco will give you permission to make as many copies of SafeNet/400 for installation on other systems as you need. Each of these installable tapes can then be installed on a trial basis on whatever machines you want to use.

Here are the steps you need to take to create an installable tape for SafeNet/400.

1. Create a copy of *PGM object QINSTAPP in QTEMP using the following command:

   CRTDUPOBJ OBJ(QINSTAPP) FROMLIB(PCSECLIB) +
   OBJTYPE(*PGM) TOLIB(QTEMP)

2. Initialize your tape.

3. Save the install program to tape with the following command:

   SAVOBJ OBJ(QINSTAPP) LIB(QTEMP) DEV(xxxx) +
   TGTRLS(youroption)

   Where xxxx=tape device name and youroption=the lowest target level that the tape will be used for installation purposes.

4. Using the original install media, load the library named PCSECINST onto your system using the RSTLIB command.

5. Save this install library to your tape with the following command:

   SAVLIB LIB(PCSECINST) DEV(xxxx) ENDOPT(*UNLOAD) +
   TGTRLS(yourlevel)

At this point, you will have an installable tape that you can use on any of your systems. To do the install, you can use the installation procedure from the SafeNet/400 user's guide. When you are all done, you can delete the PCSECINST library from your system.

Note: This answer only applies to SafeNet/400 Release 2 and earlier.

SafeNet/400 records log information in a file named TRAPOD in our application library named PCSECLIB. Option#4 on the Special Jobs menu (menu name SN2) can be used to purge these records.

You can also embed a call to the purge program from within your own CL program. The program is named TRAPDL1CL and requires two parameters. Use the following call example as a guide:

CALL PGM(PCSECLIB/TRAPDL1CL) PARM("0" "19980115")

The first parameter must always be zero. The second parameter must be the purge day in form YYYYMMDD. In the example shown here, all records on the file prior to January 15, 1998 will be purged from the file.

Note: This answer only applies to SafeNet/400 Release 2 and earlier.

The SafeNet/400 Security Report by user will print all requests logged by SafeNet/400. Selecting menu option 6 from the Reports menu (menu SN3) will produce this report.

You can also call the reports program directly. The program is named TRAPOD1CL and it has 8 parameters. The parameters are defined as follows:

1. must be a "0" (zero)
2. must with be "D" (print user within date) or "S" (print user within Server)
3. must be user name or "*ALL"
4. must be the start date in format MMDDYYYY
5. must be the end date in format MMDDYYYY
6. must be the start time in form HHMMSSNN expressed as 24 hour time (ie: 00131508 converts to 1:15:08PM)
7. must be either "N" to print all entries or "Y" to print just the reject entries
8. must be blank

The following is an example of a CL call to this program:

CALL PGM(PCSECLIB/TRAPOD1CL) PARM("0" "D" "*ALL" "01011998" "01151998" "08150000" "N" " ")

In this example, entries will be listed by user within date for all users starting at 8:15am on January 1, 1998 through January 15, 1998.

Note: This answer only applies to SafeNet/400 Release 2 and earlier.

SafeNet/400 provides protection from ODBC users when you use the IBM ODBC driver that is included in OS/400. There are other ODBC drivers on the market and SafeNet/400 will not give you protection when these are used. These other drivers do not conform to the exit point requirement that is found with the IBM ODBC driver. If you need protection, you must use the IBM provided ODBC driver.

Non-IBM ODBC drivers can easily be excluded on your system. All of these drivers require that you load a software component onto your AS/400. You can prevent use of non-IBM ODBC drivers by simply not loading their AS/400 software component. This will force your users to conform to the standard ODBC driver from IBM.

SafeNet/400 requires an IPL of your AS/400 just prior to installation. You may also need to obtain PTFs from IBM (see link on customer support page) for your current level of OS/400. The PTF process also requires an IPL. For installations that are running critical operations on a 24 hours per day/seven days a week basis, this can be difficult. If this is your situation, you can eliminate one of these two IPLs by using the following installation sequence:

1. Load SafeNet/400 but DO NOT change any initial settings.
2. Load your OS/400 PTFs as necessary.
3. Do the single IPL.
4. Complete the installation tasks outlined in the SafeNet/400 user guide.