Kisco Systems
SafeNet/i : Support : Frequently Asked Questions

The following is a list of frequently asked questions about SafeNet/i. If you have a question that is not covered here, ask us via E-mail Support and we'll answer your question.


Register your E-mail address to receive automatic notification whenever there are changes to SafeNet/i.


SafeNet/400 Frequently Asked Questions



We see a file named DUMPET in library PCSECDTA that is large and growing.

The DUMPET file is used when logging directly to the TRAPOD file cannot be completed. This can happen for a number of reasons and this article will guide you through troubleshooting the issue. Normally, the DUMPET file should be empty.

Email support@kisco.com for help with any of these tips.

  • Is the WRITETCL program active in SAFELOGING subsystem? If not, start it using the STRTRP command.

  • Is the SAFEQ data queue in library PCSECLIB damaged? You can check this by running the following listing:
    DSPOBJD OBJ(PCSECLIB/SAFEQ) OBJTYPE(*ALL) OUTPUT(*PRINT)
    Check the listing to see if it is showing as damaged. If it is damaged, you can delete it and rebuild it by calling the BLDSAFEQ program in library PCSECLIB.

  • Is there anything in the SAFELOGING job’s joblog? Run
    DSPJOBLOG JOB(SAFENET/SAFELOGING)
    and select the active logging job. Specifically we are looking for any CPF messages. Contact support@kisco.com if you find anything that you cannot resolve.

  • Are regular transactions being written to TRAPOD at all? OR does it completely stop writing TRAPOD records?

  • Does this system have an extremely high transaction rate? If so, maybe additional logging jobs might help. You can control this with the CHGSPCSET settings. The next time you issue the STRTRP command, the new setting will take effect.

  • Does this happen ALL the time? OR does it start failing at a specific time?

  • Is there any type of replication software running on the system?

  • Does this happen when backups kick off?

  • Does restarting the SAFELOGING logging job fix it?

  • Make sure the Socket exit points are deactivated.

  • Are there messages showing up in QSYSOPR about the issue? What is the MsgId (SFN0009, SFN0008, etc.)? If so, what does the second-level text of the message show?

  • Check for object locks on data objects needed by the logging process. If any of these are locked by anything other than a SafeNet process, this would indicate a source of the problem:
    • WRKOBJLCK PCSECDTA/TRAPOD OBJTYPE(*FILE) OUTPUT(*PRINT)
    • WRKOBJLCK PCSECDTA/WRKREGPF OBJTYPE(*FILE) OUTPUT(*PRINT)
    • WRKOBJLCK PCSECDTA/DUMPET OBJTYPE(*FILE) OUTPUT(*PRINT)

  • Check SafeNet error logging:
    • DSPPFM PCSECDTA/DUMPERR. Is there anything in that file?
    • DSPFD PCSECDTA/TRAPOD OUTPUT(*PRINT)
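
The checks above can be gathered in one pass before you write to support. The CL program below is an added example, not Kisco code: it assumes the DUMPET and DUMPERR records sit in the first member of each file, and it only reads and prints, changing nothing on the system.

```cl
/* Added example, not part of SafeNet/i: read-only DUMPET triage.     */
/* Assumption: DUMPET and DUMPERR keep their data in the first member.*/
PGM
  DCL VAR(&DUMPCNT) TYPE(*DEC) LEN(10 0)
  DCL VAR(&ERRCNT)  TYPE(*DEC) LEN(10 0)
  DCL VAR(&DUMPCHR) TYPE(*CHAR) LEN(10)
  DCL VAR(&ERRCHR)  TYPE(*CHAR) LEN(10)

  /* Normally DUMPET is empty, so any record here is worth an alert.  */
  RTVMBRD FILE(PCSECDTA/DUMPET) MBR(*FIRST) NBRCURRCD(&DUMPCNT)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDMSG MSG('SafeNet/i check: cannot read PCSECDTA/DUMPET.') +
           TOUSR(*SYSOPR)
    RETURN
  ENDDO

  IF COND(&DUMPCNT *EQ 0) THEN(RETURN)

  /* Count SafeNet error log records; stays 0 if the file is unreadable. */
  CHGVAR VAR(&ERRCNT) VALUE(0)
  RTVMBRD FILE(PCSECDTA/DUMPERR) MBR(*FIRST) NBRCURRCD(&ERRCNT)
  MONMSG MSGID(CPF0000)

  CHGVAR VAR(&DUMPCHR) VALUE(&DUMPCNT)
  CHGVAR VAR(&ERRCHR)  VALUE(&ERRCNT)
  SNDMSG MSG('SafeNet/i: DUMPET holds' *BCAT &DUMPCHR *BCAT +
             'records, DUMPERR holds' *BCAT &ERRCHR *BCAT +
             'records. Diagnostic listings were printed.') +
         TOUSR(*SYSOPR)

  /* Print the listings named in the checklist. Each command is       */
  /* monitored so one failure does not stop the remaining listings.   */
  DSPOBJD OBJ(PCSECLIB/SAFEQ) OBJTYPE(*ALL) OUTPUT(*PRINT)
  MONMSG MSGID(CPF0000)
  WRKOBJLCK OBJ(PCSECDTA/TRAPOD) OBJTYPE(*FILE) OUTPUT(*PRINT)
  MONMSG MSGID(CPF0000)
  WRKOBJLCK OBJ(PCSECDTA/WRKREGPF) OBJTYPE(*FILE) OUTPUT(*PRINT)
  MONMSG MSGID(CPF0000)
  WRKOBJLCK OBJ(PCSECDTA/DUMPET) OBJTYPE(*FILE) OUTPUT(*PRINT)
  MONMSG MSGID(CPF0000)
  DSPFD FILE(PCSECDTA/TRAPOD) OUTPUT(*PRINT)
  MONMSG MSGID(CPF0000)
ENDPGM
```

Run it from a scheduled job so a non-empty DUMPET is noticed before the file grows large.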

Is SafeNet/i at risk from the LOG4J vulnerability?

We have examined all Apache based applications from Kisco and determined that they are not affected by this security exposure. For our products, you do not need to make any changes or apply any patches or PTFs that may become available from IBM, Java or Apache.

We encourage you to check other services on your system that are using the Apache web server to make sure that they are not at risk. Here is a good article about it on your IBM i system.


Can we remove *ALLOBJ authority from the SAFENET user profile?

We often hear this question as a result of audit activities. In a word, the answer is No.

All of the objects in the SafeNet/i libraries are owned by this profile and the program objects run under adopted authority tied to the profile. Many of the programs access system functions in different libraries and removing the *ALLOBJ special authority can cause those functions to fail with adverse results for your system and its users.

We recommend that after you get SafeNet/i installed, you go back to this user profile and change it so that the password is set to *NONE and the status is changed to *DISABLED. Once these changes have been made, the profile is secure from possible abuse.


How can I control including or excluding the Socket exit points in SafeNet/i?

When you first install SafeNet/i Release 11.08 or higher, the new Socket exit points will be excluded from SafeNet/i processing. This applies if you are a new customer or if you upgraded to SafeNet/i 11.08 or higher from any level of Release 10 or earlier. The socket exit points monitor all TCP/IP socket Accept, Connect and Listen connections. On some customer systems, there are a very high number of these transactions, which can adversely affect overall system performance. For this reason, we have chosen to make using these exit points entirely optional on the customer's part.

To activate one or more of the Socket exit points, use the following instructions:

  1. At the command line, run the following commands:
    ADDLIBLE PCSECLIB
    ADDLIBLE PCSECDTA
  2. Update the exit point exclusion code by running a file maintenance program. You can run this program by entering the following on the command line:
    CALL ACTEPXCL
  3. The Socket exit points have the following descriptions:
    Exit point TCP Accept socket connections
    Exit point for sockets connect() API
    Exit point for sockets Listen() API
    You will see that the three points in question already have an X in the Exclude code.
  4. Find the Socket exit point on the list that you want to work with and place a 2 next to it. On the detail screen that follows, change the exclusion code to a blank and press ENTER.
  5. As soon as you make this change, the exit point will be deactivated in the IBM i OS.
  6. Make any additional changes to other Socket exit points before you exit the screen.
  7. When you are done, the sockets will be activated.

If it becomes necessary to have SafeNet/i exclude the exit point that has been activated, you can do so by following the exact same procedure as above EXCEPT that at step #3, change the Exclude code back to X. When you make this change, the exit point registration will be removed.


I am showing at least one exit point at level 5, how do I reset this?

When an installation has a user exit program in place that SafeNet/i does not recognize, the exit point will automatically be set to Level 5 (unsupported). To allow SafeNet/i to support this server you must do the following:

  1. Remove your user exit program from the registration facility in i OS.
    Type WRKREGINF and press ENTER

    Locate the exit point and remove your exit program.

    Important: Do not remove any program called from PCSECLIB.

    You may have several servers set to Level 5. You must remove each one. Then, using the DSPNETA or CHGNETA command, verify that your IBM i network attributes DDMACC and PCSACC are both set to *OBJAUT. If these attributes are not initially set to *OBJAUT, SafeNet/i will flag several exit points to Level 5.

  2. Type the following:
    CALL PCSECLIB/DELST5CL and press ENTER
  3. From the SafeNet/i Main Menu (SN1) select Option 1 - Server Security Settings or use WRKSRV command.
    Press F3 to exit without making any changes

  4. Using the IBM i console, you must place the system in a restricted state with the ENDSBS *ALL *IMMED command, or any other site-specific shutdown process.

  5. De-activate SafeNet/i
    From the Install Menu select Option 50 - Activate/De-Activate SafeNet/i

    Follow the instructions to de-activate the program found in Chapter 13 in this guide, ‘De-activating and Removing SafeNet/i’.

  6. Re-activate SafeNet/i
    Select Option 50 - Activate/De-Activate SafeNet/i

  7. Restart your system


Is *SECADM authority required for the SAFENET user profile?

We recently heard from a customer who had an auditor request to remove *SECADM special authority from the SAFENET user profile. In the SafeNet/i documentation, we have always recommended that the SAFENET profile be set up with all special authorities, including *SECADM. After extensive testing at OS level V5R4, we have determined that *SECADM can be removed.

Keep in mind that the SAFENET profile does not need to be active with a password and can even be set to *DISABLED status. These aspects should appeal to your auditors. Now, if specifically requested, we also believe that you can remove the *SECADM special authority in response to an audit request.
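
The profile recommendations in this answer and in the *ALLOBJ answer above can be applied and then verified in one step. This CL program is an added example, not Kisco code; it assumes an IBM i release whose CL supports the %SCAN built-in function and that you run it as a security officer.

```cl
/* Added example, not part of SafeNet/i: lock down and audit SAFENET. */
/* Assumption: the CL compiler on this release supports %SCAN.        */
PGM
  DCL VAR(&STATUS) TYPE(*CHAR) LEN(10)
  DCL VAR(&SPCAUT) TYPE(*CHAR) LEN(100)

  /* No password and disabled status, as recommended on this page.    */
  CHGUSRPRF USRPRF(SAFENET) PASSWORD(*NONE) STATUS(*DISABLED)

  /* Read the profile back instead of trusting that the change took.  */
  RTVUSRPRF USRPRF(SAFENET) STATUS(&STATUS) SPCAUT(&SPCAUT)

  IF COND(&STATUS *NE '*DISABLED') THEN(DO)
    SNDPGMMSG MSG('SAFENET profile is not disabled. Status is' +
                  *BCAT &STATUS)
  ENDDO

  /* *ALLOBJ must stay: the SafeNet/i programs adopt this authority.  */
  IF COND(%SCAN('*ALLOBJ' &SPCAUT) *EQ 0) THEN(DO)
    SNDPGMMSG MSG('SAFENET profile has lost *ALLOBJ. SafeNet/i +
                  functions can fail until it is restored.')
  ENDDO

  /* *SECADM is optional: report it so the auditor's request can be   */
  /* tracked, but do not change it here.                              */
  IF COND(%SCAN('*SECADM' &SPCAUT) *NE 0) THEN(DO)
    SNDPGMMSG MSG('SAFENET profile still holds *SECADM. It can be +
                  removed if your auditors request it.')
  ENDDO
ENDPGM
```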


How can I send SafeNet/i Alerts to my cell phone?

With a recent PTF for SafeNet/i Release 9, you can now use a numeric email address in the Alert Notification list. Prior to Release level 9.09, this was not allowed on the CHGNOTIFY command.

To send a text Alert Notification, you just need to identify the carrier of the target cell phone, then form an email notification address according to the form called for by the carrier. Here are the five most common cell carrier formats available at the time this was written:

T-Mobile: phonenumber@tmomail.net
Virgin Mobile: phonenumber@vmobl.com
Cingular: phonenumber@cingularme.com
Sprint: phonenumber@messaging.sprintpcs.com
Verizon: phonenumber@vtext.com
Nextel: phonenumber@messaging.nextel.com

As an example, if your carrier is Verizon and your cell phone is 5185551212, then the entry you should use in the CHGNOTIFY command is: 5185551212@vtext.com


Performance improvement possibility.

A customer who has been using SafeNet/i for a long time on multiple systems recently ran into a performance issue on several of their production servers that were carrying a heavy workload. After exhaustive analysis, they discovered that a fairly simple change to the logical file configuration for several files used in their application software would relieve the performance bottleneck. In the process of their testing, they identified a logical file in SafeNet/i that is frequently used that would also benefit from the change.

If you feel that your installation might benefit from this change, then we recommend that you consider it. The logical file concerned is named PCACCEL2 and resides in the library named PCSECDTA. Since this file is referenced by a lot of servers on your system when SafeNet/i is active, you will probably have to schedule the configuration change so that it takes place when your system is in restricted state.

When the file is available, as when you have brought your system to restricted state, just run the following command from the command line while signed on as a security officer:

CHGLF FILE(PCSECDTA/PCACCEL2) ACCPTHSIZ(*MAX1TB)

Once this change has been made, you can then resume normal processing. You do not have to deactivate SafeNet/i when making this change.


I have libraries named PCSECOLD and PCSECOLDD on my system, are they needed?

These two libraries are created during version upgrade installation processing. Once you have installed an upgrade and you are happy with how it is working, then these can both be removed. They would only be needed if you had to revert back to the prior release following a version upgrade.

We recommend that you keep these two libraries on your system for a period of at least two weeks following a version upgrade to your SafeNet/i software.


There are two large files in the PCSECDTA library. They are named TRAPOD and TRAPARCW. How can I keep their size under control?

The TRAPOD file is the live transaction history file used daily in SafeNet/400. This file must be kept on the system with an active member.

The correct way to reduce the size of the TRAPOD file is to use the purge option that you will find on the SN2 menu in library PCSECLIB (the STRPRGARC command).

The TRAPARCW file is a multiple member file that contains previously archived transaction history file records. When you run the purge, there is an option to archive the purged records. When you use this option, the archived records are stored in this file in a newly created member. If you want to save these transaction records for historical purposes, you should back the file up off-line. Once you have them saved, then the correct way to reduce the size of the TRAPARCW file is to remove the individual members.


I want to transfer my current version of SafeNet/400 to another system, how can I do this?

Several customers have asked this question when they want to keep their system-wide implementation of SafeNet/400 at a specific release level that is no longer available from Kisco Information Systems.

You can install SafeNet/400 from a backup from your production system provided that the system is in restricted state and SafeNet/400 is deactivated when the backup is taken. Both libraries, PCSECLIB and PCSECDTA must be saved. If this precaution is not followed, some objects may not be saved correctly on the backup tape. Since this may be a significant inconvenience for a normal backup process, you might consider keeping a copy of SafeNet/400 that has been saved this way available for off-site use. This backup copy should be refreshed whenever a significant number of access rules have been changed or when Kisco PTFs have been installed.

We recommend that you test your backup plan to make sure that all objects are correctly saved to your backup tape. Note: Your backup of the SafeNet/400 libraries (PCSECLIB and PCSECDTA) must be made using the SAVLIB command.

To install SafeNet/400 at your new site, do the following:

  1. Make sure that the special user profile SAFENET is created with the correct attributes according to SafeNet/400 documentation.
  2. Restore the library PCSECLIB and PCSECDTA using the RSTLIB command.
  3. Sign on as QSECOFR (or under another user profile with *SECOFR authority) and go to the INSTALL menu in library PCSECLIB.
  4. Run menu option #1.
  5. SafeNet/400 should now be installed and activated on your backup system.

You are now in a position to activate SafeNet/400 so that it is current on this new system. Be sure to check with Kisco Information Systems about your license status on this new machine and to arrange for your permanent installation codes.


Is SafeNet/400 ready to run under i5/OS (OS/400) release V6R1?

Yes!

You must be running a minimum SafeNet/400 Release level of 8.21.


Does the Nav-Central GUI interface work with Microsoft Vista?

We have tested Nav-Central Version 8.0 with MSVista and it works just fine. We have not tested earlier releases of Nav-Central with MSVista, but we suspect that it will work there as well. We recommend that you do a fresh installation and not rely on copied files from your older MS OS system.


A user is getting rejected for object access by SafeNet/400. Their request includes a reference to the library setting of *USRLIBL. How can I deal with this?

There are three ways to deal with an object access request that references the object's library with the *USRLIBL reference. SafeNet/400 does not check all libraries in the job's library list, as doing so could severely impact processing efficiency for your network application. Please review these three alternatives and choose the one that works best for you. They are presented in the sequence of recommended preference:

  • The best solution is to change the application to make a library specific request for the data.
  • If that is not possible, then the next best solution would be to add an object authorization entry for the user or users affected indicating a library value of *USRLIBL and the object or objects that they need access to. This will leave you with a security exposure if the object or objects exist in other libraries where you don't want access. Also, you should not specify access of *USRLIBL/*ALL as this would open up a lot of objects to access that probably should not be available.
  • The last solution, which we specifically do NOT recommend, is to go to the SN2 menu and run option #2. Go to the "Specific USRLIBL Entry Needed?" parameter. Change it to *NO. This will allow any user request for any object using the *USRLIBL reference to pass and is a definite security exposure on your system. We specifically recommend that this parameter be kept set to the *YES value.

I am getting the error message "A SERIOUS SafeNet Error has occured. Network logging has failed or been suspended. Contact Kisco Information Systems." and I also found hundreds of jobs queued in the SAFENET job queue. What does this mean and what should I do?

We have seen this happen when the SAFELOGING subsystem is shut down and then not restarted in a timely manner. When you shut down SAFELOGING, SafeNet/400 does NOT stop working, it just stops recording the results in the Transaction History log. The results are stored temporarily in a data queue named SAFEQ. The only problem with this is that data queues have a finite size constraint and can fill up. When the SAFEQ data queue fills up, then SafeNet/400 senses it, issues the error message that you saw about the SERIOUS error, and then tries to start the SAFELOGING subsystem and job to relieve the pressure on the SAFEQ data queue. The problem is that on some systems there can be a huge number of transactions that cause it to issue this error. In each instance, a job is sent to the job queue. Sometimes it can take a long time for the job to get started and all those jobs get queued to the job queue.

The first question you need to concern yourself with is how SAFELOGING got shut down. For some customers that we have seen, this can happen when a backup is run that fails before normal completion. We recommend that the SAFELOGING system be stopped during a backup and then restarted as soon as the backup is done. If something happens to the backup, then the restart can get cancelled along with the backup and you're in the soup. Other times, users have shut down SAFELOGING thinking they were turning SafeNet/400 off, but this is not the case.

To recover from this situation, you first need to make sure that the SAFELOGING subsystem is up and running. Use the command "WRKACTJOB SBS(SAFELOGING)" and verify that there is at least one job running in the subsystem. If it is not running, you can start it using option #11 from the SN2 menu in library PCSECLIB. Once it is up and running, then you need to clear the pending jobs in the SAFENET job queue.
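
One way to keep a failed backup from leaving logging stopped is to wrap the backup so that the restart always runs. The CL program below is an added example, not Kisco code: MYLIB/NIGHTLYBKP is a hypothetical name for your own backup program, and ending the subsystem with ENDSBS plus a 30 second wait is an assumption about how your site stops SAFELOGING.

```cl
/* Added example, not part of SafeNet/i: backup wrapper that always   */
/* restarts SafeNet logging. MYLIB/NIGHTLYBKP is a hypothetical name. */
/* Limit: if this job itself is cancelled, the restart is lost too,   */
/* so still check SAFELOGING with WRKACTJOB after an aborted backup.  */
PGM
  DCL VAR(&BKPFAIL) TYPE(*LGL) VALUE('0')

  /* STRTRP is a SafeNet command; make sure its library is reachable. */
  ADDLIBLE LIB(PCSECLIB)
  MONMSG MSGID(CPF2103)           /* Library already in library list  */

  /* Stop logging for the backup window (assumed site procedure).     */
  ENDSBS SBS(SAFELOGING) OPTION(*IMMED)
  MONMSG MSGID(CPF0000)           /* Subsystem was already ended      */
  DLYJOB DLY(30)                  /* Assumed time for it to end       */

  /* Run the backup. Any escape message is recorded, not propagated,  */
  /* so control always reaches the restart below.                     */
  CALL PGM(MYLIB/NIGHTLYBKP)
  MONMSG MSGID(CPF0000 MCH0000) EXEC(CHGVAR VAR(&BKPFAIL) VALUE('1'))

  /* Restart logging whether or not the backup worked.                */
  STRTRP
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDMSG MSG('SafeNet logging did NOT restart after backup. +
                Start SAFELOGING before the SAFEQ data queue fills.') +
           TOUSR(*SYSOPR)
  ENDDO

  IF COND(&BKPFAIL) THEN(DO)
    SNDMSG MSG('Backup failed. SafeNet logging restart was still +
                attempted.') TOUSR(*SYSOPR)
  ENDDO
ENDPGM
```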


We have modified the SAFENET Job Description in SafeNet/400's application library, PCSECLIB. After installing a SafeNet/400 release upgrade, where is this job description from the prior release?

During installation processing, the current complete contents of the SafeNet/400 application library named PCSECLIB are saved in a save file object. A backup library is created named PCSECOLD and the name of the save file that contains the entire library contents is SAVF. If you want to restore any of these objects, you can do so with a simple RSTOBJ command.

Warning: We warn you, however, to check with us before arbitrarily restoring any objects from an earlier release of SafeNet/400. Some of these objects could create instability if restored to the new release. Contact Kisco Information Systems support staff for advice on your specific situation.

If you have stored any objects, or modified objects in the SafeNet/400 data objects library named PCSECDTA, this library is also preserved during a release upgrade. The prior version of this library will be found in a backup library named PCSECOLDD. Again, review the previous warning when attempting to restore any objects from this backup library.


Rather than do the data migration for the Release 8 upgrade, how can I just uninstall Release 7 and then install Release 8 as a new installation?

If you have only loaded Release 7 in logging mode and have not created any access rules, then this is an option you might want to consider. If you have rules already set up and your servers are locked down, DO NOT CONSIDER THIS OPTION as it will create a lot more work to re-enter all of your rules.

To uninstall SafeNet/400 Release 7, remove it, and then install SafeNet/400 Release 8 as a new installation, please do the following:

  1. Deactivate SafeNet/400 Release 7.
  2. From the system console, bring your system to a restricted state by ending all subsystems.
  3. When your system reaches restricted state, remove the two application libraries for SafeNet/400. These are named PCSECLIB and PCSECDTA. If you think you may want to return to having SafeNet/400 Release 7 installed, just rename them.
  4. At this point, SafeNet/400 Release 7 has been uninstalled.
  5. Install SafeNet/400 Release 8 using the instructions that came with the software for a new product installation.

The SAFEQ data queue in library PCSECLIB on my system is very large. Does it need to be so large?

In a word - No!

The SAFEQ data queue is used to temporarily hold the results of SafeNet/400 security tests that are on their way to the SafeNet/400 transaction history file. If you have a period of time on your system when there is transaction history and the SAFELOGING subsystem is not active, then the data queue size will continue to build until the SAFELOGING system is started and data is transferred from the data queue over to the history file. The problem is that, because of the way OS/400 and i5/OS deal with data queues, they never shrink in size and will stay at their largest size used.

In SafeNet/400, we provide a procedure for deleting and rebuilding the data queue. This is used when the data queue has become damaged, but it can also be used to force the data queue back to its original size. We recommend that you do this at a time when there is little or no network transaction activity on your system as there could be an error issued if a transaction is processed while the data queue is being rebuilt.

To rebuild the SAFEQ data queue, sign on to a terminal session as a Security Officer and then issue the following command:

CALL PGM(PCSECLIB/BLDSAFEQ)

When the program runs, the SAFELOGING subsystem will be temporarily ended, the data queue will be deleted and then rebuilt using the correct parameters for your version of SafeNet/400. When the data queue has been rebuilt, then the SAFELOGING system will be restarted.


Do all FTP commands get logged in SafeNet/400's transaction history?

Based on a customer request, we contacted IBM about this question. It turns out that "environment" FTP commands (BIN, NAMEFMT, TIME, etc.) DO NOT get passed to the OS/400 exit point. Only FTP operations (RCMD, GET, PUT, CD, etc.) get passed and logged. Since the environment commands are never passed to the exit point by OS/400, SafeNet/400 never sees them and, consequently, cannot log them. Only those commands that have security implications are passed.


I have SafeNet/i installed on two systems, one of which is a backup recovery system for the other. How can I make sure that the rules set up on both systems are the same?

If you are using replication or mirroring software, you MUST exclude all objects in libraries PCSECLIB and PCSECJRN from replication processing. Also, you must exclude all objects in library PCSECDTA with the exception of the files listed below.

To duplicate the rules that have been set up on one machine for use on a backup system, you must transfer several physical files from library PCSECDTA. Use the following list of files to set up your replication process:

  • CMDUSR
  • FTPSPC
  • FTPUSR
  • PCACCESS
  • PCACCEST (if you are using time of day controls)
  • PCACCESU
  • PCACCLNG
  • SQLMST
  • SQLUSR
  • TCPIPS
  • TELSIGN
  • USRSWP
  • USRMGT
  • SUSERS (this is a data area, not a file)

For customers running SafeNet/i Release 9 or higher, you should also add the following:
  • ALERTS
  • FTPCT
  • ALERT (this is a data area, not a file)

For customers running SafeNet/i Release 11.00 or higher, you should also add the following:
  • TCPIPS2

I see a report in the print spool that contains the statement "Attempt to retrieve information failed: Call KiscoCPF3CDB". What does this mean?

V5R2 no longer supports the Work Station Gateway (WSG) server. Since you are getting this error spool file, then a record for this server still exists in your version of the SafeNet/400 control files.

The procedure to correct for this manually is to do two file updates. One update will be for the file named SUPREGPF and the other for the active file WRKREGPF. Both files are in library PCSECDTA and you can use the UPDDTA command to do the update.

For the SUPREGPF file, locate the record with the following two key elements:

QIBM_QTMT_WSG
QAPP0100

When the record is displayed, press the F23 key twice to delete the record. To confirm that you have the right record, the display will look as follows before you do the deletion:

WORK WITH DATA IN A FILE                       Mode . . . . :   CHANGE
Format . . . . : SUPRFT File . . . . : SUPREGPFSV

SEXITP: QIBM_QTMT_WSG
SFORMT: QAPP0100
SSNFMT: QAPP0100
SSRVID: *WSGSERVER
SSTATS: 4
SPGMID: W

For the WRKREGPF file, the key values for the record update are the same:

QIBM_QTMT_WSG
QAPP0100

To confirm that you have the right record for this one, the screen will appear as follows:

WORK WITH DATA IN A FILE                       Mode . . . . :   CHANGE
Format . . . . : WRKRFT File . . . . : WRKREGPF

WEXITP: QIBM_QTMT_WSG
WFORMT: QAPP0100
WSTATS: 4
WMSGFL: QTCPMSG
WMSGLB: QSYS
WMSGID: TCP7101
WMSGTX: WSG Server Sign-On Validation
WEXPGN: PCCL04W
WEXPGL: PCSECLIB
WSRVID: *WSGSERVER
WLOGLV: A
WWRK1: 4
WWRK2:
WWRK3:
WWRK4:
WWRK5:

As with the first file, just press the F23 key twice to delete this record.

To confirm that this corrects the problem, run option #1 on the SN1 menu again at this point and see if you get a fresh copy of the spool file error message.


How can I transfer SafeNet/i to a new system?

First, you must contact Kisco Information Systems and advise us that you are transferring your software from one system to another system. We will need to provide you with a new permanent installation code for your new system. We require that you notify us in writing, on your company letterhead or from your company email address, that you are moving the product from one system to a new system. The serial numbers for both your old and new systems must be included. You can fax or email this notification to us at our fax number: 518-897-5003 or by email to support@kisco.com. When we get your transfer request, we will issue a new installation code for your new system and will note in our records that you are retiring the software from your current system.

To transfer the software, you must first get a clean backup of your installed product. The only way to guarantee a safe backup is to do the following:

  1. Bring your system to a restricted state by ending all subsystems.
  2. When your system is in restricted state, deactivate the product by going to menu INSTALL in library PCSECLIB and running option #50. (For customers running Release 9 or earlier, this is menu SN2 in library PCSECLIB and running option #6.)
  3. After the product has been deactivated, backup the two product libraries named PCSECLIB and PCSECDTA. Be sure to use the IBM i/OS SAVLIB command for this purpose.
  4. Reactivate the product by running option #50 on the INSTALL menu again. (Option #6 on the SN2 for customers running Release 9 or earlier.)
  5. Resume normal processing by restarting your controlling subsystem.

At this point, you can restore both libraries on your new system using the RSTLIB command. When they have been restored, go to the INSTALL menu in library PCSECLIB and run option #3. When the security screen is displayed, it will give you a status that the product is not installed. First, enter the letter 'T' in the type of install field and press ENTER. This will change the status to show that the product is installed on trial. After you see this message, enter the new permanent installation code. This will authorize the software on your new system.

To activate the software, bring your new system to a restricted state. Once the system enters restricted state, go to the INSTALL menu in library PCSECLIB and run option #50 (option #6 on the SN2 menu for earlier releases). After the product has been activated, go to the SN1 menu and run option #1. Review the exit point status for points set to level 5. If any are set to level 5, check with your documentation for instructions or contact our technical support specialist for additional information. To resume normal processing, start your controlling subsystem.


Starting with Release 5, SafeNet/400 supports Email notification for security exceptions, how can I get this working?

To use E-mail alerts, first the AS/400 must be configured for e-mail. (SafeNet/400 is not an Email product, so we will not support setting this up for customers, but IBM has some very good documentation in their TCP/IP quick configuration guides to help you with this.) Remember, for this option to work, your QSNADS subsystem must be active and running. Then you need to create a distribution list.

First, use the WRKDIRE command and check to make sure that the special user profile SAFENET has been enrolled in the system directory. If you don't see it there, add it taking the standard default values.

The distribution list must always be qualified with the system name, for example

CRTDSTL LSTID(SAFE2 KISCO) LSTD('Safenet Alerts')

The second part of the distribution list name must be the system name. In the above example, KISCO is our system name. If you are unsure of this value, use the DSPNETA command on your system to display your system name.

Once the distribution list has been created, add all the entries for mail recipients using the ADDDSTLE command. Then, turn on alert notification, (menu option #7 on the SN2 menu or the SafeNet/400 command CHGNOTIFY), turn on the email option and specify the name of the distribution list. Be sure that you only specify your distribution list. Do not mix distribution lists and user profiles. If you want to continue to send notification messages to user profiles, include them in the distribution list. When this is done, the alert notifications will be sent via Email.

If you have this all set up and it does not appear to be working, use the SNDDST command to manually send a message to your distribution list. This will test your SMTP configuration. If this fails, then the problem lies in your SMTP setup. If this works, but you are still not getting messages from SafeNet/400, check the joblog for the job running in the SAFELOGING subsystem to see if there are additional error messages showing there.


When I run the FTP Summary Report with default selection dates, some strange dates print on the report.

The default settings for the FTP Summary report call for all transactions on the file to be selected. The program defaults to a selection date range of 1/1/1990 to 12/31/2010. These are the dates that are displayed on the report in YYMMDD format.


When I purge the transaction history file (TRAPOD), SafeNet/400 puts the records into an Archive File. How can I purge this file?

When SafeNet/400 purges records from the transaction history file (TRAPOD), it stores them in a new member in the Archive File. This file is named TRAPARCW. Each purge operation results in a new member being added to this file.

To purge this file, use the SAVOBJ command to save the members from the file to tape. Then, you can delete the members that you have saved from the file. If you so desire, all members can be deleted from this file but the file itself should not be deleted.
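
Because TRAPARCW holds archived security history, a member should be removed only after its save has succeeded. The CL program below is an added example, not Kisco code, for this answer and for the earlier answer on keeping TRAPOD and TRAPARCW under control; the member name and tape device are parameters you supply, and treating any CPF escape from SAVOBJ as a failed save is an assumption.

```cl
/* Added example, not part of SafeNet/i: save one TRAPARCW member to  */
/* tape and remove it only if the save worked.                        */
/* Call: CALL PGM(yourlib/yourpgm) PARM('membername' 'tapedevice')    */
PGM PARM(&MBR &DEV)
  DCL VAR(&MBR) TYPE(*CHAR) LEN(10)
  DCL VAR(&DEV) TYPE(*CHAR) LEN(10)

  /* Refuse special values such as *ALL or *FIRST, and blanks, so a   */
  /* typing mistake cannot remove more history than was saved.        */
  IF COND((%SST(&MBR 1 1) *EQ '*') *OR (&MBR *EQ ' ')) THEN(DO)
    SNDPGMMSG MSG('Give one explicit TRAPARCW member name.')
    RETURN
  ENDDO

  /* Save only the named member of the archive file.                  */
  SAVOBJ OBJ(TRAPARCW) LIB(PCSECDTA) DEV(&DEV) OBJTYPE(*FILE) +
         FILEMBR((TRAPARCW (&MBR)))
  MONMSG MSGID(CPF0000) EXEC(DO)
    /* Assumption: any CPF escape means the member is not on tape.    */
    SNDPGMMSG MSG('Save of TRAPARCW member' *BCAT &MBR *BCAT +
                  'failed. The member was kept.')
    RETURN
  ENDDO

  /* The save completed, so the member can go. The file itself stays. */
  RMVM FILE(PCSECDTA/TRAPARCW) MBR(&MBR)
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSG('Member' *BCAT &MBR *BCAT +
                  'was saved but could not be removed.')
    RETURN
  ENDDO

  SNDPGMMSG MSG('Member' *BCAT &MBR *BCAT 'saved and removed.')
ENDPGM
```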


How can I install a SafeNet/400 release update at a remote site?

Use the install media received from Kisco to load the library named PCSECINST to your local system. Check the upgrade instructions that you received. Using "Method B", choose one of the restore instructions documented at step 3 (steps 4, 5 or 6 if you are using the on-line instructions found at http://www.kisco.com/safenet/support/snrelupg.htm). Using SNADS, or any other method that you have for moving libraries to another system, transfer the PCSECINST library to the remote system where you want to perform the SafeNet/400 release upgrade.

Once the library is on your remote system, resume the instructions for "Method B" at step number 4 (or step 7 if you are referring to the on-line instructions). Once those instructions are complete, the upgrade will install automatically the next time the remote system is IPL'd.


After installing a PTF, a new library named PCPTFnnn is created on my system. Do I need to keep it on disk?

When you install PTFs to SafeNet/400, the replaced objects are moved to this newly created library. The library is assigned the same name as the PTF package name. These objects could be used to restore your system to its pre-PTF state if that becomes necessary. Under normal conditions, you should be able to delete these libraries once the PTF has been installed and tested to your satisfaction.


When I try to maintain entries for QSYSOPR, SafeNet/400 tells me that I'm not allowed to do this.

SafeNet/400 only allows maintenance on IBM user profiles (those starting with the letter Q) when you are signed on using the QSECOFR user profile. Sign off under your current profile, then sign back on using the QSECOFR profile. If your installation has strict control over the use of QSECOFR, you may have to arrange for your installation security officer to handle this task.


What is the safest way to do a backup of the SafeNet/400 library?

Since SafeNet/400 uses IBM's exit point technology to protect your system, it is integrated into OS/400 and in normal operation it regularly has files and programs in use. This can create a problem when trying to take a backup of the library. To overcome this problem, we recommend that you keep a separate backup of the library named PCSECLIB and only save it when product PTFs or updates have been installed. To get a safe backup of PCSECLIB, your system should be in restricted state. For the data library named PCSECDTA, we recommend the following sequence. (Note: all commands referred to in this procedure are either OS/400 commands or can be found in the SafeNet/400 library.)

  1. End the log recording program by issuing command: ENDTRP
  2. Turn off Alert Notification (if it is active) by issuing command: CHGNOTIFY ALERT(*OFF)
  3. End the SAFELOGING subsystem by issuing command: ENDSBS SBS(SAFELOGING) OPTION(*IMMED)
  4. Save the SafeNet/400 library PCSECDTA using the SAVLIB command. Do not use the SAVOBJ command as some required objects may not get saved correctly. Make sure that you specify IBM's save-while-active option.
  5. Restart log recording by issuing command: STRTRP
  6. Reset Alert Notification by issuing command: CHGNOTIFY ALERT(*ON)
Note: the SAFELOGING subsystem will be restarted by the STRTRP command.
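
The six steps above as one CL program, written so that a failed step cannot leave log recording and alerting switched off. This is an added example, not Kisco's code; it assumes PCSECLIB is in the library list, a tape device named TAP01, SAVACT(*LIB) as the save-while-active level, and a 30-second wait for the subsystem to end.

```cl
/* Added example (not Kisco code): PCSECDTA backup, steps 1-6.       */
/* Assumptions: PCSECLIB is in the library list, the tape device is  */
/* TAP01, SAVACT(*LIB) is the wanted save-while-active level, and    */
/* 30 seconds is long enough for SAFELOGING to end.                  */
PGM
  DCL VAR(&DEV)     TYPE(*CHAR) LEN(10) VALUE('TAP01')
  DCL VAR(&FAILED)  TYPE(*LGL)  VALUE('0')
  DCL VAR(&RESTART) TYPE(*LGL)  VALUE('0')

  /* Any unmonitored CPF escape message jumps to ERROR, so logging   */
  /* is never left switched off by a failed step.                    */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

  /* Steps 1-3: stop log recording, alerts and the subsystem */
  ENDTRP
  CHGNOTIFY ALERT(*OFF)
  ENDSBS SBS(SAFELOGING) OPTION(*IMMED)
  MONMSG MSGID(CPF1054)      /* subsystem was not active */
  DLYJOB DLY(30)             /* ENDSBS returns before the end completes */

  /* Step 4: SAVLIB (not SAVOBJ) with save-while-active */
  SAVLIB LIB(PCSECDTA) DEV(&DEV) SAVACT(*LIB)
  GOTO CMDLBL(RESUME)

ERROR:
  /* A failure inside RESUME itself must not loop back into it */
  IF COND(&RESTART) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
       MSGDTA('SafeNet logging or alerts could not be restarted') +
       MSGTYPE(*ESCAPE))
  CHGVAR VAR(&FAILED) VALUE('1')

RESUME:
  /* Steps 5-6: STRTRP also restarts the SAFELOGING subsystem */
  CHGVAR VAR(&RESTART) VALUE('1')
  STRTRP
  CHGNOTIFY ALERT(*ON)

  /* Report the earlier failure only after protection is back on */
  IF COND(&FAILED) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
       MSGDTA('PCSECDTA backup failed; logging and alerts restarted') +
       MSGTYPE(*ESCAPE))
ENDPGM
```

The escape message at the end lets a calling job scheduler or backup program see that the save did not complete, while the exit point logging is already running again.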

My company uses a Disaster Recovery Site, how can I implement SafeNet/400 on the backup system?

You may install SafeNet/400 from a backup from your production system provided that the SafeNet/400 SAFELOGING subsystem is ended when the backup is taken. Both libraries, PCSECLIB and PCSECDTA, must be saved. If this precaution is not followed, some objects may not be saved correctly on the backup tape. Since this may be a significant inconvenience for a normal backup process, you might consider keeping a copy of SafeNet/400 that has been saved this way available for off-site use. This backup copy should be refreshed whenever a significant number of access rules have been changed or when Kisco PTFs have been installed.

We recommend that you test your backup plan to make sure that all objects are correctly saved to your backup tape. You should not rely on an untested recovery plan. Note: Your backup of the SafeNet/400 libraries (PCSECLIB and PCSECDTA) must be made using the SAVLIB command.

To install SafeNet/400 at your recovery site, do the following:

  1. Restore the libraries PCSECLIB and PCSECDTA using the RSTLIB command.
  2. Sign on as QSECOFR (or under another user profile with *SECOFR authority) and go to the INSTALL menu in library PCSECLIB.
  3. Run menu option #1.
  4. SafeNet/400 should now be installed and activated on your backup system with an unlimited user license.
  5. If your license is for less than unlimited users, contact Kisco Information Systems to obtain an authorization code for your backup system for your authorized user level. This should be done before you start using your system, although SafeNet/400 should work just fine at the higher license level. If you know that you are going to your recovery site, you can request this code in advance as long as you know the serial number and partition number of the backup system.

Remember that SafeNet/400 registers exit points in OS/400. Before leaving your backup site, you should deactivate SafeNet/400 and remove the library.

Also see: "I have a backup system and will need to transfer SafeNet/400 to that machine in an emergency. What is the best way to do this?".


I am upgrading OS/400, are there special considerations for SafeNet/400?

SafeNet/400 is integrated into OS/400 via IBM's exit point technology. Because of this, you must take some special steps with SafeNet/400 when upgrading your level of OS/400.

  1. Immediately before starting your upgrade, deactivate SafeNet/400.
  2. Following deactivation, end all subsystems and bring your system to a restricted state.
  3. Then, perform your OS/400 upgrade according to IBM's instructions to you.
  4. After the OS/400 upgrade is complete, including installation of PTF's, bring your system to a restricted state again by ending all subsystems.
  5. Activate SafeNet/400 again at this point.
  6. You can now resume normal operations.

I keep getting a message Security Error in my system operator message queue, how can I stop this?

Repeated appearance of this message indicates that your trial of SafeNet/400 has expired. If you have already paid for SafeNet/400, all you need to do is apply the permanent installation password provided to you by Kisco Information Systems and the messages will stop appearing. If you have not paid, you have two options:

  1. You can contact Kisco Information Systems and arrange for a trial period extension. You will be provided with a trial extension password along with instructions. Once the trial extension password is applied, the messages will stop appearing.
  2. If you do not plan on purchasing SafeNet/400 or if you want to defer additional testing until a later date, you should deactivate SafeNet/400. This is done from the Special Jobs menu by using option #6.

I am upgrading from CISC to RISC and SafeNet/400 programs show up as a problem. How can I transfer your software to my new RISC system?

The install tape that you have contains observable code and can be installed on either a CISC or a RISC system. With that in mind, here is our recommendation for moving SafeNet/400 from CISC to RISC.

  1. Deactivate SafeNet/400 on your CISC system.
  2. Bring your CISC system to a restricted state by ending all subsystems.
  3. Save the current library (PCSECLIB) from your CISC system and restore it onto your new RISC system. If you have SafeNet/400 Release 5 or later installed, save the library PCSECDTA from your CISC system and restore it too on your new RISC system. (Note, after creating the backup on your CISC system, you can re-activate SafeNet/400 on your CISC system and restart your controlling subsystem.)
  4. Identify all PTF's that you have received from us via E-mail and transfer the E-mail files into the KISCO shared folder on your new RISC system.
  5. Create a listing of your Server Settings on your CISC system (menu option #1 from the Reports menu).
  6. At your option, you may want to create copies of the other settings using menu options #2 through #6.
  7. Mount your original install media for SafeNet/400 on your RISC system and follow the instructions in the user's guide for an upgrade installation.
  8. Reinstall all of the PTFs previously identified at step 4 above.
  9. Apply a new permanent install code on your RISC system. You will have to contact Kisco Information Systems for this code. Kisco will need the serial number of your RISC system.

At this point, SafeNet/400 will be successfully installed on your new RISC system.


I have a backup system and will need to transfer SafeNet/400 to that machine in an emergency. What is the best way to do this?

SafeNet/400 can be installed on any computer using the original installation tape. When you do the install, SafeNet/400 will be activated for a normal 30 day trial period. During this period, you must contact Kisco Information Systems to work out the licensing arrangements for your backup system.

Once the software is installed, you will want to bring your custom configuration rules forward from your normal production system. You can do this by transferring the library named PCSECDTA from your system. Before saving this library on your production system, you should shut down the logging function (option #12 on the SN2 menu). When the library has been saved, remember to resume logging (option #11 on the SN2 menu). This library should now be restored to your test system. This will preserve the settings and rules.

Finally, if your system license covers more than 25 users, you will have to contact us for a trial installation password that will support your level of users. We will gladly issue a temporary code immediately and work out the licensing arrangements at a later time. If you have the basic system installed, this is not an issue.


I have multiple AS/400's. How can I distribute SafeNet/400 to my other systems without creating additional install tapes?

This can be done using the following steps:

  1. From your original distribution tape, restore the library named PCSECINST using the following command:

    RSTLIB SAVLIB(PCSECINST) DEV(xxxx)

  2. Send this library to your remote system using SNADS or any similar communications method for sending an entire library contents.

  3. At the remote system, rename the library to its production name using the following command:

    RNMOBJ OBJ(QSYS/PCSECINST) OBJTYPE(*LIB) NEWOBJ(PCSECLIB)

  4. At the remote system, run the following command:

    RSTLIB SAVLIB(PCSECDTAIN) DEV(*SAVF) +
    SAVF(PCSECLIB/PCSECDTA) MBROPT(*ALL) +
    ALWOBJDIF(*ALL) RSTLIB(PCSECDTA)

  5. Bring the system into a restricted state from the system console by issuing a stop for all sub-systems.

  6. Install this library from the INSTALL menu in library PCSECLIB. Choose option #1 from the menu. This will activate SafeNet/400 on that system.

  7. IPL your system. SafeNet/400 is now ready to use.

Note: The above remote install procedure only works with SafeNet/400 Release 5 or higher.


Is SafeNet/400 Year-2000 Compliant?

Yes. Since its initial introduction, SafeNet/400 has always been Year-2000 Compliant.


I have more than one system and the tape that SafeNet/400 came on cannot be loaded onto my other systems. Can I make a copy to test on the other systems? If so, how?

Kisco will give you permission to make as many copies of SafeNet/400 for installation on other systems as you need. Each of these installable tapes can then be installed on a trial basis on whatever machines you want to use.

Here are the steps you need to take to create an installable tape for SafeNet/400.

  1. Create a copy of *PGM object QINSTAPP in QTEMP using the following command:

    CRTDUPOBJ OBJ(QINSTAPP) FROMLIB(PCSECLIB) +
    OBJTYPE(*PGM) TOLIB(QTEMP)

  2. Initialize your tape.

  3. Save the install program to tape with the following command:

    SAVOBJ OBJ(QINSTAPP) LIB(QTEMP) DEV(xxxx) +
    TGTRLS(youroption)

    Where xxxx=tape device name and youroption=the lowest target level that the tape will be used for installation purposes.

  4. Using the original install media, load the library named PCSECINST onto your system using the RSTLIB command.

  5. Save this install library to your tape with the following command:

    SAVLIB LIB(PCSECINST) DEV(xxxx) ENDOPT(*UNLOAD) +
    TGTRLS(yourlevel)

At this point, you will have an installable tape that you can use on any of your systems. To do the install, you can use the installation procedure from the SafeNet/400 user's guide. When you are all done, you can delete the PCSECINST library from your system.


How can I purge the SafeNet/400 Logfile?

Note: This answer only applies to SafeNet/400 Release 2 and earlier.

SafeNet/400 records log information in a file named TRAPOD in our application library named PCSECLIB. Option #4 on the Special Jobs menu (menu name SN2) can be used to purge these records.

You can also embed a call to the purge program from within your own CL program. The program is named TRAPDL1CL and requires two parameters. Use the following call example as a guide:

CALL PGM(PCSECLIB/TRAPDL1CL) PARM('0' '19980115')

The first parameter must always be zero. The second parameter must be the purge day in form YYYYMMDD. In the example shown here, all records on the file prior to January 15, 1998 will be purged from the file.


How can I run the security reports?

Note: This answer only applies to SafeNet/400 Release 2 and earlier.

The SafeNet/400 Security Report by user will print all requests logged by SafeNet/400. Selecting menu option 6 from the Reports menu (menu SN3) will produce this report.

You can also call the reports program directly. The program is named TRAPOD1CL and it has 8 parameters. The parameters are defined as follows:

  1. must be a "0" (zero)
  2. must be "D" (print user within date) or "S" (print user within Server)
  3. must be user name or "*ALL"
  4. must be the start date in format MMDDYYYY
  5. must be the end date in format MMDDYYYY
  6. must be the start time in form HHMMSSNN expressed as 24 hour time (i.e., 00131508 converts to 1:15:08PM)
  7. must be either "N" to print all entries or "Y" to print just the reject entries
  8. must be blank

The following is an example of a CL call to this program:

CALL PGM(PCSECLIB/TRAPOD1CL) PARM('0' 'D' '*ALL' '01011998' '01151998' '08150000' 'N' ' ')

In this example, entries will be listed by user within date for all users starting at 8:15am on January 1, 1998 through January 15, 1998.


How can I protect my system from ODBC mis-use?

Note: This answer only applies to SafeNet/400 Release 2 and earlier.

SafeNet/400 provides protection from ODBC users when you use the IBM ODBC driver that is included in OS/400. There are other ODBC drivers on the market and SafeNet/400 will not give you protection when these are used. These other drivers do not conform to the exit point requirement that is found with the IBM ODBC driver. If you need protection, you must use the IBM provided ODBC driver.

Non-IBM ODBC drivers can easily be excluded on your system. All of these drivers require that you load a software component onto your AS/400. You can prevent use of non-IBM ODBC drivers by simply not loading their AS/400 software component. This will force your users to conform to the standard ODBC driver from IBM.


How can I reduce the number of IPLs needed during installation?

SafeNet/400 requires an IPL of your AS/400 just prior to installation. You may also need to obtain PTFs from IBM (see link on customer support page) for your current level of OS/400. The PTF process also requires an IPL. For installations that are running critical operations on a 24 hours per day/seven days a week basis, this can be difficult. If this is your situation, you can eliminate one of these two IPLs by using the following installation sequence:

  1. Load SafeNet/400 but DO NOT change any initial settings.
  2. Load your OS/400 PTFs as necessary.
  3. Do the single IPL.
  4. Complete the installation tasks outlined in the SafeNet/400 user guide.