Installing Authority Broker

These instructions describe how to install Authority Broker.

Before You Begin

Read this section before you install Authority Broker.

NOTE: When installing Authority Broker in an HA environment:
  1. Stop the replication of user profiles from production to HA system by either ending the replication software or ending the replication of the user profiles.
  2. Install Authority Broker on the HA and production systems.
  3. Set up Authority Broker replication per the HA Setup instructions. To view these instructions, see Authority Broker Setup in an HA Environment.
  4. Start replication (including the user profiles).

System Requirements

Authority Broker 4 requires the following:

  • IBM i (i5/OS, IBM i) version V6R1 or higher
  • 206 MB of disk space
  • PTF SI30894, if you are running OS V6R1

QAUDJRN

QAUDJRN is the default IBM Security Audit Journal, located in QSYS. This is the journal name and library where user activity is logged. QAUDJRN must be configured on your system in order for Powertech Authority Broker to function correctly. See Appendix F: QAUDJRN.

Licensing

Authority Broker requires that you enter a valid license key. Contact keys@helpsystems.com if you need to request a new license key.

System Values

It is Powertech’s goal not to change system values on customer systems because we recognize that security-conscious organizations have rigorous change control processes in place for even small changes to system values. Therefore, we ask you to make any system value changes that are needed. However, the Authority Broker 4 installation process could change a system value to allow the install to proceed if a system value is not set as specified below. If the Installation Wizard changes a system value during install, it changes it back to its original value when the install completes.

To install Powertech Authority Broker 4 on your system, the following system values that control object restores must be configured as shown.

  • Set QALWOBJRST to *ALWPGMADP (at a minimum) to allow the system to restore programs that adopt authority. Many Powertech Authority Broker programs adopt the authority of the product owner, rather than forcing you to give authority directly to administrators and end users.
    NOTE: For some system configurations, *ALL is required temporarily.
  • QALWUSRDMN controls which libraries on the system can contain certain types of user domain objects. You should set the system value to *ALL or include the name of the Authority Broker product library (PTABLIB and QTEMP as a minimum) for the product to function properly.
  • Set QVFYOBJRST to 1, 2, or 3. This allows Authority Broker to restore all objects regardless of their signature.
    NOTE: If you normally check signatures, remember to check this system value after the Authority Broker install process completes.
  • Set QFRCCVNRST (Force conversion on restore) to 0, Do not convert anything.
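
The checks in the list above, as an added example in Python (not Powertech code): it audits a snapshot of the four system values before the install and reports which values differ from the recorded baseline afterwards. The "NAME value ..." snapshot format, the function names, and all sample values are assumptions constructed for illustration.

```python
# Added example (not vendor code). All snapshot text is constructed sample data.
REQUIRED = ("QALWOBJRST", "QALWUSRDMN", "QVFYOBJRST", "QFRCCVNRST")

def parse_snapshot(text):
    """Parse 'NAME value [value ...]' lines (assumed format) into {name: [values]}."""
    snap = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].upper().split()
        if parts:
            snap[parts[0]] = parts[1:]
    return snap

def preinstall_findings(snap, product_libs=("PTABLIB", "QTEMP")):
    """Return the changes needed before the install, per the list above."""
    findings = []
    objrst = snap.get("QALWOBJRST", [])
    if "*ALL" not in objrst and "*ALWPGMADP" not in objrst:
        findings.append("QALWOBJRST: add *ALWPGMADP")
    usrdmn = snap.get("QALWUSRDMN", [])
    absent = [lib for lib in product_libs if lib not in usrdmn]
    if "*ALL" not in usrdmn and absent:
        findings.append("QALWUSRDMN: add " + ", ".join(absent))
    if snap.get("QVFYOBJRST") not in (["1"], ["2"], ["3"]):
        findings.append("QVFYOBJRST: set to 1, 2, or 3")
    if snap.get("QFRCCVNRST") != ["0"]:
        findings.append("QFRCCVNRST: set to 0")
    return findings

def drift(baseline, current):
    """System values that differ from the recorded baseline (order-insensitive)."""
    return {name: (baseline.get(name), current.get(name))
            for name in REQUIRED
            if sorted(baseline.get(name, [])) != sorted(current.get(name, []))}

# Constructed snapshots: normal settings, then settings during the install window.
BASELINE = parse_snapshot("""
QALWOBJRST *ALWSYSSTT *ALWSETUID
QALWUSRDMN QTEMP QGPL
QVFYOBJRST 5
QFRCCVNRST 1
""")
INSTALL = parse_snapshot("""
QALWOBJRST *ALWSYSSTT *ALWSETUID *ALWPGMADP
QALWUSRDMN QTEMP QGPL PTABLIB
QVFYOBJRST 3
QFRCCVNRST 0
""")
# After the install: two values put back, QVFYOBJRST left at its install setting.
AFTER = dict(INSTALL, QALWOBJRST=BASELINE["QALWOBJRST"], QFRCCVNRST=["1"])
print(preinstall_findings(BASELINE), drift(BASELINE, AFTER))
```

In the sample data, the drift report lists QALWUSRDMN (the product library was added on purpose) and QVFYOBJRST (signature verification still at its install-time setting), which is the value the NOTE above says to re-check.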

Auditing

Before installing Authority Broker, the IBM audit Journal QAUDJRN must already exist on the system. QAUDJRN may not exist on newly purchased IBM i systems.

System Security – Exit point and access permissions

The Authority Broker 4 install wizard uses FTP and remote commands to perform the installation, so the FTP server on the IBM i must be started beforehand. If exit program technology exists on the system, the profile used in the Wizard must be permitted access. IBM iSeries Navigator can also block FTP server access through the Application Administration component. The standard port reserved for FTP connections to the IBM i is port 21, so this port must be open and listening on the server for the Installation Wizard to connect and complete the installation.

NOTE: If you are unable to use the installation wizard due to FTP access limitations, you can install the product manually. See Manual Installation of Authority Broker 4 (v4.13 and greater) in the HelpSystems Community Portal.

Installing Authority Broker

Follow these instructions to install Authority Broker:

  1. Download the Authority Broker 4 Installer to your PC. The installer is available directly from the Authority Broker download page or from the link provided by your HelpSystems sales representative. (The "Trial" download is the full product, which can be unlocked with a valid License Key.) The Authority Broker installation process is completely automated.
  2. Double-click the .exe file to start the Installation Wizard. When prompted, enter the name of the system on which you want to install Authority Broker, a user ID, and password.
    NOTE: Make sure the user profile is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, *AUDIT, and *SERVICE. The user profile should have Limit capabilities set to *NO.
  3. The Wizard installs Authority Broker 4 on your System i and places a copy of the Administrator’s Guide on your PC. The path of the guide is Start/Programs/Powertech Authority Broker. When the installation completes, click Finish to remove the Wizard from your PC.
  4. The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Authority Broker 4 install.
    NOTE: To take advantage of the major improvements in system design and processor capabilities, program conversion is required for all systems running IBM i 6.1 or later. The conversion replaces existing program objects, but each program object retains attributes such as the name, library, and owning user profile. This conversion is a one-time process on each object. To provide an uninterrupted work environment, all program conversion occurs during installation, which can extend the installation process to as long as 90 minutes or more on some systems.

    To verify that Authority Broker 4 installed successfully, enter the following command to display the Powertech Authority Broker 4 window, which shows the release and modification level of the product:

    PTABLIB/LPRDVRM

  5. Add the product administrator's user profile to the POWERABADM authorization list.

    WRKAUTL POWERABADM

  6. Press 2 to edit and add the profile. The profile needs only the *USE right.

Authority Broker 4 installs the following product libraries, profiles, authorization lists, commands, objects, and exit points on your system.

  • Product Libraries
    • PTABLIB
    • PTWRKMGT
  • User Profiles
    • PLABOWN, which has special authorities *ALLOBJ, *SECADM, *JOBCTL, *AUDIT, and *IOSYSCFG
    • PLABADM, which has special authorities *JOBCTL
    • PTWRKMGTOW, which has no special authorities
    (All these profiles are set to Password = *NONE so that they can’t be used to sign on to the system.)
  • Authorization Lists
    • POWERABADM - Powertech Authority Broker Administrators
    • POWERABDTA - Powertech Authority Broker Data Objects
    • POWERABFL - Firecall logs and reports menu
    • POWERABFO - Firecall operators commands and menu
    • POWERABPGM - Powertech Authority Broker Programs
    • POWERABRPT - Powertech Authority Broker Reports
  • Commands in QGPL
    • LEVENTRPT - Run event reports from the command line
    • LFIRECALL - Display the FireCall assignments
    • LFRCLLMNU - Display the FireCall menu
    • LPRDVRM - Displays the currently installed version of Authority Broker
    • LRLSPRF - End a switch
    • LSWPPRF - Switch to a profile
    • LWHOAMI - Display the active profile
    • LWRKAUTBKR - Primary menu configuration and reporting options
  • Subsystem
    • PTWRKMGT
    The subsystem is created at install if it doesn’t already exist on the system.
  • Powertech-created Exit Points
    • POWERLOCK_WRKMGT
    • POWERLOCK_AB

After You Are Done

Congratulations! Authority Broker is now installed. Read the following for additional information and next steps.

Configuring Product Administration

The Work with Product Settings screen allows you to set the initial system values for Authority Broker. See Work with Authority Broker Product Settings screen for details.

All users authorized to administer Authority Broker must be added to the POWERABADM authorization list using the following command:

ADDAUTLE AUTL(POWERABADM) USER(MYUSER) AUT(*USE)

NOTE: Even user profiles with *ALLOBJ authority must be added to the authorization lists if they wish to administer Authority Broker and run reports.

Once authorized to the POWERABADM authorization list, a user will have all the authorities needed to administer Powertech Authority Broker. Product administrators will dynamically receive *CHANGE authority to Authority Broker data and *USE authority to Authority Broker programs at the time this authority is needed.

NOTE: The Product Administrator must have the following special authority: *JOBCTL.

Special Information for Authority Broker Reporting

Users without *ALLOBJ special authority who will be allowed to run Authority Broker reports must be added to the POWERABRPT authorization list:

ADDAUTLE AUTL(POWERABRPT) USER(MYUSER) AUT(*USE)

NOTE: For users who do NOT have *ALLOBJ special authority in their profile: If you are only on the POWERABADM authorization list, you can administer the product but not run reports. However, if you are on the POWERABADM authorization list and the POWERABRPT authorization list, you can administer the product and run reports.

If you are only on the POWERABRPT authorization list, you only have access to LEVENTRPT.

Licensing Authority Broker

After Authority Broker has been installed, the next step is to add your license key to the product. Configuration of the product can then begin.

  1. Use the command LWRKAUTBKR.
  2. Take menu options 5, then 14.
  3. Enter your License Key.

Contacting Us

For additional resources, or to contact Technical Support, visit the HelpSystems Community Portal at https://community.helpsystems.com.