May 14, 2020
- Agent for RSA SecurID can now be configured to trigger custom messages in response to configuration and authentication activity in order to provide observability into what is happening on the system. The following updates have been added to accommodate this feature:
- The new option "Work with Message Action Item" has been added to the Audit Configuration and Reporting menu. This option allows the user to configure and/or review the Message Action Item configuration.
- A collection of messages are now added during installation.
Service programs have been added into the @ACE library in order to accommodate job management and signal processing. All such objects have MSPT* as the object name prefix.
- To help ensure all TCP/IP communications are carried out using secure methods, clear text capable servers are no longer registered automatically during installation or upgrade.
- A new pre-start job ensures Agent for RSA SecurID's server jobs remain active while the associated subsystem is active (if, for example, the job is ended using endjob or option 4 via WRKACTJOB).
- Configuration data stored within the following areas has been encrypted for enhanced integrity:
- IP Address/Profile cross reference table that is used for Remote Authentication
- Data areas that are used to provide processing
- Default exit point details
- Exit points that have been configured by the product administrator
- TCP/IP port numbers that have been configured by the product administrator and/or required for successful use
- User profile database
- User profile template details (*SECURID)
- When maintaining the TCP/IP port for RMTSDIAUT, a five digit port can now be entered for Remote Authentication processing.
- A new server, GENSVR2 "General Server Enhanced" has been added to the list of products within option 8 "Work with TCP/IP port connections". This new server provides enhanced security for the TCP/IP requests in relation to IP Address updates and profile synchronization for SecurID Remote Authentication.
- The public authority AUT parameter for the ACEDTI profile is now set to *EXCLUDE when created during installation.
- The correct data now always appears on activity reports (PRTSIDATV), even when rogue data exists within the journal receiver.
- The ability to enter an unsupported port number in "Maintain TCP/IP connection details" (a value greater than 65535) has been removed.
- An issue that previously caused Authentication Suppression to fail when the SignOn Exit Point was triggered several times within a second has been resolved.
- SecurID Agent now prevents the Journal Receiver deletion job ACEDTIDJR1 to remain on MSGW status due to CPA7025. This would previously occur if a Journal Receiver had been saved while that receiver was still attached to the associated journal. Additional checking has been introduced to prevent the need for a specific System Reply List entry that is associated with CPA7025. This update also ensures the affected Journal Receivers can be fully saved before any attempt can be made to delete them based on the 'Number of Days to Keep' receivers.
- Updates were made to prevent an array index error within program MSPT9400.
- An issue causing incorrect cursor positioning after viewing the F1 help on the Master Menu has been resolved.
- The General server (DTIGEN) has been updated to allow for the processing of several requests at the same time.
- Changes have been made to help protect against vulnerability scanning of active/open communication ports used by SecurID Agent's server jobs. These function even when the scanning is performed internally, against the IBM i system environment. Job Management has been introduced to help ensure that each of SecurID Agent's configured servers have an active job whenever the ACEDTI subsystem is active. Activity related to Job Management is recorded within the Activity Journal, the default being @ACE/ACEACTJRN. The associated journal entries have 'Journal Entry Type' of 'JB' and the 'Entry Specific Data' begins with a Message Id in the range MLT0018 - MLT0022. The message text is located within Message File @ACE/SDIMSGF01.
- The General Server job, ACEDTIDS04 is now started as a pre-start job within the ACEDTI subsystem.
- The Authentication server job, ACEDTIDS01 is now started as a pre-start job within the ACEDTI subsystem.
- When configuring the General Server (DTIGEN) within 'Work with TCP/IP Connections,' the entered port number can now contain five digits. Previously, the port number had been restricted to four digits due to a limitation within the associated Windows software.
- When the software is installed or upgraded, the General Server (DTIGEN) is added to the list of Products as seen within 'Work with TCP/IP Connections,' if it does not exist already. Previously, the administrator had to add the correct Product after installation or upgrade. The associated Product RMTSDIAUT is also added if it does not exist, which is required for Remote Authentication.
When the software is installed or upgraded, the SecurID Authentication Product SECURID is added to the list of Products, as seen within 'Work with TCP/IP Connections.' Previously, the administrator was required to add the correct Product after the installation or upgrade.
- Syntax errors causing a failure to authenticate remotely to IBM i systems across different subnets have been corrected.
- Enhanced SecurID GUI Client. Various system and user configuration settings have been combined into a new Insite-style interface that incorporates usability and performance improvements for an enhanced user experience. Installer updates have been introduced to accommodate upgrades and migrating from the previous client.
- Authentication Suppression. SecurID's new Authentication Suppression allows authentication to required resources with a reduced number of authentication challenge prompts. This allows for minimal disruption while securing your network.
- The time period of suppression can be configured.
- The field can be audited for management reporting.
- Activity auditing (journals, Exit Point, job tracking, ATHPRF) allows you to identify the time period suppression is being used.
- Object locking. SecurID has been changed to open database files for Read or Change based on the action that is required in order to minimize object locking.
- If the position for the SecurID Agent library is changed, the activity is audited within the @ACE/ACEACTJRN journal.
- Changes to the SecurID library position are now printed on the User/Job Activity report.
- Agent for RSA SecurID is now delivered with new deployment functionality, including the ability to stage the product installation.
- The upgrade process will migrate data from your prior version of the software so that no configuration data is lost when upgrading.
- The profile file has been changed to 'Read' access only for SecurID Authentication. This ensures authentication can take place, but profile configuration changes cannot be performed directly on the destination (DR) IBM i system.
- The Authenticate Profile (ATHPRF) command has been changed to include Exit Point related parameters. These parameters allow you to make use of the "Authentication Suppression" feature when running ATHPRF within an Exit Point program that is not shipped as part of the Agent for RSA SecurID.
- Reporting for Authentication Suppression activity has been added. Full detail of the activity is held in the Activity Journal.
- SecurID Authentication is now available for DDM / DRDA requests. This is the IBM Network Attribute parameter identified as DDM/DRDA request access (DDMACC). Authentication can be configured to challenge All, Specific, or no users. For Specific users, the appropriate User Profiles must be configured within SecurID and have 'Sign On exit point' set to *SECURID.
- SecurID Authentication is now available for File Server requests. This is the IBM Exit Point identified as: QIBM_QPWFS_FILE_SERV. Authentication may be configured to challenge All, Specific, or no users. For Specific users, the appropriate User Profiles must be configured within the Agent for RSA SecurID and have 'Sign On exit point' set to *SECURID.
- SecurID Authentication is now available for Data Base Server Initiation (SQL / ODBC entry). This is the IBM Exit Point identified as: QIBM_QZDA_INIT. Authentication may be configured to challenge All, Specific, or no users. For Specific users, the appropriate User Profiles must be configured within the Agent for RSA SecurID and have 'Sign On exit point' set to *SECURID.
- The Check Agent Configuration (CHKAGTSRV) routine includes verification for for following additional Exit Points:
- Database Server - entry, QIBM_QZDA_INIT. Format ZDAI0100
- File Server, QIBM_QPWFS_FILE_SERV. Formats: PWFS0100 and PWFS0200 (from IBM i 7.3)
- DDM request access (DDM / DRDA).
- SecurID now checks for and removes 'orphaned systems.' These are systems that have been assigned a user, but no longer exist in the list of systems.
- Emergency Access Override functionality has been added. The SecurID administrator now has the ability to configure those User Profiles that can gain access to the IBM i system when it is not possible for SecurID authentication to be run. A User Profile may have Emergency Access under one or more of the following situations:
- The IBM i system in ‘Restricted State’.
- All required Authentication Managers and/or ‘Replicas’ are not accessible from the IBM i.
For all other situations, all User Profiles, configured for SecurID authentication are still required to authenticate with the configured RSA Authentication Manager(s).
- New PRTSIDATV command. Print Report over data within Activity journal Review the User/Job activity based on the configuration settings that had been set within 'Activity Configuration'.
- Improvements to the Audit Configuration and Reporting menu. The following additions have been made to the MSCT002I menu.
- Option 3 “Activity Configuration” has been added to allow the SecurID Administrator configure activity related parameters. Initially, these are for ‘Emergency Access’.
- Option 13 “Print User/Job Activity (PRTSIDATV)” has been added to provide direct access to the referenced command.
The following print commands have been updated.
- PRTSIDAUDR Print Receiver Audit Report On Internal Files Journal receiver (RCVR) parameter now has a default value of *CURRENT. For a specified receiver name, fixes ensure only those events within that receiver are printed.
- PRTSIDEXCP Print SecurID Profile Exception Report Journal receiver (RCVR) parameter now has a default value of *CURRENT. For a specified receiver name, fixes ensure only those events within that receiver are printed
- Sign On after installation now requires a password change. When the Agent for RSA SecurID Administrator profile, ACEDTI, is created, the ‘Set password to expired’ parameter is configured to force a change of password (i.e. PWDEXP(*YES)). Consequently, for the first sign on attempt with ACEDTI, the user will be required to change the default password.
Additional Commands. In order to enhance the way in which DetectIT Agent for RSA SecurID can be configured and used, the following commands have been added:
- CHKACESRV, Check Agent Configuration Status. This command provides a simple method for checking the state of the Agent’s configuration. The processing looks at the relevant exit points that are accessible via WRKREGINF. Prompting the 'Application Name' on the CHKACESRV command provides a list of those Exit Points that can be reviewed.
- DSPAGTPRF, Display Agent Profile. Review the profiles that have been configured for SecurID authentication. The details are available as a report or within an output file. The name and library for the output file can be specified by the user.
PRTSIDAUDR, Print Configuration Activity. This command provides an audit report showing the configuration activity. The date and time range can be entered together with the required type of configuration. For example: User profiles maintained for authentication, Client/Server applications activated etc.
PRTSIDEXCP, Print Profile Exception Changes. Review the User Profile maintenance activity that has been performed outside the Agent software that would affect the SecurID authentication. This is effectively the second of two methods to help prevent users from bypassing the authentication. The process makes use of the IBM i System Audit journal, QAUDJRN. Therefore, it is more of an 'after the event' review. The first and recommended method is to configure the 'Change command exit programs' Exit Point using the option entitled 'Work with client application availability'.
STRSIDJRN, Start Agent Configuration Auditing. By default, the required auditing is started as part of an installation and/or upgrade to version 9.8.2 (or later). The auditing makes use of IBM functions and as such it is possible for an administrator with the appropriate authority and/or IBM i knowledge to remove / undo the audit configuration. This command provides a simple method to ensure the auditing is (re)activated on all the relevant Agent objects.
VFYJRNCPCL, Verify QAUDJRN Collection. This command can be used to verify that the required QAUDJRN auditing configuration has been put in place and is currently still active. The use of QAUDJRN is not essential for ensuring users do not bypass the SecurID Authentication. However, if another configuration such as the 'Change command exit programs' Exit Point is no longer making use of a program supplied with this software, QAUDJRN provides a secondary method to review any User Profile changes.
- VFYSIDJRCL, Verify Agent Auditing. Review the audit configuration for the Agent to ensure it is still active.
- Auditing and Reporting of Activity within the Agent. Activity auditing and reporting functions have been introduced within the Agent software. The auditing makes use of a journal technique and also an Exit Point. New commands have also been included to provide reporting over the audit activity. In addition, it is possible to activate an Exit Point function that ensures the SecurID authentication is not being bypassed. For example, to prevent a user from running the IBM CHGPRF command to change the initial program and/or library that is required on their User Profile.
Additional Menu for Audit Configuration and Reporting. A new menu, MSCT002I, has been created to provide a single interface for the additional auditing- related functionality and commands. This new menu is accessible via new menu option, 20 “Audit Configuration and Reporting Menu” on the initial Agent Administrator menu, MSCT000I.
Client/Server Applications Added. The following client / server applications have been added to the list of applications processed by DetectIT Agent for RSA SecurID:
Retrieve command exit programs. This is more for functionality within the IBM i itself. However, for activation it is part of the Registration Facility (behind the WRKREGINF command) and therefore is activated in the same manner as the more familiar client / server applications such as FTP, REXEC etc. ‘Retrieve command exit programs’ provides the ability to check and prevent users from removing the Agent authentication program, @ACE/MSCT111C, from their User Profile.
- HelpSystems style licensing. This change has been included for completeness. Version 9.8.0 had been created to help identify which version of licensing was being used within the software i.e. Safestone (9.7.0 and earlier) or HelpSystems (from 9.8.0).
- Compatibility with IBM i 7.2 and i 7.3. Version 9.8.0 was the first version to be compatible with 7.2 and also 7.3 of the IBM i operating system. If you are planning to install or upgrade to 7.2 or 7.3, please ensure that you plan to install, or upgrade to, at least Version 9.8.0 of DetectIT Agent for RSA SecurID at the same time.
- Upgrade does not require QSECOFR. As from version 9.8.1, installations and upgrades no longer require the use of the QSECOFR profile nor a profile that is part of the QSECOFR group. However, the alternative profile must have the same Special Authorities as QSECOFR on the intended release level of IBM i. Versions prior to 9.8.1 required the software to be installed or upgraded using the QSECOFR security officer profile or a profile with QSECOFR as the Group Profile.
- Agent Administrator is not part of the QSECOFR group. When the agent software is installed or upgraded the Agent Administrator profile, ACEDTI is no longer created nor updated with Group Profile of QSECOFR. Instead, ACEDTI has the Group Profile parameter, GRPPRF set to *NONE.
- The Node Secret Encryption Algorithm has changed. The data within the Node Secret, /var/ace/securid is no longer encrypted using DES. With the way the new cryptographic method returns the data, the file is now 1024 bytes instead of 512.
- Agent for RSA SecurID now allows for selection of configured exit point formats. When checking applications with multiple formats, for example: FTP or REXEC, the processing now allows a format to be selected even when that same format has an Exit Program registered within the IBM i Registration Facility. Previously, when checking multiple formats, the application could not be selected if an Exit Program had been configured against any of the formats for that application.
- Authenticate FTP from one IBM i system to another. It is now possible to authenticate an FTP request being performed from one IBM i system to another. The previous processing assumed the FTP would be performed from a Windows system to an IBM i system.