Release notes are also available for Network Security for Insite.
- A new IP Address Groups report is now available, which lists the IP Address Groups that have been configured. The report can be accessed using either the Reports menu or the SBMIPGREP command. The output can also be directed to a CSV-formatted stream file.
- The new "Security by Server Report" report now lists the Server and Function Properties that have been configured. It is accessible using the Reports menu or SBMSVFREP command. The output can also be directed to a CSV-formatted stream file.
- Socket exit point processing programs were changed to support thread-safety. They can now run concurrently on multiple threads in a job.
- The number of transaction-level licensing messages has been reduced to minimize the impact to job logs.
- Access to Central Administration Alerts is now available from all Exit Point Manager menus via function key F21.
- A new command Extract Audited Transactions (PNSLOGEXT) has been added, which:
- Performs most of the same functions as the Powertech Audit Report (LPWRRPT) command.
- Offers several selection criteria including user, location, server, function, job, and date/time, which can all be used simultaneously.
- Can output to an output database file, a CSV-formatted stream file, or print to a spooled file.
- Accesses data and performs work only if it is necessary to extract the transactions according to the data selections specified. No unnecessary temporary tables or workspaces are created.
- Supports omitting zero-count summary totals at the end of the printed report.
- Exit Point Manager no longer creates History entries within Central Administration when updating the internal independent ASP information tables. Existing entries, which should not have been created, are removed from the History.
- A defect that prevented Memorized Transactions from being acknowledged correctly in release 7.20 and greater has been corrected.
- A defect causing a failure to display the Work with Memorized Transactions panel, and also the error Message ID RNQ0202 "The call to PSF_SFLLOA ended in error," has been fixed.
- An internal date associated with Memorized Transactions is now populated appropriately when a Transaction is created or changed.
Central Administration Fixes
- Error Message ID RNQ0202 “The call to aeelSort ended in error” when attempting to F4=Prompt on panel PPL3372 has been corrected.
- Processing within the PPLIMPCSV command has been changed so that it works as documented for parameter TYPE(*ALLOWANCE) and so that its output report is accurate.
- A new Pre-filters report lists the configured Pre-filters. The report can be run from the Reports Menu or by using the SBMPREREP command.
- An extraneous RNX0100 error message no longer appears within the PNSEVTMON monitor job's job log when a Memorized Transaction is removed via Insite.
- Submit report commands can now be run by users without All Object authority, including:
- SBMNSGREP - Authorities by user profile report
- SBMPREREP - Print Prefilters
- SBMSCKREP - Socket rules report
- The product has been renamed Powertech Exit Point Manager for IBM i. The new name is used throughout the software and accompanying documentation. (Prior to version 7.22, the product was called "Network Security.")
- Two new commands allow you to "lock" (LCKDSP) and "unlock" (UNLDSP) an interactive display session. While the interactive display is locked, a screen saver is displayed and the workstation user must enter their password to unlock the display or unlock it from another authorized job.
- A new command DLTNSUGRP has been developed to allow programmatic deletion of User Groups and, optionally, their members.
- Performance of processing transactions through exit points has been improved.
- A minor error has been corrected so that the F9=Retrieve, F16=System Main Menu, and F22=Status function keys now work properly on the Reports Menu.
- The User Rules Listing and Location Rules Listing reports now indicate whether the Memorized Transactions listed are generic or not.
- Network Security now supports Rules (User, Location, Memorized, and Object Lists) for objects residing in an iASP.
- An issue subsetting the 'Transaction' field by value using F16=Sort/Subset in the Work with Memorized Transactions screen has been corrected.
- Network Security has been repaired so that the software only changes Aut settings on existing User or Location rules when the first active Memorized Transaction becomes available for a server/function/user/location, or when the last active Memorized Transaction is deleted or inactivated, and never in the interim.
- SecureScreen filter rules can now be created for any subsystem description in any library on the system. The subsystem description does not need to exist when the filter rule is created.
- Authority failures are no longer generated to QAUDJRN when Memorized Transactions are processed for the FTP server.
- Help text has been updated to include a description of the *MEMOBJ Authority value.
- A Socket Exit Point-related stability issue has been resolved.
- When converting to Version 7 from a prior version, the correct release information now appears when the conversion completes successfully.
- The help text for “Create Socket Rule Condition” and “Change Socket Rule Condition” has been changed to list only valid values for the Connector field.
- A change to the system removal process prevents an MCH3601 error from appearing in Network Security’s PNSEVTMON job log.
- A change was made within the installation of Central Administration to accommodate user profile objects whose object text cannot convert to Unicode.
- A change was made within the “Work with Directory Queries” panel PPL2920 to ensure all validation errors are displayed appropriately. Additionally, a F4=Prompt has been added for the External Server field.
- Authority failures to NSEPUP have been fixed.
- A problem causing failure to update dashboard counters has been fixed.
- Authority failures when LNSR108xx calls API QP0ZRIPC have been fixed.
- Typos in the "Work with Object List Entries" screen have been corrected.
- F17 (Top) and F18 (Bottom) keys in the Captured Transactions screen now function properly.
- Subset and Sort functions in Captured Transactions and Memorize Transactions have been fixed.
- Pointer errors no longer occur when socket exit points are set to not enforce rules.
- A problem causing IP address validation to not allow the number 5 has been resolved.
- Print Object List now includes just the selected list, and not all Object Rules.
- Installation now supports user profiles with blank location values.
- The History Subset and Sort Panel (PPL3372) no longer signals error CPF24B3 “Message type PPL3372 not valid” when F4=Prompt is attempted for a field that does not support prompting.
- The Set Monitor Status (PPLMONSTS) command now functions properly when attempting to set the status for the Monitor value of *PROFILE.
- The 'List Template Profile Settings' API (PPL6125) now correctly outputs Template Profile Settings that exist for an Allowed System to the inputted user space.
- A problem within system removal that was causing existing audits to be unremovable has been resolved.
- A problem preventing newly included systems from being recognized as an Allowed System for existing Templates has been resolved.
- Installation now accommodates objects that have object text defined at the maximum length of 50.
- Inability to call the supplemental exit point after changing a rule to *REJECT, then back to *OS400, has been resolved.
- A problem causing certain memorized transactions to be rejected when they should be allowed has been resolved.
- RNX0100 errors in LNSR108xxx after loading Network Security have been resolved.
- A timing error on cache causing "CPF9802, Not authorized to object PS17144 in PTNSLIB07 type *USRIDX" during the product update procedure has been addressed.
- The User Group Subset function has been repaired so that the last user is no longer missing in some cases.
- A problem causing activation of socket exit points to interfere with Robot Schedule Enterprise has been resolved.
- A problem causing Object Rules to be unable to process the *DELETE operation has been resolved.
- Prompt program PNS4002 no longer displays "More" when it should display "Bottom".
- Secure Screen Monitors have been fixed.
- Access control for Sockets-related exit points has been added.
NOTE: Insite Users: If you intend to use the HelpSystems Insite Web UI along with Network Security, go to HelpSystems Insite Downloads and follow the accompanying Insite installation instructions. Insite version 1.15 is required in order to use Network Security 7.15's socket-related features.
- Socket Rules and Conditions can be configured to accept or reject socket transactions for the QSOLISTEN, QSOCONNECT, and QSOACCEPT servers.
- Multiple Socket Rule Conditions are evaluated according to a preferred sequence.
- Socket Rules can be tested to ensure correct behavior on the system before they are activated.
- Reports have been enhanced to support reporting of socket activity.
- For more information, see Socket Rules (green screen) and Socket Rules (Insite web UI).
Accompanying Central Administration Updates
- Auditing strategies have been added to support auditing of Socket Rules.
- Better handling of damaged objects. A change was made so objects that are known to occasionally become damaged (User Index; Data Queue) are better handled. Where possible the product has been changed so that it self corrects these situations.
- Error RNX0100 when running Event Reports has been resolved.
- Exit point programs no longer change the job’s library list to include the Central Administration and Network Security libraries without removing them. (This was particularly an issue with FTP, since FTP can be done in an interactive job leaving the library list changed until sign off.)
- Secure Screen:
- A problem causing Secure Screen Monitor to fail with MCH3401 has been resolved.
- Inability to Edit/Copy/Display in the Secure Screen Filter has been resolved. (Previously, a screen defect was causing options 2 (Edit), 3 (Copy), and 5 (Display) to always bring up the last item in the list instead of the selected one.)
- Error "Object (sbsd) in library *LIBL not found" has been resolved. (Previously, when adding a secure screen filter, if you prompted for an *SBSD entry and selected one not in your job’s library list (PTWRKMGT for example), the entry would not be added with the following error displayed: "Object PTWRKMGT in library *LIBL not found".)
Accompanying Central Administration Updates
- Better handling of damaged objects. Objects that are known to occasionally become damaged (User Index; Data Queue) are better-handled. Where possible, the product has been changed so that it self-corrects in these situations.
- The Central Administration product library (PTPLLIB) is permanently placed in a job’s library list when a profile is created, changed, or deleted. A job’s library list is now returned to its original state after Central Administration processes a user profile function that was processed by the product’s exit point programs.
- A problem causing inactivity of the monitor job (without visible errors) has been resolved. The PPLCMNSVR monitor job had a built-in feature that was acknowledging the QSTGLOWLMT system value. That feature was added to better handle an Operating System defect that existed in some base Operating System releases. The PTF that addresses this defect is now included in all base Operating System releases negating the need for this built-in feature, which has been removed.
- Event processing and integrity improvements.
- Entering the History Browser no longer results in Message ID CPF2419 and/or CTL0001 in the job log. The CPF2419 message typically appeared when an end point system running Network Security existed in a different library than that of the Management System (i.e. manager using PTNSLIB and end point using PTNSLIB07).
- A problem causing the PPLCMNMON monitor job to remain inactive (with log ID T410012) has been resolved. The PPLCMNMON monitor job was unable to start due to the /tmp directory being so large that the Unix stat function failed with error “Object is too large to process.” The stat function has been replaced with stat64, which is specifically designed to handle larger objects.
- A change has been made within the event monitor processing pertaining to captured transactions in order to improve this job’s overall performance.
- The installation process has improved support for systems with a large number of locks at the time of install.
- PIV0013 error "Object is in use" for LNSUSA02 and LUSER01 during installation has been resolved.
- When creating a new Object List Rule, if a User or Location Rule already exists, a message is now sent and the Object List Rule is set to Inactive.
- Performance enhancement: Network Security now attempts job interrupts in a more efficient manner.
- A merge issue impacting installation was resolved.
- A merge issue impacting installation was resolved.
- Easily define and manage groups of network users. A collection of user profiles can now be quickly and easily managed from directly within Network Security.
- A new type of User Rule has been added. Network Security's new User Groups are containers for groups of user profiles that can be used in place of user profile names when defining a User Rule.
- Ranked sequence. User Groups are assigned a sequence number that determines the order they are used in the exit programs. For example, if there are three User Rules with NS User Groups for a specific Server/Function, and all three have USER1 as a member, the rule with the lowest sequence number will be used. (Of course, a User Rule assigned specifically to USER1 for the Server/Function would have priority.)
- Green screen and web browser support. User Groups can be easily defined and applied to User Rules in the green screen or Insite Web UI.
- Simplified Green Screen Interface. The green screen interface has been simplified. Previously, management of User Rules was handled on one of three different panels, depending on how the User Rule was invoked. These panels have been consolidated into a single "Work with Security by User" panel. Similarly, all Location Rules are now managed with the "Work with Security by Location" panel. For details, see Appendix M: Interface Changes in Network Security 7.08 in the Network Security Administrator's Guide.
- Bug Fixes and Usability Improvements.
- FTP/REXEC sign-on no longer causes the exit program to fail with an MCH3601 (pointer not set) error.
- A program that is called to check whether SUMCAPTRAN can be started has been fixed.
- When a transaction is rejected due to a prefilter rule, the reject message is now correctly sent to QSYSOPR.
- Transactions with leading spaces can now be memorized.
- Problems capturing transactions for the *DDM server have been fixed.
- Disabling Silent Activation no longer fails for ten-character program names.
- Reports can now be run for user profiles that start with @, #, or $ characters.
- Failed audits (whose status remains stuck as "Processing") have been resolved.
- *RMTSRV RMTCMD text for Captured Transactions has been fixed.
- A stuck semaphore has been detected and fixed (copy to QGPL).
- Stuck semaphores causing the Dashboard counters to stop counting have been fixed.
- Network Security is now delivered with new deployment functionality, including the ability to stage the product installation.
- The job queue library on the PTNSGMSTR job description now appropriately lists PTNSLIB07 when PTNSLIB07 is the product library.
- Long Distributed Program Calls no longer cause the error RNX0100, causing exit program PTNSLIB/LNSR108P to end abnormally.
- Network Security 7 now always installs into library PTNSLIB07.
- Inability to change the 'Rules Enforced' flag (as of Network Security 7.04) has been resolved.
- HelpSystems Insite Web Browser Interface support has been added. See HelpSystems Insite and Network Security for Insite for details.
- Failure to run reports when the 'SystemID' contains a single quote has been resolved.
- An RNX1211 error when attempting to run a Showcase Exit Point has been resolved.
- Network Security no longer causes an Authority Failure (AF) audit journal entry during Silent Activation.
- The MCH3601 (Pointer not set for location referenced) error no longer occurs when attempting to prompt for an IFS.
- The Reports/Display IFS file function no longer requires the user’s home directory to be root (/).
- Remote commands run via Visual Basic using the 'IBM i Access for Windows ActiveX Object Library' are now being converted to EBCDIC correctly.
- A command parameter error no longer appears when trying to run reports.
- Audit Reports no longer fail on transactions greater than 9,999 characters.
- *FTPCLIENT no longer creates blank journal entries.
- Errors MCH3401, CPF5009, and CPF5034 while upgrading from Network Security 6.xx to 7.xx have been resolved.
- The History Browser now supports subsetting by subject name.
- Auditing for IP Address Groups is now available.
- High I/O counts have been reduced for all LNSR108xx programs.
- For Object Rule checking, the possibility of looping when parsing an SQL statement has been eliminated.
- Pre-Filters now display for low authority users.
- Network Security exit programs now always honor Object Rules.
- All servers now display Location Rules.
- The screen no longer fills with the same *ALL Location Rule when using LA against a server with more than one location rule.
- Network Security Reports now include Transaction Data.
Central Administration: During uninstallation, the Profile Change Trap is now unregistered from the profile exit points.
- Network Security 7 includes the integration of PowerTech Central Administration, which allows you to manage systems across your network from a central server, benefit from Central Administration’s security features, and copy Rules and other configuration settings across systems. The following updates are included with Network Security 7:
- System Accessibility. Easily switch to any managed system in order to manage Network Security’s configuration, or use other Network Security features, on that system. Switching systems is a feature of both the green screen and Web UI.
- Convenient Dashboards. Dashboard transaction counts and statistics can now be quickly accessed for any managed system.
- Central Administration’s Security Tools. All managed systems benefit from Central Administration features, including:
- Auditing: To verify the integrity of Network Security throughout your network, and ensure adherence to your organization’s security policy, users can run audits to identify and manage Rules (and other Network Security settings) that have been changed on Endpoints directly. Any discrepancy can be resolved easily with a Remedy, accepting the configuration of either the Endpoint or Management System.
- History Browser: The History Browser displays a list of all events that have occurred on any system that is managed through Central Administration. Any action performed through Central Administration or one of the PowerTech products that work with Central Administration is recorded in the history, including Rule changes, security changes, system inclusions, network configuration changes, and so on.
- Role-based Security: Central Administration Product Security allows you to perform product security functions, such as working with Roles. A Role is a collection of access rights that define a PowerTech user’s authority over the managed systems.
- Copy Rules to Managed Systems (Web UI). Once you have configured Rules on the Management System, you can copy them to other Endpoints in order to quickly propagate your security policy across your network.
- Issues related to PTWRKMGTOW/PTWRKMGT have been fixed.
- SQL errors in MRGPRVNS have been fixed.
- The authority check for exit point activation is now using the Current User on the job (instead of the Job User).
- Remote IP address retrieval for FTP exit points has been cleaned up. (Formerly, retrieving the remote IP address could return blanks that were transcribed as 12 zeros.)
- The possibility of looping when parsing an SQL statement for object rule checking has been eliminated.
- Problems related to non-displayable characters in Work with Captured Transactions have been addressed.
- *ALLOBJ authority is no longer required to run the PTNSSTRWEB command (used to start the Network Security Web Server). See Starting the Web Server.
- Only one audit journal entry is now created for 'Possible Intrusion' events.
- Invalid IP addresses added to IP Address Groupings can now be deleted.
- The previous day's cache file for the *CLI server is now cleared automatically each day.
- MCH3601 and LNS0703 errors in exit programs have been resolved, allowing the appropriate journal entries to be written.
- Only the jar files are deleted from powertech/installs after a product update.
- A web UI accessibility issue regarding PTWEB password expiration has been resolved.
- An MCH1210 error no longer causes program PTNSLIB/LNSR108P to end.
- Rules can now be filtered by Type: User or Location.
- A convenient slide-out menu in the Captured Transactions screen allows you to quickly memorize Captured Transactions.
- Delete buttons have been added to detail forms.
- An environment variable can now be used to suppress the PTNSGMSTR job.
- Performance enhancements have been made to Network Security Activation.
- Performance enhancements have been made for the *DATAQSRV exit program.
- Network Security includes a new web interface designed to allow an efficient, interactive method of managing network traffic. See Web Browser Help in the Network Security Administrator’s Guide for details.
- Network Security’s new Dashboard, available from the web interface, allows you to monitor transactions controlled by Network Security. See Dashboard for details.
- For Print Rules by Location, specifying *ALL for the location now includes all location rules for all locations in the report (rather than only rules defined as location=*ALL).
- The rule checking order has been fixed for Object Lists.
- Caching of flags for *MEM rules has been fixed.
- *RMTSRV and RMTCMD have been converted from Unicode so that transactions from IFS commands are recognized.
- Rule checking has been fixed for cases when a user profile does not exist.
- MCH1210 no longer causes PTNS010701 to end abnormally on the QZDASOINIT job.
- Support for Showcase is now available.
- The “File LNSSVF01 not found” error during the product update procedure has been resolved.
- ShowCase exit point support has been added.
- MCH1202 error in PTNS010701 has been fixed.
- Authority Failure journal entries on *FILESRV exit program when not an *ALLOBJ user have been fixed.
- Database reads for Location/User/Object rule checking have been reduced.
- The SUMCAPTRAN process now handles PARTIAL journal receivers.
- The last collected date, which was incorrect for some captured transactions, has now been corrected.
- The number of database reads for pre-filters has been reduced, improving performance.
- *LOCATION rules address groups are now working.
- Compliance Monitor Consolidator updates for 3.11
- Check for ibmxmlcrypto.jar in the pre-checker has been removed.
- A 'wait' panel now appears during export.
- An e-mail's ‘from’ address can now be changed.
- Authority Broker reports can now be run in Compliance Monitor (through external reports).
- Temp files from AB-rpts-via-CM code (for the endpoint startup process) are now cleaned up.
- A plus sign (‘+’) before '%' or '_' can now be used to indicate ‘%’ and ‘_’ should not be treated as special characters when parsing a filter to convert to regex. (‘+’ is equivalent to an SQL escape character.) The two-character string ‘++’ can be used to specify the single character ‘+’.
- When a CM batch report definition is deleted, it is now removed from the internal scheduler.
- NSIS has been enhanced to populate the .exe Details panel with Product info.
- Integers are no longer incorrectly exported as strings when exporting to Excel format.
- Compliance Monitor now completely cancels collections initiated by batch reporting.
- 'used' has been added to memory information logging in the cm3.log file for troubleshooting purposes.
- For Batch Reporting, the 'Start at' is no longer off if the consolidator and PC timezone settings do not agree on daylight savings time offset.
- Placement of batch report run slot enforcement has been improved. The number of concurrent batch reporting jobs can now be changed without bouncing the consolidator. (This is for single or multi-threading batch report jobs.)
- 'ELF enabled' information now appears on exported PDF reports.
- A problem has been corrected within scorecards for filters with field-to-field comparisons that have to perform a cast.
- Enhancements to allow for work within Vagrant Virtual Machine were added.
- Batch delivery of multi-format reports has been fixed, with improved journal data cleanup and CSV output.
- Compliance Monitor now attempts to handle (and to send messages) when a CMCOLL row is going to be written with REQUESTOR column set to blanks.
- The Batch Report owner now propagates when changed.
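
The '+' escape rule for filters described in the list above, worked through as an added example (this is not Compliance Monitor's own code). It assumes '%' and '_' act as the SQL LIKE wildcards (any run of characters, any single character), that the filter must match the whole value, and that a '+' not followed by '%', '_' or '+' is kept as a literal '+'; the function names and sample values are constructed for illustration.

```python
import re

ESCAPE = "+"  # escape character named in the release note


def filter_to_regex(pattern: str) -> str:
    """Translate a filter string into a regular expression.

    Rules taken from the release note:
      +%  -> literal '%'
      +_  -> literal '_'
      ++  -> literal '+'
    Assumed here (not stated on the page):
      %   -> any run of characters (SQL LIKE semantics)
      _   -> exactly one character (SQL LIKE semantics)
      a '+' before any other character, or at the end, is a literal '+'
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if ch == ESCAPE and nxt in ("%", "_", ESCAPE):
            # Escaped special character: emit it as a literal and skip both.
            out.append(re.escape(nxt))
            i += 2
        elif ch == "%":
            out.append(".*")
            i += 1
        elif ch == "_":
            out.append(".")
            i += 1
        else:
            # Everything else is literal, including regex metacharacters
            # such as '.', '(' or '*', which must not leak into the regex.
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def matches(pattern: str, value: str) -> bool:
    """Return True when the whole value satisfies the filter."""
    return re.fullmatch(filter_to_regex(pattern), value, re.DOTALL) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    samples = [
        ("QSYS+_%", "QSYS_LIB"),   # escaped '_' must be a real underscore
        ("QSYS+_%", "QSYSXLIB"),   # 'X' is not an underscore
        ("QSYS_%", "QSYSXLIB"),    # unescaped '_' matches any one character
        ("100+%", "100%"),         # escaped '%' is a literal percent sign
        ("100+%", "1000"),         # so it no longer acts as a wildcard
        ("A++B", "A+B"),           # '++' stands for a single '+'
        ("a.b", "axb"),            # '.' stays literal after translation
    ]
    for flt, value in samples:
        print(f"{flt!r:12} {value!r:12} -> {matches(flt, value)}")
```

Without the escape, a filter meant to select names containing an underscore also selects every name with any character in that position, which widens what a report or scorecard covers.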
- New menu option for pre-filters to combine user and location rules
- Corrected error directly following flushing the cache
- Performance improvements with the SQL Exit Point
- Fixed an issue with supplemental group profiles and a looping exit program
- Fix RNX0100 in LNSR108TFT when using IPv6
- Handle parsing of *FROM in an SQL Statement
- Handle parsing of 3-part names in SQL through PRPDESDCRB when using Object Lists
- Fix generics on Subset by User under Work with Security by User
- Allow Subset by User to handle more than 9,999 user profiles