Monthly Release Notes - December 2019

Jump to:

Core Security


Core Network Insight

Version: 6.4.3
Other Fixes
  • [CAS-0010170402] - Improvements on diagnostic metrics calculation performance and reliability.

Back to Top

 

GoAnywhere


Version 6.3.1
Applicability Statement 4 (AS4)
  • Added support for the Applicability Statement 4 (AS4) file transfer protocol. The AS4 tasks work with the existing GoAnywhere HTTP/S server as the message transport mechanism.
    • Added a new AS4 Resource for defining partner information, such as URLs, authentication, certificates, etc...
    • Added a new AS4 service, along with configuration pages for AS4 Message Channels.
    • Added a new AS4 Pull task for retrieving messages from an AS4 server.
    • Added a new AS4 Push task for sending messages to an AS4 server.
    • Added a new AS4 Send Error task for returning an error if validation of an AS4 message fails.
    • Added a new AS4 Send Receipt task for sending receipts in response to AS4 pull requests.
    • Added a new AS4 Enqueue Message task for adding messages to Web User Message Channels.
    • Added new Web user configuration options for AS4.
    • Added new AS4 server-side logs.
Fixes
  • Fixed an issue where MFT would fail to start up due to a missing security property. This issue was introduced in version 6.3.0.
  • Fixed a UI alignment issue in the SAN/DN section of Web User settings. This issue was introduced in version 6.3.0.
  • Fixed an issue where encryption GoFast file accelerated transfers would fail during key generation when running in FIPS mode using the new Bouncy Castle FIPS 140-2 certified security provider. This issue was introduced in 6.3.0.
  • Fixed an issue where encryption updates to the service keystore passwords were causing the Security Audit Report generation to fail. This issue was introduced in 6.3.0.
  • Fixed an issue where SOAP and REST tasks were not correctly handling implicit trust. This issue was introduced in version 6.3.0.
  • Fixed an issue where email and username validation was not properly enforced when performing SAN/DN verification during Web User authentication. This issue was introduced in 6.3.0.

Back to Top

 

IBM Partnership


Backup, Recovery, and Media Services (BRMS)

Version: PTF 7.4 SI71134, 7.3 SI71133, 7.2 SI71132
Enhancements

In version 7.2 and later:

  • BRMS enhanced the INZBRM OPTION(*FLASHCOPY) STATE(*STRPRC) processing to end the BRMS Enterprise subsystem named Q1ABRMENT.
  • BRMS now provides a Reclaim Media (Q1ARCLMED) API to reclaim a single tape volume.
  • Improved the IFS backup outfile processing performance.
  • To display the cloud retain media retention period the following command can be run:
    CALL PGM(QBRM/Q1AOLD) PARM('CLOUD ' 'RETAINDATA' 'S' 'mmmmmmmmmm' '*DSP')
    where 'mmmmmmmmmm' is the move policy name.
Other Fixes

In version 7.2 and later:

  • RSTBRM may fail with MSGBRM1688.
  • ANZLIBBRM may incorrectly report MSGCD3105 and MSGCPF9899.
  • RSTLICPGM LICPGM(5770BR1) may fail with MSGCPF3D95.
  • STRMNTBRM may fail MSGCPF501B.
  • The GUI Web Enterprise Feature and INZBRM *VFYSYS may incorrectly report connection failures when using secured DDM with mixed case passwords.
  • BRMS restores running longer with the job in MSGW and the call stack ending with Q1AMS and QMHRCVPM.
  • DUPMEDBRM with the parameter TOENDOPT(*UNLOAD) may not unload all of the target volumes.
  • Restoring *SAVSECDTA from a cloud backup using STRRCYBRM or WRKMEDIBRM appears to be in a loop as it repeats the restore 99 times.

In version 7.4:

  • Upgrades with DSLO media may fail with MSGCPD377C causing 5770SS1 option 3 to go into an *ERROR state.

 

IBM PowerHA SystemMirror for IBM i

Version 7.4 HA 4.0.1, PTF SI71412 (plus Language PTFs)
New Features
  • Increased the cluster administrative domain monitored resource entry limit to support up to 200,000 resources entries - an increase of over 340% to support for the largest environments.
  • New parameters for the Work with Cluster Administrative Domain Monitored Resource Entries (WRKCADMRE) command enable filtering based on criteria like monitored resource, library, resource type, and global status. Filters can be combined and support generic wild cards.
  • The Add Cluster Administrative Domain Monitored Resource Entry (ADDCADMRE) command now supports *ALL and wild cards on the monitored resource and library parameters. In addition, the omit parameter has been added. The new options are supported for user profiles, authorization lists, classes, job descriptions and subsystem descriptions. These simplify administrative domain setups; a single command can be used to add multiple resources at one time.
Enhancements
  • PowerHA enhanced support for replication of encrypted passwords set with(using) the QSYSUPWD API. Previously, the QSYSUPWD API caused the user-affected profile to be marked as inconsistent within the administrative domain.
  • Improved control over changing the synchronization option for an administrative domain using the Change Cluster Administrative Domain (CHGCAD) command even when some nodes in the administrative domain are inactive.
  • The WRKCADMRE command has been enhanced to work even when clustering is inactive. With this function, users can view monitored resources within an administrative domain on a local node even during maintenance windows.
  • Enhanced integrated recovery from a data-center outage in a HyperSwap with a LUN-level switching environment that enables HyperSwap protection to be restored with a single command.
  • Confirmation panels in PowerHA have been enhanced to use F16 instead of enter for confirm.
  • Several PowerHA work panels have been enhanced to show both error and completion messages at the bottom of the panel upon execution of actions on the work (WRKHAPCY, WRKASPCPYD, WRKHACFGD, WRKHYSSTS, Work with cluster resource groups).
  • PowerHA enhanced the detached status for Copy Services Manager Sessions to display as XXXX instead of blanks for consistency and ease of understanding.
  • Improved CHGCRGCNR switch type of *SAMESITE behavior has been improved to be more consistent in handling of ordering of the recovery domain.
  • User queue and user space objects used for PowerHA operation have been moved from the QGPL library to the QUSRHASM library.
  • Function key F13=Release notes has been added to the Work with Cluster (WRKCLU) command menu to show the release notes for the PowerHA product.
Other Fixes
  • SE71819: DS8000 multiple incremental FlashCopy issues at DS bundle versions.
  • SE72158: In an SVC Global Mirror with change volumes environment when the session storage state was 'consistent copying', the RTVSVCSSN command was returning unknown for the storage state. This is corrected to now correctly show the storage state as 'consistent copying'.
  • SE72209: In geographic mirroring environments, when replication was suspended or detached, the mirror copy of the IASP would show the status as VARYONPEND instead of VARYOFF. This has been corrected to show the status as VARYOFF.
  • SE72375: The persistent(*NO) option on STRASPSSN was not being honored for DS8000 FlashCopy sessions.
  • DSPSVCCPYD with the output *PRINT option, now includes the node field previously shown only with interactive displayed output.
  • The Remove HA Policy confirmation panel now wraps text for long policy commands, rather than truncating the displayed value.
  • The WRKHAPCY screen now allows option 1=ADD to be specified on any entry containing policy names, making it easier to add a specific policy without needing to type the entire name of the policy.
  • WRKCLU option 9, work with cluster resource groups (CRGs) has a simplified display for CRG containers indenting CRGs that are managed by a container.
  • DSPHYSSTS with the output *PRINT option now includes the synchronization status column previously shown only with interactive displayed output.
  • Error messages for the Change CSM Session (CHGCSMSSN) command have been enhanced with additional information as to the current session state and why the given operation is not allowed.
  • When performing WRKHAPCY at cluster version less than 9, a diagnostic message was incorrectly being displayed in the job log that the request was not compatible with the current cluster version.
  • When performing a refresh of the DSPCSMSSN command after clustering has ended, an MCH0601 would occur. This has been corrected to correctly show CPFBB26: Cluster Resource Services not active or not responding.
  • WRKCLU option 9 when no cluster is defined would give a CPF6A38 - Variable record CNSIS02RCD not defined in panel group. This has been corrected so that the panel works even when there is no cluster defined.
  • In geographic mirroring environments in some instances the vary state of the mirror copy independent ASP on DSPASPSSN incorrectly would show as unknown when a geographic mirroring session contained multiple independent ASPs.
  • Panel group QGYASPDSSN not released properly.
  • Panel group QGYASPWCPY not released properly.
  • Padded spaces truncated from PowerHA confirmation panels for easier readability.
  • The performance of DSPCRGINF was corrected as previously subsequent F5=Refresh on the DSPCRGINF screen resulted in longer refresh times.
NOTE: PTF update SI71412 requires one or more associated language PTFs. To determine if additional languages you have installed in your environment require a requisite MRI PTF, consult the table of language PTFs in the release cover letter at IBM Support.
Version 7.2/7.3 HA 3.2, PTF SI71480
Enhancements
  • PowerHA enhanced support for replication of encrypted passwords set with(using) the QSYSUPWD API. Previously, the QSYSUPWD API caused the user-affected profile to be marked as inconsistent within the administrative domain.
  • Improved control over changing the synchronization option for an administrative domain using the Change Cluster Administrative Domain (CHGCAD) command even when some nodes in the administrative domain are inactive.
  • Enhanced integrated recovery from a data-center outage in a HyperSwap with a LUN-level switching environment that enables HyperSwap protection to be restored with a single command.
  • Several PowerHA work panels have been enhanced to show both error and completion messages at the bottom of the panel upon execution of actions on the work (WRKHAPCY, WRKASPCPYD, WRKHACFGD, WRKHYSSTS, Work with cluster resource groups).
  • PowerHA enhanced the detached status for Copy Services Manager Sessions to display as XXXX instead of blanks for consistency and ease of understanding.
  • User queue and user space objects used for PowerHA operation have been moved from the QGPL library to the QUSRHASM library.
Other Fixes
  • Error messages for the Change CSM Session (CHGCSMSSN) command have been enhanced with additional information as to the current session state and why the given operation is not allowed.
  • When performing a refresh of the DSPCSMSSN command after clustering has ended, an MCH0601 would occur. This has been corrected to correctly show CPFBB26: Cluster Resource Services not active or not responding.
  • In geographic mirroring environments in some instances the vary state of the mirror copy independent ASP on DSPASPSSN incorrectly would show as unknown when a geographic mirroring session contained multiple independent ASPs.
  • SE72209: In geographic mirroring environments, when replication was suspended or detached, the mirror copy of the IASP would show the status as VARYONPEND instead of VARYOFF. This has been corrected to show the status as VARYOFF.
  • Previously in some instances PowerHA did not release locks on panel group QGYASPDSSN or panel group QGYASPWCPY. This has been corrected so that the locks are released once the panels are closed.
  • Padded spaces truncated from PowerHA confirmation panels for easier readability.
  • SE71819: DS8000 multiple incremental FlashCopy issues at DS bundle versions.
  • SE72158: In an SVC Global Mirror with change volumes environment when the session storage state was 'consistent copying', the RTVSVCSSN command was returning unknown for the storage state. This is corrected to now correctly show the storage state as 'consistent copying'.
  • SE72375: The persistent(*NO) option on STRASPSSN was not being honored for DS8000 FlashCopy sessions.

Back to Top

 

Insite


Version 3.02
New Features
  • Dynamic Dashboards give you the ability to quickly create a single product dashboard with predefined widgets.
  • Insite Deployment Manager can now maintain Powertech Antivirus Endpoints installed on *NIX servers.
Enhancements
  • Some Robot Network dashboard assets now support filtering

  • Various Robot Network assets can now be created and viewed as Key Indicator widgets
  • Widget Advanced Settings are not organized into Setting Tabs in order to easily identify and change widget options
Other Fixes
  • Fixed issues with install and update process

  • Insite no longer supports CentOS 6.
  • Fixed issue with Password Self Help Answers not showing in User Setup.
Components in Insite
Updates

Back to Top

 

Intermapper


Version: 6.4.2
Enhancements
  • Link status entries in the Event Log now show the name of the map from which the link status message originated.
Other Fixes
  • Intermapper Remote Access Server Settings window now closes when the client is disconnected from the Remote Server pane.
  • In the Map List window, status totals at the top of the window now show correctly.
  • Notes have been added to the SNMPWalk topics in the Developer Guide that you can't use SNMPWalk with a probe group, only with its individual probes.
  • Device status counts in the Map List window (using the gear icon in the upper right corner to turn on status counts) now show correctly.
  • The Linux Readme no longer advises the user to update Java, which is unnecessary since an up-to-date Java Runtime Environment (JRE) is installed with Intermapper.
  • A number of improvements have made map status indication more reliable.
  • Performance when polling complex maps has been significantly improved.

Back to Top

 

Powertech


BoKS Control Center

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Control Center 8.0 Installation Guide.
New Features
  • Updated to support BoKS 8.0 features and functions.
Enhancements
  • Support for java version 11 and above.
  • Added support for changing multiple GIDs or multiple group names in one operation.
  • Improved the autocomplete feature for selecting primary group - now the number of groups is displayed at the bottom of the drop-down if there are more than the 15 that are displayed in the drop-down.
  • Added support for setting global time zone to the Domain settings page.
  • Added columns for Target user and From user in the Access Rule listing.
  • Added links to host detail pages from members listing in the Host Group details page, where the member resolves to a specific host (i.e. not for wildcard definitions).
  • Added support for the REALSTARTEDBY parameter to the Keystroke Log Files as read in BCC.
Other Updates
  • The installation directory is owned by the process user instead of previously root. This prevents an issue whereby the presentation server couldn't be started after installation with a restrictive umask setting.
  • Upgrade of dependency libraries. Resolves the vulnerabilities CVE-2019-10241 and CVE-2019-10247.
  • Some GUI labels that previously said "To user" have been changed to "Target user" for consistency.

BoKS Manager

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Manager 8.0 Installation Guide. For Known Issues in this release, see the section "Known Issues" in the Administration Guide.
New Features
  • Segmented Network Mode
  • Network communication within a BoKS domain has been redesigned with a special mode for segmented networks where the BoKS Master is not allowed to contact BoKS Server Agents.

  • Improved DB shared memory index handling
  • BoKS database shared memory index handling has been completely redesigned to enhance responsiveness and performance.

Enhancements
  • Upgraded the version of OpenSSH that BoKS SSH is based on from 7.3p1 to 8.1p1.
  • This causes the following changes:

    • Only SSH protocol version 2 is supported (regardless for BoKS activated or not)
    • Privilege Separation mandatory and cannot be disabled.
    • Chroot environment for scp and sftp needs to include a /dev/random device (not needed if internal sftp server is used)
    • The following sshd_config options are no longer supported.
      serverkeybits
      keyregenerationinterval
      rhostsauthentication
      rhostsrsaauthentication
      rsaauthentication
      skeyauthentication
      uselogin
      protocol
      verifyreversemapping
      reversemappingcheck
      authorizedkeysfile2
      useprivilegeseparation
    • Default key length when generating RSA keys is increased from 2048 to 3072 bits.
  • BoKS supports DSA keys, but the DSA key support in SSH is disabled by default since it uses an older and weaker encryption algorithm. For more information, see http://www.openssh.com/legacy.html.
  • The deprecated CLI programs ttyadmin and routeadm which were previously used to define Access Rules, are removed in this version of BoKS Manager. The deprecated functions used for managing access policies for the program bksdef are also removed.
  • SSH privilege separation is always active for SSH access in BoKS 8.0. The -p option to activate privilege separation is removed for the install, setup and sshd_setup programs. If there is no existing sshd user, you must either specify the uid and gid for the user and the user will be created, or create the user manually.
  • NOTE: In order to use the boks_upgrade program to upgrade Server Agents, the user 'sshd' and the directory /var/empty must exist on the Server Agent host.

  • If an Access Rule with chroot includes scp and sftp access, the chroot environment must include a /dev/random device. For sftp, this is only required if you are using an external sftp server subsystem; it is not required for internal sftp.
  • The cadm program has the following functional changes:
    • Prevent execution of arbitrary BoKS files in BOKS_lib and BOKS_sbin. Scripts placed there by users are still possible to execute, as are Boot and sysreplace.
    • Prevent writing and deletion of certain variables in the ENV file on Server Agents. The forbidden variables are BOKS_* (the install paths of BoKS), VERSION, OSREL, BOKSINIT, ISMASTER, PKG_HOTFIX, SSM_ACTIVE, and ENVDONTSAVELIST.
    • The ability to execute non-BoKS scripts in BOKS_lib and BOKS_sbin is deprecated, and will be removed in a future version.
    • A new directory BOKS_local (default BOKS_DIR/local) should be used instead.
  • If a host is removed from the BoKS database, and it has queued batch messages, these messages will be removed after some 30-40 minutes. If the primary IP address for a host with queued batch messages is changed, the IP address will be changed for the queued batch messages as well. Due to this change, the functionality in boksdiag to change IP address for batch messages has been removed (boksdiag fque -bridge -move fromip toip).
  • The option -D is removed for the setup program.
  • A new bokscron job is added to periodically remove expired suexec tickets.
  • On Linux, pam_limits.so has been changed from optional to required in the boks_sshd PAM configuration file.
  • The option -Z is removed for the prgrpadmin program.
  • The option -d is removed for the mkhome program.
  • The mapcert program now supports setting a comment when adding a UUID or hash mapping, with the optional parameter "-C" to "mapcert set". Listing mappings also lists the comments.
  • The hostadm program has a new list option -J to display the database id for the host (Note the database id is only used internally in BoKS and is unrelated to the hostid string used for DHCP hosts):
  • BoKS # hostadm -l -J

  • New bksdef option: bksdef --compat-pre71-suexec { enable | disable }
  • Prior to BoKS 7.1, suexec did not distinguish between spaces that separate arguments, and spaces within arguments. In BoKS 7.1 this was corrected, but suexec Access Rules created prior to BoKS 7.1 will not work as expected with Server Agents of version 7.1 and above if there are spaces within arguments. Similarly, suexec Access Rules created in BoKS 7.1 and above will fail to grant access to pre-7.1 Server Agents, if there are spaces in arguments. bksdef now has a configuration option that restores the pre-7.1 behavior, where there is no difference between spaces that separate arguments, and spaces within arguments. This is only necessary if there are suexec access rules with spaces in arguments, and

    1. Access rule is created prior to BoKS 7.1, and there are Server Agents of version 7.1 and above that need this access, or
    2. Access rule is created in BoKS 7.1 or above, and there are Server Agents of version 7.0 or below that need this access.
  • There is now an auto-registration proxy running on Replicas, so when auto-registering a Server Agent, you can specify the name/IP address of a Replica instead of the Master provided you have issued a host certificate to the Replica.
  • New bksdef option "bksdef --segmented-network-mode { enable | disable }" to enable/disable direct Master/Server Agent communication. For details on Segmented Network Mode, see the BoKS Manager 8.0 Administration Guide.
  • BoKS setup now attempts to stop and disable the system SSH server in order to enable boks_sshd at BoKS install. Added SYSTEM_SSHD_ENABLE_ON_UNINSTALL environment variable, which is used by BoKS uninstall to restore the system SSH server. Added the -d option to BoKS install and setup scripts in order to prevent stopping and disabling the system SSH server (and thus not enabling boks_sshd).
  • As previously, new SSH host keys are generated by default at BoKS installation. A new option to the install and setup programs can be used to specify that any found system SSH host keys are used by copying them to the $BOKS_etc/ssh directory. If a needed host key type is missing after the system's host keys have been copied, the missing host key is generated.

  • In BoKS 8.0 cacreds is no longer used to manage encrypted Keystroke Logging certificates, instead kslogadm is used and the KSL administration password is always required when performing any operations affecting the encrypted KSL cert. See the BoKS man page kslogadm for more information.
  • Provided enhanced support for creating host credentials from an external CA. Four new commands added:
    • bokshostcertreq - create a certificate request for a host
    • bokshostcertreqgenp12 - create host credentials given issued cert
    • bokshostp12import - create host credentials from a PKCS#12 file with a private key and certificate created by an external CA
    • bokshostmkp12 - create host credentials from the internal BoKS CA.

    Also added manpages for these programs and a manpage externalca.5

  • Added support for default global timezone to use when evaluating access rules. If set it is used if the Server Agent the request originated from does not have a timezone set in the BoKS DB.

    Commands:

    bksdef --set-default-timezone <timezone>

    bksdef --clear-default-timezone

  • The host flag HOST_MULTIADDR is removed. This was included in the bccas API as host attribute "multiAddr".
  • The BoKS ENV var BRIDGE_MASTER_S_USE_CHUNK_BATCH is now obsolete. The replica master send bridge now always uses this mode.
  • The program fccsetup is renamed to bccsetup.
  • Due to changes in the way password changes are handled, it is not supported to run BoKS Server Agents 8.0 in a domain where the BoKS Master and Replicas are older than version 6.6.x.
Other Updates
  • CAS-0010165047 - Added additional information to the ENV(4) man page about the AUTOREGISTER_POSTPROGRAM variable.
  • CAS-0010156868 - Fixed an issue where the setup program could exit as successful in a false context.
  • CAS-0010178140 - The ENV(4) man page is updated to clarify the behavior of the variable BKSD.
  • CAS-0010178526 - Fixed an issue with audit log entries not being sent from Server Agents using cadm.
  • CAS-0010173513 - Fixed an issue with unnecessary delays to local keystroke logging sessions.
  • CAS-0010176629 - Fixed a number of issues in the CRL import function.
  • CAS-0010141723 - kslog no longer issues audit log messages about no primary log server being defined if running in a pre-BoKS 7.0 server domain.
  • CAS-187378-N4P6L5, #12950 - The kslog program is updated to handle multiple remote logging disconnects.
  • CAS-0010175314 - Updated the routines to add Unix groups and delete Unix groups from Server Agents so they no longer lock the database during the entire operation.
  • CAS-0010152275 - A home directory is no longer created when the home directory specified in the user record and parent are not the same as the parent specified with CREATE_HOMEDIR_PATH, and this is not incorrectly logged as a directory being created for a non-existent user.
  • CAS-0010136355 - BoKS upgrade is improved to ensure that any changes made to config files are properly migrated.
  • CAS-0010165070 - When using the host preregistration flag "REMOVE_DISCONNECT", the action on disconnect was not logged, and there was no way to tell the status of the host.
  • CAS-0010152275 - When BoKS creates a home directory the correct name of the home directory is included in the audit log message.
  • CAS-0010154294 - Upgrading from BoKS 6.7 correctly inteprets program group names for suexec Access Rules.
  • CAS-0010157907 - getreports is now able to fetch customized file monitoring reports and transfer them to the Master.
  • CAS-0010165590 - Fixed issue with host certificate verification if CA chain longer than 2, affecting database download, host pre-registration, host auto-registration and audit log relaying.
  • CAS-0010166786 - Made a number of security enhancements to the cadm program.
  • CAS-0010123279 - The bccgethostcert command was updated to work if the Master has host type UNIXBOKSHOST instead of REPLICA. Previously it only worked with Master of host type REPLICA.
  • CAS-0010141459 - Fixed issue where not all users and Unix groups where pushed out to all hosts in a Host Group.
  • #14110, CAS-188995-R4W7S0 - The documentation for the "sequence" option in the BoKS man page boksdiag(1) has been enhanced.
  • #9410, CAS-189097-X2G9W3 - Running the command "mkhome -d <directory>" without specifying a user or host could cause BoKS to dump core, but this command is now removed from BoKS.
  • CAS-0010131126 - An issue was fixed whereby renaming a user with the command "modboks -n" could cause boks_master to end up in an infinite loop.
  • CAS-0010134853 - A check of authentication method used has been added to suexec tickets so that access within the session is only granted for the explicit authentication method configured.
  • #14535, CAS-184623-Y0J9S3, CAS-0010103964 - The extension "=+1" which is for internal database use is no longer included in Access Rule report listings for CLI programs.
  • CAS-0010118596 - boks_bru is updated to resolve an issue where it failed to restore very large database backups with an error message from the shell.
  • CAS-0010155060 - The HIDE_LOGIN_MESSAGE=on parameter now correctly hides the login message when logging in using SSH.

BoKS Reporting Services

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Reporting Services 8.0 Administrator's Guide.
New Features
  • Updated to support BoKS 8.0 features and functions.
Enhancements
  • Added a tar archive installation package, in addition to RPM.
  • The Domain Status page has added information about the database dump timestamp and file name.
  • The Rows per page setting is retained between report runs within a logged in session.
  • Users with the role "user" now have access to the Domain Status page.
  • A number of enhancements have been made to the JSON output for efficiency and readability:
    • New parameter "columnNames" that contains a list of the headers of the columns.
    • New parameter "filterParameters" (previously named "params").
    • Parameters "pageParams", "allParams" and "pageOrientation" has been removed.
    • Parameter "type" (used internally) now contains the short name of the report type.
    • Parameter "content" has a changed structure. The type specification ("[Ljava.lang.Object;") has been removed. It now contains a list of rows where each row is a list of the column values.

    Example output:

    {
      "type" : "UserClassListingReport",
      "dumpDate" : "2019-10-22 08:30:01",
      "title" : "User Class Listing",
      "columnNames" : [
        "User class",
        "Comment"
      ],
      "filterParameters" : {
        "Domain" : "Demo"
      },
      "content" : [
        [
          "CLASS_1",
          "First User Class"
        ],
        [
          "CLASS_2",
          "Second User Class"
        ],
        [
          "CLASS_3",
          "Third User Class"
        ]
        ]
      }			
    
Other Updates
  • BRS GUI reports can now display double quotation marks ".
  • User Class Access reports now filter out target users that do not exist in BoKS so that they do not appear in the reports.
  • In the REST API, if a JSON request generates an error, the error is returned in JSON format rather than html.
  • The only HTTP methods now allowed are GET, HEAD and POST, due to security issues with other methods.
  • Http requests are now redirected to https instead of giving an error message.
  • Upgrade of dependency libraries. Resolves the vulnerabilities:
    • CVE-2019-16335
    • CVE-2018-5968
    • CVE-2018-14718
    • CVE-2018-14719
    • CVE-2018-14720
    • CVE-2018-14721
    • CVE-2018-1000873
    • CVE-2019-16943
    • CVE-2019-14379
    • CVE-2019-12086
    • CVE-2019-14540
    • CVE-2019-14439
    • CVE-2018-19360
    • CVE-2018-19361
    • CVE-2018-19362
    • CVE-2019-12814
    • CVE-2019-16942
    • CVE-2019-12384
    • CVE-2018-15756
    • CVE-2019-10241
    • CVE-2019-10247
    • CVE-2018-14040
    • CVE-2018-14041
    • CVE-2018-14042

BoKS Web Services Interface

Version 8.0
NOTE: For system requirements including supported platforms, see the BoKS Web Services Interface 8.0 Administrator's Guide.
New Features
  • Updated to support BoKS 8.0 features and functions.
Enhancements
  • Support for java version 11 and above.
  • Added an RPM installation package, in addition to tar archive.
  • Added support for parameterized install for automated installation.
  • Added support for user certificate mapping.
Other Updates
  • CAS-0010142865 - Support has been added to explicitly use the UTF-8 character set to ensure proper processing of requests with these characters. This resolves an issue whereby WSI requests containing certain UTF-8 characters caused the program to stop responding and processing further requests.
  • CAS-0010149474 - Added more detail to the documentation on setting up the admin server using bccsetup.
  • Http requests are now redirected to https instead of giving an error message.
  • The only HTTP methods now allowed are GET, HEAD and POST, due to security issues with other methods.
  • Upgrade of dependency libraries. Resolves the vulnerabilities CVE-2019-10241 and CVE-2019-10247.

Powertech Antivirus

Version 5.2
New Features
  • On-Demand scans can now be started and stopped in HelpSystems Insite.
    • Options for starting and stopping scans are available on the Endpoints screen. The Endpoints screen also includes the status for scans currently running on endpoints.
    • Configurations for On-Demand scans can be defined on the Configurations screen. On-Demand scanning Configurations are validated when edited to ensure there are no validation errors.
    • The Configurations screen can be sorted and filtered by Configuration type so that only On-Access or On-Demand scan Configurations are displayed.
    • While running a scan from the Endpoints screen, Configuration settings can changed prior to the scan. The updated settings can be saved as a new Configuration.
    • Status information about configuration updates and virus scan requests is listed on the Activity Status screen and Activity Details list.
    • The number of endpoints with currently active scans is also listed on the Home screen.
  • An internal repository can now be used to download virus definition (DAT file) updates to be distributed to Powertech Antivirus endpoints using an HTTP file server.
    • A new Settings screen now allows you to configure options for running DAT level updates on endpoints.
    • The HTTP file server uses TLS certificates to ensure secure data transfer and requires little configuration. A signed TLS certificate can be used to secure the DAT repository HTTP file server. If a signed TLS certificate is not available the Powertech Antivirus service will generate a self-signed certificate to ensure a secure connection.
    • Row action and group action options for updating DAT files now appear on the Powertech Antivirus Endpoints screen.
    • The number of endpoints with outdated virus definition DAT files is listed on the Powertech Antivirus Home screen.
    • The Powertech Antivirus Home screen shows new information about the DAT file repository and endpoint DAT levels.
    • A new Powertech Antivirus service can be configured to update the DAT file repository when new virus definition updates are available. The most recent three DAT file versions are stored on the remote server, ensuring the local repository can be updated without the risk of interrupting any file transfer requests from endpoints that are currently in progress.
    • The avupdate command now support an new option, --ptavrepo, to indicate the path provided is to the root of a PTAV DAT Repository.
Enhancements
  • Endpoints can be searched by operating system on the Endpoints screen, so that only endpoints running the specified operating systems will be displayed.
  • Running scans can be sorted according to their scanning status on Powertech Antivirus Endpoints screen.
  • Activity Status links have been added to the Powertech Antivirus Home screen, which allow easy access to a list of endpoints with currently running scans and the list of active scans.
  • Filtering options have been added to the Activity Status screen, allowing easier access to the most relevant list of requests.
  • All endpoint items across all pages can now be selected, so that multi-select actions can be applied to all endpoints.
Other Fixes
  • A change has been made to kernel event handling on AIX to avoid a system crash during On-Access operation.
  • An issue causing a failure to quarantine files in the root directory when using AVSCAN has been resolved.

Powertech SIEM Agent

Version 4.0
New Features
  • SIEM Agent 4 has been re-invented to significantly improve the power and flexibility of SIEM Agent's capabilities.
    • Any IBM i journal or message queue can now be monitored for critical system messages, audit entries, and requests logged by Powertech Exit Point Manager, Authority Broker, and Command Security.
    • Outputs define the format and destination of notification events to be sent from SIEM Agent 4, which can be sent to multiple targets. An output target can be a network location, message queue, or IFS stream file.
    • Formats include settings that control the formatting of syslog event data, including the header specification. SIEM Agent 4 now supports variations of the syslog format, including CEF, RFC3164, the original published standard for Syslog, and RFC5424, a more modern version of the RFC3164 standard.
    • Specific, highly relevant information from event fields can be included in your event notifications by configuring Extensions and Event Text.
      • Extensions are name-value pairs that display simple values from the event (such as pgm=QSYS/QLESPI, user=QSECOFR, etc.).
      • Event Text can be used to define the dynamic pattern used to assemble a highly-informative, human-readable message accompanying your notifications.
    • Event Descriptions now allow you to easily accommodate events from custom journals and message queues.
    • Rules now allow you to include additional Extensions, alternative Event Text, or send to alternative Outputs based on a relevant piece of data within an event, such as a user profile name.
Enhancements
  • Entry types and subtypes have been added for IBM i 7.4 compatibility.
  • Journal and message queue data is now stored in a normalized, relational way for improved performance.
  • The monitor jobs have been rewritten for improved integrity and performance.
  • SIEM Agent 3.0 user-defined journals are converted to 4.0 data stores as part of the upgrade process to 4.0 in order to reduce the amount of configuration required after upgrading.
  • Message Queue events support message field insertion in Extensions.
  • Event monitoring can now optionally be restarted to a specific a date.
Other Fixes
  • The current product name, Powertech SIEM Agent for IBM i, is now used throughout the interface. (The product was previously called Powertech Interact.)
  • The app-name value included in syslog messages has been changed from "Interact" to "SIEM Agent", to reflect the product name (updated in 2018). If you have created rules in your SIEM that use the app-name value as a condition, you will need to update those rules to check for app-name = "SIEM Agent" instead of app-name="Interact".

Back to Top

 

 

Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.
Last Published: 202001200111