Installing RSA SecurID Agent

Use the following instructions to install Powertech RSA SecurID Agent for IBM i.

For information regarding installation of SecurID Remote Authentication, see Installing SecurID Remote Authentication.

Before You Begin

Read this section before you install Powertech RSA SecurID Agent for IBM i.

Important Considerations Before Installing

  • Please ensure that the system value QALWOBJRST has a value of *ALL i.e. 
    CHGSYSVAL SYSVAL(QALWOBJRST) VALUE('*ALL')
  • If you are installing Agent for RSA SecurID on i 7.2 or above, we recommend that you ensure that the system value QFRCCVNRST is set to two i.e. CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE(‘2’). This ensures that any program conversion is performed when the objects are restored. If you do not change this system value, the system will convert these programs as and when they are used. This may lead to users experiencing longer response times.
  • Agent for RSA SecurID version 9.8.3.2 is only compatible with IBM i 7.2 (V7R2M0) and above.  Please ensure that your system is at the right release level of IBM i before continuing.
  • The QSECOFR security officer profile is referenced within these instructions for use during the installation process.  However, a different profile may be used but MUST have all the Special Authorities that are associated with QSECOFR, on your release level of IBM i.  Make sure that you have access to the appropriate profile, ideally the QSECOFR security officer profile. Do not attempt to load the software with any other profile that does not have all the required Special Authorities.

Software Availability

The Agent for RSA SecurID download is available via the HelpSystems Community Portal.

System Requirements

  • Disk Space: The amount of disk space required to accommodate the software will be approximately 60MB.
  • Data Requirements: The amount of disk space required to accommodate the necessary information is dependent on the number of profiles to have authentication. A journal technique has been introduced as from version 9.8.2, to provide auditing of the configuration details.  Beginning with version 9.8.3.1 additional journal processing has been included for user/job activity relating to ‘Emergency Access’. Therefore, as a rule of thumb, you should ensure that there is a minimum of 100MB of DASD available for the initial installation. It is certainly anticipated that no where near this amount of space will in fact be used, but this will give you sufficient space to start using Agent for RSA SecurID.
  • OS: The minimum level of IBM i operating system software that is required to support Agent for RSA SecurID, is IBM i 7.2 (V7R2M0). Please contact your local supplier if you are concerned whether your version of Agent for RSA SecurID will function correctly with your version of IBM i.
    • In order to prevent multiple Agent for RSA SecurID challenges for a series of DDM (not DRDA) requests from a specific IBM i job, an IBM PTF is required to have been applied. The PTF is available for a number of IBM Release Levels:

      • ACTIVE_JOB_INFO

      Check with your IBM i administrator to make sure your database group PTF levels are up to date. For IBM i 7.2 the database group PTF level should be at least 5.

      GET_JOB_INFO

      IBM i 7.3 SF99703 Level 3 and

      IBM i 7.2 SF99702 Level 14

  • Profiles: There are three profiles required by this software: PTADMIN, PTUSER, and a product administrator profile (to be designated by the security officer) that is a member of the PTSECURID authorization list. For proper functioning of the system, please do not delete these profiles. Should you designate additional product administrator profiles, they must be included in the PTSECURID authorization list. 

    IMPORTANT: These profiles are shared with other Powertech products, and consideration must be made before uninstalling SecurID or any of the products that use these profiles. Be sure to discuss any plans to remove Powertech Central Administration, Command Security, SecurID, or other products that make use of these common profiles with HelpSystems Support prior to doing so.
  • Error Logs: If errors occur which cannot be transmitted to the operator, the system will dump the error to the output queue (QEZDEBUG) on the system on which it has occurred.
  • PASE: Portable Application Solutions Environment, option 33.
NOTE: Installation of SecurID does not change any major system settings.

Installing RSA SecurID Agent

Ensure the following servers are available and running prior to installation:

  • FTP Server
  • Remote Command Server

Do the following to perform the installation or update:

  1. Download the Powertech RSA SecurID Agent for IBM i installer (setupAgentForRSASecurID.exe) to your PC from the Agent for RSA SecurID download page.
  2. On the Choose Components panel, select which components you want to install. You can choose to install the Manuals and the Software for IBM i. Click Next.
  3. If you are installing the Manuals only, the process completes and the installer closes. The Manuals have been installed. You can skip the rest of these steps.
    NOTE: The manuals are installed to the following location:
    C:\Program Files\PowerTech\RSA SecurID Agent for IBM i\manuals

  4. On the IBM i Details panel:

    1. Select or enter the IBM i system.
    2. Enter a user profile and password that is a member of the user class *SECOFR and has at least the following special authorities: *ALLOBJ, *SECADM, *JOBCTL, *IOSYSCFG, and *AUDIT. The user profile should have Limit capabilities set to *NO.
    3. (Optional) In the Advanced Settings section:
      • Enter a port number or use the arrows if you want to change the FTP port number to something other than the default of 21.
      • Select Secure File Transfer if you want to use FTPS (FTP over SSL) during the file transfer. The default FTPS secure port is 990, but it can be changed to the required secure port for your environment.
      • In the Timeout (seconds) field, enter the number of seconds the session should be kept active during an FTP transfer. You can choose anywhere between 25 and 1800 seconds (30 minutes).
        NOTE: If the transfer takes longer than the amount of time specified, the session will expire.

    4. Click Next.

  5. You have two options on the Product Load Options panel:

    1. Click Immediate Load if you’d like to load the product on the IBM i now.

    2. Click Staged Load if you’d like to transfer the objects now and load them on the IBM i at a later time.

      NOTE: See "Loading Staged Objects on the IBM i" (below) for instructions on how to load the staged objects on your selected IBM i system.

  6. The Product Load Progress panel for Powertech RSA SecurID Agent for IBM i launches.

    If the Product Load Progress panel ends with an overall Failed message, the product upload could not complete properly. To find the reason the upload failed, click View Logs and review your logs. You can also use Download at the top of the logs to save the information for future review.

    When the processing is complete, you have two choices:

    • If this is the only installation or update of Powertech RSA SecurID Agent for IBM i that you're doing, click Finish.

    • If you have installs or updates to do on other IBM i systems, click Restart. Then, return to step 4.

Loading Staged Objects on the IBM i

If you chose to stage your objects during step 5b of the installation or update process, do the following to manually load them on the IBM i you identified above.

  1. On the IBM i, execute the following command to display the Work with Loads panel:

    HSLOADMGR/HSWRKLOAD

  2. Enter option 1, Load, next to the Load Name for Powertech RSA SecurID Agent for IBM i and press Enter.

    The installation program installs Powertech RSA SecurID Agent for IBM i, including the required user profiles and libraries (see table below for details).

The installation process displays the job log name, user, and job log number. Use the WRKSPLF command to display the job log for complete information on the Powertech RSA SecurID Agent for IBM i install.

After You Are Done

Congratulations! Powertech Antivirus is now installed. Read the following for additional information regarding port configuration.

Objects Installed on System

Installed on System Description

Product Library

@ACE
User Profiles

PTADMIN, which has special authorities *ALLOBJ, *AUDIT, *IOSYSCFG, *JOBCTL, *SAVSYS, *SECADM, *SERVICE, and *SPLCTL

PTUSER, which has no special authorities
Authorization List PTSECURID - for product administrators

Subsystem

ACEDTI

Job Queue Entries

@ACE/ACEDTI01 & @ACE/ACEDTI02 added to ACEDTI

Removing Install / Upgrade Objects

When you install/upgrade, a couple of installation only libraries are created as follows:

  • Install/Upgrade Object Library. The default library is called @APYACE. This library contains objects required to install/upgrade the SecurID software.
  • Save File Library. The default library is called @ACESAVF. This library contains save files containing the actual SecurID software.

After a successful install/upgrade you can remove these libraries from the system unless you want to load SecurID onto other machines or partitions via your network, instead of using the supplied media. If you wish to install/upgrade this Software on multiple machines or partitions in this way, please proceed to the section entitled “Install/Upgrade Software on Multiple Machines / Partitions”.

Remote Authentication Software

If you now wish to install the Remote Authentication Software, please proceed to Installing SecurID Remote Authentication.

Contacting Us

For additional resources, or to contact Technical Support, visit the HelpSystems Community Portal at https://community.helpsystems.com.

Previous Next