Master Menu
The following is an overview of the options available on the Master Menu.
How to Get There
After the agent software has been installed, log in to the IBM i system using the command WRKSECURID. See the Installing SecurID Remote Authentication section in the Powertech RSA SecurID Agent for IBM i Installation Guide on the Fortra Support Portal and Getting Started.
Options
Option 1. Powertech RSA SecurID Agent Maintenance
Select this option to maintain a network connection and/or to activate / deactivate profiles for SecurID authentication. See Powertech SecurID Agent Maintenance.
Option 2. Create SecurID Agent profile
This option creates a new IBM i profile and activates SecurID authentication. The option runs SecurID command, CRTAGTPRF. Once the profile name and template have been Entered the IBM command, CRTUSRPRF is prompted.
Option 3. Display client configuration
This option provides access to configuration details for the following types of RSA SecurID authentication processing:
-
RSA SecurID configuration using sdconf.rec
-
RSA SecurID RestApi
The original, sdconf.rec processing is for IPv4 networks only. With the RSA SecurID RestApi processing SecurID authentication can be performed over IPv4 and IPv6 networks.
The first screen shows the SecurID configuration details currently stored on the IBM i agent, within sdconf.rec. These details can be obtained by executing CLNTCHK command from the command line..
After the copy, the name of the resulting file is composed as follows:
psi + <Job number> + .rec
For example, if the CLNTCHK command is run via a job with number 123456, the resulting file will be /tmp/psi123456.rec.
In order for this processing to function successfully for all user profiles, the public (UNIX 'world') authority on the /tmp directory is set to allow at least read access ('r--' ).
Pressing Enter opens the "Work With Client RestAPI Configuration" display.
This latter function allows the IBM i SecurID administrator maintain the required details for authentication via the SecurID RestApi. The IBM i administrator has some freedom and flexibility over the RSA Authentication Manager(s) to use. However, the administrator must first obtain the details for the relevant RSA Authentication Manager(s). The appropriate RSA SecurID administrator(s) will be able to access and provide the required details.
The IBM i administrator has the ability to determine the following in relation to the local IBM i system:
-
The sequence in which the Authentication Managers are to be accessed.
-
Whether an Authentication Manager is considered active or inactive.
This is different to the original sdconf.rec processing where the administrator for each RSA SecurID Authentication Manager would generate the file. Thereby they would determine the RSA Authentication Manager(s) that are to be used.
Option 4. Activate/de-activate remote authentication
Select this option to configure the controlling parameters for PCS validity checking, for example, activate SecurID for FTP requests. This is also used to activate command activity checking to prevent users from changing their initial program and/or library to bypass the RSA SecurID authentication. See Activate/De-activate PCS Validation screen.
Option 5. Change your password
Select this option to change the password for the current IBM i profile. This is the standard IBM i change password command. It has been included on the SecurID Administrator menu to provide easy access. It runs the IBM i, CHGPWD command.
Option 6. Maintain SecurID Agent lib. position
The function of this routine is to allow the SecurID security officer to determine the position of the @ACE library. Depending on your environment, it may at times be necessary to determine whether you should place the agent library in the user library list or in the system library list. The user can change the user library list in the user list, whilst the system list cannot be amended.
The following entries are valid:
- *SYSLIBLThe agent library will be added to the system library list of the user.
- *USRLIBL The agent library will be added to the user library list.
- *NONE No library will be added. Libraries will be added using the normal command.
WARNING: *NONE may cause abnormal functioning of SecurID.
Option 7. Display SecurID Agent release
Select this option to display the software release that is currently installed on this system.
Option 8. Work with TCP/IP port connections
Select this option to work with the TCP/IP port numbers that are to be used for communication between IBM i and a machine operating under a different platform.
The product named "SECURID" must be configured to ensure SecurID authentication will work when authenticating using "replicas".
Option 9. Work with TCP/IP address by profile
This function allows you to work with TCP/IP addresses associated with IBM i profiles. These TCP/IP addresses will be used by SecurID to perform SecurID authentication for a user accessing the IBM i via the TCP Signon Server or Telnet Server.
Option 10. Work with client application availability
This function allows you to work with the Available Client Applications. Although the applications may be defined to the system, the exit point processing will not validate any of those applications until they are registered for use within this “work with” program.
Option 20. Audit Configuration and Reporting Menu
Select this option to configure auditing and/or report activity collected by the auditing. See Audit Configuration and Reporting Menu.
Option 40. Start SecurID Agent Subsystem (ACEDTI)
This option is used to start the SecurID subsystem, ACEDTI. The subsystem can also be started using command, STRACEDTI.
Option 50. End SecurID Agent Subsystem (ACEDTI)
This option is used to end the SecurID subsystem, ACEDTI. Alternatively, the ENDACEDTI command can be run from the command line.
Option 60. Command entry screen
Select this option to access the IBM i Command Entry screen.
Option 70. License Setup
The objective of this option is to allow the administrator to enter and/or review the details for existing license codes related to this software. An active license is required for the SecurID authentication to be performed.
Option 90. Signoff
Select this option to end the job that you started on the display station when you signed on.