Upgrading RSA SecurID Agent

Important Considerations before Upgrading

NOTE: If you wish to install the Remote Authentication Software, please proceed to the section entitled Installing the Remote Authentication Software.

Powertech RSA SecurID Agent for IBM i attempts to delete user profile ACEDTI as part of upgrading to 9.10, as well as all objects owned by ACEDTI, including contents of the @ACEOLD library.
- A backup of the existing @ACE library must be made prior to the upgrade.
- After upgrading, restoring Powertech RSA SecurID Agent for IBM i using the @ACEOLD library will not be possible.
  NOTE: The ACEDTI profile will not be deleted in some cases. This does not interfere with the proper functioning of the SecurID Agent.
Agent for RSA SecurID objects are now owned by one of two User Profiles:
- PTUSER - Standard object owner User Profile with IBM i Special Authority set to *NONE.
- PTADMIN - Administrator level owner User Profile, which includes all available IBM i Special Authority values.
(Previously, all objects were owned by a single User Profile named, ACEDTI.)

IMPORTANT: These profiles are shared with other Powertech products, and consideration must be made before uninstalling SecurID or any of the products that use these profiles. Be sure to discuss any plans to remove Powertech Central Administration, Command Security, SecurID, or other products that make use of these common profiles with HelpSystems Support prior to doing so.
The installation must be in a dedicated mode. Please ensure that all users who are controlled by SecurID have already signed off.
To ensure that you are in a dedicated mode, use the commands:
```
WRKOBJLCK QSYS/@ACE *LIB
```
```
WRKOBJLCK @ACE/MSFT770 *FILE
```
```
WRKOBJLCK @ACE/MSFT094 *FILE
```

No one should be using this library. Also check that the libraries @ACE and other prefixed @ACE* libraries are not in the system library list or in the user library list. Check this by using the WRKSYSVAL command.

If in doubt, you may want to ensure that the machine is in a restricted state before continuing.

If migrating SecurID to IBM i 7.2 or above, please refer to the section entitled "Migrate To i 7.2 (or Above) From Previous IBM i Release ".
Please ensure that the system value QALWOBJRST has a value of *ALL i.e.
```
CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(‘*ALL’)
```
If you are installing SecurID on IBM i 7.2 or above, we recommend that you ensure that the system value QFRCCVNRST is set to two i.e. CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE(‘2’). This ensures that any program conversion is performed when the objects are restored. If you do not change this system value, the system will convert these programs as and when they are used. This may lead to users experiencing longer response times.
The QSECOFR security officer profile is referenced within these instructions for use during the upgrade process. However, a different profile may be used but MUST have all the Special Authorities that are associated with QSECOFR, on your release level of IBM i. Make sure that you have access to the appropriate profile, ideally the QSECOFR security officer profile. Do not attempt to load the software with any other profile that does not have all the required Special Authorities.
Ensure that the software is compatible with your IBM i operating system release level. If the release of your IBM i operating system is below that of the permitted release level, you will have to upgrade your operating system to the correct level. Please consult your system administrator for further details.
Please ensure that your current SecurID system is properly backed up. The libraries to back up are all the @ACE* prefixed libraries. Also, for Agent version 9.7.0 (and later), back up the IFS directory: /var/ace . Complete these backups first before proceeding further.
The installation time may vary between 0.5 hours to 1 hour depending on the size and usage of SecurID.
Please remove all reports (if any) in the @ACE/ACEDTI output queue. The output queue should be empty. If the queue is not empty, the job to remove the previous version of the @ACE library (@ACEOLD) may terminate abnormally.
Also, ensure that there are no outstanding jobs waiting in any of the SecurID job queues. If there are any, you must ensure that they are either processed or deleted accordingly.

Important Consideration for the SecurID Authentication

Upgrading from version 9.6.0 or earlier (Master/Slave processing)

With the enhancement to allow authentication against RSA Authentication Manager 7.2, SecurID some objects are now installed and used within the Integrated File System (IFS).

Whenever SecurID is installed or upgraded on IBM i 7.2 (V7R2M0) (or later) the SecurID related objects are configured to use the IFS for SecurID authentication. The relevant DetectIT objects are located within directory, /var/ace .

For users who are currently using SecurID authentication that makes use of the Master/Slave processing, the existing version of sdconf.rec (@ACE/SDCONF) must be placed within the IFS directory, /var/ace for the SecurID authentication to continue. This can be achieved, AFTER the actual upgrade, using ftp with binary mode transfer.

For example:

Sign on as the product administrator.
ftp < local IBM i >
cd /
bin
namefmt 1
put /qsys.lib/@ace.lib/sdconf.file /var/ace/sdconf.rec

Upgrading from version 9.8.0 or earlier

The following applies if the current version of the SecurID Agent is prior to 9.8.1 and had been used for authentication:

After installing or upgrading to version 9.8.1 (or later), access the Authentication Manager to clear the Node Secret from the IBM i agent.
The Node Secret should also be deleted from the actual IBM i agent.

The above notes also apply if any other product had been used, on the IBM i System to perform SecurID authentication with the same Authentication Manager.

Software Availability

The SecurID download is available via the HelpSystems Community Portal.

Native Software Upgrade Procedure

These instructions are identical to the Installation procedure. See Native Software Install Procedure.

Migrate To IBM i 7.2 (or Above) From Previous IBM i Release

On the Command Entry Screen, type in the following command:
```
CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE(‘0’)
```
This will ensure that no program conversion will be performed on pre-IBM i 7.1 objects as they are restored.
Restore the previous version of SecurID onto the machine.
The libraries to be restored are: @ACE.
Next, on the Command Entry Screen, type in the following command:
```
CHGSYSVAL SYSVAL(QFRCCVNRST) VALUE(‘2’)
```
This will ensure that IBM i 7.2 program conversion will be performed on SecurID objects as they are restored.
Perform the upgrade routine as defined in the section entitled "Upgrading Native Software".

NOTE: This process will install the IBM i 7.2 compatible version of SecurID and (if “Transfer Data” parameter is set to “Y”) automatically copy the data from the previous version.

Removing Install/Upgrade Objects

When you install/upgrade SecurID a couple of installation only libraries are created as follows:

Installation Object Library. The default library is called @APYACE. This library contains objects required to install/upgrade the SecurID software.
Save File Library. The default library is called @ACESAVF. This library contains save files containing the actual SecurID software.

After a successful install/upgrade you can remove these libraries from the system unless you want to load SecurID onto other machines or partitions via your network, instead of using the supplied media. If you wish to install/upgrade SecurID Software on multiple machines or partitions in this way, please proceed to the section entitled “Install/Upgrade Software on Multiple Machines / Partitions”

Copyright Help/Systems LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.