Release notes are also available for Network Security for Insite.
November 15, 2022
Added an Analytics tool with features that increase the user's ability to perform triage and forensic activities while implementing the organization's security strategy. All the following features allow immediate access to transaction data and visibility to which rule matched each transaction:
Exit points will write Captured Transaction data directly to a DB2 table, eliminating the need for the Captured Transaction journal.
The summarization job will monitor incoming transactions and summarize based on the user-customizable Summarization Strategy.
The Summarization Strategy component allows you to configure how much total MB data to retain, and time limits for how long to keep individual transaction records (Detail) before rolling them up into summarized Hourly, Daily, and Monthly transaction records for each unique combination of Server/Function/User.
Analytics screens allow traversing the data from the top summary levels and drilling down into the details.
Users can pre-configure display filters, create new filters, use more detailed selection and sorting criteria, and maintain user views for future sessions.
Added the following screens:
Configurable Filters Maintenance, which includes: filters that allow the user to quickly pare down large amounts of Captured Transactions by specifying a field and a value or range of values; filters that can be combined to further refine how much data is returned and aid in finding a particular transaction; a few helpful filters shipped with the product; and allowing the user to create and name additional filters that can be quickly retrieved for use when viewing Captured Transactions.
Saved Views, which allows the user to quickly save and name a "snapshot" of how the Work with Captured Transaction screen is currently configured using filters and sort sequences. These Saved Views can then be quickly retrieved for reuse and serve as a starting point to build upon or eliminate the need to reconfigure a frequently used setup.
Sort Sequence Selection and Maintenance in the Analytics feature, where the user can define ascending and descending sort sequences based on one or more Captured Transactions’ record fields.
Captured Transactions—Work with Summarized Transactions, as part of the Analytics feature, which summarizes all Captured Transactions down into one record for each combination of the same Server/Function/Action (Allow or Reject); shows a count of how many associated transactions there are; and allows the user to drill down to their desired detail level.
Using Central Administration and Exit Point Manager on a managing system, users can now view and maintain Filters, Saved Views, and Summarization Strategy on any connected endpoint. Users cannot view Captured Transaction data on connected endpoints.
Journaled the following files to PTNSLIB07/PWRJRN: PNSCSD, PNSCSM, PNSCSQ, PNSCTF, PNSFLD, PNSUPD, and PNSUPF.
Improved the following screens’ appearance and/or usability:
Add/Change Rules (User and Location) for the Global Rules Facility.
Add Object List Entry’s Type field: added assistive text.
Configuration Menu: removed the blank row between options 1 and 2 and shortened the menu option names.
Main Menu: added an Active Analytics feature, which contains all the new tools for working with Captured Transactions.
Modern and Legacy Reports Menus: shortened long names, regrouped or repositioned items, and renumbered items sequentially.
Security Menu: shortened long names, regrouped or repositioned items, renumbered items sequentially, and added context-sensitive help.
Security by Server and Security by User: standardized field names' spelling.
Socket Rule’s fields: standardized field names’ spelling and added assistive text.
Valid Authorities’ selection: added descriptions.
Work with Captured Transactions:
Shows more detail without opening each transaction record. See when each transaction occurred, whether the transaction was allowed or rejected, and press a function key to see the transaction's request data and which rule was matched.
Grouped transactions into configurable "time ranges." Detail transactions are a single record. Identical Hourly, Daily, and Monthly transactions are summarized into one record.
Work with Location/User Pre-filters’ function keys: all keys appear without having to press "F24=More keys."
Removed an extra menu layer between selecting the Test Socket Rules menu option and displaying the PNSTSTQSO command.
Updated Help text in all applicable screens.
Added the ability to create user rules, location rules, or pre-filter rules directly from the Captured Transactions screen.
Eliminated the message id PLK9000 "Server does not supply transaction data for the function" in the Captured Transaction's Request field, if there was no request data supplied by the exit point. This removal minimizes processing and conserves disk space.
Modified upgrade/conversion code to retain existing Captured Transaction data and migrate it into the new database storage scheme.
Updated compatibility with Insite to properly display Captured Transactions using configurable levels of summarization.
Updated the DLTCPTTRN command to include the new Summary Level field (Detail, Hourly, Daily, Monthly) parameters.
Changed "OS400," "iSeries," and "IBMi" text on screens, help text, and reports to “IBM i.”
Updated *OS400 and *MEMOS400 authority text to *ALLOW and *MEMALLOW on all screens and reports, and on the following Rule commands: CHGLOCRUL, CHGOBJRUL, CHGUSRRUL, CRTLOCRUL, CRTOBJRUL, CRTUSRRUL, and DLTOBJRUL.
Modified the PNSSTRMON and PNSENDMON commands to start and end all three monitor jobs (PNSEVTMON; PTNSGMSTR; and SUMCAPTRAN) in the PTWRKMGT subsystem. Previously, PNSTRMON and PNSENDMON were used to start and stop only the PNSEVTMON job.
Insite will now show the proper Authority value for IBM i systems. The Authority value for version 8.0 and above is *ALLOW, and for version 7.99 and below is *OS400.
Fixed issue that could cause incorrect or incomplete feedback when either the CHGUSRRUL or CHGLOCRUL commands were executed.
Fixed an Insite issue in Product Configuration where it displayed an intermittent, incorrect server status as active or inactive. Fixed a similar IBM i issue in Server Properties, where the Enforce Server Rules’ field value was not always correct.
Fixed issue where the Modern Reports Menu was not defaulting to appear after product installation.
Fixed issue that could cause improperly entered IP address range values for IP Address Groups not to match transactions to Location Rules.
Fixed intermittent issue that could cause rules for an endpoint to show up on the Manager when it had not been selected.
Fixed issue with Object Rules and MEMOBJ authority that could cause an LNS0703 error when matched with a transaction containing a large SQL statement.
Fixed issue where Location Rules were not working with the *TFTP exit point processing.
Fixed issue caused by adding Server Function data via the LWRKGENSRV command.
Fixed issue where the user didn’t receive immediate feedback when using the PNSLOGEXT command to send output to an *OUTFILE and entering an invalid library name.
Fixed issue where running modern reports with PNSLOGEXT caused error MCH3601 if the journal receiver containing the data it needs is no longer available on the system.
Fixed issue where creating a report using the PNSLOGEXT command and saving it to the IFS caused an error.
Fixed issue where Object type descriptions were truncated on the Select Object Type screen (NSOBJUT).
Fixed issue where the Location Group Report did not show any IP Address groupings.
Fixed issue where an invalid *ALL value was allowed in the User Rules screen's User field.
Fixed isolated issue for one type of *RMTSRV captured transaction that could cause a user's password to be visible.
Fixed issue where the cursor was not placed in the correct position when returning from creating a new Location Group entry.
Fixed issue with Object List entry validation where allowing an invalid asterisk for "File type" could cause an attached rule to not be processed.
Fixed issue that sometimes caused one user record to not be displayed when the User Group list was being subset.
Fixed issue where the user was unable to disable Exit Point Manager jobs from Central Administration.
Removed the "Journal receiver delete handling" and "Change last captured date/time" parameters from the LCHGCAPSUM command, leaving only the "Delay time" parameter.
Restored missing commands for maintaining NS User Groups (ADDNSUGRPM, CHGNSUGRP, and CRTNSUGRP).
Removed the Start Here link from the installer.
June 8, 2021
- *HIDEZEROSUM is now the default behavior for the PNSLOGEXT command when *SHOWZEROSUM is not specified.
- The ability to synchronize the Exit Program Manager library system ID has been added to accommodate copying Exit Point Manager libraries across systems.
- An issue that caused error RNQ0202 when accessing User Rules immediately after activation has been resolved.
- Options previously displayed erroneously in the Authority prompt of the Capture Memorized Transaction panel have been removed.
- Interactive activation that includes the *FILESRV exit point no longer fails to refresh QZLSFILE jobs.
- An issue that could cause all Object Rule Lists to become inactive for a user when deactivating a single rule has been resolved.
- An issue that could cause error MCH3601 in PNSLOGEXT reports when using *PRIORDAY, *PRIORWEEK, or *PRIORMONTH has been resolved.
- Missing informational text in the Create Pre-Filter panel has been restored.
- Missing informational text in the Change Server Function Rule panel has been restored.
- An issue that caused the Secure Screen monitor PTWRKMGT/PSSMON to return message "Not authorized to user profile" has been resolved.
- Misaligned colons on the Change Server Function Rule screen have been corrected.
- Missing commands for maintaining NS User Groups (ADDNSUGRPM, CHGNSUGRP, and CRTNSUGRP) have been restored.
- An issue that caused missing journal entries in *TFRFCL exit point program LNSR108R has been resolved.
- An issue that could cause error VLD4003 'User not found' during a Global Rule Facility change with an Exit Point Manager User Group has been resolved.
February 1, 2021
- A new function key, F23=Delete, has been added to the Work with Captured Transactions screen. This can be used to delete all selected Captured Transactions, even those records on pages before or after the page currently visible. If selection has been subsetted (F16), function key F23 will delete only transactions included in the sub-selection.
- Multiple Captured Transactions can now be deleted from the database using the new DLTCPTTRN command.
- Colors previously used to indicate Object Rule status have been removed in favor of an Active status column.
- Usability of the Work with IP Address Groups screen has been improved.
- The software has been enhanced to provide a more flexible purging process for unwanted Captured Transactions.
- An issue that could cause User Authority rules for *SIGNON to erroneously show rules for *FTPSIGNON in a specific case has been resolved.
- An issue interfering with the *SWITCH function when working with Object Rules has been corrected.
- Missing field-level help on the Work with System Values screen has been added.
- An issue causing the incorrect display of error messages in the Work with Object List screen has been corrected.
- The message that appears when failing to delete an Object List because it is in use has been clarified.
- An issue causing Object List commands to fail when Powertech Central Administration is not in the library list has been corrected.
- An issue causing a failure to update the global rules has been corrected (F2=Global Rules Facility on the Work with Security by User screen or Work with Security by Location screen).
- The Change Server Function Rule screen now includes additional on-screen guidance to indicate the fields that can be prompted, and what options are available for fields that cannot be prompted.
- Usability updates and corrections to default values have been made to the Work with Socket Rules screen.
- Cursor positioning errors in the Work with Object Rules by User screen and Work with Object Rules by Location screen have been corrected.
- The F6 function key in the Work with Loc+User Pre-Filters screen is now labeled "Create" (instead of "Add") for consistency.
- The F12 key, to return to the previous screen, is now consistently available on all screens.
- The keystroke used to create or add a rule (F6) is now consistent across all IBM i screens in the product.
- Failure to position the list on the Select Object Type screen has been corrected.
- A problem causing the case sensitive option to be inactive when subsetting Captured Transactions has been corrected.
- An issue that caused Object List messages to omit the name of the Object List in some cases has been corrected.
- An error displaying the correct help text on the Work with Exit Point Manager System Values screen has been corrected.
- Validation and message inconsistencies in the Work with Exit Point Manager System Values screen have been corrected.
- On the Configuration Menu, "Work with System Values" has been renamed "Work with Exit Point Manager System Values" to more clearly indicate the menu controls product values and not IBM i system values.
- An issue that, in some cases, caused the cursor to return to an incorrect position after choosing F4 to prompt a field has been corrected.
- F1 help text for the Object List Library Entry field is no longer inconsistent (depending on when F1 is pressed).
- Nonstandard options (such as "FN", "UA", and "LA") on the Work with Security by Server screen have been replaced with standard numerical options. (Legacy options will continue to function.)
- An issue causing the error message "Authority MEMOBJ Is not allowed for the SERVER server" to appear for QSO servers when updating the Change Server Function Rule screen has been corrected.
- The Create Rule screen now includes additional on-screen guidance to indicate the fields that can be prompted, and what options are available for fields that cannot be prompted.
- Servers are no longer restarted unnecessarily during activation in interactive sessions. Only servers with a value other than *NONE for Pending Change will be restarted.
- Language for the F6 option (to create a Rule) on the Work with Pre-Filters screen has been corrected.
- An issue that cause Object List transactions to be incorrectly included in reports has been resolved.
- An issue causing the incorrect display of error messages in the Create User Group screen has been corrected.
September 9, 2020
- The amount of I/O that is performed by Exit Point Manager when it processes transactions has been optimized, resulting in a performance boost across all servers.
- The frequency (interval) of warning messages that are sent when server rules are not being enforced can now be configured.
- Incorrect authority selection is no longer allowed for Memorized Transactions.
- Recursive panel navigation issues causing exception RNX8888 have been resolved.
- Cases of unexpected behavior when using F9 to retrieve the previous command have been resolved.
- Cases of incorrect reporting of errors (including "MCH0603 â€“ Array element outside bounds â€“ LNSR108PS SQL") have been resolved.
- Modern reports now include server data from *FTPCLIENT.
- The LCOPYRIGHT command has been corrected to display the license agreement instead of a blank screen.
- An issue preventing Supplemental Exit Programs from being called has been resolved.
- An issue causing Generic and Wildcard characters to return unexpected results has been resolved.
- An issue causing inconsistent rule data in modern reports has been resolved.
- Elements were added to make the Location+User Pre-filters panel consistent with other displays.
- An SQL0501 exception when sorting in the Location+User Pre-filter panel has been resolved.
- Prompting of the Function field in the Location+User Pre-filter sort panel is now possible.
- An issue preventing some user profiles from being retrieved when prompted has been resolved.
- Screen elements were added to Server-level Prefilters for panel consistency.
- SQL delete statements not having a FROM clause no longer circumvent the Exit Point Manager object rules.
- The list of valid authorities when changing a user rule and prompting the Authority field is no longer missing *MEMOBJ.
- Exit Point Manager no longer fails to validate the Users Group membership when using OS400 group profiles with MEMOBJ (both Memorized and Object rules).
- Message LNS3506 second level data text is now readable.
- Subsetting now functions properly when the filter value starts with an asterisk.
- PNSLOGEXT no longer omits some *FTPCLIENT function rejections.
- Obsolete program objects from previous versions that are no longer required are now removed from the system.
- Work with Server Pre-filter help text has been updated for consistent formatting.
- Corrections have been made to the help text for the Work with Captured Transactions panel (PNS4810) and Work with Memorized Transactions panel (PNS4910).
- When the *SHOWRULE parameter is used, an informational message now appears in the report that indicates the current rule may not have been in place at the time of the transaction.
- The published system requirements now include recommended IBM PTFs for QIBM_QSO_ACCEPT performance.
- The Work with Security by Location help text was updated to add two missing authorities, *USER and *MEMUSR.
- Missing help content for the Authority field (*USER) on Location Rules has been added.
- An issue causing the error: "The call to SORTSUBSET ended in error (C G D F)" while subsetting object rules by Location has been resolved.
- An error in the help text for the LPWRRPT command has been resolved.
- Help content has been updated to reflect the addition of the new Warning Message Interval for Server Rules not being enforced.
- The help content that describes the process of profile switching has been improved.
April 16, 2020
- A problem causing incorrect hex-encoded SQL transaction data in reports has been resolved.
- PTNSLOGEXT no longer omits *FTPSIGNON activity when the Include User Profile (USR) parameter is used.
- A problem causing some reports to omit column headings from stream-file output has been resolved.
- Errors in the help text for the PNSLOGEXT command have been corrected.
- A problem that caused the PNSLOGEXT command to fail when processing failed journal entries has been resolved.
- An issue that could cause missing QSOCONNECT transactions on reports has been corrected.
- A problem causing functions to display as numeric values instead of text has been resolved.
- A new IP Address Groups report is now available, which lists the IP Address Groups that have been configured. The report can be accessed using either the Reports menu or the SBMIPGREP command. The output can also be directed to a CSV-formatted stream file.
- The new "Security by Server Report" report now lists the Server and Function Properties that have been configured. It is accessible using the Reports menu or SBMSVFREP command. The output can also be directed to a CSV-formatted stream file.
- Socket exit point processing programs were changed to support thread-safety. They can now run concurrently on multiple threads in a job.
- The number of transaction-level licensing messages have been reduced to minimize the impact to job logs.
- Access to Central Administration Alerts is now available from all Exit Point Manager menus via function key F21.
- A new command Extract Audited Transactions (PNSLOGEXT) has been added, which:
- Performs most of the same functions as the Powertech Audit Report command (LPWRRPT) command.
- Offers several selection criteria including user, location, server, function, job, and date/time, which can all be used simultaneously.
- Can output to an output database file, a CSV-formatted stream file, or print to a spooled file.
- Accesses data and performs work only if it is necessary to extract the transactions according to the data selections specified. No unnecessary temporary tables or workspaces are created.
- Supports omitting zero-count summary totals at the end of the printed report.
- Exit Point Manager no longer creates History entries within Central Administration when updating the internal independent ASP information tables. Existing entries, which should not have been created, are removed from the History.
- A defect that prevented Memorized Transactions from being acknowledged correctly in release 7.20 and greater has been corrected.
- A defect causing a failure to display the Work with Memorized Transactions panel, and also the error Message ID RNQ0202 "The call to PSF_SFLLOA ended in error," has been fixed.
- An internal date associated with Memorized Transactions is now populated appropriately when a Transaction is created or changed.
Central Administration Fixes
- Error Message ID RNQ0202 “The call to aeelSort ended in error” when attempting to F4=Prompt on panel PPL3372 has been corrected.
- Changes have been made within the PPLIMPCSV command's processing to ensure it works as documented for parameter TYPE(*ALLOWANCE) as well as its outputted report's accuracy.
- A new Pre-filters report lists the configured Pre-filters. The report can be run from the Reports Menu or by using the SBMPREREP command.
- An extraneous RNX0100 error message no longer appears within the PNSEVTMON monitor job's job log when a Memorized Transaction is removed via Insite.
- Submit report commands can now be run by users without All Object authority, including:
- SBMNSGREP - Authorities by user profile report
- SBMPREREP - Print Prefilters
- SBMSCKREP - Socket rules report
- The product has been renamed Powertech Exit Point Manager for IBM i. The new name is used throughout the software and accompanying documentation. (Prior to version 7.22, the product was called "Network Security.")
- Two new commands allow you to "lock" (LCKDSP) and "unlock" (UNLDSP) an interactive display session. While the interactive display is locked, a screen saver is displayed and the workstation user must enter their password to unlock the display or unlock it from another authorized job.
- A new command DLTNSUGRP has been developed to allow programmatic deletion of User Groups and, optionally, their members.
- Performance of processing transactions through exit points has been improved.
- A minor error has been corrected that allows the F9=Retrieve, F16=System Main Menu, and F22=Status function keys to function properly on the Reports Menu.
- The User Rules Listing and Location Rules Listing reports now indicate whether the Memorized Transactions listed are generic or not.
- Network Security now supports Rules (User, Location, Memorized, and Object Lists) for objects residing in an iASP.
- An issue subsetting the 'Transaction' field by value using F16=Sort/Subset in the Work with Memorized Transactions screen has been corrected.
- Network Security has been repaired so that the software only changes Aut settings on existing User or Location rules when the first active Memorized Transaction becomes available for a server/function/user/location, or when the last active Memorized Transaction is deleted or inactivated, and never in the interim.
- SecureScreen filter rules can now be created for any subsystem description in any library on the system. The subsystem description does not need to exist when the filter rule is created.
- Authority failures are no longer generated to QAUDJRN when Memorized Transactions are processed for the FTP server.
- Help text has been updated to include a description of the *MEMOBJ Authority value.
- A Socket Exit Point-related stability issue has been resolved.
- When converting to Version 7 from a prior version, the correct release information now appears when the conversion completes successfully.
- The help text for “Create Socket Rule Condition” and “Change Socket Rule Condition” has been changed to list only valid values for the Connector field.
- A change was made within the removal of a system that eliminates an MCH3601 error from appearing in Network Security’s PNSEVTMON job log.
- A change was made within the installation of Central Administration to accommodate user profile objects whose object text cannot convert to Unicode.
- A change was made within the “Work with Directory Queries” panel PPL2920 to ensure all validation errors are displayed appropriately. Additionally, a F4=Prompt has been added for the External Server field.
- Authority failures to NSEPUP have been fixed.
- A problem causing failure to update dashboard counters has been fixed.
- Authority failures when LNSR108xx calls API QP0ZRIPC have been fixed.
- Typos in the "Work with Object List Entries" screen have been corrected.
- F17 (Top) and F18 (Bottom) keys in the Captured Transactions screen now function properly.
- Subset and Sort functions in Captured Transactions and Memorize Transactions have been fixed.
- Pointer errors no longer occur when socket exit points are set to not enforce rules.
- A problem causing IP address validation to not allow the number 5 has been resolved.
- Print Object List now includes just the selected list, and not all Object Rules.
- Installation now supports user profiles with blank location values.
- The History Subset and Sort Panel (PPL3372) no longer signals error CPF24B3 “Message type PPL3372 not valid” when F4=Prompt is attempted for a field that does not support prompting.
- The Set Monitor Status (PPLMONSTS) command now functions properly when attempting to set the status for the Monitor value of *PROFILE.
- The 'List Template Profile Settings' API (PPL6125) now correctly outputs Template Profile Settings that exist for an Allowed System to the inputted user space.
- A problem within system removal that was causing existing audits to be unremovable has been resolved.
- A problem preventing newly included systems from being recognized as an Allowed System for existing Templates has been resolved.
- Installation now accommodates objects that have object text defined at the maximum length of 50.
- Inability to call the supplemental exit point after changing a rule to *REJECT, then back to *OS400, has been resolved.
- A problem causing certain memorized transactions to be rejected when they should be allowed has been resolved.
- RNX0100 errors in LNSR108xxx after loading Network Security have been resolved.
- A timing error on cache causing "CPF9802, Not authorized to object PS17144 in PTNSLIB07 type *USRIDX" during the product update procedure has been addressed.
- The User Group Subset function has been repaired so that the last user is no longer missing in some cases.
- A problem causing activation of socket exit points to interfere with Robot Schedule Enterprise has been resolved.
- A problem causing Object Rules to be unable to process the *DELETE operation has been resolved.
- Prompt program PNS4002 no longer displays "More" when it should display "Bottom".
- Secure Screen Monitors have been fixed.
- Access control for Sockets-related exit points has been added.
NOTE: Insite Users: If you intend to use the HelpSystems Insite Web UI along with Network Security, go to HelpSystems Insite Downloads and follow the accompanying Insite installation instructions. Insite version 1.15 is required in order to use Network Security 7.15's socket-related features.
- Socket Rules and Conditions can be configured to accept or reject socket transactions for the QSOLISTEN, QSOCONNECT, and QSOACCEPT servers.
- Multiple Socket Rule Conditions are evaluated according to a preferred sequence.
- Socket Rules can be tested to ensure correct behavior on the system before they are activated.
- Reports have been enhanced to support reporting of socket activity.
- For more information, see Socket Rules (green screen) and Socket Rules (Insite web UI).
Accompanying Central Administration Updates
- Auditing strategies have been added to support auditing of Socket Rules.
- Better handling of damaged objects. A change was made so objects that are known to occasionally become damaged (User Index; Data Queue) are better handled. Where possible the product has been changed so that it self corrects these situations.
- Error RNX0100 when running Event Reports has been resolved.
- Exit point programs no longer change the job’s library list to include the Central Administration and Network Security libraries without removing them. (This was particularly an issue with FTP, since FTP can be done in an interactive job leaving the library list changed until sign off.)
- Secure Screen:
- A problem causing Secure Screen Monitor to fail with MCH3401 has been resolved.
- Inability to Edit/Copy/Display in the Secure Screen Filter has been resolved. (Previously, a screen defect was causing options 2 (Edit), 3 (Copy), and 5 (Display) to always bring up the last item in the list instead of the selected one.)
- Error "Object (sbsd) in library *LIBL not found" has been resolved. (Previously, when adding a secure screen filter, if you prompted for an *SBSD entry and selected one not in your job’s library list (PTWRKMGT for example), the entry would not be added with the following error displayed: "Object PTWRKMGT in library *LIBL not found".)
Accompanying Central Administration Updates
- Better handling of damaged objects. Objects that are known to occasionally become damaged (User Index; Data Queue) are better-handled. Where possible, the product has been changed so that it self-corrects in these situations.
- The Central Administration product library (PTPLLIB) is permanently placed in a job’s library list when a profile is created, changed, or deleted. A job’s library list is now returned to its original state after Central Administration processes a user profile function that was processed by the product’s exit point programs.
- A problem causing inactivity of the monitor job (without visible errors) has been resolved. The PPLCMNSVR monitor job had a built-in feature that was acknowledging the QSTGLOWLMT system value. That feature was added to better handle an Operating System defect that existed in some base Operating System releases. The PTF that addresses this defect is now included in all base Operating System releases negating the need for this built-in feature, which has been removed.
- Event processing and integrity improvements.
- Entering the History Browser no longer results in Message ID CPF2419 and/or CTL0001 in the job log. The CPF2419 message typically appeared when an end point system running Network Security existed in a different library than that of the Management System (i.e. manager using PTNSLIB and end point using PTNSLIB07).
- A problem causing the PPLCMNMON monitor job to remain inactive (with log ID T410012) has been resolved. The PPLCMNMON monitor job was unable to start due to the /tmp directory being so large that the Unix stat function failed with error “Object is too large to process.” The stat function has been replaced with stat64, which is specifically designed to handle larger objects.
- A change has been made within the event monitor processing pertaining to captured transactions in order to improve this job’s overall performance.
- The installation process has improved support for systems with a large number of locks at the time of install.
- PIV0013 error "Object is in use" for LNSUSA02 and LUSER01 during installation has been resolved.
- When creating a new Object List Rule, if a User or Location Rule already exists, a message is now sent and the Object List Rule is set to Inactive.
- Performance enhancement: Network Security now attempts job interrupts in a more efficient manner.
- A merge issue impacting installation was resolved.
- A merge issue impacting installation was resolved.
- Easily define and manage groups of network users. A collection of user profiles can now be quickly and easily managed from directly within Network Security.
- A new type of User Rule has been added. Network Security's new User Groups are containers for groups of user profiles that can be used in place of user profile names when defining a User Rule.
- Ranked sequence. User Groups are assigned a sequence number that determines the order they are used in the exit programs. For example, if there are three User Rules with NS User Groups for a specific Server/Function, and all three have USER1 as a member, the rule with the lowest sequence number will be used. (Of course, a User Rule assigned specifically to USER1 for the Server/Function would have priority.)
- Green screen and web browser support. User Groups can be easily defined and applied to User Rules in the green screen or Insite Web UI.
- Simplified Green Screen Interface. The green screen interface has been simplified. Previously, management of User Rules was handled on one of three different panels, depending on how the User Rule was invoked. These panels have been consolidated into a single "Work with Security by User" panel. Similarly, all Location Rules are now managed with the "Work with Security by Location" panel. For details, see Appendix M: Interface Changes in Network Security 7.08 in the Network Security Administrator's Guide.
- Bug Fixes and Usability Improvements.
- FTP/REXEC sign-on no longer causes the exit program to fail with an MCH3601 (pointer not set) error.
- A program that is called to check whether SUMCAPTRAN can be started has been fixed.
- When a transaction is rejected due to a prefilter rule, the reject message is now correctly sent to QSYSOPR.
- Transactions with leading spaces can now be memorized.
- Problems capturing transactions for the *DDM server have been fixed.
- Disabling Silent Activation no longer fails for ten-character program names.
- Reports can now be run for user profiles that start with @, #, or $ characters.
- Failed audits (whose status remains stuck as "Processing") have been resolved.
- *RMTSRV RMTCMD text for Captured Transactions has been fixed.
- A stuck semaphore has been detected and fixed (copy to QGPL).
- Stuck semaphores causing the Dashboard counters to stop counting has been fixed.
- Network Security is now delivered with new deployment functionality, including the ability to stage the product installation.
- The job queue library on the PTNSGMSTR job description now appropriately lists PTNSLIB07 when PTNSLIB07 is the product library.
- Long Distributed Program Calls no longer cause the error RNX0100, causing exit program PTNSLIB/LNSR108P to end abnormally.
- Network Security 7 now always installs into library PTNSLIB07.
- Inability to change the 'Rules Enforced' flag (as of Network Security 7.04) has been resolved.
- HelpSystems Insite Web Browser Interface support has been added. See HelpSystems Insite and Network Security for Insite for details.
- Failure to run reports when the 'SystemID' contains a single quote has been resolved.
- An RNX1211 error when attempting to run a Showcase Exit Point has been resolved.
- Network Security no longer causes an Authority Failure (AF) audit journal entry during Silent Activation.
- The MCH3601 (Pointer not set for location referenced) error no longer occurs when attempting to prompt for an IFS.
- The Reports/Display IFS file function no longer requires the user’s home directory to be root (/).
- Remote commands run via Visual Basic using the 'IBM i Access for Windows ActiveX Object Library' are now being converted to EBCDIC correctly.
- A command parameter error no longer appears when trying to run reports.
- Audit Reports no longer fail on transactions greater than 9,999 chars.
- *FTPCLIENT no longer creates blank journal entries.
- Errors MCH3401, CPF5009, and CPF5034 while upgrading from Network Security 6.xx to 7.xx have been resolved.
- The History Browser now supports subsetting by subject name.
- Auditing for IP Address Groups is now available.
- High I/O counts have been reduced for all LNSR108xx programs.
- For Object Rule checking, the possibility of looping when parsing an SQL statement has been eliminated.
- Pre-Filters now display for low authority users.
- Network Security exit programs now always honor Object Rules.
- All servers now display Location Rules.
- The screen no longer fills with the same *ALL Location Rule when using LA against a server with more than one location rule.
- Network Security Reports now include Transaction Data.
Central Administration: During uninstallation, the Profile Change Trap is now unregistered from the profile exit points.
- Network Security 7 includes the integration of PowerTech Central Administration, which allows you to manage systems across your network from a central server, benefit from Central Administration’s security features, and copy Rules and other configuration settings across systems. The following updates are included with Network Security 7:
- System Accessibility. Easily switch to any managed system in order to manage Network Security’s configuration, or use other Network Security features, on that system. Switching systems is a feature of both the green screen and Web UI.
- Convenient Dashboards. Dashboard transaction counts and statistics can now be quickly accessed for any managed system.
- Central Administration’s Security Tools. All managed systems benefit from Central Administration features, including:
- Auditing: To verify the integrity of Network Security throughout your network, and ensure adherence to your organization’s security policy, users can run audits to identify and manage Rules (and other Network Security settings) that have been changed on Endpoints directly. Any discrepancy can be resolved easily with a Remedy, accepting the configuration of either the Endpoint or Management System.
- History Browser: The History Browser displays a list of all events that have occurred on any system that is managed through Central Administration. Any action performed through Central Administration or one of the PowerTech products that work with Central Administration is recorded in the history, including Rule changes, security changes, system inclusions, network configuration changes, and so on.
- Role-based Security: Central Administration Product Security allows you to perform product security functions, such as working with Roles. A Role is a collection of access rights that define a PowerTech user’s authority over the managed systems.
- Copy Rules to Managed Systems (Web UI). Once you have configured Rules on the Management System, you can copy them to other Endpoints in order to quickly propagate your security policy across your network.
- Issues related to PTWRKMGTOW/PTWRKMGT have been fixed.
- SQL errors in MRGPRVNS have been fixed.
- The authority check for exit point activation is now using the Current User on the job (instead of the Job User).
- Remote IP address retrieval for FTP exit points have been cleaned up. (Formerly, retrieving the remote IP address could return blanks that were transcribed as 12 zeros.)
- The possibility of looping when parsing an SQL statement for object rule checking has been eliminated.
- Problems related to non-displayable characters in Work with Captured Transactions have been addressed.
- *ALLOBJ authority is no longer required to run the PTNSSTRWEB command (used to start the Network Security Web Server). See Starting the Web Server.
- Only one audit journal entry is now created for 'Possible Intrusion' events.
- Invalid IP addresses added to IP Address Groupings can now be deleted.
- The previous day's cache file for the *CLI server is now cleared automatically each day.
- MCH3601 and LNS0703 errors in exit programs have been resolved, allowing the appropriate journal entries to be written.
- Only the jar files are deleted from powertech/installs after a product update.
- A web UI accessibility issue regarding PTWEB password expiration has been resolved.
- An MCH1210 error no longer causes program PTNSLIB/LNSR108P to end.
- Rules can now be filtered by Type: User or Location.
- A convenient slide-out menu in the Captured Transactions screen allows you to quickly memorize Captured Transactions.
- Delete buttons have been added to detail forms.
- An environment variable can now be used to suppress the PTNSGMSTR job.
- Performance enhancements have been made to Network Security Activation.
- Performance enhancements have been made for the *DATAQSRV exit program.
- Network Security includes a new web interface designed to allow an efficient, interactive method of managing network traffic. See Web Browser Help in the Network Security Administrator’s Guide for details.
- Network Security’s new Dashboard, available from the web interface, allows you to monitor transactions controlled by Network Security. See Dashboard for details.
- For Print Rules by Location, specifying *ALL for the location now includes all location rules for all locations in the report (rather than only rules defined as location=*ALL).
- The rule checking order has been fixed for Object Lists.
- Caching of flags for *MEM rules has been fixed.
- *RMTSRV and RMTCMD have been converted from Unicode so that transactions from IFS commands are recognized.
- Rule checking has been fixed for cases when a user profile does not exist.
- MCH1210 no longer causes PTNS010701 to end abnormally on the QZDASOINIT job.
- Support for Showcase is now available.
- The “File LNSSVF01 not found” error during the product update procedure has been resolved.
- ShowCase exit point support has been added.
- MCH1202 error in PTNS010701 has been fixed.
- Authority Failure journal entries on *FILESRV exit program when not an *ALLOBJ user have been fixed.
- Database reads for Location/User/Object rule checking have been reduced.
- The SUMCAPTRAN process now handles PARTIAL journal receivers.
- The last collected date, which was incorrect for some captured transactions, has now been corrected.
- The number of database reads for pre-filters has been reduced, improving performance.
- *LOCATION rules address groups are now working.
- New menu option for pre-filters to combine user and location rules
- Corrected error directly following flushing the cache
- Performance improvements with the SQL Exit Point
- Fixed an issue with supplemental group profiles and a looping exit program
- Fix RNX0100 in LNSR108TFT when using IPv6
- Handle parsing of *FROM in an SQL Statement
- Handle parsing of 3-part names in SQL through PRPDESDCRB when using Object Lists
- Fix generics on Subset by User under Work with Security by User
- Allow Subset by User to handle more than 9,999 user profiles