Is it possible to upgrade XCOM for AS/400 using a non-QSECOFR user ID?

Article ID: 222910

Products

CA XCOM Data Transport

Issue/Introduction

The environment is IBM i (AS/400) 7.3, and XCOM is being upgraded from 11.0 to 11.0 SP02.

In several environments, the upgrade has been done successfully using the QSECOFR user ID.
However, in one environment where the QSECOFR user ID was not used, the upgrade process fails with the following messages:
Cannot assign object XCOMCNFG
ERROR IN CREATING SOFTLINKS FOR OPENSSL LIBRARIES
ERROR IN REMOVING OLDER SOFTLINKS TO OPENSSL LIBRARIES

The user ID that was used does have all object privileges. Could not using the QSECOFR user ID be the root cause of the messages mentioned?

Environment

Release : 11.0

Component : CA XCOM Data Transport for AS/400 i5/OS

Resolution

The documentation, under XCOM™ Data Transport® for AS/400 11.0 > Installing and Upgrading, states:
"The owner of the TLS/SSL configuration files is QSECOFR and the directory is created as a secure directory where the owner has read, write, and execute rights, whereas the group and other users have only read and execute rights. The permissions for configuration files, scripts for creating TLS/SSL certificate and directories can be changed and should be customized for your site's security level."
Also, on the page XCOM™ Data Transport® for AS/400 11.0 > Installing and Upgrading > Install and Upgrade, only QSECOFR is suggested for the installation/upgrade steps.

XCOM Engineering has advised that using a non-QSECOFR user for install or upgrade is not supported. 
However, it is possible to create a TEMPSEC user ID (this is done internally at Broadcom) and give that TEMPSEC user ID the same rights as QSECOFR. That would still be QSECOFR, albeit not by name. On an internal system, QSECOFR has the following user rights:
+++
...
User class . . . . . . . . . . . . . . . . :   *SECOFR
...
Special authority  . . . . . . . :   *ALLOBJ
                                     *AUDIT
                                     *IOSYSCFG
                                     *JOBCTL
                                     *SAVSYS
                                     *SECADM
                                     *SERVICE
                                     *SPLCTL
+++
The user ID TEMPSEC has exactly the same settings as above, and TEMPSEC is used internally all the time.
In addition, the installation/update log, which is printed at the end of the installation, can be looked through to see the kinds of things that are done.
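An added example, not Broadcom's code: a small Python check that parses a user profile display laid out like the one above and reports which of the QSECOFR settings shown in this article a profile lacks. The profile name INSTUSR, its values, and the function names are constructed for illustration.

```python
import re

# User class and special authorities this article shows for QSECOFR.
QSECOFR_CLASS = "*SECOFR"
QSECOFR_SPCAUT = frozenset({
    "*ALLOBJ", "*AUDIT", "*IOSYSCFG", "*JOBCTL",
    "*SAVSYS", "*SECADM", "*SERVICE", "*SPLCTL",
})
# "Label . . . . :   value" lines, as in the display quoted in the article.
FIELD = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z /]*?)[\s.]*:\s*(?P<value>\S.*?)?\s*$")
# Continuation lines carry only one more *VALUE for the previous field.
CONT = re.compile(r"^\s*(\*[A-Z]+)\s*$")

# Constructed sample: a profile with "all object" rights but not the rest.
SAMPLE_INSTUSR = """\
User class . . . . . . . . . . . . . . . . :   *USER
Special authority  . . . . . . . :   *ALLOBJ
                                     *JOBCTL
"""

def parse_profile(display_text):
    """Return the user class and the set of special authorities."""
    profile = {"user_class": None, "special_authorities": set()}
    current = None
    for line in display_text.splitlines():
        field = FIELD.match(line)
        if field:
            current = field.group("label").lower()
            value = field.group("value") or ""
            if current == "user class":
                profile["user_class"] = value
            elif current == "special authority" and value.startswith("*"):
                profile["special_authorities"].add(value)
            continue
        cont = CONT.match(line)
        if cont and current == "special authority":
            profile["special_authorities"].add(cont.group(1))
    profile["special_authorities"].discard("*NONE")
    return profile

def compare_to_qsecofr(display_text):
    """List missing authorities and flag profiles matching QSECOFR's settings."""
    profile = parse_profile(display_text)
    missing = sorted(QSECOFR_SPCAUT - profile["special_authorities"])
    same = profile["user_class"] == QSECOFR_CLASS and not missing
    return {"missing": missing, "qsecofr_equivalent": same}

if __name__ == "__main__":
    print(compare_to_qsecofr(SAMPLE_INSTUSR))
```

The same comparison flags any profile that carries QSECOFR's settings under another name, which is useful when reviewing who can run the install or upgrade.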