Notes on AS400/iSeries Robot installation permissions and probe operations


Article ID: 38197


Products

DX Infrastructure Management NIMSOFT PROBES

Issue/Introduction

Notes and technical details on AS400/iSeries Robot installation permissions and probe operations

Customers installing the Robot and probes on AS/400/iSeries systems sometimes have security concerns about the installation and operation of the Robot and probes and would prefer to limit permissions in their environments.
 
 

 

Environment

Release: UIM 8.x

Resolution

Instructions:

• *SAVSYS and *ALLOBJ: Can be granted only for the installation or upgrade of the probe or any UIM component for iSeries.
• *IOSYSCFG: Test whether it is actually needed.
• The other special authorities (*JOBCTL, *SPLCTL) are needed for the probes to work, so leave *JOBCTL and *SPLCTL in place, but test whether *IOSYSCFG is needed.

For the robot itself, *SAVSYS is needed (for probe distribution and robot updates), and that is normally sufficient.

Technical Details:


- diskstat, fetchmsg, jobqs, journal, outqs, jobs, jobsched, and sysstat should have ALLJOBS authority for this reason.
- sysstat needs IOSYSCFG authority to provide system statistics to the Nimsoft
- jobs, jobqs, and jobsched probes would have to have JOBCTL authority.
- The majority of probes will also need SERVICE and SECADM authority.

• *SAVSYS special authority: Used while installing the robot. We use a SAVLIB command, which requires *SAVSYS special authority.
• *JOBCTL special authority: Required when we start or stop the robot (for example, for the ENDSBS and STRSBS commands).
• *SPLCTL special authority: Required by the outqs probe for the output queue.

The iSeries/AS400 probes require additional rights; for instance, the jobs probe requires *JOBCTL to get full job information.
 
- You need object operational (*OBJOPR) authority to the CRTSAVF command.
- You need save system (*SAVSYS) special authority. This 'might not' be needed, as the alternative permissions listed may be satisfied.
- You must have add (*ADD) and read (*READ) authority to the library in which the save file is to be created.
- The Nimsoft installation guide states that the NIMBUS user, under which the NIMBUS subsystem is started, must have *ALLOBJ permissions.

As this user cannot be used for login (if configured as advised in the installation material) and is used only by the CA UIM/Nimsoft subsystem job, the security risk of this is as small as possible.

There are 2 reasons we require *ALLOBJ:

1. It is possible for administrators to manually change the permissions needed to access API calls required by the probes. The only way to ensure this doesn’t interfere with correct operation of the probes is to override any customized permissions.

2. A significant task performed by the Robot/controller program is the installation of probes. This requires restoring SAVF files, which need to overwrite the existing file system; specifically, it uses the RSTOBJ command with the ALWOBJDIF(*ALL) option. This is entirely necessary for the installation/update of probes. That this option requires *ALLOBJ permissions is an operating system restriction introduced by IBM in a previous update. With these permissions, the IBM iSeries robot and the fetchmsg probe operate as expected.

Notes on journal probe:

The journal probe can monitor all journals available in the AS400 system (for that, *ALLOBJ and *SAVSYS need to be granted to the ‘NIMBUS’ user profile).

However, if only a specific journal needs to be monitored, then the ‘NIMBUS’ user profile must be given *ALL authority to that journal manually.


Per our installation docs the user used to run the Robot should NOT be an interactive user. It should only be used for the Nimsoft subsystem job.

***Installing Nimsoft robot on iSeries (AS400)

Note: The binaries in NIMBUS.LIB take about 20 MB of disk space, and approximately 35 MB including the currently available probes.
Installation procedure:
On AS400:

Create the user NIMBUS:
CRTUSRPRF USRPRF(NIMBUS) PASSWORD() USRCLS(*SECOFR) TEXT('NimBUS User for NimBUS Management')
Create temporary files for the ‘save files’
CRTSAVF <>/NIMBUS TEXT('Savf of Nimbus LIB')
CRTSAVF <>/NIMSOFT TEXT('Savf of Nimbus_Software')

On a workstation on the network:

ftp <>
log on the AS400
LCD <>
CD <>>
BIN
PUT NIMBUS.savf
PUT NIMSOFT.savf
Quit
On AS400:

Restore /qsys.lib/nimbus.lib
RSTLIB SAVLIB(NIMBUS) DEV(*SAVF) SAVF(<>/NIMBUS)
Restore /Nimbus Software/NimBUS file-tree
QSYS/CRTDIR DIR('/Nimbus_Software')
QSYS/CRTDIR DIR('/Nimbus_Software/NimBUS/')
QSYS/RST DEV('/QSYS.lib/<>.lib/NIMSOFT.file') OBJ(('/Nimbus_Software/NimBUS/*'))

Edit the configuration file /Nimbus_Software/NimBUS/robot.cfg according to the example below. The fields with bold text in the example below must be modified according to your system configuration.

***IMPORTANT: Note that the robotip and contip parameter values should both be the local computer’s IP address.

EDTF STMF('/Nimbus_Software/NimBUS/robot/robot.cfg')

Example:

<controller>
domain = IAS
hub = Informatikk
hubrobotname = taletv02
hubip = 192.168.254.11
robotname = talea1s
robotip = 192.168.254.250
</controller>
<remote>
contip = 192.168.254.250
</remote>
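
A check for the robotip/contip rule stated above, as an added example (not code from this article or from the product): it parses the `<section>` / `key = value` layout shown in the example and reports a mismatch. The function names and the sample, whose contip is deliberately wrong, are constructed for illustration.

```python
import ipaddress

# Constructed sample in the article's robot.cfg layout; contip deliberately
# differs from robotip to show the failure case.
SAMPLE_CFG = """\
<controller>
robotname = talea1s
robotip = 192.168.254.250
</controller>
<remote>
contip = 192.168.254.25
</remote>
"""

def parse_cfg(text):
    """Parse <section> ... </section> blocks of 'key = value' into nested dicts."""
    root = {}
    stack = [("", root)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("</") and line.endswith(">"):
            if len(stack) == 1 or stack[-1][0] != line[2:-1].strip():
                raise ValueError(f"line {lineno}: unexpected {line}")
            stack.pop()
        elif line.startswith("<") and line.endswith(">"):
            name = line[1:-1].strip()
            stack.append((name, stack[-1][1].setdefault(name, {})))
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][1][key.strip()] = value.strip()
        else:
            raise ValueError(f"line {lineno}: not a section or key = value")
    if len(stack) != 1:
        raise ValueError(f"section <{stack[-1][0]}> is never closed")
    return root

def check_robot_cfg(text):
    """Return findings; an empty list means robotip and contip agree."""
    cfg, findings, addrs = parse_cfg(text), [], {}
    for section, key in (("controller", "robotip"), ("remote", "contip")):
        value = cfg.get(section, {}).get(key)
        try:
            addrs[key] = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"{section}/{key} missing or not an IP: {value!r}")
    if len(addrs) == 2 and addrs["robotip"] != addrs["contip"]:
        findings.append(f"robotip {addrs['robotip']} != contip {addrs['contip']}")
    return findings
```

Run `check_robot_cfg` on a copy of robot.cfg before starting the subsystem; a malformed file raises `ValueError` with the offending line number.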

Start the robot with the command
STRSBS NIMBUS/NIMBUS

The robot can be stopped with the command
ENDSBS NIMBUS/NIMBUS

If you want to shut down the system or TCP/IP each night for backup, you should also stop Nimbus and start it again after TCP/IP has been restarted.

Stopping and starting Nimbus can be done with job schedule entries (ADDJOBSCDE) as described in the example below (stop time 01.00.00 and start time 07.00.00, every day):

ADDJOBSCDE JOB(ENDNIMBUS) CMD(ENDSBS SBS(NIMBUS) DELAY(120)) FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('01.00.00') USER(NIMBUS) TEXT('End Nimbus')

ADDJOBSCDE JOB(STRNIMBUS) CMD(STRSBS SBSD(NIMBUS/NIMBUS)) FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('07.00.00') USER(NIMBUS) TEXT('Str Nimbus')

If you later want to change the schedules, use

WRKJOBSCDE

 

Additional Information

Install IBM robot

Please also find attached to this case iseriesmonitoring.pdf, with further details.

If you encounter installation issues, check the logs on the AS400/iSeries side, especially the security logs for permission problems, and copy and paste any errors into the Support case comments.

Attachments

1558534328127TEC1833571.zip