Contact Technical Support for information on Network Security 7 Setup in an HA environment.
Step I – Installation of the Powertech Products
To successfully install any Powertech product in a High Availability (HA) environment, the Powertech product must be installed on the HA system before the production system.
This is necessary because replication software could be setup with global settings to replicate non-library objects such as user profiles, authorization lists, IFS directories, etc. Many of the PowerTech products check for the existence of these objects (especially user profiles) prior to installation, and will not install if these objects already exist.
Step II – Network Security User Profiles & Authorization Lists
Network Security has three profiles, PTNSADM, PTNSOWN and PTWRKMGTOW.
Network Security has four authorization lists, PTNSADM, PTNSDTA, PTNSPGM & PTNSRPT.
Note: If the user profiles or authorization lists exist, replication of these objects must be inactivated on the production system. Delete the user profiles and/or authorization lists on the HA system then install Network Security per the installation instructions.
Step III – Network Security Setup
If log journal is QAUDJRN. If the log journal used in Network Security is QAUDJRN this system journal must be setup prior to the activation of Network Security on the HA system. All audit reports for Network Security when using QAUDJRN are only from the time of the role swap going forward.
If log journal is a journal other than QAUDJRN system journal. If the log journal is not QAUDJRN the journal and receivers could be replicated from the source (production) to the target (HA) system for historical purposes. If the journal information is replicated the audit report history can be retained and ran on the HA system.
Supplemental Exit Programs. If supplemental exit programs are used, these programs must exit on the HA system along with the proper owner and authorities.
Step IV – Network Security Authorization List
Network Security only has four authorization lists: PTNSADM, PTNSDTA, PTNSPGM, and PTNSRPTL.
Replication for these authorization lists should be setup on a scheduled, weekly basis to reflect any changes. Since these changes are not as frequent as the other changes, a weekly update is sufficient.
Step V – Use Object Synchronization Replication Software
Synchronization of the objects will need to be done on the individual object. Never use the ‘Library Synchronization’ feature of the HA product as it will clear the product’s library and replicate just the objects that are defined to be replicated. We have seen that Library Synchronization has caused issues that require the product to be uninstalled and reinstalled.
Step VI – Network Security Journals
Network Security has two journals, PTCAPJRN and PWRJRN. The journal PTCAPJRN is used for captured transactions. Network Security temporarily stores the transactions in PTCAPJRN until the transactions are moved to the PLKCAP file in the SUMCAPTRAN job.
PWRJRN is the journal that tracks all of the changes to the product’s settings and configuration. Note: Use the journal PWRJRN in PTNSLIB to replicate the changes between the production and HA system.
Step VII – Network Security Authorization Lists to Replicate
Add an 'Include' filter to include all of the Network Security Authorization Lists.
Step VIII – Network Security Files to Include
Add an 'Include' filter to include these files in the PTNSLIB library.
Note: Do not replicate the NSACTHST and NSACTLST files. The replication software can have locks on these files and Network Security activation will fail on the HA system. These files do not need to be replicated.
Step IX – Network Security User Index to Include
Add an 'Include' filter to include the NSORPARTS user index in the PTNSLIB library.
The user index NSORPARTS must also be replicated as it stores the object lists and is used for the triggers on the NSOBJE file.
Step X – Verify the Triggers and Constraint on NSOBJE File
File NSOBJE has 5 triggers. Verify that the triggers and primary key constraint are attached on the HA system by executing the command:
File NSOBJE primary key constraint.
Step XI – Network Security Program to Omit
Do not replicate the program PTNS0107 in library QGPL. Replicating this program can cause a lock condition when trying to activate Network Security on the HA system. Add an ‘Omit’ filter for the PTNS0107 program.
Do not replicate the data area LNUA010 in QGPL. This data area contains a startup program that activates Network Security’s exit programs when ‘Silent Activation’ is used. Replicating this data area could cause problems on the HA or production system.
Add an ‘Omit’ filter for the LNUA010 program.
Step XII – License Objects
Network Security 6.15 or later has the ability to enter multiple licenses (press F7 – License List on License Setup screen). This allows you to enter the HA system’s license before the role swap so you aren't required to contact Technical Support for an emergency (temporary) key.
In the event that you are using multiple licenses, you will need to setup the following object to be replicated.
Note: If you have not taken advantage of the multiple license feature, or do not have a version that has this feature, do not replicate this object as it will cause the license on the HA system to be invalid.
Step XIII – Activation after the ‘Role Swap’ on the HA system License
If the multiple license key feature is not implemented or used, then contact Powertech Sales (Support if after hours) to get either a license key for Network Security on the HA system. To enter the license key, enter the command:
Option 81 – Configuration Menu
Option 2 – License Setup
Note: The WRKPTNS command is not in QGPL until Network Security gets activated.
Step XIV - Activation
After the license key has been entered, the Network Security product can be activated.
- To activate Network Security, enter the command:
Option 81 – Configuration Menu
Option 3 – Work with Activation
- Before the activation can be selected, you must select which servers you want to activate Network Security on. You can select the servers individually or select all of them with F13 – Set all to Activate. Once the servers have been set, the ‘Pending Change’ column will display ‘*ACTIVATE’ to show that the next step is pending an activation.
There are two methods of activation, silent activation (F18) and interactive activation(F20). Silent activation is done at IPL time vs the running the activation interactively.
Note: No matter which activation method is selected, the IBM servers must be ended and restarted for Network Security programs to be registered with the IBM server.
After the servers have been ended/restarted, the ‘Current Program’ column will display the version of Network Security (e.g. NS R06M11) in the Work with Activation screen.
Note 2: If the version of Network Security does not display in the ‘Current Program’ column then Network Security is not registered and is not active on that server. The ‘Current Program must display the version of Network Security before any rules will be enforced.
Note 3: In the event that Network Security exit programs are already active, you should clear the cache for all of the servers so the exit programs use the rules that have been replicated. To clear the cache do the following for each server:
Option 1 – Work with Security by Server
Next to each server, enter ‘SP’ server properties
Change the Network Security rules enforced flag to ‘N’
Enter the ‘SP’ server properties next to each server again
Change the Network Security rules enforced flag ‘Y’