DDM transactions are no longer using profile QUSER on the target machine. (NETIQKB33294)

  • 7733294
  • 02-Feb-2007
  • 08-Oct-2007

Resolution

fact
VigilEnt Security Agent for iSeries 5.4/7.0

fact
VigilEnt Security Agent for iSeries PSSecure 7.0

symptom
DDM transactions are no longer using profile QUSER on the target machine.

symptom
Remote DDM transactions are rejected with an OS object authority error for the originating user profile from the source machine.

symptom
Remote DDM transactions are not creating a Collected Entry in RRM on the target machine.

change
Upgraded NetIQ iSeries product from version 5.3/6.3 to 5.4/7.0.

cause
In version 6.3, RRM processed DDM requests as QUSER. In RRM 7.0, swapping is turned on for the DDM exit point, so RRM checks who the user was on the source system, swaps to that profile, and attempts the request as that user. This fails without a collected entry because the Operating System checks object level authority before the exit program is invoked; the OS, not the NetIQ iSeries product, rejects the request, and no collected entry is written.

fix

There are two possible solutions depending on the results you wish to see:

  • If you want DDM transactions to work as they did in the prior version of RRM (6.3), turn swapping OFF for the DDM transactions on the Target machine (or on all machines where version 7.0 is installed). To change this, select RRM menu Option 8 Work With Exit Points, edit the DDMACC Exit point, Exit Format DDM, Server DDM, and set the 'Allow Swap' value to *NO. The DDM transactions will then use profile QUSER as they did in the past.
  • If you want to configure DDM so that it secures by the originating user profile, follow the instructions from IBM found in the link below and set up OS object level authority for the appropriate users on the target system. The entries will then be collected by RRM and you can create secured entries from them. At this point, it won't matter what the swap value is set to in RRM, as there will be no need to swap.

    IBM Document related to DDM and QUSER user profile
Additional Information

Formerly known as NETIQKB33294