(Updated 11th May 2008)
This list comprises some commonly reported problems and their solutions.
The Reported Problems:
1. Client Installation on PC workstation failed with code 132.
2. Error message “Unknown extension in database name” appears in FTP session.
6. A specific communication action was rejected although it should have succeeded.
7. No alerts are received from the IDS.
8. The Alert Server fails to send a mail alert.
9. The list of users is empty.
10. The Bsafe/Enterprise Security Manager doesn't respond.
11. Bsafe/Enterprise Security is activated but entries are not being recorded in the log.
12. After restricting port 21 (FTP) to specific users no-one can use FTP (not even the specified users).
13. There are groups missing from the “Priority level between overlapping groups” screen.
14. I get an error message BSG0110. Not valid time.
15. The print preview is blank when it should contain data.
18. After deleting the Bsafe libraries, we still have problems with users not being able to sign on.
20. We received an error message MCH3203 when installing the product.
21. I don’t see where the allow change password takes effect.
22. We are experiencing degradation in performance since starting to use the product.
24. When running Telnet logon, one or more occurrences of RMTCMD appear in the Bsafe Audit – why?
25. After restoring the Bsafe libraries we are encountering problems with Bsafe.
27. After upgrading to a newer release of the product, we encountered access problems with Bsafe.
33. Cannot see signon/signoff events in the Application Audit even though OS/400 Signon is activated.
34. The message “OS version not supported yet” is given in System Audit.
36. Object not found in library RMTOBJ while attempting to IPL from a SAVSYS backup.
37. Problems when attempting to print the user guide.
38. SQL Statement Audit – Information Missing
39. Objects in RMTOBJ not found when running system commands following restore from SAVSYS
The Solutions:
Cause
Complications due to foreign language support on your PC workstation.
Solution
Try again and specify a different install folder (not the default).
Cause
The FTP server NAMEFMT Parameter has value other than *LIB.
Solution
Execute the following commands on the iSeries.
1. ENDTCPSVR *FTP
2. CHGFTPA NAMEFMT(*LIB)
3. STRTCPSVR *FTP
Cause 1
Incorrect IP address or host name in the Host field. Use the command PING to check if a TCP/IP connection exists between the PC and the iSeries (AS/400). For example: ping 128.0.0.2
Solution 1
Change Host field and try again.
Cause 2
No TCP/IP connection exists between the PC and the iSeries (AS/400). Use the command PING to check if a TCP/IP connection exists between the PC and the AS/400. For example: ping 128.0.0.2
Solution 2
Contact the Network Administrator. The problem may be with network definitions, a physical connection failure, or an inactivated TCP/IP server in the iSeries (AS/400).
Cause 3
Inactive HTTP server job, BSAFEINST (up to OS/400 V5R2) or BSAFAPCH (from V5R3). Check if the job is active by using the command: WRKSBSJOB QHTTPSVR
Solution 3
Execute the following command on the iSeries.
STRTCPSVR SERVER(*HTTP) HTTPSVR(BSAFEINST) (up to OS/400 V5R2)
STRTCPSVR SERVER(*HTTP) HTTPSVR(BSAFAPCH) (from V5R3)
Cause 4
The Port field contains a value which is not a valid local port number. (Default values are 1983 up to OS/400 V5R2 or 1967 from V5R3.) To verify this, execute the NETSTAT command on the iSeries. Select option 3 (work with TCP/IP connection status) then locate the entered port number in column Local Port.
Solution 4
Change the Port field to an existing port (first try the default values of 1983 up to OS/400 V5R2 or 1967 from V5R3) and try again.
Cause 5
The entered port is defined but not in Listen status. To verify this, execute the NETSTAT command on the iSeries. Select option 3 (work with TCP/IP connection status) then locate the entered port number in column Local Port. This port must be in status Listen. If it is not, check the message log (DSPMSG QSYSOPR) to see if problems were encountered when operating the HTTP Server.
Solution 5
Contact the System Administrator.
Cause 6
User Profile QTMHHTP1 or QTMHHTTP is disabled. Use DSPUSRPRF to verify the status of the two User Profiles.
Solution 6
Use CHGUSRPRF to change the status of the User Profiles to enabled.
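The connection causes listed above can be told apart from the PC side with a single TCP connection attempt. The following is an added example, not part of the Bsafe product or of the original page; the function names and result codes are hypothetical, and only the two default port numbers come from the text above.

```python
import socket
import sys

# Default GUI ports given on this page.
DEFAULT_PORTS = {"up to OS/400 V5R2": 1983, "from V5R3": 1967}

# Result code -> which cause on this page to look at next.
NEXT_STEP = {
    "HOST_UNRESOLVED": "Cause 1: correct the Host field",
    "NO_TCPIP_CONNECTION": "Cause 2: contact the Network Administrator",
    "PORT_NOT_LISTENING": "Causes 3-5: check the HTTP server job and NETSTAT option 3",
    "LISTENING": "Port accepts connections; check Cause 6 (QTMHHTP1/QTMHHTTP status)",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt; returns (code, next step)."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        code = "HOST_UNRESOLVED"
    else:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                code = "LISTENING"
        except ConnectionRefusedError:
            # The host answered, but nothing is bound to this port.
            code = "PORT_NOT_LISTENING"
        except OSError:
            # Timeouts and unreachable-network errors. A firewall that silently
            # drops packets looks the same as a missing TCP/IP connection.
            code = "NO_TCPIP_CONNECTION"
    return code, NEXT_STEP[code]


def probe_defaults(host, timeout=3.0):
    """Try both default ports and report the result per OS/400 release range."""
    return {release: probe(host, port, timeout)
            for release, port in DEFAULT_PORTS.items()}


if __name__ == "__main__" and len(sys.argv) > 1:
    for release, (code, step) in probe_defaults(sys.argv[1]).items():
        print(f"{release}: {code} -> {step}")
```

Unlike PING, this also shows whether the HTTP server port itself is accepting connections, which separates Cause 2 from Causes 3 to 5.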
Cause 1
Some objects or authorization settings are absent.
Solution 1
1. Use the WRKSBSJOB QHTTPSVR command to see if the job BSAFEINST is running.
2. Use the NETSTAT command option 3 to see if the port 1983 is listening.
3. Profiles QTMHHTP1 and QTMHHTTP should be enabled.
4. OBJ(RMTSMP/BSFGUICL) OBJTYPE(*PGM): user QTMHHTP1 should be AUT(*USE)
5. OBJ(RMTSMP/DB2WWW) OBJTYPE(*PGM): user QTMHHTP1 should be AUT(*USE)
6. OBJ(RMTSMP/SAGUIC) OBJTYPE(*PGM): user QTMHHTP1 should be AUT(*USE)
7. OBJ(RMTSMP/MACROS) OBJTYPE(*FILE): user QTMHHTP1 should be AUT(*USE)
8. OBJ(RMTSMP/SIGNCHECK) OBJTYPE(*PGM): user QTMHHTP1 should be AUT(*USE)
Cause
User has no Role defined in the Bsafe Administration Roles Manager.
Solution
Define the user in the Bsafe Administration Roles screen or use the BSAFE user profile.
Cause 1
Another permission definition took precedence over the one you consider should have been used. Use the Audit Log (discussed in detail in the relevant section) to identify the event and determine which authorization caused the rejection. The class field in every log event specifies the priority level of the rejected action. The order of increasing priority is system defaults, address range, Bsafe Group, generic user, user profile, user. The address range can also be defined as the highest priority.
Solution 1
Change the authorizations as required.
Cause 2
You expected the permissions for a user to be taken from a group profile. However, permissions have been defined for the group profile at the user account type and not at the group profile account type. Use the audit log to investigate the event as described in cause 1, above.
Solution 2
Add the permissions definition for the group profile under the group profile account type.
Cause 3
The same user is included in more than one Bsafe Group. Use the audit log to investigate the event as described in cause 1, above.
Solution 3
Make any required changes in the member list in this or the other groups, or change the priority sequence between overlapping groups. This is described in detail in the Bsafe Group Manager section of the user guide.
Cause 4
The action was rejected at the function, library or object levels. Use the audit log to investigate the event as described in cause 1, above, then examine the options of the relevant server permissions at the function, library and object levels. Remember that the permissions are taken from the system defaults if they are not specifically defined elsewhere - see the section on permissions for more information.
Solution 4
Make any required changes in the function, library or object level permissions.
Cause 1
The Alert Server is not running. If the Alert Server is running, you should see an icon on the system tray.
Solution 1
Start the Alert Server as described in the user guide.
Cause 2
The Alert Collector is not running. If the Alert Collector is running, you will see the active job BSFICOL in the QSYSWRK sub-system.
Solution 2
Start the Alert Collector as described in the user guide.
Cause 3
There is no connection between PC and iSeries. Go to the “green screen” manager, to the Alert Collector menu and select Send Test Message as described in the user guide. Then you should see the test message in the Alert Server Monitor (on the PC). If no test message is printed in the Alert Server Monitor, check the IP address and port definitions in the IDS manager (configure alert server button) and the port definition in the Alert Server – the two port definitions should be identical.
Solution 3
Make any necessary changes in the port definitions.
Cause 4
The Alert Collector fails to submit the Send Alert job. See if there are any messages in the job BSFICOL in the QSYSWRK sub-system.
Solution 4
Report any messages found to technical support.
Cause
The mail properties in the Alert Server are not set up properly.
Solution
Set up the mail properties in the Alert Server according to the directions in the user guide.
Cause
The coded character set identifier (CCSID) value of the file SAUSRP does not match the system value QCCSID.
Solution
Issue the following command from the OS400 command line:
CHGPF RMTFIL/SAUSRP CCSID(XXXXX)
(where XXXXX is the value specified in the QCCSID system value).
Cause
There may be a message waiting on the iSeries (AS/400). Use the WRKACTJOB JOB(BSAFEINST) command to check if one of the BSAFEINST jobs is waiting on a message.
Solution
Act according to the message content. If it is unclear, report the message to customer support.
Cause 1
Certain essential services on the iSeries were not restarted following installation of Bsafe/Enterprise Security.
Solution 1
Restart TCP/IP and the Qserver sub-system after installation. Use the following commands:
ENDSBS QSERVER OPTION(*IMMED)
STRSBS QSERVER
STRHOSTSVR SERVER(*DATABASE)
STRHOSTSVR SERVER(*FILE)
Cause 2
The Bsafe/Enterprise Security optimizer is activated.
Solution 2
The optimizer is a means of reducing the degree of logging of network activity to bring about an improvement in product performance. The default value for optimization at installation time is on (reduced logging) but this may be changed at any time for the appropriate servers on the system defaults screen. A full discussion of the optimizer can be found in the on-line Help and User Guide.
Cause
The system reaction to restrictions on well-known ports (0 through 1023) is unpredictable. We strongly recommend not applying any restrictions to this range of ports. The port restriction will be effective only with the unknown ports, used by the customer applications. For example, if port 23 is restricted to some user other than QTCP, the Telnet server simply won’t start. When port 23 is restricted to QTCP, it doesn't matter what other specific users are also in the list - all the users are allowed to use Telnet.
Solution
Do not apply restrictions to ports in the range 0 through 1023.
Cause
In the “Priority level between overlapping groups” screen you can see only those groups which contain users appearing in more than one group. In other words, if you don't see groups in that screen, each user belongs to one group only.
Solution
There is no problem. No users appear in more than one group.
Cause
A Bsafe/Enterprise Security bug appearing when the time separator in the Windows definition is set to ‘.’ (dot).
Solution
Bug corrected in versions v.3.2.1.1 and later.
Cause
The same problem as 14, above. A Bsafe/Enterprise Security bug appearing when the time separator in the Windows definition is set to ‘.’ (dot).
Solution
Bug corrected in versions v.3.2.1.1 and later.
Cause
Permissions have been defined at two or more different priority levels for a user.
Solution
The following description must be understood fully.
User permissions may be defined for the user at a number of different levels. These include user ID, group profile, generic name and Bsafe group and the default level – the system defaults. An additional level is the IP address.
User permissions may be defined at several or even all of these levels at one and the same time. However, only one set of permissions will be active for a user at any one time – the active permission set is that with the highest priority. If permissions have not been specifically defined for a user at any level then the System Defaults will apply for that user. If, on the other hand, a user has specific permissions defined at the user ID, group profile, generic name or Bsafe Group level, then these will be adopted accordingly, the appropriate icon being displayed beside the user ID in the User ID account level display. This may be seen in the Bsafe/Enterprise Security Manager.
We recommend making use of the Bsafe Group as the primary method of permissions definition. For information see the Bsafe/Enterprise Security User Guide topics The Bsafe/Enterprise Security Manager, Access Security Policy, Account Type Priority and Assigning User Permissions.
Cause
This is the Bsafe alert collector. It must be deactivated specifically.
Solution
After deactivating Bsafe go to alert collector in the green screen and select the stop alert collector option. This should be done before upgrading the version or uninstalling the product.
Cause
The Bsafe/Enterprise Security product must be uninstalled correctly, using the detailed instructions provided.
Solution
If the libraries have already been removed, they should first be restored in order to proceed with the uninstall process. Once you have done this, follow the uninstall instructions which may be found in the Bsafe/Enterprise Security on-line user guide, provided with the product and also on the Bsafe Solutions website.
Cause
You have recently upgraded your version of OS/400 to V5R2 but have not refreshed the Bsafe user list.
Solution
Go to the Commands menu in the Bsafe/Enterprise Security Manager and select the Retrieve User List From System option. After completion of this task, click the Refresh button under the Accounts window on the main screen and you will see this user in the list.
Cause
This is an internal OS/400 error, normally fixed by applying the appropriate PTFs.
Solution
Apply the recommended PTFs. Seek assistance from IBM support or through the IBM.
Cause
This option is designed for the password change prompt when making the initial Telnet connection through client access. If the system determines a password change is required, Client Access will request the new password. Once the sign-on screen is displayed, the initial Telnet connection has already been passed.
Solution
By setting the Bsafe/Enterprise Security Allow Change Password option to No, Client Access will not display this prompt when connecting to Telnet.
Cause
The Optimizer is switched off for certain server applications being accessed intensively, for example in batch-type processing. The optimizer is a means of reducing the degree of logging of network activity to bring about an improvement in product performance. The default value for optimization at installation time is on (reduced logging) but this may be changed at any time for the appropriate servers on the system defaults screen. A full discussion of the optimizer can be found in the on-line Help and User Guide.
Solution
Set the Optimizer on for the server application by going to the system defaults screen and marking the appropriate optimizer checkbox.
Cause
The Bsafe/Enterprise Security PC client (GUI) is designed to run on the OS/400 HTTP server, even though the native green-screen component will run without problems.
Solution
Running the Bsafe instance under any other HTTP server would need to be configured manually. However, the OS/400 HTTP server should have no problem coexisting with either the Apache or Domino HTTP server. You can then run the BSAFEINST instance under the original server and any other instances under Apache or Domino, as long as you provide BSAFEINST with a unique port number. More information may be found on the IBM website at the following URL:
http://www-1.ibm.com/servers/eserver/iseries/domino/buysell/tools_4.htm
Cause
This is a problem unrelated to Bsafe, but rather due to an outdated installation of IBM Client Access on your PC client.
Solution
The appropriate service pack must be downloaded from the IBM website and installed accordingly. The following link should assist you. http://www-1.ibm.com/servers/eserver/iseries/navigator/srvpck.html
Cause
The authorities to the Bsafe libraries have been changed in the restoration process.
Solution
After restoration, re-run the Bsafe/Enterprise Security installation program, CALL PGM(RMTOBJ/SATKNAC)
This is discussed in the full installation guide which appears on the Bsafe website and in the Bsafe/Enterprise Security user guide.
Cause
Allocate Conversion and the other operations mentioned are server requests made when accessing the OS/400 file server. It is quite normal and occurs in many situations of remotely accessing OS/400 resources.
One example of this is when you use Microsoft Excel to open a file residing on the iSeries IFS. In this case, the Allocate Conversion request is the first of several different requests made – it is followed by List File Attributes and Open Stream file requests.
Solution
There is not a problem.
Cause
The last stage of the upgrade process is to restart the QSERVER/QUSRWRK sub-systems. Until this is done the Bsafe/Enterprise Security will prevent access to the Database server and File server. It is therefore clearly recommended in the upgrade instructions to begin the upgrade process only when QSERVER may be restarted straight away.
Solution
If, however, the upgrade has been completed and the restart cannot be carried out immediately, you must de-activate these two servers until this can be done. See the upgrade instructions on the website or in the user guide for details of how to do this.
Cause
You have perhaps misunderstood the purpose of this field.
This user profile parameter displays the number of invalid sign-on attempts since last successful sign-on and it cannot be more than the value specified for the system value QMAXSIGN (maximum sign-on attempts allowed). You can see it also when executing the DSPUSRPRF for the user, in the Sign-on attempts not valid parameter.
Solution
There is not a problem.
Cause
This is a problem found on V5R2 of OS/400 only and is due to a problem in the IBM software. An error of type MCH3601 from module SQLTR appears in the BSAFEINST or BSFAPCH job; following this, the list of users is no longer seen on the GUI main screen.
Solution
Apply the following IBM PTFs:
SF99502 group level 17, SF99098 group level 16 and SI17237.
Cause
This is not a problem of Bsafe/Enterprise Security.
Qshell is a command environment based on POSIX and X/Open standards. It consists of two parts:
· The shell interpreter (or QSH) is a program that reads commands from an input source.
· The utilities (or commands) are external programs that provide additional functions.
Qshell provides an extensible command environment that allows you to:
· Manage files in any file system supported by the Integrated File System.
· Run threaded programs that do thread-safe I/O to and from an interactive session.
· Write shell scripts that can be run without modification on other systems using a cross-platform command language.
Solution
Cause
The currently attached journal receiver is full and the system journal is defined to manage receivers manually.
Solution
Change the attached receiver for system journal. This can be done from the GUI main screen by clicking on the System Journal Audit icon > Receivers button > Change.
Alternatively, you can issue the following command from iSeries green screen: CHGJRN JRN(QAUDJRN) JRNRCV(*GEN).
Cause
This is normally caused by duplicate permissions definitions (in different accounts) where the actual permissions used are defined with a higher priority than those you expect. A common occurrence is where permissions are defined both at the User ID level and also at the Bsafe group level. In other cases, the user may appear in two different Bsafe groups.
Solution
First check which permissions were used in the handling of the event. Enter the Application Audit and double-click on the relevant event to see the Class parameter. This is the permissions set actually used and can be user ID, group profile, generic name, a specific Bsafe group or system policy. Once the ‘offending’ account has been identified, its permissions can be deleted, so the next event of this kind will use the expected definition. If it is the user ID permissions that are unwanted, click on ‘Clear’ to remove the definitions set. If the user appears as a member in more than one Bsafe group, then the user may be removed from the other group using the Bsafe Group Manager.
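The priority rules described on this page (in the rejected-action causes, in the description of permission levels, and in the solution just above) can be modelled to see which definition decides an event and which ones it overrides. This is an added example, not Bsafe's own code: the Policy class, the function names and the sample data are hypothetical, the order of levels follows the page's list (system defaults, address range, Bsafe Group, generic user, user profile, user), and it assumes that the "user profile" level in that list is the group profile level.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """Hypothetical in-memory model; every permission set maps server -> allowed."""
    system_defaults: dict
    address_ranges: dict = field(default_factory=dict)   # CIDR -> permission set
    bsafe_groups: list = field(default_factory=list)     # (name, members, set), in priority sequence
    generic_names: dict = field(default_factory=dict)    # "PAY*" -> permission set
    group_profiles: dict = field(default_factory=dict)   # group profile -> permission set
    user_ids: dict = field(default_factory=dict)         # user ID -> permission set
    address_range_highest: bool = False                  # address range may be made top priority


def matching_levels(policy, user, group_profile, ip):
    """Return [(class, permission set)] for every level that matches, lowest priority first."""
    addr = [(f"address range {cidr}", perms)
            for cidr, perms in policy.address_ranges.items()
            if ip_address(ip) in ip_network(cidr)][:1]
    levels = [("system defaults", policy.system_defaults)]
    if not policy.address_range_highest:
        levels += addr
    # Overlapping Bsafe groups: the first group in the configured sequence wins.
    levels += [(f"Bsafe group {name}", perms)
               for name, members, perms in policy.bsafe_groups if user in members][:1]
    levels += [(f"generic name {pat}", perms)
               for pat, perms in policy.generic_names.items()
               if pat.endswith("*") and user.startswith(pat[:-1])][:1]
    if group_profile in policy.group_profiles:
        levels.append((f"group profile {group_profile}", policy.group_profiles[group_profile]))
    if user in policy.user_ids:
        levels.append(("user ID", policy.user_ids[user]))
    if policy.address_range_highest:
        levels += addr
    return levels


def decide(policy, user, group_profile, ip, server):
    """Return (class that decided, allowed?, classes that were defined but overridden)."""
    levels = matching_levels(policy, user, group_profile, ip)
    winner, perms = levels[-1]
    # Assumption: a server missing from the winning set falls back to system defaults.
    allowed = perms.get(server, policy.system_defaults[server])
    return winner, allowed, [name for name, _ in levels[:-1]]


def sample_policy():
    """Constructed data: PAYCLERK1 is in two Bsafe groups and also has a user ID definition."""
    return Policy(
        system_defaults={"FTP": False, "TELNET": True},
        address_ranges={"10.1.0.0/16": {"FTP": False}},
        bsafe_groups=[("CONTRACTORS", {"PAYCLERK1", "TEMP01"}, {"FTP": False}),
                      ("FINANCE", {"PAYCLERK1", "PAYADMIN"}, {"FTP": True})],
        user_ids={"PAYCLERK1": {"FTP": False}},
    )


if __name__ == "__main__":
    policy = sample_policy()
    request = ("PAYCLERK1", "PAYROLL", "10.1.2.3", "FTP")
    print(decide(policy, *request))                  # the user ID definition decides
    del policy.user_ids["PAYCLERK1"]                 # "Clear" the user ID permissions
    print(decide(policy, *request))                  # the first overlapping group decides
    policy.bsafe_groups[0][1].discard("PAYCLERK1")   # remove the user from the other group
    print(decide(policy, *request))                  # FINANCE now decides
```

The third return value lists every definition that exists for the user but was overridden, which is the set to review when a rejection is unexpected.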
Cause
This logging function requires IPL of your iSeries to take effect.
Solution
Check again following IPL of your system.
Cause
The installed version of the product has not yet been updated with the latest OS system journal definitions update.
Solution
Contact Bsafe support to receive the necessary update.
Cause
The file in question uses triggers and so cannot be used for field masking.
Solution
Contact Bsafe support to check if an update is available for this problem.
Cause
The SAVSYS backup was done while certain Bsafe exit programs were active.
Solution
Repeat the SAVSYS backup but first deactivate the Bsafe exit programs by running the option Maintenance > Commands Menu > Deactivation of Bsafe before SAVSYS, or by running the command RMTOBJ/BSFINAC. No parameters are necessary and it may be run interactively or as part of a batch job. If you run the SAVSYS via a CL program, you can hardcode the command into it. This is not a one-time action but something that is required every time the SAVSYS system backup is performed.
If this option does not exist in your menu or if the command RMTOBJ/BSFINAC is not found, you can download and install PTF AP55232 to receive them (If there is a cumulative PTF released after 16th April 2008, this may be downloaded and installed instead). All product PTFs can be downloaded from the Customer Center on the Bsafe website. After the system backup (SAVSYS) you must reactivate the Bsafe exit programs as described in the implementation instructions.
If the above steps don’t help, contact Bsafe support for assistance.
See also issue 39, below.
Cause
Printing errors when attempting to print the user guide. There are a number of errors which are known to occur when attempting to print parts of or all of the user guide from the online CHM file. These include the non-printing of certain pictures, truncation of pages, failure to print on network printers and error messages. They are the result of unpredictable behaviour of CHM help files when printing.
Solution
Use the PDF version of the user guide for the purpose of printing. This can be downloaded from the Bsafe website, www.bsafesolutions.com. Go to the Technical Support page, then click on Bsafe/Enterprise Security User Guide and Help (PDF File Format). Note that this is a large file – around 100Mb.
Cause
Sometimes, information is missing from the SQL statement audit. This can be the user name, IP address or the field values in the SQL statement itself.
Solution
The user name and IP statement information are only given when the database activity is the result of ODBC or RMTSQL requests. In addition, in the Application Access Control definitions, DDM must be activated and the logging level for this application server must be defined as “ALL” in the System Policy screen. Note that interactive SQL requests originating from the native environment do not carry this information. Field values in the SQL statement are not available in the audit - they are displayed as question marks. This is a limitation of the OS400 operating system.
Cause
The SAVSYS backup was done while certain Bsafe exit programs were active.
Solution
Repeat the SAVSYS backup but first deactivate the Bsafe exit programs by running the option Maintenance > Commands Menu > Deactivation of Bsafe before SAVSYS, or by running the command RMTOBJ/BSFINAC. No parameters are necessary and it may be run interactively or as part of a batch job. If you run the SAVSYS via a CL program, you can hardcode the command into it. This is not a one-time action but something that is required every time the SAVSYS system backup is performed.
If this option does not exist in your menu or if the command RMTOBJ/BSFINAC is not found, you can download and install PTF AP55232 to receive them (If there is a cumulative PTF released after 16th April 2008, this may be downloaded and installed instead). All product PTFs can be downloaded from the Customer Center on the Bsafe website. After the system backup (SAVSYS) you must reactivate the Bsafe exit programs as described in the implementation instructions.
See also issue 36, above.
Cause 1
You clicked on the Refresh OS400 Report button rather than Test network access including OS/400 report or Run Again.
Solution 1
Click on Test network access including OS/400 report or Run Again.
Cause 2
The change you made in the permissions definitions did not affect the permissions of the user you are using for the network access test.
Solution 2
1. First recheck the Bsafe Application Access Control permissions for the user you used for the assessment.
2. To be sure, select Windows Start > Run then enter the first command displayed in the Command column of the report. (i.e. ftp…). Enter the user and password you used for the assessment.
3. If the connection result on the previous step is not what you expected, the report is OK - recheck your permissions definitions.
4. If the connection result on the previous step is what you expected and the report does not reflect this result, view the file run_log.log in the product install folder. If the reason cannot be found in the log, send it to Bsafe support, with an explanation of the preceding events.
Cause 1
The admin user entered (after the user to be tested) does not have high enough object authority or is blocked by Bsafe (or other) exit programs from accessing ODBC. Blocking by Bsafe applies to power users like QSECOFR just like any other user.
Solution 1
Check the admin user is not blocked from accessing the Database (ODBC) server. One way you can check this is by running SQL scripts in Operations Navigator, using the admin user ID. When you are satisfied the admin user can successfully perform database operations, repeat the assessment.
Cause 2
The installation was not fully completed because the code was not updated at installation time.
Solution 2
1. Uninstall the server software by running setup.exe from the c:\bsaferisk folder, then choosing uninstall.
2. Reinstall by following the instructions, step by step, in the readme file in the c:\bsaferisk folder.
3. Run the assessment, as described in the readme file, referred to above.
4. If this does not solve the problem, please send the two files srv_set_log.log and run_log.log in the product install folder to Bsafe support, with an explanation of the preceding events.