Anonymous_User Absent Member.

IBM i integration

Hello everyone,

I am working with a customer that is using several IBM i systems, and
they have asked us to integrate them with the Sentinel system we
recently deployed.

This is a first for us, and we are struggling a bit with the NetIQ
documentation regarding the NSSi agent at
https://www.netiq.com/support/sentinel/plugins/prod/collectors/IBM_i_2011.1r5.html#ObserverConfiguration_section


The documentation mentions "Install iSeries Agent NSSi 8.1 on IBM i
Server", but it is hard to determine which part of NSS is the actual
agent. The documentation further refers to the NSSi installation guide,
which mentions a large number of components, none of which is called
"Agent" or similar.

Specifically, the questions we have are:
1. *Exactly* which NSSi components need to be deployed on the i server
2. In order to receive events, do we need to set up NetIQ Security
Manager, or Agent Manager, or both?

It would be great if anyone could clarify things a bit.
Regards,

Mark

0 Likes
6 Replies
Anonymous_User Absent Member.

Re: IBM i integration

mvreijn,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.netiq.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.netiq.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.netiq.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
http://forums.netiq.com


0 Likes
Anonymous_User Absent Member.

Re: IBM i integration


Hello Mark,

I tried some time ago to connect one iSeries server to Sentinel. It
was a bit problematic with the mentioned "security extension"; in the end
the customer gave up on the concept, but our last idea was to install
syslog-ng from BalaBit and fine-tune the collector script a bit.

--
Arek



0 Likes
Micro Focus Frequent Contributor

Re: IBM i integration


Hi Mark,

The entire NSSi product must be deployed to the i server as there are
presently no options to only install select portions of it.

These are the chapters you'll need:
Chapter 2 Planning to Install NetIQ Security Solutions for iSeries
Chapter 3 Installing NetIQ Security Solutions for iSeries
Chapter 4 Configuring NetIQ Security Solutions for iSeries Components ->
Configuring Communication in Heterogeneous Enterprises section
Chapter 6 Configuring Security Manager Support

Thanks,
John


--
jgassner

0 Likes
Anonymous_User Absent Member.

Re: IBM i integration

On 2015-06-15 13:44:01 +0000, jgassner said:

> Hi Mark,
>
> The entire NSSi product must be deployed to the i server as there are
> presently no options to only install select portions of it.
>
> These are the chapters you'll need:
> Chapter 2 Planning to Install NetIQ Security Solutions for iSeries
> Chapter 3 Installing NetIQ Security Solutions for iSeries
> Chapter 4 Configuring NetIQ Security Solutions for iSeries Components ->
> Configuring Communication in Heterogeneous Enterprises section
> Chapter 6 Configuring Security Manager Support
>
> Thanks,
> John


Thanks for that insight. We have not been able to get any results yet, however.

In the meantime, we have installed the following components on the IBM
i machines:
* PSAudit
* PSSecure
* PSDetect

Also, the following services are running:
* ZPSE subsystem
* PSEAGENT (PGM-PSEAGENT)
* PSEAGENTD
* PSECA (PGM-VigilEntAgent)

The IBM i servers are listening on port 1622 and the remote Agent
Manager port is set to 1636 (following the Agent Manager docs).
All servers can properly connect to each other, and a Windows Agent
delivers events to Sentinel already.

Now when we try to register the IBM i agent using the Agent Manager
Console, we get an error in the Windows Event Log stating "Could not
register agent <hostname>" with Event ID 31017.

We can see communication to the IBM i server on port 1622, a few
packets going back and forth and then nothing.
No further explanation on the Agent Manager side, no logging on the IBM
i Agent side (logging is set to 2).

What are our options?

0 Likes
Anonymous_User Absent Member.

Re: IBM i integration

On 2015-07-07 13:28:25 +0000, mvreijn said:

> On 2015-06-15 13:44:01 +0000, jgassner said:
>
>> <snip>

>
> In the meantime, we have installed the following components on the IBM
> i machines:
> * PSAudit
> * PSSecure
> * PSDetect
>
> Also, the following services are running:
> * ZPSE subsystem
> * PSEAGENT (PGM-PSEAGENT)
> * PSEAGENTD
> * PSECA (PGM-VigilEntAgent)
>
> The IBM i servers are listening on port 1622 and the remote Agent
> Manager port is set to 1636 (following the Agent Manager docs).
> All servers can properly connect to each other, and a Windows Agent
> delivers events to Sentinel already.
>
> Now when we try to register the IBM i agent using the Agent Manager
> Console, we get an error in the Windows Event Log stating "Could not
> register agent <hostname>" with Event ID 31017.
>
> We can see communication to the IBM i server on port 1622, a few
> packets going back and forth and then nothing.
> No further explanation on the Agent Manager side, no logging on the IBM
> i Agent side (logging is set to 2).
>
> What are our options?


Since we suspect that the issue lies with client-server communication,
we started to debug the SSL connections.
It seems that there is a violation of the SSL protocol, because the
NSSi Agent responds to our SSL client with a ClientHello instead of a
ServerHello:

# openssl s_client -connect <hostname>:1622 -showcerts -ssl3 -msg
CONNECTED(00000003)
>>> SSL 3.0 Handshake [length 007f], ClientHello

01 00 00 7b 03 00 55 9b e9 82 99 fb f7 37 a5 92
b1 5f 93 51 5b 10 c9 52 18 1b 79 22 7a f6 14 a0
4d 6a d0 5c 9f f9 00 00 54 00 39 00 38 00 35 c0
14 c0 0f c0 0a c0 05 00 88 00 87 00 84 c0 12 c0
0d c0 08 c0 03 00 16 00 13 00 0a 00 33 00 32 00
2f c0 13 c0 0e c0 09 c0 04 00 45 00 44 00 41 c0
11 c0 0c c0 07 c0 02 00 05 00 04 00 15 00 12 00
09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00
<<< SSL 3.0 Handshake [length 004b], ClientHello
01 00 00 47 03 00 55 9b e9 67 86 29 be c7 bc d9
56 22 e7 52 a9 e2 02 1f 8a 55 6e 68 ec cc 34 3e
8d 1e 42 c1 68 1b 00 00 20 00 39 00 35 00 16 00
0a 00 33 00 2f 00 05 00 04 00 62 00 15 00 09 00
64 00 60 00 14 00 08 00 03 01 00
>>> SSL 3.0 Alert [length 0002], fatal unexpected_message

02 0a
5584:error:14092072:SSL routines:SSL3_GET_SERVER_HELLO:bad message type:s3_clnt.c:730:

This would mean that when the Agent Manager server connects to the
Agent (which it does, according to our packet traces), it is met by a
ClientHello and barfs.
Is anybody using the NSSi agent to collect iSeries log events? Or is
the (deprecated) syslog method still the way to go?

/Mark

0 Likes
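
The two handshake messages in the openssl output above can be decoded byte by byte. The following is an added example, not part of the original posts (`parse_hello` and `summarize` are names chosen here); it parses both dumps and reports the message type, protocol version and cipher suites of each.

```python
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}

# Bytes copied from the ">>>" (sent) and "<<<" (received) dumps in the post.
SENT = bytes.fromhex("""
01 00 00 7b 03 00 55 9b e9 82 99 fb f7 37 a5 92
b1 5f 93 51 5b 10 c9 52 18 1b 79 22 7a f6 14 a0
4d 6a d0 5c 9f f9 00 00 54 00 39 00 38 00 35 c0
14 c0 0f c0 0a c0 05 00 88 00 87 00 84 c0 12 c0
0d c0 08 c0 03 00 16 00 13 00 0a 00 33 00 32 00
2f c0 13 c0 0e c0 09 c0 04 00 45 00 44 00 41 c0
11 c0 0c c0 07 c0 02 00 05 00 04 00 15 00 12 00
09 00 14 00 11 00 08 00 06 00 03 00 ff 01 00
""")
RECEIVED = bytes.fromhex("""
01 00 00 47 03 00 55 9b e9 67 86 29 be c7 bc d9
56 22 e7 52 a9 e2 02 1f 8a 55 6e 68 ec cc 34 3e
8d 1e 42 c1 68 1b 00 00 20 00 39 00 35 00 16 00
0a 00 33 00 2f 00 05 00 04 00 62 00 15 00 09 00
64 00 60 00 14 00 08 00 03 01 00
""")

def parse_hello(msg):
    """Decode an SSL 3.0 ClientHello or ServerHello handshake message."""
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    if length != len(msg) - 4:
        raise ValueError("length field does not match message size")
    if msg_type not in HANDSHAKE_TYPES:
        raise ValueError(f"not a hello message: type {msg_type}")
    version = (msg[4], msg[5])
    pos = 4 + 2 + 32                 # header, version, 32-byte random
    pos += 1 + msg[pos]              # length-prefixed session id
    if msg_type == 1:                # ClientHello: list of offered suites
        n = int.from_bytes(msg[pos:pos + 2], "big")
        pos += 2
    else:                            # ServerHello: one selected suite
        n = 2
    suites = [int.from_bytes(msg[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    return {"type": HANDSHAKE_TYPES[msg_type], "version": version, "suites": suites}

def summarize():
    sent, received = parse_hello(SENT), parse_hello(RECEIVED)
    common = [s for s in sent["suites"] if s in received["suites"]]
    return sent, received, common

if __name__ == "__main__":
    sent, received, common = summarize()
    for label, h in (("sent", sent), ("received", received)):
        print(label, h["type"], "version", h["version"], len(h["suites"]), "suites")
    print("suites offered by both sides:", [f"0x{s:04x}" for s in common])
```

Both messages parse as well-formed SSL 3.0 ClientHello messages, so the bytes agree with the labels openssl printed.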
Micro Focus Frequent Contributor

Re: IBM i integration


Hi Mark,

I think your best bet at this point is to open a service request with
technical support so that this question can efficiently be routed to the
people with the right expertise.

Thanks,
John


--
jgassner

0 Likes