Using OS/2 systems

This section contains information specific to installing preliminary security software prior to installing Tivoli Management Framework on an IBM OS/2 operating system. This information applies to managed nodes and gateways.

Security support is installed independently at the OS/2 machine by performing the following procedures:

* Enabling Security Enabling Services (SES)
* Installing system fixes and upgrades
* Upgrading the rexecd utility
* Ensuring reverse name resolution
* Installing Tivoli Management Platform Security
* Making security modifications
* Adding new users
* Blocking unauthorized TCP/IP access
* Configuring TCP/IP to support the OS/2 gateway

Because OS/2 is a single-user system, you need to install SES to add UNIX-like security. After installing the Tivoli management platform security for OS/2 function, all installations that affect controlled files (such as config.sys, secure.sys, or the Tivoli directories) must be done from the root user, the default administrator.

All parts of the security enabling process are performed on the OS/2 machine except mutual verification of name resolution, which must be performed on the OS/2 machine and Tivoli server.

Enabling Security Enabling Services

Before you can install necessary OS/2 system fixes (fixpaks), you must enable SES. To enable SES, perform the following steps:

1. From the OS/2 desktop, double-click the OS/2 System icon. The OS/2 System window is displayed.
2. Double-click System Setup. The System Setup window is displayed.
3. Double-click Install/Remove. The Install/Remove window is displayed.
4. Double-click Selective Install. The Selective Install window is displayed.
5. Click Next.
6. Click Next.
7. Select the Optional System Components check box.
8. Click the More button beside this option.
9. Select the Security check box.
10. Click OK.
11. Click Next and proceed with the installation.
12. Reboot your system.

Enablement services can be downloaded from the IBM Web site.
Contact your IBM service provider for information about locating and accessing the appropriate Web site. From the Web site, download the following files:

security.bbs
    An upack2-format file of the code with the installation utility included.
warpses.txt
    The file that explains how to install security.bbs.

Installing system fixes and upgrades

After you have enabled security, you must install system fixes and upgrades.

Note: For Warp 4.0, the minimum fixpak is XR_M007. For Warp Server Advanced, the minimum fixpak is XR_W037.

If you use Remote Software Upgrade (RSU) technology, you can access these fixpaks from the same Web site. If you want, you can install RSU technology if you do not already have it. Contact your IBM service provider for information about locating and accessing the appropriate Web site.

Upgrading the rexecd utility

If you are using TCP/IP, Version 4.0 or 4.1, you need to upgrade the rexecd utility to make this utility compatible with Tivoli Remote Execution Service on Windows operating systems and rexecd on UNIX operating systems.

Upgrading rexecd for TCP/IP Version 4.0

If you have TCP/IP Version 4.0 installed, perform the following steps:

1. Download both rexecd fix IC19029 and the associated README file from IC19029 for TCP/IP, Version 4.0.
2. Follow the instructions in the README file to ensure that you add the -q option on the invocation of rexecd:
   1. Issue the tcpcfg command from an OS/2 command line.
   2. When the Settings window is displayed, click the Autostart tab.
   3. Modify the rexecd settings to add the -q option.

Upgrading rexecd for TCP/IP Version 4.1

If you are using TCP/IP, Version 4.1, perform the following steps:

1. Download both rexecd fix IC19029 and the associated README file from IC19029 for TCP/IP, Version 4.0.
2. Follow the instructions in the README file to ensure that you add the -q option on the invocation of rexecd.
   1. Double-click the TCP/IP Configuration icon.
   2. When the Settings window appears, click the Autostart tab.
   3. Modify the rexecd settings to add the -q option.

Verifying the upgrades

When these upgrades are complete, run the syslevel command to verify that you have the correct corrective service delivery (CSD) levels installed. The output of the syslevel command shows CSD level XR_M007 (for Warp 4.0) or XR_W037 (for all other versions of the operating system).

Ensuring reverse name resolution

You need to ensure that the Tivoli server and the gateway have reverse name resolution. To do this, you need to use the nslookup command to ensure that the Tivoli server has the correct name for the OS/2 machine and that the OS/2 machine has the correct name for the Tivoli server:

1. On the Tivoli server, enter the following command and record the host name and host ID that it displays:

       nslookup gateway

2. On the OS/2 machine, enter the following command and record the host name and host ID that it displays:

       nslookup Tivoli_server

The results are the host name and IP address of the queried system. If you get unexpected results, your Domain Name System (DNS) resolution is not operational. You can also see the host name and IP address for the OS/2 machine by running the hostname and hostid commands, respectively.

If you get unexpected results, check the hosts file on the Tivoli server to see whether these entries are in it. Ensure that the names in the hosts file match, including case.

Installing Tivoli Management Platform Security

Installable Security Subsystems operate in an environment provided by a component of the OS/2 operating system called Security Enabling Services (SES). The architecture of SES allows only one Installable Security Subsystem at a time to be active on an OS/2 machine. Because of this, you must use the Installable Security Subsystem supplied with Tivoli Management Framework.

Before you can install a gateway on an OS/2 system, you must install the Tivoli management platform security for OS/2 function.
This OS/2 function is packaged on the Tivoli Management Framework 1 of 2 CD. To install the security application, perform the following steps:

1. With the Tivoli Management Framework CD in the CD-ROM drive, change to the \OS2SEC subdirectory.
2. Enter install.
3. The information window is displayed. After you read this information, click Continue.
4. When the Install window is displayed, click OK.
5. An Install Progress bar and a message window appear. When installation is complete, the Installation and Maintenance window prompts you to reboot because of changes to your config.sys file. Click OK.
6. Reboot your system. Log on with the default user ID root and the default password root.
7. After reboot, when the Tivoli management platform security for OS/2 screen appears, press Ctrl+Alt+Del to change your password. Enter your new password twice in the Change User Password window and click OK.

Making security modifications

Because the Tivoli management platform security for OS/2 function blocks all known opportunities for unintended modification of your OS/2 system, you might need to disable parts of the security system until after you install the OS/2 gateway. Until installation is complete, you might want to edit your config.sys file to change the trusted path statement to read:

    set trustedpath=no
    set backgroundbitmap=x:\os2\security\ses\tivoli2.bmp

where x is the boot drive.

This allows you to press the Enter key to open the security log window instead of Ctrl+Alt+Del. It also allows you to take a system dump to diskette using Ctrl+Alt+NumLock.

Adding new users

After the Tivoli management platform security for OS/2 function is installed, you can add new users. root is your default administrator. You can define additional administrators or users as needed.

Note: You do not need to add new users for Tivoli functions.

To add new users, perform the following steps:

1. From the OS/2 desktop, double-click the Tivoli Management Platform (TMP) Security icon. The TMP Security window is opened.
2. From this window, double-click the Local Work Station icon to open its properties window.
3. Click the User tab and then click the Create user button. This opens a Create a User Account window.
4. Type the user ID and a description of the user you are adding. A description must be entered or the record cannot be created.
5. Select a user type, either user or administrator. To define an administrator, select Administrator.
6. Allow the user to log on by selecting Logon-Allowed.
7. Enter a password for the user. Enter it again for verification.
8. Select the do not lock check box or set a time value as the Inactivity Time-Out period.
9. When this information is complete, click OK.
10. Close the windows you no longer need.

Blocking unauthorized TCP/IP access

Although the Tivoli management platform security for OS/2 function is robust enough to block access from users entering the system using the rexecd utility, it cannot block access from TCP/IP file transfer utilities. This includes:

ftp
    Prior to TCP/IP for OS/2, Version 4.1, user ID and password security for file transfer protocol (FTP) were controlled within FTP using the trusers file. The Tivoli management platform security for OS/2 function cannot control FTP access.
telnet
    TCP/IP for OS/2, Version 4.1, provides improved security support. All releases of TCP/IP for OS/2 prior to Version 4.1 include the telnet password in the config.sys file. You control telnet access using this password.
rsh
    Remote shell (RSH) controls access using the rhosts file.

The system administrator is responsible for managing these applications.

Configuring TCP/IP to support the OS/2 gateway

You need to configure your TCP/IP system to automatically start the inetd, rexecd, sendmail, and portmap services. The rexecd service processes binary data and might cause your system to beep and your installation could fail.
This can be disabled in the following ways:

* Starting the rexecd service in a foreground session (minimized) and passing it the -q option.
* Starting the rexecd service under the super daemon (inetd) and adding the following line to the config.sys file:

      set quietmode=yes
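
The hosts-file comparison from "Ensuring reverse name resolution" can be run offline against copies of each machine's hosts file. The following is an added example, not part of the Tivoli documentation: it checks that a name maps to the expected address, that the address maps back to the name, and that the spelling matches including case. The host names and addresses are constructed, and the expected name and address stand for what the hostname and hostid commands report on the peer.

```python
def parse_hosts(text):
    """Return [(ip, [names])] from hosts-file text, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def check_entry(hosts_text, name, ip):
    """Compare one hosts file with the name and IP the peer reports for itself.

    Returns a list of problem strings. An empty list means the forward
    (name -> IP) and reverse (IP -> name) views agree, including case.
    """
    problems = []
    entries = parse_hosts(hosts_text)
    by_name = [addr for addr, names in entries if name in names]
    case_only = sorted({n for _, names in entries for n in names
                        if n != name and n.lower() == name.lower()})
    if case_only:
        problems.append(f"case mismatch: hosts file has {', '.join(case_only)}, peer reports {name}")
    elif not by_name:
        problems.append(f"no entry for {name}")
    for addr in by_name:
        if addr != ip:
            problems.append(f"{name} maps to {addr}, expected {ip}")
    for addr, names in entries:
        if addr == ip and all(n.lower() != name.lower() for n in names):
            problems.append(f"{ip} is listed as {names[0]}, expected {name}")
    return problems


# Constructed sample data: documentation addresses and hypothetical host names.
TIVOLI_SERVER_HOSTS = """\
# hosts file on the Tivoli server
192.0.2.10   tivsrv
192.0.2.20   OS2GW01      # OS/2 gateway
"""
OS2_HOSTS = """\
192.0.2.10   tivsrv
192.0.2.20   os2gw01
"""

if __name__ == "__main__":
    print(check_entry(TIVOLI_SERVER_HOSTS, "os2gw01", "192.0.2.20"))
    print(check_entry(OS2_HOSTS, "tivsrv", "192.0.2.10"))
```
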