IBM Support

Managing access to products within the IBM i2 Intelligence Analysis Portfolio - Frequently Asked Questions

Product Documentation


Abstract

This document contains common questions and answers about the optional product access management capabilities of products in the IBM i2 Intelligence Analysis Portfolio.

Content

Question: Which products support product access management?
Answer:

  • IBM i2 Analyst's Notebook
  • IBM i2 Analyst's Notebook Premium
  • IBM i2 iBase User and Designer
  • IBM i2 Analyst's Workstation User and Designer (only the Analyst's Notebook and iBase components)

Question: How can personal computers on the network receive permits?
Answer: Depending on deployment, the following apply:
Normal connected-to-the-server use: The entitled number of permits are stored on a server at the customer premises. When a user starts a product with access management enabled, a permit is requested from the server. Based on availability, either a permit is provided or the request is rejected (because a permit is not available). When the user closes the product, the permit is returned to the server.
Borrowing from a server: While there is a network connection from the client computer to the server, it is also possible to borrow a permit. Permits can be borrowed for a minimum of a day and for any period up to five years. While borrowed, the permit is stored on the local computer, and is only available for use on that computer. The local permit is used instead of attempting to gain a permit from the server. This means that the computer can disconnect from the network and still use the protected product. While the permit is borrowed, it is not available for use from the pool of permits on the server. This borrowed permit is usable until the day count reaches zero. When the day count reaches zero, the permit is not usable on the computer that borrowed it. The permit is made available on the server again.
Borrowing remotely: If there is no network connection, it is possible to use tools on the product distribution media to borrow a permit remotely. When borrowed, the experience is the same as for borrowing from a network. Note that for this process to work, there must be a method for exchanging text files (for example, by email or USB stick).

Question: How can I deploy permits to computers that are not connected to the network, and is it possible to limit time of usage?
Answer: The 'Borrowing from a server' and 'Borrowing remotely' descriptions in the previous answer address this question.
The approximate process for borrowing remotely is as follows:
  1. On the remote computer
    • Run a command-line tool (supplied on the distribution media)
    • Send the resulting text file to an administrator that has access to the server
  2. On the network that is connected to the permit server
    • The administrator runs another tool. This tool uses the file that is generated by the remote computer to borrow the required permits for the number of days required.
    • The administrator sends the resulting text file to the user of the remote computer
  3. On the remote computer
    • Run another command-line tool to apply the permits

Question: Is it possible to hand over permits on a USB flash drive?
Answer: Yes. Remote borrowing is possible, and borrowed licenses can be transferred on a USB flash drive.

Question: What is the upgrade path for customers that use software license management (SLM)?
Answer: The old software license management and new product access management are not compatible with each other. To take advantage of product access management, customers must uninstall any existing licensing mechanism before installation. Any SLM permits become redundant and product access management permits must be requested.

Question: Can the permits be maintained on different servers?
Answer: Yes. You can maintain permits on multiple servers. A basic scenario would be to use two servers on your network to ensure that some permits are always available. You might have half of the total number of permits on each server. Under default operation, the client broadcasts a request to all servers on the network, and uses the first one to respond. It is possible to configure the client to go to a specific server, and also to configure a search order. In this situation, configure half your clients to connect to server 1 first, and half to connect to server 2 first. This configuration balances your usage over the two servers and also gives a level of backup in the event of server failure.

Question: Is a mirroring of permits on different servers possible?
Answer: No. Mirroring is not supported. An alternative might be to set the search order as detailed in the previous answer.

Question: Is it possible to place a time limit on the allocation of a permit?
Answer: It depends on the deployment:
Normal connected-to-the-server use: When a user starts the product, the computer requests a permit from the server. While the permit is allocated, that permit cannot be used by anyone else until it is returned to the pool. When the user closes the product, the permit is made available for use on another computer again.
Borrowing from a server & Borrowing remotely: In the 'borrowing' scenario, a permit is allocated to the computer for a time period, ranging from one day up to five years. The advice is always to set a sensible 'borrowing' period. For example, if the user is working remotely for seven days, set the period for seven days.

Question: What is the smallest time period that a permit can be allocated for?
Answer: Permits can be borrowed for a minimum of one day.

Question: What happens to a permit if the computer that contains that permit is stolen? Is it possible to retrieve the permit?
Answer: There is no specific way to "pull" a permit back to the server. Where 'connected-to-the-server' use applies, the permit is returned as soon as the program is closed. In the 'borrowing' scenario, the recommendation is to implement sensible borrowing times. For example, if the user is working remotely for 10 days, then set the borrowing time for 10 days. If the computer is stolen after seven days, on the 10th day the permit would be automatically returned. Alternatively, you can request a replacement permit file from IBM, which would then supersede your original permit file.

Question: Can I manage permits myself?
Answer: No. IBM provides a permit file that is structured according to your needs as defined in the request form. You are not able to configure the permit file after it is delivered. If the structure changes over time, come back to IBM and request a replacement permit file.

Question: Is it possible to limit the number of permits available for checkout?
Answer: Yes. Through some implementation setup, permits can be limited. In your design, identify at least two servers:
  • The first server holds most of the permits that will be allocated/available.
  • The second server holds a small set of permits that are not allocated and not advertised.
If a user wants access to a product, and there are no permits available from the first server, provide access to the second server and use those permits.

Question: Is it possible to report on concurrent usage?
Answer: Each transaction that is carried out by the server is logged in the following format:

0 1 MTY1NQ== Fri Mar 12 14:42:55 2010 1268404975 ANB.main v8 0 1 0 Administrator TestBed_Shwcase 8.3.0.900 1 - - - - - - 0 - - - MA== 655259 MTI2OTA2MDIzNA==

This log file can be exported as a CSV file. By looking at the highlighted entry, you can see how many permits are in use at that moment. See the IBM i2 Product Access Management Administration Guide for more information.
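The following added example (not IBM code, and not taken from the Administration Guide) tokenizes the sample log line above for audit scripting. It assigns no meanings to fields: it only assumes, from the sample, that tokens 3 to 7 form a text timestamp, that token 8 is the matching Unix epoch, and that padded Base64 tokens wrap plain ASCII values.

```python
import base64
import binascii
import calendar
import re
import time

# The single log line shown on this page, copied verbatim.
SAMPLE = ("0 1 MTY1NQ== Fri Mar 12 14:42:55 2010 1268404975 ANB.main v8 0 1 0 "
          "Administrator TestBed_Shwcase 8.3.0.900 1 - - - - - - 0 - - - "
          "MA== 655259 MTI2OTA2MDIzNA==")

# Only '='-padded tokens are treated as Base64, so ordinary words and
# numbers are never mis-decoded (unpadded Base64 would be left as-is).
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={1,2}$")


def decode_token(tok):
    """Return the decoded text of a padded Base64 token, else the token unchanged."""
    if B64_TOKEN.match(tok):
        try:
            return base64.b64decode(tok, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return tok


def parse_line(line):
    """Split one log line into positional tokens; field names are not assumed."""
    toks = line.split()
    # Assumption from the sample: tokens 3..7 are a ctime-style timestamp
    # and token 8 is the same instant as a Unix epoch.
    stamp = time.strptime(" ".join(toks[3:8]), "%a %b %d %H:%M:%S %Y")
    epoch = int(toks[8])
    return {
        "timestamp": stamp,
        "epoch": epoch,
        # Seconds between the text timestamp read as UTC and the epoch field;
        # a non-zero value means the text was written in local time.
        "utc_offset_s": calendar.timegm(stamp) - epoch,
        "fields": [decode_token(t) for t in toks],
    }


if __name__ == "__main__":
    rec = parse_line(SAMPLE)
    print(rec["epoch"], rec["utc_offset_s"], rec["fields"])
```

In the sample, the last token decodes to a second epoch value, and the token before it equals the difference between that value and token 8. Map token positions to field names from the IBM i2 Product Access Management Administration Guide before building reports on them.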

Question: Are the product access management capabilities deployable and supported in virtual environments?
Answer: The virtual environments that are supported for each of the products that use access management are listed in the relevant system requirements documents.

Question: We have hundreds of desktops that require product access management capabilities. Can 'push' tools be used (for example, SMS)?
Answer: Like the rest of our products that use Microsoft Installer, silent installs across a network are possible. The parameters that are used are described in the IBM i2 Product Access Management Administration Guide.

Question: Is product access management a proprietary IBM solution?
Answer: No, product access management is based on third-party technology from SafeNet Inc.

Question: What operating systems are supported by the Sentinel RMS license server that enables product access management capabilities?
Answer: Sentinel RMS license server includes support for the following operating systems:
  • 32-bit versions of Windows Server 2000, 2003, and 2008
  • 64-bit versions of Windows Server 2003, 2008, and 2008 R2

Question: Can IBM i2 Intelligence Analysis Portfolio products at version 8.9 be installed alongside older versions of those products?
Answer: No. 8.9 products are not compatible with earlier versions.

Question: Is it possible for an administrator to control when permits are required?
Answer: Yes. When a product is installed with product access management configured, a permit is always required, and the administrator controls access to permits.

Question: When permit files are requested, what information about my network is accessible by IBM?
Answer: The lock codes that are used to identify each server are generated from the server's MAC address and disk ID. The information is hashed with the SHA-256 algorithm. It is not possible to work back to the original information that generated the code.

Question: In what country are the permit files generated?
Answer: The permit files are generated in the United Kingdom, and distributed from the United Kingdom and the USA. All supported countries can use the permits that are generated.

Question: Are there plans to support product access management in the IBM i2 Intelligence Analysis Platform?
Answer: Not currently.

Question: Is it possible to run more than 1 Sentinel RMS license server per machine?
Answer: No, you can only run 1 Sentinel RMS license server per machine. You should be able to use permits from multiple software vendors on the same server (the only aspect to watch out for is the version of the server software).

Question: What might prevent my client broadcast from finding the Sentinel RMS license server?
Answer: The Sentinel RMS license server must exist in the same subnet as the client that is broadcasting.


Document Information

Modified date:
19 February 2022

UID

swg27037961