Software Integrity Checker

The Software Integrity Checker (SIC) enables you to check the integrity of your FTM SWIFT software on the following systems:
  • Installation system
  • Customization system
  • Runtime system
The SIC detects if any of the files that are stored on your hard disk during FTM SWIFT installation was manipulated. Processing information is provided in the FTM SWIFT event log if event options have been specified. If no event options are used, the Software Integrity Checker will provide information in the system log [1]. System log entries issued by the SIC are similar to the following:
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1118I Starting integrity check using level: 3.2.4.0-20201026-0727.
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1109I Verifying the customization and runtime files in the directory
                                         '/opt/IBM/ftm/swift/v324'.
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1111I 1,032 files and 23 directories verified. 2 mismatches detected:
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1113I File 'admin/bin/dniccclt.jar' is missing or you have no read 
                                         access permissions.
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1112I File 'run/classes/dnpdic.jar' was changed. 
                                         Checksum: 013607DCBAB110E55B1E558C19AF56B78DCFFB5E219A36787661846CA8...

If the Software Integrity Checker reports manipulations on files, your system was probably tampered with and you must take appropriate actions.

Note: If you installed an emergency fix (eFix), the SIC also reports that the checksums of the replaced files are not correct. In this case, proceed as described in Emergency fix installation.
In addition, you are advised to do the following to ensure the integrity of your FTM SWIFT software:
  • Run the SIC at least once per day on both your customization system and your runtime system. To do this, you can, for example, set up a cron job.
  • Check the return code of the SIC after termination. For information on return code values, see Return codes.
  • Monitor the system and FTM SWIFT event log for messages from the SIC as described in Monitoring software integrity.
  • Ensure that the SIC is executed during startup of FTM SWIFT, that is, when the message broker starts. This can be done by creating a script file work_path/config/broker_name/profiles/ftmswift_startup.sh where:
    work_path
    The value of environment variable MQSI_WORKPATH
    broker_name
    The name of your message broker
    For example, create the file /var/mqsi/config/MQM1BRK/profiles/ftmswift_startup.sh with the following content:
    #!/bin/sh
    CLASSPATH=$CLASSPATH:/opt/mqm/java/lib/com.ibm.mq.jar;
    /opt/IBM/ftm/swift/v324/run/bin/dnpsic \
    -Djava.security.policy=/var/ftm/swift/v324/run/ftmswift.policy \
    -check runtime \
    -i INST1 -qmgr MQM1 -host localhost -channel SYSTEM.DEF.SVRCONN -port 1421;
    exit_code=$?
    # prevent broker startup in case of problems
    if [ "$exit_code" -ne 0 ] ; then
        echo "Message Broker startup canceled due to software integrity problems";
        exit "$exit_code";
    fi
    Notes:
    • If you use event options as shown in the example, you need to ensure that the queue manager is already running prior to starting the broker.
    • For more information on files being processed when the message broker starts, see the description of broker-specific command environment in the IBM Documentation for Message Broker.
[1] The system log entries are written using facility "local0".
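
For the system log monitoring recommended above, the following added example (not IBM code and not part of the original page) reads syslog text on standard input and reports the files that the SIC flagged. It assumes that real entries carry the message IDs and wording of the sample entries on this page, one entry per line; the names sic_scan and sic_sample are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): triage SIC entries in syslog text on stdin.
# Message IDs and wording are assumed to match the sample entries on this page.
# Prints "CHANGED <file>" or "MISSING <file>" per finding. Exit status:
#   0 = a check ran and reported nothing, 1 = mismatches reported,
#   2 = no DNPD1118I start message found (the scheduled check left no trace).
sic_scan() {
    awk -v q="'" '
        /DNPD1118I/ { ran = 1 }
        /DNPD1111I/ {
            # Summary line: "... verified. 2 mismatches detected:"
            if (match($0, /[0-9,]+ mismatch/)) {
                n = substr($0, RSTART, RLENGTH)
                sub(/ mismatch/, "", n); gsub(/,/, "", n)
                total += n
            }
        }
        /DNPD1112I|DNPD1113I/ {
            kind = ($0 ~ /DNPD1112I/) ? "CHANGED" : "MISSING"
            # The file name is the single-quoted token after "File "
            if (match($0, "File " q "[^" q "]*" q)) {
                print kind, substr($0, RSTART + 6, RLENGTH - 7)
                found++
            }
        }
        END {
            if (!ran) exit 2
            if (total > 0 || found > 0) exit 1
        }
    '
}

# Constructed sample modelled on the entries shown on this page
# (the checksum value is a placeholder, the sshd line is unrelated noise).
sic_sample() {
    cat <<'EOF'
May 11 08:40:15 server1.ibm.com sshd[4242]: constructed unrelated entry
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1118I Starting integrity check using level: 3.2.4.0-20201026-0727.
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1111I 1,032 files and 23 directories verified. 2 mismatches detected:
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1113I File 'admin/bin/dniccclt.jar' is missing or you have no read access permissions.
May 11 08:40:16 server1.ibm.com ftmuser: DNPD1112I File 'run/classes/dnpdic.jar' was changed. Checksum: PLACEHOLDER
EOF
}
```

Feed it the file that your syslog configuration uses for facility local0. Files replaced by an eFix also appear as CHANGED, so compare findings against the eFix contents before escalating.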