<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Secure system access levels" />
<meta name="abstract" content="To help you implement the required level of security for your company, you may wish to restrict system access by using the password system values. A company can control the level of security by setting the password system values appropriately." />
<meta name="description" content="To help you implement the required level of security for your company, you may wish to restrict system access by using the password system values. A company can control the level of security by setting the password system values appropriately." />
<meta name="DC.Relation" scheme="URI" content="rzakzmanage.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzoverviewparent.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzpasswordoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzpasswordoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzfinder.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzoverviewparent.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakzsecureaccess" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Secure system access levels</title>
</head>
<body id="rzakzsecureaccess"><a name="rzakzsecureaccess"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Secure system access levels</h1>
<div><p>To help you implement the required level of security for your company,
you may wish to restrict system access by using the password system values.
A company can control the level of security by setting the password system
values appropriately.</p>
<p>For example, if your company has recently added an iSeries™ that runs highly confidential
financial applications, you should probably reassess your company's system
security policy. In general, your company follows a moderately strict security
policy. So, rather than completely rewriting the policy, you decide to restrict
signon access to the new Finance system by tightening the password rules.</p>
<p>To secure entry into the Finance system, you must do the following:</p>
<ul><li>Set a policy that states that passwords must not be trivial and must not
be shared.</li>
<li>Set system values to help you enforce the new policy. (See <a href="#rzakzsecureaccess__sysvalueset">Table 1</a>.)</li>
</ul>
<p>In addition, you may also want to provide users with this information:</p>
<ul><li>A list of the criteria for passwords.</li>
<li>Examples of passwords that are and are not valid. (See <a href="#rzakzsecureaccess__expassword">Table 2</a>.)</li>
<li>Suggestions for how to think of a good password.</li>
</ul>
<p>The following table lists the recommended password system value settings
to implement your new password requirements. (These values can be changed depending
on how strictly you want to control signon access.)</p>
<div class="tablenoborder"><a name="rzakzsecureaccess__sysvalueset"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzakzsecureaccess__sysvalueset" frame="void" border="0" rules="none"><caption>Table 1. System value
settings</caption><thead align="left"><tr><th valign="top" id="d0e59">Name in iSeries Navigator</th>
<th valign="top" id="d0e64">Recommended value</th>
<th valign="top" id="d0e66">Name in character-based interface</th>
</tr>
</thead>
<tbody><tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdexpitv.htm">Password expiration</a></td>
<td valign="top" headers="d0e64 ">60 days</td>
<td valign="top" headers="d0e66 ">QPWDEXPITV</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdlmtajc.htm">Restrict consecutive digits</a></td>
<td valign="top" headers="d0e64 ">Yes</td>
<td valign="top" headers="d0e66 ">QPWDLMTAJC</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdlvl.htm">Password level</a></td>
<td valign="top" headers="d0e64 ">3 (See note <a href="#rzakzsecureaccess__password">1</a>.)</td>
<td valign="top" headers="d0e66 ">QPWDLVL</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdmaxlen.htm">Maximum password length</a></td>
<td valign="top" headers="d0e64 ">8 characters</td>
<td valign="top" headers="d0e66 ">QPWDMAXLEN</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdminlen.htm">Minimum password length</a></td>
<td valign="top" headers="d0e64 ">6 characters</td>
<td valign="top" headers="d0e66 ">QPWDMINLEN</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdposdif.htm">Require a new character in each position</a></td>
<td valign="top" headers="d0e64 ">Yes</td>
<td valign="top" headers="d0e66 ">QPWDPOSDIF</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdrqddgt.htm">Require at least one digit</a></td>
<td valign="top" headers="d0e64 ">Yes</td>
<td valign="top" headers="d0e66 ">QPWDRQDDGT</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdrqddif.htm">Password reuse cycle</a></td>
<td valign="top" headers="d0e64 ">10 passwords</td>
<td valign="top" headers="d0e66 ">QPWDRQDDIF</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdvldpgm.htm">Password validation program</a></td>
<td valign="top" headers="d0e64 ">None (See note <a href="#rzakzsecureaccess__sysvalue">2</a>.)</td>
<td valign="top" headers="d0e66 ">QPWDVLDPGM</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdlmtrep.htm">Restrict repeating characters</a></td>
<td valign="top" headers="d0e64 ">Characters may not be used consecutively</td>
<td valign="top" headers="d0e66 ">QPWDLMTREP</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
<tr><td valign="top" headers="d0e59 "><a href="rzakzqpwdlmtchr.htm">Restricted characters</a></td>
<td valign="top" headers="d0e64 ">A,E,I,O,U,@,#, and $</td>
<td valign="top" headers="d0e66 ">QPWDLMTCHR</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e59 d0e64 d0e66 "> </td>
</tr>
</tbody>
</table>
</div>
<div class="note"><span class="notetitle">Notes:</span> <ol><li id="rzakzsecureaccess__password"><a name="rzakzsecureaccess__password"><!-- --></a>You may not be able to use password level 3 (Long passwords
using an unlimited character set. Disable iSeries NetServer™ on Windows<sup>®</sup> 95/98/ME
clients.) if you need to connect to or from an iSeries server at V5R1 or earlier or
a server that does not support long passwords.</li>
<li id="rzakzsecureaccess__sysvalue"><a name="rzakzsecureaccess__sysvalue"><!-- --></a>To change this system value, you must use the character-based
interface. It is not in iSeries Navigator. Open a character-based interface
and type: <pre>CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE('*NONE')</pre>
</li>
</ol>
</div>
<p>The following table provides examples of good and bad passwords:</p>
<div class="tablenoborder"><a name="rzakzsecureaccess__expassword"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="rzakzsecureaccess__expassword" frame="border" border="1" rules="all"><caption>Table 2. Example passwords</caption><thead align="left"><tr><th valign="top" id="d0e231">Password</th>
<th valign="top" id="d0e233">Details</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e231 ">JohnDoe</td>
<td valign="top" headers="d0e233 ">Bad. Do not use a name. Also, no digits are used.</td>
</tr>
<tr><td valign="top" headers="d0e231 ">112000</td>
<td valign="top" headers="d0e233 ">Bad. Do not use a date that can be identified with you.</td>
</tr>
<tr><td valign="top" headers="d0e231 ">aaaxyz</td>
<td valign="top" headers="d0e233 ">Bad. Repeats the same character more than 2 times consecutively and uses a character that
is not allowed (a). Also, no digit is used.</td>
</tr>
<tr><td valign="top" headers="d0e231 ">cm2s0j</td>
<td valign="top" headers="d0e233 ">Good. Meets all the criteria for a good password.</td>
</tr>
<tr><td valign="top" headers="d0e231 ">c0mptr</td>
<td valign="top" headers="d0e233 ">Good. Meets all the criteria for a good password.</td>
</tr>
<tr><td valign="top" headers="d0e231 ">Mfc1RB</td>
<td valign="top" headers="d0e233 ">Good. Meets all the criteria for a good password. The strategy for this
password uses the first letter of each word in a sentence, 'My favorite color
is Royal Blue.' It also replaces the vowel with a number and uses a combination
of upper and lower case characters.</td>
</tr>
</tbody>
</table>
</div>
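<p>Added example (not part of the original IBM topic, and not i5/OS code): a Python model of the Table 1 rules that reports which system value each candidate password would violate, run against the Table 2 passwords. The names <code>POLICY</code>, <code>violations</code> and <code>table_2_report</code>, the plaintext <code>history</code> list, and the case-insensitive matching of restricted characters (taken from the aaaxyz row of Table 2) are assumptions of this example.</p>

```python
import re

# Table 1 settings, keyed by character-based system value name.
# The dictionary layout is an assumption of this example.
POLICY = {
    "QPWDMINLEN": 6,
    "QPWDMAXLEN": 8,
    "QPWDRQDDGT": True,        # require at least one digit
    "QPWDLMTAJC": True,        # restrict consecutive (adjacent) digits
    "QPWDLMTREP": True,        # characters may not be used consecutively
    "QPWDLMTCHR": "AEIOU@#$",  # restricted characters
    "QPWDPOSDIF": True,        # new character in each position
    "QPWDRQDDIF": 10,          # password reuse cycle
}

# Passwords from Table 2 with the verdict the table gives them.
TABLE_2 = {"JohnDoe": "Bad", "112000": "Bad", "aaaxyz": "Bad",
           "cm2s0j": "Good", "c0mptr": "Good", "Mfc1RB": "Good"}


def violations(candidate, history=(), policy=POLICY):
    """Return the system values that `candidate` violates.

    `history` holds earlier passwords, most recent first. Keeping them in
    plaintext is a simplification for this model only.
    """
    pairs = list(zip(candidate, candidate[1:]))
    checks = [
        ("QPWDMINLEN", len(candidate) < policy["QPWDMINLEN"]),
        ("QPWDMAXLEN", len(candidate) > policy["QPWDMAXLEN"]),
        ("QPWDRQDDGT", policy["QPWDRQDDGT"]
            and not re.search(r"[0-9]", candidate)),
        ("QPWDLMTAJC", policy["QPWDLMTAJC"]
            and bool(re.search(r"[0-9]{2}", candidate))),
        ("QPWDLMTREP", policy["QPWDLMTREP"]
            and any(a == b for a, b in pairs)),
        # Case-insensitive match: Table 2 rejects lowercase 'a'.
        ("QPWDLMTCHR", any(c.upper() in policy["QPWDLMTCHR"]
                           for c in candidate)),
        ("QPWDPOSDIF", policy["QPWDPOSDIF"] and bool(history)
            and any(a == b for a, b in zip(candidate, history[0]))),
        ("QPWDRQDDIF", candidate in history[:policy["QPWDRQDDIF"]]),
    ]
    return [name for name, failed in checks if failed]


def table_2_report():
    """Map each Table 2 password to (table verdict, violated values)."""
    return {pw: (verdict, violations(pw)) for pw, verdict in TABLE_2.items()}
```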
<p>By completing these steps, you have tightened signon access to the Finance
system by changing the password system values. You can alter the values for
each of the password system values to meet the security level for your company.
This example has provided one way that the password system values can work
together to produce a moderately strict environment.</p>
<p>To learn more about these and other system values you can view and change
in iSeries Navigator, see the following:</p>
<dl><dt class="dlterm">Password overview</dt>
<dd>Describes all password system values. In addition, you will find links
to specific password articles that describe the different settings for each
system value.</dd>
<dt class="dlterm">i5/OS™ system value finder</dt>
<dd>Use this tool to find system values in iSeries Navigator. The i5/OS system
value finder can be particularly helpful if you are trying to make the switch
from the system value terms that were used in the character-based interface
to the terms that are now used in iSeries Navigator.</dd>
<dt class="dlterm">System value categories</dt>
<dd>Find an introduction to all the categories of system values found in iSeries Navigator.</dd>
</dl>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzakzmanage.htm" title="As an administrator, you can perform many tasks to help you manage system values. Select this topic to learn how to save, configure, and lock system values.">Manage system values</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzakzoverviewparent.htm" title="iSeries Navigator groups system values into categories to streamline system value management.">System value categories</a></div>
<div><a href="rzakzpasswordoverview.htm" title="Use i5/OS password system values to control the password values and password restrictions.">System values: Password overview</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="rzakzfinder.htm">System value finder</a></div>
</div>
</div>
</body>
</html>