123 lines
7.7 KiB
HTML
123 lines
7.7 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
<!DOCTYPE html
|
|||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
<html lang="en-us" xml:lang="en-us">
|
|||
|
<head>
|
|||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|||
|
<meta name="security" content="public" />
|
|||
|
<meta name="Robots" content="index,follow" />
|
|||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|||
|
<meta name="DC.Type" content="concept" />
|
|||
|
<meta name="DC.Title" content="Considerations for changing QPWDLVL from 0 or 1 to 2" />
|
|||
|
<meta name="abstract" content="Password level 2 introduces the use of case sensitive passwords up to 128 characters in length, also called passphrases, and provides the maximum ability to revert back to QPWDLVL 0 or 1." />
|
|||
|
<meta name="description" content="Password level 2 introduces the use of case sensitive passwords up to 128 characters in length, also called passphrases, and provides the maximum ability to revert back to QPWDLVL 0 or 1." />
|
|||
|
<meta name="DC.Relation" scheme="URI" content="rzamvpasswdlvlchg.htm" />
|
|||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|||
|
<meta name="DC.Format" content="XHTML" />
|
|||
|
<meta name="DC.Identifier" content="qpwdlvltwo" />
|
|||
|
<meta name="DC.Language" content="en-us" />
|
|||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|||
|
<!-- US Government Users Restricted Rights -->
|
|||
|
<!-- Use, duplication or disclosure restricted by -->
|
|||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|||
|
<title>Considerations for changing QPWDLVL from 0 or 1 to 2</title>
|
|||
|
</head>
|
|||
|
<body id="qpwdlvltwo"><a name="qpwdlvltwo"><!-- --></a>
|
|||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|||
|
<h1 class="topictitle1">Considerations for changing QPWDLVL from 0 or 1 to 2</h1>
|
|||
|
<div><p>Password level 2 introduces the use of case sensitive passwords
|
|||
|
up to 128 characters in length, also called passphrases, and provides the
|
|||
|
maximum ability to revert back to QPWDLVL 0 or 1.</p>
|
|||
|
<p>Regardless of the password level of the system, password level 2 and 3
|
|||
|
passwords are created whenever a password is changed or a user signs on to
|
|||
|
the system. Having a level 2 and 3 password created while the system is still
|
|||
|
at password level 0 or 1 helps prepare for the change to password level 2
|
|||
|
or 3.</p>
|
|||
|
<div class="p">Prior to changing QPWDLVL to 2, you should use the DSPAUTUSR or PRTUSRPRF
|
|||
|
TYPE(*PWDINFO) commands to locate all user profiles which do not have a password
|
|||
|
that is usable at password level 2. Depending on which profiles these commands
|
|||
|
locate, you may want to use one of the following mechanisms to have a password
|
|||
|
level 2 and 3 password added to the profiles.<ul><li>Change the password for the user profile using the CHGUSRPRF or CHGPWD
|
|||
|
CL command or the QSYCHGPW API. This will cause the system to change the password
|
|||
|
that is usable at password levels 0 and 1; and the system also creates two
|
|||
|
equivalent case sensitive passwords that are usable at password levels 2 and
|
|||
|
3. An all uppercase and all lowercase version of the password is created for
|
|||
|
use at password level 2 or 3. <p>For example, changing the password to C4D2RB4Y
|
|||
|
results in the system generating C4D2RB4Y and c4d2rb4y password level 2 passwords.</p>
|
|||
|
</li>
|
|||
|
<li>Sign on to the system through a mechanism that presents the password in
|
|||
|
clear text, not using password substitution. If the password is valid and
|
|||
|
the user profile does not have a password that is usable at password levels
|
|||
|
2 and 3, the system creates two equivalent case sensitive passwords that are
|
|||
|
usable at password levels 2 and 3. An all uppercase and all lowercase version
|
|||
|
of the password is created for use at password level 2 or 3.</li>
|
|||
|
</ul>
|
|||
|
The absence of a password that is usable at password level 2 or 3 can
|
|||
|
be a problem whenever the user profile also does not have a password that
|
|||
|
is usable at password levels 0 and 1 or when the user tries to sign on through
|
|||
|
a product that uses password substitution. In these cases, the user will not
|
|||
|
be able to sign on when the password level is changed to 2.</div>
|
|||
|
<p>If a user profile does not have a password that is usable at password levels
|
|||
|
2 and 3, the user profile does have a password that is usable at password
|
|||
|
levels 0 and 1, and the user signs on through a product that sends clear text
|
|||
|
passwords, then the system validates the user against the password level 0
|
|||
|
password and creates two password level 2 passwords (as described above) for
|
|||
|
the user profile. Subsequent signons will be validated against the password
|
|||
|
level 2 passwords.</p>
|
|||
|
<p>Any client or service which uses password substitution will not work correctly
|
|||
|
at QPWDLVL 2 if the client or service hasn’t been updated to use the new password
|
|||
|
or passphrase substitution scheme. The administrator should check whether
|
|||
|
a client or service which hasn’t been updated to the new password substitution
|
|||
|
scheme is required.</p>
|
|||
|
<div class="p">The clients and services that use password substitution include:<ul><li>TELNET</li>
|
|||
|
<li>iSeries™ Access</li>
|
|||
|
<li>iSeries Host
|
|||
|
Servers</li>
|
|||
|
<li>QFileSrv.400</li>
|
|||
|
<li>iSeries NetServer™ print
|
|||
|
support</li>
|
|||
|
<li>DDM</li>
|
|||
|
<li>DRDA<sup>®</sup></li>
|
|||
|
<li>SNA LU6.2</li>
|
|||
|
</ul>
|
|||
|
It is highly recommended that the security data be saved prior to changing
|
|||
|
to QPWDLVL 2. Having a backup of your security data can help make the transition
|
|||
|
back to QPWDLVL 0 or 1 easier if that becomes necessary. </div>
|
|||
|
<p>It is recommended that the other password system values, such as QPWDMINLEN
|
|||
|
and QPWDMAXLEN, not be changed until after some testing at QPWDLVL 2 has occurred.
|
|||
|
This will make it easier to transition back to QPWDLVL 1 or 0 if necessary.
|
|||
|
However, the QPWDVLDPGM system value must specify either *REGFAC or *NONE
|
|||
|
before the system will allow QPWDLVL to be changed to 2.</p>
|
|||
|
<p>Therefore, if you use a password validation program, you may wish to write
|
|||
|
a new one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point by
|
|||
|
using the ADDEXITPGM command.</p>
|
|||
|
<div class="p">iSeries NetServer passwords
|
|||
|
are still supported at QPWDLVL 2, so any function or service that requires
|
|||
|
an iSeries NetServer password
|
|||
|
should still work correctly. Once the administrator is comfortable
|
|||
|
with running the system at QPWDLVL 2, they can begin to change the password
|
|||
|
system values to exploit longer passwords. However, the administrator needs
|
|||
|
to be aware that longer passwords will have these effects:<ul><li>If passwords greater than 10 characters are specified, the password level
|
|||
|
0 and 1 password is cleared. This user profile would not be able to signon
|
|||
|
if the system is returned to password level 0 or 1.</li>
|
|||
|
<li>If passwords contain special characters or do not follow the composition
|
|||
|
rules for simple object names (excluding case sensitivity), the password level
|
|||
|
0 and 1 password is cleared.</li>
|
|||
|
<li>If passwords greater than 14 characters are specified, the iSeries NetServer password
|
|||
|
for the user profile is cleared.</li>
|
|||
|
<li>The password system values only apply to the new password level 2 value
|
|||
|
and do not apply to the system generated password level 0 and 1 password or iSeries NetServer password
|
|||
|
values (if generated).</li>
|
|||
|
</ul>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
<div>
|
|||
|
<div class="familylinks">
|
|||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvpasswdlvlchg.htm" title="Operations with other systems may fail or users may not be able to sign on to the system if you haven’t planned for the password level change adequately.">Plan password level changes</a></div>
|
|||
|
</div>
|
|||
|
</div>
|
|||
|
</body>
|
|||
|
</html>
|