Password policies for service tools user IDs

This topic describes the password policies for service tools user IDs and the process of changing Data Encryption Standard (DES) and Secure Hash Algorithm (SHA) encryption.

Note: Multiple incorrect password attempts to sign on will disable the service tools user ID. If that occurs, you can sign on with the disabled user ID from the console, and then reset the user ID.

Service tools user IDs are separate from i5/OS™ user profiles. Passwords for service tools user IDs are encrypted at different levels for security. The default password level uses DES encryption. You should use DES encryption if you have pre-V5R1 clients using iSeries™ Navigator to connect to service functions such as logical partitions and disk unit management.

You can change the password level to use SHA encryption, which is mathematically impossible to reverse and provides stronger encryption and a higher level of security. If you change to SHA encryption, however, you cannot change back to DES encryption. Also, if you change to SHA encryption, you can no longer connect to the service tools server with pre-V5R1 clients, such as Operations Console. When you upgrade your password level to SHA, you need to upgrade any clients that use these functions.

DES encryption

When you use DES encryption, service tools user IDs and passwords have the following characteristics:

Use 10-digit, uppercase user IDs.
Use 8-digit, case-sensitive passwords. When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is 6 digits.
Passwords for user IDs do not expire after 180 days. By default, the initial passwords for IBM-supplied service tools user IDs, however, are shipped as expired. The exception to this is the user ID 11111111. This user ID is not expired.

SHA encryption

When you use SHA encryption, service tools user IDs and passwords have the following characteristics:

Use 10-digit, uppercase user IDs.
Use 128-digit case-sensitive passwords. When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is 6 digits.
Passwords for user IDs expire after 180 days.
By default, passwords are initially set as expired (unless explicitly set on the display to No).
Passwords can be set as expired by a security administrator.

To change to use SHA encryption, access DST and perform the following steps:

Sign on to DST using your service tools user ID. The Use dedicated service tools (DST) display appears.
Select option 5 (Work with DST environment) and press Enter. The Work with DST Environment display appears.
Select option 6 (Service tools security data) and press Enter.
Select option 6 (Password level) and press Enter. Press Enter again if you are ready to go to the new password level.