There are considerations for you to make before you change to a
lower password level.
Returning to a lower QPWDLVL value, while possible, is not going to be
a completely painless operation. In general, the mind set should be that changing
from lower QPWDLVL values to higher QPWDLVL values is a one-way trip. However,
there may be cases where a lower QPWDLVL value must be reinstated.
The following sections each discuss the work required to move back to a
lower password level.
Considerations for changing from QPWDLVL 3 to 2
This
change is relatively easy. Once the QPWDLVL is set to 2, the administrator
needs to determine if any user profile is required to contain iSeries™ NetServer™ passwords
or password level 0 or 1 passwords and, if so, change the password of the
user profile to an allowable value.
Additionally, the password system
values may have to be changed back to values compatible with iSeries NetServer and
password level 0 or 1 passwords, if those passwords are needed.
Considerations for changing from QPWDLVL 3 to 1 or 0
Because
of the very high potential for causing problems for the system, such as no
one can being able to sign on because all of the password level 0 and 1 passwords
have been cleared, this change is not supported directly. To change from QPWDLVL
3 to QPWDLVL 1 or 0, the system must first make the intermediary change to
QPWDLVL 2.
Considerations for changing from QPWDLVL 2 to 1
Prior
to changing QPWDLVL to 1, the administrator should use the DSPAUTUSR or PRTUSRPRF
TYPE(*PWDINFO) commands to locate any user profiles that do not have a password
level 0 or 1 password. If the user profile will require a password after the
QPWDLVL is changed, the administrator should ensure that a password level
0 and 1 password is created for the profile using one of the following mechanisms:
- Change the password for the user profile using the CHGUSRPRF or CHGPWD
CL command or the QSYCHGPW API. This will cause
the system to change the password that is usable at password levels 2 and
3; and the system also creates an equivalent uppercase password that is usable
at password levels 0 and 1. The system is only able to create the password
level 0 and 1 password if the following conditions are met:
- The password is 10 characters or less in length.
- The password can be converted to uppercase EBCDIC characters A-Z, 0-9,
@, #, $, and underscore.
- The password does not begin with a numeric or underscore character.
For example, changing the password to a value of RainyDay would result
in the system generating a password level 0 and 1 password of RAINYDAY. But
changing the the password value to Rainy Days In April would cause the system
to clear the password level 0 and 1 password, as the password is too long
and it contains blanks. No message or indication is produced if the password
level 0 or 1 password could not be created.
- Sign on to the system through a mechanism that presents the password in
clear text (does not use password substitution). If the password
is valid and the user profile does not have a password that is usable at password
levels 0 and 1, the system creates an equivalent uppercase password that is
usable at password levels 0 and 1. The system is only able to create the password
level 0 and 1 password if the conditions listed above are met.
The administrator can then change QPWDLVL to 1. All iSeries NetServer passwords
are cleared when the change to QPWDLVL 1 takes effect (next IPL).
Considerations for changing from QPWDLVL 2 to 0
The
considerations are the same as for changing from QPWDLVL 2 to 1 except that
all iSeries NetServer passwords
are retained when the change takes effect.
Considerations for changing from QPWDLVL 1 to 0
After
changing QPWDLVL to 0, the administrator should use the DSPAUTUSR or PRTUSRPRF
commands to locate any user profiles that do not have an iSeries NetServer password.
If the user profile requires an iSeries NetServer password, it can be created
by changing the user’s password or signing on through a mechanism that presents
the password in clear text. The administrator can then change QPWDLVL to 0.