Set up your user environment

This topic describes how to set up your user environment and sign on to the system.

To begin setting up user security, you need to set up the overall environment for your users. Use the SETUP menu to set system values, and create your own user profile. You also need to change user IDs and passwords for the Dedicated Service Tools (DST) profiles.

In the following procedures, you will find example command-line screens that illustrate these steps. However, these examples do not show the entire screen. They show only the information necessary to complete the task.

What forms are needed?

Enter information from the system values selection worksheet that you prepared in Plan your security strategy. To set up your overall environment, you need to complete these tasks:
  1. Signing on to the system
  2. Selecting the right assistance level
  3. Preventing others from signing on
  4. Enter signon system values for security
  5. Applying the new system values
  6. Creating a security officer profile

Signing on to the system

To begin setting up your system environment, you need to sign on to the system.
  1. At the console, sign on as the security officer (QSECOFR). If you are signing on for the first time, use the password QSECOFR. Because the system ships this password as expired, the system will prompt you to change this password. You must change this password to successfully sign on.
  2. Enter SETUP in the Menu field on the Sign On display.
Note: The SETUP menu is called the Customize Your System, Users, and Devices menu. This text refers to it as the SETUP menu throughout.
                     Sign On 
                                System . . . . . 
                                Subsystem . . . . 
                                Display . . . . . 
User . . . . . . . . . . . . . . QSECOFR 
Password . . . . . . . . . . . . __________ 
Program/procedure . . . . . . .  __________ 
Menu . . . . . . . . . . . . . . SETUP 
Current library . . . . . . . .  __________

After you sign on to the system, you must select the appropriate assistance level.

Selecting the right assistance level

After signing on to the system, you can choose the appropriate assistance level for users. The assistance level determines what version of a display you see. Many system displays have two different versions:
  • A basic assistance level version, which contains less information and does not use technical terminology.
  • An intermediate assistance level version, which shows more information and uses technical terms.

Some fields or functions are available only on a particular version of a display. The instructions tell you which version to use. To change from one assistance level to another, use F21 (Select assistance level). F21 is not available from all displays. After you select your assistance level, you must prevent others from signing on to the system while you set up security.

Preventing others from signing on

After you select the right assistance level, you must prevent anyone else from signing on to the system. If you are concerned about people tampering with your system before you have a chance to secure it, you can prevent anyone from signing on at another workstation. This is optional. Do it only if you feel that temporary security is necessary:
  1. From the SETUP menu, press F9 to display a command line.
  2. On the command line, type GO DEVICESTS.
  3. The screen shows the Device Status Tasks menu. If you see the Work with Configuration Status menu, use F21 (Select assistance level) to change to basic assistance level.
  4. Select option 1 (Work with display devices).
  5. On the Work with Display Devices display, make all the workstations except the one you are using unavailable. Do this by typing 2 in front of each workstation name and pressing the Enter key.
  6. Return to the SETUP menu by pressing F3 (Exit) twice.
  7. Press F12 (Cancel) to remove the command line.
              Work with Display Devices 

Type options below, then press Enter. 
   1=Make available   2=Make unavailable  5=Display
   7=Display message  8=Work with controller and line
   13=Change description 

Opt  Device  Type  Status 
__   DSP01   3196  QSECOFR 
2_ DSP02 3196 Available to use
2_ DSP03 3196 Available to use
2_ DSP04 3196 Available to use

When you make a device unavailable, it does not have a Sign On display, even if it is powered on. Workstations stay unavailable only until you stop and start your system again. You may need to repeat this step.

Enter signon system values for security

After you have prevented others from signing on, you need to enter system values into the system. Use this procedure to enter the information from Part 1 of your System Values Selection form:
  1. From the SETUP menu, select option 1 (Change system options).
  2. Enter information from your System Values Selection form on the Change System Options display. If you do not want to change one of the choices on the display, you can use the Tab key to skip over it.
  3. Enter the correct date and time on this display, if they were not set when you started the system.
  4. After you type the information on this page, page down to the next page.
  5. Type your choices on the second page of the display and page down.
  6. Type your choices on the third page of the display and press the Enter key.
  7. You should see the SETUP menu again. Notice the message at the bottom of your display: System options successfully changed. IPL required. (The system requires an IPL only if you changed the security level.)

The following table describes possible errors and recovery steps. Use these tables for assistance if your results are different from those described.

Table 1. Possible errors and recovery steps
Possible error Recovery steps
The MAIN menu is displayed. You pressed F3 (Exit) or F12 (Cancel). Type GO SETUP and try again.
You see another display, such as the Change Cleanup Options display. You selected the wrong option from the SETUP menu. Press F3 (Exit) to return to the menu and try again.
The Change System Option display is shown again after you press the Enter key. Look for an error message at the bottom of the display. You probably typed a value that is not allowed. Use F1 (Help) if you need more information. Use F5 (Refresh) if you want the system to restore all the values to what they were before you started typing. Try again.
You pressed the Enter key before you typed all your choices on the display. You can use this display as many times as necessary to change system values. Select option 1 from the SETUP menu and enter the values you missed the first time.
Attention: Once your system is operational, do not change the security level without consulting a programmer. Also, do not change the system name if you are using iSeries™ Access or communicating with another computer.
You pressed the Enter key instead of paging down. Select option 1 from the SETUP menu again and page down to display the second page. Type your choices and press the Enter key.

The following table shows several values that you can set to make it more difficult for an unauthorized person to sign on to your system. If you run the CFGSYSSEC command, it sets these system values to the recommended settings.

Table 2. Recommended system value settings
System Value Name Description Recommended Setting
QAUTOCFG Whether the system automatically configures new devices. 0 (No)
QAUTOVRT The number of virtual device descriptions that the system will automatically create if no device is available for use. 0
QDEVRCYACN What the system does when a device reconnects after an error.1 *DSCMSG
QDSCJOBITV How long the system waits before ending a disconnected job. 120
QDSPSGNINF Whether the system displays information about previous sign-on activity when a user signs on. 1 (Yes)
QINACTITV How long the system waits before taking action when an interactive job is inactive. 60
QINACTMSGQ What the system does when the QINACTITV time period is reached. *ENDJOB
QLMTDEVSSN Whether the system prevents a user from signing on at more than one workstation at the same time. 1 (Yes)
QLMTSECOFR Whether users with *ALLJOB or *SERVICE special authority can sign on only at specific workstations. 1 (Yes)2
QMAXSIGN Maximum consecutive, incorrect sign-on attempts (user profile or password is incorrect). 3
QMAXSGNACN What the system does when the QMAXSIGN limit is reached. 3 (Disable both user profile and device)
Note:
  1. The system can disconnect and reconnect TELNET sessions when the device description for the session is explicitly assigned.
  2. If you set the system value to 1 (Yes), you will need to explicitly authorize users with *ALLOBJ or *SERVICE special authority to devices. The simplest way to do this is to give the QSECOFR user profile *CHANGE authority to specific devices.

After entering your system values, you must then apply the new system values.

For more information, see "Values That Are Set by the Configure System Security Command" in the iSeries Security Reference.

Applying the new system values

After you enter your system values, you need to apply some of these values. Most changes to system values take effect immediately. However, when you change the security level on your system, the change does not take effect until you stop your system and start it again. After you verify that you typed all the values on the Change System Options display correctly, you are ready to apply the new values.

Note: Attach your workstations to the system, if you have not already done so. When you start the system, it automatically configures those devices using the naming format you chose on the Change System Options display.
Use the following procedure to stop your system and start it again. When your system starts, the values you entered on the Change System Options display take effect.
  1. Make sure you have signed on at the console and that no other workstations are signed on.
  2. Make sure that the keylock switch on the processor unit is in the Normal position.
  3. From the SETUP menu, select the option for Power On and Off Tasks.
  4. Select the option to power off the system immediately and then power on. Press the Enter key.
  5. The system shows a display that requests you to confirm your power-down request. Press F16 (Confirm).

This causes the system to stop and then start again automatically. Your display goes blank for a few minutes. Then you should see the Sign On display again.

After you apply your new system values, you must create a security officer profile for yourself on the system.

Creating a security officer profile

A security officer on the system is any user with *SECOFR user class or *ALLOBJ and *SECADM special authorities.

After you apply the system values from the Change System Option display, create a user profile for yourself and for the alternate security officer. In the future, use your profile, rather than the QSECOFR profile, when you perform security officer functions.
  1. Sign on to the system as QSECOFR and request the SETUP menu. Notice that the system name you chose appears in the upper right of the Sign On display.
  2. From the SETUP menu, select the Work with user enrollment option. The Work with User Enrollment display lists the profiles currently on your system. (If you see the Work with User Profile display, press F21 (Select assistance level) and change to basic assistance level.)
  3. To create a new profile, type 1 (Add) in the Opt (option) column and the name of your profile in the User column. Press the Enter key.
  4. On the Add User display, assign yourself a password.
  5. Fill in the fields shown on the sample display with your own appropriate information.
  6. Page down to the next page of the display.
  7. Fill in the second page of the display and press the Enter key.
  8. Check for confirmation messages at the bottom of the Work with User Enrollment display.
  9. Press F3 (Exit) to return to the SETUP menu.

After you create a security officer profile for yourself, you need to change user ID and passwords for Service Tools users.

Parent topic: Implement your security strategy