Change known passwords

To keep your system secure, change known passwords for user profiles and dedicated service tools.

Do the following to close some well-known entrances into the server that may exist on your system.
  1. Make sure that no user profiles still have default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command.
  2. Try to sign on to your system with the combinations of user profiles and passwords that are shown in Table 1. These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended value.
  3. Start the Dedicated Service Tools (DST) and try to sign on with the passwords that are shown in Table 2.
  4. If you can sign on to DST with any of these passwords, you should change the passwords.
  5. Make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try several different displays. If you can sign on without entering information on the Sign On display, do one of the following:
    • Change to security level 40 or 50 (QSECURITY system value). (Your applications might run differently when you increase your security level to 40 or 50.)
    • Change all of the workstation entries for interactive subsystems to point to job descriptions that specify USER(*RQD).
Table 1. Passwords for IBM-supplied profiles
User ID Password Recommended value
QSECOFR QSECOFR1 A nontrivial value known only to the security administrator. Write down the password that you have selected and store it in a safe place.
QSYSOPR QSYSOPR *NONE2
QPGMR QPGMR *NONE2
QUSER QUSER *NONE2, 3
QSRV QSRV *NONE2
QSRVBAS QSRVBAS *NONE2
Note:
  1. 'The system arrives with the Set password to expired value for the QSECOFR set to *YES. The first time that you sign on to a new system, you must change the QSECOFR password.
  2. The system needs these user profiles for system functions, but you should not allow users to sign on with these profiles. This password is shipped as *NONE. When you run the CFGSYSSEC command, the system sets these passwords to *NONE.
  3. To run iSeries™ Access for Windows® using TCP/IP, the QUSER user profile must be enabled.
Table 2. Passwords for Dedicated Service Tools
DST Level User ID1 Password Recommended Value
Basic capability 11111111 11111111 A nontrivial value known only to the security administrator.2
Full capability 22222222 222222223 A nontrivial value known only to the security administrator.2
Security capability QSECOFR QSECOFR3 A nontrivial value known only to the security administrator.2
Service capability QSRV QSRV3 A nontrivial value known only to the security administrator.2
Note:
  1. A user ID is only required for PowerPC® AS (RISC) releases of the operating system.
  2. If your hardware service representative needs to sign on with this user ID and password, change the password to a new value after the hardware service representative leaves.
  3. The service tools user profile will expire as soon as it is used for the first time.
Important: DST passwords can only be changed by an authenticated device. This is also true for all passwords and corresponding user IDs that are identical. For more information on authenticated devices, see the Operations Console setup information in the iSeries Information Center.

Use system service tools to change passwords

You also can use system service tools (SST) instead of DST to change passwords.

You can manage and create service tools user IDs from system service tools (SST) by selecting option 8 (Work with service tools user IDs) from the main SST display. You no longer need to go into DST to reset passwords, grant or revoke privileges, or create service tools user IDs.

The server is shipped with limited ability to change default and expired passwords. This means that you cannot change service tools user IDs that have default and expired passwords through the Change Service Tools User ID (QSYCHGDS) API, nor can you change their passwords through SST. You can only change a service tools user ID with a default and expired password through DST. You can change the setting to allow default and expired passwords to be changed. Also, you can use the new Start service tools (STRSST) privilege to create a service tools user ID that can access DST, but can be restricted from accessing SST.

Change passwords for IBM-supplied user profiles

If you need to sign on with one of the IBM-supplied profiles, you can change the password using the CHGUSRPRF command. You can also change these passwords using an option from the SETUP menu. To protect your system, you should leave the password set to *NONE for all IBM-supplied profiles except QSECOFR. Do not allow trivial passwords for the QSECOFR profile.

Change Passwords for IBM-Supplied Profiles

Type new password below for IBM-supplied user,
type password again to verify change, then press Enter.

New security officer (QSECOFR) password . . . . . . 
New password (to verify) . . . . . . . . . . . . . 

New system operator (QSYSOPR) password . . . . . . . 
New password (to verify) . . . . . . . . . . . . . 

New programmer (QPGMR) password . . . . . . . . . . 
New password (to verify) . . . . . . . . . . . . . 

New user (QUSER) password . . . . . . . . . . . . . 
New password (to verify) . . . . . . . . . . . . . 

New service (QSRV) password . . . . . . . . . . . . 
New password (to verify) . . . . . . . . . . . . .
Page down to change additional passwords:
Change Passwords for IBM-Supplied Profiles

Type new password below for IBM-supplied user, 
type change, then press Enter.

New basic service (QSRVBAS) password . . . . . . . .
  New password (to verify)  . . . . . . . .  . . . .
Parent topic: Set up your user environment