The TCP/IP server has a default security of user ID with clear-text password. This means that, as the server is installed, inbound TCP/IP connection requests must have at least a clear-text password accompanying the user ID under which the server job is to run.
The security can either be changed with the Change DDM TCP/IP Attributes (CHGDDMTCPA) command or under the in iSeries™ Navigator. You must have *IOSYSCFG special authority to change this setting.
There are two settings that can be used for lower server security:
Password is not required.
Password is not required, but must be valid if sent.
The difference between *NO and *VLDONLY is that if a password is sent from a client system, it is ignored in the *NO option. In the *VLDONLY option, however, if a password is sent, the password is validated for the accompanying user ID, and access is denied if incorrect.
Encrypted password required or PWDRQD(*ENCRYPTED) and Kerberos or PWDRQD(*KERBEROS) can be used for higher security levels. If Kerberos is used, user profiles must be mapped to Kerberos principles using Enterprise Identity Mapping (EIM).
The following example shows the use of the Change DDM TCP/IP Attributes (CHGDDMTCPA) command to specify that an encrypted password must accompany the user ID. To set this option, enter:
CHGDDMTCPA PWDRQD(*ENCRYPTED)