Change known passwords

Do the following to close some well-known entrances into the server that may exist on your system.

You will need information from these tables for some of the steps in this procedure.
Table 1. Passwords for IBM-supplied profiles

| User ID | Password | Recommended value |
|---------|----------|-------------------|
| QSECOFR | QSECOFR (note 1) | A nontrivial value known only to the security administrator. Write down the password that you have selected and store it in a safe place. |
| QSYSOPR | QSYSOPR | *NONE (note 2) |
| QPGMR | QPGMR | *NONE (note 2) |
| QUSER | QUSER | *NONE (notes 2, 3) |
| QSRV | QSRV | *NONE (note 2) |
| QSRVBAS | QSRVBAS | *NONE (note 2) |

Note:
  1. The system arrives with the Set password to expired value for the QSECOFR profile set to *YES. The first time that you sign on to a new system, you must change the QSECOFR password.
  2. The system needs these user profiles for system functions, but you should not allow users to sign on with these profiles. For new systems installed with V3R1 or later releases, this password is shipped as *NONE. If you run the CFGSYSSEC command, the system sets these passwords to *NONE.
  3. To run iSeries™ Access for Windows® using TCP/IP, the QUSER user profile must be enabled.

Table 2. Passwords for dedicated service tools

| DST Level (note 1) | User ID (note 1) | Password | Recommended value |
|--------------------|------------------|----------|-------------------|
| Basic capability | 11111111 | 11111111 | A nontrivial value known only to the security administrator. (note 2) |
| Full capability | 22222222 | 22222222 (note 3) | A nontrivial value known only to the security administrator. (note 2) |
| Security capability | QSECOFR | QSECOFR (note 3) | A nontrivial value known only to the security administrator. (note 2) |
| Service capability | QSRV | QSRV (note 3) | A nontrivial value known only to the security administrator. (note 2) |

Note:
  1. A user ID is only required for PowerPC® AS (RISC) releases of the operating system.
  2. If your hardware service representative needs to sign on with this user ID and password, change the password to a new value after the hardware service representative leaves.
  3. The service tools user profile will expire as soon as it is used for the first time.

  1. Make sure that no user profiles still have default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command.
  2. Try to sign on to your system with the combinations of user profiles and passwords that are shown in the table, "Passwords for IBM-supplied profiles." These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended value.
  3. Start the Dedicated Service Tools (DST) and try to sign on with the passwords that are shown in Table 2.
  4. If you can sign on to DST with any of these passwords, you should change the passwords. DST passwords can only be changed by an authenticated device. This is also true for all passwords and corresponding user IDs that are identical. For more information on authenticated devices, see the Operations Console setup information.
  5. Finally, make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try several different displays. If you can sign on without entering information on the Sign On display, do one of the following:
    1. Change to security level 40 or 50 (QSECURITY system value). Your applications might run differently when you increase your security level to 40 or 50.
    2. Change all of the workstation entries for interactive subsystems to point to job descriptions that specify USER(*RQD).
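
The command-line parts of the procedure above, written out as CL commands. This is an added example, not part of the original documentation; the subsystem QINTER is assumed to be the interactive subsystem in use, and SECLIB/SIGNONJOBD is a hypothetical job description name. The sign-on attempts in steps 2 to 5 and the DST password changes are still done by hand at a display.

```cl
/* Step 1: report user profiles whose password equals the profile    */
/* name. ACTION(*NONE) only prints the report and changes nothing.   */
ANZDFTPWD ACTION(*NONE)

/* Step 2: apply the recommended values from Table 1 to the          */
/* IBM-supplied profiles that should never be used to sign on.       */
CHGUSRPRF USRPRF(QSYSOPR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QPGMR)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QUSER)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRV)    PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRVBAS) PASSWORD(*NONE)

/* QSECOFR: type CHGUSRPRF USRPRF(QSECOFR) and press F4 to prompt    */
/* for the new password interactively, so that the value is never    */
/* stored in a source member or job log.                             */

/* Step 5, option 1: check the current security level, then raise    */
/* it. A new QSECURITY value takes effect at the next IPL.           */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* Step 5, option 2: make the job description require a user ID and  */
/* point the workstation entries of the interactive subsystem at it. */
/* SECLIB/SIGNONJOBD is a hypothetical name; QINTER is assumed.      */
CHGJOBD JOBD(SECLIB/SIGNONJOBD) USER(*RQD)
CHGWSE  SBSD(QSYS/QINTER) WRKSTNTYPE(*ALL) JOBD(SECLIB/SIGNONJOBD)

/* Re-run the report to confirm that no default passwords remain.    */
ANZDFTPWD ACTION(*NONE)
```

Repeat the CHGWSE command for each interactive subsystem and each workstation entry on your system, then retry the Enter-key sign-on test from several displays.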