Plan password level changes

Operations with other systems may fail or users may not be able to sign on to the system if you haven’t planned for the password level change adequately.

Changing password levels should be planned carefully. Prior to changing the QPWDLVL system value, make sure you have saved your security data using the SAVSECDTA or SAVSYS command. If you have a current backup, you will be able to reset the passwords for all users’ profiles if you need to return to a lower password level.

Products that you use on the system, and on clients with which the system interfaces, may have problems when the password level (QPWDLVL) system value is set to 2 or 3. Any product or client that sends passwords to the system in an encrypted form, rather than in the clear text a user enters on a sign-on screen, must be upgraded to work with the new password encryption rules for QPWDLVL 2 or 3. Sending the encrypted password is known as password substitution.

Password substitution is used to prevent a password from being captured during transmission over a network. Password substitutions generated by older clients that do not support the new algorithm for QPWDLVL 2 or 3 will not be accepted, even if the specific characters are correct. This also applies to any iSeries™-to-iSeries peer access that uses the encrypted values to authenticate from one system to another.
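The following added example (not IBM code and not part of the original page) is a simplified model of why a substitute computed under the old rules is rejected even when the password characters are correct, while clear-text sign-on keeps working. The `derive` and `substitute` functions, the "old"/"new" labels and the sample user and password are constructed stand-ins, not the algorithms the system actually uses.

```python
import hashlib
import hmac
import os

def derive(rules: str, user: str, password: str) -> bytes:
    # Constructed stand-in for a per-level password transform; NOT IBM's algorithm.
    return hashlib.sha256(f"{rules}|{user}|{password}".encode()).digest()

def substitute(key: bytes, server_seed: bytes, client_seed: bytes) -> bytes:
    # The value sent on the wire instead of the password itself.
    return hmac.new(key, server_seed + client_seed, hashlib.sha256).digest()

class Server:
    def __init__(self, rules: str):
        self.rules = rules          # hypothetical labels: "old" or "new"
        self.stored = {}            # user -> key derived under the server's rules

    def set_password(self, user, password):
        self.stored[user] = derive(self.rules, user, password)

    def verify_substitute(self, user, server_seed, client_seed, sent):
        key = self.stored.get(user)
        if key is None:
            return False
        expected = substitute(key, server_seed, client_seed)
        return hmac.compare_digest(expected, sent)

    def verify_cleartext(self, user, password):
        # Sign-on screen path: the server applies its own rules to the text.
        key = self.stored.get(user)
        return key is not None and hmac.compare_digest(key, derive(self.rules, user, password))

def client_signon(server, client_rules, user, password):
    # A client that performs password substitution with the rules it was built with.
    server_seed, client_seed = os.urandom(8), os.urandom(8)
    sent = substitute(derive(client_rules, user, password), server_seed, client_seed)
    return server.verify_substitute(user, server_seed, client_seed, sent)

def demo():
    server = Server("new")
    server.set_password("ALICE", "Constructed-Passw0rd")   # constructed sample values
    return {
        "updated_client": client_signon(server, "new", "ALICE", "Constructed-Passw0rd"),
        "older_client": client_signon(server, "old", "ALICE", "Constructed-Passw0rd"),
        "cleartext": server.verify_cleartext("ALICE", "Constructed-Passw0rd"),
    }

if __name__ == "__main__":
    print(demo())
```

In the model, the older client fails because the two sides derive different keys from the same characters, so an inventory of substitution-capable clients and embedded middleware is the input this planning step needs.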

The problem is compounded by the fact that some affected products, such as Java™ Toolbox, are provided as middleware. A third-party product that incorporates a prior version of one of these products will not work correctly until rebuilt using an updated version of the middleware. Given this and other scenarios, it is easy to see why careful planning is necessary before changing the QPWDLVL system value.