<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Set up your user environment" />
<meta name="abstract" content="This topic describes how to set up your user environment and sign on to the system." />
<meta name="description" content="This topic describes how to set up your user environment and sign on to the system." />
<meta name="DC.Relation" scheme="URI" content="rzamvimplementsecstrat.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvchangepwd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzamvchangesignonerror.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="setuserenviron" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Set up your user environment</title>
</head>
<body id="setuserenviron"><a name="setuserenviron"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Set up your user environment</h1>
<div><p>This topic describes how to set up your user environment and sign on to the system.</p>
<p>To begin setting up user security, you need to set up the overall environment for your users. Use the SETUP menu to set system values, and create your own user profile. You also need to change user IDs and passwords for the Dedicated Service Tools (DST) profiles.</p>
<p>In the following procedures, you will find example command-line screens that illustrate these steps. However, these examples do not show the entire screen. They show only the information necessary to complete the task.</p>
<div class="section" id="setuserenviron__setuserforms"><a name="setuserenviron__setuserforms"><!-- --></a><h4 class="sectiontitle">What forms are needed?</h4><div class="p">Enter information from the <a href="rzamvsysvalworksheet.htm#sysvalworksheet">system values selection worksheet</a> that you prepared in <a href="rzamvplansecstrat.htm#plansecstrat">Plan your security strategy</a>. To set up your overall environment, you need to complete these tasks: <ol><li><a href="#setuserenviron__setuser1">Signing on to the system</a></li>
<li><a href="#setuserenviron__setuser2">Selecting the right assistance level</a></li>
<li><a href="#setuserenviron__setuser3">Preventing others from signing on</a></li>
<li><a href="#setuserenviron__setuser4">Enter signon system values for security</a></li>
<li><a href="#setuserenviron__setuser5">Applying the new system values</a></li>
<li><a href="#setuserenviron__setuser6">Creating a security officer profile</a></li>
</ol>
</div>
</div>
<div class="section" id="setuserenviron__setuser1"><a name="setuserenviron__setuser1"><!-- --></a><h4 class="sectiontitle">Signing on to the system</h4><div class="p">To begin setting up your system environment, you need to sign on to the system. <ol><li>At the console, sign on as the security officer (QSECOFR). If you are signing on for the first time, use the password QSECOFR. Because the system ships this password as expired, the system will prompt you to change this password. You must change this password to successfully sign on.</li>
<li>Enter SETUP in the Menu field on the Sign On display.</li>
</ol>
</div>
<div class="note"><span class="notetitle">Note:</span> The SETUP menu is called the Customize Your System, Users, and Devices menu. This text refers to it as the SETUP menu throughout.</div>
<pre class="screen"> Sign On
System . . . . .
Subsystem . . . .
Display . . . . .
User . . . . . . . . . . . . . . QSECOFR
Password . . . . . . . . . . . . __________
Program/procedure . . . . . . . __________
Menu . . . . . . . . . . . . . . SETUP
Current library . . . . . . . . __________</pre>
<p>After you sign on to the system, you must select the appropriate assistance level.</p>
</div>
<div class="section" id="setuserenviron__setuser2"><a name="setuserenviron__setuser2"><!-- --></a><h4 class="sectiontitle">Selecting the right assistance level</h4><div class="p">After signing on to the system, you can choose the appropriate assistance level for users. The assistance level determines what version of a display you see. Many system displays have two different versions: <ul><li>A basic assistance level version, which contains less information and does not use technical terminology.</li>
<li>An intermediate assistance level version, which shows more information and uses technical terms.</li>
</ul>
</div>
<p>Some fields or functions are available only on a particular version of a display. The instructions tell you which version to use. To change from one assistance level to another, use F21 (Select assistance level). F21 is not available from all displays. After you select your assistance level, you must prevent others from signing on to the system while you set up security.</p>
</div>
<div class="section" id="setuserenviron__setuser3"><a name="setuserenviron__setuser3"><!-- --></a><h4 class="sectiontitle">Preventing others from signing on</h4><div class="p">After you select the right assistance level, you must prevent anyone else from signing on to the system. If you are concerned about people tampering with your system before you have a chance to secure it, you can prevent anyone from signing on at another workstation. This is optional. Do it only if you feel that temporary security is necessary: <ol><li>From the SETUP menu, press F9 to display a command line.</li>
<li>On the command line, type GO DEVICESTS.</li>
<li>The screen shows the Device Status Tasks menu. If you see the Work with Configuration Status menu, use F21 (Select assistance level) to change to basic assistance level.</li>
<li>Select option <kbd class="userinput">1</kbd> (Work with display devices).</li>
<li>On the Work with Display Devices display, make all the workstations except the one you are using unavailable. Do this by typing <kbd class="userinput">2</kbd> in front of each workstation name and pressing the Enter key.</li>
<li>Return to the SETUP menu by pressing F3 (Exit) twice.</li>
<li>Press F12 (Cancel) to remove the command line.</li>
</ol>
</div>
<pre class="screen">              Work with Display Devices
Type options below, then press Enter.
  1=Make available   2=Make unavailable   5=Display
  7=Display message  8=Work with controller and line
  13=Change description

Opt  Device  Type  Status
__   DSP01   3196  QSECOFR
<strong>2</strong>_   DSP02   3196  Available to use
<strong>2</strong>_   DSP03   3196  Available to use
<strong>2</strong>_   DSP04   3196  Available to use</pre>
<p>When you make a device unavailable, it does not have a Sign On display, even if it is powered on. Workstations stay unavailable only until you stop and start your system again. You may need to repeat this step.</p>
</div>
<div class="section" id="setuserenviron__setuser4"><a name="setuserenviron__setuser4"><!-- --></a><h4 class="sectiontitle">Enter signon system values for security</h4><div class="p">After you have prevented others from signing on, you need to enter system values into the system. Use this procedure to enter the information from Part 1 of your System Values Selection form:<ol><li>From the SETUP menu, select option <kbd class="userinput">1</kbd> (Change system options). </li>
<li>Enter information from your System Values Selection form on the Change System Options display. If you do not want to change one of the choices on the display, you can use the Tab key to skip over it. </li>
<li>Enter the correct date and time on this display, if they were not set when you started the system. </li>
<li>After you type the information on this page, page down to the next page. </li>
<li>Type your choices on the second page of the display and page down.</li>
<li>Type your choices on the third page of the display and press the Enter key.</li>
<li>You should see the SETUP menu again. Notice the message at the bottom of your display: <tt class="sysout">System options successfully changed. IPL required.</tt> (The system requires an IPL only if you changed the security level.)</li>
</ol>
</div>
<p>The following table describes possible errors and recovery steps. Use this table for assistance if your results are different from those described. </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Possible errors and recovery steps</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e151">Possible error</th>
<th valign="bottom" id="d0e153">Recovery steps</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e151 ">The MAIN menu is displayed.</td>
<td valign="top" headers="d0e153 ">You pressed F3 (Exit) or F12 (Cancel). Type <kbd class="userinput">GO SETUP</kbd> and try again.</td>
</tr>
<tr><td valign="top" headers="d0e151 ">You see another display, such as the Change Cleanup Options display.</td>
<td valign="top" headers="d0e153 ">You selected the wrong option from the SETUP menu. Press F3 (Exit) to return to the menu and try again.</td>
</tr>
<tr><td valign="top" headers="d0e151 ">The Change System Options display is shown again after you press the Enter key.</td>
<td valign="top" headers="d0e153 ">Look for an error message at the bottom of the display. You probably typed a value that is not allowed. Use F1 (Help) if you need more information. Use F5 (Refresh) if you want the system to restore all the values to what they were before you started typing. Try again.</td>
</tr>
<tr><td valign="top" headers="d0e151 ">You pressed the Enter key before you typed all your choices on the display.</td>
<td valign="top" headers="d0e153 ">You can use this display as many times as necessary to change system values. Select option <kbd class="userinput">1</kbd> from the SETUP menu and enter the values you missed the first time. <div class="attention"><span class="attentiontitle">Attention:</span> Once your system is operational, do not change the security level without consulting a programmer. Also, do not change the system name if you are using iSeries™ Access or communicating with another computer.</div>
</td>
</tr>
<tr><td valign="top" headers="d0e151 ">You pressed the Enter key instead of paging down.</td>
<td valign="top" headers="d0e153 ">Select option <kbd class="userinput">1</kbd> from the SETUP menu again and page down to display the second page. Type your choices and press the Enter key.</td>
</tr>
</tbody>
</table>
</div>
<p>The following table shows several values that you can set to make it more difficult for an unauthorized person to sign on to your system. If you run the CFGSYSSEC command, it sets these system values to the recommended settings. </p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Recommended system value settings</caption><thead align="left"><tr><th valign="top" id="d0e206">System Value Name</th>
<th valign="top" id="d0e208">Description</th>
<th valign="top" id="d0e210">Recommended Setting</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e206 ">QAUTOCFG</td>
<td valign="top" headers="d0e208 ">Whether the system automatically configures new devices.</td>
<td valign="top" headers="d0e210 ">0 (No)</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QAUTOVRT</td>
<td valign="top" headers="d0e208 ">The number of virtual device descriptions that the system will automatically create if no device is available for use.</td>
<td valign="top" headers="d0e210 ">0</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QDEVRCYACN</td>
<td valign="top" headers="d0e208 ">What the system does when a device reconnects after an error.<sup>1</sup></td>
<td valign="top" headers="d0e210 ">*DSCMSG</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QDSCJOBITV</td>
<td valign="top" headers="d0e208 ">How long the system waits before ending a disconnected job.</td>
<td valign="top" headers="d0e210 ">120</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QDSPSGNINF</td>
<td valign="top" headers="d0e208 ">Whether the system displays information about previous sign-on activity when a user signs on.</td>
<td valign="top" headers="d0e210 ">1 (Yes)</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QINACTITV</td>
<td valign="top" headers="d0e208 ">How long the system waits before taking action when an interactive job is inactive.</td>
<td valign="top" headers="d0e210 ">60</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QINACTMSGQ</td>
<td valign="top" headers="d0e208 ">What the system does when the QINACTITV time period is reached.</td>
<td valign="top" headers="d0e210 ">*ENDJOB</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QLMTDEVSSN</td>
<td valign="top" headers="d0e208 ">Whether the system prevents a user from signing on at more than one workstation at the same time.</td>
<td valign="top" headers="d0e210 ">1 (Yes)</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QLMTSECOFR</td>
<td valign="top" headers="d0e208 ">Whether users with *ALLOBJ or *SERVICE special authority can sign on only at specific workstations.</td>
<td valign="top" headers="d0e210 ">1 (Yes)<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e206 ">QMAXSIGN</td>
<td valign="top" headers="d0e208 ">Maximum consecutive, incorrect sign-on attempts (user profile or password is incorrect).</td>
<td valign="top" headers="d0e210 ">3</td>
</tr>
<tr><td valign="top" headers="d0e206 ">QMAXSGNACN</td>
<td valign="top" headers="d0e208 ">What the system does when the QMAXSIGN limit is reached.</td>
<td valign="top" headers="d0e210 ">3 (Disable both user profile and device)</td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e206 d0e208 d0e210 "><div class="note"><span class="notetitle">Note:</span> <ol><li>The system can disconnect and reconnect TELNET sessions when the device description for the session is explicitly assigned.</li>
<li>If you set the system value to <kbd class="userinput">1 (Yes)</kbd>, you will need to explicitly authorize users with *ALLOBJ or *SERVICE special authority to devices. The simplest way to do this is to give the QSECOFR user profile *CHANGE authority to specific devices.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
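<p>The check below is an added example, not part of the IBM topic or any IBM tool: it compares a listing of current system values with the recommended settings in Table 2. The one-pair-per-line input format, the sample values, and the rule that a lower limit or timeout than recommended also passes are assumptions made for the example.</p>

```python
# Added example: audit sign-on system values against Table 2 of this topic.

# Recommended settings, copied from Table 2.
RECOMMENDED = {
    "QAUTOCFG": "0", "QAUTOVRT": "0", "QDEVRCYACN": "*DSCMSG",
    "QDSCJOBITV": "120", "QDSPSGNINF": "1", "QINACTITV": "60",
    "QINACTMSGQ": "*ENDJOB", "QLMTDEVSSN": "1", "QLMTSECOFR": "1",
    "QMAXSIGN": "3", "QMAXSGNACN": "3",
}

# Assumption: for these limits and timeouts the recommendation is an upper
# bound, so a smaller number is stricter and also passes. Any non-numeric
# special value (for example one that disables the limit) is reported.
UPPER_BOUNDS = {"QAUTOVRT", "QDSCJOBITV", "QINACTITV", "QMAXSIGN"}


def parse_listing(text):
    """Parse 'NAME VALUE' lines (assumed format) into a dict."""
    values = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # skip blank lines, comments and malformed lines
        values[parts[0].upper()] = parts[1].strip().strip("'").upper()
    return values


def audit(values):
    """Return (name, current, recommended) for every deviation."""
    findings = []
    for name, want in RECOMMENDED.items():
        have = values.get(name)
        if have is None:
            findings.append((name, "MISSING", want))
        elif name in UPPER_BOUNDS:
            if not have.isdigit() or int(have) > int(want):
                findings.append((name, have, want))
        elif have != want:
            findings.append((name, have, want))
    return findings


# Constructed sample listing (not real system output); QMAXSGNACN is omitted.
SAMPLE = """\
# name      value
QAUTOCFG    1
QAUTOVRT    0
QDEVRCYACN  *DSCMSG
QDSCJOBITV  240
QDSPSGNINF  1
QINACTITV   *NONE
QINACTMSGQ  *ENDJOB
QLMTDEVSSN  1
QLMTSECOFR  0
QMAXSIGN    '3'
"""

if __name__ == "__main__":
    for name, have, want in audit(parse_listing(SAMPLE)):
        print(name.ljust(11), "current=" + have.ljust(8), "recommended=" + want)
```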
<p>After entering your system values, you must then apply the new system values.</p>
<p>For more information, see <span class="q">"Values That Are Set by the Configure System Security Command"</span> in the <cite>iSeries Security Reference</cite>.</p>
</div>
<div class="section" id="setuserenviron__setuser5"><a name="setuserenviron__setuser5"><!-- --></a><h4 class="sectiontitle">Applying the new system values</h4><p>After you enter your system values, you need to apply some of these values. Most changes to system values take effect immediately. However, when you change the security level on your system, the change does not take effect until you stop your system and start it again. After you verify that you typed all the values on the Change System Options display correctly, you are ready to apply the new values.</p>
<div class="note"><span class="notetitle">Note:</span> Attach your workstations to the system, if you have not already done so. When you start the system, it automatically configures those devices using the naming format you chose on the Change System Options display.</div>
<div class="p">Use the following procedure to stop your system and start it again. When your system starts, the values you entered on the Change System Options display take effect.<ol><li>Make sure you have signed on at the console and that no other workstations are signed on. </li>
<li>Make sure that the keylock switch on the processor unit is in the Normal position. </li>
<li>From the SETUP menu, select the option for Power On and Off Tasks. </li>
<li>Select the option to power off the system immediately and then power on. Press the Enter key. </li>
<li>The system shows a display that requests you to confirm your power-down request. Press F16 (Confirm).</li>
</ol>
</div>
<p>This causes the system to stop and then start again automatically. Your display goes blank for a few minutes. Then you should see the Sign On display again. </p>
<p>After you apply your new system values, you must create a security officer profile for yourself on the system.</p>
</div>
<div class="section" id="setuserenviron__setuser6"><a name="setuserenviron__setuser6"><!-- --></a><h4 class="sectiontitle">Creating a security officer profile</h4><p>A security officer on the system is any user with *SECOFR user class or *ALLOBJ and *SECADM special authorities. </p>
<div class="p">After you apply the system values from the Change System Options display, create a user profile for yourself and for the alternate security officer. In the future, use your profile, rather than the QSECOFR profile, when you perform security officer functions.<ol><li>Sign on to the system as QSECOFR and request the SETUP menu. Notice that the system name you chose appears in the upper right of the Sign On display.</li>
<li>From the SETUP menu, select the Work with user enrollment option. The Work with User Enrollment display lists the profiles currently on your system. (If you see the Work with User Profile display, press F21 (Select assistance level) and change to basic assistance level.) </li>
<li>To create a new profile, type <kbd class="userinput">1</kbd> (Add) in the Opt (option) column and the name of your profile in the User column. Press the Enter key.</li>
<li>On the Add User display, assign yourself a password. </li>
<li>Fill in the fields shown on the sample display with your own appropriate information. </li>
<li>Page down to the next page of the display.</li>
<li>Fill in the second page of the display and press the Enter key. </li>
<li>Check for confirmation messages at the bottom of the Work with User Enrollment display. </li>
<li>Press F3 (Exit) to return to the SETUP menu.</li>
</ol>
</div>
<p>After you create a security officer profile for yourself, you need to change user IDs and passwords for Service Tools users.</p>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzamvchangepwd.htm">Change known passwords</a></strong><br />
To keep your system secure, change known passwords for user profiles and dedicated service tools.</li>
<li class="ulchildlink"><strong><a href="rzamvchangesignonerror.htm">Change signon error messages</a></strong><br />
This topic discusses how to change signon error messages to discourage hackers who are trying to break into a system.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvimplementsecstrat.htm" title="This topic describes the tasks for implementing your security strategy, explains why they are important, and provides links to the implementation topics.">Implement your security strategy</a></div>
</div>
</div>
</body>
</html>