<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Change known passwords" />
<meta name="abstract" content="Do the following to close some well-known entrances into the server that may exist on your system." />
<meta name="description" content="Do the following to close some well-known entrances into the server that may exist on your system." />
<meta name="DC.Relation" scheme="URI" content="rzamvpwdlvl.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="changeknownpwd" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Change known passwords</title>
</head>
<body id="changeknownpwd"><a name="changeknownpwd"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Change known passwords</h1>
<div><p>Do the following to close some well-known entrances into the server
that may exist on your system.</p>
<div class="p">You will need information from these tables for some of the steps
in this procedure.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Passwords for IBM-supplied profiles</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e23">User ID</th>
<th valign="bottom" id="d0e25">Password</th>
<th valign="bottom" id="d0e27">Recommended value</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e23 ">QSECOFR</td>
<td valign="top" headers="d0e25 ">QSECOFR<sup>1</sup></td>
<td valign="top" headers="d0e27 ">A nontrivial value known only to the security administrator.
Write down the password that you have selected and store it in a safe place.</td>
</tr>
<tr><td valign="top" headers="d0e23 ">QSYSOPR</td>
<td valign="top" headers="d0e25 ">QSYSOPR</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QPGMR</td>
<td valign="top" headers="d0e25 ">QPGMR</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QUSER</td>
<td valign="top" headers="d0e25 ">QUSER</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2, 3</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QSRV</td>
<td valign="top" headers="d0e25 ">QSRV</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QSRVBAS</td>
<td valign="top" headers="d0e25 ">QSRVBAS</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e23 d0e25 d0e27 "><div class="note"><span class="notetitle">Note:</span> <ol><li>The system arrives with the Set password to expired value for the QSECOFR
profile set to *YES. The first time that you sign on to a new system, you must change
the QSECOFR password.</li>
<li>The system needs these user profiles for system functions, but you should
not allow users to sign on with these profiles. For new systems installed
with V3R1 or later releases, this password is shipped as *NONE. If you run
the CFGSYSSEC command, the system sets these passwords to *NONE.</li>
<li>To run iSeries™ Access
for Windows<sup>®</sup> using
TCP/IP, the QUSER user profile must be enabled.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 2. Passwords for dedicated service tools</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e110">DST Level</th>
<th valign="bottom" id="d0e112">User ID<sup>1</sup></th>
<th valign="bottom" id="d0e116">Password</th>
<th valign="bottom" id="d0e118">Recommended value</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e110 ">Basic capability</td>
<td valign="top" headers="d0e112 ">11111111</td>
<td valign="top" headers="d0e116 ">11111111</td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e110 ">Full capability</td>
<td valign="top" headers="d0e112 ">22222222</td>
<td valign="top" headers="d0e116 ">22222222<sup>3</sup></td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e110 ">Security capability</td>
<td valign="top" headers="d0e112 ">QSECOFR</td>
<td valign="top" headers="d0e116 ">QSECOFR<sup>3</sup></td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e110 ">Service capability</td>
<td valign="top" headers="d0e112 ">QSRV</td>
<td valign="top" headers="d0e116 ">QSRV<sup>3</sup></td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td colspan="4" valign="top" headers="d0e110 d0e112 d0e116 d0e118 "><div class="note"><span class="notetitle">Note:</span> <ol><li>A user ID is only required for PowerPC<sup>®</sup> AS (RISC) releases of the operating
system.</li>
<li>If your hardware service representative needs to sign on with this user
ID and password, change the password to a new value after the hardware service
representative leaves.</li>
<li>The service tools user profile will expire as soon as it is used for the
first time.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<ol><li class="stepexpand"><span>Make sure that no user profiles still have default passwords (equal
to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD)
command.</span></li>
<li class="stepexpand"><span>Try to sign on to your system with the combinations of user profiles
and passwords that are shown in the table, "Passwords for IBM-supplied profiles."
These passwords are published, and they are the first choice of anyone who
is trying to break into your system. If you can sign on, use the Change User
Profile (CHGUSRPRF) command to change the password to the recommended value.</span></li>
<li class="stepexpand"><span>Start the Dedicated Service Tools (DST) and try to sign on with
the passwords that are shown in Table 2. </span></li>
<li class="stepexpand"><span>If you can sign on to DST with any of these passwords, you should
change the passwords.</span> DST passwords can only be changed by an authenticated
device. This is also true for all passwords and corresponding user IDs that
are identical. For more information on authenticated devices, see the Operations
Console setup information.</li>
<li class="stepexpand"><span>Finally, make sure that you cannot sign on just by pressing the
Enter key at the Sign On display without entering a user ID and password.
Try several different displays. If you can sign on without entering information
on the Sign On display, do one of the following:</span><ol type="a"><li class="substepexpand"><span>Change to security level 40 or 50 (QSECURITY system value).</span> Your applications might run differently when you increase your security
level to 40 or 50.</li>
<li><span>Change all of the workstation entries for interactive subsystems
to point to job descriptions that specify USER(*RQD).</span></li>
</ol>
</li>
</ol>
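<p>The commands behind steps 1, 2 and 5, written out as an added CL example that is not part of the original IBM topic. The job description SECLIB/SIGNONJOBD is a hypothetical name, QINTER stands in for whichever interactive subsystems you run, and the ACTION, STATUS and WRKSTNTYPE parameter values are choices made for this example.</p>

```cl
/* Added example, not IBM's own text. Run from a profile with        */
/* security officer authority.                                       */

/* Step 1: report profiles whose password equals the profile name.   */
/* ACTION(*NONE) only reports; *DISABLE and *PWDEXP also act on      */
/* the profiles that are found.                                      */
ANZDFTPWD ACTION(*NONE)

/* Step 2: QSECOFR gets a nontrivial value (Table 1). While signed   */
/* on as QSECOFR, CHGPWD prompts for it, so the new value is never   */
/* typed on a command line.                                          */
CHGPWD

/* Step 2: the other IBM-supplied profiles in Table 1 get *NONE, so  */
/* nobody can sign on with them.                                     */
CHGUSRPRF USRPRF(QSYSOPR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QPGMR)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRV)    PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRVBAS) PASSWORD(*NONE)

/* QUSER also gets *NONE but must stay enabled when iSeries Access   */
/* for Windows runs over TCP/IP (Table 1, note 3).                   */
CHGUSRPRF USRPRF(QUSER) PASSWORD(*NONE) STATUS(*ENABLED)

/* Step 5a: display the current security level, then raise it.       */
/* The new QSECURITY value takes effect at the next IPL.             */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* Step 5b (alternative to 5a): make the job description require a   */
/* user, then point the subsystem's workstation entries at it.       */
/* SECLIB/SIGNONJOBD is a hypothetical job description.              */
CHGJOBD JOBD(SECLIB/SIGNONJOBD) USER(*RQD)
CHGWSE SBSD(QSYS/QINTER) WRKSTNTYPE(*ALL) JOBD(SECLIB/SIGNONJOBD)
```

<p>Steps 3 and 4 have no CL equivalent here because DST passwords are changed from within Dedicated Service Tools on an authenticated device.</p>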
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvpwdlvl.htm" title="This system value allows you to set a specific password environment where all user profile passwords can have the same length specification.">Password level</a></div>
</div>
</div>
</body>
</html>