<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Change known passwords" />
<meta name="abstract" content="Do the following to close some well-known entrances into the server that may exist on your system." />
<meta name="description" content="Do the following to close some well-known entrances into the server that may exist on your system." />
<meta name="DC.Relation" scheme="URI" content="rzamvpwdlvl.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="changeknownpwd" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Change known passwords</title>
</head>
<body id="changeknownpwd"><a name="changeknownpwd"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Change known passwords</h1>
<div><p>Do the following to close some well-known entrances into the server
that may exist on your system.</p>
<div class="p">You will need information from these tables for some of the steps
in this procedure.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Passwords for IBM-supplied profiles</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e23">User ID</th>
<th valign="bottom" id="d0e25">Password</th>
<th valign="bottom" id="d0e27">Recommended value</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e23 ">QSECOFR</td>
<td valign="top" headers="d0e25 ">QSECOFR<sup>1</sup></td>
<td valign="top" headers="d0e27 ">A nontrivial value known only to the security administrator.
Write down the password that you have selected and store it in a safe place.</td>
</tr>
<tr><td valign="top" headers="d0e23 ">QSYSOPR</td>
<td valign="top" headers="d0e25 ">QSYSOPR</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QPGMR</td>
<td valign="top" headers="d0e25 ">QPGMR</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QUSER</td>
<td valign="top" headers="d0e25 ">QUSER</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2, 3</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QSRV</td>
<td valign="top" headers="d0e25 ">QSRV</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e23 ">QSRVBAS</td>
<td valign="top" headers="d0e25 ">QSRVBAS</td>
<td valign="top" headers="d0e27 ">*NONE<sup>2</sup></td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e23 d0e25 d0e27 "><div class="note"><span class="notetitle">Note:</span> <ol><li>The system arrives with the Set password to expired value for the QSECOFR
profile set to *YES. The first time that you sign on to a new system, you must change
the QSECOFR password.</li>
<li>The system needs these user profiles for system functions, but you should
not allow users to sign on with these profiles. For new systems installed
with V3R1 or later releases, this password is shipped as *NONE. If you run
the CFGSYSSEC command, the system sets these passwords to *NONE.</li>
<li>To run iSeries™ Access
for Windows<sup>®</sup> using
TCP/IP, the QUSER user profile must be enabled.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 2. Passwords for dedicated service tools</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e110">DST Level1</th>
<th valign="bottom" id="d0e112">User ID<sup>1</sup></th>
<th valign="bottom" id="d0e116">Password</th>
<th valign="bottom" id="d0e118">Recommended value</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e110 ">Basic capability</td>
<td valign="top" headers="d0e112 ">11111111</td>
<td valign="top" headers="d0e116 ">11111111</td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e110 ">Full capability</td>
<td valign="top" headers="d0e112 ">22222222</td>
<td valign="top" headers="d0e116 ">22222222<sup>3</sup></td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e110 ">Security capability</td>
<td valign="top" headers="d0e112 ">QSECOFR</td>
<td valign="top" headers="d0e116 ">QSECOFR<sup>3</sup></td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e110 ">Service capability</td>
<td valign="top" headers="d0e112 ">QSRV</td>
<td valign="top" headers="d0e116 ">QSRV<sup>3</sup></td>
<td valign="top" headers="d0e118 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td colspan="4" valign="top" headers="d0e110 d0e112 d0e116 d0e118 "><div class="note"><span class="notetitle">Note:</span> <ol><li>A user ID is only required for PowerPC<sup>®</sup> AS (RISC) releases of the operating
system.</li>
<li>If your hardware service representative needs to sign on with this user
ID and password, change the password to a new value after the hardware service
representative leaves.</li>
<li>The service tools user profile will expire as soon as it is used for the
first time.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<ol><li class="stepexpand"><span>Make sure that no user profiles still have default passwords (equal
to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD)
command.</span></li>
<li class="stepexpand"><span>Try to sign on to your system with the combinations of user profiles
and passwords that are shown in the table, "Passwords for IBM-supplied profiles."
These passwords are published, and they are the first choice of anyone who
is trying to break into your system. If you can sign on, use the Change User
Profile (CHGUSRPRF) command to change the password to the recommended value.</span></li>
<li class="stepexpand"><span>Start the Dedicated Service Tools (DST) and try to sign on with
the passwords that are shown in Table 2. </span></li>
<li class="stepexpand"><span>If you can sign on to DST with any of these passwords, you should
change the passwords.</span> DST passwords can only be changed by an authenticated
device. This is also true for all passwords and corresponding user IDs that
are identical. For more information on authenticated devices, see the Operations
Console setup information.</li>
<li class="stepexpand"><span>Finally, make sure that you cannot sign on just by pressing the
Enter key at the Sign On display without entering a user ID and password.
Try several different displays. If you can sign on without entering information
on the Sign On display, do one of the following:</span><ol type="a"><li class="substepexpand"><span>Change to security level 40 or 50 (QSECURITY system value).</span> Your applications might run differently when you increase your security
level to 40 or 50.</li>
<li><span>Change all of the workstation entries for interactive subsystems
to point to job descriptions that specify USER(*RQD).</span></li>
</ol>
</li>
</ol>
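<p>Added example, not part of the original IBM topic: steps 1, 2 and 5 of the procedure written out as CL commands. The subsystem QSYS/QINTER with a *ALL workstation type entry and the job description SECLIB/SIGNONJOBD are assumptions; substitute your own interactive subsystems and library.</p>

```cl
/* Added example. SECLIB/SIGNONJOBD is a hypothetical name, and     */
/* QSYS/QINTER with a *ALL workstation type entry is an assumption. */

/* Step 1: report profiles whose password equals the profile name.  */
/* ACTION(*NONE) prints the report without changing any profile.    */
ANZDFTPWD ACTION(*NONE)

/* Step 2: set the Table 1 profiles to the recommended value *NONE. */
/* (The CFGSYSSEC command also sets these passwords to *NONE.)      */
CHGUSRPRF USRPRF(QSYSOPR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QPGMR)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRV)    PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRVBAS) PASSWORD(*NONE)

/* QUSER must stay enabled for iSeries Access for Windows over      */
/* TCP/IP (Table 1, note 3), so only its password is removed.       */
CHGUSRPRF USRPRF(QUSER) PASSWORD(*NONE) STATUS(*ENABLED)

/* QSECOFR keeps a password: while signed on as QSECOFR, run CHGPWD */
/* and enter the new nontrivial value at the prompt.                */
CHGPWD

/* Steps 3 and 4 (Table 2) are carried out from DST on an           */
/* authenticated device and have no CL equivalent here.             */

/* Step 5, option a: check the security level, then raise it.       */
/* A QSECURITY change takes effect at the next IPL.                 */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* Step 5, option b: list the workstation entries of the            */
/* interactive subsystem, then point them at a job description      */
/* that specifies USER(*RQD) so a user ID is always required.       */
DSPSBSD SBSD(QSYS/QINTER) OUTPUT(*PRINT)
CRTJOBD JOBD(SECLIB/SIGNONJOBD) USER(*RQD)
CHGWSE  SBSD(QSYS/QINTER) WRKSTNTYPE(*ALL) JOBD(SECLIB/SIGNONJOBD)
```

<p>Repeat the DSPSBSD and CHGWSE pair for every interactive subsystem and every workstation entry it lists, then rerun ANZDFTPWD to confirm the report is empty.</p>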
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvpwdlvl.htm" title="This system value allows you to set a specific password environment where all user profile passwords can have the same length specification.">Password level</a></div>
</div>
</div>
</body>
</html>