<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Change known passwords" />
<meta name="abstract" content="To keep your system secure, change known passwords for user profiles and dedicated service tools." />
<meta name="description" content="To keep your system secure, change known passwords for user profiles and dedicated service tools." />
<meta name="DC.Relation" scheme="URI" content="rzamvsetuserenviron.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="changepwd" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Change known passwords</title>
</head>
<body id="changepwd"><a name="changepwd"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Change known passwords</h1>
<div><p>To keep your system secure, change known passwords for user profiles and dedicated service tools.</p>
<div class="p">Do the following to close some well-known entrances into the server that may exist on your system. <ol><li>Make sure that no user profiles still have default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command.</li>
<li>Try to sign on to your system with the combinations of user profiles and passwords that are shown in <a href="#changepwd__pwdtab1">Table 1</a>. These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended value.</li>
<li>Start the Dedicated Service Tools (DST) and try to sign on with the passwords that are shown in <a href="#changepwd__pwdtab2">Table 2</a>.</li>
<li>If you can sign on to DST with any of these passwords, you should change the passwords.</li>
<li>Make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try several different displays. If you can sign on without entering information on the Sign On display, do one of the following:<ul><li>Change to security level 40 or 50 (QSECURITY system value). (Your applications might run differently when you increase your security level to 40 or 50.)</li>
<li>Change all of the workstation entries for interactive subsystems to point to job descriptions that specify USER(*RQD).</li>
</ul>
</li>
</ol>
</div>
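<p>The profile-level steps above as a CL sequence. This is an added example, not part of IBM's original topic; the parameter choices (for instance ACTION(*NONE), which only reports) are this example's assumptions, and the profile names are the ones listed in Table 1.</p>

```cl
PGM
  /* Added example, not IBM's code. Run under a profile with         */
  /* *ALLOBJ and *SECADM special authority.                          */

  /* Step 1: print a report of profiles whose password equals the    */
  /* profile name. ACTION(*NONE) reports only; *DISABLE or *PWDEXP   */
  /* would also disable the profiles or expire their passwords.      */
  ANZDFTPWD  ACTION(*NONE)

  /* Step 2, Table 1: profiles the system needs but nobody should    */
  /* sign on with get PASSWORD(*NONE). Only the password changes;    */
  /* the profile stays enabled, so QUSER still serves iSeries Access */
  /* for Windows over TCP/IP.                                        */
  CHGUSRPRF  USRPRF(QSYSOPR)  PASSWORD(*NONE)
  CHGUSRPRF  USRPRF(QPGMR)    PASSWORD(*NONE)
  CHGUSRPRF  USRPRF(QUSER)    PASSWORD(*NONE)
  CHGUSRPRF  USRPRF(QSRV)     PASSWORD(*NONE)
  CHGUSRPRF  USRPRF(QSRVBAS)  PASSWORD(*NONE)

  /* QSECOFR is deliberately not changed here: set its password      */
  /* interactively so the value never sits in program source.        */

  /* Step 5: record the current security level. Level 40 or 50       */
  /* closes the blank sign-on path; a change made with CHGSYSVAL     */
  /* takes effect at the next IPL.                                   */
  DSPSYSVAL  SYSVAL(QSECURITY)  OUTPUT(*PRINT)
ENDPGM
```

<p>The DST sign-on checks in steps 3 and 4 cannot be scripted this way; they are done at the DST display itself.</p>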
<div class="tablenoborder"><a name="changepwd__pwdtab1"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="changepwd__pwdtab1" width="100%" frame="border" border="1" rules="all"><caption>Table 1. Passwords for IBM-supplied profiles</caption><thead align="left"><tr><th valign="top" id="d0e45">User ID</th>
<th valign="top" id="d0e47">Password</th>
<th valign="top" id="d0e49">Recommended value</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e45 ">QSECOFR</td>
<td valign="top" headers="d0e47 ">QSECOFR<sup>1</sup></td>
<td valign="top" headers="d0e49 ">A nontrivial value known only to the security administrator. <span class="uicontrol">Write down the password that you have selected and store it in a safe place.</span></td>
</tr>
<tr><td valign="top" headers="d0e45 ">QSYSOPR</td>
<td valign="top" headers="d0e47 ">QSYSOPR</td>
<td valign="top" headers="d0e49 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e45 ">QPGMR</td>
<td valign="top" headers="d0e47 ">QPGMR</td>
<td valign="top" headers="d0e49 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e45 ">QUSER</td>
<td valign="top" headers="d0e47 ">QUSER</td>
<td valign="top" headers="d0e49 ">*NONE<sup>2</sup>, <sup>3</sup></td>
</tr>
<tr><td valign="top" headers="d0e45 ">QSRV</td>
<td valign="top" headers="d0e47 ">QSRV</td>
<td valign="top" headers="d0e49 ">*NONE<sup>2</sup></td>
</tr>
<tr><td valign="top" headers="d0e45 ">QSRVBAS</td>
<td valign="top" headers="d0e47 ">QSRVBAS</td>
<td valign="top" headers="d0e49 ">*NONE<sup>2</sup></td>
</tr>
<tr><td colspan="3" valign="top" headers="d0e45 d0e47 d0e49 "><div class="note"><span class="notetitle">Note:</span> <ol><li>The system arrives with the <em>Set password to expired</em> value for the QSECOFR profile set to *YES. The first time that you sign on to a new system, you must change the QSECOFR password.</li>
<li>The system needs these user profiles for system functions, but you should not allow users to sign on with these profiles. This password is shipped as *NONE. When you run the CFGSYSSEC command, the system sets these passwords to *NONE.</li>
<li>To run iSeries™ Access for Windows<sup>®</sup> using TCP/IP, the QUSER user profile must be enabled.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div class="tablenoborder"><a name="changepwd__pwdtab2"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="changepwd__pwdtab2" width="100%" frame="border" border="1" rules="all"><caption>Table 2. Passwords for Dedicated Service Tools</caption><thead align="left"><tr><th valign="top" width="25%" id="d0e140">DST Level</th>
<th valign="top" width="25%" id="d0e142">User ID<sup>1</sup></th>
<th valign="top" width="25%" id="d0e146">Password</th>
<th valign="top" width="25%" id="d0e148">Recommended Value</th>
</tr>
</thead>
<tbody><tr><td valign="top" width="25%" headers="d0e140 ">Basic capability</td>
<td valign="top" width="25%" headers="d0e142 ">11111111</td>
<td valign="top" width="25%" headers="d0e146 ">11111111</td>
<td valign="top" width="25%" headers="d0e148 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" width="25%" headers="d0e140 ">Full capability</td>
<td valign="top" width="25%" headers="d0e142 ">22222222</td>
<td valign="top" width="25%" headers="d0e146 ">22222222<sup>3</sup></td>
<td valign="top" width="25%" headers="d0e148 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" width="25%" headers="d0e140 ">Security capability</td>
<td valign="top" width="25%" headers="d0e142 ">QSECOFR</td>
<td valign="top" width="25%" headers="d0e146 ">QSECOFR<sup>3</sup></td>
<td valign="top" width="25%" headers="d0e148 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td valign="top" width="25%" headers="d0e140 ">Service capability</td>
<td valign="top" width="25%" headers="d0e142 ">QSRV</td>
<td valign="top" width="25%" headers="d0e146 ">QSRV<sup>3</sup></td>
<td valign="top" width="25%" headers="d0e148 ">A nontrivial value known only to the security administrator.<sup>2</sup></td>
</tr>
<tr><td colspan="4" valign="top" headers="d0e140 d0e142 d0e146 d0e148 "><div class="note"><span class="notetitle">Note:</span> <ol><li>A user ID is only required for PowerPC<sup>®</sup> AS (RISC) releases of the operating system.</li>
<li>If your hardware service representative needs to sign on with this user ID and password, change the password to a new value after the hardware service representative leaves.</li>
<li>The service tools user profile will expire as soon as it is used for the first time.</li>
</ol>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<div class="important"><span class="importanttitle">Important:</span> DST passwords can only be changed by an authenticated device. This is also true for all passwords and corresponding user IDs that are identical. For more information on authenticated devices, see the Operations Console setup information in the iSeries Information Center.</div>
<div class="section"><h4 class="sectiontitle">Use system service tools to change passwords</h4><p>You also can use system service tools (SST) instead of DST to change passwords.</p>
<p>You can manage and create service tools user IDs from system service tools (SST) by selecting option 8 (Work with service tools user IDs) from the main SST display. You no longer need to go into DST to reset passwords, grant or revoke privileges, or create service tools user IDs.</p>
<p>The server is shipped with limited ability to change default and expired passwords. This means that you cannot change service tools user IDs that have default and expired passwords through the Change Service Tools User ID (QSYCHGDS) API, nor can you change their passwords through SST. You can only change a service tools user ID with a default and expired password through DST. You can change the setting to allow default and expired passwords to be changed. Also, you can use the new Start service tools (STRSST) privilege to create a service tools user ID that can access DST, but can be restricted from accessing SST.</p>
</div>
<div class="section"><h4 class="sectiontitle">Change passwords for IBM-supplied user profiles</h4><p>If you need to sign on with one of the IBM-supplied profiles, you can change the password using the CHGUSRPRF command. You can also change these passwords using an option from the SETUP menu. To protect your system, you should leave the password set to *NONE for all IBM-supplied profiles except QSECOFR. Do not allow trivial passwords for the QSECOFR profile.</p>
<pre class="screen">Change Passwords for IBM-Supplied Profiles
Type new password below for IBM-supplied user,
type password again to verify change, then press Enter.
New security officer (QSECOFR) password . . . . . .
New password (to verify) . . . . . . . . . . . . .
New system operator (QSYSOPR) password . . . . . . .
New password (to verify) . . . . . . . . . . . . .
New programmer (QPGMR) password . . . . . . . . . .
New password (to verify) . . . . . . . . . . . . .
New user (QUSER) password . . . . . . . . . . . . .
New password (to verify) . . . . . . . . . . . . .
New service (QSRV) password . . . . . . . . . . . .
New password (to verify) . . . . . . . . . . . . .</pre>
<div class="p">Page down to change additional passwords:<pre class="screen">Change Passwords for IBM-Supplied Profiles
Type new password below for IBM-supplied user,
type password again to verify change, then press Enter.
New basic service (QSRVBAS) password . . . . . . . .
New password (to verify) . . . . . . . . . . . .</pre>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvsetuserenviron.htm" title="This topic describes how to set up your user environment and sign on to the system.">Set up your user environment</a></div>
</div>
</div>
</body>
</html>