ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamv_5.4.0.1/rzamvqpwdlvltwo.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Considerations for changing QPWDLVL from 0 or 1 to 2" />
<meta name="abstract" content="Password level 2 introduces the use of case sensitive passwords up to 128 characters in length, also called passphrases, and provides the maximum ability to revert back to QPWDLVL 0 or 1." />
<meta name="description" content="Password level 2 introduces the use of case sensitive passwords up to 128 characters in length, also called passphrases, and provides the maximum ability to revert back to QPWDLVL 0 or 1." />
<meta name="DC.Relation" scheme="URI" content="rzamvpasswdlvlchg.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="qpwdlvltwo" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Considerations for changing QPWDLVL from 0 or 1 to 2</title>
</head>
<body id="qpwdlvltwo"><a name="qpwdlvltwo"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Considerations for changing QPWDLVL from 0 or 1 to 2</h1>
<div><p>Password level 2 introduces the use of case sensitive passwords
up to 128 characters in length, also called passphrases, and provides the
maximum ability to revert back to QPWDLVL 0 or 1.</p>
<p>Regardless of the password level of the system, password level 2 and 3
passwords are created whenever a password is changed or a user signs on to
the system. Having a level 2 and 3 password created while the system is still
at password level 0 or 1 helps prepare for the change to password level 2
or 3.</p>
<div class="p">Prior to changing QPWDLVL to 2, you should use the DSPAUTUSR or PRTUSRPRF
TYPE(*PWDINFO) commands to locate all user profiles which do not have a password
that is usable at password level 2. Depending on which profiles these commands
locate, you may want to use one of the following mechanisms to have a password
level 2 and 3 password added to the profiles.<ul><li>Change the password for the user profile using the CHGUSRPRF or CHGPWD
CL command or the QSYCHGPW API. This will cause the system to change the password
that is usable at password levels 0 and 1; and the system also creates two
equivalent case sensitive passwords that are usable at password levels 2 and
3. An all uppercase and all lowercase version of the password is created for
use at password level 2 or 3. <p>For example, changing the password to C4D2RB4Y
results in the system generating C4D2RB4Y and c4d2rb4y password level 2 passwords.</p>
</li>
<li>Sign on to the system through a mechanism that presents the password in
clear text, not using password substitution. If the password is valid and
the user profile does not have a password that is usable at password levels
2 and 3, the system creates two equivalent case sensitive passwords that are
usable at password levels 2 and 3. An all uppercase and all lowercase version
of the password is created for use at password level 2 or 3.</li>
</ul>
The absence of a password that is usable at password level 2 or 3 can
be a problem whenever the user profile also does not have a password that
is usable at password levels 0 and 1 or when the user tries to sign on through
a product that uses password substitution. In these cases, the user will not
be able to sign on when the password level is changed to 2.</div>
<p>If a user profile does not have a password that is usable at password levels
2 and 3, the user profile does have a password that is usable at password
levels 0 and 1, and the user signs on through a product that sends clear text
passwords, then the system validates the user against the password level 0
password and creates two password level 2 passwords (as described above) for
the user profile. Subsequent signons will be validated against the password
level 2 passwords.</p>
<p>Any client or service which uses password substitution will not work correctly
at QPWDLVL 2 if the client or service hasn’t been updated to use the new password
or passphrase substitution scheme. The administrator should check whether
a client or service which hasn’t been updated to the new password substitution
scheme is required.</p>
<div class="p">The clients and services that use password substitution include:<ul><li>TELNET</li>
<li>iSeries™ Access</li>
<li>iSeries Host
Servers</li>
<li>QFileSrv.400</li>
<li>iSeries NetServer™ print
support</li>
<li>DDM</li>
<li>DRDA<sup>®</sup></li>
<li>SNA LU6.2</li>
</ul>
It is highly recommended that the security data be saved prior to changing
to QPWDLVL 2. Having a backup of your security data can help make the transition
back to QPWDLVL 0 or 1 easier if that becomes necessary. </div>
<p>It is recommended that the other password system values, such as QPWDMINLEN
and QPWDMAXLEN, not be changed until after some testing at QPWDLVL 2 has occurred.
This will make it easier to transition back to QPWDLVL 1 or 0 if necessary.
However, the QPWDVLDPGM system value must specify either *REGFAC or *NONE
before the system will allow QPWDLVL to be changed to 2.</p>
<p>Therefore, if you use a password validation program, you may wish to write
a new one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point by
using the ADDEXITPGM command.</p>
<div class="p">iSeries NetServer passwords
are still supported at QPWDLVL 2, so any function or service that requires
an iSeries NetServer password
should still work correctly. Once the administrator is comfortable
with running the system at QPWDLVL 2, they can begin to change the password
system values to exploit longer passwords. However, the administrator needs
to be aware that longer passwords will have these effects:<ul><li>If passwords greater than 10 characters are specified, the password level
0 and 1 password is cleared. This user profile would not be able to signon
if the system is returned to password level 0 or 1.</li>
<li>If passwords contain special characters or do not follow the composition
rules for simple object names (excluding case sensitivity), the password level
0 and 1 password is cleared.</li>
<li>If passwords greater than 14 characters are specified, the iSeries NetServer password
for the user profile is cleared.</li>
<li>The password system values only apply to the new password level 2 value
and do not apply to the system generated password level 0 and 1 password or iSeries NetServer password
values (if generated).</li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvpasswdlvlchg.htm" title="Operations with other systems may fail or users may not be able to sign on to the system if you haven’t planned for the password level change adequately.">Plan password level changes</a></div>
</div>
</div>
</body>
</html>