Security system values

System values allow you to customize many characteristics of your system. A group of system values is used to define system-wide security settings.

You can restrict users from changing the security-related system values. System service tools (SST) and dedicated service tools (DST) provide an option to lock these system values. By locking the system values, you can prevent even a user with *SECADM and *ALLOBJ authority from changing these system values with the CHGSYSVAL command. In addition to restricting changes to these system values, you can also restrict adding digital certificates to a digital certificate store with the Add Verifier API and restrict password resetting on the digital certificate store.

Note: If you lock the security-related system values and need to perform a restore operation as part of a system recovery, be aware that you need to unlock the system values to complete the restore operation. This ensures that the system values are free to be changed during the initial program load (IPL).

You can restrict the following system values by using the lock option:

  • QALWJOBITP
  • QALWOBJRST
  • QALWUSRDMN
  • QAUDCTL
  • QAUDENDACN
  • QAUDFRCLVL
  • QAUDLVL
  • QAUDLVL2
  • QAUTOCFG
  • QAUTORMT
  • QAUTOVRT
  • QCRTAUT
  • QCRTOBJAUD
  • QDEVRCYACN
  • QDSPSGNINF
  • QDSCJOBITV
  • QFRCCVNRST
  • QINACTMSGQ
  • QLMTDEVSSN
  • QLMTSECOFR
  • QMAXSGNACN
  • QMAXSIGN
  • QPWDCHGBLK
  • QPWDEXPITV
  • QPWDEXPWRN
  • QPWDLMTAJC
  • QPWDLMTCHR
  • QPWDLMTREP
  • QPWDLVL
  • QPWDMAXLEN
  • QPWDMINLEN
  • QPWDPOSDIF
  • QPWDRQDDGT
  • QPWDRQDDIF
  • QPWDRULES
  • QPWDVLDPGM
  • QRETSVRSEC
  • QRMTSIGN
  • QRMTSRVATR
  • QSCANFS
  • QSCANFSCTL
  • QSECURITY
  • QSHRMEMCTL
  • QUSEADPAUT
  • QVFYOBJRST

You can use system service tools (SST) or dedicated service tools (DST) to lock and unlock the security-related system values. However, you must use DST if you are in recovery mode because SST is not available during this mode. Otherwise, use SST to lock or unlock the security-related system values.

To lock or unlock security-related system values with the Start System Service Tools (STRSST) command, follow these steps:
Note: You must have a service tools user ID and password to lock or unlock the security-related system values.
  1. Open a character-based interface.
  2. On the command line, type STRSST.
  3. Type your service tools user ID and password.
  4. Select option 7 (Work with system security).
  5. Type 1 to unlock security-related system values or 2 to lock security-related system values in the Allow system value security changes parameter.

To lock or unlock security-related system values using dedicated service tools (DST) during an attended IPL of a system recovery, follow these steps:
  1. From the IPL or Install the System display, select option 3 (Use Dedicated Service Tools).
    Note: This step assumes that you are in recovery mode and are performing an attended IPL.
  2. Sign on to DST using your service tools user ID and password.
  3. Select option 13 (Work with system security).
  4. Type 1 to unlock security-related system values or 2 to lock security-related system values in the Allow system value security changes parameter.