Security system values
System values allow you to customize many characteristics of your system. One group of system values defines system-wide security settings.
You can restrict users from changing the security-related system values. System service tools (SST) and dedicated service tools (DST) provide an option to lock these system values. By locking the system values, you can prevent even a user with *SECADM and *ALLOBJ authority from changing these system values with the CHGSYSVAL command. In addition to restricting changes to these system values, the lock option also lets you restrict adding digital certificates to a digital certificate store with the Add Verifier API and restrict password resetting on the digital certificate store.
You can restrict the following system values by using the lock option:
- QALWJOBITP
- QALWOBJRST
- QALWUSRDMN
- QAUDCTL
- QAUDENDACN
- QAUDFRCLVL
- QAUDLVL
- QAUDLVL2
- QAUTOCFG
- QAUTORMT
- QAUTOVRT
- QCRTAUT
- QCRTOBJAUD
- QDEVRCYACN
- QDSPSGNINF
- QDSCJOBITV
- QFRCCVNRST
- QINACTMSGQ
- QLMTDEVSSN
- QLMTSECOFR
- QMAXSGNACN
- QMAXSIGN
- QPWDCHGBLK
- QPWDEXPITV
- QPWDEXPWRN
- QPWDLMTAJC
- QPWDLMTCHR
- QPWDLMTREP
- QPWDLVL
- QPWDMAXLEN
- QPWDMINLEN
- QPWDPOSDIF
- QPWDRQDDGT
- QPWDRQDDIF
- QPWDRULES
- QPWDVLDPGM
- QRETSVRSEC
- QRMTSIGN
- QRMTSRVATR
- QSCANFS
- QSCANFSCTL
- QSECURITY
- QSHRMEMCTL
- QUSEADPAUT
- QVFYOBJRST
You can use system service tools (SST) or dedicated service tools (DST) to lock and unlock the security-related system values. However, you must use DST if you are in recovery mode because SST is not available during this mode. Otherwise, use SST to lock or unlock the security-related system values.
To lock or unlock the security-related system values with SST, follow these steps:
- Open a character-based interface.
- On the command line, type STRSST.
- Type your service tools user ID and password.
- Select option 7 (Work with system security).
- Type 1 to unlock security-related system values or 2 to lock security-related system values in the Allow system value security changes parameter.

To lock or unlock the security-related system values with DST, follow these steps:
- From the IPL or Install the System display, select option 3 (Use Dedicated Service Tools).
  Note: This step assumes that you are in recovery mode and are performing an attended IPL.
- Sign on to DST using your service tools user ID and password.
- Select option 13 (Work with system security).
- Type 1 to unlock security-related system values or 2 to lock security-related system values in the Allow system value security changes parameter.