Lock function of security-related system values

Most security system values can be altered only by a user with Security administrator (*SECADM) and All object (*ALLOBJ) special authorities. To prevent even these users from changing these system values during normal operation, system service tools (SST) and dedicated service tools (DST) provide an option to lock these security values.

Only some system values can be locked.

The default for this option (Allow security-related system values changes) is Yes; therefore, users with the required special authorities can change security-related system values.

The following table identifies the system values that are affected by this option. Both the IBM® Navigator for i name and the character-based name are specified.

Table 1. Lockable system values

System value category / name                                                                  Name in the character-based interface

Auditing system values
  Activate action auditing                                                                    QAUDCTL
  Activate object auditing                                                                    QAUDCTL
  Audit journal error action                                                                  QAUDENDACN
  Default auditing for newly created objects                                                  QCRTOBJAUD
  Maximum number of journal entries in auxiliary storage                                      QAUDFRCLVL

Device system values
  Action to take when a device error occurs                                                   QDEVRCYACN
  Local controllers and devices                                                               QAUTOCFG
  Pass-through devices and Telnet                                                             QAUTOVRT
  Remote controllers and devices                                                              QAUTORMT

Jobs system values
  Allow jobs to be interrupted                                                                QALWJOBITP
  Time-out interval                                                                           QDSCJOBITV
  When job reaches time-out                                                                   QINACTMSGQ

Password system values
  Maximum password length                                                                     QPWDMAXLEN
  Minimum password length                                                                     QPWDMINLEN
  Minimum time between password changes                                                       QPWDCHGBLK
  Password expiration                                                                         QPWDEXPITV
  Password expiration warning interval                                                        QPWDEXPWRN
  Password level                                                                              QPWDLVL
  Password reuse cycle                                                                        QPWDRQDDIF
  Password rules                                                                              QPWDRULES
  Password validation program                                                                 QPWDVLDPGM
  Require a new character in each position                                                    QPWDPOSDIF
  Require at least one digit                                                                  QPWDRQDDGT
  Restrict repeating characters                                                               QPWDLMTREP
  Restricted characters                                                                       QPWDLMTCHR
  Restrict consecutive digits                                                                 QPWDLMTAJC

Messages and service system values
  Allow remote service of system                                                              QRMTSRVATR

Save and restore system values
  Allow restore of security sensitive objects                                                 QALWOBJRST
  Convert objects during restore                                                              QFRCCVNRST
  Verify object signatures on restore                                                         QVFYOBJRST

Security system values
  Allow server security information to be retained                                            QRETSVRSEC
  Allow these objects in                                                                      QALWUSRDMN
  Allow use of shared or mapped memory with write capability                                  QSHRMEMCTL
  Default authority for newly created objects in QSYS.LIB file system                         QCRTAUT
  Scan control                                                                                QSCANFSCTL
  Security level                                                                              QSECURITY
  Transport Layer Security cipher control                                                     QSSLCSLCTL
  Transport Layer Security cipher specification list                                          QSSLCSL
  Transport Layer Security protocols                                                          QSSLPCL
  Use registered exit programs to scan the root (/), QOpenSys, and user-defined file systems  QSCANFS
  Users who can work with programs with adopted authority                                     QUSEADPAUT

Sign-on system values
  Display sign-on information                                                                 QDSPSGNINF
  Incorrect sign-on attempts                                                                  QMAXSIGN
  Maximum number of device sessions a user can have                                           QLMTDEVSSN
  Remote sign-on                                                                              QRMTSIGN
  Restrict privileged users to specific device session                                        QLMTSECOFR
  When maximum is reached                                                                     QMAXSGNACN

If you specify No for Allow security-related system values changes, users cannot change security-related system values. If you need to change a security-related system value, the Allow security-related system values changes parameter must be changed to Yes in SST.

If you specify Yes for Allow security-related system values changes, users with the required authorities can change security-related system values. Even though the security-related system values are unlocked, you still need Security administrator (*SECADM) and All object (*ALLOBJ) special authorities to change them. If you do not want to allow users to change a security-related system value, the Allow security-related system values changes parameter must be changed to No in SST.
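Locking the values in SST prevents changes, but an administrator still wants evidence that they stayed unchanged, since anyone with DST/SST access can set the option back to Yes. The Db2 for i SQL below is an added example, not part of the IBM documentation: it snapshots the lockable values from Table 1 right before locking and later reports any drift. It assumes the QSYS2.SYSTEM_VALUE_INFO view is available and uses a hypothetical schema name, SECBASE, for the baseline table.

```sql
-- Added example (not from the IBM page). Assumes Db2 for i with the
-- QSYS2.SYSTEM_VALUE_INFO view; SECBASE is a hypothetical schema name.

-- 1. Baseline: one row per lockable system value, captured just before the
--    option "Allow security-related system values changes" is set to No.
CREATE TABLE SECBASE.SYSVAL_BASELINE AS (
  SELECT SYSTEM_VALUE_NAME,
         CURRENT_NUMERIC_VALUE,
         CURRENT_CHARACTER_VALUE,
         CURRENT TIMESTAMP AS CAPTURED_AT
    FROM QSYS2.SYSTEM_VALUE_INFO
   WHERE SYSTEM_VALUE_NAME IN (
     -- the 46 lockable values listed in Table 1, by character-based name
     'QAUDCTL', 'QAUDENDACN', 'QCRTOBJAUD', 'QAUDFRCLVL',
     'QDEVRCYACN', 'QAUTOCFG', 'QAUTOVRT', 'QAUTORMT',
     'QALWJOBITP', 'QDSCJOBITV', 'QINACTMSGQ',
     'QPWDMAXLEN', 'QPWDMINLEN', 'QPWDCHGBLK', 'QPWDEXPITV', 'QPWDEXPWRN',
     'QPWDLVL', 'QPWDRQDDIF', 'QPWDRULES', 'QPWDVLDPGM', 'QPWDPOSDIF',
     'QPWDRQDDGT', 'QPWDLMTREP', 'QPWDLMTCHR', 'QPWDLMTAJC',
     'QRMTSRVATR',
     'QALWOBJRST', 'QFRCCVNRST', 'QVFYOBJRST',
     'QRETSVRSEC', 'QALWUSRDMN', 'QSHRMEMCTL', 'QCRTAUT', 'QSCANFSCTL',
     'QSECURITY', 'QSSLCSLCTL', 'QSSLCSL', 'QSSLPCL', 'QSCANFS', 'QUSEADPAUT',
     'QDSPSGNINF', 'QMAXSIGN', 'QLMTDEVSSN', 'QRMTSIGN', 'QLMTSECOFR', 'QMAXSGNACN')
) WITH DATA;

-- 2. Drift report, run periodically while the values are locked. Any row
--    returned means a locked value differs from the baseline, which can only
--    happen if the option was set back to Yes in SST (or the baseline predates
--    a planned change); reconcile each row against the change record.
SELECT b.SYSTEM_VALUE_NAME,
       b.CURRENT_CHARACTER_VALUE AS BASELINE_CHAR,
       c.CURRENT_CHARACTER_VALUE AS CURRENT_CHAR,
       b.CURRENT_NUMERIC_VALUE   AS BASELINE_NUM,
       c.CURRENT_NUMERIC_VALUE   AS CURRENT_NUM,
       b.CAPTURED_AT
  FROM SECBASE.SYSVAL_BASELINE b
  JOIN QSYS2.SYSTEM_VALUE_INFO c
    ON c.SYSTEM_VALUE_NAME = b.SYSTEM_VALUE_NAME
 WHERE c.CURRENT_CHARACTER_VALUE IS DISTINCT FROM b.CURRENT_CHARACTER_VALUE
    OR c.CURRENT_NUMERIC_VALUE   IS DISTINCT FROM b.CURRENT_NUMERIC_VALUE
 ORDER BY b.SYSTEM_VALUE_NAME;
```

An empty result from the drift report is the expected state; after any approved change, re-run step 1 so the baseline matches the new locked values.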