Retain Server Security (QRETSVRSEC)

The Retain Server Security (QRETSVRSEC) system value determines whether decryptable authentication information associated with user profiles or validation list (*VLDL) entries can be retained on the host system. This does not include the IBM® i user profile password.

The recommended value for QRETSVRSEC is 1.

Application failure will occur when QRETSVRSEC is set to 0 because many web servers, IBM i code, and applications require data that is encryptable and decryptable. When QRETSVRSEC is set to 0, storage of this encryptable and decryptable data is not allowed. QRETSVRSEC was originally implemented to provide a layer of security that is no longer necessary because of the current use of the latest level of hardware protection called Hardware Storage Protection (HSP). The internal objects that are used to store the encryptable and decryptable data are created with public authority of *EXCLUDE and are protected with latest level of HSP, which provides the strongest level of protection available on the Power® hardware. Only operating system programs can access these objects directly, users must use defined interfaces such as APIs .

If you change the value from 1 to 0, the system disables access to the authentication information. If you change the value back to 1, the system re-enables access to the authentication information.

The authentication information can be removed from the system by setting the QRETSVRSEC system value to 0 and running the Clear Server Security Data (CLRSVRSEC) command. If you have many user profiles or validation lists on your system the CLRSVRSEC command might run for an extensive period of time.

The encrypted data field of a validation list entry is typically used to store authentication information. Applications specify whether to store the encrypted data in a decryptable or non-decryptable form. If the applications choose a decryptable form and the QRETSVRSEC value is changed from 1 to 0, the encrypted data field information is not accessible from the entry. If the encrypted data field of a validation list entry is stored in a non-decryptable from, it is not affected by the QRETSVRSEC system value.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 1. Possible values for the QRETSVRSEC system value:
Value Description
0 Server security data is not retained.
1 Server security data is retained.

Recommended value: 1