System security changes

Security system value changes

The Password Level (QPWDLVL) system value will be shipped with a default value of 3 or 4 in a future release. This will affect only new system installs.

Note: Start of changeWhen the Password Level (QPWDLVL) system value is set to 4, IBM i Access Client Solutions (ACS) version or later is required to connect to that system using ACS.End of change

The System Security Level (QSECURITY) system value can no longer be set to a value of 20. If a system currently has a security level of 20, that will not change. However, if the security level is changed to a different value, then the security level cannot be changed back to 20.

When restoring system values and QSECURITY is set to 20 on the save, the QSECURITY system value will not be restored. If the QSECURITY system value is set to 20 on the system prior to the restore, it will stay at 20.

If the System Security Level (QSECURITY) system value is set to a value of 10, a user will no longer be able to sign on to the system without having a valid user profile. A user profile will no longer be created for the user name specified at sign-on.

The Retain Server Security Data (QRETSVRSEC) system value is now obsolete. The QRETSVRSEC system value no longer needs to be set to '1' to retain the security data needed by a server for authentication. This includes the Server Authentication Entry interfaces and the Validation List (*VLDL) interfaces. If the system value is set to '0', and the Clear Server Security Data (CLRSVRSEC) command is run, it will no longer clear the decryptable authentication information that is associated with user profiles and *VLDL entries. The CLRSVRSEC command will be removed in a future release. The CPF9898 INFO message,
"The CLRSVRSEC command is no longer supported because the QRETSVRSEC system value is no longer used"
is sent when the CLRSVRSEC command is run.

APPC communications jobs and commands require QPWDLVL 3 or lower when encrypted passwords are used. Beginning with IBM® i 7.5, APPC communications jobs and commands that specify a userid and password will not support QPWDLVL 4, unless support is explicitly indicated. Customers who are actively using APPC communications jobs and commands that attempt to automatically sign on with an encrypted password must NOT change to use QPWDLVL of 4.

APPC communications that do not use an encrypted password will continue to function as normal. The type of failure and how errors are reported depend on how the specific APPC function or application implements password encryption and substitution.

Examples of applications and commands likely to be affected by no support of QPWDLVL 4, are user written programs that send in passwords, and DDM files where the APPC device on the target system has SECURELOC(*VFYENCPWD) specified. An example of a command that is not supported with QPWDLVL 4 is Display Station Pass Through - STRPASTHR RMTPWD().

CRTUSRPRF command changes

The Create User Profile (CRTUSRPRF) command has been changed to use *NONE as the default value for the User Password (PASSWORD) parameter. Previously, the default value was *USRPRF, which set the password to the user profile name.

The Password Expired (PWDEXP) attribute will no longer be required to be *NO if the password is *NONE. The PWDEXP attribute will only apply if the password is not *NONE and the Local Password Management (LCLPWDMGT) attribute is *YES.

WRKUSRPRF *BASIC interface changes

Work with User Enrollment (WRKUSRPRF ASTLVL(*BASIC)) interface has been changed to use *NONE as the default value for the Password field when using the Add and Copy options.

The User field has been changed to allow a 10-character user profile name when using the Add and Copy options.

A 'Directory entry user ID' field has been added to allow specifying an 8-character user ID field that will be used as the User ID parameter on the Add Directory Entry (ADDDIRE) command call. The 10-character User field will be used as the 'User profile' (USER) parameter on the ADDDIRE command call.

DMPUSRPRF command change

The Dump User Profile (DMPUSRPRF) command will no longer dump information about the previous passwords. If there is a previous password then '********' will be dumped. If there is not a previous password, then '*BLANK' will continue to be dumped.

Password authentication message and return code changes

Interfaces that authenticate a user ID and password now send one message or return code for user profile not found and password not correct. For example, green screen sign on will send CPF1120 for user profile not found and password not correct. CPF1107 for password not correct will no longer be sent.

Change User Password (QSYCHGPW), Get Profile Handle (QSYGETPH,QsyGetProfileHandle), Generate Profile Token (QSYGENPT), and Generate ProfileToken Extended (QsyGenPrfTknE) APIs now send CPF22E2 for user profile not found and password not correct. CPF9801 or CPF2204 will no longer be sent when both the user ID and password are specified (special value for password not specified).


The data in the buffer returned from the Retrieve Encrypted User Password (QSYRUPWD) API is not compatible with previous releases. The API documentation states that the data should not be sent to a system that is at a different release or password level. If the data must be sent from an IBM i 7.5 system to an IBM i 7.4 or 7.3 system, the appropriate PTFs (7.4 = SI76821, 7.3 = SI76822) must be installed so that the Set Encrypted User Password (QSYSUPWD) and Check Encrypted User Password (QSYCUPWD) APIs can process the QSYRURPWD buffer. Without the PTFs, QSYSUPWD and QSYCUPWD will return error CPF4AB2
"Receiver variable from QSYRUPWD has been altered"

Restrict adding or removing an exit program to the password exit points

To add or remove an exit program to the QIBM_QSY_CHK_PASSWRD or QIBM_QSY_VLD_PASSWRD exit points, the ‘Allow add and remove of password exit programs’ attribute on the Display Security Attributes (DSPSECA) command must be set to *YES. The attribute can be displayed using the Display Security Attributes (DSPSECA) or Display SST Security Attributes (DSPSSTSECA) command. The attribute can be changed using the Change SST Security Attributes (CHGSSTSECA) command. The default shipped value is *YES.

IBM i NetServer LAN Manager password removed

The IBM i NetServer LAN Manager password will be removed from all user profiles when IBM i 7.5 is installed regardless of the current Password Level (QPWDLVL) system value. This password has not been supported since Windows XP, which is no longer supported by IBM i. There will no longer be a difference between password levels 0 and 1.