System security changes
Security system value changes
The Password Level (QPWDLVL) system value will be shipped with a default value of 3 or 4 in a future release. This will affect only new system installs.
The System Security Level (QSECURITY) system value can no longer be set to a value of 20. If a system currently has a security level of 20, that will not change. However, if the security level is changed to a different value, then the security level cannot be changed back to 20.
When restoring system values and QSECURITY is set to 20 on the save, the QSECURITY system value will not be restored. If the QSECURITY system value is set to 20 on the system prior to the restore, it will stay at 20.
If the System Security Level (QSECURITY) system value is set to a value of 10, a user will no longer be able to sign on to the system without having a valid user profile. A user profile will no longer be created for the user name specified at sign-on.
The message "The CLRSVRSEC command is no longer supported because the QRETSVRSEC system value is no longer used" is sent when the CLRSVRSEC command is run.
APPC communications jobs and commands require QPWDLVL 3 or lower when encrypted passwords are used. Beginning with IBM® i 7.5, APPC communications jobs and commands that specify a userid and password will not support QPWDLVL 4, unless support is explicitly indicated. Customers who are actively using APPC communications jobs and commands that attempt to automatically sign on with an encrypted password must NOT change to use QPWDLVL of 4.
APPC communications that do not use an encrypted password will continue to function as normal. The type of failure and how errors are reported depend on how the specific APPC function or application implements password encryption and substitution.
Examples of applications and commands likely to be affected by the lack of QPWDLVL 4 support are user-written programs that send in passwords, and DDM files where the APPC device on the target system has SECURELOC(*VFYENCPWD) specified. An example of a command that is not supported with QPWDLVL 4 is Display Station Pass-Through - STRPASTHR RMTPWD().
CRTUSRPRF command changes
The Create User Profile (CRTUSRPRF) command has been changed to use *NONE as the default value for the User Password (PASSWORD) parameter. Previously, the default value was *USRPRF, which set the password to the user profile name.
The Password Expired (PWDEXP) attribute will no longer be required to be *NO if the password is *NONE. The PWDEXP attribute will only apply if the password is not *NONE and the Local Password Management (LCLPWDMGT) attribute is *YES.
WRKUSRPRF *BASIC interface changes
The Work with User Enrollment (WRKUSRPRF ASTLVL(*BASIC)) interface has been changed to use *NONE as the default value for the Password field when using the Add and Copy options.
The User field has been changed to allow a 10-character user profile name when using the Add and Copy options.
A 'Directory entry user ID' field has been added to allow specifying an 8-character user ID field that will be used as the User ID parameter on the Add Directory Entry (ADDDIRE) command call. The 10-character User field will be used as the 'User profile' (USER) parameter on the ADDDIRE command call.
DMPUSRPRF command change
The Dump User Profile (DMPUSRPRF) command will no longer dump information about the previous passwords. If there is a previous password, then '********' will be dumped. If there is no previous password, then '*BLANK' will continue to be dumped.
Password authentication message and return code changes
Interfaces that authenticate a user ID and password now send a single message or return code for both a user profile that is not found and a password that is not correct. For example, green-screen sign-on will send CPF1120 for both user profile not found and password not correct. CPF1107 for password not correct will no longer be sent.
Change User Password (QSYCHGPW), Get Profile Handle (QSYGETPH, QsyGetProfileHandle), Generate Profile Token (QSYGENPT), and Generate Profile Token Extended (QsyGenPrfTknE) APIs now send CPF22E2 for both user profile not found and password not correct. CPF9801 or CPF2204 will no longer be sent when both the user ID and password are specified (special value for password not specified).
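The following CL program is an added example, not code from the IBM page: it authenticates a user ID and password through QSYGETPH and handles the single CPF22E2 escape message described above, so the caller reports one generic failure instead of revealing whether the profile exists. It assumes the documented QSYGETPH and QSYRLSPH parameter lists and a job CCSID suitable for the password (the -1 CCSID value means use the job default).

```cl
/* Added example (not from the IBM page): validate credentials with  */
/* QSYGETPH. Since IBM i 7.5 the API sends CPF22E2 for both "user    */
/* profile not found" and "password not correct", so a caller must    */
/* treat them as one case and must not try to tell them apart.        */
PGM        PARM(&USER &PWD &RESULT)
DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
DCL        VAR(&PWD)    TYPE(*CHAR) LEN(128)    /* up to 128 at QPWDLVL 2+ */
DCL        VAR(&RESULT) TYPE(*CHAR) LEN(1)      /* 'Y' = authenticated */
DCL        VAR(&HANDLE) TYPE(*CHAR) LEN(12)     /* profile handle output */
DCL        VAR(&PWDLEN) TYPE(*INT)  LEN(4)      /* actual password length */
DCL        VAR(&CCSID)  TYPE(*INT)  LEN(4) VALUE(-1) /* -1 = job CCSID */
/* Error code with "bytes provided" = 0: the API signals failures as */
/* escape messages, which the MONMSG commands below intercept.        */
DCL        VAR(&ERRCDE) TYPE(*CHAR) LEN(8) VALUE(X'0000000000000000')

CHGVAR     VAR(&RESULT) VALUE('N')
/* Pass the real length so case and length are preserved at QPWDLVL 2/3 */
CHGVAR     VAR(&PWDLEN) VALUE(%LEN(%TRIMR(&PWD)))

CALL       PGM(QSYS/QSYGETPH) PARM(&USER &PWD &HANDLE &ERRCDE +
                                    &PWDLEN &CCSID)
/* Unknown profile and wrong password arrive as the same message.    */
/* Log one generic event; do not branch on which condition it was.   */
MONMSG     MSGID(CPF22E2) EXEC(DO)
    SNDPGMMSG  MSG('Authentication failed for user' *BCAT &USER) +
                 TOPGMQ(*EXT)
    RETURN
ENDDO
/* Any other escape (disabled profile, expired password, bad length) */
/* is also reported as a plain failure to the caller.                */
MONMSG     MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG  MSG('Authentication not possible for user' *BCAT &USER) +
                 TOPGMQ(*EXT)
    RETURN
ENDDO

/* Success: the handle is valid. Release it once it is no longer     */
/* needed so it cannot be reused by later code in the same job.      */
CHGVAR     VAR(&RESULT) VALUE('Y')
CALL       PGM(QSYS/QSYRLSPH) PARM(&HANDLE)
ENDPGM
```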
QSYRUPWD, QSYSUPWD, and QSYCUPWD API changes
"Receiver variable from QSYRUPWD has been altered"
Restrict adding or removing an exit program to the password exit points
To add or remove an exit program to the QIBM_QSY_CHK_PASSWRD or QIBM_QSY_VLD_PASSWRD exit points, the 'Allow add and remove of password exit programs' attribute on the Display Security Attributes (DSPSECA) command must be set to *YES. The attribute can be displayed using the Display Security Attributes (DSPSECA) or Display SST Security Attributes (DSPSSTSECA) command. The attribute can be changed using the Change SST Security Attributes (CHGSSTSECA) command. The default shipped value is *YES.
IBM i NetServer LAN Manager password removed
The IBM i NetServer LAN Manager password will be removed from all user profiles when IBM i 7.5 is installed regardless of the current Password Level (QPWDLVL) system value. This password has not been supported since Windows XP, which is no longer supported by IBM i. There will no longer be a difference between password levels 0 and 1.