Change SST Security Attributes (CHGSSTSECA)
| Where allowed to run: All environments (*ALL) Threadsafe: No |
Parameters Examples Error messages |
The Change Service Tools Security Attributes (CHGSSTSECA) command changes the security attributes related to service tools functions and service tools user IDs.
Restrictions:
- You must have security administrator (*SECADM) and service (*SERVICE) special authorities.
- The requesting service tools user ID must have the Service Tool user functional privilege "Service Tools Security".
| Top |
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| REQUSRID | Requesting SST user ID | Character value | Required, Positional 1 |
| REQPWD | Requesting SST user ID pwd | Character value | Required, Positional 2 |
| SSTPWDLVL | Service tools password level | Integer, *SAME, 2, 3 |
Optional |
| MAXSGN |
Maximum sign-on attempts |
2-15, *SAME |
Optional |
| PWDEXPITV |
Password expiration interval |
1-366, *SAME, *NOMAX |
Optional |
| DUPPWDCTL |
Duplicate password control |
1-32, *SAME, *NONE |
Optional |
| SECSYSVAL | Allow security sysval changes | *SAME, *YES, *NO | Optional |
| ADDDIGCERT |
Allow add of digital certs |
*SAME, *YES, *NO |
Optional |
| SSTPWDCHG |
Allow SST password change |
*SAME, *YES, *NO |
Optional |
| PWDEXITPGM |
Add and remove pwd exit pgms |
*SAME, *YES, *NO |
Optional |
| PWDRULES | SST Password Rules | Single values: *DFT Other values: Element list |
Optional |
| Element 1: Limit profile name | *SAME, *YES, *NO | ||
| Element 2: Hours to block password change | 1-99, *SAME, *NONE | ||
| Element 3: Minimum password length | 1-128, *SAME | ||
| Element 4: Maximum password length | 1-128, *SAME | ||
| Element 5: Use chars from three groups | *SAME, *YES, *NO | ||
| Element 6: Limit adjacent characters | *SAME, *YES, *NO | ||
| Element 7: Limit repeating characters | *SAME, *YES, *NO | ||
| Element 8: Limit characters same position | *SAME, *YES, *NO | ||
| Element 9: Minimum digits | 1-9, *SAME, *NONE | ||
| Element 10: Maximum digits | 0-9, *SAME, *NOMAX | ||
| Element 11: Limit adjacent digits | *SAME, *YES, *NO | ||
| Element 12: Limit digit first position | *SAME, *YES, *NO | ||
| Element 13: Limit digit last position | *SAME, *YES, *NO | ||
| Element 14: Minimum letters | 1-9, *SAME, *NONE | ||
| Element 15: Maximum letters | 0-9, *SAME, *NOMAX | ||
| Element 16: Limit adjacent letters | *SAME, *YES, *NO | ||
| Element 17: Limit letter first position | *SAME, *YES, *NO | ||
| Element 18: Limit letter last position | *SAME, *YES, *NO | ||
| Element 19: Number of mixed case letters | 1-9, *SAME, *NONE | ||
| Element 20: Minimum special characters | 1-9, *SAME, *NONE | ||
| Element 21: Maximum special characters | 0-9, *SAME, *NOMAX | ||
| Element 22: Limit adjacent special chars | *SAME, *YES, *NO | ||
| Element 23: Limit special char first pos | *SAME, *YES, *NO | ||
| Element 24: Limit special char last pos | *SAME, *YES, *NO |
| Top |
Requesting SST user ID (REQUSRID)
The service tools user ID that will be used to make the specified changes. This user ID must have the Service Tool user functional privilege "Service Tools Security".
This is a required parameter.
| Top |
Requesting SST user ID pwd (REQPWD)
The password for the requesting service tools user ID.
This is a required parameter.
| Top |
Service tools password level (SSTPWDLVL)
Specifies the password level for service tools user ID passwords. The password level change does not take effect until a user creates or changes a password. For more information on the service tools password level see the Security Service Tools topic in the IBM i Information Center at http://www.ibm.com/systems/i/infocenter/.
Note: The password level cannot be changed from a higher level back to a lower level.
- *SAME
- The value does not change.
- 2
- The service tools password level is set to 2.
- 3
- The service tools password level is set to 3.
| Top |
Maximum sign-on attempts (MAXSGN)
Specifies the maximum number of sign-on attempts a service tools user ID is allowed. The shipped value is 3.
- *SAME
- The value does not change.
- 2-15
- The maximum number of sign-on attempts allowed.
| Top |
Password expiration interval (PWDEXPITV)
Specifies the password expiration interval for a service tools user ID, in days. The shipped value is 180 days.
- *SAME
- The value does not change.
- *NOMAX
- The password does not expire.
- 1-366
- The number of days between the date when a service tools user ID password is changed and the date when the password expires.
| Top |
Duplicate password control (DUPPWDCTL)
Specifies the number of previous passwords that must not be duplicated before a password is allowed to be used again. The shipped value is 18.
- *SAME
- The value does not change.
- *NONE
- No duplicate checking is performed.
- 1-32
- The number of previous passwords checked.
| Top |
Allow security sysval changes (SECSYSVAL)
Allow the security-related system values to be changed.
Security-related system values:
- QALWJOBITP
- QALWOBJRST
- QALWUSRDMN
- QAUDCTL
- QAUDENACN
- QAUDFRCLVL
- QAUDLVL
- QAUDLVL2
- QAUTOCFG
- QAUTORMT
- QAUTOVRT
- QCRTAUT
- QCRTOBJAUD
- QDEVRCYACN
- QDSCJOBITV
- QDSPSGNINF
- QFRCCVNRST
- QINACTMSGQ
- QLMTDEVSSN
- QLMTSECOFR
- QMAXSGNACN
- QMAXSIGN
- QPWDCHGBLK
- QPWDEXPITV
- QPWDEXPWRN
- QPWDLMTAJC
- QPWDLMTCHR
- QPWDLMTREP
- QPWDLVL
- QPWDMAXLEN
- QPWDMINLEN
- QPWDPOSDIF
- QPWDRQDDGT
- QPWDRQDDIF
- QPWDRULES
- QPWDVLDPGM
- QRETSVRSEC
- QRMTSIGN
- QRMTSRVATR
- QSCANFS
- QSCANFSCTL
- QSECURITY
- QSHRMEMCTL
- QSSLCSL
- QSSLCSLCTL
- QSSLPCL
- QUSEADPAUT
- QVFYOBJRST
- *SAME
- The value does not change.
- *YES
- The security-related system values may be changed using the Change System Value (CHGSYSVAL) command. This is the shipped value.
- *NO
- The security-related system values may not be changed. The CHGSYSVAL command will not allow these system values to change and sends message CPF18C0.
| Top |
Allow add of digital certs (ADDDIGCERT)
Allow add of digital certificates.
- *SAME
- The value does not change.
- *YES
- Digital certificates can be added to a certificate store using the Add Verifier (QYDOADDV) API and the password for a certificate store can be reset using Digital Certificate Manager (DCM).
- *NO
- Digital certificates cannot be added to a certificate store and the password for a certificate store cannot be reset using DCM.
| Top |
Allow SST password change (SSTPWDCHG)
Allow SST password change.
- *SAME
- The value does not change.
- *YES
- A system service tools (SST) user ID with a default password that is expired can change its own password using the Change Service Tools User ID (QSYCHGDS) API, Change Service Tools User ID (CHGSSTUSR) command, or the SST change password support.
- *NO
- A system service tools (SST) user ID with a default password that is expired cannot change its own password.
| Top |
Add and remove pwd exit pgms (PWDEXITPGM)
Allow exit programs to be added to and removed from the password exit points.
- *SAME
- The value does not change.
- *YES
- New exit programs may be added to the QIBM_QSY_CHK_PASSWRD and QIBM_QSY_VLD_PASSWRD exit points using the Add Exit Program (ADDEXITPGM) command or the Add Exit Program (QUSADDEP, QusAddExitProgram) API, and existing exit programs can be removed from the exit points using the Remove Exit Program (RMVEXITPGM) command or the Remove Exit Program (QUSRMVEP, QusRemoveExitProgram) API. This is the shipped value.
- *NO
- New exit programs may not be added to the QIBM_QSY_CHK_PASSWRD and QIBM_QSY_VLD_PASSWRD exit points, and existing exit programs may not be removed from the exit points.
| Top |
SST Password Rules (PWDRULES)
Specifies the rules used to check whether a service tools user password is formed correctly. Changes to these rules take effect the next time a password is changed unless a specific rule indicates otherwise. The password rules are only enforced when the service tools password level is 2.
Single value
- *DFT
- Set all the password rules to the shipped values.
Element 1: Limit profile name
The uppercase password value may not contain the complete user profile name in consecutive positions.
- *SAME
- The value does not change.
- *YES
- The uppercase password value may not contain the complete profile name.
- *NO
- The uppercase password value may contain the complete user profile name. This is the shipped value.
Element 2: Hours to block password change
The number of hours a user must wait after a prior successful password change before they can change the password again. Change takes effect immediately.
- *SAME
- The value does not change.
- *NONE
- There is no restriction on how frequently a user can change a password. This is the shipped value.
- 1-99
- The number of hours a user must wait after a prior successful password change before they can change the password again.
Element 3: Minimum password length
The minimum number of characters in a password.
If a Maximum password length value is also specified, the Maximum password length value must be greater than or equal to the Minimum password length value.
- *SAME
- The value does not change.
- 1-128
- The minimum number of characters in a password. The shipped value is 6.
Element 4: Maximum password length
The maximum number of characters in a password.
The Maximum password length value must be large enough to accommodate the values specified for Number of mixed case characters, Maximum digits, Maximum letters, Maximum special characters, first and last character restrictions, and non-adjacent character requirements.
If a Minimum password length value is also specified, the Maximum password length value must be greater than or equal to the Minimum password length value.
- *SAME
- The value does not change.
- 1-128
- The maximum number of characters in a password. The shipped value is 128.
Element 5: Use chars from three groups
The password must contain characters from at least three of the following four types of characters.
- Uppercase letters
- Lowercase letters
- Digits
- Special characters
- *SAME
- The value does not change.
- *YES
- The password must contain characters from at least three of the groups.
- *NO
- The password does not need to contain characters from at least three of the groups. This is the shipped value.
Element 6: Limit adjacent characters
The password may not contain 2 or more occurrences of the same character that are positioned adjacent (consecutive) to each other. This value cannot be *YES if Limit repeating characters is *YES.
- *SAME
- The value does not change.
- *YES
- The password may not contain the same character positioned adjacent to each other.
- *NO
- The password may contain the same character positioned adjacent to each other. This is the shipped value.
Element 7: Limit repeating characters
The password may not contain 2 or more occurrences of the same character. This value cannot be *YES if Limit adjacent characters is *YES.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more occurrences of the same character.
- *NO
- The password may contain 2 or more occurrences of the same character. This is the shipped value.
Element 8: Limit characters same position
The new password may not use the same character in a position corresponding to the same position in the current password. This value is only enforced when a user is changing their own password.
- *SAME
- The value does not change.
- *YES
- The new password may not use the same character in a position corresponding to the same position in the current password.
- *NO
- The new password may use the same character in a position corresponding to the same position in the current password. This is the shipped value.
Element 9: Minimum digits
Specifies the minimum number of digit characters that must occur in the password. If this value is not *NONE, the Maximum digits value must be *NOMAX or greater than or equal to the Minimum digits value.
- *SAME
- The value does not change.
- *NONE
- No digits are required in a password. This is the shipped value.
- 1-9
- The minimum number of digits required in a password. Specifying 1 means that at least 1 digit is required in the password. Specifying 3 means that at least 3 digits are required in the password.
Element 10: Maximum digits
Specifies the maximum number of digit characters that may occur in the password. If Minimum digits value is not *NONE, the Maximum digits value must be *NOMAX or greater than or equal to the Minimum digits value.
- *SAME
- The value does not change.
- *NOMAX
- Any number of digits are allowed in a password. This is the shipped value.
- 0-9
- The maximum number of digits allowed in a password. Specifying 0 means no digits are allowed in the password. Specifying 3 means that 3 or fewer digits are allowed in the password.
Element 11: Limit adjacent digits
The password may not contain 2 or more adjacent (consecutive) digit characters.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more adjacent digits.
- *NO
- The password may contain 2 or more adjacent digits. This is the shipped value.
Element 12: Limit digit first position
The first character of the password may not be a digit character. This value cannot be *YES if Limit letter first position is *YES and Limit special character first position is *YES.
- *SAME
- The value does not change.
- *YES
- The first character of the password may not be a digit.
- *NO
- The first character of the password may be a digit. This is the shipped value.
Element 13: Limit digit last position
The last character of the password may not be a digit character. This value cannot be *YES if Limit letter last position is *YES and Limit special character last position is *YES.
- *SAME
- The value does not change.
- *YES
- The last character of the password may not be a digit.
- *NO
- The last character of the password may be a digit. This is the shipped value.
Element 14: Minimum letters
Specifies the minimum number of letter characters that must occur in the password. If this value is not *NONE, the Maximum letters value must be *NOMAX or greater than or equal to the Minimum letters value.
- *SAME
- The value does not change.
- *NONE
- No letters are required in a password. This is the shipped value.
- 1-9
- The minimum number of letters required in a password. Specifying 1 means that at least 1 letter is required in the password. Specifying 3 means that at least 3 letters are required in the password.
Element 15: Maximum letters
Specifies the maximum number of letter characters that may occur in the password. If Minimum letters value is not *NONE, the Maximum letters value must be *NOMAX or greater than or equal to the Minimum letters value.
- *SAME
- The value does not change.
- *NOMAX
- Any number of letters are allowed in a password. This is the shipped value.
- 0-9
- The maximum number of letters allowed in a password. Specifying 0 means no letters are allowed in the password. Specifying 3 means that 3 or fewer letters are allowed in the password.
Element 16: Limit adjacent letters
The password may not contain 2 or more adjacent (consecutive) letter characters.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more adjacent letters.
- *NO
- The password may contain 2 or more adjacent letters. This is the shipped value.
Element 17: Limit letter first position
The first character of the password may not be a letter character. This value cannot be *YES if Limit digit first position is *YES and Limit special character first position is *YES.
- *SAME
- The value does not change.
- *YES
- The first character of the password may not be a letter.
- *NO
- The first character of the password may be a letter. This is the shipped value.
Element 18: Limit letter last position
The last character of the password may not be a letter character. This value cannot be *YES if Limit digit last position is *YES and Limit special character last position is *YES.
- *SAME
- The value does not change.
- *YES
- The last character of the password may not be a letter.
- *NO
- The last character of the password may be a letter. This is the shipped value.
Element 19: Number of mixed case letters
The password must contain at least the specified number of uppercase letters and at least the specified number of lowercase letters.
If this value is not *NONE, the Maximum letters value must be *NONE or greater than or equal to two times the value specified for the Number of mixed case letters.
- *SAME
- The value does not change.
- *NONE
- Mixed case letters are not required in a password. This is the shipped value.
- 1-9
- The number of mixed case letters required in a password. Specifying 2 means that at least 2 uppercase letters and 2 lowercase letters are required in the password.
Element 20: Minimum special characters
Specifies the minimum number of special characters that must occur in the password. If this value is not *NONE, the Maximum special characters value must be *NOMAX or greater than or equal to the Minimum special characters value.
- *SAME
- The value does not change.
- *NONE
- No special characters are required in a password. This is the shipped value.
- 1-9
- The minimum number of special characters required in a password. Specifying 1 means that at least 1 special character is required in the password. Specifying 3 means that at least 3 special characters are required in the password.
Element 21: Maximum special characters
Specifies the maximum number of special characters that may occur in the password. If Minimum special characters value is not *NONE, the Maximum special characters value must be *NOMAX or greater than or equal to the Minimum special characters value.
- *SAME
- The value does not change.
- *NOMAX
- Any number of special characters are allowed in a password. This is the shipped value.
- 0-9
- The maximum number of special characters allowed in a password. Specifying 0 means no special characters are allowed in the password. Specifying 3 means that 3 or fewer special characters are allowed in the password.
Element 22: Limit adjacent special chars
The password may not contain 2 or more adjacent (consecutive) special characters.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more adjacent special characters.
- *NO
- The password may contain 2 or more adjacent special characters. This is the shipped value.
Element 23: Limit special char first pos
The first character of the password may not be a special character. This value cannot be *YES if Limit digit first position is *YES and Limit letter first position is *YES.
- *SAME
- The value does not change.
- *YES
- The first character of the password may not be a special character.
- *NO
- The first character of the password may be a special character. This is the shipped value.
Element 24: Limit special char last pos
The last character of the password may not be a special character. This value cannot be *YES if Limit digit last position is *YES and Limit letter last position is *YES.
- *SAME
- The value does not change.
- *YES
- The last character of the password may not be a special character.
- *NO
- The last character of the password may be a special character. This is the shipped value.
| Top |
Examples
Example 1: Set service tools password rules to the shipped values
CHGSSTSECA REQUSRID(SSTUSR) REQPWD(SSTPWD) PWDRULES(*DFT)
This command sets all the SST password rules to the shipped values.
Example 2: Control changing of security-related system values
CHGSSTSECA REQUSRID(SSTUSR) REQPWD(SSTPWD) SECSYSVAL(*NO)
This command will not allow the Change System Value (CHGSYSVAL) command to be used to change the security-related system values.
| Top |
Error messages
*ESCAPE Messages
- CPF222E
- &1 special authority is required.
- CPF225C
- Requesting service tools ID not found or not correct.
- CPF225D
- Requesting service tools ID password not correct.
- CPF4AD0
- SST password rules cannot be changed.
- CPF4AD1
- Service tools password level &1 not correct.
- CPF4AD3
- Error changing SST password rules. Reason code &1.
- CPF4AD4
- Error changing SST password rules. Reason code &1.
- CPF4ADF
- SST security attributes not changed. Reason code &1.
| Top |