Changing QPWDLVL to a lower password level
Returning to a lower QPWDLVL value, while possible, is not expected to be a completely painless operation. In general, the mindset should be that this is a one-way trip from lower QPWDLVL values to higher QPWDLVL values. However, there might be cases where a lower QPWDLVL value must be reinstated.
A change to the QPWDLVL system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command.
Considerations for changing from QPWDLVL 4 to 1 or 0
Because of the very high potential for causing problems for the system (for example, no one being able to sign on because all of the password level 0 and 1 passwords have been cleared), this change is not supported directly. To change from QPWDLVL 4 to QPWDLVL 1 or 0, the system must first make the intermediary change to QPWDLVL 2.
Considerations for changing from QPWDLVL 4 to 3 or 2
Because the password level 2 and 3 passwords are cleared when QPWDLVL is changed to 4, a password level 2 and 3 password will need to be created for user profiles after the change to password level 2 or 3.
Any client that uses password substitution will not work correctly after the change to password level 2 or 3 until a password level 2 and 3 password is created for the user profile.
- Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). The user profile will be able to sign on to a password level 3 or 2 system using their password level 4 password. Any password that is valid for password level 4 will be valid for password level 2 or 3.
- Change the password for a user profile using the CHGUSRPRF command or the QSYCHGPW API.
Considerations for changing from QPWDLVL 3 to 2
This change is relatively easy. After the QPWDLVL is set to 2, the administrator needs to determine if any user profile is required to have password level 0 or 1 passwords and, if so, change the password of the user profile to an allowable value.
Additionally, the password system values might need to be changed back to values compatible with password level 0 or 1 passwords, if those passwords are needed.
Considerations for changing from QPWDLVL 3 to 1 or 0
Because of the very high potential for causing problems for the system (for example, no one being able to sign on because all of the password level 0 and 1 passwords have been cleared), this change is not supported directly. To change from QPWDLVL 3 to QPWDLVL 1 or 0, the system must first make the intermediary change to QPWDLVL 2.
Considerations for changing from QPWDLVL 2 to 1 or 0
- The Display Authorized Users (DSPAUTUSR) command.
- The Print User Profile (PRTUSRPRF) command with parameter TYPE(*PWDLVL).
- The QSYS2.USER_INFO view using this query: SELECT * FROM QSYS2.USER_INFO WHERE PASSWORD_LEVEL_0_1 <> 'YES'
- Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This causes the system to change the password that is usable at password levels 2 and 3; and the system also creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the following conditions are met:
- The password is 10 characters or less in length.
- The password can be converted to uppercase EBCDIC characters A-Z, 0-9, @, #, $, and underline.
- The password does not begin with a numeric or underline character.
For example, changing the password to a value of RainyDay can result in the system generating a password level 0 and 1 password of RAINYDAY. But changing the password value to Rainy Days In April can cause the system to clear the password level 0 and 1 password (because the password is too long and it contains blanks).
No message or indication is produced if the password level 0 or 1 password cannot be created.
- Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 0 and 1, the system creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the conditions listed above are met.
The administrator can then change QPWDLVL to 1.
Password level 4 passwords are removed from all user profiles when the password level is changed from 2 to 1 or 0.
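Because no message is produced when the password level 0 and 1 password cannot be created, the three conditions listed above can be checked before a password is set. The following Python sketch is an added example, not IBM code: the function names are hypothetical, the sample values are constructed (two are taken from the example above), and it assumes that only unaccented a-z convert to uppercase, since the real conversion depends on the system's CCSID.

```python
from typing import List, Optional, Tuple

# Characters the conditions above allow in a password level 0 and 1 password.
ALLOWED = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$_")
MAX_LENGTH = 10


def _fold_ascii(password: str) -> str:
    # Assumption: only a-z fold to A-Z. Other characters are left unchanged
    # and are then rejected by the character-set check.
    return "".join(c.upper() if "a" <= c <= "z" else c for c in password)


def level_0_1_equivalent(password: str) -> Tuple[Optional[str], List[str]]:
    """Return (equivalent, []) when all conditions hold, else (None, reasons)."""
    if not password:
        return None, ["password is empty"]
    reasons = []
    folded = _fold_ascii(password)
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    bad = sorted({c for c in folded if c not in ALLOWED})
    if bad:
        reasons.append("characters outside A-Z, 0-9, @, #, $, underline: "
                       + repr("".join(bad)))
    if folded[0] in "0123456789_":
        reasons.append("begins with a numeric or underline character")
    return (None, reasons) if reasons else (folded, [])


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    for candidate in ["RainyDay", "Rainy Days In April", "9lives", "p@ss#1$"]:
        equivalent, why = level_0_1_equivalent(candidate)
        if equivalent is not None:
            print(f"{candidate!r}: level 0/1 equivalent would be {equivalent!r}")
        else:
            print(f"{candidate!r}: level 0/1 password would be cleared ("
                  + "; ".join(why) + ")")
```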
Considerations for changing from QPWDLVL 1 to 0
Password levels 0 and 1 are the same. There is no need to change from password level 1 to 0.