Recommendations for managing service tools user IDs

Here are the recommendations to ensure the security of your service tools user IDs.

Creating your own version of the QSECOFR service tools user ID

Do not use the IBM-supplied service tools user ID QSECOFR. Instead, review what functional privileges are given to QSECOFR and create a duplicate user ID with a different name that has the same functional privileges. Use this new user ID to manage your other service tools user IDs. This can help eliminate the security exposure that originates because QSECOFR is the value included in every system and is commonly known.
Attention: Do not leave the QSECOFR service tools user ID and password set to the default value. This is a security exposure because this is the value included in every system and is commonly known.

Service tools security functional privilege

The Service tools security functional privilege is the privilege that allows a service tools user ID to create and manage other service tools user IDs. Because this is a powerful privilege, only your QSECOFR-equivalent service tools user ID should be given this privilege. Give careful consideration to whom you grant this functional privilege.

Backup user ID for console connections

System administrators using the operations console (LAN console) should consider creating a backup service tools user ID with limited or no functional privileges and with multi-factor authentication disabled for that user ID. This allows the administrator to connect the operations console more easily during disaster recovery, or when a system clock timestamp problem prevents TOTP authentication. Because it has limited functional privileges, this user ID can only connect a new console session and cannot perform any service tools functions.

Special user ID for licensed internal code install recovery

System administrators who have configured MFA for all service tools user IDs should consider creating a special service tools user ID with MFA disabled to perform a D-mode IPL for installing a system save from media. The D-mode install screen requires a user ID and password, plus a TOTP factor for any user ID in that system save media that has MFA enabled. The TOTP factor requires a valid time clock in the partition on which you are performing the recovery restore. It is suggested that you create an "install recovery" service tools user ID with MFA disabled on the system save. This allows you to recover in cases where the system clock is not accurate or not initialized. This user ID can be given a limited number of functional privileges.

Service tools multi-factor authentication (MFA)

Multi-factor authentication (MFA) is an optional security feature that introduces a time-based one-time password (TOTP) credential factor when authenticating during the service tools sign-on process. MFA is a security best practice that can help prevent unauthorized access to service tools, even if a password is compromised. Refer to the service tools multi-factor authentication concept and introduction.
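To make the clock dependency behind the install-recovery and backup user ID recommendations concrete, here is an added Python example (not IBM code, and not how the service tools sign-on is implemented) that computes RFC 6238 TOTP codes, verifies them with a one-step tolerance, and models a D-mode sign-on for an MFA-enabled ID versus an ID with MFA disabled. The secret is the public RFC 6238 test key and the timestamps are constructed.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference test key (ASCII "12345678901234567890"); a real secret is random and per user.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int,
                step: int = TIME_STEP, skew_steps: int = 1) -> bool:
    """Accept the code for the server's current step or any step within +/- skew_steps."""
    current = server_time // step
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew_steps, skew_steps + 1) if current + d >= 0)


def recovery_sign_on(secret: bytes, token_time: int, partition_time: int, mfa_enabled: bool) -> bool:
    """Constructed model of the D-mode sign-on, after the password check has passed:
    an MFA-enabled ID needs a TOTP that the partition clock agrees with;
    an ID with MFA disabled (the install-recovery ID) does not depend on the clock at all."""
    if not mfa_enabled:
        return True
    code = totp(secret, token_time)  # what the administrator's authenticator app shows
    return verify_totp(secret, code, partition_time)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "true" time on the administrator's authenticator device
    print("clock correct, MFA ID:", recovery_sign_on(DEMO_SECRET, now, now, True))            # True
    print("clock 45 s slow, MFA ID:", recovery_sign_on(DEMO_SECRET, now, now - 45, True))     # True
    print("clock uninitialized, MFA ID:", recovery_sign_on(DEMO_SECRET, now, 0, True))        # False
    print("clock uninitialized, recovery ID:", recovery_sign_on(DEMO_SECRET, now, 0, False))  # True
```

The third case is the failure the recommendation guards against: with the partition clock reset, no code the authenticator produces falls inside the accepted window, so only the ID without MFA can sign on.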