Changing known passwords
To keep your system secure, change the known passwords for user profiles and dedicated service tools.
- Make sure that no user profiles still have default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command.
- Try to sign on to your system with the combinations of user profiles and passwords that are shown in Table 1. These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended value.
- Start the Dedicated Service Tools (DST) and try to sign on with the passwords that are shown in Table 2.
- If you can sign on to DST with any of these passwords, you should change the passwords.
- Make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try several different displays. If you can sign on without entering information on the Sign On display, complete one of these steps:
  - Change to security level 40 or 50 (QSECURITY system value). Remember, your applications might run differently when you increase your security level to 40 or 50.
  - Change all of the workstation entries for interactive subsystems to point to job descriptions that specify USER(*RQD).
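
The checks and changes in this list, written as CL commands. This is an added example and not part of the original page. The subsystem name QINTER and the job description MYLIB/MYJOBD are assumptions, and `<new-password>` is a placeholder.

```cl
/* 1. Report user profiles whose password equals the profile name.   */
/*    ACTION(*NONE) prints the report without changing any profile.  */
ANZDFTPWD ACTION(*NONE)

/* 2. Apply the Table 1 recommended value to the IBM-supplied        */
/*    profiles whose published password equals the profile name.     */
CHGUSRPRF USRPRF(QSYSOPR) PASSWORD(*NONE)
CHGUSRPRF USRPRF(QPGMR)   PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRV)    PASSWORD(*NONE)
CHGUSRPRF USRPRF(QSRVBAS) PASSWORD(*NONE)
/* Table 1 attaches an additional note to QUSER; review it first.    */
CHGUSRPRF USRPRF(QUSER)   PASSWORD(*NONE)

/* 3. QSECOFR keeps a password: set a nontrivial value known only    */
/*    to the security administrator (placeholder shown here).        */
CHGUSRPRF USRPRF(QSECOFR) PASSWORD(<new-password>)

/* 4. Sign-on with Enter only, option A: raise the security level.   */
/*    Display the current value first; a change to QSECURITY takes   */
/*    effect at the next IPL.                                        */
DSPSYSVAL SYSVAL(QSECURITY)
CHGSYSVAL SYSVAL(QSECURITY) VALUE('40')

/* 5. Sign-on with Enter only, option B: find the job descriptions   */
/*    named by the workstation entries of an interactive subsystem   */
/*    (QINTER assumed), then require a user ID on each of them.      */
DSPSBSD SBSD(QSYS/QINTER)
CHGJOBD JOBD(MYLIB/MYJOBD) USER(*RQD)
```

The DST passwords in Table 2 are not covered by these commands; they are checked and changed from the DST or SST displays.
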
User ID | Password | Recommended value |
---|---|---|
QSECOFR | QSECOFR¹ | A nontrivial value known only to the security administrator. Write down the password that you have selected and store it in a safe place. |
QSYSOPR | QSYSOPR | *NONE² |
QPGMR | QPGMR | *NONE² |
QUSER | QUSER | *NONE² ³ |
QSRV | QSRV | *NONE² |
QSRVBAS | QSRVBAS | *NONE² |
Note:
DST Level | User ID¹ | Password | Recommended Value |
---|---|---|---|
Basic capability | 11111111 | 11111111 | A nontrivial value known only to the security administrator.² |
Full capability | 22222222 | 22222222³ | A nontrivial value known only to the security administrator.² |
Security capability | QSECOFR | QSECOFR³ | A nontrivial value known only to the security administrator.² |
Service capability | QSRV | QSRV³ | A nontrivial value known only to the security administrator.² |
Note:
Using system service tools to change passwords
You also can use system service tools (SST) instead of dedicated service tools (DST) to change passwords.
You can manage and create service tools user IDs from system service tools (SST) by selecting option 8 (Work with service tools user IDs) from the main SST display. You no longer need to go into DST to reset passwords, grant or revoke privileges, or create service tools user IDs.
The server is shipped with limited ability to change default and expired passwords. This means that you cannot change service tools user IDs that have default and expired passwords through the Change Service Tools User ID (QSYCHGDS) API, nor can you change their passwords through SST. You can only change a service tools user ID with a default and expired password through DST. You can change the setting to allow default and expired passwords to be changed. Also, you can use the new Start service tools (STRSST) privilege to create a service tools user ID that can access DST, but can be restricted from accessing SST.
Changing passwords for IBM-supplied user profiles
If you need to sign on with one of the IBM-supplied profiles, you can change the password using the CHGUSRPRF command. You can also change these passwords using an option from the SETUP menu.