Planning password level changes

Changing password levels should be planned carefully. Operations with other systems might fail or users might not be able to sign on to the system if you haven't planned for the password level change adequately.

Before changing the QPWDLVL system value, make sure that you have saved your security data using the SAVSECDTA or SAVSYS command. If you have a current backup, you will be able to reset the passwords for all users' profiles, even if you need to return to a lower password level.

Products that you use on the system, and on clients with which the system interfaces, might have problems when the password level (QPWDLVL) system value is set to 2 or 3. Any product or client that sends passwords to the system in an encrypted form, rather than in the clear text that a user enters on a sign-on screen, must be upgraded to work with the password encryption rules for QPWDLVL 2 or 3. Sending the encrypted password is known as password substitution. Password substitution is used to prevent a password from being captured during transmission over a network. Password substitutes generated by older clients that do not support the algorithm for QPWDLVL 2 or 3 will not be accepted, even if the specific characters typed in are correct. This also applies to any IBM® i to IBM i peer access that uses the encrypted values to authenticate from one system to another.
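The following is an added example, not IBM code, that models why a correct password is still rejected when the client and the system derive the password substitute with different algorithms. The derivation functions, class, user name and password are constructed for illustration and are generic stand-ins, not the algorithms IBM i uses at any QPWDLVL.

```python
import hashlib, hmac, os

# Simplified model only: both derivations are generic stand-ins chosen so
# that "older" and "newer" clients differ. Neither is an IBM i algorithm.
def token_old(user, password):
    # Stand-in for the derivation an older, not yet upgraded client uses.
    return hashlib.sha1((user.upper() + password).encode()).digest()

def token_new(user, password):
    # Stand-in for the derivation the system expects after the level change.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user.upper().encode(), 10_000)

def substitute(token, server_seed, client_seed):
    # The value sent over the network in place of the password itself.
    return hmac.new(token, server_seed + client_seed, hashlib.sha256).digest()

class Server:
    def __init__(self, derive):
        self.derive = derive      # derivation tied to the configured level
        self.tokens = {}          # user -> stored token, never the password
    def set_password(self, user, password):
        self.tokens[user] = self.derive(user, password)
    def verify(self, user, server_seed, client_seed, sub):
        expected = substitute(self.tokens[user], server_seed, client_seed)
        return hmac.compare_digest(expected, sub)

def client_sign_on(server, derive, user, password):
    # Fresh seeds per attempt, so a captured substitute cannot be replayed.
    server_seed, client_seed = os.urandom(8), os.urandom(8)
    sub = substitute(derive(user, password), server_seed, client_seed)
    return server.verify(user, server_seed, client_seed, sub)

def demo():
    server = Server(token_new)                           # system at the higher level
    server.set_password("APPUSER", "Correct-Horse-42")   # constructed sample
    pw = "Correct-Horse-42"
    return {
        "updated client": client_sign_on(server, token_new, "APPUSER", pw),
        "older client, same password": client_sign_on(server, token_old, "APPUSER", pw),
        "updated client, wrong password": client_sign_on(server, token_new, "APPUSER", "wrong"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

In this model the older client fails in the same way as a wrong password, so sign-on failure counts alone will not tell you which clients still need upgrading.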

The problem is compounded by the fact that some affected products (such as IBM Toolbox for Java™) are provided as middleware. A third-party product that incorporates a prior version of one of these products will not work correctly until it is rebuilt using an updated version of the middleware.

Given this and other scenarios, it is easy to see why careful planning is necessary before you change the QPWDLVL system value.