Password policies for service tools user IDs

This topic describes the password policies for service tools user IDs and the process of changing from Data Encryption Standard (DES) encryption to Secure Hash Algorithm (SHA) encryption.

Note: Multiple attempts to sign on with an incorrect password can disable the service tools user ID. If the user ID is QSECOFR, additional sign-on attempts are allowed until the correct password has been entered and the user is signed on. You can then re-enable the QSECOFR user ID. To enable other user IDs, you must have the QSECOFR user ID or another user ID that has the service tool security privilege.

Service tools user IDs are separate from IBM® i user profiles. Passwords for service tools user IDs are encrypted at different levels of security. The default password level uses DES encryption. You should use DES encryption if you have pre-V5R1 clients that use System i® Navigator to connect to service functions, such as logical partitions and disk unit management.

You can change the password level to use SHA encryption, which is mathematically impossible to reverse and provides stronger encryption and a higher level of security. If you change to SHA encryption, however, you cannot change back to DES encryption. Also, if you change to SHA encryption, you can no longer connect to the service tools server with pre-V5R1 clients, such as Operations Console. When you upgrade your password level to SHA, you need to upgrade any clients that use these functions.

DES encryption

When you use DES encryption, service tools user IDs and passwords have the following characteristics:

  • Use 10-digit, uppercase user IDs.
  • Use 8-digit, case-sensitive passwords. When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is 6 digits.
  • Passwords for user IDs do not expire after 180 days. By default, however, the initial passwords for IBM-supplied service tools user IDs are shipped as expired. The exception is the user ID 11111111, which is not shipped expired.
  • Even though passwords do not expire when DES encryption is used, a password can still be created as expired.
  • By default, passwords are initially set as expired (unless explicitly set on the display to No).

SHA encryption

When you use SHA encryption, service tools user IDs and passwords have the following characteristics:

  • Use 10-digit, uppercase user IDs.
  • Use 128-digit case-sensitive passwords. When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is 6 digits.
  • By default, passwords for user IDs expire after 180 days. The expiration interval can be changed through Option 8 (Password expiration interval in days) on the Work with Service Tools Security Data menu in Dedicated Service Tools (DST), or by the following steps in System Service Tools (SST). The value can be 0 for *NOMAX or up to 999 days.
    1. Access SST.
    2. Select Work with service tools user IDs and devices.
    3. Select Work with service tools security options.
    4. Change the Password expiration interval in days and press Enter.
  • By default, passwords are initially set as expired (unless explicitly set on the display to No).
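The rules listed for the two password levels (maximum password length, the create and change minimums, the expiration interval with 0 meaning *NOMAX, and the one-way move from DES to SHA described earlier) as an added Python model for checking a proposed password or a recorded change date against the policy. This is an added example, not IBM code and not anything that runs on the system itself; the choice that a password counts as expired on the day the interval is reached is an assumption.

```python
from datetime import date, timedelta
from typing import List, Optional

# Password level limits as the page states them. A 0-day interval stands for *NOMAX.
LEVELS = {
    "DES": {"max_password": 8, "default_interval": 0},     # DES passwords never expire
    "SHA": {"max_password": 128, "default_interval": 180},
}
MIN_ON_CREATE, MIN_ON_CHANGE = 1, 6


def check_password(password: str, level: str, changing: bool) -> List[str]:
    """Return the rule violations for a new (changing=False) or changed password."""
    minimum = MIN_ON_CHANGE if changing else MIN_ON_CREATE
    maximum = LEVELS[level]["max_password"]
    problems = []
    if len(password) < minimum:
        problems.append(f"password must have at least {minimum} characters")
    if len(password) > maximum:
        problems.append(f"password must have at most {maximum} characters at level {level}")
    return problems


def password_expired(last_changed: str, level: str, today: str,
                     interval_days: Optional[int] = None, created_expired: bool = False) -> bool:
    """Expired if flagged expired at creation, or if the interval has elapsed (SHA only).

    Dates are ISO strings (YYYY-MM-DD). Assumption: the password expires on the day
    the interval is reached. DES passwords never expire by interval, so only the
    created-expired flag can expire them.
    """
    if created_expired:
        return True
    interval = LEVELS[level]["default_interval"] if interval_days is None else interval_days
    if not 0 <= interval <= 999:
        raise ValueError("expiration interval must be 0 (*NOMAX) to 999 days")
    if level == "DES" or interval == 0:
        return False
    changed, now = date.fromisoformat(last_changed), date.fromisoformat(today)
    return now >= changed + timedelta(days=interval)


def level_change_allowed(current: str, new: str) -> bool:
    """The move from DES to SHA is one way: once at SHA you cannot return to DES."""
    return not (current == "SHA" and new == "DES")
```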

To change to SHA encryption, perform the following steps in either SST or DST:

Access SST
  1. Select Work with service tools user IDs and devices.
  2. Enter 5, Change service tools password level, and press Enter. Press Enter again if you are ready to go to the new password level. The current status of PWLVL 2 is displayed.
Access DST
  1. Sign on to DST using your service tools user ID. The Use dedicated service tools (DST) display is shown.
  2. Select option 5, Work with DST environment, and press Enter. The Work with DST Environment display is shown.
  3. Select option 6, Service tools security data, and press Enter.
  4. Select option 6, Change password level, and press Enter. Press Enter again if you are ready to go to the new password level. The current status of PWLVL 2 is displayed.