Changing QPWDLVL to a lower password level

Returning to a lower QPWDLVL value, while possible, is not expected to be a completely painless operation. In general, the mindset should be that this is a one-way trip from lower QPWDLVL values to higher QPWDLVL values. However, there might be cases where a lower QPWDLVL value must be reinstated.

A change to the QPWDLVL system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command.

Considerations for changing from QPWDLVL 3 to 2

This change is relatively easy. After the QPWDLVL is set to 2, the administrator needs to determine if any user profile is required to contain IBM® i NetServer LAN manager passwords or password level 0 or 1 passwords and, if so, change the password of the user profile to an allowable value.

Additionally, the password system values might need to be changed back to values compatible with IBM i NetServer LAN manager passwords and password level 0 or 1 passwords, if those passwords are needed.

Considerations for changing from QPWDLVL 3 to 1 or 0

Because of the very high potential for causing problems for the system (such as no one being able to sign on because all of the password level 0 and 1 passwords have been cleared), this change is not supported directly. To change from QPWDLVL 3 to QPWDLVL 1 or 0, the system must first make the intermediary change to QPWDLVL 2.

Considerations for changing from QPWDLVL 2 to 1

Before changing QPWDLVL to 1, you should use the DSPAUTUSR or PRTUSRPRF TYPE(*PWDINFO) command to locate any user profiles that do not have a password level 0 or 1 password. If the user profile requires a password after the QPWDLVL is changed, make sure that a password level 0 and 1 password is created for the profile using one of the following mechanisms:

  • Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This causes the system to change the password that is usable at password levels 2 and 3; and the system also creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the following conditions are met:
    • The password is 10 characters or less in length.
    • The password can be converted to uppercase EBCDIC characters A-Z, 0-9, @, #, $, and underline.
    • The password does not begin with a numeric or underline character.

    For example, changing the password to a value of RainyDay can result in the system generating a password level 0 and 1 password of RAINYDAY. But changing the password value to Rainy Days In April can cause the system to clear the password level 0 and 1 password (because the password is too long and it contains blanks).

    No message or indication is produced if the password level 0 or 1 password cannot be created.

  • Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 0 and 1, the system creates an equivalent uppercase password that is usable at password levels 0 and 1. The system is only able to create the password level 0 and 1 password if the conditions listed above are met.

The administrator can then change QPWDLVL to 1. All IBM i NetServer LAN manager passwords are cleared when the change to QPWDLVL 1 takes effect (next IPL).
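
Because no message is produced when the password level 0 and 1 password cannot be created, the three conditions listed above can be checked against a candidate password before it is assigned. The following Python code is an added example, not IBM code: the names `level01_equivalent` and `report` are hypothetical, and it assumes that non-ASCII characters and empty values do not convert.

```python
import string

# Characters the page lists as valid after uppercasing: A-Z, 0-9, @, #, $, underline.
ALLOWED = frozenset(string.ascii_uppercase + string.digits + "@#$_")
BAD_FIRST = frozenset(string.digits + "_")
MAX_LEN = 10


def level01_equivalent(password):
    """Return (uppercase_password, []) when all three conditions hold,
    otherwise (None, [reasons]). Hypothetical helper, not a system API."""
    reasons = []
    if not password:
        # Assumption: an empty value is treated as "no password".
        return None, ["empty value"]
    if len(password) > MAX_LEN:
        reasons.append("longer than 10 characters")
    # Assumption: only ASCII characters are considered convertible.
    bad = sorted({c for c in password
                  if not (c.isascii() and c.upper() in ALLOWED)})
    if bad:
        reasons.append("cannot be converted: " + ", ".join(repr(c) for c in bad))
    if password[0] in BAD_FIRST:
        reasons.append("begins with a numeric or underline character")
    if reasons:
        return None, reasons
    return password.upper(), []


def report(candidates):
    """Map each candidate to its level 0/1 equivalent or the reasons it has none."""
    return {p: level01_equivalent(p) for p in candidates}


if __name__ == "__main__":
    # Constructed sample values; the first two are the page's own examples.
    samples = ["RainyDay", "Rainy Days In April", "9lives", "_secret", "pass#word1"]
    for pw, (equiv, why) in report(samples).items():
        status = equiv if equiv else "none (" + "; ".join(why) + ")"
        print(f"{pw!r:24} -> {status}")
```
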

Considerations for changing from QPWDLVL 2 to 0

The considerations are the same as those for changing from QPWDLVL 2 to 1 except that all IBM i NetServer LAN manager passwords are retained when the change takes effect.

Considerations for changing from QPWDLVL 1 to 0

After changing QPWDLVL to 0, you should use the DSPAUTUSR or PRTUSRPRF command to locate any user profiles that do not have an IBM i NetServer LAN manager password. If the user profile requires an IBM i NetServer LAN manager password, it can be created by changing the user's password or signing on through a mechanism that presents the password in clear text.

You can then change QPWDLVL to 0.