IBM Support

Default SST profiles Exired Passwords after PTF upgrade

Troubleshooting


Problem

A change has been made to the default user Profiles for Service Tools (SST and DST) so that when the PTF's below are applied those profiles will be marked as Expired if they are still using a default password.
The profiles changed are 11111111, 22222222 and QSRV.
The PTF's where this change was made are listed below:
V7R2= MF66639-A....included in Cumulative package C9297720
V7R3= MF66501-A...included in Cumulative package C9311730
V7R4= MF66502-A...included in Cumulative Package C9304740
This particular change WILL NOT effect the QSECOFR profile which is already shipped as having an expired password.  If any of the profiles listed above have a non-default password they will not be effected either.
For Example....the SST user profile 11111111 has a password of ABC1234.  That WILL NOT be effected as it is not the default password.
Their are options to change those passwords so that they do not go to an expired state:
Via System Service Tools:
- Get a 5250 (or Console) session
- Issue command STRSST...login with SST ID QSECOFR
- Option 8- Work with Service Tools User IDs and Devices
- Option 1- Service tools User IDs
- Option 2- Change Password next to the user ID you want to reset. 
- Give it a unique password and change Set Password to Expire to 2 for No.
Via Dedicated Service Tools:
- Get a 5250 Console session
- Via Control Panel Options (when in Manual Mode) execute a Function 21 to force DST.  This can be done from Front Control Panel, Remote Control Panel or via HMC Web Interface if HMC managed.
- Sign into DST with QSECOFR
- Option 5- Work with DST Environment
- Option 3- Service tools user IDs
- Option 2 next to the ID you want to change
- Give it a unique password and make sure to change Set Password to Expire to 2 for No.
Service Tools ID 11111111 can also be reset from the Front Control Panel with the following method.  Note: this is only needed if the 11111111 profile has been tried wrong to many times and goes to a Disabled state as apposed to Expired Password.
- Get Front Control Panel access
- Put the system into Manual mode
   - Arrow to 02...hit enter 2 times to see 02 B N<
   - Up arrow 1 time...will see 02 B M<
   - Enter 2 times to get back to 02
- Enable extended functions
   - Arrow to 25...hit enter...you will see 25 00
   - Arrow to 26...hit enter...you will see 26 00 (Note: If you see 26 FF you will need to do 25 and 26 again)
- Reset 11111111
   - Arrow up to 65...hit enter...you will see 65 00
   - Arrow down to 13...hit enter...you will see a lot of characters, the only one we are concerned about is the last digit on the top line.  Should look like this:
xxxxxxxxxxxxxxx1
xxxxxxxxxxxxxxxx
   - Continue going between 65 and 13 and hitting enter until that number becomes a 9:
xxxxxxxxxxxxxxx9
xxxxxxxxxxxxxxxx
   - This indicates that 11111111 was reset to a password of 11111111 and marked expired. 
   - You can then launch a console session and at the initial Service Tools signon box use the above credentials:
image-20191210110051-1
   - This will populate the following message:
image-20191210110122-2
   - Click Ok and you will then be prompted to set a new, unique, password for 11111111 (Must be 6-8 characters, is case sensitive, can't be any of previous 17 by default)
image-20191210110212-3
The PTF's listed also took away some non-essential functionality from the profile of 11111111.  You can re-grant any of these authorities you see fit as follows:
- 5250 session
- STRSST...login with QSECOFR
- Option 8- Work with service tools User IDs and Devices
- Option 1- Service Tools User IDs
- Put a 7 next to the ID to Change Privileges and hit enter
- You can give the profile any permissions you would like.  Remember that 11111111 profile can be reset through the Front Control Panel so limiting it's privileges is recommended.
Note: The Partition Remote Panel Key function is now revoked.  You will need to Grant this privilege if you plan to utilize the Remote Virtual Control Panel and 11111111 Service Tools profile.
Note: It is recommended by IBM that you create at least 1 other Service Tools profile with sufficient privileges to have as a backup should you ever have problems with accessing Service Tools.

Document Location

Worldwide

[{"Business Unit":{"code":"BU009","label":"Systems - Cognitive"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"V7R2 and later","Edition":""}]

Document Information

Modified date:
18 December 2019

UID

ibm11127871