IBM Support

Default SST profiles with default passwords are Expired after PTF upgrade

Troubleshooting


Problem

A change was made to the default user profiles for Service Tools (SST and DST).  When the PTFs listed are applied those profiles are now marked as Expired if they are still using a default password.
The profiles changed are 11111111, 22222222 and QSRV.  Note: the default profiles 11111111 and 22222222 are removed starting in V7R5.
The PTFs where this change was made are as follows:
V7R2= MF66639-A....Included in Cumulative package C9297720
V7R3= MF66501-A...Included in Cumulative package C9311730
V7R4= MF66502-A...Included in Cumulative Package C9304740
This particular change WILL NOT affect the QSECOFR profile that is already shipped as having an expired password.  If any of the profiles listed have a non-default password, they are also not affected.
For Example....the SST user profile 11111111 has a password of ABC1234.  That WILL NOT be affected since ABC1234 is not the default password.
There are options to change those passwords so that they do not go to an expired state:
System Service Tools:
- Get a 5250 (or Console) session
- Issue command STRSST...Sign in with SST ID QSECOFR
- Option 8- Work with Service Tools user IDs and Devices
- Option 1- Service tools user IDs
- Option 2- Change Password next to the user ID you want to reset. 
- Give it a unique password and change Set Password to Expire to 2 for No.
Dedicated Service Tools:
- Get a 5250 Console session
- Control Panel Options (when in Manual Mode) execute a Function 21 to force DST.  This can be done from Front Control Panel, Remote Control Panel or HMC Web Interface if HMC managed.
- Sign in to DST with QSECOFR
- Option 5- Work with DST Environment
- Option 3- Service tools user IDs
- Option 2 next to the ID you want to change
- Give it a unique password and make sure to change Set Password to Expire to 2 for No.
In V7R4 and earlier, Service Tools ID 11111111 can also be reset from the Front Control Panel with the following method.  Note: this is only needed if the 11111111 profile has been tried wrong too many times and goes to a disabled state as opposed to Expired Password.
- Get Front Control Panel access
- Put the system into Manual mode
   - Arrow to 02...hit enter 2 times to see 02 B N<
   - Up arrow 1 time...see 02 B M<
   - Enter 2 times to get back to 02
- Enable extended functions
   - Arrow to 25...hit enter...you see 25 00
   - Arrow to 26...hit enter...you see 26 00 (Note: If you see 26 FF, you will need to do 25 and 26 again)
- Reset 11111111
   - Arrow up to 65...hit enter...you see 65 00
   - Arrow down to 13...hit enter...you see many characters. The only one we are concerned with is the last digit on the top line.  Should look like this:
xxxxxxxxxxxxxxx1
xxxxxxxxxxxxxxxx
   - Continue going 65 - 13 and hitting enter until that number becomes a 9:
xxxxxxxxxxxxxxx9
xxxxxxxxxxxxxxxx
   - This indicates that 11111111 was reset to a password of 11111111 and marked expired. 
   - You can then launch a console session and at the initial Service Tools sign-on box use one of the previously disabled accounts:
image-20191210110051-1
   - This will populate the following message:
image-20191210110122-2
   - Click ok and you will then be prompted to set a new, unique, password for 11111111 (Must be 6-8 characters, is case-sensitive, cannot be any of the previous 17 passwords)
image-20191210110212-3
The PTF's listed also took away some non-essential functionality from the profile of 11111111.  You can re-grant any of these authorities you want as follows:
- 5250 session
- STRSST...Sign in with QSECOFR
- Option 8- Work with service tools user IDs and Devices
- Option 1- Service Tools user IDs
- Put a 7 next to the ID to Change Privileges and hit enter
- You can give the profile any permissions you want.  Remember that 11111111 profile can be reset through the Front Control Panel so limiting it's privileges is recommended.
Note: The Partition Remote Panel Key function is now revoked.  You will need to Grant this privilege if you plan to use the Remote Virtual Control Panel and 11111111 Service Tools profile.
Note: It is recommended by IBM that you create at least 1 other Service Tools profile with sufficient privileges to have as a backup should you ever have problems accessing Service Tools.
If you continue to get prompts that the password is still expired you'll need to go into System Service Tools to change the profile so that it is not expired:
  • 5250 session
  • STRSST....Sign in with QSECOFR
  • Option 8- Work with service tools user IDs and devices
  • Option 1- Service tools user IDs.
  • 2 next to the ID you want to work with.
Make sure the bottom option "Set password to expire" is set to "2" for "No."

Document Location

Worldwide

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"V7R2 and later","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
18 February 2023

UID

ibm11127871