IBM Support

Restricting Visibility of Master Key Hash Values for General System Users

Troubleshooting


Problem

A general system user with no special authorities can view the Master Key hash values through IBM Navigator for i. This document includes a method of restricting a general user's ability to view these Master Key hash values.

Resolving The Problem

It has been noted that a general system user with no special authorities can view the Master Key hash values through IBM Navigator for i. This document includes a method of restricting a general user's ability to view these Master Key hash values.

A hash is a one-way function. It is not feasible to determine the master key from any given hash value, so the Master Keys themselves are not actually visible. The visibility of the hash values is not a security exposure.

Even though visibility to the Master key hash values does not represent a security exposure, the request to restrict visibility may stand.

It is possible to restrict public access by changing the object authority to the program used to display the hash values. You should do the following:

1. Issue the WRKOBJ OBJ(QC3TSTMK) command.
2. Select Option 2 (Edit authority) on the QC3TSTMK object.
3. On the next screen, change *PUBLIC to have Object Authority of *EXCLUDE as shown below:

Screen shot of the desired Authority for *PUBLIC to restrict base user visibility to Master Keys
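
The same change can be made with CL commands instead of the Edit authority screen. The following is an added example, not part of the original IBM document. It assumes QC3TSTMK is a *PGM object resolved through the library list (as in the WRKOBJ step), and the outfile name MKAUTBEF is hypothetical.

```cl
PGM
  /* Assumption: QC3TSTMK is a *PGM object found through the library   */
  /* list, as in the WRKOBJ step. Qualify the name if your library     */
  /* list differs.                                                     */

  /* 1. Record the current authorities so the change can be reversed.  */
  /*    MKAUTBEF is a hypothetical outfile name. QTEMP is cleared when */
  /*    the job ends, so use a permanent library to retain the record. */
  DSPOBJAUT  OBJ(QC3TSTMK) OBJTYPE(*PGM) OUTPUT(*OUTFILE) +
               OUTFILE(QTEMP/MKAUTBEF)

  /* 2. Set *PUBLIC to *EXCLUDE, the same result as Option 2           */
  /*    (Edit authority) in the steps above.                           */
  GRTOBJAUT  OBJ(QC3TSTMK) OBJTYPE(*PGM) USER(*PUBLIC) +
               AUT(*EXCLUDE)

  /* 3. Print the resulting authorities and confirm that *PUBLIC now   */
  /*    shows *EXCLUDE.                                                */
  DSPOBJAUT  OBJ(QC3TSTMK) OBJTYPE(*PGM) OUTPUT(*PRINT)
ENDPGM
```

The outfile from step 1 holds the previous *PUBLIC authority, which is the value to grant again if an application that depended on it fails after the change.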

The result of this change is that general users can still go through the steps in IBM Navigator for i to display Master Keys without error; however, the display shows none of the status or Current Key Verification Values.



Note: There is a risk to restricting *PUBLIC access to this program, as it is possible that applications written to access this information under *PUBLIC would then fail because users would require both *ALLOBJ and *SECADM authorities to access the values. After making the change, access for required personnel and applications should be verified.

Product: IBM i (Power HW, IBM Infrastructure)
Category: Cryptography->Cryptographic Services
Platform: IBM i
Version: 7.3.0;7.4.0;7.5.0;7.6.0;and future releases

Historical Number

646580484

Document Information

Modified date:
28 April 2025

UID

nas8N1010772