Monday, September 21, 2009

Recover or reset QSECOFR passwords

When IBM ships a server, both a QSECOFR OS/400 user profile and a QSECOFR service tools user ID are supplied. These are not the same. They exist in different locations and are used to access different functions. Your QSECOFR service tools user ID can have a different password from your QSECOFR OS/400 user profile. Service tools user IDs have different password policies than OS/400 user profiles.
If you lose or forget the passwords for both the QSECOFR OS/400 user profile and the QSECOFR service tools user ID, you may need to install your operating system again to recover them. Contact your service provider for assistance. If you know either of these passwords, this information tells you how to recover the password you do not know.
Reset the QSECOFR OS/400 user profile password
If you know the QSECOFR service tools user ID, you can use it to reset the QSECOFR OS/400 user profile to its initial value (QSECOFR). This procedure requires you to perform an initial program load (IPL) on your server. The change does not take effect until after the IPL. Complete the following steps to reset the QSECOFR OS/400 user profile:
1. Start DST.
2. Enter the QSECOFR service tools user ID and password on the DST Sign-On display.
3. Select option 5 (Work with DST environment) from the Use DST menu.
4. Select option 6 (Work with Service Tools Security Data) from the Work with DST Environment menu. You will see the Work with Service Tools Security Data menu:
   +------------------------------------------------+
   | Work with Service Tools Security Data          |
   | System: _____________                          |
   | Select one of the following:                   |
   | 1. Reset operating system default password     |
   | 2. Change operating system install security    |
   | 3. Work with service tools security log        |
   | 4. Restore service tools security data         |
   | 5. Save service tools security data            |
   | 6. Password level                              |
   | Selection                                      |
   +------------------------------------------------+
5. Select option 1 (Reset operating system default password). The Confirm Reset of System Default Password display appears.
6. Press Enter to confirm the reset. A confirmation message appears telling you that the system has set the operating system password override.
7. Continue pressing F3 (Exit) to return to the Exit DST menu.
8. Select option 1 (Exit DST). The IPL or Install the System menu appears.
9. Select option 1 (Perform an IPL). The system continues with a manual IPL. If you need additional information about performing an IPL, see the Starting and stopping the iSeries topic.
10. When the IPL completes, return the keylock switch or electronic keystick to the Auto position, if applicable.
11. Sign on to OS/400 as QSECOFR. Use the CHGPWD command to change the QSECOFR password to a new value. Store the new value in a safe place.
Attention: Do not leave the QSECOFR password set to the default. This is a security exposure because this is the value shipped with every iSeries server and is commonly known.
Reset the QSECOFR service tools user ID and password
If you know the password for the QSECOFR OS/400 user profile, you can use it to reset the password for the IBM-supplied service tools user ID that has service tools security privilege (QSECOFR) to the IBM-supplied default value by completing the following steps:
1. Ensure that the server is in normal operating mode, not DST.
2. Sign on at a workstation using the QSECOFR OS/400 user profile.
3. On a command line, type CHGDSTPWD (Change IBM Service Tools Password). You see the Change IBM Service Tools Password (CHGDSTPWD) display:
   +------------------------------------------------------------+
   | Change IBM Service Tools Pwd (CHGDSTPWD)                   |
   |                                                            |
   | Type choices, press Enter.                                 |
   |                                                            |
   | Password . . . . . . . . . . . . *DEFAULT *SAME, *DEFAULT  |
   |                                                            |
   +------------------------------------------------------------+
4. Type *DEFAULT and press the Enter key. This sets the IBM-supplied service tools user ID that has service tools security privilege and its password to QSECOFR.
Attention: Do not leave the QSECOFR service tools user ID and password set to the default value. This is a security exposure because this is the value shipped with every iSeries server and is commonly known. See the Recommendations for managing service tools user IDs for more information.
