Various excerpts from V5R1 Memo To Users:

2t.viii) CHGDSTPWD behavior

The Change Dedicated Service Tools Password (CHGDSTPWD) command no longer resets the password for all three IBM-supplied service tools user IDs. CHGDSTPWD resets only the password for the IBM-supplied security capability ID (QSECOFR service tools user ID).

2ab) Service tools user IDs extended to STRSST and Operations Navigator

Before V5R1, service tools user IDs were only required when you use dedicated service tools (DST). The passwords for these user IDs did not expire and few password composition rules existed. There was no functional privilege checking with respect to each service function. There were only three IBM-supplied service tools user IDs (QSECOFR, 11111111, and 22222222), and these user IDs were not disabled based on incorrect sign-on attempts.

Beginning in V5R1, these service tools user IDs are now required to access system service tools (STRSST command) and to use the Operations Navigator functions for LPAR management and DASD management.

The service tools user IDs are sometimes referred to as DST user profiles, DST user IDs, service tools user profiles, or a variation of these names. Within this topic, service tools user IDs are used to define these users.

Detailed information on the security aspects of service tools is located in the iSeries Information Center at: www.ibm.com/eserver/iseries/infocenter

For Tips and Tools for Securing your iSeries: Click Security --> Manuals and Redbooks --> Tips and Tools for Securing your iSeries (Chapter 7)
For the iSeries Security Reference manual: Click Security --> Manuals and Redbooks --> iSeries Security Reference
For the Backup and Recovery manual: Click Systems Management --> Backup, recovery, and availability --> Manuals and Redbooks --> Backup and Recovery

2ab.i) Changes to service tools user ID passwords and authentication

In V5R1, the following IBM-supplied service tools user IDs are available: 11111111, 22222222, QSRV, and QSECOFR. QSRV is a new IBM-supplied service tools user ID. You can now create additional service tools user IDs; there is a maximum of 100 service tools user IDs (which includes the four IBM-supplied user IDs).

Also new for V5R1, users of system service tools (STRSST) are required to authenticate themselves by using a service tools user ID and password. The passwords for IBM-supplied service tools user IDs (except for 11111111) are initially set as expired. You need to change your service tools user ID passwords as soon as you use the user ID. You can change the passwords for these user IDs either by bringing up DST on the console, by using the Change Dedicated Service Tools Profiles (QSYCHGDS) API, or by selecting F9 from the STRSST sign-on display.

Passwords for service tools user IDs are case sensitive and the passwords for the IBM-supplied user IDs are all initially in uppercase. When changing the password through the QSYCHGDS API or the STRSST command, the minimum length required for passwords is 6 characters. The maximum length of a password ranges from 10 to 128 characters depending on the password level. The last 18 passwords that are used are tracked; therefore, you cannot re-use these passwords when changing a password for a service tools user ID.

Service tools user IDs are disabled based on the number of incorrect sign-on attempts. The user is allowed three failed attempts to sign on. If the user successfully signs on before failing a third time, the failed sign-on count is reset to zero. After the third failed attempt to sign on, the service tools user ID is disabled.

Note: A user who has a disabled QSECOFR service tools user ID can still sign on to DST.

Password level support for service tools user IDs

New in V5R1 is support for a password level for service tools user IDs. The default password level uses Data Encryption Standard (DES) encryption. You can change the password level to use SHA encryption. Once you change to SHA encryption, however, you cannot change back to DES encryption.

When you use DES encryption, service tools user IDs and passwords have the following characteristics:
* 10-digit, uppercase-character user IDs.
* 8-digit, case-sensitive passwords. (Before V5R1, passwords for service tools user IDs were insensitive because the input field was a case-insensitive field.) When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is 6 digits.
* Passwords for user IDs do not have an expiration date.
* By default, passwords are created as expired unless explicitly set to non-expired by a security administrator.

When you use SHA encryption, service tools user IDs and passwords have the following characteristics:
* 10-digit, uppercase-character user IDs.
* 128-digit, case-sensitive passwords. When you create a user ID and password, the minimum required for the password is 1 digit. When you change a password, the minimum required is 6 digits.
* Passwords for user IDs expire in 180 days from the creation date or date last changed.
* By default, passwords are created as expired unless explicitly set to non-expired by a security administrator.

To change to use SHA encryption, go to the Work with DST Environment display. Select option 6 (Service tools security data) and then select option 6 (Password level).

2ab.ii) Functional privileges

Functional privileges are new in V5R1. The ability for a service tools user to access individual service functions can be granted or revoked. Before a user is allowed to use or perform a service function from DST, SST, or Operations Navigator, a functional privilege check is performed based on the privileges granted to the service tools user. If a user has insufficient privileges, access to the service function is denied. Also added this release is an audit log to monitor service function usage by service tools users. The DST menu flow has changed to support the user-created service tools user IDs and the management of their functional privileges.

2ab.iii) Service tools server

In V5R1, a new service tools server is used by the logical partitions, disk management, Operations Console, and some cluster graphical interfaces to access service functions. In order to use the service tools server, you must first add a table entry to the service table. The instructions for adding a table entry to the service table are located in the iSeries Information Center: www.ibm.com/eserver/iseries/infocenter
Click Security --> Manuals and Redbooks --> Tips and Tools for Securing your iSeries

After adding the table entry, you have the ability to use these graphical user interfaces. However, you are required to sign on to the service tools server by using a service tools user ID. If you have not already changed the password for your user ID, you are asked to change it when you sign on to the service tools server. A change password display automatically appears, and you need to enter your current password and a new password.

2ac) Save and restore operations for service tools user IDs

The following information pertains if you currently perform save and restore operations for OS/400 user profiles by using any of these functions:
* SAVE Menu Option 23
* Save Security Data (SAVSECDTA) command
* Restore User Profile (RSTUSRPRF) command

You should save and restore the service tools security data for recovery purposes from DST. To do this, perform these steps:
1. From the Work with DST Environment display, select option 6 (Work with service tools security data).
2. From the Work with Service Tools Security Data display, select either option 4 (Restore service tools security data) or option 5 (Save service tools security data).

2ad) OS/400 user profile passwords change

Beginning in V5R1, there are four OS/400 password security levels (0, 1, 2, and 3) for user profiles. However, if a user profile is saved in a release prior to V5R1 at level 1, for example, and the user profile is then restored on a V5R1 server at password level 3, the restored user profile password is reset to *NONE.

For more information on security levels or save and restore functions, see the user profiles sections of the Backup and Recovery (SC41-5304) and iSeries Security Reference (SC41-5302) manuals in the iSeries Information Center at: www.ibm.com/eserver/iseries/infocenter

also, FYI:

2aa) Changes to MI instructions

2aa.i) MATRMD option 0x13

In V5R1, the Number of processors configured on the machine field in MATRMD option 0x13 indicates the maximum number of processors that can become active during the IPL of the partition. Previously, this value displayed the total number of processors assigned to the current partition, including failed ones. For example, a system has four processors (one of which has failed) and no partitioning. Prior to V5R1, MATRMD option 0x13 would have reported four as the value of the Number of processors configured on the machine field. In V5R1, the value reported for this field is three. A system without logical partitions no longer sees failed processors in MATRMD option 0x13.

2aa.ii) Number of Configured Processors field value changed

The Number of configured processors field returned by option hexadecimal 01DC of the MATMATR MI instruction includes on-demand processors that are installed but not in use, and on-demand processors that are in use but have not been purchased.

...Neil

"Leif Svalgaard" <leif@leif.org>
Sent by: midrange-l-admin@midrange.com
2002/02/25 21:07
Please respond to midrange-l

To: "Midrange List Tech" <MIDRANGE-L@midrange.com>
cc:
Subject: DST

Folks,
Just installed V5R1, and I knew this would hit me: When signing on to SST to check configuration (as QSECOFR, upper case), I get: user profile disabled, go to DST to enable user. When IPLing and selecting DST, I'm again faced with a signon screen and the message "user profile disabled". What gives?
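The sign-on, lock-out and password-change rules quoted from the memo above (three failed sign-ons disable the ID, a success resets the count, the last 18 passwords are remembered, 6-character minimum on change, 8-character maximum at the DES password level and 128 at the SHA level, 180-day expiry only at the SHA level, and the one-way switch to SHA), written out as an added Python model. This is illustration only, not IBM code and not part of the original thread: the hashlib digest stands in for whatever the system actually stores, the return strings and the sample IDs, passwords and dates are this model's own constructions, and the memo's note that a disabled QSECOFR can still sign on to DST is deliberately not modelled.

```python
"""Model of the V5R1 service tools user ID rules quoted in the memo excerpts.

Added illustration only, not IBM code. The hashlib digest is a stand-in for
the system's own password storage (an assumption of this model), and the
return strings are the model's own, not system messages.
"""
import hashlib
from datetime import date, timedelta

HISTORY_DEPTH = 18            # the last 18 passwords are remembered
MAX_FAILED_ATTEMPTS = 3       # the third consecutive failure disables the ID
MIN_CREATE_LENGTH = 1         # minimum when the user ID is created
MIN_CHANGE_LENGTH = 6         # minimum when the password is changed
MAX_LENGTH = {"DES": 8, "SHA": 128}
EXPIRY_DAYS = {"DES": None, "SHA": 180}   # no expiry at DES level


def _digest(password):
    # Stand-in for the real DES/SHA storage (assumption of this model).
    # Comparing digests keeps the check case-sensitive, as the memo states.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ServiceToolsUserID:
    def __init__(self, user_id, initial_password, level="DES",
                 created=None, expired=True):
        if len(user_id) > 10 or user_id != user_id.upper():
            raise ValueError("user ID must be at most 10 uppercase characters")
        if level not in MAX_LENGTH:
            raise ValueError("password level must be DES or SHA")
        if not MIN_CREATE_LENGTH <= len(initial_password) <= MAX_LENGTH[level]:
            raise ValueError("initial password length out of range")
        self.user_id = user_id
        self.level = level
        self.history = [_digest(initial_password)]   # newest entry last
        self.last_changed = created or date.today()
        self.expired = expired        # IDs ship expired unless set otherwise
        self.failed_attempts = 0
        self.disabled = False

    def set_password_level(self, level):
        """Switching to SHA is one-way; DES cannot be selected again."""
        if level not in MAX_LENGTH:
            raise ValueError("password level must be DES or SHA")
        if self.level == "SHA" and level == "DES":
            raise ValueError("cannot return to DES once SHA is in use")
        self.level = level

    def is_expired(self, today=None):
        if self.expired:
            return True
        days = EXPIRY_DAYS[self.level]
        if days is None:
            return False
        today = today or date.today()
        return today > self.last_changed + timedelta(days=days)

    def sign_on(self, password, today=None):
        """Return OK, CHANGE_REQUIRED, INVALID or DISABLED."""
        if self.disabled:
            return "DISABLED"
        if _digest(password) != self.history[-1]:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.disabled = True
                return "DISABLED"
            return "INVALID"
        self.failed_attempts = 0      # a successful sign-on resets the count
        return "CHANGE_REQUIRED" if self.is_expired(today) else "OK"

    def policy_violation(self, new_password):
        """Reason a changed password would be rejected, or None if acceptable."""
        if len(new_password) < MIN_CHANGE_LENGTH:
            return "shorter than %d characters" % MIN_CHANGE_LENGTH
        if len(new_password) > MAX_LENGTH[self.level]:
            return "longer than %d characters at %s level" % (
                MAX_LENGTH[self.level], self.level)
        if _digest(new_password) in self.history[-HISTORY_DEPTH:]:
            return "matches one of the last %d passwords" % HISTORY_DEPTH
        return None

    def change_password(self, current, new_password, today=None):
        if self.disabled:
            return "DISABLED"
        if _digest(current) != self.history[-1]:
            return "INVALID"
        reason = self.policy_violation(new_password)
        if reason is not None:
            return "REJECTED: " + reason
        self.history = (self.history + [_digest(new_password)])[-HISTORY_DEPTH:]
        self.last_changed = today or date.today()
        self.expired = False
        self.failed_attempts = 0
        return "OK"


def lockout_demo():
    """Constructed scenario matching the thread: a shipped, expired QSECOFR
    service tools ID signed on three times in the wrong case, then correctly."""
    qsecofr = ServiceToolsUserID("QSECOFR", "QSECOFR", created=date(2002, 2, 25))
    attempts = ["qsecofr", "qsecofr", "qsecofr", "QSECOFR"]
    return [qsecofr.sign_on(p) for p in attempts]


if __name__ == "__main__":
    print(lockout_demo())   # ['INVALID', 'INVALID', 'DISABLED', 'DISABLED']
```

The demo shows why a case slip is enough to lock the shipped ID: the fourth, correctly cased attempt is still refused because the third failure already disabled the ID, and nothing short of re-enabling it from DST (or the QSYCHGDS API) gets it back.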
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].