On 06-Oct-2016 06:17 -0500, Rob Berendt wrote:
On 05-Oct-2016 12:05 [ed: 18:59 -0500], Justin Taylor wrote:
My understanding is the IBM recommendation is to leave the profile
enabled with a password set, and that there are some system
functions that won't run if the profile is disabled or has no
password.
(Never tried it myself though.)
Is this documented anywhere?
Yes:
[](
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzamv/rzamvchangepwd.htm)
"…
Table 1. Passwords for IBM-supplied profiles
User ID Password Recommended value
QSECOFR QSECOFR¹ A nontrivial value known only to the security
administrator. Write down the password that you have selected and store
it in a safe place.
…
Note:
1. 'The system arrives with the Set password to Expired value for the
QSECOFR set to *YES. The first time that you sign on to a new system,
you must change the QSECOFR password.
…"
But, there are also these references of note; the first reference
below is clearly an acknowledgment of a /policy/ of keeping the QSECOFR
User Profile (USRPRF) with the attribute of STATUS(*DISABLED) [that is
apparently typical enough to mention], and the other referencess are
less directly "in case you do that", but of possible note about that
policy and/or the actual password:
[under two topics for "Implementing high
availability"](
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_61/rzaig/rzaigsoltrouble.htm)
and
(
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_61/rzaig/rzaigfinishpanel.htm)
"…
If your normal security policy is to have the QSECOFR profile disabled
and you enabled the QSECOFR profile to set up your high-availability
solution, then you should return to your normal security policy and
disable the QSECOFR profile.
…"
[Security topic for Recovering Security Information"Restoring user
profiles"](
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzarl/rzarlrstusr.htm)
"…
… RSTUSRPRF command.
If all of the user profiles are being restored to your system, all of
the fields in any of the profiles that already exist on the system are
restored from the save media, including the password.
Attention:
User Profiles saved from a system with a different password
level (QPWDLVL system value) than the system that is being restored
might result in having a password that is not valid on the restored
system. For example, if the saved user profile came from a system that
was running password level 2, the user can have a password of "This is
my password". This password will not be valid on a system running
password level 0 or 1.
Keep a record of the security officer (QSECOFR) password
associated with each version of your security information that is saved.
This ensures that you can sign on to your system if you need to do a
complete restore operation.
You can use DST (Dedicated Service Tools) to reset the password for the
QSECOFR profile.
…
Related information:
[Resetting the QSECOFR IBM i user profile
password](
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzamh/rzamhresetqsecofrpass.htm?view=kc)
"
[Setting up your central system for the first
time](
http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_72/rzaih/rzaih1d.htm)
"…
To complete an initialization, the Management Central sever requires
that QSECOFR is enabled and active. If you use a different profile name
with the same kind of authorization as QSECOFR, you need to run the
following command on the central system.
CALL PGM(QSYS/QYPSCONFIG) PARM(QYPSJ_SYSTEM_ID 'XXXXX')
(xxxxx is a user ID other than the default of QSECOFR)
…"
midrange.com
