aka – “What do I need to consider before moving my IBM i to a Higher Password Level?”
Before moving your IBM i Power System to a higher password level, there are several important considerations to ensure a smooth transition and maintain system security:
- Backup Security Data: Always save your security data using the SAVSECDTA or SAVSYS command before making any changes. This ensures you can restore user profiles and passwords if needed
- Compatibility with Other Systems: Ensure that all systems and applications interacting with your IBM i can handle the new password level. This includes verifying that any middleware or third-party products are compatible with the higher password level
- Password Rules and Length: Higher password levels (2 and 3) allow for longer and more complex passwords, up to 128 characters. Ensure your password policies are updated to reflect these changes
- Testing: Before fully implementing the new password level, test the changes in a controlled environment. This helps identify any potential issues with applications or user access
- User Communication: Inform users about the upcoming changes and provide guidance on creating compliant passwords. This helps minimize confusion and ensures a smoother transition
- System Values: Adjust related system values such as QPWDMINLEN, QPWDMAXLEN, and QPWDRULES to align with the new password level. These settings control the minimum and maximum password lengths and complexity rules
- Plan for Rollback: Have a rollback plan in case the new password level causes unforeseen issues. This includes knowing how to revert to the previous password level and restore security data
By carefully planning and considering these factors, you can successfully move your IBM i System to a higher password level while maintaining system security and user accessibility.
Prepare to activate longer passwords (IBM i Password Level 2)
DSPSYSVAL SYSVAL(QPWDLVL)
Passwords levels are:
- 0 – User profile passwords with a length of 1-10 characters are supported. There is no difference between level 0 and 1.
- 1 – User profile passwords with a length of 1-10 characters are supported. There is no difference between level 0 and 1.
- 2 – User profile passwords with a length of 1-128 characters are supported.
- 3 – User profile passwords with a length of 1-128 characters are supported. User profile passwords for password levels 0 and 1 are removed from the system.
- 4 – User profile passwords with a length of 1-128 characters are supported. User profile passwords for password levels 0, 1, 2, and 3 are removed from the system.
To ensure all user profiles are ready for the QPWDLVL 2 password level on IBM i, follow these steps:
- Backup Security Data: Use the
SAVSECDTA
command to back up your current security profiles and passwords. - Display Security Attributes: Use the
DSPSECA
command to display the current and pending password level values. - Check User Profiles: Use the
DSPAUTUSR
command to list user profiles and identify any profiles with passwords that do not meet the requirements for QSECLVL 20. - Validate Passwords: Ensure that all user passwords comply with the new password level requirements. For QPWDLVL 2, passwords must be between 1-128 characters and can include any character, with case sensitivity.
- Update Non-Compliant Profiles: Update any user profiles with passwords that do not meet the new requirements. You can use the
CHGUSRPRF
command to change user profile passwords. - Change Password Level: Once all profiles are compliant, change the password level using the
CHGSYSVAL
command:CHGSYSVAL SYSVAL(QPWDLVL) VALUE(2)
- Restart the System: Changes to the password level will take effect after the next system restart.
By following these steps, you can ensure a smooth transition to the QPWDLVL 2 password level
You should also check if all needed user profiles are ready for the password level you want to move to, i.e the password needs to have been changed at least one time since the IBM i OS got support for it:
I use SQL, but it can be done with DSPUSRPRF to an outfile and query the outfile as well:
Should by a YES if the the user profile have a password that can be used when moved to PASSWORD_LEVEL_2_3 or PASSWORD_LEVEL_4
select AUTHORIZATION_NAME,
PREVIOUS_SIGNON,
STATUS,
NO_PASSWORD_INDICATOR,
PASSWORD_LEVEL_2_3,
PASSWORD_LEVEL_4
from QSYS2.USER_INFO
where NO_PASSWORD_INDICATOR = ‘NO’
and (PASSWORD_LEVEL_2_3 = ‘NO’
or PASSWORD_LEVEL_4 = ‘NO’);
Great Idea – Thanks Krister!