New password-control security features for i5/OS V6R1

Rich Loeber

IBM's new i5/OS for System i will be available March 21. All reports so far indicate that this will be a major release. IBM has done a good job of previewing information about the release, especially the need for program conversion during the OS upgrade and the preparation that process requires. If you're considering a move to V6 and you haven't started down this road yet, you need to do it now.

Current documentation on V6 highlights new security features included in the release. You can start planning for three new system values now. All three involve password controls, which are always important considerations. Here is a recap of the new values and some information on each one.

QPWDCHGBLK: Block password change.
This new system value specifies the time period, in hours, during which a password is blocked from being changed after the prior successful password change was

More on i5/OS V6 and System i security: AS/400 security levels System i5/OS operating system due out in March New i5/OS features announced as anticipation mounts

made. A value between 1 and 99 is allowed, or you can keep things the way they are today by using the *None setting. This can be used to prevent users from changing their password to a new value and then changing it back to their old value. In earlier releases, this could also be handled by not allowing the same password to be used until N iterations had been processed, but a determined user could just change his password N times and get back to his favorite password rather quickly. This new value forces users to play by the rules.

QPWDEXPWRN: Password expiration warning.
This specifies the number of days before a password expiration warning message appears upon user sign-on. This provides better control over this warning feature than was available in previous releases and, if needed, allows for longer warning periods. The default value is seven days to conform to earlier processing, but it can be changed to any value between 1 and 99.

QPWDRULES: Password rules.
This system value allows for multiple entries to incorporate up to 24 sets of rules to be applied when passwords are validated by the system. These rules are applied when a password is created or changed. This consolidates all the password validation rules previously available into a single parameter setting and expands the validation rules with new sets of rules.

Other than these system values, V6 also supports several new options for capturing job audit information in the security journal and new exit points to make your system more secure. In future tips, I will explore both of these new options.

If you have any questions about anything included in this tip, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

---------------------------
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT iSeries security tips Security considerations for IBM i backups Developing a security incident response system for System i Tracking remote access users on System i Setting up security for programmers on IBM i Controlling remote access on your IBM i Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i iSeries system upgrades and compatibility Library QUSRSYS not completely installed Is i5/OS V6R1 in your System i shop's future i5/OS Recovering from DST QSECOFR password disablement on V5R4 Checking if a local port is used by another job on AS/400 How to: Configure a backup schedule between partitions on HMC Enhancements in the intrusion detection system for i5/OS V6R1 The enhanced DB2 inside i5/OS V6R1 Is i5/OS V6R1 in your System i shop's future New i5/OS features announced as anticipation mounts Using indexes on DB2 for i5/OS to improve performance IBM previews new version of i5/OS for System i IBM System i division filing for divorce i5/OS Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary AS/400  (Search400.com) i5/OS  (Search400.com) iSeries  (Search400.com) OS/400  (Search400.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.