System values on i: Setting them up and locking i down


Rich Loeber, Contributor
09.02.2008

When you implement your company's security policy on System i, you should first review your system values. System values define global, system-wide settings on your System i platform. Many of these pertain to how you want to implement system security. This tip will review how to look at these settings and how to lock them in place so that they cannot be changed.

So many system values are security-related that the designers of the operating system provided an easy way to review and work with security settings: the "work with system values" (WRKSYSVAL) command with the "system value" (SYSVAL) parameter set to the special value of *SEC. Setting the OUTPUT parameter to *PRINT will produce a listing of the security system values. Alternatively, you can run the command with the OUTPUT parameter blank and the system will bring the security system values up for you to review. A similar review function is available from iSeries Access, but the security functions are spread out over several different selection tabs (at least on my version) and you have to go several places to find everything that is available from the single *SEC review ability of the WRKSYSVAL command.

When working with the values interactively, you can review the current setting using option 5 or you can change the value using option 2. The list of system values displayed shows the name of the value and a text description. Often this is not enough information to determine exactly what you're looking at. When I find myself in this situation, I put a 5 next to it, then position the cursor over the current value displayed and press the HELP key. The help text that comes with this command is quite comprehensive and very helpful.

Security changes should be planned for and locked down
Changing any of your security system values should not be done on a whim. Planning and preparation are the watchwords for this process. It is all too easy to shoot yourself in the foot by making a security change on the fly and then losing, for example, the ability to log into your system. All security changes should be researched in advance to determine the exact impact on your system. If you're not sure, do the work to find out rather than trying it out without knowing the impact.

Once you have your security system values set along with the other system values (and there are loads of them), it is a good idea to lock them in place. On too many systems, there are too many users with all object (*ALLOBJ) and security administrator (*SECADM) permissions in their user profiles. By locking the system values, you can prevent casual changes to the system values and preserve the security policies that you've designed and implemented.

To lock your security system values in place, you can use the System Service Tools. To lock the settings, start the system service tools from a display session using the start system service tools (STRSST) command. You will need to supply your service tools user ID and password to complete the start of the tools. Once completed, choose option 7 from the menu (work with system security). Then, from the next screen, use option 2 to lock the security system values in place.

Once these are locked in place, you can only unlock them to make changes by going back into the system service tools and unlocking them from the same screen where you locked them. The unlock option is done by entering option 1. These settings can also be manipulated during IPL time by running the Dedicated System Tools (DST). Once locked, even users with *SECADM or *ALLOBJ cannot make capricious changes to the security system values so your security policy decisions will remain in force without worry.
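
A periodic check that the values still match what you planned complements the lock. The CL program below is an added example, not part of the original tip: the three system values it checks and the baseline settings ('40', '3', '1') are assumptions for illustration, so substitute the values from your own security policy.

```cl
/* Added example: compare selected security system values with a     */
/* planned baseline and report any drift to the system operator.     */
/* Baseline values are assumptions; replace them with your policy.   */
PGM
  DCL VAR(&QSEC)   TYPE(*CHAR) LEN(2)   /* QSECURITY   */
  DCL VAR(&SGNACN) TYPE(*CHAR) LEN(1)   /* QMAXSGNACN  */
  DCL VAR(&LMTSEC) TYPE(*CHAR) LEN(1)   /* QLMTSECOFR  */
  DCL VAR(&NAME)   TYPE(*CHAR) LEN(10)
  DCL VAR(&CUR)    TYPE(*CHAR) LEN(10)
  DCL VAR(&TXT)    TYPE(*CHAR) LEN(100)
  DCL VAR(&DRIFT)  TYPE(*LGL)  VALUE('0')

  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&QSEC)
  IF COND(&QSEC *NE '40') THEN(DO)
    CHGVAR VAR(&NAME) VALUE('QSECURITY')
    CHGVAR VAR(&CUR)  VALUE(&QSEC)
    CALLSUBR SUBR(REPORT)
  ENDDO

  RTVSYSVAL SYSVAL(QMAXSGNACN) RTNVAR(&SGNACN)
  IF COND(&SGNACN *NE '3') THEN(DO)
    CHGVAR VAR(&NAME) VALUE('QMAXSGNACN')
    CHGVAR VAR(&CUR)  VALUE(&SGNACN)
    CALLSUBR SUBR(REPORT)
  ENDDO

  RTVSYSVAL SYSVAL(QLMTSECOFR) RTNVAR(&LMTSEC)
  IF COND(&LMTSEC *NE '1') THEN(DO)
    CHGVAR VAR(&NAME) VALUE('QLMTSECOFR')
    CHGVAR VAR(&CUR)  VALUE(&LMTSEC)
    CALLSUBR SUBR(REPORT)
  ENDDO

  IF COND(*NOT &DRIFT) THEN(SNDPGMMSG +
       MSG('Security system values match the baseline') TOMSGQ(*SYSOPR))

  /* Keep a printed listing of all security system values on file */
  WRKSYSVAL SYSVAL(*SEC) OUTPUT(*PRINT)
  RETURN

  /* Send one drift message per mismatched value */
  SUBR SUBR(REPORT)
    CHGVAR VAR(&TXT) VALUE('System value' *BCAT &NAME *BCAT +
           'is now' *BCAT &CUR *BCAT 'and differs from the baseline')
    SNDPGMMSG MSG(&TXT) TOMSGQ(*SYSOPR)
    CHGVAR VAR(&DRIFT) VALUE('1')
  ENDSUBR
ENDPGM
```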

If you have any questions about anything included in this tip, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

All Rights Reserved, Copyright 1999 - 2009, TechTarget