SecureMyi.com Security and Systems Management Newsletter for the IBM i    Issue Date: March 5, 2019
Feature Article

Preventing Matching Passwords in IBM i V7R2M0

By Dan Riehl - SecureMyi.com

When you create a new user profile, the historical tendency is to accept the IBM-supplied default value for the user's new password. That value is shown on the command prompt as *USRPRF. (See Figure 1)

When *USRPRF is used to specify the password, the user's password is set to match the name of the User Profile. So, a User Profile of JSMITH will have its password set to the value JSMITH.

A snippet of the command prompt for the CRTUSRPRF (Create User Profile) command is shown below with the IBM-supplied Password default of *USRPRF. This tells the system to assign a password identical to the name of the User Profile being created. This is referred to as a 'Default Password'. Using this default setting opens obvious vulnerabilities for the User Profile. But the ability to set a Default Password, or to use the default value *USRPRF, can be totally rejected under some recent security updates discussed in this article.

Figure 1: The CRTUSRPRF command prompt, showing the IBM-supplied default PASSWORD(*USRPRF)

In my opinion, a proper security policy would prevent the use of any Default Password. Default Passwords should never be allowed.

Please read this entire article to see how you can technically enforce a Total Ban on the use of all Default Passwords.

Why is this a Big Deal?

Let's consider for a moment the main pitfall of allowing Default Passwords. If I know your system's User Profile naming convention (e.g. first character of the first name followed by the last name), I can know everyone's UserID simply by viewing the company employee directory (e.g. ASMITH, BSMITH, CSMITH, DSMITH). I also know that, in numerous companies, a high percentage of these users will have a Default Password. It seems like an easy nut to crack.

Default Passwords open up a world of vulnerabilities and exposures. Why even have a Password if everyone can know it?

Restricting the use of Default Passwords with System Values

We'll now examine how to prevent the assignment of a Default Password. The key to this prevention is found in some recent updates to the password-related System Values.

Examples for the QPWDRULES setting *ALLCRTCHG

The V7R2 update of the QPWDRULES System Value allows for the new setting of *ALLCRTCHG, which specifies to enforce all password composition rules defined in the QPWDRULES system value when setting a password via the Create User Profile (CRTUSRPRF) command or the Change User Profile (CHGUSRPRF) command. Note that this setting has no effect when a user changes their own password using the CHGPWD command or the Change User Password (QSYCHGPW) API. It is a restriction only when creating and changing a user profile using the CRTUSRPRF and CHGUSRPRF commands.

However, when this new IBM i V7R2 setting (*ALLCRTCHG) is used in conjunction with the V6R1 setting *LMTPRFNAME, it is impossible to assign a Default Password to a User Profile through ANY means.
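The weak and corrected QPWDRULES settings side by side, as an added example that is not part of the original article. The rule list '*MINLEN8 *DGTMIN1' is a constructed placeholder for whatever rules are already active on your system, and TESTUSR is an assumed profile name used only to verify the result.

```cl
/* Added example: QPWDRULES before and after the fix.                    */
/* CHGSYSVAL replaces the entire rule list, so record the current value  */
/* first and carry every existing rule forward.                          */
DSPSYSVAL  SYSVAL(QPWDRULES)

/* Weak: composition rules exist, but they are only enforced when a user */
/* changes their own password. CRTUSRPRF and CHGUSRPRF can still assign  */
/* PASSWORD(*USRPRF) because neither *ALLCRTCHG nor *LMTPRFNAME is set.  */
/* ('*MINLEN8 *DGTMIN1' is a constructed placeholder for your own rules.)*/
CHGSYSVAL  SYSVAL(QPWDRULES) VALUE('*MINLEN8 *DGTMIN1')

/* Corrected: *ALLCRTCHG applies all rules to CRTUSRPRF/CHGUSRPRF as     */
/* well, and *LMTPRFNAME rejects a password that contains the profile    */
/* name, so a Default Password cannot be assigned through any path.      */
CHGSYSVAL  SYSVAL(QPWDRULES) VALUE('*MINLEN8 *DGTMIN1 *ALLCRTCHG *LMTPRFNAME')

/* Verify on a throwaway profile (assumed name): this command now fails  */
/* with an escape message instead of creating a profile whose password   */
/* equals its name. Delete the profile afterwards if it was created.     */
CRTUSRPRF  USRPRF(TESTUSR) PASSWORD(*USRPRF) TEXT('Constructed test profile')
```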

Read the entire article for the details.


Featured YouTube Educational Video

IBM i Security - Misconceptions on User Limited Capabilities LMTCPB(*YES)



Security Shorts

CL Program to Save All Your Spooled Files

By Dan Riehl - SecureMyi.com

Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not its contents (the spooled file reports).

Since the V5R4 upgrade, many of us have not updated our backup routines to take advantage of this support. Instead, when we save a library or an output queue, we still save only the output queue object, not the spooled files it contains.

The following command saves all objects in the PRODLIB library, including all the spooled files in all the output queues that reside in the library:

SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(*ALL)

When you run the SAVLIB (Save Library) or SAVOBJ (Save Object) command, you must specify SPLFDTA(*ALL) in order to save the spooled files in the saved output queues. The parameter SPLFDTA(*ALL) is the key to saving the spooled files.

I encourage you to update your backup routines to begin saving your spooled files. But perhaps you are using the IBM-supplied SAVE menu to perform your backups rather than a home-grown backup program, or perhaps your vendor-supplied backup software does not give you the option to save spooled files. If that is the case, here is a simple solution. Below is the source code for a Control Language program that saves all of the output queues on your system together with all of the spooled files in those output queues. This would be a nice program to add to your weekly backup routine.

Note: In this program you must replace 'TAP02' with the name of your backup device.



            PGM        /* Save Spooled Files: save every output queue   */
                       /* on the system together with its spooled files */
            DCL        VAR(&MSGID)   TYPE(*CHAR) LEN(7)
            DCL        VAR(&MSGF)    TYPE(*CHAR) LEN(10)
            DCL        VAR(&MSGFLIB) TYPE(*CHAR) LEN(10)
            DCL        VAR(&MSGDTA)  TYPE(*CHAR) LEN(100)
            /* Record format of the DSPOBJD outfile; supplies the     */
            /* object name (&ODOBNM) and library name (&ODLBNM)       */
            DCLF       FILE(QADSPOBJ)

            /* Any unexpected error goes to the ERROR routine         */
            MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

            /* Build a list of every *OUTQ on the system in QTEMP     */
            DSPOBJD    OBJ(*ALL/*ALL) OBJTYPE(*OUTQ) +
                         OUTPUT(*OUTFILE) OUTFILE(QTEMP/QADSPOBJ)

            /* Point the declared file at the list just built         */
            OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ)

            /* Read one output queue per pass; CPF0864 = end of file  */
LOOP:       RCVF
            MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDIT))

            /* SPLFDTA(*ALL) saves the spooled files, not just the    */
            /* queue object. Replace TAP02 with your backup device.   */
            SAVOBJ     OBJ(&ODOBNM) LIB(&ODLBNM) DEV(TAP02) +
                         OBJTYPE(*OUTQ) SPLFDTA(*ALL)

            GOTO       CMDLBL(LOOP)

ENDIT:      RETURN

            /* Re-send the failing message to the caller as an escape */
ERROR:      RCVMSG     MSGTYPE(*LAST) MSGDTA(&MSGDTA) MSGID(&MSGID) +
                         MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB)
            MONMSG     MSGID(CPF0000) /* Just in case */
            SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGFLIB/&MSGF) MSGDTA(&MSGDTA) +
                         MSGTYPE(*ESCAPE)
            MONMSG     MSGID(CPF0000) /* Just in case */

            ENDPGM

When it comes time to recover a deleted spooled file, or an entire output queue, you can use the RSTOBJ (Restore Object) command to restore the saved output queue, including all of the spooled files that are not found on the system at restore time.
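A matching restore, as an added example that is not part of the original article. PRODLIB and PRTOUTQ are assumed placeholder names for the library and output queue; TAP02 is the device name used by the program above.

```cl
/* Added example: restore one output queue saved by the program above.  */
/* SPLFDTA(*NEW) restores only the spooled files that do not already    */
/* exist on the system, so reports still in the queue are not           */
/* duplicated. (PRODLIB / PRTOUTQ are assumed placeholder names.)       */
RSTOBJ     OBJ(PRTOUTQ) SAVLIB(PRODLIB) DEV(TAP02) +
             OBJTYPE(*OUTQ) SPLFDTA(*NEW)

/* Confirm the recovered reports are back in the queue                  */
WRKOUTQ    OUTQ(PRODLIB/PRTOUTQ)
```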


Copyright 2014-2019 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017