December 5, 2012 - Vol 2, Issue 20

Cilasoft Security Solutions - Intelligently Engineered Security Solutions

Cilasoft Security Solutions - Intelligently Engineered Security Solutions

Powertech - Secure Inside and Out

Security Training for IBM i from Skyview Partners

Feature Article

The "Hidden" Security Configuration Options of IBM i

By Dan Riehl

Dan is the Editor of the SecureMyi Security Newsletter and an IBM i Security Specialist for the IT Security and Compliance Group, LLC. Dan also teaches numerous IBM i technical classes, including Security classes, through The 400 School, Inc.

Editors Note: The Featured Video in this issue contains additional information on the topic of the "Hidden" Security Configuration Options of the IBM i.

There are vast concealed treasures in some of the deep, dark recesses of our wonderful IBM i - hidden configuration options that give you tighter, more customized control. For many of us, these treasures have been elusive, yet they've been so close at hand. Just a click away, a CL command away. IBM hasn't tried to keep these treasures hidden, but, as far as I know, IBM hasn't gone out of its way to educate us about them either. These "hidden" configuration options let you customize access to several security-, system-, and network-related functions through a simple CL command interface or through Navigator for i (Navigator, for short).

The CL commands Work with Function Usage (WRKFCNUSG), Change Function Usage (CHGFCNUSG), and Display Function Usage (DSPFCNUSG), are the command interfaces to these "hidden" configuration options. Navigator provides access to these configuration options through a little-known application I discuss shortly.

What Is "Function Usage"?

Sensitive Control Language commands and system operations are typically restricted to a select group of users through a combination of object authorities (i.e., are you authorized to use the command?) and special authorities (i.e., do you have the special authorities (e.g., *SECADM, *JOBCTL) required to run this command or function?).

Function Usage is an additional hidden layer placed on certain sensitive operations. For example, to create a user profile, a user needs to be authorized to use the command Create User Profile (CRTUSRPRF), and then the CRTUSRPRF command checks whether the user running the command has Security Administrator (*SECADM) special authority. If so, the profile can be created. In this case, no additional hidden Function Usage configuration options are involved.

When a user wants to examine the active joblog of an *ALLOBJ user (e.g., QSECOFR), however, the user must be authorized to the DSPJOBLOG command, must have Job Control (*JOBCTL) special authority, and must have *ALLOBJ authority. Those are the system's default rules. But by changing the hidden configuration options of Function Usage, you can override the rules to let anyone with *JOBCTL special authority view the active joblog of the *ALLOBJ user.

Because these configuration options are hidden in Function Usage, most of us concede to giving the operations staff *ALLOBJ authority. There seems to be no other way of allowing them to view the active joblog of an *ALLOBJ user when the job has failed. They must be able to troubleshoot the problem by viewing the active joblog. But we can change the rules by changing the Function Usage.

Viewing the JOBLOG of an *ALLOBJ User Job

IBM maintains a registry of functions that provide "hidden" configuration options via Function Usage. One of the functions, as we've discussed, is the configuration of which users can view the active joblog of an *ALLOBJ user job. The registered name of that function is QIBM_ACCESS_ALLOBJ_JOBLOG.

Read More.

In This Issue

Featured Article - "Hidden" Security Options

Security Shorts - Numeric UserID/Password

Featured Video - "Hidden" Security Options

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit

Our Newsletter Sponsors

Platinum Sponsor
    Cilasoft Security Solutions

Gold Sponsor
    The PowerTech Group

    Skyview Partners, Inc

    The 400 School, Inc

IBM i Security Resources

IBM i Security Videos from

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Powertech - Secure Inside and Out

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

Configuring and Consolidating Real-Time Security Alerts
Live Webcast - Sponsored by Powertech
Tuesday, December 11 1:00 PM CST
More Information and Register to Attend

IFS Security: Don't Leave Your Server Vulnerable
Live Webcast - Sponsored by Powertech
Wednesday, December 19 1:00 PM CST
More Information and Register to Attend

IBM i Encryption Made Easy with DB2 Field Procedures
Live Webcast - Sponsored by Linoma Software
Thursday, January 24 12:00 PM CST
More Information and Register to Attend

SkyView Security Deep Dive Training for IBM i - With Carol Woodbury
Live Classroom Training - Presented by Skyview Partners
Instructor - Security Expert Carol Woodbury
Four Full Days - January 28-31
Location - Seattle, WA - Pan Pacific Hotel
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - February 5-8 9:00am - 4:00pm CST
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend

April 7-10 - COMMON - User Group
2013 Annual Conference and Exposition - Austin, TX

Security Training for IBM i from Skyview Partners

Featured YouTube Video

Discover and Control The "Hidden" Security Options for IBM i

Featured Video - WRKFCNUSG - Control The

Cannot Access Youtube from your office? Here is the presentation in wmv format.   Click to Download the wmv file

Security Shorts - All Numeric Passwords and User IDs

By Dan Riehl

My UserID is 77 and My Password is 123456

Naming rules for the IBM i state that an object name must begin with an alphabetic character including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _ ,and a .(period). The object names are not case sensitive.

However, when it comes to user profile names and passwords, an interesting phenomenon occurs.

When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.)


Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward.

But consider this next example:


When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain.

  • The user can log on with user Q12345 with a password or Q11111.
  • The user can log on with user Q12345 with an all-numeric password of 11111.
  • The user can log on with an all-numeric user 12345 with a password of Q11111.
  • The user can log-on with an all-numeric user 12345 with an all-numeric password 11111.

The secret to this weird support lies in the first character of the user or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user or password during the system logon process.

You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF(Create User Profile) command.

As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API.

In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value *DGTLMTAJC in the system value QPWDRULES. Either of these settings prohibit the use of adjacent digits in a password when changed by the user.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

Special Winter Class Discounts

Intro RPG IV Programming - Jan 7-11
Intro System Operations - Jan 14-16
Expanded Operations - Jan 14-18
System Admin & Control - Jan 28-Feb 1
Expanded Security Workshop - Feb 5-8
Concepts & Control Language - Mar 4-8

Training from The 400 School

Send your IBM i Security Related News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2012 -, all rights reserved | St Louis MO 63017