Change SST Security Attributes (CHGSSTSECA)
Where allowed to run: All environments (*ALL)
Threadsafe: No
The Change Service Tools Security Attributes (CHGSSTSECA) command allows a user to change the service tools security attributes.
The attributes that can be changed are:
- Service tools password level.
- Service tools password rules.
- Whether the security-related system values can be changed.
Restrictions:
- You must have security administrator (*SECADM) and service (*SERVICE) special authorities.
- The requesting service tools user ID must have the Service Tool user functional privilege "Service Tools Security".
Parameters
Keyword | Description | Choices | Notes |
---|---|---|---|
REQUSRID | Requesting SST user ID | Character value | Required, Positional 1 |
REQPWD | Requesting SST user ID pwd | Character value | Required, Positional 2 |
SSTPWDLVL | Service tools password level | Integer, *SAME, 2 | Optional |
SECSYSVAL | Allow security sysval changes | *SAME, *YES, *NO | Optional |
PWDRULES | SST Password Rules | Single values: *DFT; Other values: Element list | Optional |
 | Element 1: Limit profile name | *SAME, *YES, *NO | |
 | Element 2: Hours to block password change | 1-99, *SAME, *NONE | |
 | Element 3: Minimum password length | 1-128, *SAME | |
 | Element 4: Maximum password length | 1-128, *SAME | |
 | Element 5: Use chars from three groups | *SAME, *YES, *NO | |
 | Element 6: Limit adjacent characters | *SAME, *YES, *NO | |
 | Element 7: Limit repeating characters | *SAME, *YES, *NO | |
 | Element 8: Limit characters same position | *SAME, *YES, *NO | |
 | Element 9: Minimum digits | 1-9, *SAME, *NONE | |
 | Element 10: Maximum digits | 0-9, *SAME, *NOMAX | |
 | Element 11: Limit adjacent digits | *SAME, *YES, *NO | |
 | Element 12: Limit digit first position | *SAME, *YES, *NO | |
 | Element 13: Limit digit last position | *SAME, *YES, *NO | |
 | Element 14: Minimum letters | 1-9, *SAME, *NONE | |
 | Element 15: Maximum letters | 0-9, *SAME, *NOMAX | |
 | Element 16: Limit adjacent letters | *SAME, *YES, *NO | |
 | Element 17: Limit letter first position | *SAME, *YES, *NO | |
 | Element 18: Limit letter last position | *SAME, *YES, *NO | |
 | Element 19: Number of mixed case letters | 1-9, *SAME, *NONE | |
 | Element 20: Minimum special characters | 1-9, *SAME, *NONE | |
 | Element 21: Maximum special characters | 0-9, *SAME, *NOMAX | |
 | Element 22: Limit adjacent special chars | *SAME, *YES, *NO | |
 | Element 23: Limit special char first pos | *SAME, *YES, *NO | |
 | Element 24: Limit special char last pos | *SAME, *YES, *NO | |
Requesting SST user ID (REQUSRID)
The service tools user ID that will be used to make the specified changes. This user ID must have the Service Tool user functional privilege "Service Tools Security".
This is a required parameter.
Requesting SST user ID pwd (REQPWD)
The password for the requesting service tools user ID.
This is a required parameter.
Service tools password level (SSTPWDLVL)
Specifies the password level for service tools user ID passwords. The password level change does not take effect until a user creates or changes a password. For more information on the service tools password level see the Security Service Tools topic in the IBM i Information Center at http://www.ibm.com/systems/i/infocenter/.
Note: The password level cannot be changed from level 2 back to level 1.
- *SAME
- The value does not change.
- 2
- The service tools password level is set to 2.
Allow security sysval changes (SECSYSVAL)
Allow the security-related system values to be changed.
Security-related system values:
- QALWJOBITP
- QALWOBJRST
- QALWUSRDMN
- QAUDCTL
- QAUDENACN
- QAUDFRCLVL
- QAUDLVL
- QAUDLVL2
- QAUTOCFG
- QAUTORMT
- QAUTOVRT
- QCRTAUT
- QCRTOBJAUD
- QDEVRCYACN
- QDSCJOBITV
- QDSPSGNINF
- QFRCCVNRST
- QINACTMSGQ
- QLMTDEVSSN
- QLMTSECOFR
- QMAXSGNACN
- QMAXSIGN
- QPWDCHGBLK
- QPWDEXPITV
- QPWDEXPWRN
- QPWDLMTAJC
- QPWDLMTCHR
- QPWDLMTREP
- QPWDLVL
- QPWDMAXLEN
- QPWDMINLEN
- QPWDPOSDIF
- QPWDRQDDGT
- QPWDRQDDIF
- QPWDRULES
- QPWDVLDPGM
- QRETSVRSEC
- QRMTSIGN
- QRMTSRVATR
- QSCANFS
- QSCANFSCTL
- QSECURITY
- QSHRMEMCTL
- QSSLCSL
- QSSLCSLCTL
- QSSLPCL
- QUSEADPAUT
- QVFYOBJRST
- *SAME
- The value does not change.
- *YES
- The security-related system values may be changed using the Change System Value (CHGSYSVAL) command. This is the shipped value.
- *NO
- The security-related system values may not be changed. The CHGSYSVAL command will not allow these system values to change and sends message CPF18C0.
SST Password Rules (PWDRULES)
Specifies the rules used to check whether a service tools user password is formed correctly. Changes to these rules take effect the next time a password is changed unless a specific rule indicates otherwise. The password rules are only enforced when the service tools password level is 2.
Single value
- *DFT
- Set all the password rules to the shipped values.
Element 1: Limit profile name
The uppercase password value may not contain the complete user profile name in consecutive positions.
- *SAME
- The value does not change.
- *YES
- The uppercase password value may not contain the complete profile name.
- *NO
- The uppercase password value may contain the complete user profile name. This is the shipped value.
Element 2: Hours to block password change
The number of hours a user must wait after a prior successful password change before they can change the password again. Change takes effect immediately.
- *SAME
- The value does not change.
- *NONE
- There is no restriction on how frequently a user can change a password. This is the shipped value.
- 1-99
- The number of hours a user must wait after a prior successful password change before they can change the password again.
Element 3: Minimum password length
The minimum number of characters in a password.
If a Maximum password length value is also specified, the Maximum password length value must be greater than or equal to the Minimum password length value.
- *SAME
- The value does not change.
- 1-128
- The minimum number of characters in a password. The shipped value is 6.
Element 4: Maximum password length
The maximum number of characters in a password.
The Maximum password length value must be large enough to accommodate the values specified for Number of mixed case characters, Maximum digits, Maximum letters, Maximum special characters, first and last character restrictions, and non-adjacent character requirements.
If a Minimum password length value is also specified, the Maximum password length value must be greater than or equal to the Minimum password length value.
- *SAME
- The value does not change.
- 1-128
- The maximum number of characters in a password. The shipped value is 128.
Element 5: Use chars from three groups
The password must contain characters from at least three of the following four types of characters.
- Uppercase letters
- Lowercase letters
- Digits
- Special characters
- *SAME
- The value does not change.
- *YES
- The password must contain characters from at least three of the groups.
- *NO
- The password does not need to contain characters from at least three of the groups. This is the shipped value.
Element 6: Limit adjacent characters
The password may not contain 2 or more occurrences of the same character that are positioned adjacent (consecutive) to each other. This value cannot be *YES if Limit repeating characters is *YES.
- *SAME
- The value does not change.
- *YES
- The password may not contain the same character positioned adjacent to each other.
- *NO
- The password may contain the same character positioned adjacent to each other. This is the shipped value.
Element 7: Limit repeating characters
The password may not contain 2 or more occurrences of the same character. This value cannot be *YES if Limit adjacent characters is *YES.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more occurrences of the same character.
- *NO
- The password may contain 2 or more occurrences of the same character. This is the shipped value.
Element 8: Limit characters same position
The same character may not be used in a position corresponding to the same position in the previous password.
- *SAME
- The value does not change.
- *YES
- The same character may not be used in a position corresponding to the same position in the previous password.
- *NO
- The same character may be used in a position corresponding to the same position in the previous password. This is the shipped value.
Element 9: Minimum digits
Specifies the minimum number of digit characters that must occur in the password. If this value is not *NONE, the Maximum digits value must be *NOMAX or greater than or equal to the Minimum digits value.
- *SAME
- The value does not change.
- *NONE
- No digits are required in a password. This is the shipped value.
- 1-9
- The minimum number of digits required in a password. Specifying 1 means that at least 1 digit is required in the password. Specifying 3 means that at least 3 digits are required in the password.
Element 10: Maximum digits
Specifies the maximum number of digit characters that may occur in the password. If Minimum digits value is not *NONE, the Maximum digits value must be *NOMAX or greater than or equal to the Minimum digits value.
- *SAME
- The value does not change.
- *NOMAX
- Any number of digits are allowed in a password. This is the shipped value.
- 0-9
- The maximum number of digits allowed in a password. Specifying 0 means no digits are allowed in the password. Specifying 3 means that 3 or fewer digits are allowed in the password.
Element 11: Limit adjacent digits
The password may not contain 2 or more adjacent (consecutive) digit characters.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more adjacent digits.
- *NO
- The password may contain 2 or more adjacent digits. This is the shipped value.
Element 12: Limit digit first position
The first character of the password may not be a digit character. This value cannot be *YES if Limit letter first position is *YES and Limit special character first position is *YES.
- *SAME
- The value does not change.
- *YES
- The first character of the password may not be a digit.
- *NO
- The first character of the password may be a digit. This is the shipped value.
Element 13: Limit digit last position
The last character of the password may not be a digit character. This value cannot be *YES if Limit letter last position is *YES and Limit special character last position is *YES.
- *SAME
- The value does not change.
- *YES
- The last character of the password may not be a digit.
- *NO
- The last character of the password may be a digit. This is the shipped value.
Element 14: Minimum letters
Specifies the minimum number of letter characters that must occur in the password. If this value is not *NONE, the Maximum letters value must be *NOMAX or greater than or equal to the Minimum letters value.
- *SAME
- The value does not change.
- *NONE
- No letters are required in a password. This is the shipped value.
- 1-9
- The minimum number of letters required in a password. Specifying 1 means that at least 1 letter is required in the password. Specifying 3 means that at least 3 letters are required in the password.
Element 15: Maximum letters
Specifies the maximum number of letter characters that may occur in the password. If Minimum letters value is not *NONE, the Maximum letters value must be *NOMAX or greater than or equal to the Minimum letters value.
- *SAME
- The value does not change.
- *NOMAX
- Any number of letters are allowed in a password. This is the shipped value.
- 0-9
- The maximum number of letters allowed in a password. Specifying 0 means no letters are allowed in the password. Specifying 3 means that 3 or fewer letters are allowed in the password.
Element 16: Limit adjacent letters
The password may not contain 2 or more adjacent (consecutive) letter characters.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more adjacent letters.
- *NO
- The password may contain 2 or more adjacent letters. This is the shipped value.
Element 17: Limit letter first position
The first character of the password may not be a letter character. This value cannot be *YES if Limit digit first position is *YES and Limit special character first position is *YES.
- *SAME
- The value does not change.
- *YES
- The first character of the password may not be a letter.
- *NO
- The first character of the password may be a letter. This is the shipped value.
Element 18: Limit letter last position
The last character of the password may not be a letter character. This value cannot be *YES if Limit digit last position is *YES and Limit special character last position is *YES.
- *SAME
- The value does not change.
- *YES
- The last character of the password may not be a letter.
- *NO
- The last character of the password may be a letter. This is the shipped value.
Element 19: Number of mixed case letters
The password must contain at least the specified number of uppercase letters and at least the specified number of lowercase letters.
If this value is not *NONE, the Maximum letters value must be *NONE or greater than or equal to two times the value specified for the Number of mixed case letters.
- *SAME
- The value does not change.
- *NONE
- Mixed case letters are not required in a password. This is the shipped value.
- 1-9
- The number of mixed case letters required in a password. Specifying 2 means that at least 2 uppercase letters and 2 lowercase letters are required in the password.
Element 20: Minimum special characters
Specifies the minimum number of special characters that must occur in the password. If this value is not *NONE, the Maximum special characters value must be *NOMAX or greater than or equal to the Minimum special characters value.
- *SAME
- The value does not change.
- *NONE
- No special characters are required in a password. This is the shipped value.
- 1-9
- The minimum number of special characters required in a password. Specifying 1 means that at least 1 special character is required in the password. Specifying 3 means that at least 3 special characters are required in the password.
Element 21: Maximum special characters
Specifies the maximum number of special characters that may occur in the password. If Minimum special characters value is not *NONE, the Maximum special characters value must be *NOMAX or greater than or equal to the Minimum special characters value.
- *SAME
- The value does not change.
- *NOMAX
- Any number of special characters are allowed in a password. This is the shipped value.
- 0-9
- The maximum number of special characters allowed in a password. Specifying 0 means no special characters are allowed in the password. Specifying 3 means that 3 or fewer special characters are allowed in the password.
Element 22: Limit adjacent special chars
The password may not contain 2 or more adjacent (consecutive) special characters.
- *SAME
- The value does not change.
- *YES
- The password may not contain 2 or more adjacent special characters.
- *NO
- The password may contain 2 or more adjacent special characters. This is the shipped value.
Element 23: Limit special char first pos
The first character of the password may not be a special character. This value cannot be *YES if Limit digit first position is *YES and Limit letter first position is *YES.
- *SAME
- The value does not change.
- *YES
- The first character of the password may not be a special character.
- *NO
- The first character of the password may be a special character. This is the shipped value.
Element 24: Limit special char last pos
The last character of the password may not be a special character. This value cannot be *YES if Limit digit last position is *YES and Limit letter last position is *YES.
- *SAME
- The value does not change.
- *YES
- The last character of the password may not be a special character.
- *NO
- The last character of the password may be a special character. This is the shipped value.
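The cross-element constraints stated in the element descriptions above can be collected into a pre-check that is run on a proposed rule set before the command is issued. This is an added example, not IBM code: the dictionary keys are hypothetical labels for the 24 elements, an omitted key is treated as *SAME, and the "large enough to accommodate" requirement on Maximum password length is not modeled.

```python
# Added example: consistency pre-check for a proposed PWDRULES element list.
# Keys are hypothetical labels; values are the choices listed on this page.
SHIPPED = {  # shipped values as stated in the element descriptions
    "limit_profile": "*NO", "block_hours": "*NONE",
    "min_len": 6, "max_len": 128, "three_groups": "*NO",
    "limit_adjacent": "*NO", "limit_repeat": "*NO", "limit_same_pos": "*NO",
    "min_digits": "*NONE", "max_digits": "*NOMAX", "adj_digits": "*NO",
    "digit_first": "*NO", "digit_last": "*NO",
    "min_letters": "*NONE", "max_letters": "*NOMAX", "adj_letters": "*NO",
    "letter_first": "*NO", "letter_last": "*NO", "mixed_case": "*NONE",
    "min_special": "*NONE", "max_special": "*NOMAX", "adj_special": "*NO",
    "special_first": "*NO", "special_last": "*NO",
}

def resolve(proposed, current=SHIPPED):
    """Replace *SAME (or an omitted element) with the value now in effect."""
    unknown = set(proposed) - set(current)
    if unknown:
        raise KeyError(f"unknown element(s): {sorted(unknown)}")
    return {k: current[k] if proposed.get(k, "*SAME") == "*SAME" else proposed[k]
            for k in current}

def check_pwdrules(proposed, current=SHIPPED):
    """Return the violated cross-element constraints (empty list = consistent)."""
    r, errs = resolve(proposed, current), []
    if r["max_len"] < r["min_len"]:
        errs.append("Maximum password length is less than Minimum password length")
    if r["limit_adjacent"] == "*YES" and r["limit_repeat"] == "*YES":
        errs.append("Limit adjacent and Limit repeating characters are both *YES")
    for pos in ("first", "last"):
        kinds = ("digit", "letter", "special")
        if all(r[f"{kind}_{pos}"] == "*YES" for kind in kinds):
            errs.append(f"no character type is allowed in the {pos} position")
    for kind in ("digits", "letters", "special"):
        lo, hi = r[f"min_{kind}"], r[f"max_{kind}"]
        if lo != "*NONE" and hi != "*NOMAX" and hi < lo:
            errs.append(f"max_{kind} is less than min_{kind}")
    # Element 19: the page text names *NONE as the unlimited Maximum letters
    # value; *NOMAX, the choice listed for that element, is assumed here.
    mixed, hi = r["mixed_case"], r["max_letters"]
    if mixed != "*NONE" and hi != "*NOMAX" and hi < 2 * mixed:
        errs.append("max_letters is less than twice mixed_case")
    return errs
```

Pass the values currently in effect as `current` when the system is no longer at the shipped rules, since a *SAME element is checked against whatever it resolves to.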
Examples
Example 1: Set service tools password rules to the shipped values
CHGSSTSECA REQUSRID(SSTUSR) REQPWD(SSTPWD) PWDRULES(*DFT)
This command sets all the SST password rules to the shipped values.
Example 2: Control changing of security-related system values
CHGSSTSECA REQUSRID(SSTUSR) REQPWD(SSTPWD) SECSYSVAL(*NO)
This command will not allow the Change System Value (CHGSYSVAL) command to be used to change the security-related system values.
Error messages
*ESCAPE Messages
- CPF222E
- &1 special authority is required.
- CPF225C
- Requesting service tools ID not correct.
- CPF225D
- Requesting service tools ID password not correct.
- CPF4AD0
- SST password rules cannot be changed.
- CPF4AD1
- Service tools password level &1 not correct.
- CPF4AD3
- Error changing SST password rules. Reason code &1.
- CPF4AD4
- Error changing SST password rules. Reason code &1.
- CPF4ADF
- SST security attributes not changed. Reason code &1.