The system values listed below can be changed through the Change System Value (CHGSYSVAL) command or using the Work with System Values
(WRKSYSVAL *SEC) command. Changes to the system values become effective immediately, except for the security level (QSECURITY) value, which becomes effective only after the next IPL.
QALWOBJRST Allow objects that are security-sensitive to be restored to the system. Specifies whether system state objects or objects that adopt their owner's authority may be restored to the system.
QALWUSRDMN Allow user domain objects in the libraries. Specifies which libraries are allowed to contain user domain objects of type *USRSPC, *USRIDX, and *USRQ. These objects are a potential security exposure on a system with high security requirements. The system cannot audit the movement of data to and from user domain objects. QALWUSRDMN can be left at its default value at security levels below 40. It must be considered when going to level 40 or higher.
QCRTAUT Authority for New Objects. This value is used to determine the public authority of a newly created object, if the following conditions are met:
# The create authority (CRTAUT) parameter for the library of the new object is set to *SYSVAL.
# The new object is created with public authority (AUT) of *LIBCRTAUT (the default).
The default value is *CHANGE. It is recommended that you do not change this value, since doing so may impact your day-to-day operations. It is better to change the CRTAUT value at the library level.
QDSPSGNINF Display Signon Information. Specifies that the signon information display is to be shown. This displays information such as the date of last signon, invalid signon attempts, and the number of days until the password expires (if applicable). This information can alert users that there has been an unauthorized attempt to access the system using their user profile. For users requiring a value different from the system value, the DSPSGNINF keyword for an individual user profile can be set to *YES (to display the information) or *NO (for no information displayed).
QINACTITV Inactive Job Time-Out Interval. Specifies in minutes how long the system allows a job to be inactive before taking action. A workstation is considered to be inactive if it is waiting at a menu or display, or if it is waiting for some message input with no user interaction. When you specify a time-out interval, if a job reaches that interval the system will take the action specified in the QINACTMSGQ system value. Local jobs that are currently signed on to a remote system are excluded. PC Support/400 jobs are also included. An inactive workstation might allow unauthorized persons access to the system. This system value helps you to prevent users from leaving workstations inactive. Be sure to discuss the impact of a change of QINACTITV with the users on the system and inform them at the time you make the change.
QINACTMSGQ Inactive Job Time-Out Message Queue. The QINACTMSGQ value specifies either the name of the message queue to which a notification message is sent, or the action the system takes when an interactive job has been inactive for a specified interval of time. The time interval is specified by the system value QINACTITV. There are considerations for PC Support/400 jobs.
QLMTDEVSSN Limit Device Sessions. Specifies whether users are prevented from signing on to more than one device at the same time.
QLMTSECOFR Limit Security Officer. Restricts privileged users (with *ALLOBJ or *SERVICE authority) to specified workstations. A privileged user who leaves the terminal unattended represents a considerable security exposure.
QMAXSIGN Maximum Number of Signon Attempts. Defines the maximum number of invalid signon attempts by local or remote users. This also works for PC Router signon. Invalid attempts are handled according to the action specified in QMAXSGNACN. The value should be high enough to allow correction for typing errors but low enough to prevent opportunities to guess a valid user profile and password. You can use security auditing to log signon violations. You must create a query, or you can use Security/400.
QMAXSGNACN Action When Signon Attempts Reached. This system value determines what the system does when the maximum number of signon attempts (specified in QMAXSIGN) is reached.
Possible values for QMAXSGNACN are:
· 3: Disable both the user profile and device.
· 1: Disable the device only.
· 2: Disable the user profile only.
With PC Support/400, invalid attempts will only disable the user profile, but not the device. If you create the message queue QSYSMSG in QSYS, messages about critical system events are sent to that message queue as well as to QSYSOPR. You can use the QSYSMSG message queue to monitor any invalid attempt to sign on to the system, either by viewing it or by handling it with a program. Refer to Appendix A, “QSYSMSG Message Queue” on page A-1 for more details. The events sent to QSYSMSG can also be logged in the audit journal. If QSECOFR is disabled, and no other user profile has the authority to enable it, QSECOFR can still sign on from the system console. If the console is varied off, the system must be IPLed.
QRMTSIGN Remote Signon Control. Specifies how the system handles remote signon requests.
QSECURITY System Security Level. QSECURITY controls the security level of the system. AS/400 security offers five levels of security:
· Level 10: There is no user authentication, or resource protection. No password is required to sign on. The system is shipped with this value. It should be changed immediately, preferably to 30. If you wish to move to a security level above 30, you should first test your installation on level 30.
· Level 20: Password - User authentication through user profile and password checking; no resource protection.
· Level 30: Password and Resource - User authentication and resource protection. Users require authority to access objects.
· Level 40: Password, Resource and Operating System Integrity - User authentication, resource protection, and machine interface protection.
· Level 50: Password, Resource and enhanced Operating System Integrity - User authentication, resource protection, and machine interface protection. Security level 50 is intended for AS/400 systems with high security requirements and to meet C2 security requirements.
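The following CL program is an added example (it is not from this manual) that reads the security system values described above with RTVSYSVAL and reports the ones that fall short of a site policy. The page itself only states that QSECURITY should be at least 30 and explains what each value means; the specific thresholds checked here (level 40, QMAXSGNACN 3, QLMTSECOFR 1, QDSPSGNINF 1, no *NOMAX and no *NONE) are this example's own policy assumptions. It reads the values only; changing them is still done with CHGSYSVAL or WRKSYSVAL as the text describes.

```cl
/* Added example, not part of the manual: audit security system values  */
/* against a site policy. Thresholds below are this example's own       */
/* assumptions. Compile with CRTCLPGM and call from a command line.      */
PGM
  DCL VAR(&SECLVL)    TYPE(*CHAR) LEN(2)
  DCL VAR(&MAXSIGN)   TYPE(*CHAR) LEN(6)
  DCL VAR(&SGNACN)    TYPE(*CHAR) LEN(1)
  DCL VAR(&LMTSECOFR) TYPE(*CHAR) LEN(1)
  DCL VAR(&DSPSGNINF) TYPE(*CHAR) LEN(1)
  DCL VAR(&INACTITV)  TYPE(*CHAR) LEN(5)
  DCL VAR(&INACTMSGQ) TYPE(*CHAR) LEN(20)
  DCL VAR(&FINDINGS)  TYPE(*DEC)  LEN(3 0) VALUE(0)
  DCL VAR(&FINDCHR)   TYPE(*CHAR) LEN(3)

  /* Retrieve the current settings; nothing is changed by this program */
  RTVSYSVAL SYSVAL(QSECURITY)  RTNVAR(&SECLVL)
  RTVSYSVAL SYSVAL(QMAXSIGN)   RTNVAR(&MAXSIGN)
  RTVSYSVAL SYSVAL(QMAXSGNACN) RTNVAR(&SGNACN)
  RTVSYSVAL SYSVAL(QLMTSECOFR) RTNVAR(&LMTSECOFR)
  RTVSYSVAL SYSVAL(QDSPSGNINF) RTNVAR(&DSPSGNINF)
  RTVSYSVAL SYSVAL(QINACTITV)  RTNVAR(&INACTITV)
  RTVSYSVAL SYSVAL(QINACTMSGQ) RTNVAR(&INACTMSGQ)

  /* QSECURITY: level 40 adds machine interface protection to level 30. */
  /* A change here only takes effect at the next IPL.                   */
  IF COND(&SECLVL *LT '40') THEN(DO)
     SNDPGMMSG MSG('QSECURITY is' *BCAT &SECLVL *BCAT +
                   '(policy assumes 40 or higher)')
     CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QMAXSIGN: *NOMAX never limits invalid signon attempts */
  IF COND(&MAXSIGN *EQ '*NOMAX') THEN(DO)
     SNDPGMMSG MSG('QMAXSIGN is *NOMAX: invalid signon attempts unlimited')
     CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QMAXSGNACN: 3 disables both the user profile and the device */
  IF COND(&SGNACN *NE '3') THEN(DO)
     SNDPGMMSG MSG('QMAXSGNACN is' *BCAT &SGNACN *BCAT +
                   '(policy assumes 3, profile and device)')
     CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QLMTSECOFR: 1 limits *ALLOBJ/*SERVICE users to specified workstations */
  IF COND(&LMTSECOFR *NE '1') THEN(DO)
     SNDPGMMSG MSG('QLMTSECOFR is' *BCAT &LMTSECOFR *BCAT +
                   '(policy assumes 1)')
     CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QDSPSGNINF: 1 shows last signon and invalid attempts to the user */
  IF COND(&DSPSGNINF *NE '1') THEN(DO)
     SNDPGMMSG MSG('QDSPSGNINF is' *BCAT &DSPSGNINF *BCAT +
                   '(policy assumes 1)')
     CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  /* QINACTITV: *NONE means idle workstations are never acted on; */
  /* the action itself comes from QINACTMSGQ, reported for context. */
  IF COND(&INACTITV *EQ '*NONE') THEN(DO)
     SNDPGMMSG MSG('QINACTITV is *NONE; QINACTMSGQ is' *BCAT &INACTMSGQ)
     CHGVAR VAR(&FINDINGS) VALUE(&FINDINGS + 1)
  ENDDO

  CHGVAR VAR(&FINDCHR) VALUE(&FINDINGS)
  SNDPGMMSG MSG('Security system value audit done, findings:' *BCAT &FINDCHR)
ENDPGM
```

Each finding is sent as an informational message to the caller, so the program can be run interactively or scheduled and its messages reviewed in the job log; it deliberately does not issue CHGSYSVAL, because the text asks that changes to these values be discussed with users first.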
System Value   IBM Shipped Value   Production System   Domino System
QALWOBJRST     *ALL                *ALL                *ALL
The following system values, while not specifically security-related, affect system functions when certain security system values are set.
QAUTOVRT Automatic Configuration of Virtual Devices. Specifies whether display station passthrough virtual devices and TELNET full screen virtual devices are automatically configured.
QDSCJOBITV Disconnected Job Time-Out Interval. This system value determines if and when the system ends a disconnected job. The interval is specified in minutes.
System Values for Passwords
The following values apply to passwords. These values require users to change their passwords regularly and enforce rules for the creation of new passwords, which prevent the use of passwords that are trivial or easy to guess. Whenever you want to change any of these system values, be sure to discuss the impact with the users on the system. Do remember to inform them when any change is made. The password