Service tools user IDs

Service tools user IDs are required to access service functions through DST, SST, iSeries Navigator (for logical partitions (LPAR) and disk unit management), and Operations Console. Service tools user IDs are created through DST or SST and are separate from i5/OS user profiles.

IBM provides the following service tools user IDs:

 QSECOFR

 QSRV

 22222222

 11111111

The passwords for service tools user IDs QSECOFR, QSRV, and 22222222 are shipped as expired. All service tools passwords are case sensitive. The service tools passwords are shipped in uppercase.

You can create a maximum of 100 service tools user IDs, including the four IBM-supplied user IDs listed earlier.

For information about how to work with service tools user IDs, see the Service tools topic in the iSeries Information Center at the following Web address. When you reach this Information Center, follow the path Security→ Service tools user IDs and passwords in the left navigation area:

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp

Changing a password for service tools user ID To change a service tools user ID password using SST:

1. Start SST. Type STRSST on an i5/OS command line and press Enter.

2. The Start SST Sign On display appears. Sign on to SST using a service tools user ID and password that has the service tool security privilege.

3. The System Service Tools (SST) main menu appears. Type option 8 (Work with service tools user IDs and devices) and press Enter.

4. From the Work With Service Tools User IDs and Devices display, type option 1 (Service tools user IDs) and press Enter.

5. On the Service Tools User IDs display, find the user ID to change. In the Option field next to it, type option 2 (Change password) and press Enter.

Important: Some IBM-supplied user profiles are granted private authorities to objects that are shipped with the operating system. You must not remove such authorities, because removing any of these authorities may cause the system functions to fail.

6. The Change Service Tools User Password for Another User display appears.

The service tools user ID name is displayed. Verify that this is the user ID name that you want to change and complete the following fields:

– New password: Enter a new password. This password cannot be one of your 18 previous passwords for this service tools user ID.

– Set Password to expired: Type 1 (Yes) or 2 (No) in this field. The default value is 1 (Yes).

Press Enter to complete the change.

If your new password was not accepted, you may not have complied with the password policies for service tools user IDs. Review these policies and make sure that you comply with them when choosing a service tools user ID password.

Resetting the QSECOFR service tools password

If you know the password for the QSECOFR user profile, you can use it to reset the password for the IBM-supplied service tools user ID that has service tools security privilege (QSECOFR) to the IBM-supplied default value. One method is explained in the following steps:

1. Make sure that your system is in normal operating mode, not DST.

2. Sign on at a workstation using the QSECOFR user profile.

3. On a command line, type the Change IBM Service Tools Password

(CHGDSTPWD) command and press F4 to prompt the command (do not press Enter).

4. You see the Change IBM Service Tools Password (CHGDSTPWD) display (Figure 4-3). For Password, type *DEFAULT and press Enter. This sets the IBM-supplied service tools user ID that has service tools security privilege (QSECOFR) and its password (case sensitive) to QSECOFR.

Figure 4-3 Changing the DST password display

You must change your QSECOFR service tools password. Do not leave the QSECOFR service tools user ID and password set to the default value.

Change IBM Service Tools Pwd (CHGDSTPWD)

If you set the Allow a service tools user ID with a default and expired password to change its own password parameter to the default value 2 (No), you must use the following procedure to change your default password:

1. From the front panel of your system, place the system into manual mode.

2. Use the arrow keys to access Function 21, and press the Enter button on the panel.

3. On the console, a DST sign-on screen is shown. Sign on with the DST security profile QSECOFR. You are forced to change your password; select a password that complies with your security policy. Remember that the

password is case sensitive.

4. Exit the Dedicated Service tools menu.

5. Remove the system from Manual mode.

You have now reset the password for the IBM-supplied service tools user ID QSECOFR to the IBM-supplied default value and changed its password.

Resetting the i5/OS user profile QSECOFR password

To reset the QSECOFR password, use the following method and then IPL your system:

1. From the front panel of your system, place the system into manual mode.

2. Use the arrow keys to access Function 21, and press the Enter button on the panel.

3. On the console, you see a DST sign-on screen. Sign on with the DST security profile. This profile is QSECOFR, but it is not the QSECOFR user profile.

4. From the Use Dedicated Service Tools menu, type option 5 (Work with DST Environment) and press Enter.

5. From the Work with DST Environment menu, type option 6 (Work with Service Tools Security Data) and press Enter.

6. You see the Work with Service Tools Security Data menu. Type option 1 (Reset operating system default password) and press Enter.

7. The Confirm Reset of System Default Password display appears. Press Enter to confirm the reset. You see a confirmation message informing you that the system has set the operating system password to override.

Note: You can only change the Allow a service tools user ID with a default and expired password to change its own password parameter when you are logged on in the service tool.

8. Press F3 (Exit) continuously until you return to the Exit Dedicated Service tools menu.

9. Remove the system from Manual mode.

The system resets the QSECOFR user profile to the default shipped value on next IPL. The IPL may be a normal (unattended) one. You must have the system scheduled to IPL, or have someone, such as an operator or someone with authority to power down the system, do it. If you do not, then you must power down the system from the front panel, and then start it from there.

For more information about how to reset the QSECOFR password, see the iSeries Information Center at the following Web address and select the path Security→ Service tools user IDs and passwords→ Manage service tools user IDs and passwords→ Manage service tools user IDs→ Recover or reset QSECOFR passwords:

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp