Reset QSECOFR service tools password

[Falco]

Is there a way to reset the QSECOFR service tools user password in
V6.1 Here is what I have tried.
Signed on to the console with QSECOFR
CHGDSTPWD PASSWORD(*DEFAULT)
STRSST, press F9 to Chagne the password and it tells me:
"Service tools user ID password cannot be changed."
Cause . . . . . : Your system is configured to prevent a service
tools user
ID with a default and expired password from changing its own
password.

Is there any other way of doing this?

Thank You

[CRPence]

On 02 May 2012 07:06, Falco wrote:
> Is there a way to reset the QSECOFR service tools user password in
> V6.1 Here is what I have tried.
> Signed on to the console with QSECOFR
> CHGDSTPWD PASSWORD(*DEFAULT)

> STRSST, press F9 to Change the password and it tells me:

> "Service tools user ID password cannot be changed."
> Cause . . . . . : Your system is configured to prevent a service
> tools user ID with a default and expired password from changing its
> own password.
>
> Is there any other way of doing this?
>

I am aware of the policy setting to effect that restriction, however
I was unaware of its capability to impact the high-authority user QSECOFR.

Was that an F9 presented as an option at an "expired password" prompt
upon first login after the reset? I seem to recall having a similar
issue once, and maybe that I had to press Enter first.?.? That is, I
seem to recall I was confused by a message that eventually I got past
when I realized what the message meant and my intentions were not at
odds. Might it be so simple? Perhaps not, so I offer some doc links if
that may be of assistance:

Many links available in the v6r1 InfoCenter that may assist:
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp
Search: service tools user password expired
Search: service tools user

Can DST be accessed by any of the Service Tools Users? The Service
Security Date could be restored if QSRV or another user-created or the
IBM-supplied profiles are enabled to effect that action; and if a backup
had been made when QSECOFR password was and is known. A reload of the
LIC from a SAVSYS taken before that restriction was implemented or from
when the QSECOFR password was known?

Here is an older reference I had a link for my issue long ago,
presumably replaced by the next link:
_i Tips and Tools for Securing Your iSeries i_
http://publib.boulder.ibm.com/iseries/v5r1/ic2924/books/c4153005.pdf

IBM i 6.1 Information Center -> Security -> Service tools
PDF file for Service tools
_i System i Security Service tools Version 6 Release 1 i_
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzamh/rzamh.pdf

Merely for reference to changing manual title; and it was handy:
_i Service tools user IDs and passwords i_
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/rzamh/rzamh.pdf

Regards, Chuck

[CRPence]

On 02 May 2012 07:06, Falco wrote:

Ah, I remember now; having seen the following docs. The switch from
using SST to DST is what was required for that message;;; it was not
just Enter vs F9. Refer to:

_i System i Security Service tools i_
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzamh/rzamh.pdf
" ...

_i Troubleshooting service tools user IDs and passwords i_
When you have problems with service tools user IDs and passwords, refer
to this information for solutions.

...

Problem 4:

You get the error Service tools user ID password cannot be changed
when attempting to change the password for your service tools user ID
using the Change Password display from STRSST or when using the QSYCHGDS
API.

Your service tools user ID is the default and has expired. The password
cannot be changed from system service tools (SST) or by using the
QSYCHGDS API. Use one of the following options:

v Use another service tools ID with appropriate functional
privileges to change your password. Then sign on and change your
password to a value only you know.

v Access DST to change your password.

...
"

Regards, Chuck

[CRPence]

On 02 May 2012 11:35, CRPence wrote:
> <<SNIP>>

>
> _i System i Security Service tools i_
> http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzamh/rzamh.pdf
>
> " ...
>
> _i Troubleshooting service tools user IDs and passwords i_
> When you have problems with service tools user IDs and passwords, refer
> to this information for solutions.
>
> ...
>
> Problem 4:

> <<SNIP>>

I only just now noticed [in my browser tab, as I was about to close
it,] that the first of the InfoCenter searches I gave in my first reply,
has the above quoted doc snippet available outside of the PDF. I
figured I would post that as well. The second item listed in that
search [Search: service tools user password expired] was:

_Troubleshooting service tools user IDs and passwords_
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzamh/rzamhtroubleshoot.htm
" ...
_i Problem 4: i_

You get the error Service tools user ID password cannot be changed when
attempting to change the password for your service tools user ID using
the Change Password display from STRSST or when using the QSYCHGDS API.

Your service tools user ID is the default and has expired. The password
cannot be changed from system service tools (SST) or by using the
QSYCHGDS API. Use one of the following options:

* Use another service tools ID with appropriate functional

privileges to change your password. Then sign on and change your
password to a value only you know.

* Access DST to change your password.
* Use another service tools user ID with the appropriate functional
privileges to access the Work with System Security option (from DST or
SST) and change the setting of the Allow a service tools user ID with a
default and expired password to change its own password setting to 1
(Yes). Change your password, and then have the setting changed back to
option 2 (No).

_i Parent topic: i_ Managing service tools
_Related concepts_
Recovering or resetting QSECOFR passwords
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzamh/rzamhrecover.htm
Accessing service tools using DST
http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/topic/rzamh/rzamhaccessdst.htm
"

Regards, Chuck

[Dr.Ugo Gagliardelli]

il 02.05.2012 16:06, Scrive Falco 215047532:

This has to do with service-user permissions. To change a password that
expired, you must have that permission. Unfortunately, to change user
permissions you have to operate with a service-user that have the
permission to change permissions. If QSECOFR is the only "upper-class"
service-user, and you have no mean to access SST with this kind of user,
you must go to DST, inside dst you'll be able to change an expired
password. DST is accessible in 2 ways: through a manual IPL, or
selecting 21 from the control panel. Function 21 will force DST to the
console device. You can access dst with function 21 during normal
operations without interrupting actve jobs, unless you'll do somthing
wrong from dst menus (e.g. perform an ipl).

[iseriesflorida]

On May 3, 3:28 am, "Dr.Ugo Gagliardelli" <do.not.s...@me.please>
wrote:

You need to switch the setting via manual IPL in DST.

[iseriesflorida]

> You need to switch the setting via manual IPL in DST.- Hide quoted text -
>
> - Show quoted text -

Let me rephrase this, it depends on if your using an HMC, Lan console,
Dumb Terminal in how you would envoke option 21. You can get into DST
mode via manual IPL as well.

[jse...@yahoo.co.nz]

This is controlled by a setting in SST/DST. Your current settings do not allow a profile with a default and expired password to change itself through SST. Unless you are able to change this setting with another SST ID which has security capable authorities (given you have reset QSECOFR in this way, I would guess not), the only way you can do this is via DST. As has been mentioned, you can easily put the console into DST mode via the control panel or the HMC depending on what you use. This does not disrupt the operation of the system.

If you wish to change this setting, you can do so from the "Work with System Security" option in SST.