Security Officer Password Lost

Posted on 2004-11-28
Last Modified: 2008-01-09
I lost/forget the Security Officer Password.

I know that their is a manual form to rest the password, but I didn't find the information.

Can somebody help me on this.

Our AS/400 is a eServer i5 520 V5R3


Danny Pastrana
Question by:dpastrana
    LVL 6

    Accepted Solution

    hi, you need to have the DST password for QSECOFR, do you have it?

    go to the machine panel, then set IPL mode to manual, then select option 21 from the panel, it will display DST screen on your console (If it doesn't work, you have to do manual IPL to reach the DST screen).

    From the DST main menu:
    Select "Work with DST Environment" (option#5?)
    Select "DST User Profile" (option#3?)
    Select "Reset System Default Password" (option#4?)

    You may try the user QSECOFR with password=QSECOFR, if still doesn't work, you may need to do IPL.

    good luck.

    PS: If you don't have your DST password, then you may have to find a "backdoor", there is usually some loopholes in the system that allow us to penetrate.
    LVL 16

    Assisted Solution

    by:theo kouwenhoven
    I know (long time ago when the AS.400 had a key) that you can set the key on "Service" and start th IPL, during the IPL a Service menu is shown on the console (an other old thing). In this service menu there was an option to change the QSECOFR password. I''m sure there is still a service option but because I didn't see an AS/400 for 5 years (it's phisically somewhere in Europe) I don't know how it is done now?

    So go for te service menu !!!!
    LVL 3

    Assisted Solution

    Thats what dedy is talking about, exept nowadays you can use *part* of the service menu (DST = dedicated service tools) without having to IPL. You get into the DST screen by selecting option 21 on the control panel (the part of the AS/400 with the key you mentioned)
    LVL 26

    Assisted Solution

    Because a lost QSECOFR password is the problem, it's just barely possible that DST provides an answer. I say it that way for a variety of reasons.

    For a start, the easiest way would be just to sign on with the site's security officer profile (*NOT* QSECOFR) and then simply change the QSECOFR password. No muss, no fuss.

    That is, the smallest bit of applied principles would've avoided this altogether. The primary principle here is: Don't use QSECOFR except at IBM's direction. There is no need ever to use QSECOFR otherwise. The very first time it's used -- to start the system initially -- create a site security officer profile as user class *SECOFR and all special authorities. Then change the QSECOFR password from the default and stash the password away. Use the site security officer logon from then on. The QSECOFR password ought to be in a safe location.

    If the site security officer password is lost, use QSECOFR to recover. Or create a CL program owned by QSECOFR that will reset the site security officer password back to default and will also log the change. Grant authority to that program to some other profile(s) that is(are) responsible for system management and *EXCLUDE *PUBLIC from it. Then the password can be recovered just by calling the program from an authorized profile.

    Note that these might be the _only_ ways to accomplish this at V5R3 unless you want to pay IBM a tidy sum to do it. At V5R3 (and perhaps all the way back to V5R1?) you can restrict DST access to passwords. If that option has been set, then DST will not be any help. (Unless you're really really really good at Display/Alter/Print and can walk all the chains necessary and can can directly change DASD exactly right; but I don't know that anyone has managed that yet.)

    But, if a lost QSECOFR password is the problem, then I'd guess the system hasn't been secured yet anyway. So DST will probably work.



    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
    PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now