Solved

ISeries User Profiles

Posted on 2014-03-04
5
1,001 Views
Last Modified: 2014-03-05
Cannot figure out what is up with my QSECOFR profile.  I can sign on to the system with the QSECOFR but when I try to go to DST or SST, it tells me that the user is disabled.  When I do a WRKUSRPRF the profile is displayed as enabled.  What am I missing?
0
Comment
Question by:Don1411
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 13

Expert Comment

by:_b_h
ID: 39904965
The QSECOFR user profile is separate from the QSECOFR DST profile.

The QSECOFR DST profile password can be changed by QSECOFR user profile using the Change DST password command:
CHGDSTPWD PASSWORD(*DEFAULT)  
Since you have access to DST, sign on to DST using uppercase QSECOFR as the password. You will be prompted to change the password.  This step can also be done from SST depending on your system settings; use DSPSECA to check.

It is generally a good idea to have a backup DST profile that is equivalent to QSECOFR so that it can be used to reset QSECOFR DST password.

Hope this helps!
Barry
0
 
LVL 27

Accepted Solution

by:
tliotta earned 500 total points
ID: 39905457
In general, neither the QSECOFR user profile nor the QSECOFR DST profile should ever be used except (1) during initial setup of system security and (2) when IBM instructions direct you to use one of those profiles.

In the case of (1), you should initially use the two QSECOFR profiles to create at least one additional user profile with *SECOFR user class special authorities and at least one additional DST profile with all DST security capabilities. After those are created, use them instead of QSECOFR. Once that's done, there should no longer be much concern about problems with QSECOFR passwords. The QSECOFR profiles would only be needed in normal operation to recover your other profiles if problems come up with them.

(By avoiding use of the two QSECOFR profiles, you minimize the risk of object damage to them. Object damage is rare nowadays, but it happens most often when objects are in use and being updated by the system. Updates may happen when other objects are being created/deleted and ownership or authority is being set in the *USRPRF object. Unexpected power losses, etc., can cause the damage. Recovering damaged QSECOFR *USRPRF objects can require costly help from IBM. The simplest rule-of-thumb is "Don't use them.")

In the context of this question, the existence and use of secondary security profiles for standard system operations and for SST/DST would effectively make the problem irrelevant. Creating such profiles should be the first thing done after signing on with QSECOFR and after accessing SST/DST. The two QSECOFR passwords should be made to be different and then stored in a safe location. After that, they should only be needed in emergencies. The replacement profiles would be the ones used for most things.

Tom
0
 

Author Comment

by:Don1411
ID: 39906460
Thanks for the assistance.  I think I have it cleared up now.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 39908096
I think Barry's comment should have a significant award of points. It was first; it was correct. I was primarily simply providing background and general justification for avoiding "QSECOFR" rather than directly accessing QSECOFR.

If Barry chooses to follow up, this comment is here for reference.

Tom
0
 
LVL 13

Expert Comment

by:_b_h
ID: 39908187
Thanks for the consideration, Tom.
The answers are complete and correct, enough said.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question