Admin Alert: Bringing V5R1 DST Passwords Under Control
by Joe Hertvik
After last week's "Admin Alert" on starting Dedicated Service Tools without an IPL, several readers wrote asking me
how to reset the QSECOFR service tool user profile password in OS/400 V5R1. The problem is that, while
IBM initially sets this password to a default value of QSECOFR, you must change it the first time you use the
QSECOFR service profile on your system. And for a lot of V5R1 users, that's where the problems begin.
Before I go any further, it's important to point out that service tool user profiles are different from OS/400
user profiles. For OS/400 V5R1 and V4R5, service tool user profiles and passwords are required in order to
sign on to Dedicated Service Tools (DST). In V5R1, a service tool user profile is also required to use the
Start System Service Tools (STRSST) command. Service tool user profiles are maintained inside of DST,
while regular OS/400 passwords are maintained through the Change User Profile (CHGUSRPRF) command
or through the iSeries Operations Navigator.
The problem is that changing service tool passwords in V5R1 is a bit of a kludge and--from my experience,
anyway--it is embarrassingly easy to disable the QSECOFR service tool user profile in the process. And if
you have more than one person making changes, a disabled QSECOFR service tool user profile is almost
guaranteed. One solution is to create different service profiles for different users, each with its own
password and capabilities. Each user can then use his own service profile and--as an alternative to the
QSECOFR service profile--one or more profiles can be enabled with the same authorities as the QSECOFR
service profile.
Of course, if you have a disabled QSECOFR service profile, it's harder to create new profiles, because all
new profiles are added through DST. So you need to know the following in order to create new service tool
user profiles:
- How to reenable the QSECOFR service profile (if needed) and reset its default password.
- How to add additional service tool user profiles for authorized users.
- How to grant service profiles the appropriate DST and SST (System Service Tools) authorities.
Here's my game plan for getting these tasks done:
- To reset the QSECOFR service profile password to its default value of QSECOFR, sign on to OS/400 with
the QSECOFR user profile, and then run the Change DST Password (CHGDSTPWD) command, as follows:
CHGDSTPWD *DEFAULT
- To add or change service tool profiles, you need to sign on to DST for
the machine or partition you're working with. For a non-partitioned machine or the primary partition of a
partitioned box, you can go to the control panel, switch to manual mode, and enter option 21. That will
bring up the DST sign-on screen on that machine's system console.
To enter DST for a primary or a secondary partition, go into Start System Service Tools (STRSST) on your
primary partition. When SST asks for a DST service tool user profile and password, use QSECOFR for the
service profile ID, but--if you're still using the default password of QSECOFR--don't enter the password.
Since you must change the password the first time you use it, or after a CHGDSTPWD reset, press F9 to
change the password, follow the instructions to change the password, and then sign on to SST with the
QSECOFR service profile and your new password. (In my testing, I have found that this technique is less
likely to disable the QSECOFR service profile. Also, remember that DST passwords are case-sensitive, so
take that into account as well.) Once you're inside SST, use the instructions outlined in the last issue to force DST to start
on the system console of your partition.
- To create new service tool user profiles, sign on to DST with the
QSECOFR service profile, using either the default password or the one you just created. If you're using the
default password, DST may require that you change the password in the same manner outlined in step 2.
Once inside the Use Dedicated Service Tools menu, select option 5, Work with DST Environment. On the
Work with DST Environment screen, select option 3, Service tools user profiles. On the Service tools user
profiles screen, create a new DST user profile by typing a "1," Create, and then entering the name of the
service profile you want to create on the blank input line on the first entry of the existing service profiles.
The Create screen will then ask you for the password, whether you want to allow service profile access
before the storage management phase of an IPL, whether the profile password should be set to expire, and
for a description of the DST service profile you created. Follow the instructions to add the DST profile. (Be
careful entering the password, because DST passwords are case-sensitive. Another potential problem is that
the password field for DST service tool user profiles can be up to 128 characters long, and that field is
divided into several lines. Because of the extended password length, you have to be careful not to
inadvertently add other characters to the password.)
Once the profile is added, OS/400 will take you back to the Work with Service Tools User Profiles
screen.
- To add or remove privileges from a DST service profile, press F5 to
refresh the Service tools user profile screen, and then enter a "7," Change privileges, in front of the entry for
your new DST service profile. This brings you to the Change Service Tools User Privileges screen, where
you can grant or revoke authority to any of the user's DST and SST privileges. If you want to make this user
a backup QSECOFR service profile, you would grant authority by entering a "2" in front of every entry on
the Change Service Tools User Privileges screen.
In addition to adding service tool user profiles, you may also want to check out some of the other options on
the Work with Service Tools User Profiles screen. In particular, entering a "5" or a "6" in front of a service
profile allows you to enable or disable that service profile. You can also change a DST service profile
password by entering a "2" in front of the target service profile.
- Once you've finished adding as many DST service profiles as you wish,
exit DST. The next time you sign on to either DST or SST, you can use your new DST service profile in
lieu of the QSECOFR service tool user profile. And if you accidentally disable your DST service profile,
you can use the QSECOFR service profile to reenable it.