Admin Alert: QPWDRULES Rules!!! Opening Up User Password Options with i 6.1

February 2, 2011 Joe Hertvik

Like many i/OS shops, we recently started upgrading several systems from i/OS V5R4Mx to i 6.1. One of the more interesting features about i 6.1 is the new Password rules (QPWDRULES) system value, which allows you to control and extend password composition settings to designate all your password rules in one place and to include password composition options that weren’t available in earlier versions of the operating system.

What is QPWDRULES?

Think of QPWDRULES as a password composition rule aggregator. In earlier i/OS and AS/400 operating systems, IBM did not consolidate password composition system values in one place on the green screen. You had to set several different password system values individually in PC5250. There was a system value for minimum password length (QPWDMINLEN), another system value for maximum password length (QPWDMAXLEN), system values for limiting repeating characters (QPWDLMTCHR), system values for requiring a digit (QPWDRQDDGT), and so on. There was no central place on a 5250 screen where you could go to view your entire password composition scheme in toto. If you wanted to see your password composition settings in tandem, you had to go to iSeries Navigator (OpsNav) and view your Password Policies by clicking on Security→Policies→Password Policy from your system’s OpsNav node.

QPWDRULES changes all this on the green screen. After you perform your operating system upgrade, your QPWDRULES system value will look like this.

When QPWDRULES is set to *PWDSYSVAL, the operating system ignores QPWDRULES and falls back on the pre-i 6.1 individual password composition values that were set in the prior operating system. This protects your current password composition scheme so that after the upgrade, all of your older password settings are still in effect.

When you’re ready to change your password values to add new 6.1-related settings, you can modify QPWDRULES to more or less redo your password values. You do this by running the following green screen Work with System Values (WRKSYSVAL) command and taking Option 2=Change to modify your QPWDRULES setting.

WRKSYSVAL SYSVAL(QPWDRULES)

This will bring you to a screen that looks like this:

You activate PWDRULES settings by erasing the *PWDSYSVAL entry and entering in the password composition entries that you want to use going forward. All the same password settings that you may have used in your pre-i 6.1 operating system setup are still available in a slightly different format under QPWDRULES and you’ll want to make sure that you enter all relevant system values again. Be careful however, because if you skip putting in certain QPWDRULES values, the system will make choices for you and that could throw your password composition settings into chaos.

For example, here’s one set of PWDRULES values that you can enter for your system.

In this case, the minimum password length is 10 characters, which is designated by the *MINLEN10 literal (*MINLENnnn, where the nnnrepresents the minimum number of characters for your passwords). The maximum password length is 128 characters, and that is specified by the *MAXLEN128 literal (*MAXLENnnn, where nnn equals the maximum number of characters).

It’s important to note that you definitely want to enter *MINLENnnn and *MAXLENnnn values in the QPWDRULES system value. If *MINLENnnn is not entered, i 6.1 will assume you have entered a value of *MINLEN1. This means that the system will automatically accept user-generated passwords with a minimum password length of one (1) character. I’m not sure why IBM settled on minimum one character passwords as the system’s default password length but most i/OS administrators wouldn’t stand for that so make sure to put in a value for *MINLENnnn.

If *MAXLENnnn is not entered, i 6.1 will assume one of the following two values for maximum password length.

If your system is operating at a password level of 0 or 1–the Password level system value (QPWDLVL) is equal to 0 or 1–the system will assume *MAXLEN10 for its maximum password length.
If your system is operating at a password level of 2 or 3–QPWDLVL equals 2 or 3–the system will assume *MAXLEN128 as its maximum password length.

So if you don’t enter *MINLENnnn and *MAXLENnnn values for QPWDRULES, the system will automatically assume you want either 1 to 10 character passwords or 1 to 128 character pass phrases. So it’s wise to be explicit and make sure your recommended password lengths are entered.

*MIXCASE1 specifies that each accepted password must contain at least one uppercase and one lowercase letter, as specified by the number following the ‘*MIXCASE’ substring (*MIXCASEn). You can specify any number between 0 and 9 for *MIXCASEn. Also note that for *MIXCASEn the Password level system value (QPWDLVL) must be set to 2 or 3 (passphrase support) because all capital letters must be entered for password levels 0 and 1 (1 to 10 character passwords).

Similar to *MIXCASE1, the *DGTMIN1 literal designates that each password must contain at least one digit.

So with this simple QPWDRULES setup, you can set up the same password composition security that is common on many commercial Web sites. You’ve designated that the password length must be greater than 10 characters and less than 128 characters, that each password must contain at least one uppercase and one lowercase letter, and that each password must also contain at least one digit. This is a simple way to bring your i 6.1 password settings in line with the rest of the world.

Any changes to the PWDRULES system value will take effect the next time a password is changed.

But these aren’t the only values you can set in QPWDRULES. Here are some other values that you can add to your password composition rules in this system value.

QPWDRULES value

Password Composition setting

*CHRLMTAJC

The password cannot repeat the same character in two adjacent
positions. This would prevent someone from entering a password such as ‘aaaaaaaaaa1’

*CHRLMTREP

Any single character cannot appear more than once in a password

*DGTLMTAJC

The password cannot contain two numeric digits in a row

*DGTLMTFST

*DGTLMTLST

Specifies that the first letter of a password (*DGTLMTFST) or the
last letter of a password cannot be a digit (*DGTLMTLST).

*DGTMAXn

The password cannot contain more than n number of digits

*DGTMINn

The password must contain at least n number of digits

*LTRLMTFST

*LTRLMTLST

Specifies that the first letter of a password (LTRLMTFST) cannot be a
letter or the last letter of a password cannot be a letter (LTRLMTLST)

*LMTPRFNAME

Prevents a user from entering their complete user profile name into
their password (i.e., a user profile named ‘JOEH’ cannot have a password
equal to ‘JOEH1’)

*REQANY3

The password must contain at least three of the following four categories
of characters:

·
Uppercase characters

·
Lowercase characters

·
Digits

·
Special characters

*REQANY3 can be used to replace both the *MIXCASEn and the *DGTMINn values explained above. But this creates a problem since
it requires only three of the four categories to exist in a new password, which
makes it harder to tell the users exactly what character types are required.

*SPCCHRLMTAJC

*SPCCHRLMTFST

*SPCCHRLMTLST

*SPCCHRMAXn

*SPCCHRMINn

Literals designating how special characters can be used in a
password. *SPCCHRLMTAJC specifies that the password cannot contain two or
more adjacent special characters. *SPCCHRLMTFST specifies that the password
cannot start with a special character, while SPCCRHLMTLST specifies that the
character cannot end with a special character. *SPCCHRMAXn and *SPCCHRMINn specify the minimum and
maximum number of special characters that can be contained in a password.

QPWDRULES makes it easier to enter a complete password composition scheme on the green screen, and it also makes it easier to view your password settings in tandem. Don’t be afraid to give it a try.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot