Admin Alert: QPWDRULES Rules!!! Opening Up User Password Options with i 6.1
February 2, 2011 Joe Hertvik
Like many i/OS shops, we recently started upgrading several systems from i/OS V5R4Mx to i 6.1. One of the more interesting features about i 6.1 is the new Password rules (QPWDRULES) system value, which allows you to control and extend password composition settings to designate all your password rules in one place and to include password composition options that weren’t available in earlier versions of the operating system.
What is QPWDRULES?
Think of QPWDRULES as a password composition rule aggregator. In earlier i/OS and AS/400 operating systems, IBM did not consolidate password composition system values in one place on the green screen. You had to set several different password system values individually in PC5250. There was a system value for minimum password length (QPWDMINLEN), another system value for maximum password length (QPWDMAXLEN), system values for limiting repeating characters (QPWDLMTCHR), system values for requiring a digit (QPWDRQDDGT), and so on. There was no central place on a 5250 screen where you could go to view your entire password composition scheme in toto. If you wanted to see your password composition settings in tandem, you had to go to iSeries Navigator (OpsNav) and view your Password Policies by clicking on Security→Policies→Password Policy from your system’s OpsNav node.
QPWDRULES changes all this on the green screen. After you perform your operating system upgrade, your QPWDRULES system value will look like this.
When QPWDRULES is set to *PWDSYSVAL, the operating system ignores QPWDRULES and falls back on the pre-i 6.1 individual password composition values that were set in the prior operating system. This protects your current password composition scheme so that after the upgrade, all of your older password settings are still in effect.
When you’re ready to change your password values to add new 6.1-related settings, you can modify QPWDRULES to more or less redo your password values. You do this by running the following green screen Work with System Values (WRKSYSVAL) command and taking Option 2=Change to modify your QPWDRULES setting.
This will bring you to a screen that looks like this:
You activate PWDRULES settings by erasing the *PWDSYSVAL entry and entering in the password composition entries that you want to use going forward. All the same password settings that you may have used in your pre-i 6.1 operating system setup are still available in a slightly different format under QPWDRULES and you’ll want to make sure that you enter all relevant system values again. Be careful however, because if you skip putting in certain QPWDRULES values, the system will make choices for you and that could throw your password composition settings into chaos.
For example, here’s one set of PWDRULES values that you can enter for your system.
In this case, the minimum password length is 10 characters, which is designated by the *MINLEN10 literal (*MINLENnnn, where the nnnrepresents the minimum number of characters for your passwords). The maximum password length is 128 characters, and that is specified by the *MAXLEN128 literal (*MAXLENnnn, where nnn equals the maximum number of characters).
It’s important to note that you definitely want to enter *MINLENnnn and *MAXLENnnn values in the QPWDRULES system value. If *MINLENnnn is not entered, i 6.1 will assume you have entered a value of *MINLEN1. This means that the system will automatically accept user-generated passwords with a minimum password length of one (1) character. I’m not sure why IBM settled on minimum one character passwords as the system’s default password length but most i/OS administrators wouldn’t stand for that so make sure to put in a value for *MINLENnnn.
If *MAXLENnnn is not entered, i 6.1 will assume one of the following two values for maximum password length.
So if you don’t enter *MINLENnnn and *MAXLENnnn values for QPWDRULES, the system will automatically assume you want either 1 to 10 character passwords or 1 to 128 character pass phrases. So it’s wise to be explicit and make sure your recommended password lengths are entered.
*MIXCASE1 specifies that each accepted password must contain at least one uppercase and one lowercase letter, as specified by the number following the ‘*MIXCASE’ substring (*MIXCASEn). You can specify any number between 0 and 9 for *MIXCASEn. Also note that for *MIXCASEn the Password level system value (QPWDLVL) must be set to 2 or 3 (passphrase support) because all capital letters must be entered for password levels 0 and 1 (1 to 10 character passwords).
Similar to *MIXCASE1, the *DGTMIN1 literal designates that each password must contain at least one digit.
So with this simple QPWDRULES setup, you can set up the same password composition security that is common on many commercial Web sites. You’ve designated that the password length must be greater than 10 characters and less than 128 characters, that each password must contain at least one uppercase and one lowercase letter, and that each password must also contain at least one digit. This is a simple way to bring your i 6.1 password settings in line with the rest of the world.
Any changes to the PWDRULES system value will take effect the next time a password is changed.
But these aren’t the only values you can set in QPWDRULES. Here are some other values that you can add to your password composition rules in this system value.
QPWDRULES makes it easier to enter a complete password composition scheme on the green screen, and it also makes it easier to view your password settings in tandem. Don’t be afraid to give it a try.