Troubleshooting
Problem
This document describes how to reset the QSECOFR user profile using DST.
Resolving The Problem
If the Operating System Security Officer user profile (QSECOFR) password is lost or forgotten, there are ways to reset it:
The system resets the Operating System QSECOFR user profile to the default shipped value when it is next IPLed. The IPL may be a normal (unattended) one. You must have the system scheduled to IPL or have someone (an operator or someone with authority to power down the system) do it. If you do not, you will have to power down the system from the front panel, and start it from there.
Resetting QSECOFR with an Attended IPL
This method is used when:
To reset QSECOFR with an attended IPL, you should do the following:
For Both Methods
After the password has been reset, change the password. On the operating system command line, type the following:
CHGUSRPRF QSECOFR
Press the F4 key to prompt the command. Type a new password, and change the status of the profile to *ENABLED if it is set to *DISABLED. Press the Enter key to have the changes take effect.
|
1. |
The easiest way would be for another user profile that has *ALLOBJ and *SECADM special authority to use the Change User Profile (CHGUSRPRF) command.
On the operating system command line, type the following: CHGUSRPRF QSECOFR PASSWORD(newpwd) where newpwd is the new password. Press the Enter key. To look for a user profile with *SECADM and authority to QSECOFR, refer to the following document: |
| 2. | Many systems do not have another profile with these special authorities. In that case, use the Dedicated Service Tools (DST) to reset it. The rest of this document describes how to use DST to reset the QSECOFR password. |
The following methods can be used. In both cases, an IPL is required. One method allows the IPL to be unattended and can be scheduled to happen at a later time (for example, overnight). The other way is to do a manual IPL and reset the password during the IPL.
- Resetting QSECOFR with an Unattended IPL
- This method is used when:
o You can wait before you must use QSECOFR o You cannot interrupt the machine for an IPL, and nobody is available to operate the system when the system is IPLing
- This method is used when:
| 1. | From the front panel of the machine, put the system into Manual mode. |
| 2. | Use the arrow keys to get to function 21, and press the Enter button. |
| 3. | On the console, a dedicated service tools (DST) sign-on screen is shown. Sign on with the System Service Tools (SST/DST) QSECOFR user ID and password. |
| 4. | Select Option 5, Work with DST Environment, from the Use Dedicated Service Tools menu. |
| 5. | Select Option 4 or 6 (depending on OS version), Service Tools Security Data. |
| 6. | Select Option 1, Reset operating system default password. |
| 7. | The Confirm Reset of System Default Password display is shown. Press the Enter key to confirm your request. |
| 8. | You receive a confirmation message telling you the operating system password override has been set. |
| 9. | Continue pressing F3 (Exit) to return to the Exit Dedicated Service tools. |
| 10. | Take the system out of Manual mode. |
Resetting QSECOFR with an Attended IPL
This method is used when:
| o | You cannot wait, and you need to use QSECOFR now. |
| o | You are available and ready to IPL the system now. |
| 1. | With the keylock switch in the Manual position, start an attended Initial Program Load (IPL). |
| 2. | When the system displays the IPL or the Install the System menu, select Option 3, Use dedicated Service Tools. |
| 3. | On the Dedicated Service Tools (DST) sign-on display, sign on with the System Service Tools (SST/DST) QSECOFR user ID and password. |
| 4. | Select Option 5, Work with DST Environment, from the Use Dedicated Service Tools (DST) menu. |
| 5. | Select Option 4 or 6 (depending on OS version), Service Tools Security Data. |
| 6. | Select Option 1, Reset operating system default password. |
| 7. | The Confirm Reset of System Default Password display is shown. Press the Enter key to confirm your request. |
| 8. | You receive a confirmation message telling you the operating system password override has been set. |
| 9. | Continue pressing F3 (Exit) to return to the Exit Dedicated Service Tools menu. |
| 10. | Select Option 1, Exit Dedicated Service Tools. |
| 11. | The IPL or Install the System menu is shown. Select Option 1, Perform an IPL. |
| 12. | The system continues with a manual IPL. The procedure for performing a manual IPL is described in the System Operation manual. |
| 13. | When the IPL has completed, return the system to the Normal mode. |
After the password has been reset, change the password. On the operating system command line, type the following:
| Caution: Do not leave the QSECOFR password set to the default. This poses a security exposure. This is the value shipped with every system and is commonly known. |
CHGUSRPRF QSECOFR
Press the F4 key to prompt the command. Type a new password, and change the status of the profile to *ENABLED if it is set to *DISABLED. Press the Enter key to have the changes take effect.
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0;and future releases"}]
Historical Number
23531757
Was this topic helpful?
Document Information
Modified date:
15 May 2023
UID
nas8N1019462