Jeff,

I agree this will be a pain, especially because IBM forces the password to
expire. I think it should be my decision whether/when it should expire. I
never had a need for ridiculously long case-sensitive "passphrases"
containing punctuation, etc, but I guess it is for M$ compatibility or
high-security environments.

I don't know who called for the "added level of security." I cannot put
words in IBM's mouth, but my two cents is that the added security is
necessitated by DST functions going into Ops Navigator and because of the
support for LAN console. It seems to me that this means there will be a
TCP/IP stack and an DST server exposed to the network as soon as the system
is IPL'd to at least DST. You will no longer need physical access to the
computer room to really trash the machine. Do you want some bozo who gets
their hands on a Client Access CD to be able to plug in your machine's IP
address and 22222222 and start configuring DASD? That is my guess as to why
they're making us jump through new hoops with DST security.

-Marty

------------- original message -----------------

Date: Fri, 6 Jul 2001 17:29:35 -0500
From: jeff_carey@baxter.com
Subject: V5R1 DST passwords

In case you didn't know, in V5R1 you have to provide a DST profile and 
password to get into SST (or eve into some of the configuration functions 
in Ops Nav). 

They've added the CHGDSTPWD command to reset DST QSECOFR to QSECOFR. Now 
here's the kicker - the password for DST is case sensitive (as I forgot 
today, typing in qsecofr time and time again when only QSECOFR will work). 
 You then need to change the password, but it seems that this follows its 
own rules - even if QPWDRQDDIF is set to 0, you can't duplicate an old 
password for the DST profile. 

So pretty easily, DST password management can become an issue - especially 
since you may not be going into SST that often. 

Was there really a call for this added level of security?   If so, what 
about a WRKDSTPRF command and system values to manage these profiles like 
any other? 


Jeff Carey
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.