June 7, 2022 | IBM i

IBM i 7.5: What’s New in IBM i Security


IBM announced i 7.5 in May 2022, and it is now available to order and install. i 7.5 introduces a number of security changes to the operating system. Let’s look at what’s new with IBM i 7.5 security and where it can affect the average shop. The key security changes introduced with IBM i 7.5 are covered in the sections below.

This is the first in a series of blog posts covering the enhanced capabilities introduced in IBM i 7.5.

Today’s post covers the major IBM i 7.5 security changes; a separate post covers the system administration changes introduced in i 7.5.

New Password Security level encryption schemes for user profile & service tools passwords

i 7.5 adds a new system Password Level (QPWDLVL) to the system, password level 4. When you change QPWDLVL to level 4, two things happen:

  • Any encrypted OS user profile passwords created and stored at password levels 0, 1, 2 or 3 are removed from the IBM i 7.5 system.
  • The operating system creates the one-way encrypted passwords used at password level 4. Level 4 passwords are created using Password-Based Key Derivation Function 2 (PBKDF2) with HMAC SHA-512 (SHA-2, 512-bit). SHA-512 is a much stronger scheme than the DES algorithms used at QPWDLVL 0 & 1 or the SHA-1 algorithm used at QPWDLVL 2 & 3.

For more information on how IBM i password encryption works at every password level, check out IBM Support Password Encryption document 634481.

Alongside the new encryption scheme for operating system user profile passwords, IBM also added a new password level 3 for Service Tools (SST/DST) passwords. SST/DST level 3 lets admins use PBKDF2 with HMAC SHA-512 for Service Tools passwords.
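To make the level 4 / SST level 3 scheme concrete, here is an added example (not IBM’s implementation) of a PBKDF2-HMAC-SHA512 one-way password store. IBM does not publish its salt format, iteration count or record layout on this page, so those values are constructed assumptions; the point is to show why a stored record of this kind cannot be reversed or converted, only recreated from a new password, and how verification works without the clear-text password ever being stored.

```python
# Added example, not IBM's code: a PBKDF2-HMAC-SHA512 one-way password
# store, the scheme i 7.5 uses at QPWDLVL 4 and SST/DST password level 3.
# Salt length, iteration count and record layout are constructed
# assumptions; IBM does not publish its internal parameters on this page.
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha512"
ITERATIONS = 200_000      # assumption; tune to your CPU budget
SALT_BYTES = 16
KEY_BYTES = 64            # SHA-512 produces 64 bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a one-way record of the form algorithm$iterations$salt$key.

    Only this record is stored. A one-way record cannot be converted into a
    different scheme, so a new password has to pass through the new
    derivation when the password level changes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False                     # malformed record
    if algorithm != ALGORITHM:
        return False                     # refuse records from weaker schemes
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


if __name__ == "__main__":
    record = hash_password("Summer2022!")      # constructed sample password
    print(record)
    print(verify_password("Summer2022!", record),
          verify_password("summer2022!", record))
```

Two properties are worth noticing when you run it: hashing the same password twice yields two different records because of the per-password salt, and a record tagged with any other algorithm is rejected outright rather than being compared.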


Default user profile passwords are no longer the default

In IBM i 7.4 and below, when creating a user profile, the user profile PASSWORD parameter defaults to *USRPRF if no other value is assigned. If PASSWORD remains set at *USRPRF, users are assigned default user profile passwords, where the profile password is equal to the username, which is a definite security vulnerability.

In i 7.5, the default value for the user profile PASSWORD parameter will be set to *NONE (no password) if you don’t enter another value. *USRPRF will no longer be the default value for a new user profile password, which should cut down on the number of default passwords in the system.


IBM Eliminates 11111111 & 22222222 SST/DST Profiles

The eight-digit 11111111 & 22222222 system-provided SST/DST profiles have been part of the operating system almost since there was an operating system. No more. During an i 7.5 version upgrade or a “from scratch” install, these profiles are removed from 7.5 systems. Going forward, the only IBM-supplied SST/DST profiles will be:

  • QSCOEN
  • QSRV, which is disabled by default

Other SST/DST profiles not supplied by IBM will remain on the system after an upgrade.


New Password Validation API Available

i 7.5 introduces the QSYSCHKPR API, which can be used to verify whether a password meets the security rules defined in your system values. QSYSCHKPR only checks a password; it cannot change one. QSYSCHKPR complements the SQL_CHECK_PASSWORD service, and both features can be used for authentication.


No More System Security (QSECURITY) Level 20

With i 7.5, IBM has removed System Security (QSECURITY) level 20 (user ID & password security with no resource or integrity security) from the system. Systems set at level 20 can continue to run on level 20. But i 7.5 no longer allows QSECURITY to be set to level 20.


Maximum Sign-on attempts can now be set for individual users

Before i 7.5, the maximum number of sign-on attempts per user was set globally on each system, using the Maximum Sign-on attempts system value (QMAXSIGN). All users had the same maximum number of incorrect sign-on attempts before the system took action for that user (using the Actions When Sign-On Attempts Reached system value, QMAXSGNACN).

i 7.5 adds a parameter called Maximum sign-on attempts (MAXSIGN) to its user profiles that allows you to set a per-user maximum number of incorrect sign-ons before the system takes action. This allows you to set higher or lower numbers of incorrect sign-on attempts for different users. For example, you may set a higher number of incorrect sign-on attempts for scanner users and a lower number for administrators or users with financial/inventory access.
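The following is an added example, not IBM’s code, that models the interplay between the global QMAXSIGN value and a per-profile MAXSIGN the way the paragraph above describes it. Two details are assumptions of the model rather than facts from this page: a profile with no MAXSIGN of its own falls back to the system value (modelling *SYSVAL), and reaching the limit disables the profile, which is one of the actions the QMAXSGNACN system value can select. The profile names and limits are constructed.

```python
# Added example, not IBM's code: a model of the i 7.5 per-user sign-on limit.
# A profile's MAXSIGN overrides the system-wide QMAXSIGN; a profile whose
# maxsign is None is assumed (modelling MAXSIGN *SYSVAL) to inherit QMAXSIGN.
# Reaching the limit disables the profile, one of the actions QMAXSGNACN can
# select. Profiles and values below are constructed for the demonstration.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

QMAXSIGN = 3   # constructed system value


@dataclass
class UserProfile:
    name: str
    maxsign: Optional[int] = None   # None -> fall back to QMAXSIGN
    invalid_attempts: int = 0
    disabled: bool = False

    def limit(self) -> int:
        return QMAXSIGN if self.maxsign is None else self.maxsign


class SignOnMonitor:
    """Tracks invalid sign-on attempts per profile and applies the lockout."""

    def __init__(self, profiles: Iterable[UserProfile]) -> None:
        self.profiles: Dict[str, UserProfile] = {p.name: p for p in profiles}

    def record_attempt(self, name: str, password_ok: bool) -> str:
        p = self.profiles[name]
        if p.disabled:
            return "DISABLED"           # stays locked until an admin re-enables it
        if password_ok:
            p.invalid_attempts = 0      # a good sign-on clears the counter
            return "OK"
        p.invalid_attempts += 1
        if p.invalid_attempts >= p.limit():
            p.disabled = True
            return "DISABLED"
        return "INVALID"

    def attempts_remaining(self, name: str) -> int:
        p = self.profiles[name]
        return 0 if p.disabled else p.limit() - p.invalid_attempts


def demo() -> Dict[str, str]:
    """Three failed sign-ons against profiles with different limits."""
    mon = SignOnMonitor([
        UserProfile("ADMIN1", maxsign=2),      # tight limit for an administrator
        UserProfile("SCAN01", maxsign=10),     # lenient limit for a scanner user
        UserProfile("CLERK7"),                 # inherits QMAXSIGN
    ])
    result: Dict[str, str] = {}
    for name in mon.profiles:
        for _ in range(3):
            result[name] = mon.record_attempt(name, password_ok=False)
    return result


if __name__ == "__main__":
    print(demo())
```

After three bad passwords the administrator (limit 2) and the clerk (system limit 3) are disabled while the scanner user (limit 10) is merely warned, which is exactly the differentiated policy the new parameter makes possible.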


NetServer Server & File Share Access Control by Authorization List

A new NetServer and File Share setting allows you to control access to the NetServer server itself, or to restrict access to individual NetServer file shares, using an IBM i authorization list (*AUTL). This provides both global and granular control over who can access file shares, which should be helpful in securing IFS folders against ransomware attacks.
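The two-layer control described above can be modelled in a few lines. This is an added example, not IBM’s code: the server-level list is checked first, then the share-level list, and a user needs at least *USE at each layer to get in. The authority resolution order (an explicit user entry, then the best of the user’s group entries, then *PUBLIC) and the behaviour for a share with no list attached are assumptions of the model; the list names, users, groups and shares are constructed.

```python
# Added example, not IBM's code: a model of NetServer access gated by
# authorization lists (*AUTL) at two layers, the server and the individual
# share. Resolution order (explicit user entry, then the best of the user's
# group entries, then *PUBLIC) and the "at least *USE to connect" rule are
# assumptions of this model; list names, users and shares are constructed.
from typing import Dict, Iterable, List, Optional

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


class AuthorizationList:
    def __init__(self, name: str, entries: Dict[str, str]) -> None:
        self.name = name
        self.entries = entries          # user, group or *PUBLIC -> authority

    def authority_for(self, user: str, groups: Iterable[str]) -> str:
        if user in self.entries:
            return self.entries[user]
        group_auths: List[str] = [self.entries[g] for g in groups if g in self.entries]
        if group_auths:
            return max(group_auths, key=RANK.__getitem__)
        return self.entries.get("*PUBLIC", "*EXCLUDE")


class NetServer:
    def __init__(self, server_autl: Optional[AuthorizationList]) -> None:
        self.server_autl = server_autl
        self.shares: Dict[str, Optional[AuthorizationList]] = {}

    def add_share(self, share: str, autl: Optional[AuthorizationList] = None) -> None:
        self.shares[share] = autl

    def check_share(self, user: str, groups: Iterable[str], share: str) -> Optional[str]:
        """Return the effective share authority, or None when access is denied."""
        groups = list(groups)
        # Layer 1: the server-wide list must admit the user at all
        if self.server_autl is not None:
            if RANK[self.server_autl.authority_for(user, groups)] < RANK["*USE"]:
                return None
        if share not in self.shares:
            return None
        # Layer 2: the per-share list, if one is attached, decides further
        autl = self.shares[share]
        if autl is None:
            return "*NOAUTL"   # no share list: only the IFS object authority applies (not modelled)
        auth = autl.authority_for(user, groups)
        return None if RANK[auth] < RANK["*USE"] else auth


def demo() -> Dict[str, Optional[str]]:
    server = AuthorizationList("NSVRAUTL", {"*PUBLIC": "*EXCLUDE",
                                            "NETUSERS": "*USE", "ADMIN1": "*ALL"})
    finance = AuthorizationList("FINAUTL", {"*PUBLIC": "*EXCLUDE",
                                            "FINGRP": "*CHANGE", "AUDITOR": "*USE"})
    ns = NetServer(server)
    ns.add_share("FINANCE", finance)
    ns.add_share("PUBLICDOCS")
    return {
        "clerk-finance": ns.check_share("CLERK7", ["NETUSERS", "FINGRP"], "FINANCE"),
        "auditor-finance": ns.check_share("AUDITOR", ["NETUSERS"], "FINANCE"),
        "guest-finance": ns.check_share("GUEST1", [], "FINANCE"),        # blocked at server
        "netuser-finance": ns.check_share("BOB", ["NETUSERS"], "FINANCE"),  # blocked at share
        "netuser-docs": ns.check_share("BOB", ["NETUSERS"], "PUBLICDOCS"),
        "admin-missing": ns.check_share("ADMIN1", [], "NOSUCH"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

The *PUBLIC *EXCLUDE entry on the server-level list is what delivers the ransomware benefit the text mentions: a profile that is not on the list (directly or via a group) never reaches any share, regardless of how permissive the individual share or the underlying IFS folder is.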


Modification of Default *PUBLIC Rights for Many Objects

IBM has changed the default *PUBLIC authority for many objects from *CHANGE or *ALL to *USE. For objects that exist in a secondary language library, the *PUBLIC authority will also be changed for those objects. For a listing of the type and names of objects affected by this change, see IBM’s Public authority changes for objects web page.


More IBM i 7.5 security changes

Time doesn’t allow us to list all of the security changes IBM included with i 7.5. To see more security changes that aren’t listed here, go to the IBM i 7.5 Security Related Changes web page.


Where can I find the IBM i 7.5 announcement?

You can read IBM’s entire announcement on IBM’s site. Some additional changes listed here can also be found on the IBM i 7.5 Security Related Changes web page or the IBM i 7.5 base enhancements page.


What IBM Power hardware do I need to run i 7.5?

IBM i 7.5 is only supported on select IBM Power9 and Power10 systems. To understand what IBM i OS version will run on your Power processors, consult IBM’s system to IBM i mapping Web site. If you’re running IBM i in the cloud or at an MSP, consult your provider to see if you’re eligible to upgrade your IBM i systems to i 7.5.
