IBM announced i 7.5 in May 2022 and it is now available to order and install. i 7.5 introduced a number of security changes to the operating system. Let’s look at what’s new with IBM i 7.5 security and where it can affect the average shop. Some of the key security changes introduced with IBM i 7.5 include:
- New password security level encryption schemes for user profile and service tools passwords
- Default user profile passwords are no longer the default
- IBM Eliminates 11111111 & 22222222 SST/DST Profiles
- New Password Validation API Available
- No More System Security (QSECURITY) Level 20
- Maximum Sign-on attempts can now be set for individual users
- NetServer Server & File Share Access Control by Authorization List
- Modification of Default *PUBLIC Rights for Many Objects
- More IBM i 7.5 security changes
- Where can I find the IBM i 7.5 announcement?
- What IBM Power hardware do I need to run i 7.5?
Note: Today’s post only covers major IBM i 7.5 security changes. In the coming weeks, we’ll look at other IBM i 7.5 changes in areas such as networking and administration.
i 7.5 adds a new system Password Level (QPWDLVL) to the system, password level 4. When you change QPWDLVL to level 4, two things happen:
- Any encrypted OS user profile passwords created and stored at password levels 0, 1, 2, or 3 are removed from the IBM i 7.5 system
- The operating system creates the one-way encrypted passwords to be used at password level 4. Level 4 passwords are created using Password-Based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2, 512 bit) encryption. SHA-512 is a much stronger encryption scheme than the DES algorithms used for encryption at QPWDLVL 0 & 1 or the SHA-1 algorithm used at QPWDLVL 2 & 3.
For more information on how IBM i password encryption works at every password level, check out IBM Support Password Encryption document 634481.
Like the password encryption schemes provided for operating system user profile passwords, IBM also added a new password level 3 for Service Tools passwords (SST/DST). SST/DST level 3 allows admins to set PBKDF2 with HMAC SHA512 encryption for Service Tools passwords.
Default user profile passwords are no longer the default
In IBM i 7.4 and below, when creating a user profile, the user profile PASSWORD parameter defaults to *USRPRF if no other value is assigned. If PASSWORD remains set at *USRPRF, users are assigned default user profile passwords, where the profile password is equal to the user profile name. This is a definite security vulnerability.
In i 7.5, the default value for the user profile PASSWORD parameter will be set to *NONE (no password) if you don’t enter another value. *USRPRF will no longer be the default value for a new user profile password, which should cut down on the number of default passwords in the system.
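An added example (not IBM's code and not from this post) that ties the two password sections together: it derives and verifies a salted password hash with PBKDF2 and HMAC-SHA512, the scheme the post names for password level 4, and then runs a default-password audit that flags any profile whose password is its own profile name (the old *USRPRF default). The iteration count, salt length and the `iterations$salt$hash` storage format are assumptions for illustration; the post does not give IBM's actual parameters.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed work factor and salt size for the illustration; IBM's real
# QPWDLVL 4 parameters are not stated in the post.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way PBKDF2-HMAC-SHA512 hash of the password.

    A fresh random salt is generated unless one is supplied (supplying one
    is only useful for deterministic tests). The result is stored as
    'iterations$salt_hex$hash_hex' so verification can replay the derivation.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(derived, bytes.fromhex(hash_hex))


def find_default_passwords(profiles: Dict[str, str]) -> List[str]:
    """Return the profile names whose stored hash verifies against the name itself.

    This is the check an administrator wants for the *USRPRF default described
    above: a profile still using its own name as its password.
    """
    return sorted(name for name, stored in profiles.items()
                  if verify_password(name, stored))


if __name__ == "__main__":
    # Constructed sample: profile names are upper case, as on IBM i.
    sample = {"BOB": hash_password("BOB"), "ALICE": hash_password("Str0ng-Pass-Phrase")}
    print("profiles with default passwords:", find_default_passwords(sample))
```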
The eight-digit 11111111 & 22222222 system-provided SST/DST profiles have been part of the operating system almost since there was an operating system. No more. During an i 7.5 version upgrade or during a “from scratch” install, these profiles are removed from 7.5 systems. Going forward, the only IBM-supplied SST/DST profile will be:
- QSRV, which is disabled by default
Other SST/DST profiles not supplied by IBM will remain on the system after an upgrade.
i 7.5 introduces the QSYSCHKPR API, which can be used to verify whether a password meets the security rules defined in your system values. QSYSCHKPR only verifies passwords; it does not allow for password modification. QSYSCHKPR complements the SQL_CHECK_PASSWORD service, and both features can be used for authentication.
With i 7.5, IBM has removed System Security (QSECURITY) level 20 (user ID & password security with no resource or integrity security) from the system. Systems set at level 20 can continue to run on level 20. But i 7.5 no longer allows QSECURITY to be set to level 20.
Before i 7.5, the maximum number of sign-on attempts per user was set globally on each system, using the Maximum Sign-on attempts system value (QMAXSIGN). All users had the same maximum number of incorrect sign-on attempts before the system took action for that user (using the Actions When Sign-On Attempts Reached system value, QMAXSGNACN).
i 7.5 adds a parameter called Maximum sign-on attempts (MAXSIGN) to its user profiles that allows you to set a per-user maximum number of incorrect sign-ons before the system takes action. This lets you set higher or lower numbers of incorrect sign-on attempts for different users. For example, you may set a higher number of incorrect sign-on attempts for scanner users and a lower number for administrators or users with financial/inventory access.
A new NetServer and File Share setting allows you to control access to the NetServer server or to restrict access to individual NetServer file shares, using an IBM i authorization list (*AUTL). This provides global and granular control over who can access file shares, which should be helpful in securing IFS folders against ransomware attacks.
IBM has changed the default *PUBLIC authority for many objects from *CHANGE or *ALL to *USE. For objects that exist in a secondary language library, the *PUBLIC authority will also be changed for those objects. For a listing of the type and names of objects affected by this change, see IBM’s Public authority changes for objects web page.
Time doesn’t allow us to list off all of the security changes IBM included with i 7.5. To see more Security changes that aren’t listed here, go to the IBM i 7.5 Security Related Changes web page.
You can read IBM’s entire announcement by clicking here. However, some additional changes listed here can also be found in the IBM i 7.5 Security Related Changes web page or the IBM i 7.5 base enhancements page.
IBM i 7.5 is only supported on select IBM Power9 and Power10 systems. To understand what IBM i OS version will run on your Power processors, consult IBM’s system to IBM i mapping Web site. If you’re running IBM i in the cloud or at an MSP, consult your provider to see if you’re eligible to upgrade your IBM i systems to i 7.5.