May 22, 2025 | IBM i

IBM i 7.6: What’s New in IBM iSecurity

IBM i 7.6 brings several security changes to the operating system. This overview covers the new security features in i 7.6 and how they might affect a typical shop. The key changes, each covered in its own section below, are:

  • Authority requirement changes
  • Cluster administrative domain changes
  • Audit journal (QAUDJRN) entry changes
  • Integrated multi-factor authentication (native MFA)
  • AES encryption attempted first for DRDA/DDM connections
  • Network File System (NFS) configuration file ownership and authority changes
  • The new Host Connection Server (HCS)
  • Not-changeable (_NC) system user profiles for automated processes
  • Deleted IBM-supplied user profiles (QMGTC, QIBMHELP, QPM400)
  • Security attribute interfaces that now require *SECADM or *AUDIT special authority
  • Security system value changes
  • Power hardware needed to run i 7.6

Authority Requirement Changes 

i 7.6 raises the authority required to view and modify many IBM i commands, SQL views, APIs, services, and functions. The changes add special authority requirements (*IOSYSCFG, *SECADM, and *SECOFR-level access) and set *PUBLIC authority to *EXCLUDE for several items, including the following. Expect jobs and queries that ordinary users ran successfully before the upgrade to start failing with authority errors afterwards, so review who holds these special authorities before upgrading.

  • Command and API authority changes
  • Db2 Mirror for i
  • NetServer
  • QSYS2.SECURITY_INFO, QSYS2.DATABASE_MONITOR_INFO, and other views
  • SQL services
  • Start Pass-Through (STRPASTHR) command
  • System values and network attributes
  • Tape commands and APIs

See IBM's i 7.6 Authority Requirement Changes page for the full list.

Cluster Administrative Domain Changes

Audit records generated by the cluster administrative domain job when a monitored resource is created, changed, or deleted on a target node are now written under the QCLUSTER user profile instead of QSYS. Audit reports or SIEM rules that attribute these entries to QSYS need updating.

The IBM i cluster administrative domain has been updated to synchronize user profiles that are enabled for native MFA. However, most IBM i cluster operations fail when invoked by a user whose authentication method is *TOTP or *REGFAC, and an operation on a resource monitored by the administrative domain may leave that resource inconsistent if it is invoked by such a user. Run cluster administration from a profile that is not MFA-enabled.

Network File Cache (NFC) is no longer supported in the cluster administrative domain and can no longer be added as a monitored resource entry (MRE). Existing NFC *TCPA MREs are not removed, but they have limited value; IBM recommends removing them from the cluster administrative domain.

Also note that the INETD connection used to start cluster nodes has changed in i 7.6. Before 7.6, INETD connections ran under the QUSER user profile; starting with 7.6 they run under the QUSER_NC user profile. Check any exit programs, object authorities, or monitoring rules that key on QUSER for this connection.

IBM i Audit Journal (QAUDJRN) Entry Changes

Audit Entry Change for Authority Collections

QAUDJRN audit entries indicating that authority came from a function usage list (GR entries with entry type F and operation *CHKUSAGE) are no longer generated in i 7.6 when function ID usage is checked for the following commands, so reports that count on those entries lose that signal:

  • For function ID QIBM_DB_SECADM:
    • Change Authority Collection (CHGAUTCOL) command
    • Delete Authority Collection (DLTAUTCOL) command
    • End Authority Collection (ENDAUTCOL) command
    • Start Authority Collection (STRAUTCOL) command
  • For function ID QIBM_SERVICE_DUMP:
    • Dump User Profile (DMPUSRPRF) command

Audit Entry Change for Systems Management Changes

The SM (Systems Management Change) audit journal entry changes in i 7.6 when it references the Change DDM TCP/IP Attributes (CHGDDMTCPA) CL command: the Entry Type field now contains 'M', where it previously contained 'D' (DRDA). Any SIEM parser or audit report that selects CHGDDMTCPA changes by Entry Type 'D' needs updating.

Integrated Multi-Factor Authentication (Native MFA)

IBM built Multi-Factor Authentication (MFA) sign-on support directly into the IBM i 7.6 operating system. Native MFA is only available when running on Power10 servers. It authenticates users with their IBM i user ID, password, and a Time-based One-Time Password (TOTP).

Native MFA also provides a separate TOTP implementation for System Service Tools (SST) and Dedicated Service Tools (DST) user logins. The SST/DST support is not connected to native IBM i MFA for user profiles and uses a different verification mechanism, so enrolling a user profile does not enroll the corresponding service tools user ID, and vice versa.

Native MFA Changes for Automation Interfaces 

Note that enabling native IBM i MFA can break automation interfaces, such as the Submit Job (SBMJOB) command and the Get Profile Handle API, that run work under a specific user ID without supplying a password. To keep automated processes running, you may need to change scheduled jobs or remote automated sign-ons to use the new not-changeable (_NC) user profiles.

Related reading: FAQ: Using iSecurity Multi Factor Authentication versus Native IBM i MFA

AES Encryption Attempted First for All DRDA/DDM Connections

All i 7.6 DRDA/DDM connection attempts first try to negotiate the stronger AES encryption algorithm. Only if AES is not supported does the handshake fall back to DES, and then only for DDM files and RDB directory entries configured with ENCALG(*DES). Bear in mind that DES is a 56-bit cipher that no longer provides meaningful protection, so treat any entry still configured with ENCALG(*DES) as something to clean up rather than as a working fallback.

Be sure to test your DRDA/DDM connections before upgrading to 7.6, in particular any DDM files or RDB directory entries still configured with ENCALG(*DES), since those are the only connections that will still negotiate DES.

Network File System (NFS) configuration files 

Objects created by the Perform NFS Options (QZNFNFSO) API undergo ownership and *PUBLIC authority changes during an IBM i 7.6 upgrade. The /etc/nfs directory and all files created in it are now owned by QSYS, with *PUBLIC authority set to *EXCLUDE. Note that these ownership and authority settings may be reset when i 7.6 NFS objects are restored to a previous release.

New Host Connection Server for Authentication and Transfer 

IBM i 7.6 introduces a new Host Connection Server (HCS) that authenticates clients and hands off new connections to the other host servers. HCS requires Transport Layer Security (TLS) and digital certificates for its connections. It removes the need for users to re-authenticate and re-supply additional authentication factors each time they open a new connection to a host server: a client authenticates and establishes a secure session once, then uses that authenticated session to create subsequent connections through HCS without re-authenticating. That authenticated session therefore becomes the thing to protect, so its lifetime and the TLS certificate configuration deserve the same review as the initial sign-on.

Not-Changeable (_NC) System User Profiles for Automated Processes  

To facilitate automated processes, IBM i 7.6 introduced the following set of not-changeable, system-supplied user profiles:  

  • QSECOFR_NC—Security Officer profile 
  • QPGMR_NC—Programmer and Batch User profile 
  • QSYSOPR_NC—System Operator profile 
  • QUSER_NC—Work-station user profile

The new _NC profiles carry the same privileges as their non-NC counterparts (QSECOFR, QPGMR, QSYSOPR, and QUSER). They are shipped without passwords and cannot be modified. For security reasons, they cannot be enrolled in native IBM i Multi-Factor Authentication (MFA), and they cannot be denied the QIBM_RUN_UNDER_USER_NO_AUTH function usage ID.

As a result, _NC profiles can be used to bypass MFA and other sign-on restrictions for automated processing that must run under a designated user ID, typically through the Submit Job (SBMJOB) command or the Get Profile Handle (QsyGetProfileHandle) API. Per IBM, many i 7.6 interfaces have been changed to run under the new profiles. Because QSECOFR_NC carries full security officer authority and can never be MFA-protected, treat *USE authority to the _NC profiles as you would treat QSECOFR's password: it is what allows a job to be submitted or a profile handle to be obtained under that profile.

IBM provides a sample SQL query that can identify if there are differences between a previous profile and its new “_NC” profile counterpart.  See the IBM i 7.6 Security Related Changes web page for more details. 
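The following query is an added example written for this overview; it is not IBM's sample query. It assumes the QSYS2.USER_INFO view with the column names used below and is meant to run on a 7.6 system where the _NC profiles exist (the LEFT JOIN flags a missing _NC profile instead of silently dropping it). It reports only the attributes where a _NC profile differs from its base profile.

```sql
-- Added example (not IBM's sample query): compare each IBM-supplied profile with
-- its i 7.6 not-changeable (_NC) counterpart and list only the attributes that
-- differ. Assumes the QSYS2.USER_INFO view and the column names used below.
WITH pairs (base_name, nc_name) AS (
  VALUES ('QSECOFR', 'QSECOFR_NC'),
         ('QPGMR',   'QPGMR_NC'),
         ('QSYSOPR', 'QSYSOPR_NC'),
         ('QUSER',   'QUSER_NC')
),
paired AS (
  -- LEFT JOIN so a missing _NC profile (for example on a pre-7.6 system)
  -- shows up as nc_exists = 'NO' instead of disappearing from the result.
  SELECT p.base_name, p.nc_name,
         CASE WHEN n.AUTHORIZATION_NAME IS NULL THEN 'NO' ELSE 'YES' END AS nc_exists,
         b.STATUS                  AS b_status,  n.STATUS                  AS n_status,
         b.USER_CLASS_NAME         AS b_class,   n.USER_CLASS_NAME         AS n_class,
         b.SPECIAL_AUTHORITIES     AS b_spcaut,  n.SPECIAL_AUTHORITIES     AS n_spcaut,
         b.GROUP_PROFILE_NAME      AS b_grp,     n.GROUP_PROFILE_NAME      AS n_grp,
         b.SUPPLEMENTAL_GROUP_LIST AS b_supgrp,  n.SUPPLEMENTAL_GROUP_LIST AS n_supgrp,
         b.LIMIT_CAPABILITIES      AS b_lmtcpb,  n.LIMIT_CAPABILITIES      AS n_lmtcpb,
         b.INITIAL_PROGRAM_NAME    AS b_inlpgm,  n.INITIAL_PROGRAM_NAME    AS n_inlpgm,
         b.JOB_DESCRIPTION_NAME    AS b_jobd,    n.JOB_DESCRIPTION_NAME    AS n_jobd,
         b.NO_PASSWORD_INDICATOR   AS b_nopwd,   n.NO_PASSWORD_INDICATOR   AS n_nopwd
  FROM pairs p
  JOIN      QSYS2.USER_INFO b ON b.AUTHORIZATION_NAME = p.base_name
  LEFT JOIN QSYS2.USER_INFO n ON n.AUTHORIZATION_NAME = p.nc_name
),
-- Unpivot the attribute pairs into one row per (profile pair, attribute).
attrs (base_name, nc_name, nc_exists, attr_name, base_value, nc_value) AS (
  SELECT base_name, nc_name, nc_exists, 'STATUS',                  b_status, n_status FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'USER_CLASS_NAME',         b_class,  n_class  FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'SPECIAL_AUTHORITIES',     b_spcaut, n_spcaut FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'GROUP_PROFILE_NAME',      b_grp,    n_grp    FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'SUPPLEMENTAL_GROUP_LIST', b_supgrp, n_supgrp FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'LIMIT_CAPABILITIES',      b_lmtcpb, n_lmtcpb FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'INITIAL_PROGRAM_NAME',    b_inlpgm, n_inlpgm FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'JOB_DESCRIPTION_NAME',    b_jobd,   n_jobd   FROM paired UNION ALL
  SELECT base_name, nc_name, nc_exists, 'NO_PASSWORD_INDICATOR',   b_nopwd,  n_nopwd  FROM paired
)
SELECT base_name, nc_name, attr_name, base_value, nc_value,
       CASE WHEN nc_exists = 'NO' THEN '_NC profile not found on this system'
            -- The base profile may carry a password; the _NC profile ships without one.
            WHEN attr_name = 'NO_PASSWORD_INDICATOR' AND nc_value = 'YES'
                 THEN 'expected: _NC profiles ship without a password'
            ELSE 'differs: review' END AS note
FROM attrs
WHERE COALESCE(base_value, '') <> COALESCE(nc_value, '')
ORDER BY base_name, attr_name;
```

An empty result means the _NC profiles match their base profiles on every attribute compared. The one difference you should expect is NO_PASSWORD_INDICATOR, since the base profiles normally have passwords and the _NC profiles ship without them; a _NC profile reporting a password, or any difference in SPECIAL_AUTHORITIES, is worth investigating before automation is moved onto it.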
QMGTC, QIBMHELP, and QPM400 User Profiles Deleted 

IBM deletes the QMGTC, QIBMHELP, and QPM400 IBM-supplied user profiles when you upgrade to IBM i 7.6, along with any objects they own.

IBM provides a query you can run before a 7.6 upgrade that confirms whether these profiles own any objects in the QSYS or QUSRSYS libraries.
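The query below is an added example, not IBM's pre-upgrade query. It assumes the QSYS2.OBJECT_STATISTICS table function with its OBJLIB, OBJNAME, OBJTYPE, OBJATTRIBUTE, OBJOWNER, OBJSIZE and LAST_USED_TIMESTAMP columns, and covers the two libraries the page names; the Change Object Owner (CHGOBJOWN) command it mentions is the standard way to re-home an object you want to keep.

```sql
-- Added example (not IBM's query): list everything in QSYS and QUSRSYS owned by
-- the three IBM-supplied profiles that the i 7.6 upgrade deletes together with
-- the objects they own. Assumes QSYS2.OBJECT_STATISTICS(object_schema, object_type)
-- and its OBJLIB, OBJNAME, OBJTYPE, OBJATTRIBUTE, OBJOWNER, OBJSIZE and
-- LAST_USED_TIMESTAMP columns.
WITH owned AS (
  SELECT OBJLIB, OBJNAME, OBJTYPE, OBJATTRIBUTE, OBJOWNER, OBJSIZE, LAST_USED_TIMESTAMP
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*ALL'))
  UNION ALL
  SELECT OBJLIB, OBJNAME, OBJTYPE, OBJATTRIBUTE, OBJOWNER, OBJSIZE, LAST_USED_TIMESTAMP
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QUSRSYS', '*ALL'))
)
SELECT OBJOWNER            AS owner_name,
       OBJLIB              AS library_name,
       OBJNAME             AS object_name,
       OBJTYPE             AS object_type,
       OBJATTRIBUTE        AS object_attr,
       OBJSIZE             AS size_bytes,
       LAST_USED_TIMESTAMP AS last_used,
       -- An object with no recorded use is the weakest candidate for keeping;
       -- anything still in use needs a new owner (CHGOBJOWN) or a save first.
       CASE WHEN LAST_USED_TIMESTAMP IS NULL THEN 'no recorded use'
            ELSE 'in use: change owner or save before upgrading' END AS action_hint
FROM owned
WHERE OBJOWNER IN ('QMGTC', 'QIBMHELP', 'QPM400')
ORDER BY OBJOWNER, OBJLIB, OBJNAME;
```

Because the upgrade deletes the objects along with the profiles, any row in this result is data you will lose unless you change its owner or save it first. The same three-name filter can be applied to other libraries if your shop has ever used these profiles outside QSYS and QUSRSYS.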
Security Attributes Interfaces Require *SECADM/*AUDIT Special Authorities 

The Display Security Attributes (DSPSECA) command, the Retrieve Security Attributes (QSYRTVSA) API, and the QSYS2.SECURITY_INFO view now require *SECADM or *AUDIT special authority on IBM i 7.6. Monitoring or reporting jobs that read these interfaces under an ordinary user profile will fail after the upgrade unless that profile is granted one of these authorities.

Security System Value Changes  

The Password Level (QPWDLVL) system value now ships with a default value of 3 (passwords of 1 to 128 characters are supported). This change only affects new system installs; an upgraded system keeps its current value.

The Password Rules (QPWDRULES) system value now ships with a default value of *ALLCRTCHG *LMTPRFNAME *MINLEN15 *REQANY3. This change only affects new system installs; an upgraded system keeps its current value.
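Since an upgraded system keeps whatever it had, the practical question is how far your existing values are from the new ship defaults. The query below is an added example, not something from IBM's page; it assumes the QSYS2.SYSTEM_VALUE_INFO view with SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE and CURRENT_CHARACTER_VALUE columns, and it compares the QPWDRULES string as written, so the same rules in a different order show as a difference.

```sql
-- Added example (not from IBM's page): compare the running system's password
-- system values with the i 7.6 ship defaults. Existing systems keep their current
-- values across the upgrade, so the 'differs' rows are the ones to review.
-- Assumes QSYS2.SYSTEM_VALUE_INFO with SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE
-- and CURRENT_CHARACTER_VALUE columns.
WITH ship_defaults (system_value_name, ship_default) AS (
  VALUES ('QPWDLVL',   '3'),
         ('QPWDRULES', '*ALLCRTCHG *LMTPRFNAME *MINLEN15 *REQANY3')
),
current_values AS (
  -- QPWDLVL is numeric, QPWDRULES is character; normalize both to a string.
  SELECT SYSTEM_VALUE_NAME,
         COALESCE(VARCHAR(CURRENT_NUMERIC_VALUE), RTRIM(CURRENT_CHARACTER_VALUE)) AS current_value
  FROM QSYS2.SYSTEM_VALUE_INFO
)
SELECT d.system_value_name,
       c.current_value,
       d.ship_default AS ship_default_7_6,
       CASE WHEN c.current_value = d.ship_default THEN 'matches 7.6 default'
            ELSE 'differs: review against the 7.6 default' END AS compare_result
FROM ship_defaults d
JOIN current_values c ON c.SYSTEM_VALUE_NAME = d.system_value_name
ORDER BY d.system_value_name;
```

If you decide to move an existing system toward the new defaults, remember that a QPWDLVL change only takes effect at the next IPL and that raising the level affects how stored passwords are used, so plan the change and test sign-on from every client type rather than treating it as a simple value edit.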
How to find the IBM i 7.6 announcement 

You can read IBM's i 7.6 announcement on IBM's site. Additional security changes not listed here can be found on the IBM i 7.6 Security Related Changes page or the IBM i 7.6 base enhancements page.

IBM Power Hardware Needed to run i 7.6 

IBM i 7.6 is only supported on select IBM Power10 systems. To understand which IBM i OS version will run on your Power processors, consult IBM's system-to-IBM i mapping web site. If you run IBM i in the cloud or at an MSP, check with your provider to see whether you are eligible to upgrade your IBM i systems to i 7.6.