By Rich Loeber
Nothing supports the popularity of the IBM i as much as the number of customers with multiple systems installed. These can be either multiple partitions on a single box or separate boxes. For security officers, this can easily mean a lot of extra work keeping each system setup and configured for company security policies.
While this can be a complex task, IBM has provided an little known capability in the IBM i OS for quite a while now that can help you to enforce standard security configuration setup rules across separate systems. This is through the use of the CFGSYSSEC (Configure System Security) command. This command, which has no parameters, calls a CL program named QSECCFGS in the QSYS library. This program sets the security related system values to standard settings recommended by IBM.
The good news for the security officer with multiple systems to control is that this CL program can be changed to meet your unique setup requirements. The base program as shipped with IBM i can be retrieved and then modified for your unique needs (not unlike the way the system startup program QSTRUPPGM works).
To retrieve the CL program, just run the following command on your system:
RTVCLSRC PGM(QSYS/QSECCFGS) SRCFILE(mylib/QCLSRC)
This will place a source member in your QCLSRC source physical file named QSECCFGS. To be on the safe side, you should probably rename this and, when you recompile it, place the new compiled program into QUSRSYS. Once this is done, just change the IBM i CFGSYSSEC command to run the your modified program from QUSRSYS with the following command:
CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QUSRSYS/myseccfgs)
When you review the CL program source that has been retrieved, there is some housekeeping that takes place early in the program. You can review the settings imposed by the program after the housekeeping to see how IBM recommends your security setup and make changes that will implement standard security settings for your own requirements.
To implement the standard security setup across your multiple system environment, simply install your custom setup program on each system in your network and modify the CFGSYSSEC command on each system to call your modified program in place of the IBM default program. To guard against possible changes being made to the setup, you can even add this to your automatic schedule to run on a weekly or even daily basis to keep these setting enforced.
The retrieve CL program is a little tough to read, but perseverance will prevail. If you need help with it, let me know what you need specifically and I’ll see if I can help. If you have any questions about anything in this tip, just ask me and I’ll give you my best shot. My email address is rich at kisco.com. All email will be answered.