By now, most of you have probably seen a quick overview and summaries of the recent announcements from IBM surrounding the next release of the IBM i OS. Release 7.5 includes lots of goodies in different areas but I want to take a look at the security changes and improvements and try to give them some context.
Some of these changes have been a long time coming. For example, under 7.5 when a new user profile is created, the system will no longer default to a password that is the same as the user profile. This default password issue has been with us for a long time and this release finally puts it to rest. The default setting is now that the user will get a password set to *NONE. Another new default setting here will force the new user to be expired. This, hopefully, will force security admins to spend a few extra moments to get new users properly configured before hitting enter to add them to the system.
No More Security Level 20
Another change that is a long time coming is the removal of security level 20. This follows on the removal of security level 10 (ie: no security) which was taken out long ago. Level 20 required user profiles and passwords, but nothing further than that. Under level 20, there were no object level controls, so every user had the equivalent of *ALLOBJ access to the system, leaving it very exposed. Thankfully, level 20 is now gone and level 30 is the minimum level which imposes object level controls. IBM has been shipping the IBM i OS with a default setting of 40 for some time now, so hopefully this will not be an issue for most customers. If your system is currently running at level 20, be prepared to do some advance planning.
Read more about security levels here
System Level Password Settings
Also with IBM i 7.5 is a new system password level setting. Until now, the IBM i OS has supported password levels of zero through three. IBM i 7.5 adds password level four. This new level imposes SHA512 encryption for all IBM i user passwords. Level 4 is similar to levels 2 and 3 in that it provides for long (up to 128 character) password phrases and not the more familiar 10 character passwords. In order to move to level 4, you must first be at level 2 or 3. IBM has posted instructions online about how to make the move to level 4. If you are already at level 2 or 3, IBM i 7.5 will start creating and maintaining level 4 passwords for you any time a user profile is added or a current password is changed. This will simplify moving to level 4 down the road.
Read more about password levels here
Incorrect Password Attempts
User profiles have been enhanced in IBM i 7.5 as well. Prior to this, a global system value setting (QMAXSIGN) controlled how many incorrect password tries were allowed before a log in process was rejected. With 7.5, you can optionally control this setting for each individual user profile. A default setting of *SYSVAL will still enforce the system value, but you can modify it as needed for end user situations where more (or fewer) attempts may be needed.
Password Validation API
Also included in the release is a new system API that can be used to validate a new password prior to posting it. This new API (QSYSCHKPR) will let your application check a new password for all system based password controls and let you know if it passes or fails. This API only validates the password and does not update it. Prior to this, an application had to try to make the change and then watch for API error codes to see if it failed.
Block Outdated Connections
For those of you still in the dark ages with your attached PC’s, another security change will prevent any Win95, Win98 or Win 2000 PC’s from connecting. These connections were very insecure and needed to be removed from the OS. If you have any of this older technology, start making plans now.
System Service Tools
You will also see some new System Service Tools changes in 7.5. The age old user/password combinations of eight 1's or eight 2's go away. You will also be able to lock your password validation exit program at the system level not allowing it to be changed or removed without previously changing the SST setting. SST profiles can now have a password expiration term set and enforced. Several other SST setting are also included with new options on the Change SST Security Attributes (CHGSSTSECA) command.
IBM i Navigator Access
For those using IBM i Navigator, a new capability will let you control which users can access the IBM i NetServer interface by controlling it with an Authorization List. You add the authorization list of the NetServer and it will only permit users specified in the list to use the NetServer functions.
Managing Digital Certificates
The IBM Digital Certificate Manager (DCM), a long suffering application that many have reported having issues with (including this writer) has gotten a face lift with new controls and capabilities added. This list of changes and enhancements is extensive and we hope to see a much improved implementation.
FTP Client Configuration
A change to the IBM i OS FTP Client will optionally allow a user to accept an untrusted certificate from a remote server. The default setting will reject such certificates, but a change in the OS will allow a security admin to grant permission to specific users to allow such connections.
There are many more security related changes included with this large announcement, but I think these are enough for users to start considering. Keep in mind to read the Memo to Users for IBM i 7.5 to make sure that you plan for all eventualities that might come along during an upgrade. This is especially so for users moving up from 7.2 or earlier; in fact you may have to consult multiple memos to users for the interim update levels. By now, most of you have probably seen a quick overview and summaries of the recent announcements from IBM surrounding the next release of the IBM i OS. Release 7.5 includes lots of goodies in different areas but I want to take a look at the security changes and improvements and try to give them some context.