Kisco Systems

IBM i Security Tips


Lock Up Your System Values

By Rich Loeber

When you implement your company's security policy on your IBM i, often the first thing you do is review your system values. System values define global, system-wide settings on your IBM i platform. Many of these system values pertain to how you want to implement system security. This tip will review how to look at these settings and then, how to lock them in place so that they cannot be changed.

So many of these system values are security related that the OS designers provided an easy way for you to review and work with the security settings: run the "Work with System Values" command (WRKSYSVAL) with the "System value" (SYSVAL) parameter set to the special value *SEC, like this:

    WRKSYSVAL SYSVAL(*SEC)

Setting the OUTPUT parameter to *PRINT produces a printed listing of the security system values. Alternatively, run the command with the OUTPUT parameter left at its default and the system will display the security system values for you to review interactively. A similar review function is available from iSeries Navigator, but there the security functions are spread out over several different selection tabs (at least on my version), and you have to go to several places to find everything that the single *SEC review of the WRKSYSVAL command gives you on one screen.

When working with the values interactively, you can review the current setting using option 5 or you can change the value using option 2. The list of system values displayed shows the name of the value and a text description. Often, this is not enough information for you to determine exactly what you're looking at. When I find myself in this situation, I put a 5 next to it, then position the cursor over the current value displayed and press the HELP (or F1) key. The help text that comes with this command is quite comprehensive and very helpful.
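As an added example (not from the original post), here is a small Python drift check for the *SEC values: it takes the name/value pairs from a security system value review and flags any that fall outside a policy baseline. The baseline figures and the one-name-per-line listing layout are assumptions for illustration, not the exact spool layout of WRKSYSVAL OUTPUT(*PRINT); on current releases the same pairs can be pulled from the QSYS2.SYSTEM_VALUE_INFO view.

```python
# Added example: baseline check for the security system values that
# WRKSYSVAL SYSVAL(*SEC) reports. Baseline values are assumptions for
# illustration, not recommendations taken from the article.

# Assumed policy baseline: name -> (predicate on the current value, expectation text)
BASELINE = {
    "QSECURITY": (lambda v: int(v) >= 40, ">= 40"),
    "QPWDMINLEN": (lambda v: int(v) >= 8, ">= 8"),
    "QMAXSIGN": (lambda v: v != "*NOMAX" and int(v) <= 5, "<= 5, not *NOMAX"),
    "QINACTITV": (lambda v: v != "*NONE" and int(v) <= 60, "<= 60 minutes"),
    "QAUDCTL": (lambda v: "*AUDLVL" in v.split(), "includes *AUDLVL"),
    "QALWOBJRST": (lambda v: "*ALL" not in v.split(), "does not include *ALL"),
}


def parse_listing(text):
    """Parse one 'NAME  VALUE' pair per line (simplified, constructed layout)."""
    values = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("Q"):
            values[parts[0]] = parts[1].strip()
    return values


def check_baseline(values, baseline=BASELINE):
    """Return (name, current, expected) for every value that is missing or off-policy."""
    findings = []
    for name, (is_ok, expected) in baseline.items():
        current = values.get(name)
        if current is None:
            findings.append((name, "<not reported>", expected))
            continue
        try:
            ok = is_ok(current)
        except ValueError:  # e.g. a special value where a number was expected
            ok = False
        if not ok:
            findings.append((name, current, expected))
    return findings


# Constructed sample review; the three weak settings should be flagged
SAMPLE_LISTING = """\
QSECURITY    30
QPWDMINLEN   6
QMAXSIGN     *NOMAX
QINACTITV    30
QAUDCTL      *AUDLVL *OBJAUD
QALWOBJRST   *ALWPGMADP *ALWPTF
"""

if __name__ == "__main__":
    for name, current, expected in check_baseline(parse_listing(SAMPLE_LISTING)):
        print(f"{name:<12} current={current:<22} expected {expected}")
```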

Changing any of your security system values should not be done on a whim. Planning and preparation are the watchwords for this process. It is all too easy to shoot yourself in the foot by making a security change on the fly and then losing, for example, the ability to sign on to your system. All security changes should be researched in advance to determine their exact impact on your system. If you're not sure, do the work to find out rather than just trying it out without knowing the impact.

Once you have your security system values set along with the other system values (and there are loads of them), it is a good idea to lock them in place. On too many systems, there are just too many users with all object (*ALLOBJ) and security administrator (*SECADM) special authorities in their user profiles, and any one of them can change a system value. Locking the system values prevents casual changes and thereby preserves the security policy that you've designed and implemented.

To lock your security system values in place, use the System Service Tools. Start them from a display session with the Start System Service Tools (STRSST) command; you will need to supply your service tools user ID and password to complete the start. Once started, choose option #7 from the menu (Work with system security). Then, from the next screen, use option 2 to lock the security system values in place.

Once these are locked in place, the only way to make changes is to go back into the System Service Tools and unlock them from the same screen where you locked them, using option 1. These settings can also be manipulated at IPL time from the Dedicated Service Tools (DST). Once locked, even users with *SECADM or *ALLOBJ cannot make capricious changes to the security system values, so your security policy decisions will remain in force without worry. Note that anyone holding a service tools user ID that can reach that screen can reverse the lock, so those credentials deserve the same protection as your most powerful user profiles.

If you have any questions about this topic you can reach me at (rich at kisco dot com); I'll try to answer any questions you may have. All email messages will be answered.