General IBM i Security System Values

The general security-related system values provide a variety of system-level security functions.

The Allow Restoring of Security-Sensitive Objects security system value, QALWOBJRST, determines whether security-sensitive objects are allowed to be restored to the system. Use it to prevent anyone from restoring a system state object or an object that adopts authority. To view this value, enter the command DSPSYSVAL SYSVAL(QALWOBJRST). The default value of *ALL lets any object, including security-sensitive objects, be restored by a user with the appropriate authority. Entering the value of *NONE will prevent restoration of either system state objects or programs that adopt authority. To allow users to restore system state objects, but not programs that adopt authority, we issue the command CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(*ALWSYSSTT). To allow restoration of programs that adopt authority, but not system state objects, we run the command CHGSYSVAL SYSVAL(QALWOBJRST) VALUE(*ALWPGMADP).

The Create Authority system value, QCRTAUT, specifies the default public authority. Any new public object created with the authority set to *SYSVAL, which is the default, will reference the value set in QCRTAUT. The default value for the QCRTAUT system value is *CHANGE. To view the current value, we issue the command DSPSYSVAL SYSVAL(QCRTAUT). Security auditors may ask for the QCRTAUT value to be set to *USE, which allows users to view, but not change, newly created objects. Be aware that existing objects are unaffected by a change to the QCRTAUT value.

Setting the QALWOBJRST security system value to *NONE allows us to have maximum control over the restoration of system state objects and programs that adopt authority. Note, however, that before installing a new licensed product, applying PTFs, or recovering the system, we should change the QALWOBJRST system value to *ALL. Otherwise, those operations may fail. Setting QALWOBJRST to the *ALWPTF value would allow restoring security-sensitive objects as part of a PTF, but reports from the field indicate that this does not always work as intended.

The Remote Sign-on Value, QRMTSIGN, determines how our system handles any automatic passthrough request that it receives. The default value for QRMTSIGN is *FRCSIGNON, which requires the user to go through the normal sign on procedure when accessing the IBM i remotely. To allow the bypass signon feature for IBM’s Client Access software, we should set QRMTSIGN to *VERIFY. If the value is not set to *VERIFY, we will not be able to bypass the sign on display. Note that automatic passthrough requests must contain a valid user profile and the valid password for that profile.

The Limit Device Sessions security system value, QLMTDEVSSN, determines whether a user can be signed on at more than one workstation at a time. A value of 0 allows a user profile to work at more than one workstation simultaneously. The initial value for QLMTDEVSSN is 0, which allows users to sign on to more than one device. To limit users to only one session, we issue the command CHGSYSVAL SYSVAL(QLMTDEVSSN) VALUE('1').

The Inactive Job Time-out Interval system value, QINACTITV, controls the inactive job time-out interval. The initial value is *NONE. We can set the value to any length of time between 5 and 300 minutes. Note that FTP jobs are not covered under this system value.

The Allow User Domain Objects in These Libraries system value, QALWUSRDMN, specifies which libraries may contain user domain objects. User domain objects include those of type User Index, *USRIDX, User Queue, *USRQ, and User Space, *USRSPC. The default value for QALWUSRDMN is *ALL. Removing *ALL requires listing the libraries in which we want to allow user domain objects to be created, and that list must include QTMP. It might also be a good idea to include library QRPLOBJ.

The Automatic Virtual Device Creation system value, QAUTOVRT, controls the number of virtual devices configured for pass-through in a remote communications environment. A virtual device is simply a device description that does not have hardware associated with it. To allow the maximum number of virtual devices to be created, we use the special value *NOMAX and issue the command CHGSYSVAL SYSVAL(QAUTOVRT) VALUE(*NOMAX).
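
To check several of the values above in one pass, the following query is an added example, not part of the original article. It assumes the Db2 for i service QSYS2.SYSTEM_VALUE_INFO is available on your release, and the baseline rows are an assumed site policy built from the settings discussed above; adjust them to your own requirements.

```sql
-- Added example: compare current security system values with a baseline.
-- Baseline rows are an assumption based on the settings discussed above.
-- rule EQ = value must equal expected; NE = value must differ from expected.
WITH baseline (sysval, rule, expected, note) AS (
  VALUES
    ('QALWOBJRST', 'EQ', '*NONE',      'No restore of system state or adopting programs'),
    ('QCRTAUT',    'EQ', '*USE',       'Default public authority for new objects'),
    ('QRMTSIGN',   'EQ', '*FRCSIGNON', '*VERIFY only if bypass sign-on is required'),
    ('QLMTDEVSSN', 'EQ', '1',          'One device session per user'),
    ('QINACTITV',  'NE', '*NONE',      'Inactive jobs should time out'),
    ('QALWUSRDMN', 'NE', '*ALL',       'Explicit library list that includes QTMP')
),
current_values (sysval, actual) AS (
  -- A system value is reported in either the character or the numeric
  -- column; normalize both to a trimmed character string.
  SELECT system_value_name,
         TRIM(COALESCE(CAST(current_character_value AS VARCHAR(1280)),
                       CAST(current_numeric_value   AS VARCHAR(20))))
    FROM qsys2.system_value_info
)
SELECT b.sysval,
       c.actual,
       b.rule || ' ' || b.expected AS baseline,
       CASE
         WHEN c.actual IS NULL                           THEN 'NOT REPORTED'
         WHEN b.rule = 'EQ' AND c.actual =  b.expected   THEN 'OK'
         WHEN b.rule = 'NE' AND c.actual <> b.expected   THEN 'OK'
         ELSE 'REVIEW'
       END AS status,
       b.note
  FROM baseline b
  LEFT JOIN current_values c
    ON c.sysval = b.sysval
 ORDER BY status DESC, b.sysval;
```

A REVIEW row for QALWOBJRST is expected during the window in which the value is temporarily set to *ALL for a product install, PTF apply, or system recovery; outside such a window it indicates the value was not set back.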

Working with Date and Time System Values

The date and time values, *DATTIM, let us view, set, and change the date and time the system stores and makes available to applications and utilities.

The system value that holds the current date for the system is QDATE. The QDATE value includes the day, month, and year. To see the current date on the system, run the command DSPSYSVAL SYSVAL(QDATE). The day, month, and year are set individually by the subvalues QDAY, QMONTH, and QYEAR, respectively. We can also view what century the IBM i platform thinks it is via the QCENTURY system value.

The current time of day is stored in the QTIME system value. Time can be further divided into QHOUR, QMINUTE, and QSECOND. The current system time as an offset of Coordinated Universal Time (UTC) is set in the system value QUTCOFFSET.

The system date and time are stored in the value QDATETIME. To see both the current date and time, run the command DSPSYSVAL SYSVAL(QDATETIME).

The day of the week is defined by the system value QDAYOFWEEK; therefore, to see what day of the week it is, we would issue the command DSPSYSVAL SYSVAL(QDAYOFWEEK). The days of the week are indicated by the special values *SUN, *MON, *TUE, *WED, *THU, *FRI, and *SAT.

We can change the date and time system values using the CHGSYSVAL command, for which we need to specify two parameters, the first being the name of the system value we wish to change, and the second being the value we wish to change it to. To change the current year on the system, we would issue the command CHGSYSVAL SYSVAL(QYEAR) followed by the VALUE parameter and the year we wish to set QYEAR to. For example, we could travel into the future by setting the date to the year 2042 by issuing the command CHGSYSVAL SYSVAL(QYEAR) VALUE('42'). Note that we place the year value in single quotation marks. So, to change the date to April 21, 2015, we would issue the command CHGSYSVAL SYSVAL(QDATE) VALUE('042115'). Note again that we place the date value in single quotation marks.

We can modify the entire date at once by changing the system value QDATE. However, before changing QDATE using the CHGSYSVAL command, we should check the Date Format system value, QDATFMT. The QDATFMT system value determines the format in which a date can be specified. To view the date format, let’s issue the command DSPSYSVAL SYSVAL(QDATFMT). In the United States and outlying territories, this value will be MDY, indicating that the date format is month, day, and then year. To set the format to day, month, year, we issue the command CHGSYSVAL SYSVAL(QDATFMT) VALUE(DMY).

The system time is stored in QTIME and related subvalues. We can change the time to 5 PM, for instance, by issuing the command CHGSYSVAL SYSVAL(QHOUR) VALUE('17'). We should note well that the system value for time is expressed on a 24-hour clock. The QTIME system value is six characters in length, and follows the format hours-minutes-seconds. Therefore, if we wanted to change the time to 5:20 in the morning, we would issue the command CHGSYSVAL SYSVAL(QTIME) VALUE('052000').

Finally, we can always list all of the system values by entering the Work with System Value command, WRKSYSVAL, at the prompt. Entering the command WRKSYSVAL SYSVAL(*DATTIM) will list all of the date and time system values.
