Configuring the system to use security tools

This information describes how to set up your system to use the security tools that are part of i5/OS^®.

When you install i5/OS, the security tools are ready to use. The topics that follow provide suggestions for operating procedures with the security tools.

Using security tools securely

When you install i5/OS, the objects that are associated with the security tools are secure. To operate the security tools securely, avoid making authority changes to any security tool objects.

Following are the security settings and requirements for security tool objects:

• The security tool programs and commands are in the QSYS product library. The commands and the programs ship with the public authority of *EXCLUDE. Many of the security tool commands create files in the QUSRSYS library. When the system creates these files, the public authority for the files is *EXCLUDE. Files that contain information for producing changed reports have names that begin with QSEC. Files that contain information for managing user profiles have names that begin with QASEC. These files contain confidential information about your system. Therefore, you should not change the public authority to the files.

• The security tools use your normal system setup for directing printed output. These reports contain confidential information about your system. To direct the output to a protected output queue, make appropriate changes to the user profile or job description for users who will be running the security tools.

• Because of their security functions and because they access many objects on the system, the security tool commands require *ALLOBJ special authority. Some of the commands also require *SECADM, *AUDIT, or *IOSYSCFG special authority. To ensure that the commands run successfully, you should sign on as a security officer when you use the security tools. Therefore, you should not need to grant private authority to any security tool commands.

Avoiding file conflicts

Many of the security tool report commands create a database file that you can use to print a changed version of the report. [Commands and menus for security commands] tells the file name for each command. You can only run a command from one job at a time. Most of the commands now have checks that enforce this. If you run a command when another job has not yet finished running it, you will receive an error message.

Many print jobs are long-running jobs. You need to be careful to avoid file conflicts when you submit reports to batch or add them to the job scheduler. For example, you might want to print two versions of the PRTUSRPRF report with different selection criteria. If you are submitting reports to batch, you should use a job queue that runs only one job at a time to ensure that the report jobs run sequentially.

If you are using the job scheduler, you need to schedule the two jobs far enough apart that the first version completes before the second job starts.

• Saving security tools
  You save the security tool programs whenever you run either the Save System (SAVSYS) command or an option from the Save menu that runs the SAVSYS command.

• Commands for customizing security
  This section describes the commands and menus for security tools.

• Values set by the Configure System Security command
  This table lists the system values that are set when you run the CFGSYSSEC command. The CFGSYSSEC command runs a program that is called QSYS/QSECCFGS.

• Functions of the Revoke Public Authority command
  You can use the Revoke Public Authority (RVKPUBAUT) command to set the public authority to *EXCLUDE for a set of commands and programs.

Parent topic:

Related concepts
System security tools