SST and access id recovery
We have a 9407 M15 without a HMC. On the odd occasion we have required it we have used a remote LAN console setup on a pc. However I have either forgotten the special Access id or it has expired and I am unable to connect the console pgm. To compound the issue I am unable to logon on to SST as the password has also either expired or been changed without recording the password somewhere. I reset the qsecofr sst id using chgdstpwd *default but when I try and log on with this I get into a catch22 where it says the password has expired but when I try and change it I get an error that I am not authorised to change the password!! The IBM techs are confounded but hopefully a software guy will respond to the job logged and be able to assist. In the meantime does anyone here have any suggestions to resolve this impasse.
Software/Hardware used:
iseries 9407 m15
Software/Hardware used:
iseries 9407 m15
ASKED:
October 11, 2010 9:42 PM
UPDATED:
October 18, 2010 5:04 PM
Answer Wiki:
use the CHGDSTPWD *DEFAULT to change the password to default, then go back to the console PC and run the Console program. When it asks for the DST user/password, enter the default QSECOFR user/password. It will then tell you to change the password and you can do so.
To see all answers submitted to the Answer Wiki: View Answer History.
…it says the password has expired but when I try and change it I get an error that I am not authorised to change the password…
That makes me think that passwords were locked down in DST. You might be seeing a result of message ID CPF4AB7:
(If not CPF4AB7, it’s probably closely related.)
Within DST (not SST), there are options available to lock down various security settings including the ability to access password changes from outside of DST. Unless you have multiple DST/SST security profiles, those can be very risky options to lock down. You must enter DST in order to make changes to anything locked down to DST.
Of course, if you have now changed the QSECOFR DST/SST password to be a ‘default’ password with CHGDSTPWD *DEFAULT, it probably falls within the rules that stop it from setting a new password. You must get logged in to DST first, and that can only be done through an alternate security profile that has neither a default nor expired password.
But you don’t have a console available until you can log in to DST because the password is required in order to connect.
So, let’s start from here…
I have either forgotten the special Access id or it has expired…
Did you write “special Access id” because you are sure that an alternate DST/SST security profile other than QSECOFR was created? (Note that this is not a usual *SECOFR user profile. This would be a profile created explicitly within DST/SST for this type of use.)
Tom
The access ID is another separate password that appears in the prompt to logon via the remote lan console. Below that it also requires a SST user id and its password. The SST profile we were probably using originally was the 8 x 1′s with either of two possible passwords. If I leave the access ID blank it still gives me an error message.
BTW you are correct with the first part of your answer, it is a real catch-22.
The access ID is another separate password…
Ah, yes. It’s been too long (and too infrequent) since I had to go into a system by that route. And you changed all pre-configured passwords so even IBM Support can’t get maintenance access.
You tried the default passwords…? (It has to be asked.)
Tom