Adding IBM i Systems
Overview
If you are adding IBM i systems, you must install and start the SSH server on the target system before you can connect using Privileged Access Service.
Accounts on IBM i are called profiles. For example, you can specify the user profile QSECOFR as the account used to access the system. This is the most powerful user profile, and is similar to root on UNIX. The use of a proxy account and password is not supported on IBM i.
For any user profile (account) you add, you can choose whether you want the Privileged Access Service to manage the account password. If you select Manage this credential, the Privileged Access Service automatically changes the password immediately after the account and system are added and each time the account is checked in for each password profile associated with the account.
If you select Manage this credential for IBM i devices, keep in mind that the Privileged Access Service can only manage passwords for privileged user accounts that have sufficient rights to configure and save settings. In addition, if there are any pending changes for other user accounts, those changes will be saved when the Privileged Access Service updates a managed password.
For more information about password and system management for IBM i systems, see the following topic:
Password Complexity Rules
All managed passwords generated by the Privileged Access Service consist of at least one upper case letter, one lower case letter, one number, and one special character regardless of the system type. For IBM i systems, the following additional password rules apply:
- On IBM i, the password complexity is affected by system settings, especially the password level, QPWDLVL. Administrators select the password level based on interoperability requirements for the system.
- A password level of 0 or 1 restricts the password length to 10 characters. Supported special characters are $, @, #, and underscore (_).
- A password level of 2 or 3 supports up to 128 characters. All characters are supported, except that the password must not begin with an asterisk (*). These password levels allow the use of a passphrase with internal blanks (spaces) between words. Trailing blanks are ignored. The password is case-sensitive.
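As an added example (not part of the original documentation or the Privileged Access Service itself), the following Python function checks a candidate password against the QPWDLVL rules listed above together with the baseline that every managed password contains one upper-case letter, one lower-case letter, one number and one special character. Treating any non-alphanumeric, non-blank character as a "special character" is an assumption; the other system values (QPWDMINLEN, QPWDLMTCHR and so on) are not modelled.

```python
import string

# Rules from the documentation: level 0/1 caps length at 10 and allows only
# these special characters; level 2/3 caps length at 128, forbids a leading
# asterisk and ignores trailing blanks (internal blanks are allowed).
LEVEL_01_SPECIALS = set("$@#_")
LEVEL_01_MAX = 10
LEVEL_23_MAX = 128


def check_ibmi_password(password: str, qpwdlvl: int) -> list:
    """Return the list of rule violations; an empty list means the password
    satisfies the documented rules for the given QPWDLVL."""
    if qpwdlvl not in (0, 1, 2, 3):
        raise ValueError("QPWDLVL must be 0, 1, 2 or 3")
    problems = []
    if qpwdlvl >= 2:
        # Trailing blanks are ignored at level 2/3, so strip them before
        # measuring length or looking for required character classes.
        password = password.rstrip(" ")
    non_alnum = {c for c in password if not c.isalnum()}
    # Assumption: a "special character" is anything that is neither a
    # letter/digit nor a blank.
    specials = {c for c in non_alnum if not c.isspace()}
    # Baseline applied by the Privileged Access Service to every managed
    # password, regardless of system type.
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not specials:
        problems.append("no special character")
    if qpwdlvl <= 1:
        if len(password) > LEVEL_01_MAX:
            problems.append(f"longer than {LEVEL_01_MAX} characters (QPWDLVL {qpwdlvl})")
        unsupported = non_alnum - LEVEL_01_SPECIALS
        if unsupported:
            problems.append("unsupported special characters at QPWDLVL 0/1: "
                            + "".join(sorted(unsupported)))
    else:
        if len(password) > LEVEL_23_MAX:
            problems.append(f"longer than {LEVEL_23_MAX} characters (QPWDLVL {qpwdlvl})")
        if password.startswith("*"):
            problems.append("must not begin with an asterisk (*)")
    return problems


def is_supported(password: str, qpwdlvl: int) -> bool:
    """True when the password passes every documented rule for the level."""
    return not check_ibmi_password(password, qpwdlvl)
```

Run the check against a password profile's output before pushing it to a system whose QPWDLVL is lower than the profile assumes; a profile that allows `!` or more than 10 characters will fail at level 0 or 1.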
The default password profile for IBM i systems will only include supported special characters. You can clone the default password profile to modify its settings. For example, with a custom password profile you could set the password to allow more than 10 characters when running QPWDLVL 2 or 3.
If you clone the default or another system password profile to create a custom password profile, be aware that on some versions of the operating system some special characters might not be supported and should not be used in the password. You can also create a custom profile.
The following IBM i system settings also affect the maximum password length and other password rules:
- QPWDCHGBLK: Block password change
- QPWDEXPITV: Expiration interval
- QPWDEXPWRN: Password expiration warning
- QPWDLMTCHR: Restricted characters
- QPWDLMTAJC: Restrict adjacent characters
- QPWDLMTREP: Restrict repeating characters
- QPWDMINLEN: Minimum length
- QPWDMAXLEN: Maximum length
- QPWDPOSDIF: Character position difference
- QPWDRQDDIF: Required difference
- QPWDRQDDGT: Require numeric character
- QPWDRULES: Password rules
- QPWDVLDPGM: Password validation program
For more information about managing user passwords, see "System values that apply to passwords" in the IBM System i Security Reference for the appropriate IBM i release:
- 6.1: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_61/rzarl/sc415302.pdf
- 7.1: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzarl/sc415302.pdf