IBM i 6.1 and 7.1 gave us many new commands and functions, including Display Service Tools User ID (DSPSSTUSR), which is very useful and should be part of your regularly scheduled security audits.
System Service Tools (SST) accounts can perform moderate maintenance on your Power Systems and IBM i operating system. You can work with disk configuration and partitions, view the product activity log, and much more. Dedicated Service Tools (DST) require the system to be in manual mode and allow you access to additional functions, such as working with the Licensed Internal Code (LIC). The same accounts are set up to access both SST and DST. Ideally, you want to ensure that these Service Tools accounts are under the watchful eye of your most trusted administrators. Any oddities should be investigated.
In IBM i 5.4 and its predecessors, you had to physically log into Service Tools (SST or DST) to get information about your Service Tools accounts. Now, with the DSPSSTUSR command provided in 6.1, you can get this information quite quickly and bypass the Service Tools environment altogether.
This is a display-only command. Any changes to Service Tools accounts require you to actually log into Service Tools. As well, you need special authority *SECADM or *AUDIT in order to run DSPSSTUSR.
When you run DSPSSTUSR and prompt with your F4 key (see Figure 1), you can route the output to the screen, which is the default, or to a spooled file or an output file. In addition, you can specify specific Service Tools accounts to display (i.e., QSECOFR) or all accounts (*ALL is the default).
Figure 1: Route output to the screen, a spooled file, or an output file. (Click images to enlarge.)
Figure 2 shows the listing of Service Tools accounts, their status, their linked accounts, and their descriptions.
Figure 2: See a list of Service Tools accounts.
Figures 3, 4, and 5 show the details about a specific Service Tools account.
Figure 3: See password information.
Figure 4: View some sys admin details.
Figure 5: View more sys admin details.
This is quick and dirty at its finest. You can schedule to run this command each month or quarter so you can understand what service accounts are being created, when they're being used, and if they're being changed. DSPSSTUSR gives us administrators very valuable insight into our most precious accounts. In fact, it really doesn't get any simpler.
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online