MC Press Online

TechTip: DSPSSTUSR: Get Quick Information About Your Service Tools Accounts

IBM i 6.1 and 7.1 gave us many new commands and functions, including Display Service Tools User ID (DSPSSTUSR), which is very useful and should be part of your regularly scheduled security audits.

 

System Service Tools (SST) accounts can perform moderate maintenance on your Power Systems and IBM i operating system. You can work with disk configuration and partitions, view the product activity log, and much more. Dedicated Service Tools (DST) require the system to be in manual mode and allow you access to additional functions, such as working with the Licensed Internal Code (LIC). The same accounts are set up to access both SST and DST. Ideally, you want to ensure that these Service Tools accounts are under the watchful eye of your most trusted administrators. Any oddities should be investigated.

 

In IBM i 5.4 and its predecessors, you had to physically log into Service Tools (SST or DST) to get information about your Service Tools accounts. Now, with the DSPSSTUSR command provided in 6.1, you can get this information quite quickly and bypass the Service Tools environment altogether.

 

This is a display-only command; any change to a Service Tools account still requires you to log into Service Tools. You also need *SECADM or *AUDIT special authority to run DSPSSTUSR.

When you prompt DSPSSTUSR with F4 (see Figure 1), you can route the output to the screen (the default), a spooled file, or an output file. You can also display a specific Service Tools account (e.g., QSECOFR) or all accounts (*ALL is the default).

Figure 1: Route output to the screen, a spooled file, or an output file.

 

Figure 2 shows the listing of Service Tools accounts, their status, their linked accounts, and their descriptions.

 

Figure 2: See a list of Service Tools accounts.

Figures 3, 4, and 5 show the details about a specific Service Tools account.

 

Figure 3: See password information.

Figure 4: View some sys admin details.

Figure 5: View more sys admin details.

This is quick and dirty at its finest. You can schedule this command to run each month or quarter so you can see which Service Tools accounts are being created, when they're being used, and whether they're being changed. DSPSSTUSR gives us administrators very valuable insight into our most precious accounts. In fact, it really doesn't get any simpler.

Steve Pitcher
Steve Pitcher is the Enterprise Systems Manager for Scotsburn Dairy Group in Nova Scotia, Canada, and has been a specialist in IBM i and IBM Lotus Domino solutions since 2001. Visit Steve's website, follow his Twitter account, or contact him directly at stevepitcher@scotsburn.com.