IBM i System Service Tools (SST) Password Management and Configuration Updates
IBM has implemented critical updates to the default user profiles for System Service Tools (SST) and Dedicated Service Tools (DST) as part of recent PTF (Program Temporary Fixes) upgrades. These changes aim to enhance system security by ensuring that default passwords are no longer active after specific maintenance packages are applied. This update affects key administrative profiles, requiring users to reset passwords to maintain access to essential system management tools.
Key Changes to Default SST and DST Profiles
The default user profiles 11111111, 22222222, and QSRV are now marked as “Expired” if they still use their default passwords after applying the specified PTFs. This update applies to various IBM i operating system versions, including:
- V7R2: PTF MF66639-A (included in Cumulative Package C9297720)
- V7R3: PTF MF66501-A (included in Cumulative Package C9311730)
- V7R4: PTF MF66502-A (included in Cumulative Package C9304740)
Notably, the 11111111 and 22222222 profiles will be completely removed starting with IBM i version V7R5. The QSECOFR profile, which is already shipped with an expired password, remains unaffected by this change.
How to Reset Passwords for SST and DST Access
If administrators need to reset passwords for the affected profiles, IBM provides step-by-step procedures for both System Service Tools (SST) and Dedicated Service Tools (DST):

System Service Tools (SST)
- Access a 5250 (or Console) session.
- Issue the command
STRSSTto start SST. - Sign in using the
QSECOFRprofile. - Navigate to Option 8 → Work with Service Tools user IDs and Devices.
- Select Option 1 → Service tools user IDs.
- Choose Option 2 to Change Password for the desired user ID.
- Set a unique password and ensure Set Password to Expire is set to 2 for No.
Dedicated Service Tools (DST)
- Access a 5250 Console session.
- Use the Control Panel Options in Manual Mode to execute Function 21 to force DST.
- Sign in to DST using the
QSECOFRprofile. - Select Option 5 → Work with DST Environment.
- Choose Option 3 → Service tools user IDs.
- Select Option 2 to Change Password for the desired user ID.
- Set a unique password and confirm Set Password to Expire is set to 2 for No.
For IBM i versions V7R4 and earlier, administrators can also reset the 11111111 profile using the Front Control Panel with specific procedures outlined in IBM documentation.
Security Implications and Best Practices
The removal of default passwords and the expiration of existing ones are critical steps in securing IBM i systems. These updates prevent unauthorized access to low-level system management tools, which could otherwise be exploited by malicious actors. Administrators are strongly advised to:
- Regularly review and update user passwords for SST and DST profiles.
- Implement strict access controls to limit who can modify service tool configurations.
- Stay informed about PTF updates and apply them promptly to maintain system integrity.
For detailed guidance, IBM recommends consulting the official support documentation for the latest instructions and compatibility details.
Conclusion
IBM’s recent updates to SST and DST password policies reflect a broader industry trend toward proactive security measures. By expiring default passwords and removing outdated profiles, IBM aims to reduce vulnerabilities
Related reading