IBM Storage Protect Server version 8.1.20.0 provides new CREDENTIALSFILE feature for Admin CLI (dsmadmc)

Andreas Schwab — 17. October 2023
Reading time: 1:25 minutes


With IBM Storage Protect Server version 8.1.20.0, IBM has implemented a long-awaited option for the administrative command-line interface (CLI) dsmadmc.

Save your administrator ID and password with a login file

The dsmadmc command has been extended with the -CREDentialsfile=filename option.

With this you can pass the credentials (user ID and password), which are normally given on the command line with the -ID=userid and -PAssword=password options, via a credentials file. The file contains only the administrator ID and the password, written one below the other.

Login file example: /home/ispadmin/.topsecretpw

Login with the CREDentialsfile option
This finally puts an end to UserIDs and passwords in plain text in shell scripts.

The security aspect

For security reasons, you should make sure that this TOP SECRET login file is well hidden and not immediately visible or readable by everyone.

Possible security measures in a Linux environment

In a Linux environment you could, for example, create the file as a dotfile such as .topsecretpw (a hidden file); it is not shown by a plain "ls" command.

You should also make the file readable only by its owner. This way only you and root are able to read the file.

Example: chmod 400 .topsecretpw

This is especially important because if you run ps -ef | grep dsmadmc, you can also see the name and possibly the path of the login file, as shown in the following image.

To avoid spelling out the file name and possibly the path of the login file in plain text in the script, you could also set an environment variable for this purpose.
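The following wrapper is an added example, not code from the original post or from IBM: it keeps the credentials file path in an environment variable (ISP_CREDFILE, an assumed name) and refuses to call dsmadmc unless the file is owned by the caller, readable only by the owner, and holds exactly the two lines the post describes (administrator ID, then password).

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# ISP_CREDFILE variable are assumptions; dsmadmc itself is not included here.

# Create a credentials file with owner-only permissions from the first byte
# (umask 077 so the file is never world-readable, then lock it to 400).
# Usage: create_credfile /path/to/file ADMINID PASSWORD
create_credfile() {
    file=$1; admin=$2; pw=$3
    (umask 077 && printf '%s\n%s\n' "$admin" "$pw" > "$file") || return 1
    chmod 400 "$file"
}

# Return 0 only if the credentials file is safe to use; otherwise explain why.
check_credfile() {
    file=$1
    [ -f "$file" ] || { echo "credentials file missing: $file" >&2; return 1; }
    # Permission bits: accept 400 or 600 (owner-only), reject everything else.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        400|600) ;;
        *) echo "credentials file mode is $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    # The file must belong to the user running the script, not to someone else.
    owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    [ "$owner" = "$(id -un)" ] || { echo "credentials file not owned by $(id -un)" >&2; return 1; }
    # Format as described in the post: exactly two non-empty lines.
    [ "$(grep -c . "$file")" -eq 2 ] || { echo "credentials file must hold admin ID and password on two lines" >&2; return 1; }
}

# Run an administrative command through dsmadmc with the checked file.
# The path comes from the environment, so it does not appear in the script.
run_dsmadmc() {
    check_credfile "${ISP_CREDFILE:?set ISP_CREDFILE to the credentials file path}" || return 1
    dsmadmc -CREDentialsfile="$ISP_CREDFILE" "$@"
}
```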

Security precautions in a Windows environment

In a Windows environment you could hide the file via the file properties.

In addition, you could use a different file extension or no extension at all, which makes the file less conspicuous. Again, the path and file name of the login file could be hidden behind a variable.

If the file is located in your own user profile folder, only your own user account and the administrator can access it.

If you need to store the file outside your own profile folder, you could restrict access via "Group or user names" in the file's "Properties" dialog on the "Security" tab, e.g. as follows.

And of course, the path or file name should not contain TOPSECRET or PW 😉.

Important notice:

The -CREDentialsfile option cannot be used in conjunction with Multifactor Authentication (MFA).

Conclusion

At this point, I would like to give a conclusion and my personal opinion about this option. It is a nice way to make admin IDs and passwords disappear from scripts: user and password are no longer visible at first glance. However, if an intruder finds the login file, they have the admin ID and password again.

I would have hoped that the IBM developers had used an encryption method here, similar to the Backup/Archive Client with the PASSWORDACCESS GENERATE option. They could also have worked with a PKI solution.

From my point of view, this method is half-baked and not really secure. Nevertheless, I gratefully accept this option and will use it for scripting in the future.

Source

https://www.ibm.com/docs/en/storage-protect/8.1.20?topic=client-administrative-options
