Secure password storage

Beginning in IBM Spectrum Protect™ Version 8.1.2 and V7.1.8, the location of the IBM Spectrum Protect password is changed.

In V8.1.0 and V7.1.6 and earlier clients, the IBM Spectrum Protect password was stored in the Windows registry for Windows clients, and stored in the TSM.PWD file on UNIX and Linux clients.

Beginning in V8.1.2 and V7.1.8, the IBM® Global Security Kit (GSKit) keystores are used to store all IBM Spectrum Protect passwords. The process of importing server certificates is simplified. For information about importing server certificates, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.

When you upgrade to the IBM Spectrum Protect V8.1.2 or later client from an earlier client that uses the old password locations, the existing passwords are migrated to the following files in the new password store:
TSM.KDB
The file that stores the encrypted passwords.
TSM.sth
The file that stores the random encryption key that is used to encrypt passwords in the TSM.KDB file. This file is protected by the file system. This file is needed for automated operations.
TSM.IDX
An index file that is used to track the passwords in the TSM.KDB file.

Linux operating systemsWindows operating systemsFor Data Protection for VMware clients, the Data Protection for VMware GUI server administration password is migrated to a keystore.

Windows operating systems

Password locations on Windows clients

On Windows clients, the passwords in the SOFTWARE\IBM\ADSM\CurrentVersion\BackupClient\Nodes registry key and the SOFTWARE\IBM\ADSM\CurrentVersion\Nodes registry key are migrated to the new password store.

The password entries in these registry keys are deleted after the migration.

The migrated server and encryption passwords are stored in the password stores in separate subdirectories of the C:\ProgramData\Tivoli\TSM\baclient directory (a hidden directory). Separating the server passwords this way allows an administrator to grant a non-administrative user access to individual passwords without giving that user access to all the other passwords. The following directories are examples of password file locations:
  • C:\ProgramData\Tivoli\TSM\BAClient\NodeName\ServerName
  • C:\ProgramData\Tivoli\TSM\BAClient\(VCB)\ServerName
  • C:\ProgramData\Tivoli\TSM\BAClient\(DOMAIN)\ServerName
  • C:\ProgramData\Tivoli\TSM\BAClient\(FILER)\ServerName

Access to the password stash files (TSM.sth) is restricted to the creator of the keystore, Administrators, and System. A utility (dsmcutil addace) is available to allow Windows users to easily modify password file access control lists. For more information, see ADDACE and DELETEACE.

AIX operating systemsLinux operating systemsMac OS X operating systemsOracle Solaris operating systems

Password locations on UNIX and Linux clients

On UNIX and Linux clients, the existing passwords in the TSM.PWD files are migrated to the new password store in the same location. For root users, the default location for the password store is /etc/adsm. For non-root users, the location of the password store is specified by the passworddir option.

The TSM.PWD file is deleted after the migration.

Note: The new password store will not be in the default location (/etc/adsm) in the following situations:
  • The TSM.PWD file did not exist in the /etc/adsm directory.
  • The options file specifies a passworddir option that points to a different location.
AIX operating systemsLinux operating systemsMac OS X operating systemsOracle Solaris operating systems

The trusted communications agent is no longer available

The trusted communications agent (TCA), previously used by non-root users in V8.1.0 and V7.1.6 and earlier clients, is no longer available. Root users can use the following methods to allow non-root users to manage their files:
Help desk method
With the help desk method, the root user runs all backup and restore operations. The non-root user must contact the root user to request certain files to be backed up or restored.
Authorized user method
With the authorized user method, a non-root user is given read/write access to the password store by using the passworddir option to point to a password location that is readable and writable by the non-root user. This method allows non-root users to back up and restore their own files, use encryption, and manage their passwords with the passwordaccess generate option.

For more information, see Enable non-root users to manage their own data.

If neither of these methods are satisfactory, you must use the earlier clients that included the TCA.

Windows operating systems

Password locations in cluster environments

If you are operating the client in a cluster environment (CLUSTERNODE YES in the client options file), the password files are stored in a subdirectory of the client options file location. The subdirectory name is:
NODES\NodeName\ServerName

To store an encrypted password file when you set up a cluster environment, use the clustersharedfolder option to specify the directory location in which to store the encrypted password file. For more information, see Clustersharedfolder.

In a cluster configuration, the options file is stored on a cluster disk so that it can be accessed by the takeover node. The password files must also be stored on a cluster disk so that after a failure, the generated backup-archive client password is available to the takeover node.

For example, if the dsm.opt file is in the c:\ClusterStorage\Volume1\SPData directory, the node name is Cluster-B, and the server name is Bigdata, the location for password files is:
C:\ClusterStorage\Volume1\SPdata\Nodes\Cluster-B\Bigdata