REGISTER ADMIN (Register an administrator ID)

Use this command to add an administrator to the server. After registration, the administrator can issue a limited set of commands, including all query commands. To provide additional privileges, use the GRANT AUTHORITY command.

Privilege class

To issue this command, you must have system privilege.

When you register an administrator with the same name as an existing node, be aware of the administrator authentication method and the SSLREQUIRED setting. Any node that has the same name as the administrator that is being registered inherits those settings.
For users of Lightweight Directory Access Protocol (LDAP) servers:
  • The information in this documentation applies to the LDAP authentication method that is preferred for IBM Spectrum Protect V7.1.7 or later servers. For instructions about using the previous LDAP authentication method, see Managing passwords and logon procedures.
  • Do not specify an administrative user ID that matches a node name. If the administrative user ID matches the node name, you might see unexpected behavior because of automatic password changes that update the same password twice. As a result, the password might become unknown to the administrative user ID. Alternatively, the password update operation might fail.

Syntax

REGister Admin admin_name password
    PASSExp=days (1)
    CONtact=text
    FORCEPwreset=No | Yes (default: No)
    EMAILADdress=userID@node
    AUTHentication=LOcal | LDap (default: LOcal) (2)
    SSLrequired=Yes | No | DEFault (default: DEFault) (3)
    SESSIONSECurity=STRict | TRANSitional (default: TRANSitional)
    ALert=Yes | No (default: No)

Notes:
  • (1) The PASSEXP command does not apply to administrators who authenticate to an LDAP directory server.
  • (2) The default value can change if you issued the SET DEFAULTAUTHENTICATION command and specified LDAP.
  • (3) The SSLREQUIRED parameter is deprecated.

Parameters

admin_name (Required)
Specifies the name of the administrator to be registered. The maximum length of the name is 64 characters.

You cannot specify an administrator name of NONE.

If you plan to authenticate the administrator ID with an LDAP server, ensure that the administrator ID does not match the name of any node that authenticates with an LDAP server.

password
Specifies the password of the administrator to be registered. The minimum length of the password is 8 characters unless a different value is specified by using the SET MINPWLENGTH command. The maximum length of the password is 64 characters.
If you authenticate passwords locally with the IBM Spectrum Protect server, you must specify a password. The password is not case-sensitive.
If you authenticate passwords with a Lightweight Directory Access Protocol (LDAP) server, do not specify a password on the REGISTER ADMIN command.
PASSExp
Specifies the number of days the password remains valid. You can set the password expiration period in the range 0 - 9999 days. A value of 0 means that the password never expires. This parameter is optional. If you do not specify this parameter, the password is set with the global expiration period of 90 days. This parameter does not affect passwords that authenticate with an LDAP directory server.
CONtact
Specifies information identifying the administrator being registered. This parameter is optional. The maximum length of this string is 255 characters. The contact information must be enclosed in quotation marks if it contains any blanks.
FORCEPwreset
Specifies whether the administrator is required to change or reset the password. This parameter is optional. The default value is NO. Possible values are:
No
Specifies that the administrator does not need to change or reset the password while attempting to sign on to the server.
Yes
Specifies that the administrator's password expires at the next sign-on. The client or administrator must change or reset the password then. If a password is not specified, you receive an error message.
Restriction: For administrative user IDs that authenticate with an LDAP server, password expiration is set by using LDAP server utilities. For this reason, do not specify FORCEPWRESET=YES if you specify AUTHENTICATION=LDAP.
EMAILADdress
Specifies the email address for this administrator.
AUTHentication
This parameter specifies the authentication method for the administrator user ID. Specify one of the following values: LDAP or LOCAL. The parameter is optional and defaults to LOCAL. The default can change to LDAP if you use the SET DEFAULTAUTHENTICATION command and specify LDAP.
LOcal
Specifies that the local IBM Spectrum Protect server database is used.
LDap
Specifies that the administrator user ID authenticates passwords with an LDAP directory server. Passwords that authenticate with an LDAP directory server are case-sensitive.
Tip: A password is not required if you register an administrator and select AUTHENTICATION=LDAP. At logon, you are prompted for a password.
SSLrequired (deprecated)

Specifies whether the administrator user ID must use the Secure Sockets Layer (SSL) protocol to communicate between the IBM Spectrum Protect server and the backup-archive client. When you authenticate passwords with an LDAP directory server, you must protect the sessions by using SSL or another network security method.

Important: Beginning with IBM Spectrum Protect Version 8.1.2 software and Tivoli® Storage Manager Version 7.1.8 software, this parameter is deprecated. Validation that was enabled by this parameter is replaced by the TLS 1.2 protocol, which is enforced by the SESSIONSECURITY parameter. The SSLREQUIRED parameter is ignored. Update your configuration to use the SESSIONSECURITY parameter.
SESSIONSECurity
Specifies whether the administrator must use the most secure settings to communicate with an IBM Spectrum Protect server. This parameter is optional.

You can specify one of the following values:

STRict
Specifies that the strictest security settings are enforced for the administrator. The STRICT value uses the most secure communication protocol available, which is currently TLS 1.2. The TLS 1.2 protocol is used for SSL sessions between the server and the administrator. To specify whether the server uses TLS 1.2 for the entire session or only for authentication, see the SSL client option.
To use the STRICT value, the following requirements must be met to ensure that the administrator can authenticate with the server:
  • Both the administrator and server must be using IBM Spectrum Protect software that supports the SESSIONSECURITY parameter.
  • The administrator must be configured to use the TLS 1.2 protocol for SSL sessions between the server and the administrator.
Administrators set to STRICT that do not meet these requirements are unable to authenticate with the server.
TRANSitional
Specifies that the existing security settings are enforced for the administrator. This is the default value. This value is intended to be used temporarily while you update your security settings to meet the requirements for the STRICT value.

If SESSIONSECURITY=TRANSITIONAL and the administrator has never met the requirements for the STRICT value, the administrator will continue to authenticate by using the TRANSITIONAL value. However, after an administrator meets the requirements for the STRICT value, the SESSIONSECURITY parameter value automatically updates from TRANSITIONAL to STRICT. Then, the administrator can no longer authenticate on the same server by using a version of the client or an SSL/TLS protocol that does not meet the requirements for STRICT. In addition, after an administrator successfully authenticates by using a more secure communication protocol, the administrator can no longer authenticate by using a less secure protocol. For example, if an administrator that is not using SSL is updated and successfully authenticates by using TLS 1.2, the administrator can no longer authenticate by using no SSL protocol or TLS 1.1. This restriction also applies when you use functions such as command routing or server-to-server export, when the administrator authenticates to the IBM Spectrum Protect server as an administrator from another server.

Tip: Beginning with V8.1.7, you can also use the UPDATE ADMIN command to modify the SESSIONSECURITY parameter value of an administrator ID on a managed server.
ALert
Specifies whether alerts are sent to an administrator's email address.
Yes
Specifies that alerts are sent to the specified administrator's email address.
No
Specifies that alerts are not sent to the specified administrator's email address. This is the default value.
Tip: Alert monitoring must be enabled, and email settings must be correctly defined to successfully receive alerts by email. To view the current settings, issue the QUERY MONITORSETTINGS command.
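
The constraints stated in the parameter descriptions above can be checked before a command is issued. The following Python linter is an added example, not IBM code: lint_register_admin, its arguments and the finding texts are hypothetical names, and it assumes that the capitals in each keyword mark the shortest accepted abbreviation.

```python
import shlex

# Keywords as printed in the syntax diagram; the capitals are assumed to mark
# the shortest accepted abbreviation (IBM syntax-diagram convention).
PARAMS = ["PASSExp", "CONtact", "FORCEPwreset", "EMAILADdress",
          "AUTHentication", "SSLrequired", "SESSIONSECurity", "ALert"]

def matches(word, spec):
    """True if word is an accepted abbreviation of spec, e.g. LD for LDap."""
    minimum = sum(1 for c in spec if c.isupper())
    return len(word) >= minimum and spec.upper().startswith(word.upper())

def lint_register_admin(command, node_names=(), min_pw_len=8, default_auth="LOcal"):
    """Added example (hypothetical helper): findings for one command line; never echoes the password."""
    tokens = shlex.split(command)
    if len(tokens) < 3 or not (matches(tokens[0], "REGister")
                               and matches(tokens[1], "Admin")):
        return ["not a REGISTER ADMIN command"]
    name, opts, password, out = tokens[2], {}, None, []
    for pos, tok in enumerate(tokens[3:], start=4):
        key, sep, value = tok.partition("=")
        spec = next((p for p in PARAMS if sep and matches(key, p)), None)
        if spec:
            opts[spec] = value
        elif not sep and password is None:
            password = tok          # first bare token after the name
        else:
            out.append(f"unrecognized token at position {pos}")
    ldap = matches(opts.get("AUTHentication", default_auth), "LDap")
    if len(name) > 64 or name.upper() == "NONE":
        out.append("admin_name must be at most 64 characters and not NONE")
    if name.upper() in {n.upper() for n in node_names}:
        out.append("admin_name matches a node name")
    if ldap and password is not None:
        out.append("do not specify a password with AUTHENTICATION=LDAP")
    if ldap and matches(opts.get("FORCEPwreset", "No"), "Yes"):
        out.append("do not specify FORCEPWRESET=YES with AUTHENTICATION=LDAP")
    if not ldap and not (password and min_pw_len <= len(password) <= 64):
        out.append(f"local password must be {min_pw_len}-64 characters")
    days = opts.get("PASSExp")
    if days is not None and not (days.isdecimal() and int(days) <= 9999):
        out.append("PASSEXP must be 0-9999 days")
    if len(opts.get("CONtact", "")) > 255:
        out.append("CONTACT is limited to 255 characters")
    if "SSLrequired" in opts:
        out.append("SSLREQUIRED is deprecated and ignored; use SESSIONSECURITY")
    if not matches(opts.get("SESSIONSECurity", "TRANSitional"), "STRict"):
        out.append("SESSIONSECURITY is TRANSITIONAL (intended as temporary)")
    return out
```

Pass the current node names (for example, collected from QUERY NODE output) as node_names, and set min_pw_len and default_auth to match the server's SET MINPWLENGTH and SET DEFAULTAUTHENTICATION values.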

Example: Register an administrator

Define an administrator, LARRY, with the password PASSWORDONE. You can identify LARRY as second-shift personnel by specifying this information with the CONTACT parameter. Issue the command:
register admin larry passwordone contact='second shift'

Example: Register an administrator ID and set the authentication method

Define an administrator ID for Harry so that Harry can authenticate to an LDAP server. Issue the command:
register admin harry authentication=ldap

Example: Register an administrator and enforce strict session security

Register an administrator named Harry, and require Harry to use the strictest security settings to authenticate with the server. Issue the command:
register admin harry sessionsecurity=strict
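
The TRANSITIONAL-to-STRICT behavior described for the SESSIONSECURITY parameter can be followed step by step in a small model, which helps when planning which older clients or routing servers will stop authenticating. This is an added example, not IBM code: the AdminSession class, the protocol labels and the logon sequence are constructed for illustration from the rules stated on this page.

```python
from dataclasses import dataclass

# Protocol strength ordering taken from the page's example
# (no SSL < TLS 1.1 < TLS 1.2). The labels are constructed for this model.
RANK = {"none": 0, "TLS1.1": 1, "TLS1.2": 2}

@dataclass
class AdminSession:
    """Simplified model of one administrator ID (assumption, not server code)."""
    name: str
    sessionsecurity: str = "TRANSITIONAL"  # default value on REGISTER ADMIN
    strongest_seen: int = 0                # strongest protocol that has succeeded

    def logon(self, protocol, client_supports_sessionsecurity):
        """Return True if the model accepts the logon; updates the state."""
        meets_strict = client_supports_sessionsecurity and protocol == "TLS1.2"
        if self.sessionsecurity == "STRICT" and not meets_strict:
            return False                   # STRICT requirements not met
        if RANK[protocol] < self.strongest_seen:
            return False                   # weaker than an earlier success
        self.strongest_seen = RANK[protocol]
        if meets_strict:
            self.sessionsecurity = "STRICT"  # automatic TRANSITIONAL -> STRICT
        return True

def replay(admin, attempts):
    """Run (protocol, client_supports) attempts; return (protocol, ok, setting)."""
    return [(p, admin.logon(p, s), admin.sessionsecurity) for p, s in attempts]

# Constructed logon sequence for an administrator registered with the default.
SAMPLE = [("none", False), ("TLS1.1", False), ("none", False),
          ("TLS1.2", True), ("TLS1.1", True), ("none", False)]

if __name__ == "__main__":
    for protocol, ok, setting in replay(AdminSession("harry"), SAMPLE):
        print(f"{protocol:7} {'accepted' if ok else 'rejected':9} {setting}")
```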

Related commands

Table 1. Commands related to REGISTER ADMIN

Command                    Description
GRANT AUTHORITY            Assigns privilege classes to an administrator.
LOCK ADMIN                 Prevents an administrator from accessing IBM Spectrum Protect.
QUERY ADMIN                Displays information about one or more IBM Spectrum Protect administrators.
QUERY MONITORSETTINGS      Displays information about monitoring alerts and server status settings.
REGISTER NODE              Defines a client node to the server and sets options for that user.
REMOVE ADMIN               Removes an administrator from the list of registered administrators.
RENAME ADMIN               Changes an IBM Spectrum Protect administrator’s name.
SET DEFAULTAUTHENTICATION  Specifies the default password authentication method for any REGISTER NODE or REGISTER ADMIN commands.
SET PASSEXP                Specifies the number of days after which a password is expired and must be changed.
UNLOCK ADMIN               Enables a locked administrator to access IBM Spectrum Protect.
UPDATE ADMIN               Changes the password or contact information associated with any administrator.
UPDATE NODE                Changes the attributes that are associated with a client node.