Reset Root Password
Reset your root password on the appliance using your own private passkey by executing the following CLI command (requires access key: "t0Tach"):
support reset-password root <random>
Save the passkey you used in your documentation so that Technical Support can be given root access in the future. To see the current passkey, use the following CLI command:
support show passkey root
Questions: How secure is the Guardium system root password? Who has access to it?
Guardium appliances are "black box" environments with the end user only having access to limited access Operating System accounts, such as:
cli, guardcli1, guardcli2, guardcli3, guardcli4 and guardcli5.
The Graphical User Interface user accounts (for example admin and accessmgr) are not defined by the Guardium system's operating system, but are application IDs defined and managed via an application interface (accessmgr).
Being a secured server, root access is not readily available to anyone, but it is often required by Guardium support to gain access to the Guardium appliances to troubleshoot and resolve issues. Guardium support does not use sudo, or any userid other than root, to gain access to Guardium appliances.
The root password is secured using a "joint password" mechanism. The customer holds the keys to the appliance in the form of an eight-digit numeric passkey. IBM holds the passkey decoder. Without both the passkey and the passkey decoder, neither IBM nor the customer can access the appliance as root.
The passkey is managed by the customer via the CLI interface. The customer can change the passkey at any time, without notifying IBM, by using the following CLI command:
support reset-password root
Anyone with CLI access can retrieve the passkey for root by using the following CLI command:
support show passkey root
When involving Guardium support, on a remote desktop sharing session, the support analyst will request the root passkey for the Guardium appliance in question. Once the passkey has been decoded, Guardium support will use the root password to gain access to the appliance as root. After the remote desktop sharing session terminates, the customer can change the passkey using the above CLI command, thereby ensuring IBM no longer has the root password for this appliance.
Being an eight-digit numeric key, the passkey has a range of 10000000 to 99999999. This range provides 89,999,999 possible passwords. All encoded passwords are hardened: they do not contain any common passwords or dictionary words, their length varies, and they contain national, special, alphabetic (upper and lower case) and/or numeric characters.
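The following is an added illustration of how a "joint password" scheme of this kind can work; it is not Guardium's own decoder or algorithm, which IBM does not disclose. It assumes HMAC-SHA256 as the stand-in for the decoder, a constructed decoder secret, a constructed special-character set and assumed length bounds of 16 to 23 characters. The point it demonstrates is that the customer-held eight-digit passkey and the vendor-held decoder secret are both required to reproduce the root password, that the derived password always mixes character classes, and that choosing a fresh passkey after a support session makes the previously decoded password useless.

```python
"""Illustrative joint-password derivation (added example, not Guardium code).

A customer-held eight-digit passkey and a vendor-held decoder secret are
combined with HMAC-SHA256 (assumption) to produce the root password.
Without the secret the passkey reveals nothing; without the passkey the
secret alone yields no usable password.
"""
import hashlib
import hmac
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_"          # constructed set of special characters
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LEN, MAX_LEN = 16, 23          # assumed bounds; the page only says length varies


def is_valid_passkey(passkey: str) -> bool:
    """True only for an eight-digit number in the range 10000000..99999999."""
    return len(passkey) == 8 and passkey.isdigit() and passkey[0] != "0"


def validate_passkey(passkey: str) -> None:
    if not is_valid_passkey(passkey):
        raise ValueError("passkey must be an eight-digit number with no leading zero")


def derive_root_password(passkey: str, decoder_secret: bytes) -> str:
    """Derive the root password from the passkey plus the decoder secret."""
    validate_passkey(passkey)
    digest = hmac.new(decoder_secret, passkey.encode(), hashlib.sha256).digest()
    # Password length is keyed to the digest, so it varies between passkeys.
    length = MIN_LEN + digest[0] % (MAX_LEN - MIN_LEN + 1)
    # Map one digest byte to one password character
    # (the small modulo bias is acceptable for an illustration).
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[1:1 + length]]
    # Force one character from every class into consecutive, keyed positions
    # so the result always mixes upper, lower, digit and special characters.
    start = digest[24] % length
    for i, cls in enumerate((UPPER, LOWER, DIGITS, SPECIAL)):
        chars[(start + i) % length] = cls[digest[25 + i] % len(cls)]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """Check that every character class is present in the password."""
    return all(any(c in cls for c in password)
               for cls in (UPPER, LOWER, DIGITS, SPECIAL))


def new_passkey() -> str:
    """Pick a fresh passkey (10000000..99999999) with a CSPRNG, e.g. after a
    support session, so the previously decoded root password no longer works."""
    return str(secrets.randbelow(90_000_000) + 10_000_000)


if __name__ == "__main__":
    decoder = b"vendor-held-decoder-secret (constructed)"
    current_key = "12345678"                      # constructed customer passkey
    before = derive_root_password(current_key, decoder)
    rotated_key = new_passkey()
    after = derive_root_password(rotated_key, decoder)
    print(f"passkey {current_key} -> {before} (len {len(before)})")
    print(f"passkey {rotated_key} -> {after} (len {len(after)})")
    print("old password still valid:", before == after)
```

Only the vendor side ever holds `decoder_secret`; the customer side needs nothing more than the passkey shown by `support show passkey root` and a way to rotate it. Rotating the passkey is what revokes the root password after a support engagement, which is why the page recommends changing it once the remote session ends.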
Access to the passkey decoder is restricted to a select few IBM Guardium employees, such as Guardium R&D, Guardium QA and Guardium support staff members. It is not available to IBM staff in general.
The CLI userids mentioned above (cli, guardcli1, guardcli2, guardcli3, guardcli4, guardcli5) do not use the passkey mechanism and their passwords are 100% governed by the customer with IBM having no access to their passwords. For this reason, IBM recommends keeping the root passkey in a password vault to ensure the appliance is accessible even if the CLI account passwords have been forgotten or misplaced.