Security considerations
Use this information to securely scan a system connection.
Scanning an IBM Storage Scale instance involves running the mmapplypolicy command on the IBM Storage Scale system, which requires superuser permissions. When you create the data source connection for the target IBM Storage Scale system in the IBM Spectrum® Discover interface, you are prompted for a user ID and password to enable automated scans. You are not required to provide these credentials if scans are run only manually on the target IBM Storage Scale system by an administrator. However, if you want to automate or schedule scans, the authentication credentials are required. By default, IBM Spectrum Discover uses password authentication to the Scale cluster to run commands remotely. If you want to use passwordless authentication instead, you can supply your own RSA private key by selecting the shared key authentication option when you configure the connection.
Rather than providing root login credentials, an administrator must create a special user ID with limited permissions on the IBM Storage Scale system. The administrator must also enable passwordless sudo for that user ID, limited to the binaries needed for scanning. This prevents someone from gaining root access to the target IBM Storage Scale system if the IBM Spectrum Discover system is compromised.
Changing passwordless SSH keys
You can periodically rotate the RSA authentication key pairs used for passwordless SSH and remove old keys from the authorized_hosts file on the IBM Storage Scale node that IBM Spectrum Discover connects to. To update the authentication keys, follow these steps:
- Make sure that the id_rsa.pub contents for the new authentication key pair are in the ~/.ssh/authorized_hosts file for the user that is specified in the IBM Spectrum Discover connection document for the IBM Storage Scale target file system.
- Edit the connection and paste the contents of the new private key file (id_rsa) in the input form.
After you edit the connection with the new private key file, IBM Spectrum Discover uses it to connect to the IBM Storage Scale target system.
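The rotation above, written as two shell functions to run as the scan user on the IBM Storage Scale node. This is an added example, not IBM code, and the function names are hypothetical. It installs the new key first and refuses to remove the old one until the new one is listed. The key file is an argument: the page names ~/.ssh/authorized_hosts, while OpenSSH reads ~/.ssh/authorized_keys unless AuthorizedKeysFile is changed, so pass the file the node's sshd actually uses.

```shell
#!/bin/sh
# Added example (not IBM code). Constructed usage, KEYFILE being the
# scan user's accepted-keys file:
#   add_key    "$KEYFILE" new_id_rsa.pub
#   ...edit the connection in IBM Spectrum Discover, confirm a scan works...
#   retire_key "$KEYFILE" old_id_rsa.pub new_id_rsa.pub

# Print the base64 key blob (field 2) of a one-line .pub file.
key_blob() { awk 'NR == 1 { print $2 }' "$1"; }

# Succeed if any whitespace-separated field of FILE equals BLOB exactly.
has_blob() {
    awk -v b="$1" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$2"
}

# add_key FILE NEW_PUB: append the new public key unless already listed.
add_key() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] || { echo "add_key: cannot read $2" >&2; return 2; }
    [ -f "$1" ] || ( umask 077; : > "$1" )
    # Make sure the last existing entry ends with a newline before appending.
    [ -z "$(tail -c1 "$1")" ] || echo >> "$1"
    has_blob "$blob" "$1" || cat "$2" >> "$1"
}

# retire_key FILE OLD_PUB NEW_PUB: drop every line carrying the old key.
# Refuses to act until the new key is listed, so the scan user is never
# left without a working key.
retire_key() {
    old=$(key_blob "$2"); new=$(key_blob "$3")
    [ -n "$old" ] && [ -n "$new" ] || { echo "retire_key: unreadable key" >&2; return 2; }
    [ "$old" != "$new" ] || { echo "retire_key: old and new are the same key" >&2; return 2; }
    has_blob "$new" "$1" || { echo "retire_key: new key not installed yet" >&2; return 3; }
    tmp=$(mktemp "$1.XXXXXX") || return 1
    # Match on the blob, so a changed comment or an options prefix
    # cannot leave the retired key behind.
    awk -v b="$old" '{ k = 1; for (i = 1; i <= NF; i++) if ($i == b) k = 0 } k' "$1" > "$tmp"
    chmod 600 "$tmp"
    # Swap in one rename so sshd never reads a half-written file.
    mv "$tmp" "$1"
}
```

Run retire_key only after the edited connection has completed a scan with the new private key.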