Secure password storage
Beginning in IBM Spectrum® Protect Version 8.1.2 and V7.1.8, the location of the IBM Spectrum Protect password is changed.
In V8.1.0 and V7.1.6 and earlier clients, the IBM Spectrum Protect password was stored in the Windows registry for Windows clients, and stored in the TSM.PWD file on UNIX and Linux® clients.
Beginning in V8.1.2 and V7.1.8, the IBM® Global Security Kit (GSKit) keystores are used to store all IBM Spectrum Protect passwords. The process of importing server certificates is simplified. For information about importing server certificates, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
The password store consists of the following files:
- TSM.KDB: The file that stores the encrypted passwords.
- TSM.sth: The file that stores the random encryption key that is used to encrypt passwords in the TSM.KDB file. This file is protected by the file system. This file is needed for automated operations.
- An index file that is used to track the passwords in the TSM.KDB file.
For Data Protection for VMware clients, the Data Protection for VMware GUI server administration password is migrated to a keystore.
Password locations on Windows clients
On Windows clients, the passwords in the SOFTWARE\IBM\ADSM\CurrentVersion\BackupClient\Nodes registry key and the SOFTWARE\IBM\ADSM\CurrentVersion\Nodes registry key are migrated to the new password store.
The password entries in these registry keys are deleted after the migration.
Access to the password stash files (TSM.sth) is restricted to the creator of the keystore, Administrators, and System. A utility (dsmcutil addace) is available to allow Windows users to easily modify password file access control lists. For more information, see ADDACE and DELETEACE.
Password locations on UNIX and Linux clients
On UNIX and Linux clients, the existing passwords in the TSM.PWD files are migrated to the new password store in the same location. For root users, the default location for the password store is /etc/adsm. For non-root users, the location of the password store is specified by the passworddir option.
The TSM.PWD file is deleted after the migration.
- The TSM.PWD file did not exist in the /etc/adsm directory.
- The options file specifies a passworddir option that points to a different location.
The trusted communications agent is no longer available
Non-root users can use one of the following methods instead:
- Help desk method: With the help desk method, the root user runs all backup and restore operations. The non-root user must contact the root user to request certain files to be backed up or restored.
- Authorized user method: With the authorized user method, a non-root user is given read/write access to the password store by using the passworddir option to point to a password location that is readable and writable by the non-root user. This method allows non-root users to back up and restore their own files, use encryption, and manage their passwords with the passwordaccess
For more information, see Enable non-root users to manage their own data.
If neither of these methods is satisfactory, you must use the earlier clients that included the TCA.
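The authorized user method relies on the file system to protect the password store that passworddir points to. The following is an added example, not IBM's code, that audits such a directory for a non-root user: it checks that the directory and the TSM.KDB and TSM.sth files are owned by that user and carry no group or other permissions (the function name is an assumption; the index file is not checked because the documentation does not name it).

```shell
#!/bin/sh
# Added example (not IBM's code): audit a non-root user's passworddir for the
# authorized-user method. A directory or stash file that is readable by other
# accounts exposes the key that protects the stored node password.

# check_passworddir DIR USER -> returns 0 if every check passes, 1 otherwise
check_passworddir() {
    dir=$1; user=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"; return 1
    fi
    # File names TSM.KDB and TSM.sth come from the documentation above.
    for p in "$dir" "$dir/TSM.KDB" "$dir/TSM.sth"; do
        if [ ! -e "$p" ]; then
            echo "FAIL: $p is missing"; rc=1; continue
        fi
        # "ls -ld" prints e.g. "drwx------ 2 owner group ..."; take mode and owner
        set -- $(ls -ld "$p")
        mode=$1; owner=$3
        if [ "$owner" != "$user" ]; then
            echo "FAIL: $p is owned by $owner, expected $user"; rc=1
        fi
        # Characters 5-10 of the mode string are the group and other bits;
        # a trailing '+' or '.' (ACL/SELinux marker) does not affect them.
        case "$(printf '%s' "$mode" | cut -c5-10)" in
            ------) ;;
            *) echo "FAIL: $p is accessible to group/others ($mode)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir is restricted to $user"
    return "$rc"
}
```

Run it as `check_passworddir /home/user/tsmpw user` after setting passworddir; a non-zero exit means the store is not restricted to that user.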
Password locations in cluster environments
To store an encrypted password file when you set up a cluster environment, use the clustersharedfolder option to specify the directory location in which to store the encrypted password file. For more information, see Clustersharedfolder.
In a cluster configuration, the options file is stored on a cluster disk so that it can be accessed by the takeover node. The password files must also be stored on a cluster disk so that after a failure, the generated backup-archive client password is available to the takeover node.
Cluster-B, and the server name is Bigdata, the location for password files is: