Log In
Log in to the Operations Center with an administrator ID that is registered on the hub server.
Depending on the hub server configuration and the administrator ID definition, the login password is authenticated either by the hub server or by a Lightweight Directory Access Protocol (LDAP) server. If you are using LDAP authentication and experience login issues, verify that LDAP is configured correctly and that the LDAP server is available.
Depending on your organization's security guidelines, logging in might require multifactor authentication. Multifactor authentication requires users to verify their identity by using more than one method. If multifactor authentication is required, you must provide a one-time passcode in addition to your password. The passcode is valid only for the current session and is generated on a trusted device. A trusted device is a device that only you can access. A trusted device is typically a cell phone, but can be a different type of device such as a tablet or laptop. Because a new passcode must be generated for each session, the trusted device must be available to you each time you log in.
If multifactor authentication is required, you are prompted to enter a one-time passcode after you enter your password. The first time that you log in, you must register your administrator ID with an authentication app that is installed on your trusted device. An authentication app is a lightweight program that generates short-lived passcodes based on the current time and a secret key that was generated for your administrator ID. The secret key is a shared secret between your authentication app and the hub server. When you attempt to log in by using a passcode generated by the authentication app, the server also calculates the passcode. Like the authentication app, the server calculates the passcode by using the Time-based One-time Password (TOTP) algorithm, the current time, and the shared secret key that identifies your administrator ID. You are logged in only if the passcode that is calculated by the server matches the passcode that was entered by the administrator.
If the Operations Center prompts you to register your administrator ID with an authentication app, complete the following steps:
- On your trusted device, install an authentication app that can generate passcodes by using the TOTP algorithm. Authentication apps that are supported by IBM Spectrum Protect include IBM® Verify and Google Authenticator. For a complete list of supported authentication apps, see the IBM Spectrum Protect documentation.
- Add the shared secret key to your authentication app. When you log in to the Operations Center for the first time after the multifactor authentication requirement is set, the login page displays a Quick Response (QR) code that contains your shared secret key. If your trusted device has a built-in camera that the authentication app can access, you can scan the QR code to add the shared secret key to your authenticator app.
Tips:
- The QR code encodes a TOTP Uniform Resource Identifier (URI), which contains the shared secret key and other information that is needed to configure your authentication app. If your trusted device does not have a working camera, you can copy the TOTP URI to the clipboard and paste the information into your authentication app.
- If your trusted device is later lost or stolen, or if you think your shared secret key was compromised, you can generate a new shared secret key for your administrator ID. You can generate a new shared secret key by using the UPDATE ADMIN command. The next time that you log in, you are prompted to reregister your administrator ID with an authentication app.
Communication between the hub server and the Operations Center must be secured by using TLS. If you are experiencing login issues, make sure that the hub server certificate was added to the truststore file of the Operations Center. For instructions on installing certificates, see the IBM Spectrum Protect documentation.
Although the Operations Center reports only that authentication failed, more specific information is reported to the server console and activity log of the hub server.
To determine the specific cause of the authentication failure, use the QUERY ACTLOG command.
ANR1888W Session session number for node node name (client platform) refused - client requires SSL connection with this server.
To determine whether the administrator ID requires local or LDAP authentication, enter the following command on the hub server:
query admin admin_ID format=detailed
The Authentication field in the command output indicates whether local or LDAP authentication is required for this ID.
- Determine whether the hub server is configured for LDAP or local authentication
- Complete the following steps by using an account that can log in to the Operations Center:
- On the Servers page, select the hub server, and click Details.
- In the details notebook, click the Properties tab.
- Determine whether the Operations Center is configured for secure communications
- Complete the following steps by using an account that can log in to the Operations Center:
- In the Operations Center menu bar, hover over the Help icon and click About Operations Center.
- In the about window, click Installation Details.
- Click the Connections tab.
For more information about configuring secure communications, see the IBM Spectrum Protect documentation.
- Verify LDAP, authentication, and encryption settings for the hub server
- Issue the following command on the hub server: QUERY STATUS
The following server parameter settings can affect login capability:
Authentication:
Password Expiration Period:
Invalid Sign-on Attempt Limit:
Minimum Password Length:
Inbound Sessions Disabled:
Outbound Sessions Disabled:
Encryption Strength:
LDAP User:
LDAP Password Set:
Default Authentication:
For more information about using IBM Spectrum Protect commands, see the IBM Spectrum Protect documentation.