Security concepts

You can protect IBM Spectrum Protect from security risks by using communication protocols, securing passwords, and providing different access levels for administrators.

Transport Layer Security

You can use the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol to provide transport layer security for a secure connection between servers, clients, and storage agents. If you send data between the server, client, and storage agent, use SSL or TLS to encrypt the data.

Tip: Any IBM Spectrum Protect documentation that indicates "SSL" or to "select SSL" applies to TLS.

SSL is provided by the Global Security Kit (GSKit), which is installed with the IBM Spectrum Protect server and is used by the server, client, and storage agent.

Restriction: Do not use the SSL or TLS protocols for communications with an IBM® Db2® database instance that is used by any IBM Spectrum Protect servers.

Each server, client, or storage agent that enables SSL must use a trusted self-signed certificate or obtain a unique certificate that is signed by a certificate authority (CA). You can use your own certificates or purchase certificates from a CA. Either certificate must be installed and added to the key database on the IBM Spectrum Protect server, client, or storage agent. The certificate is verified by the SSL client or server that requests or initiates the SSL communication. Some CA certificates are preinstalled in the key databases, by default.

SSL is set up independently on the IBM Spectrum Protect server, client, and storage agent.

Authority levels

With each IBM Spectrum Protect server, different administrative authority levels are available that determine the tasks that an administrator can complete.

After registration, an administrator must be granted authority by being assigned one or more administrative authority levels. An administrator with system authority can complete any task with the server and assign authority levels to other administrators by using the GRANT AUTHORITY command. Administrators with policy, storage, or operator authority can complete subsets of tasks.

An administrator can register other administrator IDs, grant levels of authority to them, rename IDs, remove IDs, and lock and unlock them from the server.

An administrator can control access to specific client nodes for root user IDs and non-root user IDs. By default, a non-root user ID cannot back up data on the node. Use the UPDATE NODE command to change the node settings to enable backup.

Passwords

By default, the server automatically uses password authentication. With password authentication, all users must enter a password when they access the server.

Use Lightweight Directory Access Protocol (LDAP) to apply stricter requirements for passwords. For more information, see Authenticating users by using an LDAP server.

Table 1. Password authentication characteristics

| Characteristic | More information |
| --- | --- |
| Case-sensitivity | Not case-sensitive. |
| Default password expiration | 90 days. The expiration period begins when an administrator ID or client node is first registered to the server. If the password is not changed within this period, the password must be changed the next time that the user accesses the server. |
| Invalid password attempts | You can set a limit on consecutive invalid password attempts for all client nodes. When the limit is exceeded, the server locks the node. |
| Default password length | 8 characters. The administrator can specify a minimum length. Beginning with Version 8.1.4, the default minimum length for server passwords changed from 0 to 8 characters. |

Session security

Session security is the level of security that is used for communication among IBM Spectrum Protect client nodes, administrative clients, and servers and is set by using the SESSIONSECURITY parameter.

The SESSIONSECURITY parameter can be set to one of the following values:
  • The STRICT value enforces the highest level of security for communication between IBM Spectrum Protect servers, nodes, and administrators.
  • The TRANSITIONAL value specifies that the existing communication protocol is used while you update your IBM Spectrum Protect software to V8.1.2 or later. This is the default. When SESSIONSECURITY=TRANSITIONAL, stricter security settings are automatically enforced as higher versions of the TLS protocol are used and as the software is updated to V8.1.2 or later. After a node, administrator, or server meets the requirements for the STRICT value, session security is automatically updated to the STRICT value, and the entity can no longer authenticate by using a previous version of the client or earlier TLS protocols.
    Note: You are not required to update backup-archive clients to V8.1.2 or later before you upgrade servers. After you upgrade a server to V8.1.2 or later, nodes and administrators that are using earlier versions of the software will continue to communicate with the server by using the TRANSITIONAL value until the entity meets the requirements for the STRICT value. Similarly, you can upgrade backup-archive clients to V8.1.2 or later before you upgrade your IBM Spectrum Protect servers, but you are not required to upgrade servers first. Communication between servers and clients is not interrupted.
For more information about the SESSIONSECURITY parameter values, see the following commands.
Table 2. Commands used to set the SESSIONSECURITY parameter

| Entity | Command |
| --- | --- |
| Client nodes | REGISTER NODE, UPDATE NODE |
| Administrators | REGISTER ADMIN, UPDATE ADMIN |
| Servers | DEFINE SERVER, UPDATE SERVER |

Administrators that authenticate by using the DSMADMC command, DSMC command, or dsm program cannot authenticate by using an earlier version after authenticating by using V8.1.2 or later. To resolve authentication issues for administrators, see the following tips:
Tips:
  • Ensure that all IBM Spectrum Protect software that the administrator account uses to log on is upgraded to V8.1.2 or later. If an administrator account logs on from multiple systems, ensure that the server's certificate is installed on each system.
  • After an administrator successfully authenticates with the server by using V8.1.2 or later software or V7.1.8 or later software, the administrator can no longer authenticate with that server using client or server versions earlier than V8.1.2 or V7.1.8. An administrator command can be issued from any system.
  • If necessary, create a separate administrator account to use only with clients and servers that are using V8.1.1 or earlier software.

Enforce the highest level of security for communication with the IBM Spectrum Protect server by ensuring that all nodes, administrators, and servers use STRICT session security. You can use the SELECT command to determine which servers, nodes, and administrators are using TRANSITIONAL session security and should be updated to use STRICT session security.
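
The following is an added example, not part of the IBM documentation: a planning helper that reads an inventory of entities still on TRANSITIONAL session security and emits the UPDATE commands only for those whose software level can meet STRICT. The comma-delimited layout, the sample rows, and the function names are assumptions made for illustration; V8.1.0 and V8.1.1 are treated as not ready, following the "V8.1.1 or earlier" tip above.

```python
import csv
import io

# Constructed sample inventory (not real server output). Assumed columns:
# entity type, name, current session security, software version in use.
SAMPLE = """\
NODE,FILESRV01,Transitional,8.1.4
NODE,LEGACYDB,Transitional,7.1.6
NODE,MAILSRV,Strict,8.1.9
ADMIN,OPS_ADMIN,Transitional,7.1.8
ADMIN,OLD_SCRIPT,Transitional,8.1.1
SERVER,DRSITE,Transitional,8.1.2
"""

# Commands the page lists for setting SESSIONSECURITY on each entity type.
UPDATE_COMMAND = {"NODE": "UPDATE NODE", "ADMIN": "UPDATE ADMIN",
                  "SERVER": "UPDATE SERVER"}


def supports_strict(version):
    """True for V8.1.2 or later, or V7.1.8 or later within the V7 stream."""
    parts = tuple(int(p) for p in version.split("."))[:3]
    parts += (0,) * (3 - len(parts))
    if parts[0] == 7:
        return parts >= (7, 1, 8)
    return parts >= (8, 1, 2)


def plan_strict_migration(inventory_csv):
    """Return (commands, blocked) for entities still on TRANSITIONAL."""
    commands, blocked = [], []
    for row in csv.reader(io.StringIO(inventory_csv)):
        if not row:
            continue
        kind, name, security, version = (field.strip() for field in row)
        if security.upper() != "TRANSITIONAL":
            continue  # already STRICT, nothing to do
        if supports_strict(version):
            commands.append(f"{UPDATE_COMMAND[kind.upper()]} {name} SESSIONSECURITY=STRICT")
        else:
            # Forcing STRICT here would stop this entity from authenticating.
            blocked.append((kind.upper(), name, version))
    return commands, blocked


if __name__ == "__main__":
    cmds, held = plan_strict_migration(SAMPLE)
    print("\n".join(cmds))
    for kind, name, version in held:
        print(f"# upgrade first: {kind} {name} is on V{version}")
```

Entities returned in the blocked list need a software upgrade, or a separate account as described in the tips, before STRICT is set for them.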