Question & Answer
How can I ensure my Guardium appliance's root password is secure? Who has access to it?
Guardium appliances are "black box" environments with the end user only having access to limited access Operating System accounts, such as:
The Graphical User Interface user accounts (for example admin and accessmgr) are not defined to the Appliance's operating system but are rather application IDs defined and managed via an application interfaces (accessmgr).
Being a secured server, root access is not readily available to anyone, but, is often required by Guardium support to gain access to the Guardium appliances to troubleshoot and resolve issues. Guardium support do not use sudo, or any other userid other than root, to gain access to Guardium appliances.
Customers are not permitted to have the root password as this would cause a conflict of interest and likely result audit compliance failures, allowing customers to circumvent the security provided by IBM's Guardium Data Security software.
The root password is secured using a 'joint password' mechanism. Whereby the customer holds the keys to the appliance in the form of a eight digit numeric passkey. IBM on the other hand holds the passkey decoder. Without having both, the passkey and passkey decoder, neither IBM nor the customer can readily access the appliance as root.
The passkey is governed by the customer via the cli interface. The customer can change the passkey at any time, without notifying IBM, by using the following cli command:
support reset-password root
The challenge access key is documented in the online Guardium InfoCenter:
Anyone with cli access can retrieve the passkey for root by using the following cli command:
support show passkey root
When engaging Guardium support, on a remote desktop sharing session. The support analyst will request the root passkey from the Guardium appliance in question. Once the passkey has been decoded, support will use the resultant root password to gain access to the appliance as root. After the remote desktop sharing session terminates, the customer can change the passkey using the above cli command, thereby ensuring IBM no longer has the root password for this appliance.
Being an eight digit numeric key, the passkey has a range of 10000000 to 99999999. Thereby providing 89,999,999 possible passwords. All encoded passwords are hardened. They do not containing any common passwords, any dictionary words, their length varies and they contain national, special, alphabetic (upper and lower case) and/or numeric characters.
Note that versions v10.1.4 and later have larger passkeys with dashes embedded - eg 1-1111-111-1-1-1
Access to the passkey decoder is restricted to a select few IBM employees, such as Guardium R&D, QA and support staff members. It is not generally available to IBM staff.
The cli userids mentioned above (cli, guardcli1, guardcli2, guardcli3, guardcli4, guardcli5) do not use the passkey mechanism and their passwords are 100% governed by the customer with IBM having no access to their passwords. For this reason, IBM do recommend keeping the root passkey in a password vault to ensure the appliance is accessible even if the cli account passwords have been forgotten or misplaced.
Internal Use Only
This technote was generated by Technote Kickstart 126.96.36.199 based on Information Management PMR 81118,082,000.
View the associated PMR's text via Wellspring at: http://eclient.lenexa.ibm.com:9082/DocFetcher/source/PMR/81118.082.000%20O15/07/07
16 June 2018