UPDATE ADMIN (Update an administrator)

Edit online

Use this command to change the password or contact information for an administrator. However, you cannot update the SERVER_CONSOLE administrator name.

Linux operating systemsAIX operating systemsPasswords for administrators must be changed after a length of time that is determined by the SET PASSEXP command. The SET PASSEXP command does not affect passwords that authenticate with a Lightweight Directory Access Protocol (LDAP) server.

Restriction: You cannot update the authentication method for your own user ID. If necessary, another administrator must make that change. Also, when you update a password with the UPDATE ADMIN command, you cannot use a wildcard with the admin_name parameter.

Administrators with the same name as a node can be created during a REGISTER NODE command. To keep the node and administrator with the same name synchronized, the authentication method and the SSLREQUIRED setting for the node are updated to match the administrator. If the administrator authentication method is changed from LOCAL to LDAP and a password is not provided, the node is put in LDAP pending status. A password is then requested at the next logon. Passwords between same-named nodes and administrators are kept in sync through any authentication change.

You must use the RENAME ADMIN command to change the name of a registered administrator.

For users of Lightweight Directory Access Protocol (LDAP) servers:
  • The information in this documentation applies to the LDAP authentication method that is preferred for IBM Storage Protect 7.1.7 or later servers. For instructions about using the previous LDAP authentication method, see Managing passwords and logon procedures.
  • If an administrative user ID matches a node name, do not update the authentication method to LDAP. If you do, you might see unexpected behavior because of automatic password changes that update the same password twice. As a result, the password might become unknown to the administrative user ID. Alternatively, the password update operation might fail.

Privilege class

To issue this command to change another administrator password or contact information, you must have system privilege. Any administrator can issue this command to update their own password or contact information.

Syntax

Read syntax diagramSkip visual syntax diagram UPDate Admin1 admin_name2 password PASSExp=daysCONtact=textFORCEPwreset=NoYesEMAILADdress=userID@nodeAUTHentication=LOcalLDapSYNCldapdelete=NoSYNCldapdelete=YesNoSSLrequired=4YesNoDEFaultSESSIONSECurity=TRANSitionalSESSIONSECurity=STRictTRANSitional5MFARequired=YesNo6SHAREDSecret=base32_stringRESETSHAREDSecret=YesNoCMDapprover=NoCMDapprover=YesNoALert=YesNo
Notes:
  • 1 You must specify at least one optional parameter on this command.
  • 2 Passwords are optional for this command, except when you are changing the authentication method from LDAP to LOCAL.
  • 3 The SYNCldapdelete parameter applies only if an administrator that is authenticating to an LDAP directory server reverts to local authentication.
  • 4 The SSLREQUIRED parameter is deprecated.
  • 5 If command approval is enabled, approval is required to specify MFAREQUIRED=NO. When you update your own administrator ID, you cannot specify MFAREQUIRED=NO.
  • 6 The SHAREDSECRET parameter can be specified only if you specified MFAREQUIRED=YES.

Parameters

admin_name (Required)
Specifies the name of the administrator to be updated.
password
Specifies the administrator's password. The minimum length of the password is 15 characters unless a different value is specified by using the SET MINPWLENGTH command. The maximum length of the password is 64 characters.
You can specify if the password of an administrator must contain any alphabetical, numerical, and special characters. The passwords are case-sensitive for the SESSIONSECURITY=STRICT administrator accounts and are case-insensitive for the administrator accounts that are in TRANSITIONAL state. The minimum length of these characters can be set by using the SET MINPWCHARALPHABETIC, SET MINPWCHARUPPER, SET MINPWCHARLOWER, SET MINPWCHARNUMERIC, and SET MINPWCHARSPECIAL commands.
This parameter is optional in most cases. If the administrator authentication method is changed from LDAP to LOCAL, a password is required. If an LDAP server is used to authenticate administrators, do not specify a password by using the UPDATE ADMIN command.
PASSExp
Specifies the number of days the password remains valid. You can set the password expiration period in the range 0 - 9999. A value of 0 means that the password never expires. This parameter is optional. If you do not specify this parameter, the password expiration period is unchanged. This parameter does not apply to passwords that are stored on an LDAP directory server.
CONtact
Specifies a text string that identifies the administrator. This parameter is optional. Enclose the text string in quotation marks if it contains any blanks. To remove previously defined contact information, specify a null string ().
FORCEPwreset
Specifies whether the administrator is required to change or reset the password. This parameter is optional.
No
Specifies that the administrator does not need to change or reset the password while they are attempting to sign on to the server. The password expiration period is set by the SET PASSEXP command.
Yes
Specifies that the administrator's password expires at the next sign-on. The administrator must change or reset the password then. If a password is not specified, you receive a syntax error.
Restrictions:
  • For administrative user IDs that authenticate with an LDAP server, password expiration is set by using LDAP server utilities. For this reason, do not specify FORCEPWRESET=YES if you plan to specify AUTHENTICATION=LDAP.
  • If you plan to update an administrative user ID to authenticate with an LDAP server, and you specified FORCEPWRESET=YES, you must change the password before you can specify FORCEPWRESET=NO and AUTHENTICATION=LDAP.
EMAILADdress
This parameter is used for more contact information. The information that is specified by this parameter is not acted upon by IBM Storage Protect.
AUTHentication
This parameter determines the password authentication method that the administrator ID uses; either LDAP or LOCAL.
LOcal
Specifies that the administrator uses the local IBM Storage Protect server database to store passwords for authentication.
LDap
Specifies that the administrator uses an LDAP directory server for password authentication.
SYNCldapdelete
This parameter applies only if an administrator who authenticates to an LDAP server wants to revert to local authentication.
Yes
Specifies that the administrator is deleted from the LDAP server.
Restriction: Do not specify a value of YES. (The value of YES is appropriate only for users of the previous LDAP authentication method, which is described in Managing passwords and logon procedures.)
No
Specifies that the administrator is not deleted from the LDAP server. This value is the default.
SSLrequired (deprecated)

Specifies whether the administrator user ID must use the Secure Sockets Layer (SSL) protocol to communicate between the IBM Storage Protect server and the backup-archive client. When you authenticate passwords with an LDAP directory server, you must protect the sessions by using SSL or another network security method.

Important: Beginning with IBM Storage Protect 8.1.2 software and Tivoli Storage Manager 7.1.8 software, this parameter is deprecated. Validation that was enabled by this parameter is replaced by the TLS protocol, which is enforced by the SESSIONSECURITY parameter. The SSLREQUIRED parameter is ignored. Update your configuration to use the SESSIONSECURITY parameter.
SESSIONSECurity
Specifies whether the administrator must use the most secure settings to communicate with an IBM Storage Protect server. This parameter is optional.

You can specify one of the following values:

STRict
Specifies that the strictest security settings are enforced for the administrator. This is the default value. The TLS protocol is used for SSL sessions between the server and the administrator. To specify whether the server uses TLS for the entire session or only for authentication, see the SSL client option.
Tip: Beginning with IBM Storage Protect 8.1.11, you can enable the TLS 1.3 protocol to secure communications between servers, clients, and storage agents. To use TLS 1.3, both parties in the communication session must use TLS 1.3. If either party uses TLS 1.2, then both parties use TLS 1.2 by default.
To use the STRICT value, the following requirements must be met to ensure that the administrator can authenticate with the server:
  • Both the administrator and server must be using IBM Storage Protect software that supports the SESSIONSECURITY parameter.
  • The administrator must be configured to use TLS 1.2 or later for SSL sessions between the server and the administrator.
Administrators that are set to STRICT and do not meet these requirements are unable to authenticate with the server.
TRANSitional
Specifies that the existing security settings are enforced for the administrator. This value is intended to be used temporarily while you update your security settings to meet the requirements for the STRICT value.

If SESSIONSECURITY=TRANSITIONAL and the administrator has never met the requirements for the STRICT value, the administrator continues to authenticate by using the TRANSITIONAL value. However, after an administrator meets the requirements for the STRICT value, the SESSIONSECURITY parameter value automatically updates from TRANSITIONAL to STRICT. Then, the administrator can no longer authenticate on the same server by using a version of the client or an SSL/TLS protocol that does not meet the requirements for STRICT. In addition, after an administrator successfully authenticates by using a more secure communication protocol, the administrator can no longer authenticate by using a less secure protocol. For example, if an administrator that is not using SSL is updated and successfully authenticates by using TLS 1.2, the administrator can no longer authenticate by using no SSL protocol or TLS 1.1. This restriction also applies when you use functions such as command routing or server-to-server export, when the administrator authenticates to the IBM Storage Protect server as an administrator from another server.

Tip: Beginning with IBM Storage Protect 8.1.7, you can also use the UPDATE ADMIN command to modify the SESSIONSECURITY parameter value of an administrator ID on a managed server.
MFARequired
Specifies whether the administrator is required to use multiple authentication factors when the administrator signs on to the server. This parameter is optional.
No
Specifies that only one authentication factor, a password, is required when the administrator signs on to the server.
Yes
Specifies that more than one authentication factor must be provided during server sign-on. The first authentication factor is the administrator’s password. The second authentication factor is a time-based, one-time token that is obtained from an authentication application that is configured with the administrator’s shared secret.
SHAREDSecret
Specifies the shared secret that is used to generate a time-based, one-time token. The administrator uses the generated token as a second authentication factor when they sign in to the server. This parameter is optional. If a shared secret is not specified, the server generates a random string to use as the administrator’s shared secret. The shared secret is specified in the following format:
base32-string
Specifies the base32 encoded shared secret.
RESETSHAREDSecret
Specifies that any shared secret that is associated with the administrator is removed and replaced with a new shared secret. This parameter is optional.
No
Specifies that the administrator’s shared secret is not reset.
Yes
Specifies that the administrator’s shared secret is reset. If the SHAREDSECRET parameter is specified, that value is used. If the SHAREDSECRET parameter is not specified, the server generates a random string to use as the administrator’s new shared secret.
CMDapprover
Specifies whether an administrator is designated as an approval administrator. When the SET COMMANDAPPROVAL command is set to ON, approval administrators can approve or reject restricted commands that are pending approval.
Yes
Specifies that the administrator is designated as an approval administrator.
Tip: If you disable command approval, the value of the CMDAPPROVER parameter is not reset to the default value of No. An administrator remains designated as an approval administrator until you issue the UPDATE ADMIN command and specify the CMDAPPROVER=NO parameter value.
No
Specifies that the administrator is not an approval administrator. This value is the default.
ALert
Specifies whether alerts are sent to an administrators email address.
Yes
Specifies that alerts are sent to the specified administrators email address.
No
Specifies that alerts are not sent to the specified administrators email address. This value is the default.
Tip: Alert monitoring must be enabled, and email settings must be correctly defined to successfully receive alerts by email. To view the current settings, issue the QUERY MONITORSETTINGS command.

Example: Update a password and password expiration period

Update the administrator LARRY to have the password SECRETWORD and a password expiration period of 120 days. The administrator in this example is authenticated to the IBM Storage Protect server.
update admin larry secretword passexp=120

Example: Update all administrators to communicate with a server by using strict session security

Update all administrators to use the strictest security settings to authenticate with the server.

update admin * sessionsecurity=strict

Example: Update the session security value for an administrator ID

Modify the SESSIONSECURITY parameter value for administrator LARRY.
update admin larry sessionsecurity=transitional
or
update admin larry sessionsecurity=strict

Example: Designate an administrator as an approval administrator

Modify the CMDAPPROVER parameter value for administrator Fred.
update admin fred cmdapprover=yes

Related commands

Table 1. Commands related to UPDATE ADMIN
Command Description
GENERATE SECRET Generates a shared secret to use for configuring multifactor authentication.
QUERY ADMIN Displays information about one or more IBM Storage Protect administrators.
QUERY STATUS Displays the settings of server parameters, such as those selected by the SET commands.
QUERY MONITORSETTINGS (Query the configuration settings for monitoring alerts and server status) Displays information about monitoring alerts and server status settings.
REGISTER ADMIN Defines a new administrator.
REGISTER NODE Defines a client node to the server and sets options for that user.
RENAME ADMIN Changes an IBM Storage Protect administrator’s name.
SET MINPWCHARUPPER Sets the minimum number of upper-case alphabetic characters that are required to be in administrator passwords.
SET MINPWCHARNUMERIC Sets the minimum number of numeric characters that are required to be in administrator passwords.
SET MINPWCHARSPECIAL Sets the minimum number of special characters that are required to be in administrator passwords.
SET MINPWLENGTH Sets the minimum length for client passwords.
SET PASSEXP Specifies the number of days after which a password is expired and must be changed.
UPDATE NODE Changes the attributes that are associated with a client node.