Resetting the root password

To reset your root password on the appliance, use your own private passkey and run the support reset-password root CLI command.

Note: The support reset-password root command requires the access key t0Tach.

Record the passkey that you used in your documentation so that Technical Support can obtain root access in the future. To see the current passkey, use the following CLI command:

support show passkey root

Questions - How secure is the Guardium system root password? Who has access to it?

For Guardium appliances, end users can use limited access operating system accounts, such as cli and guardcli1 to guardcli5.

The GUI user accounts (such as admin and accessmgr) are not defined by the Guardium system's operating system, but are application IDs defined and managed from the accessmgr application interface.

Because the appliance is a secured server, root access is not readily available to anyone. Guardium support often requires root access to the Guardium appliances to troubleshoot and resolve issues. Guardium support does not use sudo, or any user ID other than root, to gain access to Guardium appliances.

The root password is secured by using a "joint password" mechanism. Your site holds the keys to the appliance in the form of an encoded numeric passkey. IBM holds the passkey decoder. For either you or IBM to access the appliance as root, both the passkey and passkey decoder are required.

You can manage the passkey from the CLI interface. You can change the passkey at any time, without notifying IBM, by using the following CLI command:

support reset-password root

Anyone with CLI access can retrieve the passkey for root by using the following CLI command:

support show passkey root

If you need to work with Guardium support on a remote desktop sharing session, the support analyst requests the root passkey for the Guardium appliance in question. After the passkey is decoded, Guardium support uses the root password to gain access to the appliance as root. After the remote desktop session ends, be sure to change the passkey (by using support reset-password root) to ensure that IBM no longer has the root password for this appliance.

All encoded passwords are hardened. They do not contain any common passwords or dictionary words; their length varies, and they might contain national, special, and alphanumeric characters.

Access to the passkey decoder is restricted to a select few IBM Guardium employees, such as Guardium R&D, Guardium QA, and Guardium support staff members. It is not available to IBM staff.

The CLI user IDs (cli, guardcli1 to guardcli5) do not use the passkey mechanism. Their passwords are entirely governed by your organization and IBM does not have access to their passwords. IBM recommends that you keep the root passkey in a password vault. This action ensures that you can access the appliance even if users at your site leave or misplace the CLI account passwords.