IBM Support

IBM Infosphere Guardium appliance root password management

Question & Answer


Question

How can I ensure my Guardium appliance's root password is secure? Who has access to it?

Cause

Guardium appliances are "black box" environments in which the user only has access to limited-access operating system accounts, such as:
cli
guardcli1
guardcli2
guardcli3
guardcli4
guardcli5

The graphical user interface user accounts (for example admin and accessmgr) are not defined to the appliance's operating system; they are application IDs defined and managed through an application interface (accessmgr).



Because the appliance is a secured server, root access is not readily available to anyone, but it is often required by Guardium support to gain access to Guardium appliances to troubleshoot and resolve issues. Guardium support does not use sudo, or any user ID other than root, to gain access to Guardium appliances.

Customers are not permitted to have the root password, as this would cause a conflict of interest and likely result in audit compliance failures by allowing customers to circumvent the security provided by IBM's Guardium Data Security software.

Answer

The root password is secured using a 'joint password' mechanism, whereby the customer holds the keys to the appliance in the form of an eight-digit numeric passkey and IBM holds the passkey decoder. Without both the passkey and the passkey decoder, neither IBM nor the customer can readily access the appliance as root.

The passkey is governed by the customer via the cli interface. The customer can change the passkey at any time, without notifying IBM, by using the following cli command:


support reset-password root

The challenge access key is documented in the online Guardium documentation:

https://www.ibm.com/docs/en/guardium/11.4?topic=configuration-resetting-root-password
 

Anyone with cli access can retrieve the passkey for root by using the following cli command:


support show passkey root
 

When engaging Guardium support on a remote desktop sharing session, the support analyst will request the root passkey from the Guardium appliance in question. Once the passkey has been decoded, support will use the resultant root password to gain access to the appliance as root. After the remote desktop sharing session terminates, the customer can change the passkey using the above cli command, thereby ensuring IBM no longer has the root password for this appliance.

Being an eight-digit numeric key, the passkey has a range of 10000000 to 99999999, thereby providing 89,999,999 possible passwords. All encoded passwords are hardened: they do not contain any common passwords or dictionary words, their length varies, and they contain national, special, alphabetic (upper and lowercase) and numeric characters.

Note that versions v10.1.4 and later have larger passkeys with dashes embedded, e.g. 1-1111-111-1-1-1

Access to the passkey decoder is restricted to a select few IBM employees, such as Guardium R&D, QA and support staff members. It is not generally available to IBM staff.

The cli user IDs mentioned above (cli, guardcli1, guardcli2, guardcli3, guardcli4, guardcli5) do not use the passkey mechanism; their passwords are 100% governed by the customer, and IBM has no access to them. For this reason, IBM recommends keeping the root passkey in a password vault to ensure the appliance is accessible even if the cli account passwords have been forgotten or misplaced.


Document Information

Modified date:
07 October 2021

UID

swg21964342