Question & Answer
Question
Cause
cli
guardcli1
guardcli2
guardcli3
guardcli4
guardcli5
The graphical user interface user accounts (for example admin and accessmgr) are not defined to the appliance's operating system; rather, they are application IDs defined and managed via an application interface (accessmgr).
Because the appliance is a secured server, root access is not readily available to anyone, but it is often required by Guardium support to gain access to the Guardium appliances to troubleshoot and resolve issues. Guardium support do not use sudo, or any other user ID other than root, to gain access to Guardium appliances.
Customers are not permitted to have the root password, as this would cause a conflict of interest and likely result in audit compliance failures, allowing customers to circumvent the security provided by IBM's Guardium Data Security software.
Answer
The passkey is governed by the customer via the cli interface. The customer can change the passkey at any time, without notifying IBM, by using the following cli command:
support reset-password root
The challenge access key is documented in the online Guardium documentation:
Anyone with cli access can retrieve the passkey for root by using the following cli command:
support show passkey root
When engaging Guardium support on a remote desktop sharing session, the support analyst will request the root passkey from the Guardium appliance in question. Once the passkey has been decoded, support will use the resultant root password to gain access to the appliance as root. After the remote desktop sharing session terminates, the customer can change the passkey using the above cli command, thereby ensuring IBM no longer has the root password for this appliance.
Being an eight-digit numeric key, the passkey has a range of 10000000 to 99999999, thereby providing 89,999,999 possible passwords. All encoded passwords are hardened: they do not contain any common passwords or dictionary words, their length varies, and they contain national, special, alphabetic (upper and lowercase) and numeric characters.
Note that versions v10.1.4 and later have larger passkeys with dashes embedded, e.g. 1-1111-111-1-1-1
Access to the passkey decoder is restricted to a select few IBM employees, such as Guardium R&D, QA and support staff members. It is not generally available to IBM staff.
The cli user IDs mentioned above (cli, guardcli1, guardcli2, guardcli3, guardcli4, guardcli5) do not use the passkey mechanism and their passwords are 100% governed by the customer with IBM having no access to their passwords. For this reason, IBM do recommend keeping the root passkey in a password vault to ensure the appliance is accessible even if the cli account passwords have been forgotten or misplaced.
Document Information
Modified date: 07 October 2021
UID: swg21964342