ADSM-L

Re: unix trigger for TSM Server processes?

2002-04-24 01:00:01
Subject: Re: unix trigger for TSM Server processes?
From: Roger Deschner <rogerd AT UIC DOT EDU>
Date: Wed, 24 Apr 2002 00:00:18 -0500
I go one step farther, in never storing the password itself on disk, but
instead storing an encrypted form of it. The key is stored in a separate
location. The script decrypts it each time it uses it, and never stores
it. When I change the password, I change the key too. It's kind of like
requiring two passwords. All this is only stored on/running on a root
account.

I agree that somehow implementing password generate for the dsmadmc
command would be better. Or, what if it simply did not require a
password if it was running on root? If the unix root user is
compromised, what does TSM have left to hide?

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
============== Remember, UNIX spelled backwards is XINU. ===============


On Tue, 23 Apr 2002, Seay, Paul wrote:

>I have semi-solved this problem.  I have placed the dsmadmc command in an
>execute-only script file.  The key is automatically changing the password
>often in case it gets exposed.  So, I wrote a script that creates random
>passwords and changes the password often.  I run this script under root or a
>userid that is the only one that has access to read/write the dsmadmc script
>file.
>
>I know we need a password generate function for server directed dsmadmc
>commands, but there is not a real good way to do this.
>
>-----Original Message-----
>From: Glass, Peter [mailto:Peter.K.Glass AT WELLSFARGO DOT COM]
>Sent: Tuesday, April 23, 2002 6:45 PM
>To: ADSM-L AT VM.MARIST DOT EDU
>Subject: unix trigger for TSM Server processes?
>
>
>What is the best way to have unix trigger a TSM backup storagepool process?
>We need to start this process immediately upon completion of a client's DB2
>backup. We can't very well schedule this, because the completion time of the
>backup varies widely, from one backup to the next. We can afford to begin
>the tape copy process neither too soon, nor too late. One idea might be to
>have a DB2 script invoke unix to start something via /usr/bin/dsmadmc
>-id=admin -pass=password, et cetera, but this would mean hardcoding the
>password with the -pass= parameter, which would present a security exposure.
>Any suggestions on how we might accomplish this would be greatly appreciated
>(both the client and server platforms are AIX 4.3.3; TSM is at V4 R2).
>Thanks, in advance.
>
>Peter Glass
>Distributed Storage Management (DSM)
>Wells Fargo Services Company
>
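Roger's scheme above (password stored only in encrypted form, key kept in a separate file, both replaced together on every password change), written out as an added illustration that is not from the thread or from TSM. It assumes a one-time random key the same length as the password, a 16-character generated password, and the file names admin.sec and admin.key; the script refuses to use either file if it is owned by someone else or readable by group or others.

```python
import os
import secrets
import tempfile

def _write_private(path, data):
    """Replace the file with a fresh one created owner-read-only (0400)."""
    if os.path.exists(path):
        os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def _check_private(path):
    """Refuse a file that another user owns or that group/others can reach."""
    st = os.stat(path)
    if st.st_uid != os.getuid() or st.st_mode & 0o077:
        raise PermissionError(f"{path}: wrong owner or too permissive")

def rotate(secret_path, key_path):
    """New random password and new random key; disk holds only their XOR."""
    pw = secrets.token_urlsafe(12).encode()  # 16 printable characters
    key = secrets.token_bytes(len(pw))  # one fresh key per password
    _write_private(key_path, key)  # keep this file on a separate path
    _write_private(secret_path, bytes(a ^ b for a, b in zip(pw, key)))
    return pw.decode()  # caller sets this on the TSM server, nowhere else

def recover(secret_path, key_path):
    """Rebuild the password in memory only; nothing is written back to disk."""
    _check_private(secret_path)
    _check_private(key_path)
    with open(secret_path, "rb") as f, open(key_path, "rb") as g:
        cipher, key = f.read(), g.read()
    if len(cipher) != len(key):
        raise ValueError("secret and key files do not match; rotate again")
    return bytes(a ^ b for a, b in zip(cipher, key)).decode()

def round_trip():
    """Rotate then recover in a throwaway directory (assumed file names)."""
    d = tempfile.mkdtemp()
    sec, key = os.path.join(d, "admin.sec"), os.path.join(d, "admin.key")
    pw = rotate(sec, key)
    with open(sec, "rb") as f, open(key, "rb") as g:
        stored = f.read() + g.read()
    ok = recover(sec, key) == pw and pw.encode() not in stored
    os.chmod(key, 0o644)  # simulate a mistake: key readable by everyone
    try:
        recover(sec, key)
        return False
    except PermissionError:
        return ok
```

Whatever calls recover() still has to hand the password to dsmadmc; putting it on the command line as -pass= makes it visible in process listings to other users on the host, so prefer a channel the tool reads privately where one is available.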