Understanding Client Side Encryption - ISP 8.1.2

ILCattivo

ADSM.ORG Senior Member
#1
So I believe things have changed recently with the way Spectrum Protect 8.1.2 now handles client side encryption.

I have read various IBM KB's on the subject but still need to get my head around a few points..

If these are the settings within a client opt file... (Windows)

ENCRYPTKEY SAVE
ENCRYPTIONTYPE AES256
INCLUDE.ENCRYPT *:\...\*

  1. Does the encryption key file change each time a backup session is initiated (scheduled)?
  2. If I wanted to protect this encryption key file, what is it called (assuming it sits in the 'baclient' directory) and how often do I need to copy it off of the server where it currently resides? I am fully aware that losing an encryption key file due to a downed server can be catastrophic in terms of data recovery.

Thanks
 

marclant

ADSM.ORG Moderator
#2
Does the encryption key file change each time a backup session is initiated (scheduled)?
No, because it's set to save: you are prompted the first time and it's saved in TSM.sth.
If I wanted to protect this encryption key file, what is it called (assuming it sits in the 'baclient' directory) and...
https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.2/client/c_secure_pwd.html

how often do I need to copy it off of the server where it currently resides?
If you lose the file, but know the encryption key, you can still restore without the file.
 

Trident

TSM noob with 10 years experience
ADSM.ORG Moderator
#4
Just a small comment.

.sth is a stashed password file that unlocks a .kdb file, while .idx is an index file.
 

ILCattivo

ADSM.ORG Senior Member
#5
Just a small comment.

.sth is a stashed password file that unlocks a .kdb file, while .idx is an index file.
While the 'IBM 8.1.2' link provided by marclant specifies these files named as 'TSM.', having tested this today, these files are nowhere to be found within the 'baclient' directory.

Instead all 3 are located here 'C:\ProgramData\Tivoli\TSM\baclient\Nodes\DEMO\ISPServer' <--- Protected by the OS & hidden.

Having applied the key password today, this morning - 10/11/2017 (British date format), only TSM.IDX & TSM.KDB have a modification date of the time I applied the key password. TSM.STH has a modification date of 2 days ago?

So consider the following scenario based on what I found above. If the user who set the original key password forgets or mislays it, will he/she require all 3 of these files within the above location in order to get to the encrypted data to restore it, in the event that a particular client server had to be rebuilt from scratch and the ISP 8.1.2 BA Client re-installed afresh?
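To put the question in post #5 into practice, here is an added PowerShell example (not from the thread, IBM, or the BA Client) that inventories the three files at the ProgramData location named above, records their modification times and hashes, and copies them to an off-box folder readable only by Administrators and SYSTEM. The node name DEMO, server name ISPServer and file names come from the thread; the destination path is an assumption, and whether a copied stash is usable on a different hostname is, as marclant says, still to be tested.

```powershell
# Added example: inventory and copy off the BA Client password/key stash files
# found in post #5. Assumes the path layout seen there: ...\Nodes\<NODE>\<SERVER>.
param(
    [string]$NodeName    = 'DEMO',             # node name from the thread
    [string]$ServerName  = 'ISPServer',        # server stanza name from the thread
    [string]$Destination = 'D:\KeyStashBackup' # hypothetical off-box copy location
)

$stashDir = Join-Path $env:ProgramData "Tivoli\TSM\baclient\Nodes\$NodeName\$ServerName"
$files    = 'TSM.KDB', 'TSM.STH', 'TSM.IDX'

# Report presence and last-write time; the thread observed only TSM.KDB/TSM.IDX
# changing when the key password was (re)entered, so compare these dates.
$report = foreach ($name in $files) {
    $path = Join-Path $stashDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force   # -Force: the files are hidden
        [pscustomobject]@{
            File     = $name
            Exists   = $true
            Modified = $item.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    } else {
        [pscustomobject]@{ File = $name; Exists = $false; Modified = $null; SHA256 = $null }
    }
}
$report | Format-Table -AutoSize

# Copy the set into a timestamped folder; the hashes above let you verify the
# copy later without opening the files.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $Destination "$NodeName-$ServerName-$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null
foreach ($row in ($report | Where-Object Exists)) {
    Copy-Item -LiteralPath (Join-Path $stashDir $row.File) -Destination $target -Force
}

# The .STH unlocks the .KDB, so the copy needs at least the protection the
# original has: drop inherited ACEs and allow only Administrators and SYSTEM.
$acl = Get-Acl -LiteralPath $target
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -LiteralPath $target -AclObject $acl
```

Run it from an elevated prompt on the client, since the stash directory is OS-protected; the printed table is what you would compare against the modification dates reported in post #5.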
 

marclant

ADSM.ORG Moderator
#6
Unless they remember the encryption key they typed and the node password, the latter can be reset.

Also, not sure it will work to just copy the file for restoring from a different machine, i.e. different hostname, which may be needed in some DR scenarios.

Worth testing
 

ILCattivo

ADSM.ORG Senior Member
#7
Unless they remember the encryption key they typed and the node password, the latter can be reset.

Also, not sure it will work to just copy the file for restoring from a different machine, i.e. different hostname, which may be needed in some DR scenarios.

Worth testing
And these are exactly the questions I am being asked. These DR scenarios can be a bit of a faff to test when the actual production client server is still LIVE, and thus changing NODE passwords and restoring from a different host to test it will result in a mismatch of node passwords between the ISP Server and the original prod client server.

Best probably to do this kind of testing in an isolated lab, doesn't help when a paranoid customer wants to test the scenario himself though.

Thanks marclant
 
