Understanding Client Side Encryption - ISP 8.1.2

Discussion in 'TSM Security and Regulatory Compliance' started by ILCattivo, Nov 9, 2017.

  ILCattivo (ADSM.ORG Member, Oxford, United Kingdom):
    So I believe things have changed recently with the way Spectrum Protect 8.1.2 now handles client-side encryption.

    I have read various IBM KBs on the subject but still need to get my head around a few points...

    If these are the settings within a client opt file (Windows):

    ENCRYPTKEY SAVE
    ENCRYPTIONTYPE AES256
    INCLUDE.ENCRYPT *:\...\*

    1. Does the encryption key file change each time a backup session is initiated (scheduled)?
    2. If I wanted to protect this encryption key file, what is it called (assuming it sits in the 'baclient' directory), and how often do I need to copy it off the server where it currently resides? I am fully aware that losing an encryption key file due to a downed server can be catastrophic in terms of data recovery.

    Thanks
     
  marclant (ADSM.ORG Moderator, Accelerated Value Specialist for Spectrum Protect, Canada):
    No, because it's set to SAVE: you are prompted the first time and it's saved in TSM.sth.
    https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.2/client/c_secure_pwd.html

    If you lose the file, but know the encryption key, you can still restore without the file.
     
  Trident (ADSM.ORG Moderator, IT operations, Oslo, Norway):
    Just a small comment.

    .sth is a stashed password file that unlocks a .kdb file, while .idx is an index file.
     
  ILCattivo (ADSM.ORG Member, Oxford, United Kingdom):
    While the IBM 8.1.2 link provided by marclant specifies these files as named 'TSM.', having tested this today, these files are nowhere to be found within the 'baclient' directory.

    Instead all 3 are located here 'C:\ProgramData\Tivoli\TSM\baclient\Nodes\DEMO\ISPServer' <--- Protected by the OS & hidden.

    Having applied the key password today, this morning - 10/11/2017 (British date format), only TSM.IDX & TSM.KDB have a modification date of the time I applied the key password. TSM.STH has a modification date of 2 days ago?

    So consider the following scenario, based on what I found above. If the user who set the original key password forgets or mislays it, will he/she require all 3 of these files from the above location in order to get to the encrypted data and restore it, in the event that a particular client server had to be rebuilt from scratch and the ISP 8.1.2 BA Client reinstalled afresh?
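The option settings from the opening post and the key-store location and modification dates in the post above, as an added example (this is not code from the thread, from ADSM.ORG or from IBM): a Python script that checks a dsm.opt for the three encryption options discussed, takes a SHA-256 plus mtime snapshot of TSM.KDB, TSM.sth and TSM.IDX under the node directory, diffs two snapshots so "does the key store change on every scheduled session" can be answered from content hashes rather than file dates, and copies the three files to an escrow location for DR. Python is used rather than PowerShell only so the check runs from any admin workstation. Assumptions: the three file names and the Nodes\<NODE>\<SERVER> layout are exactly and only what the thread quotes; the sample dsm.opt text and placeholder file contents are constructed here; `escrow_keystore` is a hypothetical helper name, not a Spectrum Protect command.

```python
"""Added example (not from the ADSM.ORG thread or IBM): audit dsm.opt encryption options,
fingerprint the key-store files TSM.KDB/TSM.sth/TSM.IDX, and copy them to an escrow location."""
import hashlib
import shutil
import tempfile
from pathlib import Path

KEYSTORE_FILES = ("TSM.KDB", "TSM.sth", "TSM.IDX")  # names as quoted in the thread (assumed complete)

# Constructed sample dsm.opt matching the opening post's settings (not a real client config).
SAMPLE_DSM_OPT = """\
* constructed sample, not a real client configuration
NODENAME         DEMO
TCPSERVERADDRESS ispserver.example.invalid
ENCRYPTKEY       SAVE
ENCRYPTIONTYPE   AES256
INCLUDE.ENCRYPT  *:\\...\\*
"""
# Constructed weak variant: key prompted every session, older cipher, nothing selected for encryption.
WEAK_DSM_OPT = "NODENAME DEMO\nENCRYPTKEY PROMPT\nENCRYPTIONTYPE DES56\n"

def parse_dsm_opt(text):
    """Map each option (upper-cased) to the list of values seen; lines starting with '*' are comments.
    A list is kept per option because INCLUDE.ENCRYPT may legitimately appear many times."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].upper(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_encryption(opts):
    """Findings against the settings quoted in the thread; an empty list means they all match."""
    findings = []
    key_mode = opts.get("ENCRYPTKEY", [""])[-1].upper()
    if key_mode != "SAVE":
        findings.append(f"ENCRYPTKEY is {key_mode or 'unset'}, not SAVE")
    cipher = opts.get("ENCRYPTIONTYPE", [""])[-1].upper()
    if cipher != "AES256":
        findings.append(f"ENCRYPTIONTYPE is {cipher or 'unset'}, not AES256")
    if not opts.get("INCLUDE.ENCRYPT"):
        findings.append("no INCLUDE.ENCRYPT statement: nothing is selected for encryption")
    return findings

def snapshot_keystore(node_dir):
    """SHA-256 and mtime per key-store file (None if absent). The hash, not the date, decides
    whether content changed: a metadata-preserving copy keeps the old mtime."""
    snap = {}
    for name in KEYSTORE_FILES:
        path = Path(node_dir) / name
        snap[name] = ({"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                       "mtime": path.stat().st_mtime} if path.is_file() else None)
    return snap

def diff_snapshots(before, after):
    """Names of files whose content changed, appeared or vanished between two snapshots."""
    def digest(snap, name):
        entry = snap.get(name)
        return entry["sha256"] if entry else None
    return sorted(n for n in KEYSTORE_FILES if digest(before, n) != digest(after, n))

def escrow_keystore(node_dir, dest_dir):
    """Hypothetical helper: copy the key-store files (metadata preserved) to an off-host,
    access-controlled location and return a snapshot of the copies for the DR inventory."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    for name in KEYSTORE_FILES:
        src = Path(node_dir) / name
        if src.is_file():
            shutil.copy2(src, dest / name)
    return snapshot_keystore(dest)

def run_demo():
    """Run everything on constructed placeholder files in a temp directory and return the results."""
    results = {"findings_good": audit_encryption(parse_dsm_opt(SAMPLE_DSM_OPT)),
               "findings_weak": audit_encryption(parse_dsm_opt(WEAK_DSM_OPT))}
    with tempfile.TemporaryDirectory() as tmp:
        node_dir = Path(tmp) / "Nodes" / "DEMO" / "ISPServer"  # layout quoted in the thread
        node_dir.mkdir(parents=True)
        for name in KEYSTORE_FILES:
            (node_dir / name).write_bytes(b"constructed placeholder for " + name.encode())
        before = snapshot_keystore(node_dir)
        escrow = escrow_keystore(node_dir, Path(tmp) / "escrow")
        results["escrow_matches"] = diff_snapshots(before, escrow) == []
        (node_dir / "TSM.KDB").write_bytes(b"constructed placeholder, rewritten")  # simulate a re-key
        results["changed"] = diff_snapshots(before, snapshot_keystore(node_dir))
    return results

if __name__ == "__main__":
    print(run_demo())
```

Run `snapshot_keystore` against the real node directory once after setting the key password and again after a few scheduled sessions; an empty `diff_snapshots` result is the evidence that the store is not rewritten per session, and the escrow copy can then be refreshed only when a diff reports a change.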
     
  marclant (ADSM.ORG Moderator, Accelerated Value Specialist for Spectrum Protect, Canada):
    Unless they remember the encryption key they typed and the node password, the latter can be reset.

    Also, not sure it will work to just copy the file if restoring from a different machine, i.e. a different hostname, which may be needed in some DR scenarios.

    Worth testing.
     
  ILCattivo (ADSM.ORG Member, Oxford, United Kingdom):
    And these are exactly the questions I am being asked. These DR scenarios can be a bit of a faff to test when the actual production client server is still LIVE, and thus changing NODE passwords (restoring from a different host to test it) will result in a mismatch of node passwords between the ISP Server and the original prod client server.

    It's probably best to do this kind of testing in an isolated lab; that doesn't help when a paranoid customer wants to test the scenario himself, though.

    Thanks marclant
     
