Depends on your situation... one solution:
We created an admin account (ex. QUERY), that is granted no authority. Which means it can do queries, but can't change anything. For scripts that just do queries, we use that admin id and don't sweat whether it's hackable. Now in theory somebody could find out the password and SUBMIT A BIG QUERY that ties up your server, but really, so what.... not in my list of Worst Things to Worry About. another solution: For scripts that do more than queries, put the userid and password in a file that is protected so only root can read it. Then have the script (assume you are running it via cron) read the id and password from that file and plug it in. If you're rally paranoid, encrypt the file that has the userid and password in it. But if your root password is compromised.... TSM won't be the Worst Thing to Worry About... -----Original Message----- From: Justin Bleistein [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 27, 2003 3:24 PM To: [EMAIL PROTECTED] Subject: Re: Clear text passwords. Was: Automating dsmserv any alternatives to running: "dsmserv" via batch mode with the: dsmadmc -id=login -pass=password syntax... I mean it's passwords in clear text so all someone has to do is cat that file and your exposed... Any ideas on how to automate the client-server interface (dsmadmc) without displaying the password anywhere?. Thanks!. --Justin Richard Bleistein Unix/TSM Systems Administrator (Sungard eSourcing) Desk: (856) 566 - 3485 Cell: (856) 912 - 0861 Email: [EMAIL PROTECTED] "Stapleton, Mark" <[EMAIL PROTECTED] To: [EMAIL PROTECTED] COM> cc: Sent by: "ADSM: Subject: Re: Clear text passwords. Was: Automating dsmserv Dist Stor Manager" <[EMAIL PROTECTED] .EDU> 05/27/2003 12:08 PM Please respond to "ADSM: Dist Stor Manager" From: Thomas A. La Porte [mailto:[EMAIL PROTECTED] > Since this topic of clear text passwords has arisen, I wonder if > anybody knows whether or not there is/are any outstanding > requirements or enhancement requests for Kerberos support within > TSM. This would be handy both in the situation discussed below, > and for general administrative and node access to the server. > > If there isn't an outstanding request, I'll probably go ahead and > ask that one be made. One of the nice things about how Tivoli has handled TSM is that the authentication system is *exactly* the same, no matter what the server and client OS platforms may be. The same can be said for the interfaces and the way administration is performed. Inserting something like Kerberos into the mix would mean you'd have to make it work for all platforms that the TSM server supports--including MVS, OS/400, and <shudder> Windows. There are ways of scripting TSM tasks that can sidestep the clear text stuff, much the same as the ways you script FTP sessions without putting passwords where users can gefingerpoken. -- Mark Stapleton ([EMAIL PROTECTED]) Berbee Information Networks Office 262.521.5627
