I go one step farther, in never storing the password itself on disk, but instead storing an encrypted form of it. The key is stored in a separate location. The script decrypts it each time it uses it, and never stores it. When I change the password, I change the key too. It's kind of like requiring two passwords. All this is only stored on/running on a root account.
I agree that somehow implementing password generate for the dsmadmc command would be better. Or, what if it simply did not require a password if it was running on root? If the unix root user is compromised, what does TSM have left to hide?

Roger Deschner University of Illinois at Chicago [EMAIL PROTECTED]
============== Remember, UNIX spelled backwards is XINU. ===============

On Tue, 23 Apr 2002, Seay, Paul wrote:

>I have semi-solved this problem. I have placed the dsmadmc command in a
>execute only script file. The key is automatically changing the password
>often in case it gets exposed. So, I wrote a script that creates random
>passwords and changes the password often. I run this script under root or a
>userid that is the only one that has access to read/write the dsmadmc script
>file.
>
>I know we need a password generate function for server directed dsmadmc
>commands, but there is not a real good way to do this.
>
>-----Original Message-----
>From: Glass, Peter [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, April 23, 2002 6:45 PM
>To: [EMAIL PROTECTED]
>Subject: unix trigger for TSM Server processes?
>
>
>What is the best way to have unix trigger a TSM backup storagepool process?
>We need to start this process immediately upon completion of a client's DB2
>backup. We can't very well schedule this, because the completion time of the
>backup varies widely, from one backup to the next. We can afford to begin
>the tape copy process neither too soon, nor too late. One idea might be to
>have a DB2 script invoke unix to start something via /usr/bin/dsmadmc
>-id=admin -pass=password, et cetera, but this would mean hardcoding the
>password with the -pass= parameter, which would present a security exposure.
>Any suggestions on how we might accomplish this would be greatly appreciated
>(both the client and server platforms are AIX 4.3.3; TSM is at V4 R2).
>Thanks, in advance.
>
>Peter Glass
>Distributed Storage Management (DSM)
>Wells Fargo Services Company
>
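Added example, not part of the original thread or anyone's actual script: one way to implement the scheme described in the reply above, where only an encrypted password is on disk, the key lives in a separate location, the script decrypts on each use without storing the result, and the key is replaced whenever the password changes. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`); the function names, file names and sample password are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed). Function names, paths and the sample password
# are assumptions; requires OpenSSL 1.1.1+ for -pbkdf2.
umask 077   # every file created below is readable by its owner only

# True only for a regular file whose mode is exactly 0600.
is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# seal_password KEYFILE BLOBFILE: read the password on stdin, write a fresh
# random key to KEYFILE and the encrypted password to BLOBFILE.
# A new key on every call matches "when I change the password, I change the key too".
seal_password() {
    rm -f "$1" "$2"                      # recreate so the 0600 mode is guaranteed
    openssl rand -hex 32 > "$1" || return 1
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -out "$2"
}

# unseal_password KEYFILE BLOBFILE: print the password on stdout.
# Nothing is written to disk; the caller keeps it in a shell variable only.
unseal_password() {
    is_private "$1" || { echo "key file missing or not mode 0600: $1" >&2; return 1; }
    is_private "$2" || { echo "blob missing or not mode 0600: $2" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2"
}

# Round trip with key and blob in two separate directories.
demo() {
    keydir=$(mktemp -d) && blobdir=$(mktemp -d) || return 1
    printf '%s' 'Constructed-Sample-Pw1' |
        seal_password "$keydir/tsm.key" "$blobdir/tsm.pw.enc" || return 1
    pw=$(unseal_password "$keydir/tsm.key" "$blobdir/tsm.pw.enc") || return 1
    # $pw now exists only in this process; the admin script would use it here.
    [ "$pw" = 'Constructed-Sample-Pw1' ] && echo "round trip ok"
    rm -rf "$keydir" "$blobdir"
}
demo
```

The password reaches `seal_password` on stdin rather than as an argument, so it does not appear in the process list while it is being encrypted.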