IBM Spectrum Protect 8.1.14 Multi Factor Authentication – OC Demo скачать в хорошем качестве

IBM Spectrum Protect 8.1.14 Multi Factor Authentication – OC Demo

Multi factor authentication (MFA) provides additional logon security for Spectrum Protect administrators. This Operations Center demo will show how to setup MFA for another admin. How to logon for the first time and register the shared secret with an app that generates 6 digit, time based tokens. It shows how to scan the QR code or how to generate a URI. It also covers resetting the shared secret and sharing the shared secret. Check out the MFA demo using the Command Line:    • IBM Spectrum Protect 8.1.14 Multi Factor A...   register admin admin-name admin-password mfarequired=yes (sharedsecret=secret) update admin admin-name mfarequired=yes/no (sharedsecret=secret) (resetsharedsecret=yes) Shared secret can be optionally specified, if not specified, one is automatically generated Resetsharedsecret can be optionally used if admin requires the generation of a new shared secret query admin admin_name format=detailed ”Multi-Factor Authentication Required” No: not required / Yes: required / Transitional: required but not yet enrolled MFA requires the Hub and Spoke servers be at 8.1.14+. It requires providing the shared secret to security app with RFC 6238, TOTP, SHA1, 6 digits, 30 second interval. It also requires all devices used for authentication and SP 8.1.14+ servers are in sync with current time. MFA can only be turned on for other admins by an admin with system privileges (all admins can turn their own mfa on) Admin can not turn off their OWN MFA – only another admin can do this Admin can issue their own udpdate admin resetsharedsecret=yes If command approval is on, and only if the admin in question is currently in transitional or strict MFA state, update admin MFAREQUIRED=NO must be approved by another admin If using command routing, the admins on each server must have the same shared secret If using enterprise configuration, and the admin is registered to a profile the subscribed managed server(s)’ matching admin will automatically receive the shared secret Export will export the MFA settings and shared secrets to the importing server MFA is only for interactive admin sessions For unattended operations or automation, don’t use an Admin with MFA If using the same ID for both interactive and unattended sessions, register a new ID to use for the unattended ops using a strong, complex password known only to the automation Client (backup/archive, etc) isn't affected by MFA EXCEPT if you login using administrator credentials (say for a help desk) If the admin is required to use MFA, append the TOTP token end of the password just like with dsmadmc Thank you to Evan Gubler for running this demo.