
PowerProtect DP Series: Protection Storage: Data Domain: Security Officer Account Resolution Path

Summary: PowerProtect DP Series: Protection Storage or Data Domain: Security Officer Account Resolution Path


Article Content


Instructions

What is Security Officer?

  • A Security Role user, who may be referred to as a Security Officer, can manage other Security Officers, authorize procedures that require security officer approval, provide data destruction oversight, and perform all tasks that are supported for Security Role users.
  • The Security Role is provided to comply with the Write-Once-Read-Many (WORM) regulation. This regulation requires electronically stored corporate data be kept in an unaltered, original state for purposes such as e-Discovery, auditing, and logging.
  • In a typical scenario, an admin role user issues a command and, if Security Officer approval is required, the system displays a prompt for approval. The Security Officer must enter their username and password on the same console at which the command was run to proceed with the original task.
  • If the system recognizes the Security Officer credentials, the procedure is authorized. If not, a security alert is generated.

Purpose:
Due to compliance regulations, most command options for administering sensitive operations require Security Officer (SO) credentials and authorization.

A few examples of operations that require SO authorization:
  • Entering SE Mode (several operations, such as registry changes, can be performed only in SE Mode; for more details on SE Mode commands, see Solve Desktop)
  • Encryption
  • Retention Lock
  • System Passphrase 
  • Enabling FIPS
  • Filesystem Destroy
  • Cloud Tier Destroy, and so forth
For more details on operations that require Security Credentials, see the DD OS Administration guide for the respective operating system from Solve Desktop.


How to create Security Officer:
  • To create the first Security Officer (SO) account, follow Dell KB article 198128 (linked below) to create the account from ACM:

PowerProtect DP Series: Protection Storage: Alert: Security officer user account must be created.


Guidelines:

  • If the Security Officer is created from Data Domain directly and not from ACM, then security authorization is not enabled automatically.
  • To enable the authorization policy, a Security Officer must log in or SSH to Data Domain and enable the authorization policy as below.
Sec_Officer01@dd4400>authorization policy show 
Sec_Officer01@dd4400>authorization policy set security-officer enabled
Sec_Officer01@dd4400>authorization policy show

  • After the first Security Officer is created, only a Security Officer can create another Security Officer account.


Having trouble with Security Officer Account:

  • If a Security Officer user exists but cannot log in because the account is locked or the password is lost, forgotten, or expired, attempt the steps below in sequence.


Option 1:

Log in to the DDR with a user account that has admin privileges, such as "sysadmin", and run the command below to identify the correct Security Role username first:

# user show list

Open another SSH session to Data Domain and log in as the Security Officer (SO) user. If the password has expired, the system automatically prompts you to set a new password.


Option 2:

If that is not the case, you may attempt to log in using the default or common password for IDPA.
If that password was set while creating the Security Officer user, the login succeeds.
Note: From IDPA 2.7, there is a hard requirement that the Security Officer password must not be the same as the common password. However, the above can be attempted for earlier releases.


Option 3:

If the issue persists, verify whether any other Security Officer user exists in the output of the "user show list" command that was run earlier. Only another security user, if one exists, has permission to change or unlock the locked Security Officer account.

If another Security Officer (SO) account exists, do the following as required:

  • If the requirement is to change the password:

Log in or SSH to Data Domain using that second SO username and use the command below to change the password:

# user change password [< SO username>]


  • If the requirement is only to unlock the account:
Contact Dell Support if the account is locked due to too many failed login attempts.

Note:

  • The Security Officer user account is locked after three failed login attempts. This is in compliance with STIG.
  • Once the Security Officer user account is locked, the user MUST wait for the unlock timeout (default 120 seconds) before logging in again.
sysadmin@DD# adminaccess option show
Option                 Value
--------------------   --------
login-unlock-timeout   120
login-max-attempts     3
..
…..
--------------------   --------


  • Important: Keep the Security Officer credentials safe and change the password before it expires, because only another Security Officer (if one exists) has permission to change or reset a Security Officer account. Only an existing Security Officer can create another Security Officer account.
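As an added illustration (not part of the Dell article), the following Python check parses the two command outputs this procedure relies on, "user show list" and "adminaccess option show", and flags the two situations the article warns about: a system with only one Security Officer, and an SO account that is currently locked and must wait out login-unlock-timeout. The column layout of "user show list" is an assumption for the example; the "adminaccess option show" layout follows the article. Both sample outputs are constructed.

```python
import re
# Constructed sample of `user show list` output; the column layout is an assumption
# for this example, not taken from DD OS documentation.
USER_SHOW_LIST = """\
Name            Role       Status
--------------  ---------  --------
sysadmin        admin      active
Sec_Officer01   security   locked
Sec_Officer02   security   active
--------------  ---------  --------
"""
# Constructed sample in the `adminaccess option show` layout shown in the article.
ADMINACCESS_OPTION_SHOW = """\
Option                 Value
--------------------   --------
login-unlock-timeout   120
login-max-attempts     3
--------------------   --------
"""

def parse_users(text):
    # One dict per user row; the header and dashed rule lines are skipped.
    users = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 3 and not parts[0].startswith("-"):
            users.append({"name": parts[0], "role": parts[1], "status": parts[2]})
    return users

def parse_options(text):
    # {option: value} from the two-column `adminaccess option show` output.
    opts = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"^(\S+)\s+(\S+)$", line)
        if m and not m.group(1).startswith("-"):
            opts[m.group(1)] = m.group(2)
    return opts

def security_officers(text):
    return [u for u in parse_users(text) if u["role"] == "security"]

def assess(user_text, option_text):
    # Flag a lone SO (no peer can reset it) and a locked SO (wait out the timeout).
    sos, opts, findings = security_officers(user_text), parse_options(option_text), []
    if len(sos) < 2:
        findings.append("single Security Officer: no peer can reset the password or unlock the account")
    if any(u["status"] == "locked" for u in sos):
        findings.append("locked SO account: wait %s s (login-unlock-timeout) before retrying" % opts.get("login-unlock-timeout"))
    return {"security_officers": [u["name"] for u in sos], "findings": findings,
            "unlock_timeout": int(opts.get("login-unlock-timeout", 0)), "max_attempts": int(opts.get("login-max-attempts", 0))}
```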

Article Properties


Affected Product

Data Domain, PowerProtect Data Protection Appliance

Last Published Date

24 May 2023

Version

9

Article Type

How To