A single indestructibility protection mechanism protects all indestructible protection policies and snapshots on the cluster. The mechanism is locked by default and must be unlocked by a secure procedure in order to perform various protected tasks, such as deleting indestructible snapshots.
A dedicated password is used in the procedure for unlocking the indestructibility mechanism. The password has a default value and can be changed only after unlocking the indestructibility mechanism. It is recommended to change the password from its default value as soon as possible after installation or upgrade of the cluster and before setting any snapshots or policies as indestructible.
If the password is forgotten, it can be restored to its default value. In order to ensure that an attacker cannot do this easily, there is an automatic delay whenever a password restore request is made. The password is not restored until after the password restore delay period, which is one day by default.
Only specially authorized users can unlock the indestructibility mechanism and change the indestructibility password. For the initial steps for establishing authorized users and setting the password for the first time see Required First Steps.
The Indestructibility settings page of the VAST Web UI displays Locked or Unlocked, so that you can easily see the current status.
The following VAST CLI commands display details of the indestructibility configuration: indestructibility show, indestructibility list
This procedure unlocks the indestructibility system and therefore enables VMS users to delete and modify indestructible snapshots and/or protection policies. It can be done only by personnel previously enrolled by VAST Support as users authorized to unlock the indestructibility mechanism.
The indestructibility mechanism remains unlocked for 60 minutes. During that time, VMS users can:
- Modify an indestructible protection policy, including changing the snapshot schedule and shortening the retention period for snapshots.
- Modify a protected path that points to an indestructible protection policy, including pausing the path.
- Delete indestructible snapshots.
- Shorten the expiration time of indestructible snapshots.
- Change the indestructibility password.
- Change the indestructibility password restore delay.
- In the VAST Web UI, select Settings from the left navigation menu and then select Indestructibility.
- Enter the Indestructibility Password in the field provided.
- Contact VAST Support using your pre-authorized user account. Request a support token for unlocking the mechanism.
  You will be asked to provide a VMS generated token and additional information for verifying your identity.
- Click Generate Token. VMS generates a token. The VMS-generated token is displayed in the Generated Token field.
  The token is valid for one hour.
- Provide the token to support. The support agent will seek additional authorization and provide the support token.
- Enter the support token into the Support Token field.
- Click Unlock System.
The indestructibility mechanism will now be unlocked. The status displayed at the top right of the Indestructibility settings page changes to Unlocked.
The indestructibility mechanism will automatically lock again one hour after it was unlocked.
- Contact VAST Support using your pre-authorized user account. Request a support token for unlocking the mechanism. You will be asked to provide the VMS generated token and additional information for verifying your identity.
- Run the indestructibility generate-token command to generate a VMS token.
- Provide the VMS token to Support. The support agent will seek additional authorization and provide the support token.
- Run the indestructibility unlock command to unlock the system using the token provided by support.
Changing the password requires unlocking the indestructibility mechanism.
- In the Indestructibility settings page, in the Settings area, enter the old indestructibility password into the Old Indestructibility Password field.
- Enter a new password into the New Indestructibility Password field. The password must have at least eight characters.
- Re-enter the same new password into the Confirm Password field.
- Click Modify and then click Yes to confirm the change.
- Run the indestructibility modify command with the --new-indestructibility-passwd option.

Note: You can change the password reset delay with the same command in the same command line.
In case of a forgotten indestructibility password, it is possible to restore the default password and then change it again to a new secure password.
When you restore the password to default, there is a delay until the password restore takes effect. The delay provides additional security in case of a rogue admin using VMS to restore the password. Throughout the duration of the password restore delay period, an alarm is raised. The alarm is raised to alert you that a password restore was initiated in case it was initiated by an unauthorized user. In case you suspect that a rogue admin has initiated a reset, please contact VAST Support and we will assist you.
The delay is one day by default and can be changed while the indestructibility mechanism is unlocked.
- In the VAST Web UI, select Settings from the left navigation menu and then select Indestructibility.
- Click Restore Password and then click Yes to confirm the action.
A countdown now begins toward restoring the password to its default value. A counter is displayed in the Indestructibility settings page so that you can track the time remaining until the password restore is done.
Run the indestructibility reset-passwd command.
The delay is one day by default. The password restore delay can be changed while the indestructibility mechanism is unlocked. The minimum delay is one minute.
- Select Settings from the left navigation menu and then select Indestructibility.
- In the Settings area, enter your chosen delay time in the Password restore delay field as an integer followed by m for minutes, h for hours or d for days. For example: enter 5d to set the delay to five days.
- Click Modify and then click Yes to confirm the change.
Run the indestructibility modify command with the --passwd-delay option.
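The delay format described above (an integer followed by m, h or d, minimum one minute, default one day), as an added example that is not VAST code: a change-review helper that parses a proposed delay, flags values shorter than a local policy floor, and computes when a restore request would take effect. The site_floor policy and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Units accepted by the Password restore delay field, per the page: m, h, d.
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
_DELAY_RE = re.compile(r"([0-9]+)([mhd])")

PRODUCT_MINIMUM = timedelta(minutes=1)  # minimum delay stated on the page
DEFAULT_DELAY = timedelta(days=1)       # default delay stated on the page


def parse_restore_delay(value):
    """Parse a delay such as '5d' into a timedelta; reject anything else."""
    match = _DELAY_RE.fullmatch(value)
    if match is None:
        raise ValueError(f"not an integer followed by m, h or d: {value!r}")
    delay = timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})
    if delay < PRODUCT_MINIMUM:
        raise ValueError(f"{value!r} is below the one-minute minimum")
    return delay


def review_delay_change(value, site_floor=DEFAULT_DELAY):
    """Return (delay, findings) for a proposed delay.

    site_floor is a hypothetical local policy, not a VAST setting: the
    shortest delay the organisation accepts without extra review.
    """
    delay = parse_restore_delay(value)
    findings = []
    if delay < site_floor:
        findings.append(
            f"{value} shortens the alarm window below the site floor of {site_floor}"
        )
    return delay, findings


def restore_takes_effect(requested_at, value):
    """Time at which a restore requested at requested_at would take effect."""
    return requested_at + parse_restore_delay(value)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real cluster.
    requested = datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc)
    for proposed in ("5d", "1d", "30m"):
        delay, findings = review_delay_change(proposed)
        print(proposed, delay, restore_takes_effect(requested, proposed), findings)
```

The value returned by restore_takes_effect is the end of the period during which the password restore alarm is raised, which is the time available to investigate a restore that nobody expected.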