You can set up secure communications by using a self-signed certificate with your object
storage system. In this situation, IBM Spectrum Protect™ uses
HTTPS instead of HTTP when it communicates with the object storage
system. The following steps provide a method for importing certificates.
About this task
Use a web browser to get a copy of the certificate used by the object storage system. The
following steps are specific to Firefox, but other browsers provide similar functions. Refer to your
preferred browser’s instructions on exporting certificates.
Procedure
- Get the certificate that is used by OpenStack Swift server or IBM® Cloud Object Storage.
  - Type the URL for your object storage system in the browser Address bar and press
    Enter. Use the keystone server URL for OpenStack, or the accesser node URL
    for IBM Cloud Object Storage.
    Tip: If you are using IBM Cloud Object Storage as your object storage system, log in to
    IBM Cloud Object Storage and click the Security tab. In the dsNet Fingerprint section,
    click dsNet certificate authority and copy the certificate information into a
    certificate file for Part 2.
  - Accept any warnings displayed by the browser.
  - Click the lock icon in the browser Address bar.
  - Select More Information in the pop-up window.
  - Select View Certificate in the Page Info window.
  - Click the Details tab in the Certificate Viewer page, and then select Export.
  - Save the exported file to the location that you want.
- Add the certificate to the Java™ default keystore.
  The following steps assume your client nodes are on Linux,
  and your server is running on Linux. Because each IBM Cloud Object Storage accesser has its own
  certificate by default, add the certificate for each accesser to the keystore, and use a different
  alias for each certificate.
  - Open a terminal and change directory to the jre/bin directory.
    The default installation location is /opt/tivoli/tsm/jre/bin.
  - Make a backup copy of the Java cacerts file by running the following command:
      cp ../lib/security/cacerts ../lib/security/cacerts.original
    On a Windows system, the location of the Java cacerts keystore is
    install_dir\jre\lib\security\, and the location of the keytool is install_dir\jre\bin\.
  - Import the saved certificate from the previous procedure by running the following command:
      ./keytool -import -keystore ../lib/security/cacerts -alias somealias -file yourfile
    where somealias is a unique alias for this certificate in the
    keystore, which is important if you have more than one certificate, and
    yourfile is the path and file name of the certificate from the
    first step of these instructions.
  - When you are asked for the password, type changeit. If you changed your
    password from the default password, type your current password.
  - When you are asked to trust this certificate, type yes.
    The following message is shown when the certificate is added successfully:
      Certificate was added to keystore
    The default certificates have a short expiration. When they expire, you
    might lose access to the object storage until you update the certificates. You can create your own
    certificates and use them, but creating and installing these certificates on object storage systems
    is outside the scope of this document.
- Restart the IBM Spectrum Protect server.
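
Because the browser warnings are accepted when the certificate is exported, nothing in the procedure confirms that the exported file is the storage system's real certificate. The following script is an added example, not IBM code: it compares the file's SHA-256 fingerprint with a value obtained separately from the storage administrator, warns about the short expiration mentioned above, and only then runs the backup and import commands from the procedure. It assumes that openssl is installed and that the exported file is in PEM format; the function names and the 30-day warning window are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes openssl is installed and the exported
# certificate is PEM. Function names and the 30-day window are hypothetical.

# Reduce a fingerprint to lowercase hex so "AB:CD", "ab cd" and "abcd" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Succeed only when both fingerprints are non-empty and equal after normalization.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: verify_and_import <cert-file> <alias> <expected-sha256-fingerprint>
# Run from the jre/bin directory, as in the procedure above.
verify_and_import() {
    cert=$1; cert_alias=$2; expected=$3
    if ! fp_matches "$(cert_fp "$cert")" "$expected"; then
        echo "fingerprint mismatch for $cert: not importing" >&2
        return 1
    fi
    # 2592000 seconds = 30 days; -checkend fails if the certificate expires sooner.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "warning: $cert expires within 30 days" >&2
    fi
    # Keep the first backup of cacerts; do not overwrite it on later imports.
    [ -e ../lib/security/cacerts.original ] ||
        cp ../lib/security/cacerts ../lib/security/cacerts.original || return 1
    # Same import command as in the procedure; keytool still prompts for the
    # keystore password and for confirmation.
    ./keytool -import -keystore ../lib/security/cacerts -alias "$cert_alias" -file "$cert"
}

# Run the import only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    verify_and_import "$@"
fi
```

Run the script once per accesser certificate, with a different alias each time.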