Configure the server to accept SSL connections before you enable SSL communication from
the server to a client, a storage agent, or another server.
About this task
Use this procedure for manual configuration.
Procedure
- Specify the port on which the server waits for client communications that are enabled for SSL, or accept the default port number. By default, the server is configured to accept Transport Layer Security (TLS) connections on the ports that are specified by the TCPPORT or TCPADMINPORT options. To update TCPPORT, TCPADMINPORT, or both options, edit the dsmserv.opt file in the server instance directory. You can also configure the SSLTCPPORT and SSLTCPADMINPORT options for SSL-only connections.
- Create the server key database by starting the server. The server key database file, cert.kdb, is stored in the server instance directory, and the default certificate label is automatically set to Tivoli Storage Manager Server SelfSigned SHA Key. The certificate is exported to the cert256.arm file.
- If you are using the default self-signed certificate, the exported certificate file (cert256.arm) is needed when you connect to the server by using TLS. After you use the cert256.arm file to import the self-signed certificate into the key database, the file is no longer needed.
- If you are using a CA-signed certificate, each IBM Spectrum Protect server must send a unique server certificate to a CA to be signed. The CA returns a signed server certificate. You can use the same CA certificate to connect to multiple servers. You can also update the server certificates without needing to redistribute them to clients. To configure CA certificates, complete the following steps for each IBM Spectrum Protect server:
Note: If you are using a CA-signed certificate and want to use multiple IP addresses on the same server, you must work with your certificate authority vendor to either configure your CA-signed certificate to use multiple IP addresses or to use a wildcard SSL certificate. The configuration steps vary depending on your CA vendor.
- Import the root CA certificate for each IBM Spectrum Protect server that enables SSL. Log on to the IBM Spectrum Protect server system with the instance user ID and issue the following example command from the instance directory:
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "CA cert" -file ca.crt
- Import one or more intermediate CA certificates by issuing the following example command for each intermediate certificate:
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Intermediate CA cert" -file intca.crt
- The CA root and intermediate certificates (ca.crt and intca.crt) are used to verify the CA-signed server certificate. The CA root and intermediate certificates must be installed in the key database of all clients, storage agents, and servers that use TLS to communicate with the server.
- On the server, create a certificate request for the CA to sign by issuing a command that is similar to the following example:
gsk8capicmd_64 -certreq -create -db cert.kdb -stashed -label "CA signed cert"
-sigalg sha256 -size 2048 -ku "digitalSignature,keyEncipherment,keyAgreement"
-eku "clientAuth,serverAuth" -dn "CN=tucson.example.com,OU=Spectrum Protect,O=IBM"
-san_dnsname tucson.example.com -san_ipaddr 9.11.0.0 -file cert_request.csr
- To receive the signed certificate and make it the default for communicating with clients, issue the following example command:
gsk8capicmd_64 -cert -receive -db cert.kdb -stashed -file cert_signed.crt
-default_cert yes
The CA-signed server certificate does not need to be distributed to clients.
- If you made any changes, restart the server.
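The first step of the procedure leaves the port layout to the administrator. The following shell script is an added example, not part of the IBM documentation, that audits the four port options in a dsmserv.opt file before the server is restarted: it fails when two options share a port number, when a value is not a valid port, or when SSLTCPPORT or SSLTCPADMINPORT is absent (in which case sessions of that kind can still arrive on the TCPPORT or TCPADMINPORT listener, which is not SSL-only). The two sample option files are constructed for the example; the rule that lines starting with "*" are comments follows the dsmserv.opt format.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): audit the port options in a
# dsmserv.opt file. Findings that make the check fail:
#   - two options bound to the same port number
#   - a port value that is not a number in 1..65535
#   - SSLTCPPORT or SSLTCPADMINPORT absent, so sessions of that kind can still
#     arrive on the TCPPORT/TCPADMINPORT listener, which is not SSL-only
check_dsmserv_ports() {
  # $1: path to dsmserv.opt. Returns 0 when clean, 1 when any finding is printed.
  awk '
    /^[[:space:]]*\*/ || NF < 2 { next }          # "*" lines are comments
    {
      opt = toupper($1)
      if (opt == "TCPPORT" || opt == "TCPADMINPORT" ||
          opt == "SSLTCPPORT" || opt == "SSLTCPADMINPORT") port[opt] = $2
    }
    END {
      rc = 0
      n = split("TCPPORT TCPADMINPORT SSLTCPPORT SSLTCPADMINPORT", names, " ")
      for (i = 1; i <= n; i++) {
        o = names[i]
        if (!(o in port)) {
          if (o ~ /^SSL/) { print "FAIL " o " not set: no SSL-only listener for this session type"; rc = 1 }
          continue
        }
        v = port[o]
        if (v !~ /^[0-9]+$/ || v + 0 < 1 || v + 0 > 65535) { print "FAIL " o " has invalid port " v; rc = 1; continue }
        if (v in seen) { print "FAIL " o " reuses port " v " already assigned to " seen[v]; rc = 1 }
        else seen[v] = o
      }
      if (rc == 0) print "OK: port options are distinct and SSL-only listeners are configured"
      exit rc
    }' "$1"
}

# Constructed sample files (not a real instance's dsmserv.opt).
write_clean_opt() {
  cat > "$1" <<'EOF'
* constructed sample dsmserv.opt
COMMMETHOD TCPIP
TCPPORT 1500
TCPADMINPORT 1501
SSLTCPPORT 1543
SSLTCPADMINPORT 1544
EOF
}

write_flawed_opt() {
  cat > "$1" <<'EOF'
* constructed sample: SSLTCPPORT collides with TCPPORT, SSLTCPADMINPORT missing
TCPPORT 1500
TCPADMINPORT 1501
SSLTCPPORT 1500
EOF
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_clean_opt "$tmp";  check_dsmserv_ports "$tmp"
  write_flawed_opt "$tmp"; check_dsmserv_ports "$tmp"
  rm -f "$tmp"
fi
```

Run it with `--demo` to see one clean and one flawed file evaluated, or call `check_dsmserv_ports /path/to/dsmserv.opt` from the instance directory before restarting the server.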
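The CA-signed steps above rely on the clients holding both the root and the intermediate CA certificate. The following shell script is an added example, not IBM's code and not using GSKit: it builds a constructed, short-lived root CA, intermediate CA and server certificate with openssl, using the same file roles as the procedure (ca.crt, intca.crt, cert_request.csr, cert_signed.crt) and the same subject and SAN as the example request, and then shows that verification succeeds only when the verifier has both CA certificates. The hostname tucson.example.com and all key material are constructed for the example.

```shell
#!/bin/sh
# Added example (not IBM's code): build a constructed root CA -> intermediate CA
# -> server certificate chain with openssl, then show what a client's trust
# store must hold to validate the CA-signed server certificate.
set -u

# Minimal openssl config with the extension sections used below.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:tucson.example.com
EOF
}

# $1: work directory. Produces ca.crt, intca.crt, cert_request.csr and
# cert_signed.crt (the file roles from the procedure) from constructed keys.
build_chain() {
  d=$1
  write_openssl_cnf "$d/openssl.cnf"
  {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
      -config "$d/openssl.cnf" -extensions v3_root \
      -subj "/CN=Constructed Root CA" -keyout "$d/ca.key" -out "$d/ca.crt"
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
      -subj "/CN=Constructed Intermediate CA" -keyout "$d/intca.key" -out "$d/intca.csr"
    openssl x509 -req -sha256 -days 2 -in "$d/intca.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/openssl.cnf" -extensions v3_int -out "$d/intca.crt"
    # Server side: the request a server sends to the CA (cf. the -certreq step).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
      -subj "/CN=tucson.example.com/OU=Spectrum Protect/O=IBM" \
      -keyout "$d/server.key" -out "$d/cert_request.csr"
    # CA side: sign with the intermediate (cf. the -receive step's cert_signed.crt).
    openssl x509 -req -sha256 -days 2 -in "$d/cert_request.csr" -CA "$d/intca.crt" \
      -CAkey "$d/intca.key" -CAcreateserial -extfile "$d/openssl.cnf" \
      -extensions v3_server -out "$d/cert_signed.crt"
  } >/dev/null 2>&1
}

# A client holding both CA certificates: returns 0 when the chain and the
# hostname in the SAN check out.
verify_with_chain() {
  openssl verify -CAfile "$1/ca.crt" -untrusted "$1/intca.crt" \
    -verify_hostname tucson.example.com "$1/cert_signed.crt" >/dev/null 2>&1
}

# A client that imported only the root CA: fails, because the server
# certificate is issued by the intermediate, not by the root.
verify_root_only() {
  openssl verify -CAfile "$1/ca.crt" "$1/cert_signed.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  build_chain "$work"
  verify_with_chain "$work" && echo "root + intermediate: server certificate verifies"
  verify_root_only "$work" || echo "root only: verification fails, intermediate is required"
  rm -rf "$work"
fi
```

Run with `--demo` to see both outcomes. The second case is the failure mode behind the requirement that ca.crt and intca.crt are installed in the key database of every client, storage agent and server that talks TLS to this server: the signed server certificate itself never has to be distributed, but the issuing chain does.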
What to do next
Enable SSL communication from a client, a storage agent, or another server to this server.
To complete the following tasks, you must have the server's certificate and the port number that is
defined for the server.
- To enable SSL communication from a client to this server, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
- To enable SSL communication from another server to this server, see Configuring the server to connect to another server by using SSL.
- To enable SSL communication from a storage agent to this server, see Configuring a storage agent to use SSL.
- To enable SSL communication from the Operations Center to this server, see Configuring the Operations Center to connect to the hub server by using SSL.
- To enable SSL communication from the Data Protection for VMware vSphere GUI to this server, see Configuring the Data Protection for VMware vSphere GUI to communicate with the server by using SSL.