You can set up SSL or TLS on the Tivoli® Storage Manager server, backup-archive client, and storage agent to ensure that your data is encrypted during communication. You can use an SSL certificate to verify an SSL communication request between the server, client, and storage agent.
Procedure

To configure Tivoli Storage Manager servers and clients for SSL or TLS, complete the following steps:
1. Specify the TCP/IP port on which the server waits for client communications that are enabled for SSL or TLS. You can use the SSLTCPADMINPORT option or the SSLTCPPORT option, or both, to specify TLS port numbers. The options are stored in the dsmserv.opt file.
2. Create the key database file if it does not exist. Complete the following steps to create the key database file for the server, client, and storage agent:
3. Use one of the following certificates for SSL or TLS communication:
   - Self-signed certificate: You must import a .arm file for the server, backup-archive client, and storage agent according to the default label that is used for the server self-signed certificate. The following table shows which file to import:

     Table 1. Determining the .arm file to use

     | Default label in the key database | Import this file for clients | Import this file for server-server communication | Import this file for storage agent-server communication |
     |---|---|---|---|
     | "TSM Server SelfSigned Key" | cert.arm | cert256.arm | cert256.arm |
     | "TSM Server SelfSigned SHA Key" | cert256.arm | cert256.arm | cert256.arm |

     Important: To use TLS 1.2, the default label must be "TSM Server SelfSigned SHA Key". You must specify the SSLTLS12 YES server option in the server options file and the storage agent options file, if necessary.
   - CA-signed certificate: You must obtain a unique certificate that is signed by a CA, or use a trusted self-signed certificate, for each server that enables SSL or TLS. Backup-archive clients use the cert.kdb or cert256.arm files to import the self-signed certificates, which the server generates automatically.
4. Manually transfer the appropriate Tivoli Storage Manager server .arm file to the client computers. If you transfer the cert256.arm file, you must first change the default certificate in the cert.kdb file to the "TSM Server SelfSigned SHA Key" label. To change the default certificate, issue the following command from the server instance directory:

   gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

5. Using a backup-archive client user ID, specify the ssl yes and tcpport options in the client options file:

   The server is normally set up for SSL or TLS connections on a different port. If you use an SSL or TLS connection, two ports are open on the server: one port accepts regular non-SSL or non-TLS client connections, and the other port accepts SSL or TLS connections only.
6. If you want to use a certificate that is issued by a certificate authority (CA), you do not need to complete steps 4 and 5. Install the CA root certificate on all clients. A set of default root certificates is preinstalled if you specified the -populate parameter in the command when you created the key database file.
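As an added example (not IBM's code and not part of this documentation), the following POSIX shell helper encodes the Table 1 mapping and the SSLTLS12 requirement so that you can confirm, before distributing .arm files, that the server options file and the chosen default label agree. It assumes the options file is keyword/value pairs one per line with `*` comment lines; the port numbers and file contents in the demo are constructed.

```shell
# Added helper, not part of the IBM documentation or product. It encodes the
# Table 1 rules and the SSLTLS12 note: which .arm file each peer imports for
# a given default label, and whether a dsmserv.opt-style file is consistent.

# arm_file LABEL PEER -> prints the .arm file to import for PEER.
# PEER is client, server (server-server) or stagent (storage agent-server).
arm_file() {
  label=$1; peer=$2
  case "$label" in
    "TSM Server SelfSigned SHA Key") echo cert256.arm ;;
    "TSM Server SelfSigned Key")
      case "$peer" in
        client)          echo cert.arm ;;
        server|stagent)  echo cert256.arm ;;
        *)               return 1 ;;
      esac ;;
    *) return 1 ;;   # unknown label: not covered by Table 1
  esac
}

# opt_value FILE OPTION -> prints the value of OPTION (first match).
# Assumed format: keyword value per line, keyword case-insensitive; comment
# lines start with '*', so their first field never equals an option name.
opt_value() {
  awk -v opt="$2" 'toupper($1) == opt { print $2; exit }' "$1"
}

# check_server_opts FILE LABEL -> 0 if FILE supports TLS with LABEL, else 1.
check_server_opts() {
  f=$1; label=$2
  if [ -z "$(opt_value "$f" SSLTCPPORT)$(opt_value "$f" SSLTCPADMINPORT)" ]; then
    echo "$f: neither SSLTCPPORT nor SSLTCPADMINPORT is set" >&2; return 1
  fi
  if [ "$label" = "TSM Server SelfSigned SHA Key" ]; then
    tls12=$(opt_value "$f" SSLTLS12 | tr '[:lower:]' '[:upper:]')
    if [ "$tls12" != YES ]; then
      echo "$f: SSLTLS12 YES is required for label \"$label\"" >&2; return 1
    fi
  fi
}

# Demo on a constructed options fragment (not a real server's dsmserv.opt).
demo() {
  f=$(mktemp)
  printf '* constructed sample\nSSLTCPPORT 1543\nSSLTLS12 YES\n' > "$f"
  label="TSM Server SelfSigned SHA Key"
  check_server_opts "$f" "$label" && echo "clients import $(arm_file "$label" client)"
  rm -f "$f"
}
```

Run `demo` to see the check pass on the sample, or point `check_server_opts` at a copy of your own dsmserv.opt.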