To secure communications between the Operations Center and the hub server by using the Secure Sockets Layer
(SSL) protocol, add the SSL certificate of the hub server to the truststore file of the Operations Center.
Before you begin
The truststore file of the Operations Center is a container for SSL certificates that the Operations Center can access. It contains the SSL certificate that the Operations Center uses for HTTPS communication with web browsers.
During the installation of the Operations Center, you create a password for the truststore file. To set up SSL communication between the Operations Center and the hub server, you must use the same password to add the SSL certificate of the hub server to the truststore file. If you do not remember this password, you can reset it.
The following figure illustrates the components for setting up SSL between the Operations Center and the hub server.
About this task
This procedure provides steps to implement secure communications by using
self-signed certificates. To use certificate authority (CA) certificates, follow the instructions in
Configuring SSL and TLS by using CA-signed certificates.
Procedure
To set up SSL communication by using self-signed certificates, complete the following
steps.
- Specify the cert256.arm certificate as the default certificate in the key database file of the hub server:
  - Issue the following command from the hub server instance directory:
    gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
  - Restart the hub server so that it can receive the changes to the key database file.
  - Verify that the cert256.arm certificate is set as the default. Issue the following command:
    gsk8capicmd_64 -cert -list -db cert.kdb -stashed
- Stop the Operations Center web server.
- Open the operating system command line on the system where the Operations Center is installed, and change to the following directory:
  - installation_dir/ui/jre/bin
  - installation_dir\ui\jre\bin
  where installation_dir represents the directory in which the Operations Center is installed.
- Open the IBM® Key Management window by issuing the following command:
    ikeyman
- Click .
- Click Browse, and go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
  - installation_dir/ui/Liberty/usr/servers/guiServer
  - installation_dir\ui\Liberty\usr\servers\guiServer
- In the guiServer directory, select the gui-truststore.jks file.
- Click Open, and click OK.
- Enter the password for the truststore file, and click OK.
- In the Key database content area of the IBM Key
Management window, click the arrow, and select Signer Certificates from the
list. Click Add.
- In the Open window, click Browse, and go to the hub server instance directory:
  - /opt/tivoli/tsm/server/bin
  - c:\Program Files\Tivoli\TSM\server1
  The directory contains the following SSL certificates:
  - cert.arm
  - cert256.arm
  If you cannot access the hub server instance directory from the Open window, complete the following steps:
  - Use FTP or another file-transfer method to copy the cert256.arm file from the hub server to the following directory on the computer where the Operations Center is installed:
    - installation_dir/ui/Liberty/usr/servers/guiServer
    - installation_dir\ui\Liberty\usr\servers\guiServer
  - In the Open window, go to the guiServer directory.
- Select the cert256.arm certificate as the SSL certificate.
- Click Open, and click OK.
- Enter a label for the certificate. For example, enter the name of the hub server.
- Click OK. The SSL certificate of the hub server is added to the
truststore file, and the label is displayed in the Key database content area of the IBM Key Management window.
- Close the IBM Key Management window.
- Start the Operations Center web server.
- Complete the following steps in the login window of the configuration wizard:
- In the Connect to field, enter the value of the
SSLTCPADMINPORT server option as the port number.
- Select Use SSL.
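
The step that copies cert256.arm to the Operations Center computer by FTP or another file-transfer method makes the copied file a trusted signer once it is added to gui-truststore.jks. The following Python code is an added example, not part of the original procedure or of IBM's tooling: it computes the SHA-256 fingerprint of the copied file so that it can be compared with a fingerprint noted on the hub server before the certificate is added. It assumes that the .arm file is a Base64-armored (PEM-style) certificate; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def arm_to_der(arm_text):
    """Return the DER bytes of the single certificate in a .arm file."""
    blocks = ARMOR.findall(arm_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def fingerprint(der):
    """SHA-256 over the DER bytes, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(arm_text, expected):
    """True if the copied file hashes to the fingerprint noted on the hub server."""
    def norm(value):
        return re.sub(r"[^0-9A-F]", "", value.upper())
    return hmac.compare_digest(norm(fingerprint(arm_to_der(arm_text))), norm(expected))


# Constructed stand-in: these bytes are NOT a real certificate. The fingerprint
# is a hash of the decoded bytes, so any payload demonstrates the comparison.
SAMPLE_DER = b"constructed stand-in for the DER bytes of cert256.arm"
SAMPLE_ARM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    recorded = fingerprint(SAMPLE_DER)  # stands in for the value noted on the hub server
    print("copy matches:", matches(SAMPLE_ARM, recorded))        # True
    altered = SAMPLE_ARM.replace("Y29", "Y28", 1)  # one character changed in transit
    print("altered copy matches:", matches(altered, recorded))   # False
```

For the real file, read cert256.arm from the guiServer directory as text and pass its contents to matches() together with the fingerprint noted on the hub server.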