IBM Support

FAQ - Security updates in IBM Spectrum Protect

Question & Answer


Question

If I upgrade some of my servers and clients to V8.1.2+ or V7.1.8+, can they still connect to older versions of servers and clients?

Answer

Yes. V8.1.2+ and V7.1.8+ clients and servers will continue to authenticate with earlier versions when the SESSIONSECURITY parameter value is set to TRANSITIONAL, which is the default. The SESSIONSECURITY parameter transitions to STRICT after a successful authentication that uses an upgraded client (V8.1.2+ and V7.1.8+). To take advantage of the latest security enhancements, update all IBM Spectrum Protect servers and backup-archive clients in your environment to the latest version.

Question

Do I need to manually configure each client to set up certificates and SSL (Secure Sockets Layer)?

Answer

No. The new SSL enhancements do not require option changes, and certificates are transferred to clients automatically upon first connection when the SESSIONSECURITY parameter is set to the TRANSITIONAL value (which is the default). The SESSIONSECURITY parameter value transitions to STRICT after a successful authentication that uses a newer version of the client (V8.1.2+ and V7.1.8+). If you are using a single administrator ID to access multiple systems, make sure the server's certificate is installed on each system before you install V8.1.2 or later or V7.1.8 or later software.

Question

Can I become locked out of my server if the SESSIONSECURITY parameter for all my administrator IDs is set to STRICT?

Answer

No. You can manually import the server’s public certificate to a client from which you run dsmadmc. Before you upgrade, identify all systems that the administrator account uses to log in for administration purposes. Then, ensure that the server's certificate is installed on each system before you install V8.1.2 or later or V7.1.8 or later software.
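The following is an added example, not IBM code: a simplified Python model of the TRANSITIONAL to STRICT behavior described in the answers above, replaying logins of one shared administrator ID to show which systems need the certificate staged beforehand. The host names, versions, and the rule that a STRICT ID accepts only upgraded clients that already hold the server certificate are assumptions made for this model.

```python
# Simplified model of SESSIONSECURITY for one shared administrator ID.
# Assumption (not IBM code): once the ID is STRICT, a login succeeds only from
# an upgraded client that already has the server certificate installed.

def is_upgraded(version):
    """True for V8.1.2+ or V7.1.8+ (7.x needs >= 7.1.8, others need >= 8.1.2)."""
    v = (tuple(int(p) for p in version.split(".")) + (0, 0, 0))[:3]
    if v[0] == 7:
        return v >= (7, 1, 8)
    return v >= (8, 1, 2)

def simulate_logins(systems, order):
    """Replay logins in order; return (final_state, [(host, outcome), ...])."""
    state = "TRANSITIONAL"                      # default value per the FAQ
    certs = {h: s["cert"] for h, s in systems.items()}
    results = []
    for host in order:
        upgraded = is_upgraded(systems[host]["version"])
        if state == "TRANSITIONAL":
            results.append((host, "ok"))
            if upgraded:
                certs[host] = True              # certificate transferred on first connection
                state = "STRICT"                # ID transitions after an upgraded login
        elif upgraded and certs[host]:
            results.append((host, "ok"))
        else:
            reason = "no server certificate" if upgraded else "client too old"
            results.append((host, "locked out: " + reason))
    return state, results

# Constructed inventory of systems that share one administrator ID.
SYSTEMS = {
    "admin-ws":   {"version": "8.1.2", "cert": False},
    "jump-host":  {"version": "8.1.4", "cert": False},
    "legacy-box": {"version": "7.1.6", "cert": False},
}

if __name__ == "__main__":
    order = ["legacy-box", "admin-ws", "jump-host", "legacy-box"]
    state, results = simulate_logins(SYSTEMS, order)
    for host, outcome in results:
        print(f"{host:11} {outcome}")
    print("final state:", state)
```

Setting `cert` to `True` for a host models importing the server's public certificate on that system before the upgrade.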

Question

Will using SSL slow down my backup and restore operations?

Answer

No. The new security protocol uses a combination of TCP/IP and SSL to secure communication between servers, clients, and storage agents. By default, SSL is used only to encrypt authentication and metadata, while TCP/IP is used for data transmission. Since SSL encryption is primarily used for authentication, performance for backup and restore operations is not affected.


Product Synonym

TSM

Document Information

Modified date:
15 September 2023

UID

ibm10718441