The sslrequired option specifies the conditions under which SSL is or is not required when the client logs on to the Tivoli® Storage Manager server or storage agents. To actually enable SSL so that client-to-server and client-to-storage-agent communications are secure, you must set the client ssl option to yes.
Supported Clients
This option is supported on all clients.
Options File
Place this option in the client
options file or in the GUI, on the Communications tab. You cannot
set this option on the command line.
Syntax
               .-Default----.
>>-SSLREQuired-+------------+----------------------------------><
               +-Yes--------+
               +-No---------+
               '-SERVERonly-'
Parameters
- Default
- This setting indicates that SSL is required to secure communications between the client and server, and client and storage agents, if AUTHENTICATION=LDAP is set on the server. To secure communications by using SSL, you must also set ssl=yes on the client.
- If AUTHENTICATION=LOCAL is set on the server, this setting indicates that SSL is not required. Even though SSL is not required when AUTHENTICATION=LOCAL and sslrequired=default, you can still use SSL by setting the client ssl option to yes.
- Yes
- Indicates that SSL is always required to secure communications between the client and server, and between the client and storage agents. sslrequired=yes has no dependency on the server AUTHENTICATION option. If you set sslrequired=yes on the client, you must also set ssl=yes on the client.
- No
- Indicates that you do not require SSL to be used to secure communications between the client and server or between the client and storage agents. Choose this option only if you use a virtual private network or other method to secure your session communications. You can still enable SSL by setting ssl=yes on the client; but sslrequired=no specifies that SSL is not a prerequisite.
- SERVERonly
- Indicates that SSL is required for client-to-server communications and not for server-to-storage agent communications. To use SSL for client to server communications, set sslrequired=serveronly and ssl=yes. The server setting for the AUTHENTICATION option can be either LOCAL or LDAP.
- For client to storage agent communications, use the client lanfreessl option to enable SSL.
The following table describes the situations under which authentication succeeds or fails, depending on the settings of the SSLREQUIRED option on the server and client, and the setting of the ssl option on the client. The table results assume that valid credentials are supplied.
Table 1. Effects of server and client SSL settings on success or failure of login attempts

| SSLREQUIRED option (server setting) | sslrequired option (client setting) | ssl option (client setting) | Authentication success or failure |
|---|---|---|---|
| Yes | Yes | Yes | Authentication succeeds |
| Yes | Yes | No | Authentication fails; the client rejects the session |
| Yes | No | Yes | Authentication succeeds |
| Yes | No | No | Authentication fails; the server rejects the session |
| No | Yes | Yes | Authentication succeeds |
| No | Yes | No | Authentication fails; the client rejects the session |
| No | No | Yes | Authentication succeeds |
| No | No | No | Authentication succeeds |

The following
text describes how setting SSLREQUIRED=DEFAULT and SSLREQUIRED=SERVERONLY on
the server affects the ssl option on the client.
If the server sets SSLREQUIRED=DEFAULT and AUTHENTICATION=LDAP,
the client must set ssl=yes or authentication fails.
If the server sets SSLREQUIRED=DEFAULT and AUTHENTICATION=LOCAL,
the client can set ssl=yes or ssl=no.
If the server sets SSLREQUIRED=SERVERONLY, you must set ssl=yes on the client. The client lanfreessl option can be set to yes, to secure communications with a storage agent, or to no if secure communications with storage agents are not needed.
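
The rules in Table 1 and the DEFAULT and SERVERONLY text above can be checked against a client options file before a server-side change is rolled out. The following Python sketch is an added example, not IBM code: it reads sslrequired and ssl from options-file text and predicts the logon result. The comment marker, the abbreviation handling, the ssl=no fallback, and which side rejects the session outside Table 1 are assumptions.

```python
# Added example (not IBM code). Assumptions are marked in the comments.

def _matches(word, full, min_len):
    """True if word equals full or is an abbreviation at least min_len long."""
    w = word.upper()
    return len(w) >= min_len and full.startswith(w)

def parse_client_options(text):
    """Extract sslrequired and ssl from options-file text.
    Assumed: '*' starts a comment line, names and values are case-insensitive,
    SSLREQuired and SERVERonly may be abbreviated to their capitalised part,
    and an absent ssl option means ssl=no."""
    opts = {"sslrequired": "default", "ssl": "no"}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("*"):
            continue
        name, value = parts[0], parts[1].lower()
        if _matches(name, "SSLREQUIRED", 6):
            opts["sslrequired"] = "serveronly" if _matches(value, "SERVERONLY", 6) else value
        elif name.upper() == "SSL":
            opts["ssl"] = value
    return opts

def requires_ssl(sslrequired, authentication):
    """Whether one side insists on SSL for client-to-server sessions."""
    if sslrequired == "default":
        return authentication == "ldap"   # DEFAULT follows AUTHENTICATION
    return sslrequired in ("yes", "serveronly")

def logon_outcome(server_sslrequired, server_auth, client_opts):
    """Predict the result of a logon with valid credentials."""
    if client_opts["ssl"] == "yes":
        return "succeeds"
    # Client checked first, as in Table 1; for DEFAULT and SERVERONLY the
    # rejecting side is an assumption (the page only says the logon fails).
    if requires_ssl(client_opts["sslrequired"], server_auth):
        return "fails: client rejects the session"
    if requires_ssl(server_sslrequired, server_auth):
        return "fails: server rejects the session"
    return "succeeds (session not protected by SSL)"

# Constructed sample options file.
SAMPLE_OPTIONS = """\
* constructed sample, not from a real system
SSLREQ   serveronly
SSL      no
"""

if __name__ == "__main__":
    opts = parse_client_options(SAMPLE_OPTIONS)
    print(opts, "->", logon_outcome("no", "local", opts))
```

The last return value marks the one combination in Table 1 where the logon succeeds without SSL, which the No parameter description reserves for sessions secured by a virtual private network or other method.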
Examples
- Options file:
- sslrequired yes
  sslrequired no
  sslrequired default
  sslrequired serveronly
- Command line:
- Not applicable; you cannot set this option on the command line.