Specifying communication ports

The Tivoli® Storage Manager server can be configured to listen on four TCP/IP ports: two for regular protocols and two for the Transport Layer Security (TLS) protocols.

If you authenticate passwords with an LDAP directory server, the connection between the LDAP directory server and the Tivoli Storage Manager server must be protected. The connection between a Tivoli Storage Manager server and an LDAP directory server defaults to port 389. You do not have to use this port number and can define the port by setting the LDAPURL option.

For IPv4 or IPv6, the COMMMETHOD server option must specify either TCPIP or V6TCPIP. The server options for TLS communications are SSLTCPPORT, SSLTCPADMINPORT, SSLTLS12, and SSLDISABLELEGACYTLS. The server can listen on separate ports for the following communications:
  • Backup-archive clients that use the regular protocol
  • Administrator IDs that use the regular protocol
  • Backup-archive clients that use the TLS protocol
  • Administrator IDs that use the TLS protocol

Use the TCPADMINPORT and SSLTCPADMINPORT options to separate administrative client traffic from regular client traffic that uses the TCPPORT and SSLTCPPORT options. If the TCPADMINPORT and SSLTCPADMINPORT options are not used, administrative traffic and regular traffic both flow on client ports.

You can use the following components with TLS:
  • Command-line client
  • Administrative command-line client
  • Backup-archive client graphical user interface (GUI)
  • Client API

If the ADMINONCLIENTPORT option is set to NO, TLS administrative client sessions require that you specify the SSLTCPADMINPORT option with a port number other than the one specified by the SSLTCPPORT option. The SSLTCPPORT and SSLTCPADMINPORT options do not affect the TCPPORT or TCPADMINPORT options and their interaction with the ADMINONCLIENTPORT option. To enable TLS 1.2, specify the SSLTLS12 or SSLDISABLELEGACYTLS option. For server and storage agent communication, if SSLDISABLELEGACYTLS is specified, TLS sessions must connect at a minimum level of TLS 1.2 or they are rejected.
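
The port and TLS rules above can be checked against a server options file before the server is restarted. The following is an added example, not IBM code: it assumes one `OPTION value` pair per line, `*` comment lines, and YES/NO values for the TLS options, and the port numbers in the two sample files are constructed.

```python
# Added example: option names are from the page; the file syntax (OPTION value,
# '*' comments) and the YES/NO values are assumptions. Sample ports are constructed.
RULES = {
    "COMMMETHOD": "COMMMETHOD must specify TCPIP or V6TCPIP",
    "SSLTCPADMINPORT": "ADMINONCLIENTPORT NO needs SSLTCPADMINPORT on a port other than SSLTCPPORT",
    "TLS12": "TLS port is set but neither SSLTLS12 nor SSLDISABLELEGACYTLS is enabled",
    "SHARED_ADMIN": "no TCPADMINPORT or SSLTCPADMINPORT: admin traffic flows on client ports",
}

WEAK = """* constructed sample: admin TLS port collides with client TLS port
COMMMETHOD TCPIP
TCPPORT 1500
SSLTCPPORT 1543
SSLTCPADMINPORT 1543
ADMINONCLIENTPORT NO
"""
FIXED = WEAK.replace("SSLTCPADMINPORT 1543", "SSLTCPADMINPORT 1553") + "SSLTLS12 YES\n"

def parse_opt(text):
    """Return {OPTION: [values]}; blank lines and '*' comment lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0].upper(), []).append(parts[1].upper() if len(parts) > 1 else "")
    return opts

def audit(text):
    """Return the RULES keys that the options text violates, in a fixed order."""
    o = parse_opt(text)
    last = lambda name: o[name][-1] if name in o else None
    found = []
    if "COMMMETHOD" in o and not {"TCPIP", "V6TCPIP"} & set(o["COMMMETHOD"]):
        found.append("COMMMETHOD")
    ssl_port, ssl_admin = last("SSLTCPPORT"), last("SSLTCPADMINPORT")
    if ssl_port is not None:  # TLS rules apply only when a TLS client port is defined
        if last("ADMINONCLIENTPORT") == "NO" and ssl_admin in (None, ssl_port):
            found.append("SSLTCPADMINPORT")
        if "YES" not in (last("SSLTLS12"), last("SSLDISABLELEGACYTLS")):
            found.append("TLS12")
    if last("TCPADMINPORT") is None and ssl_admin is None:
        found.append("SHARED_ADMIN")
    return found

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("fixed", FIXED)):
        print(label, [RULES[k] for k in audit(text)] or "ok")
```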

The backup-archive client user decides which protocol to use and which port to specify in the dsmserv.opt file for the SSLTCPADMINPORT option. If the backup-archive client requires TLS authentication but the server is not in TLS mode, the session fails.