Setting up Secure Sockets Layer and Transport Layer Security

You can set up Secure Sockets Layer (SSL) and Transport Layer Security (TLS) on the Tivoli® Storage Manager server, backup-archive client, and storage agent to ensure that data is encrypted during communication. You can use an SSL certificate to verify an SSL communication request between the server, client, and storage agent.

Before you begin

You can restrict SSL communication to use TLS 1.2 and prevent the use of previous TLS protocol levels, which are less secure.

To use TLS 1.2, you must specify the SSLTLS12 YES server option in the server options file and the storage agent options file, if necessary. If you want to ensure that a minimum TLS protocol level of 1.2 is enforced, set the SSLDISABLELEGACYtls server option to YES. For successful TLS communication, the target server or storage agent must also be configured to use TLS 1.2. If you use self-signed certificates, the default label in the key database must be set to "TSM Server SelfSigned SHA key".

Procedure

To configure Tivoli Storage Manager servers and clients for SSL or TLS, complete the following steps:

  1. Specify the TCP/IP port on which the server waits for client communications that are enabled for SSL or TLS. You can use the SSLTCPADMINPORT option or SSLTCPPORT option, or both, to specify TLS port numbers. The options are stored in the dsmserv.opt file.
  2. Create the key database file if it does not exist. Complete the following steps to create the key database file for the server, client, and storage agent:
    • For Tivoli Storage Manager V6.3.3 and later servers, the cert256.arm file and other files that are related to SSL or TLS are created when the server is first started. Tivoli Storage Manager automatically creates the server key database file, cert.kdb. If a password exists for the server database, it is reused for the cert.kdb key database. After you create the database, the key database access password is generated and stored.
    • To create the key database file for the storage agent, issue the DSMSTA SETSTORAGESERVER command and specify the SSL=YES and STAKEYDBPW=password parameters.
    • To create the key database file, dsmcert.kdb, for the client, issue the following command in the bin directory on the client:
      gsk8capicmd_64 -keydb -create -populate -db dsmcert.kdb -pw password -stash
  3. Use one of the following certificates for SSL or TLS communication:
    Self-signed certificate
    You must import a .arm file for the server, backup-archive client, and storage agent according to the default label that is used for the server self-signed certificate. The following table shows you which file to import:
    Table 1. Determining the .arm file to use. Each column gives the file to import for that kind of communication.
    Default label in the key database   Clients       Server-server   Storage agent-server
    "TSM Server SelfSigned Key"         cert.arm      cert256.arm     cert256.arm
    "TSM Server SelfSigned SHA Key"     cert256.arm   cert256.arm     cert256.arm
    Important: To use TLS 1.2, the default label must be "TSM Server SelfSigned SHA key". You must specify the SSLTLS12 YES server option in the server options file and the storage agent options file, if necessary.
    CA-signed certificate
    You must obtain a unique certificate that is signed by a CA or use a trusted self-signed certificate for each server that enables SSL or TLS. Backup-archive clients use the cert.kdb or cert256.arm files to import the self-signed certificates, which the server automatically generates.
  4. Manually transfer the appropriate Tivoli Storage Manager server .arm file to the client computers. If you transfer the cert256.arm file, you must first change the default certificate in the cert.kdb key ring database file to the "TSM Server SelfSigned SHA Key" label. To change the default certificate, issue the following command from the server instance directory:
    gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
  5. Using a backup-archive client user ID, specify the ssl yes and tcpport options in the client options file:
    • AIX, HP-UX, Linux, and Oracle Solaris operating systems: dsm.sys
    • Windows operating systems: dsm.opt
    The server is normally set up for SSL or TLS connections on a different port. If you use an SSL or TLS connection, two ports are open on the server. One port accepts regular non-SSL or non-TLS client connections and the other port accepts SSL or TLS connections only.
  6. If you want to use a certificate that is issued by a certificate authority (CA), you do not need to complete steps 4 and 5. Install the CA root certificate on all clients. If you specified the -populate parameter in the command when you created the key database file, a set of default root certificates is preinstalled.
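The following script is an added example, not IBM code, that audits the option files produced by the "Before you begin" settings and by steps 1 and 5 of this procedure: it checks that a server options file opens a TLS port and enforces TLS 1.2 with SSLTLS12 and SSLDISABLELEGACYtls, and that each backup-archive client stanza sets ssl yes and a tcpport that matches the server's SSLTCPPORT. The option-file layout (one option per line, value after whitespace, case-insensitive option names, "*" comment lines, SERVERNAME stanzas in dsm.sys) is assumed from this page, and the sample files, host names and port numbers are constructed for the example.

```python
"""Audit Tivoli Storage Manager option files for the TLS settings this page describes.

Added example, not IBM's code. Assumed format: one option per line, value after
whitespace, option names case-insensitive, lines starting with '*' are comments,
and dsm.sys groups client options under SERVERNAME stanzas. The three sample files
below are constructed for this example; the host names and ports are made up.
"""

SERVER_OPT_WEAK = """\
* dsmserv.opt (constructed sample): a TLS port is open, but older TLS levels are still allowed
COMMMETHOD    TCPIP
TCPPORT       1500
SSLTCPPORT    1543
"""

SERVER_OPT_HARDENED = """\
* dsmserv.opt (constructed sample): TLS 1.2 enabled and enforced as the minimum level
COMMMETHOD           TCPIP
TCPPORT              1500
SSLTCPPORT           1543
SSLTCPADMINPORT      1544
SSLTLS12             YES
SSLDISABLELEGACYtls  YES
"""

CLIENT_DSM_SYS = """\
* dsm.sys (constructed sample): two server stanzas, only the first uses SSL
SERVERNAME  tsmprod
   COMMMETHOD        TCPIP
   TCPSERVERADDRESS  tsmprod.example.test
   TCPPORT           1543
   SSL               YES
SERVERNAME  tsmtest
   TCPSERVERADDRESS  tsmtest.example.test
   TCPPORT           1500
"""


def _split_option(line):
    """Split 'OPTION value' into (OPTION, value); OPTION is upper-cased for lookup."""
    parts = line.split(None, 1)
    return parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def parse_options(text):
    """Return {OPTION: value} for a flat options file such as dsmserv.opt."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("*"):
            key, value = _split_option(line)
            opts[key] = value
    return opts


def parse_dsm_sys(text):
    """Return {servername: {OPTION: value}} for a stanza-based dsm.sys."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        key, value = _split_option(line)
        if key == "SERVERNAME":          # a new stanza starts here
            current = value
            stanzas[current] = {}
        elif current is not None:
            stanzas[current][key] = value
    return stanzas


def audit_server(opts):
    """Findings for a server options file; an empty list means TLS 1.2 is enforced."""
    findings = []
    if "SSLTCPPORT" not in opts and "SSLTCPADMINPORT" not in opts:
        findings.append("no SSLTCPPORT or SSLTCPADMINPORT: the server accepts no TLS sessions")
    if opts.get("SSLTLS12", "NO").upper() != "YES":
        findings.append("SSLTLS12 is not YES: TLS 1.2 is not enabled")
    if opts.get("SSLDISABLELEGACYTLS", "NO").upper() != "YES":
        findings.append("SSLDISABLELEGACYtls is not YES: earlier TLS levels are still accepted")
    return findings


def audit_client(stanzas, server_opts):
    """Per-stanza findings: SSL must be YES and TCPPORT must be the server's SSLTCPPORT.

    Backup-archive clients connect to SSLTCPPORT; SSLTCPADMINPORT serves
    administrative sessions, so it is not accepted here.
    """
    tls_port = server_opts.get("SSLTCPPORT")
    findings = {}
    for name, stanza in stanzas.items():
        problems = []
        if stanza.get("SSL", "NO").upper() != "YES":
            problems.append("ssl yes is not set")
        if tls_port is None or stanza.get("TCPPORT") != tls_port:
            problems.append(f"tcpport {stanza.get('TCPPORT')} is not the server SSLTCPPORT {tls_port}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SERVER_OPT_WEAK), ("hardened", SERVER_OPT_HARDENED)):
        print(f"server ({label}):", audit_server(parse_options(text)) or "ok")
    client = audit_client(parse_dsm_sys(CLIENT_DSM_SYS), parse_options(SERVER_OPT_HARDENED))
    for name, problems in client.items():
        print(f"client stanza {name}:", problems or "ok")
```

Run against the constructed samples, the weak server file yields two findings (SSLTLS12 and SSLDISABLELEGACYtls missing), the hardened file yields none, and only the tsmtest stanza is flagged, because it still points at the non-TLS port 1500 without ssl yes. The same functions can be pointed at real dsmserv.opt, dsmsta.opt and dsm.sys files to confirm that every client stanza lands on the TLS-only port described in step 5.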