Secure Sockets Layer and Transport Layer Security communication

The Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol is used to provide transport layer security for a secure connection between IBM Spectrum® Protect servers, clients, storage agents, and the Operations Center. If you send data between the server, client, and storage agent, SSL is used to encrypt the session.

[Figure: SSL communications between the IBM Spectrum Protect server, Operations Center, backup-archive client, storage agent, hub server, and spoke servers.]
Restriction: Do not use the SSL protocol for communications with an IBM® Db2® database instance that is used by the IBM Spectrum Protect server.
Each server or storage agent has a unique private key and a unique signed certificate that is used to allow SSL connections. The self-signed certificate for each server or storage agent is automatically distributed to all the clients, storage agents, and servers that use SSL to communicate with it. The certificates are verified by the SSL client or server that requests or initiates the SSL communication.
Note: Automatic certificate exchange occurs only on the first connection to a server. If the SESSIONSECURITY parameter for a node or administrator has not been updated to the STRICT value, the server automatically distributes both self-signed and CA-signed certificates to the client node during the first connection. After the first connection by a node or administrator that uses a V8.1.2 or later (or V7.1.8 or later) client and server, certificates must be distributed manually.
Instead of using self-signed certificates, you can use certificates that are signed by a certificate authority (CA). If you use CA-signed certificates, each IBM Spectrum Protect server and storage agent must send a unique server certificate to a CA to be signed. The CA returns a signed server certificate, which must be added to the server key database, along with the root CA certificate and any intermediate CA certificates. The CA-signed server certificate does not need to be distributed to clients, but you must install the CA root and intermediate certificates in the key database of all clients, storage agents, and servers that use SSL to communicate with the server or storage agent. The CA root and intermediate certificates are used to verify the CA-signed server certificate. If the CA root and intermediate certificates are not installed on a client, authentication attempts result in the following error:
ANS1694E The certificate identity could not be verified

A signed certificate must have the server’s correct DNS name and IP address or authentication attempts are rejected. If those entries are incorrect, the same ANS1694E error is reported.
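The checks described above (root and intermediate CA certificates must both be available to the SSL client, and the certificate must carry the server's DNS name and IP address) can be reproduced outside the product with the openssl command line. The script below is an added example, not IBM code, and it uses openssl's own verify logic rather than the IBM Spectrum Protect key database tooling. The CA names, the server DNS name tsmserver.example.com and the address 192.0.2.10 are constructed placeholders; the script creates a root CA, an intermediate CA and a server certificate in a temporary directory, then shows which verifications succeed and which are rejected when the intermediate is missing or the name does not match the certificate.

```shell
#!/bin/sh
# Added example (not IBM code): build a root CA -> intermediate CA -> server
# certificate chain with the openssl CLI, then run the checks an SSL client
# performs on a CA-signed server certificate: chain building (root AND
# intermediate present), DNS name / IP matching against the SAN, and the
# signature digest in use. All names and addresses are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_DNS="tsmserver.example.com"   # assumed server DNS name (placeholder)
SERVER_IP="192.0.2.10"               # assumed server IP (documentation range)

# make_chain DIR: create root.pem, inter.pem and server.pem (plus keys) in DIR.
make_chain() {
    dir=$1
    # Root CA: self-signed, CA:TRUE, allowed to sign certificates and CRLs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha256 \
        -days 3650 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA: signed by the root, same CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
        -out "$dir/inter.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/ca.ext" \
        -out "$dir/inter.pem" 2>/dev/null
    # Server certificate: signed by the intermediate; DNS name and IP in the SAN.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\n' \
        "$SERVER_DNS" "$SERVER_IP" > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=$SERVER_DNS" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
}

# verify_chain DIR with|without: verify server.pem against the root CA, with or
# without the intermediate CA certificate available to the verifier. Returns 0
# when the chain builds; a missing intermediate is the case behind ANS1694E.
verify_chain() {
    dir=$1
    if [ "$2" = "with" ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem" \
            "$dir/server.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/root.pem" "$dir/server.pem" >/dev/null 2>&1
    fi
}

# verify_hostname DIR NAME: full chain check plus DNS name check against the SAN.
verify_hostname() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# verify_ip DIR ADDR: full chain check plus IP address check against the SAN.
verify_ip() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        -verify_ip "$2" "$1/server.pem" >/dev/null 2>&1
}

# signature_algorithm CERT: print the signature algorithm of a certificate
# (used to tell a SHA-256 signed certificate from an MD5 signed one).
signature_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# show LABEL CMD...: run one check and print OK/REJECTED without aborting.
show() {
    label=$1; shift
    if "$@"; then echo "$label: OK"; else echo "$label: REJECTED"; fi
}

make_chain "$WORK"
show "chain, intermediate CA available"  verify_chain "$WORK" with
show "chain, intermediate CA missing"    verify_chain "$WORK" without
show "DNS name $SERVER_DNS"              verify_hostname "$WORK" "$SERVER_DNS"
show "DNS name wrong.example.com"        verify_hostname "$WORK" wrong.example.com
show "IP address $SERVER_IP"             verify_ip "$WORK" "$SERVER_IP"
echo "server certificate signature: $(signature_algorithm "$WORK/server.pem")"
```

The "intermediate CA missing" case is the one to watch for in a deployment: the root certificate alone is not enough, the intermediate must also be in the client's trust store, and a certificate that was issued without the server's DNS name and IP address in its subject alternative name is rejected even when the chain itself is valid.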

Table 1. Self-signed versus certificate authority signed certificates

| Capability | IBM Spectrum Protect self-signed certificates | CA-signed certificates |
| --- | --- | --- |
| Enables secure authentication between end points | Yes | Yes |
| Enables strong encryption for data transmission | Yes | Yes |
| Automatic distribution of public keys to clients | Yes | Yes (1) |
| Automatic handling of expired certificates | | |
| Common certificate used on clients for several servers | | Yes |
| Central location for managing certificates and revoking certificates | | Yes |

(1) The server certificate is not stored on the clients. The CA root and intermediate certificates need to be installed on client systems.
 
Notes:
  • The IBM Spectrum Protect server accepts CA-signed certificates that are signed with SHA-256 or an earlier Secure Hash Algorithm (SHA). SHA-256 certificates are designed to improve security and comply with National Institute of Standards and Technology (NIST) requirements. For this reason, the preferred method is to use SHA-256 certificates for communications between the server and Operations Center.
  • If a server has an MD5-signed certificate that is labeled Tivoli Storage Manager Server SelfSigned Key set as the default when you upgrade to V8.1.4 or later, the default certificate is automatically updated to use a certificate with a SHA signature. In releases earlier than V7.1.8, the default certificate was labeled TSM Server SelfSigned Key and had an MD5 signature, which does not support the TLS 1.2 protocol that is required by default for V8.1.2 or later clients and the Operations Center. Beginning with V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled TSM Server SelfSigned SHA Key. A copy of the certificate is stored in the cert256.arm file, which is located in the server instance directory. If you have clients using versions earlier than V7.1.8 or V8.1.2 that used an MD5-signed certificate, you must manually configure them to use the certificate from the cert256.arm file.
    Tip: Before you update the server to use the new default certificate with a SHA signature, distribute the cert256.arm file to clients to prevent client backup failures. Each client must obtain and import the new certificate before they can connect to a server that is using the new default SHA certificate. You do not need to remove previous certificates.

An IBM Spectrum Protect server, client, or storage agent can serve as an SSL client during communication. An SSL client is the component that initiates communication and verifies the certificate for an SSL server. For example, if the IBM Spectrum Protect client initiates the SSL communication with the IBM Spectrum Protect server, the IBM Spectrum Protect client is the SSL client and the server is the SSL server.

Table 2 lists the components that can be an SSL client or SSL server.
Table 2. SSL clients and servers in the IBM Spectrum Protect environment

| SSL client | SSL server | Scenario |
| --- | --- | --- |
| Client | Server | The IBM Spectrum Protect client initiates a communication request with the IBM Spectrum Protect server. The client verifies the certificate. The server provides the certificate. |
| Server (such as a source server) | Server (such as a target server) | The IBM Spectrum Protect source server initiates a communication request with the IBM Spectrum Protect target server. The source server acts as an SSL client and verifies the certificate that the target server provides. This type of communication is common during replication processing. |
| Client through a storage agent | Server | The client verifies each certificate when it initiates SSL communication separately with the IBM Spectrum Protect server and the storage agent. When the storage agent communicates with the server by using the SSL communication protocol, the storage agent acts as an SSL client and verifies the certificate that the server provides. The storage agent can be the SSL client and the SSL server at the same time. The client must use the same communication protocol (either SSL or TCP/IP) to communicate with both the server and the storage agent. |
| Server | LDAP server | The IBM Spectrum Protect server initiates a communication request with the LDAP server. The IBM Spectrum Protect server acts as the SSL client and verifies the certificate that the LDAP server provides. |
| Operations Center | Server | The Operations Center initiates a communication request with the IBM Spectrum Protect server. The Operations Center acts as the SSL client and verifies the certificate that the IBM Spectrum Protect server provides. |
| Reporting | Server | The reporting agent initiates a communication request with the IBM Spectrum Protect server. The Reporting feature acts as the SSL client and verifies the certificate that the IBM Spectrum Protect server provides. |