Securing communications

Your data and passwords are more secure when they are protected by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), the successor protocol to SSL.

SSL and TLS are the standard technology for creating encrypted sessions between servers and clients. SSL and TLS provide a secure channel for servers and clients to communicate over open communication paths. With SSL and TLS, the identity of the server is verified by using digital certificates.

To protect your storage environment from security threats, servers, clients, and storage agents that use IBM Spectrum® Protect Version 8.1.4 or later software are automatically configured to communicate with each other by using TLS 1.2 or later, and self-signed certificates are distributed automatically.
Restrictions pertaining to earlier releases:
  • Beginning with IBM Spectrum Protect V8.1.2, SSL is enabled by default for authentication between V8.1.2 and later servers and clients. You must manually configure V8.1.2 storage agents to use SSL.
  • Storage agents that use V7.1.8 or later software or V8.1.3 or later software are automatically configured to use SSL.

    Library clients and library manager servers automatically use SSL to communicate with storage agents that use V8.1.2 or later software or V7.1.8 or later software, but you must manually configure the certificates between them. A storage agent automatically exchanges certificates with its database server.

  • Beginning with IBM Spectrum Protect Version 8.1.4, you no longer have to manually configure certificates between storage agents, library clients, and library manager servers. Certificates are automatically configured.
  • Servers, storage agents, and clients that use IBM Spectrum Protect software versions earlier than V8.1.2 or Tivoli® Storage Manager software versions earlier than V7.1.8 can only be configured to use SSL by following the manual procedure, even if the server or storage agent is using V8.1.3 or later software. For information, see Configuring storage agents, servers, clients, and the Operations Center to connect to the server by using SSL.

TLS is used for all communication between the server, storage agent, and clients, except when sending or receiving object data. By default, object data is sent and received by using TCP/IP. To improve system performance, use TLS for authentication without encrypting object data. If you choose not to encrypt the object data, server performance is similar to that of communication over a TCP/IP session, and the session is secure. To specify whether the server uses TLS for the entire session or only for authentication, see the SSL client option for client-to-server communication, and the SSL parameter in the UPDATE SERVER command for server-to-server communication. If you choose to use TLS to encrypt object data, consider adding more processor resources on the IBM Spectrum Protect server to manage the increased CPU load.

If you authenticate passwords with an LDAP directory server, TLS protects passwords between the IBM Spectrum Protect server and the LDAP server. TLS is required for all LDAP password communications. Certificates for LDAP directory servers must be manually configured and added to the server key databases. You do not need to add the certificates to storage agent key databases.

Beginning with IBM Spectrum Protect V8.1.11, you can enable the TLS 1.3 protocol to secure communications between servers, clients, and storage agents. To use TLS 1.3, both parties in the communication session must use TLS 1.3. If either party uses TLS 1.2, then both parties use TLS 1.2 by default.
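The version rule described above (TLS 1.3 is used only when both parties enable it; otherwise the session falls back to TLS 1.2) is the general "highest mutually supported version" rule of TLS negotiation. The following added example, which is not IBM code and does not use any IBM Spectrum Protect option names, models that rule for a constructed fleet of components so that an administrator can see, before enabling TLS 1.3 on one component, which peer pairs would negotiate TLS 1.3, which would stay on TLS 1.2, and which could not connect at all. The component names and their enabled-version sets are hypothetical. The last function shows the same TLS 1.2 floor enforced in Python's standard `ssl` module.

```python
"""Model of TLS protocol-version negotiation between components.

Added example (not IBM Spectrum Protect code). The rule implemented is the
one the page states for TLS 1.3 versus TLS 1.2, which matches the general
TLS behaviour: the peers end up on the highest version both have enabled.
All component names and version sets below are constructed.
"""
import ssl
from itertools import combinations

# Wire encodings of the protocol versions (major, minor); TLS 1.3 is
# advertised as 0x0304 in the supported_versions extension.
TLS12 = (3, 3)
TLS13 = (3, 4)
NAMES = {TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def negotiate(initiator_versions, responder_versions):
    """Return the highest version enabled on both sides, or None.

    None means the two components share no protocol version and the
    session cannot be established at all.
    """
    common = set(initiator_versions) & set(responder_versions)
    if not common:
        return None
    return max(common)


def fleet_report(fleet):
    """For every pair of components, report the version they would use.

    fleet maps a component name to the set of versions it has enabled.
    Returns a sorted list of (name_a, name_b, version_name_or_None).
    """
    rows = []
    for a, b in combinations(sorted(fleet), 2):
        version = negotiate(fleet[a], fleet[b])
        rows.append((a, b, NAMES.get(version)))
    return rows


def pairs_that_cannot_connect(fleet):
    """Pairs with no common version; fix these before rolling out TLS 1.3."""
    return [(a, b) for a, b, v in fleet_report(fleet) if v is None]


def tls12_floor_context():
    """Client-side SSLContext that refuses anything older than TLS 1.2.

    Same policy as the page describes (TLS 1.2 or later), expressed with
    the standard-library ssl API; verification of the peer certificate is
    left on, which is the default for PROTOCOL_TLS_CLIENT.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed fleet: a server with both versions enabled, a client that
# enables only TLS 1.3, and a storage agent still limited to TLS 1.2.
FLEET = {
    "server1": {TLS12, TLS13},
    "client_a": {TLS13},
    "stagent1": {TLS12},
}

if __name__ == "__main__":
    for a, b, version in fleet_report(FLEET):
        print(f"{a:10s} <-> {b:10s}: {version or 'NO COMMON VERSION'}")
    print("cannot connect:", pairs_that_cannot_connect(FLEET))
    print("minimum version:", tls12_floor_context().minimum_version)
```

In the constructed fleet, the server and the client negotiate TLS 1.3, the server and the storage agent stay on TLS 1.2, and the client and the storage agent share no version, which is the case to look for before restricting any component to TLS 1.3 only.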