Enabling secure communication from the recovery agent to the IBM Spectrum Protect server

If the IBM Spectrum Protect™ server is configured to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol, you can enable the recovery agent to communicate with the server by using that protocol.

Before you begin

Consider the following requirements before you begin configuration for secure communication to the server:
  • Each server that is enabled for SSL must have a unique certificate. The certificate can be one of the following types:
    • A certificate that is self-signed by the server.
    • A certificate that is issued by a third-party certificate authority (CA). The CA certificate can be from a company such as Symantec or Thawte, or an internal certificate that is maintained within your company.
  • For performance reasons, use SSL or TLS only for sessions where security is required. Consider adding more processor resources on the server system to manage the increased requirements.
  • For a client to connect to a server that is using TLS Version 1.2, the certificate signature algorithm must be Secure Hash Algorithm 1 (SHA-1) or later. If you are using a self-signed certificate with a server that is using TLS V1.2, you must use the cert256.arm certificate. Your IBM Spectrum Protect administrator might need to change the default certificate on the server.
  • To disable security protocols that are less secure than TLS 1.2, add the SSLDISABLELEGACYtls yes option to the C:\windows\system32\fb.opt or C:\Windows\SysWOW64\fb.opt file. TLS 1.2 or later helps to prevent attacks by malicious programs.
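
To confirm that the option described above is present in both option files, the following PowerShell audit can be run on the recovery agent system. It is an added example, not IBM code. The function name Get-LegacyTlsSetting is hypothetical, and the script assumes that fb.opt holds one "OPTION value" pair per line and that lines starting with * are comments.

```powershell
# Added example, not IBM code. Assumptions: fb.opt holds one "OPTION value" pair
# per line, and lines that start with * are comments.
$optionFiles = 'C:\windows\system32\fb.opt', 'C:\Windows\SysWOW64\fb.opt'

# WOW64 silently redirects a 32-bit process from system32 to SysWOW64, so a
# 32-bit shell on 64-bit Windows would read the same file twice.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Warning 'Run this from 64-bit PowerShell; system32 is redirected to SysWOW64 in a 32-bit process.'
}

# Hypothetical helper: reports whether SSLDISABLELEGACYtls is set to yes in one file.
function Get-LegacyTlsSetting {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ File = $Path; State = 'FileMissing'; Values = @() }
    }

    # Collect the value of every occurrence of the option, ignoring case.
    $values = @(
        foreach ($line in Get-Content -LiteralPath $Path) {
            $trimmed = $line.Trim()
            if ($trimmed -eq '' -or $trimmed.StartsWith('*')) { continue }
            $name, $value = $trimmed -split '\s+', 2
            if ($name -ieq 'SSLDISABLELEGACYtls') { "$value".Trim() }
        }
    )

    # Any occurrence with a value other than "yes" marks the file as not enabled.
    $bad = @($values | Where-Object { $_ -ine 'yes' })
    if ($values.Count -eq 0) { $state = 'NotSet' }
    elseif ($bad.Count -eq 0) { $state = 'Enabled' }
    else { $state = 'NotEnabled' }

    [pscustomobject]@{ File = $Path; State = $state; Values = $values }
}

$optionFiles | ForEach-Object { Get-LegacyTlsSetting -Path $_ } | Format-Table -AutoSize
```

A State of NotSet, NotEnabled, or FileMissing for either path means that the option is not in effect for that file.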