If the IBM Spectrum Protect™ server is
using a self-signed certificate, you must obtain a copy of that certificate from the server
administrator and configure the recovery agent to
communicate with the server by using the SSL or TLS protocol.
About this task
Each server generates its own certificate. Version 6.3 and later servers generate files that are
named cert256.arm if the server is using TLS 1.2 or later or
cert.arm if the server is using an earlier version of SSL or TLS. Server
versions earlier than V6.3 generate files that are named cert.arm regardless of
the protocol. You must choose the certificate that is set as the default on the server.
The certificate file is stored on the server workstation in the server instance directory. For
example, C:\IBM\tivoli\tsm\server\bin\cert256.arm. If the certificate file does
not exist, it is created the next time the server is restarted with SSL or TLS enabled.
Procedure
To enable SSL or TLS communication from the recovery agent to the server by using a
self-signed certificate:
- Append the GSKit binary path and library path to the PATH environment variable on the client (the setting applies to the current command session). For example:
set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
- If you are configuring SSL or TLS on the client for the first time, you must create the client
local key database dsmcert.kdb. From the C:\Windows\SysWOW64 directory, run the
gsk8capicmd_64 command as shown in the following
example:
gsk8capicmd_64 -keydb -create -populate -db dsmcert.kdb -pw password -stash
The password that you provide is used to encrypt the key database. The password is
automatically stored encrypted in the stash file (dsmcert.sth), which the client reads to open
the key database without prompting. Because anything that can read the stash file can open the
key database, restrict access to dsmcert.kdb and dsmcert.sth to the accounts that run the
recovery agent.
- Obtain the server self-signed certificate from the server administrator: a copy of
cert256.arm or cert.arm (whichever is set as the default on the server) from the server instance
directory. With a self-signed certificate this copy is the only basis for trust, so transfer it
over a trusted channel and confirm its fingerprint with the administrator before you import it.
- Import the certificate into the dsmcert.kdb database. Each client has its own dsmcert.kdb, so
repeat the import on every client that uses the recovery agent. From the C:\Windows\SysWOW64
directory, run the gsk8capicmd_64 command as shown in the following example:
gsk8capicmd_64 -cert -add -db dsmcert.kdb -stashed -label "Server server_name self-signed key" -file path_to_certificate -format ascii -trust enable
Multiple server certificates can be added to the dsmcert.kdb database so that the client can
connect to different servers. Each certificate must have a different label. Use meaningful
names for the labels.
Important: During a disaster recovery of the server, if the certificate has been lost, the
server automatically generates a new certificate. Each client must then import the new
certificate, under a new label or after deleting the old one, because labels must be unique.
- After the server certificate is added to the dsmcert.kdb database, add the ssl
yes option to the C:\Windows\SysWOW64\fb.opt file and update the value
of the tcpport option.
Important: The server is normally set up to accept SSL or TLS connections on a different port from
non-SSL/TLS connections. Do not specify a non-SSL/TLS port number for the tcpport value.
If the value of tcpport is incorrect, the recovery agent cannot connect to the
server.
A recovery agent that is enabled for SSL or TLS cannot connect to a non-SSL/TLS port, and a recovery
agent that is not enabled for SSL or TLS cannot connect to an SSL or TLS port.
- Set the correct SSL or TLS ports in the following recovery agent configuration files:
- C:\ProgramData\Tivoli\TSM\RecoveryAgent\mount\RecoveryAgent.conf
- C:\ProgramData\Tivoli\TSM\RecoveryAgent\mount\RecoveryAgentDMNodes.conf
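The following PowerShell script is an added example, not IBM's code, that runs the procedure above end to end on the recovery agent host: it prints the certificate fingerprint for out-of-band comparison with the server administrator, creates dsmcert.kdb on first use, imports the certificate under a unique label, verifies that the label is present, and sets ssl yes and tcpport in fb.opt. The GSKit path and the key database directory are the ones shown in the procedure; the server name, the path to the copied .arm file and the SSL/TLS port are assumed inputs you supply from the server administrator. The recovery agent .conf files listed in the last step are not edited here because this page does not describe their format.

```powershell
<#
  Added example (not IBM's code). Configures the recovery agent for SSL/TLS with a
  self-signed server certificate. Assumptions: GSKit under $GskBase, key database in
  $KdbDir (both defaults taken from the procedure); $ServerName, $ServerCertPath and
  $SslPort come from the server administrator. Run from an elevated PowerShell prompt.
#>
param(
    [Parameter(Mandatory)] [string] $ServerName,      # used only in the certificate label
    [Parameter(Mandatory)] [string] $ServerCertPath,  # copy of cert256.arm or cert.arm from the server
    [Parameter(Mandatory)] [int]    $SslPort,         # the server's SSL/TLS port, NOT its non-SSL port
    [string] $KdbDir  = 'C:\Windows\SysWOW64',
    [string] $GskBase = 'C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8'
)
$ErrorActionPreference = 'Stop'

# Step 1: put the GSKit binary and library paths ahead of PATH for this session.
$env:PATH = "$GskBase\bin;$GskBase\lib64;$env:PATH"
$gsk = (Get-Command gsk8capicmd_64.exe).Source

# A self-signed certificate is trusted only because of this import, so show its
# fingerprint and make the operator confirm it against what the server admin sees.
# The .arm file is base64 (PEM) encoded, which X509Certificate2 reads directly.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString('X2') }) -join ':'
Write-Host "Subject     : $($cert.Subject)"
Write-Host "Valid until : $($cert.NotAfter)"
Write-Host "SHA-256     : $sha256"
if ((Read-Host 'Does this fingerprint match what the server administrator reports? (yes/no)') -ne 'yes') {
    throw 'Fingerprint not confirmed: certificate was NOT imported.'
}

Set-Location $KdbDir

# Step 2: create the local key database and stash file only on first configuration.
if (-not (Test-Path 'dsmcert.kdb')) {
    $secure = Read-Host -AsSecureString 'Password for the new key database'
    $plain  = (New-Object System.Net.NetworkCredential -ArgumentList '', $secure).Password
    & $gsk -keydb -create -populate -db dsmcert.kdb -pw $plain -stash
    if ($LASTEXITCODE -ne 0) { throw "Key database creation failed (exit $LASTEXITCODE)" }
    # The stash file opens the key database without a password: lock both files down.
    icacls dsmcert.kdb /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' | Out-Null
    icacls dsmcert.sth /inheritance:r /grant:r 'SYSTEM:(F)' 'Administrators:(F)' | Out-Null
}

# Step 3: import the certificate with a unique, meaningful label and verify it landed.
$label = "Server $ServerName self-signed key"
& $gsk -cert -add -db dsmcert.kdb -stashed -label $label -file $ServerCertPath -format ascii -trust enable
if ($LASTEXITCODE -ne 0) { throw "Certificate import failed (exit $LASTEXITCODE); is the label '$label' already in use?" }
$listing = & $gsk -cert -list -db dsmcert.kdb -stashed
if (-not ($listing -match [regex]::Escape($label))) { throw "Label '$label' not found in dsmcert.kdb after import" }

# Step 4: enable SSL in fb.opt and point tcpport at the server's SSL/TLS port.
# Existing ssl/tcpport lines are replaced so the file does not end up with both values.
$opt   = Join-Path $KdbDir 'fb.opt'
$lines = @(if (Test-Path $opt) { Get-Content $opt } else { @() })
$lines = @($lines | Where-Object { $_ -notmatch '^\s*(ssl|tcpport)(\s|$)' })
$lines += 'ssl yes'
$lines += "tcpport $SslPort"
Set-Content -Path $opt -Value $lines -Encoding ASCII
Write-Host "fb.opt updated: ssl yes, tcpport $SslPort. Now set the same SSL/TLS port in the RecoveryAgent .conf files."
```

The fingerprint check is the security-relevant step: without it, anyone who can hand you a .arm file can make the recovery agent trust a server they control. The icacls calls are an assumption about which accounts should keep access; adjust them to the account your recovery agent service runs under.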