IBM Tivoli Storage FlashCopy Manager for VMware, Version 4.1

GSKit configuration

IBM® Global Security Kit (GSKit) supports Federal Information Processing Standards (FIPS140-2) and is also certified to provide SP800-131 compliant encryption. GKit is automatically installed by Tivoli® Storage FlashCopy® Manager for VMware.

Tivoli Storage FlashCopy Manager for VMware uses the security suite IBM Global Security Kit (GSKit), for Secure Socket Layer (SSL) and Transport Layer Security (TLS) TCP/IP connections. GSKit is certified to provide SP800-131 compliant encryption and uses the SSL protocol TLS V1.2. To enforce SP800-131 encryption during the configuration of Tivoli Storage FlashCopy Manager for VMware, the ENFORCE_TLS12 parameter must be set to YES, otherwise the SSL protocol TLS version 1.0 and 1.1 is enabled.

The following files are essential for the correct operation of IBM GSKit:

A key database file, fcmcert.kdb, is in the installation directory.
The KDB file contains a new key pair and a self-signed certificate.

The root certificates for a number of trusted root certificates are stored in this database. You can import a certificate authority (CA) signed certificate and this certificate replaces the self-signed certificate in the database. This signed certificate must comply with the standard as defined by the National Institute of Standards and Technology (NIST) SP800-131 standard encryption. This standard requires longer key lengths and stronger cryptographic algorithms. This standard requires a minimum key size = 2048 and a bits signature algorithm = RSA with SHA224 or higher. Import the CA signed certificate to the key database on the production server.
Note: This requirement applies only when during the installation of Tivoli Storage FlashCopy Manager for VMware the ENFORCE_TLS12 parameter is set to YES.
A request database file, fcmcert.rdb, in the installation directory.
The request database file is used to store certificate requests that are associated with the key database and is automatically created when Tivoli Storage FlashCopy Manager for VMware creates a key database file. This file is created with the same name as the key database file, but with a .rdb extension.
An encrypted stash file, fcmcert.sth.
The password that is protecting the key database file is generated automatically and is stored in the encrypted stash file.
An ASCII encoded binary file, fcmselfcert.arm.
The file is used to export the public part of the self-signed certificate and import it to the backup and cloning servers. You must not delete this file unless you import a CA signed certificate to the key database fcmcert.kdb replacing the self-signed one.
A certificate revocation list file, fcmcert.crl.
The file contains a list of revoked certificates.

The .kdb, .rdb, .crl and the .sth files contain critical security parameters (CSP) and these parameters must be protected against unauthorized access by mechanisms that are provided by the operating system. The files are generated by the setup script. It is advisable to back up the key database files regularly, especially if you are using a CA signed certificate.

If you are using a CA signed certificate, you must use the GSKit command-line utilities to import the certificate to the server.

Feedback