Secure Sockets Layer and Transport Layer Security communication

You can use the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol to provide transport layer security for a secure connection between Tivoli® Storage Manager servers, clients, and storage agents. If you send data between the server, client, and storage agent, use SSL or TLS to encrypt the data.

The image is a graphical depiction of SSL communications between the Tivoli Storage Manager server, Operations Center, backup-archive client, storage agent, hub server, and spoke servers.

SSL and TLS are provided by the Global Security Kit (GSKit), which is installed with the Tivoli Storage Manager server and is used by the server, client, and storage agent. The Operations Center and Reporting agent do not use GSKit.

Restriction: Do not use the SSL or TLS protocols for communications with an IBM® DB2 database instance that is used by the Tivoli Storage Manager server.

Each Tivoli Storage Manager server, client, or storage agent that enables SSL must use a trusted self-signed certificate or obtain a unique certificate that is signed by a certificate authority (CA). You can use your own certificates or purchase certificates from a CA. Either certificate can be installed and added to the key database on the Tivoli Storage Manager server, client, or storage agent.

If you use a root certificate from a CA, you must install it in the key database of each client, server, and storage agent that initiates SSL communication. A root certificate is a certificate that identifies the root certificate authority. The certificate is verified by the SSL client or server that requests or initiates the SSL communication.

Configure SSL or TLS independently on the Tivoli Storage Manager server, client, and storage agent.

The Tivoli Storage Manager server, client, or storage agent can serve as SSL clients during communication. An SSL client is the component that initiates communication and verifies the certificate for an SSL server. For example, if the Tivoli Storage Manager client initiates the SSL communication with the Tivoli Storage Manager server, the Tivoli Storage Manager client is the SSL client and the server is the SSL server.
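As an added illustration that is not part of the Tivoli Storage Manager documentation, and that uses the openssl command line rather than GSKit, the following script builds a constructed root CA, a server certificate issued by it, and a self-signed certificate, then shows that the verifying side (the SSL client) accepts a certificate only when the issuing root, or the self-signed certificate itself, is present in its trust store. A PEM file stands in for the GSKit key database; all file and subject names are assumptions.

```shell
#!/bin/sh
# Added illustration, not Tivoli Storage Manager or GSKit code: it uses the
# openssl CLI to act out what an SSL client does when it verifies the SSL
# server's certificate against the root certificates in its key database.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA certificate (stands in for a CA root that you would
# install in each client, server, and storage agent key database).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 365 -subj "/CN=Example Root CA" >/dev/null 2>&1

# Constructed server certificate issued by that CA (the SSL server's cert).
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=tsm-server.example" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 >/dev/null 2>&1

# Constructed self-signed certificate, the other option the text allows;
# it is trusted only if the certificate itself is in the key database.
openssl req -x509 -newkey rsa:2048 -nodes -keyout agent.key -out agent.crt \
  -days 365 -subj "/CN=storage-agent.example" >/dev/null 2>&1

# verify_against TRUST_STORE CERT
# Exit status 0 when CERT chains to a certificate in TRUST_STORE, nonzero
# otherwise. TRUST_STORE plays the role of the SSL client's key database.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show the four outcomes without aborting the script on expected failures.
for pair in "ca.crt server.crt" "agent.crt server.crt" \
            "agent.crt agent.crt" "ca.crt agent.crt"; do
  set -- $pair
  if verify_against "$1" "$2"; then
    echo "trusted:   $2 verified with $1 in the trust store"
  else
    echo "untrusted: $2 does not chain to anything in $1"
  fi
done
```

The two "untrusted" lines are the cases the text warns about: a CA-signed server certificate checked by a client that never received the CA root, and a self-signed certificate that was not added to the verifying side's key database.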

Table 1 lists the components that can be an SSL client or SSL server.

Table 1. SSL clients and servers in the Tivoli Storage Manager environment

| SSL client | SSL server | Scenario |
|---|---|---|
| Client | Server | The Tivoli Storage Manager client initiates a communication request with the Tivoli Storage Manager server. The client verifies the certificate. The server provides the certificate. |
| Server (such as a source server) | Server (such as a target server) | The Tivoli Storage Manager source server initiates a communication request with the Tivoli Storage Manager target server. The source server acts as an SSL client and verifies the certificate that the target server provides. This type of communication is common during replication processing. |
| Client through a storage agent | Server | The client verifies each certificate when it initiates SSL communication separately with the Tivoli Storage Manager server and the storage agent. When the storage agent communicates with the server by using the SSL communication protocol, the storage agent acts as an SSL client and verifies the certificate that the server provides. The storage agent can be the SSL client and the SSL provider at the same time. |
| Server | LDAP server | The Tivoli Storage Manager server initiates a communication request with the LDAP server. The Tivoli Storage Manager server acts as the SSL client and verifies the certificate that the LDAP server provides. |
| Operations Center | Server | The Operations Center initiates a communication request with the Tivoli Storage Manager server. The Operations Center acts as the SSL client and verifies the certificate that the Tivoli Storage Manager server provides. |
| Reporting | Server | The reporting agent initiates a communication request with the Tivoli Storage Manager server. The Reporting feature acts as the SSL client and verifies the certificate that the Tivoli Storage Manager server provides. |