Secure Sockets Layer and Transport Layer Security communication
The Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol is used to provide transport layer security for a secure connection between IBM Spectrum® Protect servers, clients, storage agents, and the Operations Center. If you send data between the server, client, and storage agent, SSL is used to encrypt the session.
ANS1694E The certificate identity could not be verified
A signed certificate must have the server’s correct DNS name and IP address or authentication attempts are rejected. If those entries are incorrect, the same ANS1694E error is reported.
Capability | IBM Spectrum Protect self-signed certificates | CA-signed certificates |
---|---|---|
Enables secure authentication between end points | | |
Enables strong encryption for data transmission | | |
Automatic distribution of public keys to clients | 1 | |
Automatic handling of expired certificates | | |
Common certificate used on clients for several servers | | |
Central location for managing certificates and revoking certificates | | |
- The IBM Spectrum Protect server accepts CA-signed certificates that are signed with SHA-256 or an earlier Secure Hash Algorithm. SHA-256 certificates are designed to improve security and comply with National Institute of Standards and Technology (NIST) requirements. For this reason, the preferred method is to use SHA-256 certificates for communications between the server and the Operations Center.
- If a server has an MD5-signed certificate that is labeled "Tivoli® Storage Manager Server SelfSigned Key" set as the default when you upgrade to version 8.1.4 or later, the default certificate is automatically updated to a certificate with a SHA signature. In releases earlier than version 7.1.8, the default certificate was labeled "TSM Server SelfSigned Key" and had an MD5 signature, which does not support the TLS 1.2 protocol that is required by default for version 8.1.2 or later clients and the Operations Center. Beginning with version 8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled "TSM Server SelfSigned SHA Key". A copy of the certificate is stored in the cert256.arm file, which is located in the server instance directory. If you have clients at versions earlier than 7.1.8 or 8.1.2 that used an MD5-signed certificate, you must manually configure them to use the certificate from the cert256.arm file.
  Tip: Before you update the server to use the new default certificate with a SHA signature, distribute the cert256.arm file to clients to prevent client backup failures. Each client must obtain and import the new certificate before it can connect to a server that is using the new default SHA certificate. You do not need to remove previous certificates.
An IBM Spectrum Protect server, client, or storage agent can serve as an SSL client during communication. An SSL client is the component that initiates communication and verifies the certificate for an SSL server. For example, if the IBM Spectrum Protect client initiates the SSL communication with the IBM Spectrum Protect server, the IBM Spectrum Protect client is the SSL client and the server is the SSL server.
SSL client | SSL server | Scenario |
---|---|---|
Client | Server | The IBM Spectrum Protect client initiates a communication request with the IBM Spectrum Protect server. The client verifies the certificate. The server provides the certificate. |
Server (such as a source server) | Server (such as a target server) | The IBM Spectrum Protect source server initiates a communication request with the IBM Spectrum Protect target server. The source server acts as an SSL client and verifies the certificate that the target server provides. This type of communication is common during replication processing. |
Client through a storage agent | Server | The client verifies each certificate when it initiates SSL communication separately with the IBM Spectrum Protect server and the storage agent. When the storage agent communicates with the server by using the SSL communication protocol, the storage agent acts as an SSL client and verifies the certificate that the server provides. The storage agent can be the SSL client and the SSL server at the same time. The client must use the same communication protocol (either SSL or TCP/IP) to communicate with both the server and the storage agent. |
Server | LDAP server | The IBM Spectrum Protect server initiates a communication request with the LDAP server. The IBM Spectrum Protect server acts as the SSL client and verifies the certificate that the LDAP server provides. |
Operations Center | Server | The Operations Center initiates a communication request with the IBM Spectrum Protect server. The Operations Center acts as the SSL client and verifies the certificate that the IBM Spectrum Protect server provides. |
Reporting | Server | The reporting agent initiates a communication request with the IBM Spectrum Protect server. The Reporting feature acts as the SSL client and verifies the certificate that the IBM Spectrum Protect server provides. |