Configuring the server to accept SSL connections
Configure the server to accept SSL connections before you enable SSL communication from the server to a client, a storage agent, or another server.
Use this procedure for manual configuration.
About this task
- Specify the port on which the server waits for client communications that are enabled for SSL or accept the default port number. By default, the server is configured to accept Transport Layer Security (TLS) connections by specifying the TCPPORT or TCPADMINPORT options. To update TCPPORT or TCPADMINPORT or both options, update the dsmserv.opt file in the server instance directory. You can also configure the SSLTCPPORT and SSLTCPADMINPORT options as SSL-only connections.
Create the server key database by starting the server. The server key database file,
cert.kdb, is stored in the server instance directory, and the default
certificate label is automatically set as
Tivoli Storage Manager Server SelfSigned SHA Key. The certificate is exported to the cert256.arm file.
- If you are using the default self-signed certificate, the default self-signed certificate (cert256.arm) file is needed when you connect to the server by using TLS. After you use the cert256.arm file to import the self-signed certificate to the key database, the file is no longer needed.
If you are using a CA-signed certificate, each IBM Spectrum Protect server must send a unique
server certificate to a CA to be signed. The CA returns a signed server certificate. You can use the same CA certificate to connect to multiple servers. You can also
update the server certificates without needing to redistribute them to clients. To configure CA
certificates, complete the following steps for each IBM
Spectrum Protect server:
Note: If you are using a CA-signed certificate and want to use multiple IP addresses on the same server, you must work with your certificate authority vendor to either configure your CA-signed certificate to use multiple IP addresses or to use a wildcard SSL certificate. The configuration steps vary depending on your CA vendor.
Import the root CA certificate for each IBM
Spectrum Protect server that enables SSL.
Log on to the IBM Spectrum Protect server system with the instance user ID and issue the following example command from the instance directory:
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "CA cert" -file ca.crt
Import one or more intermediate CA certificates by issuing the following example command for
each intermediate certificate:
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Intermediate CA cert" -file intca.crt
- The CA root and intermediate certificates (ca.crt and intca.crt) are used to verify the CA-signed server certificate. The CA root and intermediate certificates must be installed in the key database of all clients, storage agents, and servers that use TLS to communicate with the server.
On the server, create a certificate request for the CA to sign by issuing a command that is
similar to the following example:
gsk8capicmd_64 -certreq -create -db cert.kdb -stashed -label "CA signed cert" -sigalg sha256 -size 2048 -ku "digitalSignature,keyEncipherment,keyAgreement" -eku "clientAuth,serverAuth" -dn "CN=tucson.example.com,OU=Spectrum Protect,O=IBM" -san_dnsname tucson.example.com -san_ipaddr 188.8.131.52 -file cert_request.csr
To receive the signed certificate and make it the default for communicating with clients, issue
the following example command:
The CA-signed server certificate does not need to be distributed to clients.
gsk8capicmd_64 -cert -receive -db cert.kdb -stashed -file cert_signed.crt -default_cert yes
- Import the root CA certificate for each IBM Spectrum Protect server that enables SSL.
- If you made any changes, restart the server.
Enable SSL communication from a client, a storage agent, or another server to this server. To complete the following tasks, you must have the server's certificate and the port number that is defined for the server.
What to do next
- To enable SSL communication from a client to this server, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
- To enable SSL communication from another server to this server, see Configuring the server to connect to another server by using SSL.
- To enable SSL communication from a storage agent to this server, see Configuring a storage agent to use SSL.
- To enable SSL communication from the Operations Center to this server, see Configuring the Operations Center to connect to the hub server by using SSL.
- To enable SSL communication from the Data Protection for VMware vSphere GUI to this server, see Configuring the Data Protection for VMware vSphere GUI to communicate with the server by using SSL.