Configuring without automatic certificate distribution
This scenario details the configuration options that impact the security of the data mover and VMCLI nodes when automatic distribution of certificates from the server is not acceptable. For example, automatic distribution of certificates from the server is not acceptable if the server is configured to use LDAP authentication or it is necessary that certificates are signed by a certificate authority (CA).
Options that affect session security
The options for security settings are the same as those described in Configuring by using the default security settings (fast path), with the exception that you must set the SSLACCEPTCERTFROMSERV option to No to ensure that the data mover node does not automatically accept a self-signed public certificate from the server when the node first connects to a V7.1.8 or V8.1.2 or later server.
Use cases for configuring data mover nodes without automatic certificate distribution
If automatic certificate distribution is not possible or wanted, use the dsmcert utility to import the certificate. Obtain the necessary certificate from the IBM Spectrum Protect™ server or from a CA. The CA can be from a company such as VeriSign or Thawte, or an internal CA that is maintained within your company.
If the data mover and VMCLI nodes are on the same machine, only one certificate is required. If the nodes are on separate machines, a certificate is required on each machine.
- First, the server is upgraded to V7.1.8 or V8.1.2. Then, Data Protection for VMware is upgraded. The existing data mover nodes are not using SSL communications:
  - Set the SSLACCEPTCERTFROMSERV option with the value No.
  - Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring Tivoli Storage Manager client/server communication with Secure Sockets Layer for configuration instructions.
- First, the server is upgraded to V7.1.8 or V8.1.2. Then, Data Protection for VMware is upgraded. The existing data mover nodes are using SSL communications:
  - No changes are required to the security options for the data mover nodes. If the nodes already have a server certificate for SSL communication, the SSLACCEPTCERTFROMSERV option does not apply.
  - SSL communication with the existing server public certificate continues to be used.
  - SSL communication is automatically enhanced to use the TLS level that is required by the server.
- First, Data Protection for VMware is upgraded to V7.1.8 or V8.1.2. Then, the server is upgraded later. The existing data mover nodes are not using SSL communications:
  - Set the SSLACCEPTCERTFROMSERV option with the value No.
  - The existing authentication protocol continues to be used with servers at levels earlier than V7.1.8 or V8.1.2.
  - Before the data mover nodes connect to a V7.1.8 or V8.1.2 or later server:
    - Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring Tivoli Storage Manager client/server communication with Secure Sockets Layer for configuration instructions.
- First, Data Protection for VMware is upgraded to V7.1.8 or V8.1.2. Then, the server is upgraded later. The existing data mover nodes are using SSL communications:
  - No changes are required to the security options for the data mover nodes. If the nodes already have a server certificate for SSL communication, the SSLACCEPTCERTFROMSERV option does not apply.
  - SSL communication with the existing server public certificate continues to be used with servers at levels earlier than V7.1.8 or V8.1.2.
  - SSL communication is automatically enhanced to use the TLS level that is required by the server after the server is upgraded to V7.1.8 or V8.1.2 or later.
- First, Data Protection for VMware is upgraded to V7.1.8 or V8.1.2. Then, the data mover nodes connect to multiple servers. The servers are upgraded at different times:
  - Set the SSLACCEPTCERTFROMSERV option with the value No.
  - The existing authentication protocol continues to be used with servers at levels earlier than V7.1.8 or V8.1.2.
  - Before the data mover nodes connect to a V7.1.8 or V8.1.2 or later server, or when SSL communication is required at any server level:
    - Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring Tivoli Storage Manager client/server communication with Secure Sockets Layer for configuration instructions.
  - The data mover nodes use the existing authentication and session security protocol with servers at versions earlier than V7.1.8 or V8.1.2, and automatically upgrade to TLS authentication when they first connect to a server at V7.1.8 or V8.1.2 or later. Session security is managed per server.
- New Data Protection for VMware installation, server is at V7.1.8 or V8.1.2 or later:
  - Configure Data Protection for VMware according to a new installation.
  - Set the SSLACCEPTCERTFROMSERV option with the value No.
  - Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring Tivoli Storage Manager client/server communication with Secure Sockets Layer for configuration instructions.
  - Set the SSL parameter to the Yes value if encryption of all data transfers between the data mover and the server is required.
- New Data Protection for VMware installation, server is at a version earlier than V7.1.8 or V8.1.2, SSL-encrypted sessions are required:
  - Configure Data Protection for VMware according to a new installation.
  - Set the SSL parameter to the Yes value.
  - Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring Tivoli Storage Manager client/server communication with Secure Sockets Layer for configuration instructions.
- New Data Protection for VMware installation, server is at a version earlier than V7.1.8 or V8.1.2, SSL-encrypted sessions are not required:
  - Configure Data Protection for VMware according to a new installation.
  - Set the SSLACCEPTCERTFROMSERV option with the value No.
  - The non-SSL authentication protocol is used until the server is upgraded to V7.1.8 or V8.1.2 or later.
  - Before the data mover nodes connect to a V7.1.8 or V8.1.2 or later server:
    - Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring Tivoli Storage Manager client/server communication with Secure Sockets Layer for configuration instructions.
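Every use case above comes down to the same two steps on each data mover node: make sure the SSLACCEPTCERTFROMSERV option is No for every server the node talks to, and import the server or CA certificate with dsmcert before the first connection to a V7.1.8 or V8.1.2 or later server. The script below is an added example, not IBM's code or part of this documentation. It audits the SERVERNAME stanzas of a Linux/AIX dsm.sys file (on Windows the options live in dsm.opt) and reports, per server, whether the stanza would still auto-accept a self-signed certificate, which matters in the multi-server case because session security is managed per server. It then wraps the dsmcert import with a readability and parse check. The server names, hostnames, ports and certificate path are hypothetical; the dsmcert -add -server ... -file ... form is the client utility's documented syntax, and cert256.arm is assumed to be the certificate file the server generates in its instance directory.

```shell
#!/bin/sh
# Added example (not IBM's own code): audit the per-server stanzas of a
# client options file for the settings this page requires, then import the
# server or CA certificate with dsmcert. Server names, hostnames and paths
# are hypothetical.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample dsm.sys (Linux/AIX data mover). The first stanza is set
# up as the page describes; the second still relies on the client default
# (SSLACCEPTCERTFROMSERV Yes) and does not use SSL at all.
SAMPLE="$WORK/dsm.sys"
cat > "$SAMPLE" <<'EOF'
* data mover node, V8.1.2 server, certificate imported manually
SERVERNAME  tsm_prod
   COMMMETHOD            TCPIP
   TCPSERVERADDRESS      tsm-prod.example.com
   TCPPORT               1543
   NODENAME              DM_NODE1
   SSL                   Yes
   SSLACCEPTCERTFROMSERV No

* legacy server, not yet reconfigured
SERVERNAME  tsm_legacy
   COMMMETHOD            TCPIP
   TCPSERVERADDRESS      tsm-legacy.example.com
   TCPPORT               1500
   NODENAME              DM_NODE1
EOF

# audit_dsmsys FILE
# Prints one line per SERVERNAME stanza: name, SSL value, the effective
# SSLACCEPTCERTFROMSERV value, and OK or AUTO-ACCEPT. Returns 1 if any
# stanza would still accept a self-signed certificate from the server on
# first contact (option missing or not set to No). Session security is
# per server, so every stanza is judged on its own.
audit_dsmsys() {
    awk '
    function flush() {
        if (srv == "") return
        status = (accept == "no") ? "OK" : "AUTO-ACCEPT"
        if (status != "OK") bad++
        printf "%s ssl=%s sslacceptcertfromserv=%s %s\n", srv, ssl, accept, status
    }
    { key = tolower($1); val = tolower($2) }
    key == "servername"            { flush(); srv = $2; ssl = "no"; accept = "yes(default)"; next }
    key == "ssl"                   { ssl = val }
    key == "sslacceptcertfromserv" { accept = val }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# import_server_cert SERVERNAME CERTFILE
# Imports a server public certificate (cert256.arm from the server instance
# directory) or a CA certificate into the client key database with the
# dsmcert utility. Where openssl is available the file is parsed first, so a
# truncated or wrong file is caught before dsmcert touches the key database,
# and the SHA-256 fingerprint is printed for out-of-band comparison with the
# server administrator.
import_server_cert() {
    srv="$1"; cert="$2"
    [ -r "$cert" ] || { echo "certificate file not readable: $cert" >&2; return 2; }
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -subject -fingerprint -sha256 \
            || { echo "not a parseable PEM certificate: $cert" >&2; return 2; }
    fi
    command -v dsmcert >/dev/null 2>&1 \
        || { echo "dsmcert not found; run this on the data mover node" >&2; return 3; }
    dsmcert -add -server "$srv" -file "$cert"
}

audit_dsmsys "$SAMPLE" || echo "at least one stanza still auto-accepts a server certificate" >&2
# On a real node, once the audit passes for the options file:
#   import_server_cert tsm_prod /path/to/cert256.arm
```

Run the audit against the node's real options file after every edit and after every server upgrade; a stanza reported as AUTO-ACCEPT is exactly the case the page warns about, where the node would trust whatever self-signed certificate the upgraded server presents on first contact instead of the certificate you imported. Compare the fingerprint printed by the import step with the one the server administrator reads from the server side before the first SSL session.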