Automating the distribution of IBM Storage Protect server certificate to clients
The self-signed SSL/TLS certificate that is generated by the IBM® Storage Protect server expires after 10 years. You can renew the certificate when it has expired or before it expires. A utility is provided here that helps automate the distribution of a new certificate, generated on the IBM Storage Protect server, to the various IBM Storage Protect clients (including the BA client, HSM, VE, and the various types of TDP clients). This automation utility is available in the form of a script that runs on the administrative client. In this distribution process, several schedules with action=command are defined and associated with the nodes (clients) that are registered on the IBM Storage Protect server. These schedules send the certificate to the client when the client scheduler runs them. The new certificate is then added to the client certificate database, which enables the clients to trust the new certificate from IBM Storage Protect for further communications after the IBM Storage Protect server switches over to the new certificate.
Before you begin
- The administrative client (dsmadmc) must be configured to connect with the IBM Storage Protect server.
- The client scheduler must be configured for the clients. For the details on client scheduler, refer to IBM Storage Protect scheduler overview.
- You must load and configure the utility before you run it.
- Loading the utility
  - The automated distribution of the certificate to clients is initiated from the administrative client (dsmadmc), which can be on the same machine where the server is installed or on a separate machine.
  - Download the tar package and extract it on the administrative client machine.
  - After the extraction, change to the cert_distribute directory, and then to the windows or linux-aix subdirectory, based on the platform of the admin client machine.
  - Use the cert_distribute.sh BASH script on Linux®, AIX® or other UNIX kernel based admin clients. Remember: You must ensure that the BASH shell is installed on AIX-based admin clients before distributing the certificate by using the cert_distribute.sh script.
  - Use the cert_distribute.ps1 Microsoft Windows PowerShell script on Microsoft Windows based admin clients.
- Configuring the utility
  - Place the configuration file cert_distribute.ini in the same directory as the script. The configuration file contains the parameters that the utility needs in order to run; set appropriate values for these parameters in the configuration file.
Note: IBM Storage Protect clients registered with type=OBJECTCLIENT or type=NAS are not covered by this utility.

| IBM Storage Protect Component | Minimum Version |
|---|---|
| IBM Storage Protect Server | 8.1.19 |
| IBM Storage Protect Client | 8.1.2 |
About this task
The utility distributes the following certificate types:
- IBM Storage Protect server-generated self-signed certificate.
- Certificate Authority (CA) provided root and intermediate certificates. When you use a CA-signed certificate for communications with the IBM Storage Protect server, the root certificate must be distributed first, followed by the intermediate certificate. For more details, refer to Configuring the server to accept SSL connections.
The utility does not work in the following cases:
- IBM GSKit (gsk8capicmd_64) is not installed, or is not located in the default location. The default locations of the GSKit binary on the different platforms are:

| Platform | Default Installation Directory |
|---|---|
| AIX | /usr/opt/ibm/gsk8_64/bin/gsk8capicmd_64 |
| Linux | /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 |
| MAC | /Library/ibm/gsk8/bin/gsk8capicmd |
| Windows | C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64 |

- The client certificate keystore file dsmcert.kdb is not found in the default set of locations, including the client installation path. The default BA client installation directories are:

| Platform | Default BA Client Installation Directory |
|---|---|
| AIX | /usr/tivoli/tsm/client/ba/bin |
| Linux | /opt/tivoli/tsm/client/ba/bin |
| MAC | /Library/Application\ Support/tivoli/tsm/client/ba/bin |
| Windows | C:\Program Files\Tivoli\TSM\baclient |

If the client is not installed in one of the default paths above, the script looks for the client's certificate keystore file under the path defined by the environment variable DSM_DIR. Apart from the paths mentioned above, the client's certificate keystore file can also be found in the path given by environment variables such as PASSWORDDIR, or in ~/IBM/StorageProtect/certs on UNIX-based systems and C:\Users\user\IBM\StorageProtect\certs on Windows systems.
In addition to the cases above, the automated certificate renewal utility does not provide the new certificate to other IBM Storage Protect servers that communicate with the server being updated, to the administrative clients that are configured to connect with the server being updated, or to the Operations Center. In these cases, refer to the manual procedure documented under Renewing an SSL certificate of the IBM Storage Protect server.
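The two failure cases above can be checked on a UNIX client before a distribution schedule runs. The following script is an added example written for this page, not IBM's cert_distribute.sh; it uses the default GSKit and BA client paths from the tables above, and the search order after the installation directory (DSM_DIR, then PASSWORDDIR, then ~/IBM/StorageProtect/certs) is an assumption, since the page lists those locations without stating an order.

```shell
#!/bin/sh
# Added example (not IBM's utility): resolve the GSKit binary and the client
# keystore dsmcert.kdb from the default locations listed on this page.
# Platform names aix, linux and mac are this example's own convention.

# Default GSKit binary per platform (values from the page's table).
default_gskit() {
    case "$1" in
        aix)   echo /usr/opt/ibm/gsk8_64/bin/gsk8capicmd_64 ;;
        linux) echo /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 ;;
        mac)   echo /Library/ibm/gsk8/bin/gsk8capicmd ;;
        *)     return 1 ;;
    esac
}

# Default BA client installation directory per platform (from the page's table).
default_baclient_dir() {
    case "$1" in
        aix)   echo /usr/tivoli/tsm/client/ba/bin ;;
        linux) echo /opt/tivoli/tsm/client/ba/bin ;;
        mac)   echo "/Library/Application Support/tivoli/tsm/client/ba/bin" ;;
        *)     return 1 ;;
    esac
}

# Print the GSKit binary if it is executable in its default location;
# return 1 otherwise (the "GSKit not installed / not in default location" case).
find_gskit() {
    bin=$(default_gskit "$1") || return 1
    [ -x "$bin" ] && echo "$bin"
}

# Print the first dsmcert.kdb found: default install dir, then $DSM_DIR, then
# $PASSWORDDIR, then ~/IBM/StorageProtect/certs (order after the install dir is
# assumed). Return 1 if none exists (the "keystore not found" case).
find_client_keystore() {
    for dir in "$(default_baclient_dir "$1")" "${DSM_DIR:-}" \
               "${PASSWORDDIR:-}" "$HOME/IBM/StorageProtect/certs"; do
        if [ -n "$dir" ] && [ -f "$dir/dsmcert.kdb" ]; then
            echo "$dir/dsmcert.kdb"; return 0
        fi
    done
    return 1
}

# Report both prerequisites; exit status 0 only when both are satisfied.
check_prerequisites() {
    ok=0
    gsk=$(find_gskit "$1") && echo "GSKit: $gsk" || { echo "GSKit: not in default location"; ok=1; }
    kdb=$(find_client_keystore "$1") && echo "keystore: $kdb" || { echo "keystore: dsmcert.kdb not found"; ok=1; }
    return $ok
}
```

Call `check_prerequisites linux` (or aix, mac) from a scheduled command or interactively; a non-zero exit means the utility would not be able to add the certificate on that client.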
Procedure
To automate the distribution of the IBM Storage Protect server certificate to clients, complete the following steps: