Renewing an SSL certificate of the IBM Storage Protect server

The self-signed SSL/TLS certificate that is generated by the IBM Storage Protect server expires after 10 years. You can renew the certificate before it expires or after it has expired.

Before you begin

To verify the SSL/TLS certificate expiration details, issue the following command from the server instance directory:
gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
The output is similar to the following example; the line that starts with Not After shows the certificate expiration date.
          Label : TSM Server SelfSigned SHA Key
       Key Size : 2048
        Version : X509 V3
         Serial : aaabbbcccddd
         Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
        Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
     Not Before : November 15, 2012 11:16:40 AM GMT+01:00
      Not After : November 14, 2022 11:16:40 AM GMT+01:00

Procedure

To create and distribute a new SSL/TLS certificate (cert256.arm), complete the following steps:

  1. Stop the IBM Storage Protect server.
  2. Make a backup copy of the following certificates and key stores that are present in the IBM Storage Protect server instance directory:
     cert256.arm
     cert.kdb
     cert.sth
     cert.rdb
     cert.crl

  3. Delete only the cert256.arm file from the server instance directory.
  4. Delete the server's certificate from the key store by issuing the following command:
    gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
  5. Start the IBM Storage Protect server. On startup, the server generates a new certificate and stores it in the key store with label "TSM Server SelfSigned SHA Key". Also, a new cert256.arm file is created.
  6. Check the cert.kdb and cert256.arm files for more information, by issuing the following commands:
    gsk8capicmd_64 -cert -details -file cert256.arm
    gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

    In the output, the expiration date in the line that starts with Not After must be the same in both files. Verify that the expiration date is 10 years in the future.

  7. To provide the new certificate to other servers that communicate with the server being updated, issue the UPDATE SERVER command on each of the other servers by specifying the FORCESYNC=YES and CERTFINGERPRINT="" parameters. This action forces the server to update its local copy by synchronizing with the updated server's certificate.
  8. To provide the new certificate to backup-archive and API clients, issue the UPDATE NODE command for each client node by specifying the SESSIONSECURITY=TRANSITIONAL parameter to change the node's SESSIONSECURITY state to TRANSITIONAL.
    Important: You must complete this step for each node, including the IBM Storage Protect server host itself, because the client certificate on the IBM Storage Protect server host is used for the server database backup operation.
    1. At each node, make a backup copy of dsmcert.kdb, dsmcert.idx, and dsmcert.sth.
      Tip: These files are located in the client installation directory. On Unix, Linux® and Mac systems, if client sessions were ever started by a non-root user, copies of the certificate can also be located in $HOME/IBM/StorageProtect/certs/ or in the directory that is specified by the PASSWORDDIR client option.
    2. If a node is configured to connect to multiple servers, deleting the entire key store causes the certificates of the other servers to be redistributed to that node as well. To avoid redistributing the other servers' certificates to that node, you can delete only the certificate of the affected IBM Storage Protect server by completing the following steps:
      1. List the certificates stored in the keystore by issuing the following command:
        gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed

        Note the affected server certificate name and use it in the next step.

      2. To delete the affected certificate, issue the following delete command:
        gsk8capicmd_64 -cert -delete -db dsmcert.kdb -stashed -label certificate_name
      If only one certificate is listed for the server that is being updated, you can simply delete all of the following files: dsmcert.kdb, dsmcert.sth, and dsmcert.idx.
      Important: You must delete dsmcert.idx in any case, whether you delete the entire key store or you delete a single certificate from the key store.
    3. Connect to the IBM Storage Protect server by using the backup-archive or API client to get the new certificate.
  9. To provide the new certificate to administrative clients, issue the UPDATE ADMIN command for each client administrator by specifying the SESSIONSECURITY=TRANSITIONAL parameter to change the administrator's SESSIONSECURITY state to TRANSITIONAL.
    On each system from which an administrator uses the command line administrative client (dsmadmc) to connect to the server, complete the following actions:
    1. Make a backup copy of dsmcert.kdb, dsmcert.sth, and dsmcert.idx.
      Tip: These files are located in the client installation directory. On Unix, Linux and Mac systems, if client sessions were ever started by a non-root user, copies of the certificate can also be located in $HOME/IBM/StorageProtect/certs/ or in the directory that is specified by the PASSWORDDIR client option.
    2. List the certificates stored in the keystore by issuing the following command:
      gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed

      Note the affected server certificate name and use it in the next step.

    3. If dsmadmc is used to connect to multiple servers from this system, issue the following command to delete only the certificate of the server whose certificate has expired:
      gsk8capicmd_64 -cert -delete -db dsmcert.kdb -stashed -label certificate_name
      If only one certificate is listed for the server that is being updated, you can simply delete all of the following files: dsmcert.kdb, dsmcert.sth, and dsmcert.idx.
      Important: You must delete dsmcert.idx in any case, whether you delete the entire key store or you delete a single certificate from the key store.
    4. Connect to the IBM Storage Protect server by using dsmadmc to get the new certificate.
  10. To provide the new certificate to Operations Center, complete the following steps:
    1. Stop the Operations Center service.
    2. On the hub server, cancel any sessions between the Operations Center and the hub server.
    3. Issue the UPDATE ADMIN command for the following administrators by specifying the SESSIONSECURITY=TRANSITIONAL parameter to change the administrator's SESSIONSECURITY state to TRANSITIONAL:
      1. Any administrator who logs into the Operations Center
      2. The Operations Center monitoring admin: IBM-OC-hub_server_name, where hub_server_name is the server name of the IBM Storage Protect server hub
    4. Start the Operations Center service.
    5. Log in to the Operations Center with an administrator that is specified in step 10.c.i (an administrator who logs in to the Operations Center).
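The expiration check from Before you begin and the comparison in step 6, as an added Python example that is not part of the IBM documentation: it parses the Not After line from gsk8capicmd_64 -cert -details output, reports the days left until expiry, and confirms that cert256.arm and cert.kdb carry the same date roughly 10 years ahead. It assumes gsk8capicmd_64 is in PATH and that the script is run from the server instance directory; the sample output embedded below is constructed.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by "gsk8capicmd_64 -cert -details";
# the values are invented for the self-test and are not a real certificate.
SAMPLE_OUTPUT = """\
          Label : TSM Server SelfSigned SHA Key
     Not Before : November 15, 2012 11:16:40 AM GMT+01:00
      Not After : November 14, 2022 11:16:40 AM GMT+01:00
"""

def parse_not_after(details_output):
    """Return the 'Not After' timestamp as a timezone-aware datetime."""
    line = re.search(r"^\s*Not After\s*:\s*(.+?)\s*$", details_output, re.M)
    if not line:
        raise ValueError("no 'Not After' line in gsk8capicmd_64 output")
    parts = re.fullmatch(r"(.+?)\s+GMT([+-])(\d{2}):(\d{2})", line.group(1))
    if not parts:
        raise ValueError("unexpected timestamp format: " + line.group(1))
    local, sign, hours, minutes = parts.groups()
    offset = timedelta(hours=int(hours), minutes=int(minutes))
    naive = datetime.strptime(local, "%B %d, %Y %I:%M:%S %p")
    return naive.replace(tzinfo=timezone(-offset if sign == "-" else offset))

def _as_datetime(now):
    """None means the current time; an ISO 8601 string such as "2012-11-16T00:00:00+00:00" is accepted."""
    if now is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(now) if isinstance(now, str) else now

def days_until_expiry(details_output, now=None):
    """Before-you-begin check: days left, negative once the certificate has expired."""
    return (parse_not_after(details_output) - _as_datetime(now)).days

def verify_renewal(arm_output, kdb_output, now=None, min_years=9.9):
    """Step 6 check: Not After is identical in both files and about 10 years ahead."""
    arm_exp, kdb_exp = parse_not_after(arm_output), parse_not_after(kdb_output)
    if arm_exp != kdb_exp:
        return False
    return (arm_exp - _as_datetime(now)).days / 365.25 >= min_years

if __name__ == "__main__":  # live use: run from the server instance directory
    def details(*args):  # gsk8capicmd_64 is assumed to be in PATH
        cmd = ["gsk8capicmd_64", "-cert", "-details", *args]
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    arm = details("-file", "cert256.arm")
    kdb = details("-db", "cert.kdb", "-stashed", "-label", "TSM Server SelfSigned SHA Key")
    print("days until expiry:", days_until_expiry(kdb), "| consistent:", verify_renewal(arm, kdb))
```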