Securing communications
Your data and passwords are more secure when they are protected by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), a form of SSL.
SSL and TLS are the standard technology for creating encrypted sessions between servers and clients. SSL and TLS provide a secure channel for servers and clients to communicate over open communication paths. With SSL and TLS, the identity of the server is verified by using digital certificates.
Starting with version 8.2.0, the communication between the IBM Storage Protect server and the Lightweight Directory Access Protocol (LDAP) server is secured by TLS version 1.3 by default. Both systems participating in the communication session must support TLS 1.3 to establish a TLS 1.3 connection. If either system supports only TLS 1.2, the session will automatically default to TLS 1.2.
Beginning with IBM Storage Protect 8.1.11, you can enable the TLS 1.3 protocol to secure communications between servers, clients, and storage agents. To use TLS 1.3, both parties in the communication session must use TLS 1.3. If either party uses TLS 1.2, both parties use TLS 1.2 by default.
- Beginning with IBM Storage Protect 8.1.4, you no longer have to manually configure certificates between storage agents, library clients, and library manager servers. Certificates are automatically configured.
- Beginning with IBM Storage Protect 8.1.2, SSL is enabled by default for authentication between version 8.1.2 and later servers and clients. You must manually configure version 8.1.2 storage agents to use SSL.
- Storage agents that use 7.1.8 or later software or 8.1.3 or later software are automatically configured to use SSL.
Library clients and library manager servers automatically use SSL to communicate with storage agents that use 8.1.2 or later software or 7.1.8 or later software, but you must manually configure the certificates between them. A storage agent automatically exchanges certificates with its database server.
- Servers, storage agents, and clients that use IBM Storage Protect software versions earlier than 8.1.2 or Tivoli Storage Manager software versions earlier than 7.1.8 can only be configured to use SSL by following the manual procedure, even if the server or storage agent is using 8.1.3 or later software. For more information, see Configuring storage agents, servers, clients, and the Operations Center to connect to the server by using SSL.
TLS is used for all communication between the server, storage agent, and clients, except when sending or receiving object data. By default, object data is sent and received by using TCP/IP. To improve system performance, use TLS for authentication without encrypting object data. If you choose not to encrypt the object data, server performance is similar to that of communication over a plain TCP/IP session, and the session is secure. To specify whether the server uses TLS for the entire session or only for authentication, see the SSL client option for client-to-server communication, and the SSL parameter in the UPDATE SERVER command for server-to-server communication. If you choose to use TLS to encrypt object data, consider adding more processor resources on the IBM Storage Protect server to manage the increased CPU load.
If you authenticate passwords with an LDAP directory server, TLS protects passwords between the IBM Storage Protect server and the LDAP server by encrypting all data exchanged between them. This ensures that sensitive information—such as credentials, tokens, configuration data, and LDAP queries—remains protected during transit. In addition to encryption, TLS also provides authentication. Each server validates the identity of the other using trusted X.509 certificates. For this purpose, the LDAP server’s certificate (or its issuing CA certificate) must be manually added to the Storage Protect server’s keystore database. Storage agent key databases do not require these certificates.
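To confirm from the administrator's side what a Storage Protect or LDAP server port actually negotiates, the following added Python example (not IBM Storage Protect code) enforces the same policy described above: TLS 1.2 as the floor, TLS 1.3 whenever both sides support it, and the peer certificate validated against a trusted CA file, which plays the role of the CA certificate added to the Storage Protect keystore. The host, port and CA file path are assumptions supplied by the caller.

```python
import socket
import ssl

# Added example, not IBM Storage Protect code. A defender-side probe that
# mirrors the policy described on this page: TLS 1.3 preferred, TLS 1.2 as
# the floor, and the peer identity checked against a trusted CA.
# Host, port and CA file path are assumptions supplied by the caller.

def build_context(cafile=None):
    """Client context with the page's floor: refuse anything below TLS 1.2,
    allow up to TLS 1.3, and require a certificate that chains to a trusted CA.
    `cafile` is the analogue of the LDAP server's CA certificate in the
    Storage Protect keystore; None falls back to the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx

def expected_version(client_supports_13, server_supports_13):
    """Negotiation rule stated above: TLS 1.3 only when both sides support it,
    otherwise the session falls back to TLS 1.2."""
    return "TLSv1.3" if (client_supports_13 and server_supports_13) else "TLSv1.2"

def probe(host, port, cafile=None, timeout=5.0):
    """Handshake with host:port and report what was actually negotiated.
    On failure (untrusted certificate, hostname mismatch, peer offering only
    TLS 1.1 or older, closed port) the returned dict carries an 'error' key."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # subject is a tuple of RDNs, each a tuple of (key, value) pairs
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {
                    "version": tls.version(),   # "TLSv1.3" or "TLSv1.2"
                    "cipher": tls.cipher()[0],
                    "subject_cn": subject.get("commonName"),
                    "not_after": cert.get("notAfter"),
                }
    except (ssl.SSLError, OSError) as exc:
        return {"error": str(exc)}

if __name__ == "__main__":
    # Placeholder target (constructed); replace with a server you operate,
    # e.g. your LDAP server on 636 or the Storage Protect server port.
    print(probe("ldap.example.invalid", 636))
```

A result whose "version" is "TLSv1.2" against a peer you expected to negotiate TLS 1.3 means one side lacks TLS 1.3 support, exactly the fallback described above; an "error" mentioning certificate verification means the peer's CA is not in the trust file you passed.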