Tape CLI commands

Command line interface (CLI) commands are used to perform library management procedures. Many of these procedures cannot be run from the management GUI. These CLI commands are for the TS4500 and Diamondback tape libraries.

Security Considerations

Understanding and implementing proper security measures is critical when using the CLI tool to manage your tape library.

SSL Certificate Validation

IMPORTANT: By default, the TS4500 CLI tool operates in insecure mode with SSL certificate validation disabled. This configuration poses significant security risks in production environments.

Security Risks of Insecure Mode

When running without proper SSL certificate validation, the following security risks exist:

  • Credential Interception: Your administrative credentials can be intercepted by attackers on the network.
  • Man-in-the-Middle (MitM) Attacks: Connections are vulnerable to MitM attacks where malicious actors can intercept, read, or modify communications between the CLI and the library.
  • Data Exposure: Sensitive library configuration data and commands may be exposed to unauthorized parties.
  • Compliance Issues: Insecure connections may violate security compliance requirements in regulated environments.

Setting Up Secure Connections

Follow these steps to configure secure CLI connections:

Step 1: Obtain the Library's SSL Certificate

openssl s_client -connect <library-hostname>:443 -showcerts < /dev/null 2>/dev/null | \
  openssl x509 -outform PEM > library-cert.pem

Step 2: Create a Java KeyStore

keytool -import -alias ts4500-library -file library-cert.pem \
  -keystore ts4500-truststore.jks -storepass <your-password>

Step 3: Use the KeyStore with the CLI

java -jar TS4500CLI.jar --host <hostname> --user <username> \
  --keystore ts4500-truststore.jks --storepass <your-password>
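
Step 1 downloads the certificate over the same unauthenticated connection that the truststore is meant to protect, so compare its SHA-256 fingerprint with a value obtained over a separate trusted channel before running Step 2. The shell functions below are an added example, not part of the original documentation or the CLI tool; the function names, and the assumption that your library administrator can supply the expected fingerprint, are illustrative.

```shell
# Added example: pin the certificate fetched in Step 1 to a fingerprint that
# was obtained out-of-band, and import it (Step 2) only on a match.

# Strip any "sha256 Fingerprint=" prefix, colons and whitespace; upper-case hex.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
# Prints nothing if the file is empty or not a certificate (failed download).
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only if the certificate in $1 matches the expected fingerprint $2.
# An empty or malformed expected value never matches.
verify_cert_fp() {
  vf_expected=$(normalize_fp "$2")
  vf_actual=$(normalize_fp "$(cert_fp "$1")")
  [ "${#vf_expected}" -eq 64 ] && [ "$vf_actual" = "$vf_expected" ]
}

# $1 PEM file, $2 expected fingerprint, $3 truststore path, $4 store password.
# The keytool flags are the ones used in Step 2 on this page.
import_verified_cert() {
  if verify_cert_fp "$1" "$2"; then
    keytool -import -alias ts4500-library -file "$1" -keystore "$3" -storepass "$4"
  else
    echo "fingerprint mismatch for $1: certificate not imported" >&2
    return 1
  fi
}

# Usage (placeholders as elsewhere on this page):
#   import_verified_cert library-cert.pem "<expected-sha256-fingerprint>" \
#     ts4500-truststore.jks "<your-password>"
```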

Self-Signed Certificates

If your TS4500 library uses a self-signed certificate, follow these steps:

  1. Export the self-signed certificate from the library's web interface
  2. Import it into your truststore using the keytool command
  3. Use the truststore with the --keystore parameter

Important: Self-signed certificates should only be used in development or isolated environments. For production, use certificates signed by a trusted Certificate Authority (CA).

Insecure Mode Warning

If you run the CLI without the --keystore parameter, you will see the following warning message:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️  SECURITY RISK: Running in Insecure Mode
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

SSL certificate validation is DISABLED
• Your credentials can be intercepted by attackers
• This connection is vulnerable to Man-in-the-Middle (MitM) attacks
• Sensitive data may be exposed to unauthorized parties

RECOMMENDED ACTION:
Enable secure connections using a trusted keystore:
  --keystore <path-to-keystore> --storepass <password>

For production environments, secure mode is STRONGLY RECOMMENDED.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Only proceed with insecure mode if:

  • You are in a completely isolated test environment
  • You understand and accept the security risks
  • You have documented approval from your security team

Best Practices

Follow these security best practices when using the CLI tool:

  1. Always use secure mode in production environments
  2. Rotate keystore passwords regularly
  3. Restrict access to keystore files using appropriate file permissions
  4. Use certificates from trusted Certificate Authorities when possible
  5. Monitor and log CLI access for security auditing
  6. Never share keystore files or passwords via insecure channels
  7. Keep the CLI tool updated to the latest version for security patches

Network Security Recommendations

In addition to using secure SSL connections, implement these network security measures:

  • Run CLI commands only from trusted, secured workstations
  • Use VPN or other secure network connections when accessing the library remotely
  • Implement network segmentation to isolate library management traffic
  • Enable and monitor audit logging on the TS4500 library
  • Follow your organization's security policies for privileged access management