IBM Tivoli Storage Manager, Version 7.1

Setting up SSL

You can set up SSL or TLS on the Tivoli® Storage Manager server, backup-archive client, and storage agent to ensure that your data is encrypted during communication. You can use an SSL certificate to verify an SSL communication request between the server, client, and storage agent.


To configure Tivoli Storage Manager servers and clients for SSL or TLS, complete the following steps:

  1. Specify the TCP/IP port on which the server waits for client communications that are enabled for SSL or TLS. You can use the SSLTCPADMINPORT option or SSLTCPPORT option, or both, to specify TLS port numbers. The options are stored in the dsmserv.opt file.
  2. Create the key database file if it does not exist. Complete the following steps to create the key database file for the server, client, and storage agent:
    • For Tivoli Storage Manager V6.3.3 and later servers, the cert256.arm file and other files that are related to SSL or TLS are created when the server is first started. Tivoli Storage Manager automatically creates the server key database file, cert.kdb. If a password exists for the server database, it is reused for the cert.kdb key database. After you create the database, the key database access password is generated and stored.
    • To create the key database file for the storage agent, issue the DSMSTA SETSTORAGESERVER command and specify the SSL=YES and STAKEYDBPW=password parameters.
    • To create the key database file, dsmcert.kdb, for the client, issue the following command in the bin directory on the client:
      gsk8capicmd_64 -keydb -create -populate
      -db dsmcert.kdb -pw password -stash
  3. Use one of the following certificates for SSL or TLS communication:
    Self-signed certificate
    You must import a .arm file for the server, backup-archive client, and storage agent according to the default label that is used for the server self-signed certificate. The following table shows you which file to import:
    Table 1. Determining the .arm file to use
    Default label in the key database Import this file for clients Import this file for server-server communication Import this file for storage agent-server communication
    "TSM Server SelfSigned Key" cert.arm cert256.arm cert256.arm
    "TSM Server SelfSigned SHA Key" cert256.arm cert256.arm cert256.arm
    Important: To use TLS 1.2, the default label must be "TSM Server SelfSigned SHA key". You must specify the SSLTLS12 YES server option in the server options file and the storage agent options file, if necessary.
    CA-signed certificate
    You must obtain a unique certificate that is signed by a CA or use a trusted self-signed certificate for each server that enables SSL or TLS. Backup-archive clients use the cert.kdb or cert256.arm files to import the self-signed certificates, which the server automatically generates.
  4. Manually transfer the appropriate Tivoli Storage Manager server .arm file to the client computers. If you transfer the cert256.arm file, you must first change the default certificate in the cert.kdb file to the "TSM Server SelfSigned SHA Key" label. To change the default certificate, issue the following command from the server instance directory:
    gsk8capicmd_64 -cert -setdefault -db cert.kdb 
    -stashed -label "TSM Server SelfSigned SHA Key"
  5. Using a backup-archive client user ID, specify the ssl yes and tcpport options in the client options file:
    • AIX operating systems HP-UX operating systems Linux operating systems Oracle Solaris operating systems dsm.sys
    • Windows operating systems dsm.opt
    The server is normally set up for SSL or TLS connections on a different port. If you use an SSL or TLS connection, two ports are open on the server. One port accepts regular non-SSL or non-TLS client connections and the other port accepts SSL or TLS connections only.
  6. If you want to use a certificate that is issued by a certificate authority (CA), you do not need to complete steps 4 and 5. Install the CA root certificate on all clients. A set of default root certificates are preinstalled if you specified the -populate parameter in the command when you created the key database file.