Backup copies of the cert.kdb file ensure that Transport Layer Security (TLS) starts when you restore the Tivoli® Storage Manager server. If you have a backup copy, you can restore the file and restart the server.
Procedure
To create a backup copy of the certificate key database, cert.kdb, complete the following steps:
- Issue the DELETE KEYRING server command to delete the password information in the Tivoli Storage Manager key database.
- Delete all remaining cert.* files.
- Shut down the server.
- Start the server. The server automatically creates a new cert.kdb file and a corresponding entry in the Tivoli Storage Manager database.
  If you do not issue the DELETE KEYRING command, the server attempts, on startup, to create the key database with the previous password.
- Redistribute the new .arm file to all backup-archive clients that are using TLS. If you are using TLS 1.2, use the cert256.arm file. Use the cert.arm file if the TLS protocol you use is earlier than 1.2. Reinstall any third-party certificates on the backup-archive client. If you are using an LDAP directory server to authenticate passwords, add the root certificate that was used to sign the LDAP server’s certificate. If the root certificate is already a default trusted certificate, you do not have to add it again.
What to do next
If the cert.kdb key database file does not exist, the server creates it. One or both of the SSLTCPPORT and SSLTCPADMINPORT options must be in the server options file when the Tivoli Storage Manager server is started. The server generates a changeable password and also generates a self-signed certificate that can be extracted for clients and IBM business partners' servers to use. If the cert.kdb file exists and the server did not create it, an out-of-sync condition occurs, preventing the server from setting up SSL communications.