Protecting the Secure Sockets Layer digital certificate file

As part of the process of setting up IBM® Tivoli® Storage Manager to use Secure Sockets Layer (SSL) for client/server authentication, a digital certificate file, cert.kdb, is created.

The cert.kdb file includes the server's public key, which allows the client to encrypt data. The digital certificate file cannot be stored in the server database because the Global Security Kit (GSKit) requires a separate file in a certain format. The cert256.arm file is generated by the V6.3 server for distribution to the V6.3 clients.

Keep backup copies of the cert.kdb and cert256.arm files in a secure location. If both original files and all copies are lost or corrupted, you can generate a new certificate file.
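One way to follow the backup advice above, shown as an added example that is not part of the IBM documentation: copy both files into an owner-only directory and record SHA-256 digests so that a corrupted copy is detected before it is needed. The function names, the SHA256SUMS manifest, and the source and destination directories passed as arguments are assumptions of this example, and it requires the `sha256sum` utility.

```shell
#!/bin/sh
# Added example (not IBM code): back up cert.kdb and cert256.arm and verify the copies.
# Assumptions: the caller supplies both directories; sha256sum is installed.
CERT_FILES="cert.kdb cert256.arm"

# backup_certs SRC_DIR DEST_DIR
backup_certs() {
    src=$1; dest=$2
    # Refuse to start if either file is missing, so a partial set
    # is never recorded as a good backup.
    for f in $CERT_FILES; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; return 1; }
    done
    old_umask=$(umask); umask 077          # new files are owner-only from creation
    mkdir -p "$dest" && chmod 700 "$dest" || { umask "$old_umask"; return 1; }
    rc=0
    for f in $CERT_FILES; do
        cp -p "$src/$f" "$dest/$f" && chmod 600 "$dest/$f" || rc=1
    done
    # Digest the originals, not the copies, so a bad copy fails verification.
    if [ "$rc" -eq 0 ]; then
        (cd "$src" && sha256sum $CERT_FILES) > "$dest/SHA256SUMS" || rc=1
    fi
    umask "$old_umask"
    return "$rc"
}

# verify_backup DEST_DIR: returns 0 only if every copy matches its recorded digest.
verify_backup() {
    dest=$1
    [ -f "$dest/SHA256SUMS" ] || return 1
    (cd "$dest" && sha256sum -c SHA256SUMS) >/dev/null 2>&1
}
```

Run `verify_backup` on a schedule as well as after each backup, so that a lost or corrupted copy is noticed while the originals still exist.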

Attention: If client data object encryption is in use and the encryption key is not available, data cannot be restored or retrieved under any circumstance. When you use ENABLECLIENTENCRYPTKEY for encryption, the encryption key is stored in the server database. For objects that use this method, the server database must exist and contain the proper values for those objects for a restore operation to succeed. Ensure that you back up the server database frequently to prevent data loss.