Configuring a storage agent and server to use SSL

You can set up a storage agent and the Tivoli® Storage Manager server to use the SSL communication method. SSL is set up independently on both the storage agent and the Tivoli Storage Manager server.

Procedure

To set up the storage agent to use SSL communication with the Tivoli Storage Manager server and client, complete the following steps:

  1. On the storage agent, issue the DSMSTA SETSTORAGESERVER command to initialize the storage agent and add communication information to the device configuration file and the storage agent options file dsmsta.opt:
    Hint: The following command is entered on one line, but is displayed here on multiple lines to make it easier to read.
    dsmsta setstorageserver myname=sta
    mypa=sta_password
    myhla=ip_address
    servername=server_name
    serverpa=server_password
    hla=ip_address
    lla=ssl_port
    STAKEYDBPW=password
    ssl=yes
    Requirement:
    • When you set the SSL=YES and STAKEYDBPW=password parameters, a key database file is set up in the storage agent options file, dsmsta.opt. All passwords are obfuscated in dsmsta.opt.
    • To enable SSL communication, ensure that the Tivoli Storage Manager LLA parameter specifies the server SSLTCPADMINPORT port. If SSLTCPADMINPORT is not specified, use the SSLTCPPORT port instead. Set the SSL parameter to YES.
  2. Import the Tivoli Storage Manager server certificate, cert256.arm, to the key database file for the storage agent. Ensure that the required SSL certificates are in the key database file that belongs to each storage agent that uses SSL communication. To import the SSL certificate, switch to the storage agent directory and issue the following command:
    gsk8capicmd_64 -cert -add -label server_example_name -db cert.kdb -stashed -file cert256.arm -format ascii
  3. Specify the SSLTCPPORT and the SSLTCPADMINPORT options in the dsmsta.opt options file.
  4. Create the key database certificate and default certificates by starting the storage agent.
    Tip: To provide the new password to the storage agent, you must change the key database password and then issue the DSMSTA SETSTORAGESERVER command.
    1. Open a command window and change the password by issuing the following command:
      gsk8capicmd_64 -keydb -changepw -db cert.kdb -pw oldpw -newpw newpw 
    2. Rerun the DSMSTA SETSTORAGESERVER command and specify the STAKEYDBPW=newpassword parameter.
  5. On the Tivoli Storage Manager server, issue the following command:
    define server sta
    hla=ip_address
    lla=ssl_port
    serverpa=password
    ssl=yes
  6. Stop the storage agent.
  7. Stop the Tivoli Storage Manager server.
  8. Import the cert256.arm certificate from the storage agent to the key database file for the Tivoli Storage Manager server. Ensure that the required SSL certificates are in the key database file that belongs to each server that uses SSL communication before you restart the server. To import the SSL certificate from the storage agent, issue the following command:
    gsk8capicmd_64 -cert -add -label server_example_name -db cert.kdb -stashed -file cert256.arm -format ascii
  9. Stop and restart the Tivoli Storage Manager server.
  10. Restart the storage agent.
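The LLA rule in step 1 (use SSLTCPADMINPORT if it is set, otherwise SSLTCPPORT) can be checked before you run DSMSTA SETSTORAGESERVER. The following shell sketch is an added example, not IBM-supplied code. The function names `opt_value` and `pick_lla` are hypothetical, and it assumes a server options file with one `OPTION value` pair per line, case-insensitive option names, `*` comment lines, and the last occurrence of an option taking effect.

```shell
#!/bin/sh
# Added example (not IBM code): choose the LLA value for
# DSMSTA SETSTORAGESERVER from a server options file.
# Assumptions: "OPTION value" per line, option names are case-insensitive,
# lines starting with "*" are comments, the last occurrence wins.

# opt_value FILE OPTION -> prints the value set for OPTION, or nothing
opt_value() {
    awk -v want="$2" '
        /^[ \t]*\*/ { next }                      # skip comment lines
        toupper($1) == toupper(want) { v = $2 }   # remember the last match
        END { if (v != "") print v }
    ' "$1"
}

# pick_lla FILE -> prints the SSL port to pass as LLA; returns 1 if none
pick_lla() {
    port=$(opt_value "$1" SSLTCPADMINPORT)
    # Fall back to SSLTCPPORT when SSLTCPADMINPORT is not specified
    [ -n "$port" ] || port=$(opt_value "$1" SSLTCPPORT)
    case "$port" in
        ''|*[!0-9]*) return 1 ;;                  # missing or not numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Constructed sample options file; the port numbers are illustrative only
sample=$(mktemp)
cat > "$sample" <<'EOF'
* constructed sample
COMMMETHOD TCPIP
TCPPORT 1500
SSLTCPPORT 1543
SSLTCPADMINPORT 1544
EOF
echo "lla=$(pick_lla "$sample")"
rm -f "$sample"
```

A non-zero return from `pick_lla` means neither SSL port option is set in the file, so SSL=YES would point the storage agent at a port that does not accept SSL sessions.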

Results

When the Tivoli Storage Manager server and storage agent initiate communication, SSL certificate information is displayed to indicate that SSL is in use.