You can set up a storage agent and the Tivoli® Storage Manager server to use the SSL communication method. SSL is set up independently on both the storage agent and the Tivoli Storage Manager server.
Procedure
To set up the storage agent to use SSL communication with the Tivoli Storage Manager server and client, complete the following steps:
- On the storage agent, issue the DSMSTA SETSTORAGESERVER command to initialize the storage agent and add communication information to the device configuration file and the storage agent options file dsmsta.opt:
  Hint: The following command is entered on one line, but is displayed here on multiple lines to make it easier to read.
dsmsta setstorageserver myname=sta
mypa=sta_password
myhla=ip_address
servername=server_name
serverpa=server_password
hla=ip_address
lla=ssl_port
STAKEYDBPW=password
ssl=yes
  Requirement:
  - When you set the SSL=YES and STAKEYDBPW=password parameters, a key database file is set up in the storage agent options file, dsmsta.opt. All passwords are obfuscated in dsmsta.opt.
  - To enable SSL communication, ensure that the Tivoli Storage Manager LLA parameter specifies the server SSLTCPADMIN port. If SSLTCPADMIN is not specified, use the SSLTCPPORT port instead. Set the SSL parameter to YES.
- Import the Tivoli Storage Manager server certificate, cert256.arm, to the key database file for the storage agent. Ensure that the required SSL certificates are in the key database file that belongs to each storage agent that uses SSL communication. To import the SSL certificate, switch to the storage agent directory and issue the following command:
  gsk8capicmd_64 -cert -add -label server_example_name -db cert.kdb -stashed -file cert256.arm -format ascii
- Specify the SSLTCPPORT and the SSLTCPADMINPORT options in the dsmsta.opt options file.
- Create the key database certificate and default certificates by starting the storage agent.
  Tip: To provide the new password to the storage agent, you must change the key database password and then issue the DSMSTA SETSTORAGESERVER command.
  - Open a command window and change the password by issuing the following command:
    gsk8capicmd_64 -keydb -changepw -db cert.kdb -pw oldpw -newpw newpw
  - Rerun the DSMSTA SETSTORAGESERVER command and specify the STAKEYDBPW=newpassword parameter.
- On the Tivoli Storage Manager server, issue the following command:
define server sta
hla=ip_address
lla=ssl_port
serverpa=password
ssl=yes
- Stop the storage agent.
- Stop the Tivoli Storage Manager server.
- Import the cert256.arm certificate from the storage agent to the key database file for the Tivoli Storage Manager server. Ensure that the required SSL certificates are in the key database file that belongs to each server that uses SSL communication before you restart the server. To import the SSL certificate from the storage agent, issue the following command:
  gsk8capicmd_64 -cert -add -label server_example_name -db cert.kdb -stashed -file cert256.arm -format ascii
- Stop and restart the Tivoli Storage Manager server.
- Restart the storage agent.
Results
When the Tivoli Storage Manager server and storage agent initiate communication, SSL certificate information is displayed to indicate that SSL is in use.
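
The following check is an added example, not part of the original documentation: before restarting the storage agent, it confirms that dsmsta.opt defines both the SSLTCPPORT and SSLTCPADMINPORT options with usable port numbers and that the file, which holds obfuscated passwords, is not readable by other users. The options-file syntax ("OPTION value" lines, "*" comments), the function names, the permission check, and the sample ports are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-start check of a storage agent options file.
# Assumed format: "OPTION value" per line, names case-insensitive,
# lines starting with "*" are comments.

# Print the value of option $2 in file $1 (last occurrence wins: assumption).
opt_value() {
    awk -v want="$2" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        toupper($1) == toupper(want) { v = $2 }
        END { if (v != "") print v }' "$1"
}

# Succeed only if $1 is a whole number in the TCP port range.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Check file $1; print one line per finding; return 0 only if every check passes.
check_sta_ssl_opts() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
    for opt in SSLTCPPORT SSLTCPADMINPORT; do
        val=$(opt_value "$file" "$opt")
        if valid_port "$val"; then
            echo "OK:   $opt $val"
        else
            echo "FAIL: $opt missing or not a port (got '$val')"; rc=1
        fi
    done
    # The file holds obfuscated passwords, so other users should not read it.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "FAIL: $file is readable by other users"; rc=1
    fi
    return "$rc"
}

# Constructed sample input (ports 1543/1544 are made-up values).
demo() {
    tmp=$(mktemp) && chmod 600 "$tmp" || return 2
    printf '%s\n' '* constructed sample' 'SSLTCPPORT 1543' \
        'ssltcpadminport 1544' > "$tmp"
    check_sta_ssl_opts "$tmp"; drc=$?
    rm -f "$tmp"; return "$drc"
}
demo
```

To check a real installation, call check_sta_ssl_opts with the path to the storage agent's dsmsta.opt instead of running demo.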