Troubleshooting the certificate key database
Backup copies of the cert.kdb file ensure that Transport Layer Security (TLS) starts when you restore the Tivoli® Storage Manager server. If you have a backup copy, you can restore the file and restart the server.
Procedure
To create a backup copy of the certificate key database, cert.kdb, complete the following steps:
- Issue the DELETE KEYRING server command to delete the password information in the Tivoli Storage Manager key database.
- Delete all remaining cert.* files.
- Shut down the server.
- Start the server. The server automatically creates a new cert.kdb file and a corresponding entry in the Tivoli Storage Manager database. If you do not issue the DELETE KEYRING command, the server attempts, on startup, to create the key database with the previous password.
- Redistribute the new .arm file to all backup-archive clients that are using TLS. If you are using TLS 1.2, use the cert256.arm file. Use the cert.arm file if the TLS protocol that you use is earlier than 1.2. Reinstall any third-party certificates on the backup-archive client. If you are using an LDAP directory server to authenticate passwords, add the root certificate that was used to sign the LDAP server’s certificate. If the root certificate is already a default trusted certificate, you do not have to add it again.
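
The following shell function is an added example, not part of the IBM documentation. It copies cert.kdb and the other cert.* files (plus cert256.arm, if present) to a timestamped, owner-only backup directory and verifies each copy, so that the files can be restored later or kept before the "Delete all remaining cert.* files" step. The function name and both directory arguments are assumptions; pass the directory that holds cert.kdb on your server.

```shell
#!/bin/sh
# Added example (not IBM code): back up the certificate key database files.
# Usage: backup_cert_files <dir_containing_cert.kdb> <backup_root>
# Prints the path of the new backup directory on success.
backup_cert_files() {
    src=$1
    root=$2
    # Refuse to create an empty backup if the key database is not there.
    [ -f "$src/cert.kdb" ] || { echo "no cert.kdb in $src" >&2; return 1; }

    dest="$root/certkdb-$(date +%Y%m%dT%H%M%S)"
    # The key database protects private keys: make the directory owner-only.
    ( umask 077; mkdir -p "$dest" ) || return 1

    # cert256.arm does not match cert.*, so it is listed separately.
    for f in "$src"/cert.* "$src"/cert256.arm; do
        [ -f "$f" ] || continue
        name=${f##*/}
        cp -p "$f" "$dest/$name" || return 1
        # Byte-for-byte check so a truncated copy is caught now, not at restore.
        cmp -s "$f" "$dest/$name" || { echo "copy of $name differs" >&2; return 1; }
        chmod 600 "$dest/$name"
    done

    # Record digests so the backup can be checked again before a restore.
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$dest" && sha256sum cert* > SHA256SUMS ) || return 1
    elif command -v shasum >/dev/null 2>&1; then
        ( cd "$dest" && shasum -a 256 cert* > SHA256SUMS ) || return 1
    fi
    echo "$dest"
}
```

Store the backup directory with the same care as the original files, because the copied key database has the same contents.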