Sslrequired
The sslrequired option specifies the conditions when SSL is or is not required when the client logs on to the Tivoli® Storage Manager server or storage agents. To actually enable SSL so client-to-server and client-to-storage-agent communications are secure, you must set the client ssl option to yes.
Supported Clients
This option is supported on all clients.
Options File
Place this option in the client options file or in the GUI, on the Communications tab. You cannot set this option on the command line.
Syntax
                .-Default----.
>>-SSLREQuired--+------------+---------------------------------><
                +-Yes--------+
                +-No---------+
                '-SERVERonly-'
Parameters
- Default
- This setting indicates that SSL is required to secure communications between the client and server, and client and storage agents, if AUTHENTICATION=LDAP is set on the server. To secure communications by using SSL, you must also set ssl=yes on the client.
- If AUTHENTICATION=LOCAL is set on the server, this setting indicates that SSL is not required. Even though SSL is not required when AUTHENTICATION=LOCAL and sslrequired=default, you can still use SSL by setting the client ssl option to yes.
- Yes
- Indicates that SSL is always required to secure communications between the client and server, and between the client and storage agents. sslrequired=yes has no dependency on the server AUTHENTICATION option. If you set sslrequired=yes on the client, you must also set ssl=yes on the client.
- No
- Indicates that you do not require SSL to be used to secure communications between the client and server or between the client and storage agents. Choose this option only if you use a virtual private network or other method to secure your session communications. You can still enable SSL by setting ssl=yes on the client; but sslrequired=no specifies that SSL is not a prerequisite.
- SERVERonly
- Indicates that SSL is required for client-to-server communications and not for server-to-storage agent communications. To use SSL for client to server communications, set sslrequired=serveronly and ssl=yes. The server setting for the AUTHENTICATION option can be either LOCAL or LDAP.
- For client to storage agent communications, use the client lanfreessl option to enable SSL.
SSLREQUIRED option (server setting) | sslrequired option (client setting) | ssl option (client setting) | Authentication success or failure |
---|---|---|---|
Yes | Yes | Yes | Authentication succeeds |
Yes | Yes | No | Authentication fails; the client rejects the session |
Yes | No | Yes | Authentication succeeds |
Yes | No | No | Authentication fails; the server rejects the session |
No | Yes | Yes | Authentication succeeds |
No | Yes | No | Authentication fails; the client rejects the session |
No | No | Yes | Authentication succeeds |
No | No | No | Authentication succeeds |
The following text describes how setting SSLREQUIRED=DEFAULT and SSLREQUIRED=SERVERONLY on the server affects the ssl option on the client.
If the server sets SSLREQUIRED=DEFAULT and AUTHENTICATION=LDAP, the client must set ssl=yes or authentication fails.
If the server sets SSLREQUIRED=DEFAULT and AUTHENTICATION=LOCAL, the client can set ssl=yes or ssl=no.
If the server sets SSLREQUIRED=SERVERONLY, you must set ssl=yes on the client. The client lanfreessl option can be set to yes, to secure communications with a storage agent, or to no if secure communications with storage agents are not needed.
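The table and the DEFAULT and SERVERONLY rules above can be checked against a client options file before a rollout. The following is an added example, not IBM code: the function names, the sample file, the `*` comment convention and the ssl=no default are assumptions, and it models client-to-server logon only (not lanfreessl or storage agents).

```python
SAMPLE_OPTS = """\
* constructed sample client options file
TCPSERVERADDRESS tsm.example.com
SSLREQUIRED no
SSL no
"""

def parse_client_opts(text):
    """Extract sslrequired and ssl from client options file text."""
    # sslrequired defaults to "default" (syntax diagram); ssl=no is assumed.
    opts = {"sslrequired": "default", "ssl": "no"}
    for line in text.splitlines():
        fields = line.split()
        # Assumption: a leading '*' marks a comment line.
        if len(fields) >= 2 and not fields[0].startswith("*"):
            if fields[0].lower() in opts:
                opts[fields[0].lower()] = fields[1].lower()
    return opts

def requires_ssl(sslrequired, server_auth):
    """True if this sslrequired value makes SSL a prerequisite."""
    value = sslrequired.lower()
    if value in ("yes", "serveronly"):
        return True
    if value == "default":  # depends on the server AUTHENTICATION option
        return server_auth.upper() == "LDAP"
    if value == "no":
        return False
    raise ValueError("unknown sslrequired value: " + sslrequired)

def session_outcome(server_sslrequired, server_auth, opts):
    """Return (ok, required_by) for a client-to-server logon."""
    if opts["ssl"] == "yes":
        return True, None
    # With ssl=no the client's own requirement is reported first,
    # then the server's, matching the rows of the table.
    if requires_ssl(opts["sslrequired"], server_auth):
        return False, "client"
    if requires_ssl(server_sslrequired, server_auth):
        return False, "server"
    return True, None

def audit(text, server_sslrequired, server_auth):
    """One-line finding for a client options file against server settings."""
    opts = parse_client_opts(text)
    ok, required_by = session_outcome(server_sslrequired, server_auth, opts)
    if not ok:
        return "FAIL: SSL required by %s setting" % required_by
    if opts["ssl"] != "yes":
        return "WARN: session succeeds without SSL"
    return "OK: session uses SSL"
```

The WARN result corresponds to the last table row, where neither side requires SSL and the session is established without it.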
Examples
- Options file:
  sslrequired yes
  sslrequired no
  sslrequired default
  sslrequired serveronly
- Command line:
- Not applicable; you cannot set this option on the command line.