Secure communication between components

User IDs and passwords sent between Tivoli® Management Services components are encrypted by default. To secure other communications, use SPIPE (IP:SPIPE, IP6:SPIPE) as the protocol when you configure communication between the Tivoli Enterprise Portal Server and the hub Tivoli Enterprise Monitoring Server, between hub and remote monitoring servers, and between agents and monitoring servers.
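The following added example (not part of the IBM documentation) checks a component's protocol setting and reports any transport other than SPIPE that is still enabled alongside it. It assumes the space-separated KDC_FAMILIES convention of protocol designators followed by modifiers such as `port:` and `use:n`, which this page does not show; the sample strings and port values are constructed.

```python
"""Audit a KDC_FAMILIES-style protocol string for non-SPIPE transports."""

# Assumption: protocol designators and the "use:n" modifier follow the
# KDC_FAMILIES convention; this page does not show that syntax.
SECURE = {"ip.spipe", "ip6.spipe"}
KNOWN = SECURE | {"ip.pipe", "ip6.pipe", "ip.udp", "ip6.udp", "ip", "ip6", "sna"}


def parse_families(value):
    """Return {protocol: {modifier: value}} for each protocol listed."""
    families, current = {}, None
    for token in value.lower().split():
        if token in KNOWN:
            current = families.setdefault(token, {})
        elif ":" in token and current is not None:
            key, _, val = token.partition(":")
            current[key] = val
    return families


def audit(value):
    """Return findings; an empty list means only SPIPE is left enabled."""
    families = parse_families(value)
    # A listed protocol counts as enabled unless it carries use:n (assumption).
    enabled = [p for p, mods in families.items() if mods.get("use", "y") != "n"]
    findings = [f"{p}: enabled without SSL" for p in enabled if p not in SECURE]
    if not any(p in SECURE for p in enabled):
        findings.append("no SPIPE protocol enabled")
    return findings


# Constructed sample settings, not taken from a real installation.
SAMPLES = {
    "spipe-only": "ip.spipe port:3660 ip.pipe use:n ip use:n sna use:n",
    "mixed": "ip.pipe port:1918 ip.spipe port:3660 ip use:n sna use:n",
    "pipe-only": "IP.PIPE PORT:1918 IP.SPIPE USE:N",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, audit(value) or "OK")
```

A "mixed" result is the case to watch for: SPIPE is configured, but a cleartext pipe remains available to the component.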

A secure pipe is an implementation of the Internet Protocol's pipe specification that uses the Secure Sockets Layer (SSL) API. Tivoli Management Services uses two additional protocols for securing communications that also use SSL: HTTPS to retrieve files and Interoperable Object Reference (IOR).
  • The integrated browser in the Tivoli Enterprise Portal desktop client provides HTTPS support on the client side; for the server, consider using a web server that supports HTTPS, such as the IBM® HTTP Server. For more information on using web servers, see the IBM Tivoli Monitoring: Installation and Setup Guide. For information about disabling an HTTPS server, see Disabling the HTTPS or HTTP server.
  • Internet Inter-ORB Protocol (IIOP) is used to secure the communications between the portal server and client.

SSL uses public key cryptography. Tivoli Monitoring includes the Global Security Toolkit (GSKit) for SSL processing. GSKit is installed by default with all distributed components, and its utilities are used to create and manage the encryption of data between components through the use of digital certificates.

On z/OS® systems, GSKit is known as the Integrated Cryptographic Service Facility, or ICSF. If ICSF is not installed on the z/OS system, the monitoring server uses an alternative, less secure encryption scheme. Because both components must be using the same scheme, if the hub system does not use ICSF, you must configure the Tivoli Enterprise Portal to use the less secure scheme (EGG1) as well. For more information, see the IBM Tivoli Monitoring: Installation and Setup Guide.

A default certificate and key are provided with GSKit at installation. A stash file provides the database password for unattended operation. You can also use the key management facility (iKeyMan) in GSKit to generate your own certificates.

Important: Use of SSL protocols and services on z/OS by the IBM Tivoli Management Services on z/OS requires that an Application Transparent Transport Layer Security (AT-TLS) policy be configured and operational in the runtime environment.