Default security settings for the client (fast path)

The fast path describes the configuration options that affect the security of the client connection to the server, and the behavior in various use cases when the default values are accepted. This scenario minimizes the configuration steps at endpoints. The client automatically obtains certificates from the server the first time it connects, assuming that the IBM Spectrum Protect™ server 'SESSIONSECURITY' parameter is set to 'TRANSITIONAL', which is the default and recommended value. You can follow this scenario whether you first upgrade the IBM Spectrum Protect server to version 8.1.2 and then upgrade the client to version 8.1.2, or vice versa.

Attention: This scenario cannot be used if the IBM Spectrum Protect server is configured for LDAP authentication. If LDAP is used, you can manually import the necessary certificates by using the dsmcert utility. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for details.

Client options that affect session security

  1. SSLREQUIRED. The default value Default enables existing session-security connections to servers earlier than V8.1.2, and automatically configures the client to securely connect to a V8.1.2 or newer server by using TLS for authentication.
  2. SSLACCEPTCERTFROMSERV. The default value Yes enables the client to automatically accept a self-signed public certificate from the server, and to automatically configure the client to use that certificate when the client connects to a V8.1.2 or later server.
  3. SSL. The default value No indicates that encryption is not used when data is transferred between the client and a server earlier than V8.1.2. When the client connects to a V8.1.2 or later server, the default value No indicates that object data is not encrypted; all other information that the client exchanges with the server is encrypted. When the client connects to a V8.1.2 or later server, the value Yes indicates that SSL is used to encrypt all information, including object data, when the client communicates with the server.
  4. SSLFIPSMODE. The default value No indicates that a Federal Information Processing Standards (FIPS) certified SSL library is not needed.

In addition, the following options apply only when the client uses SSL connections to a server earlier than V8.1.2. They are ignored when the client connects to a V8.1.2 or later server.

  1. SSLDISABLELEGACYTLS. The default value No indicates that connections at TLS 1.1 and lower SSL protocols are allowed when the client communicates with a server V8.1.1 and earlier V8 levels, and V7.1.7 and earlier levels.
  2. LANFREESSL. Specifies whether the client uses SSL communication with the Storage Agent when LAN-free data transfer is configured.
  3. REPLSSLPORT. Specifies the TCP/IP port address that is enabled for SSL when the client communicates with the replication target server.

Use cases for default security settings for the client (fast path)

  1. First, the server is upgraded to V8.1.2. Then, the client is upgraded. The existing client is not using SSL communications:
    • No changes are needed to the client security options.
    • The client configuration is automatically updated to use TLS when the client authenticates with the server.
  2. First, the server is upgraded to V8.1.2. Then, the client is upgraded. The existing client is using SSL communications:
    • No changes are needed to the client security options.
    • SSL communication with the existing server public certificate continues to be used.
    • SSL communication is automatically enhanced to use the TLS level that is needed by the server.
  3. First, the client is upgraded to V8.1.2. Then, the server is upgraded later. The existing client is not using SSL communications:
    • No changes are needed to the client security options.
    • The existing authentication protocol continues to be used with servers at levels earlier than V8.1.2.
    • The client configuration is automatically updated to use TLS when the client authenticates with the server after the server is updated to V8.1.2 or later.
  4. First, the client is upgraded to V8.1.2. Then, the server is upgraded later. The existing client is using SSL communications:
    • No changes are needed to the client security options.
    • SSL communication with the existing server public certificate continues to be used with servers at levels earlier than V8.1.2.
    • SSL communication is automatically enhanced to use the TLS level that is needed by the server after the server is updated to V8.1.2 or later.
  5. First, the client is upgraded to V8.1.2. Then, the client connects to multiple servers. The servers are upgraded to V8.1.2 at different times:
    • No changes are needed to the client security options.
    • The client uses the existing authentication and session-security protocol with servers at versions earlier than V8.1.2, and automatically upgrades to TLS authentication when it first connects to a server at V8.1.2 or later. Session security is managed per server.
  6. New client installation, server is at V8.1.2 or later:
    • Configure the client according to a new client installation.
    • Default values for the client security options automatically configure the client for TLS-encrypted session authentication.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is needed.
  7. New client installation, server is at a version earlier than V8.1.2:
    • Configure the client according to a new client installation.
    • Accept the default values for client session-security parameters if SSL encryption of all data transfers is not needed.
      • The non-SSL authentication protocol is used until the server is upgraded to V8.1.2 or later.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is needed, and proceed with the manual client configuration for SSL.
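The option descriptions above and the use cases list what each client setting means once defaults are filled in, and which options stop applying when the server reaches V8.1.2. The following audit script is an added example and is not IBM's code or part of the product. It assumes that the client options live in a dsm.sys-style file with one stanza per SERVERNAME line, 'KEYWORD value' lines, and '*' comment lines (an assumption; this page does not describe the option file format), and it takes the server version from a table you supply, because the option file does not record it. It applies the defaults stated on this page (SSLREQUIRED Default, SSLACCEPTCERTFROMSERV Yes, SSL No, SSLFIPSMODE No), reports what object data and first-connection certificate handling look like for each server, and flags pre-V8.1.2-only options that are set but ignored against a V8.1.2 or later server. The sample option file and server versions are constructed for illustration.

```python
"""Audit IBM Spectrum Protect client session-security options per server stanza.

Added example, not IBM's code. Defaults and option semantics follow the
'Default security settings for the client (fast path)' page; the option
file layout (SERVERNAME stanzas, 'KEYWORD value' lines, '*' comments) is
an assumption about dsm.sys-style files.
"""

# Defaults as documented on the page (values kept in the page's spelling).
DEFAULTS = {
    "SSLREQUIRED": "Default",
    "SSLACCEPTCERTFROMSERV": "Yes",
    "SSL": "No",
    "SSLFIPSMODE": "No",
}
# Options that apply only to SSL connections with servers earlier than V8.1.2.
PRE_812_ONLY = ("SSLDISABLELEGACYTLS", "LANFREESSL", "REPLSSLPORT")
AUDITED = set(DEFAULTS) | set(PRE_812_ONLY)

# Constructed sample option file (not a real site configuration).
SAMPLE_OPTIONS = """\
* constructed dsm.sys-style sample
SERVERNAME  prod_tsm
   TCPSERVERADDRESS     tsm.example.invalid
   SSL                  Yes
   SSLDISABLELEGACYTLS  Yes

SERVERNAME  legacy_tsm
   TCPSERVERADDRESS     old-tsm.example.invalid
   SSLFIPSMODE          No
"""
# Constructed server versions; in practice you look these up on each server.
SERVER_VERSIONS = {"prod_tsm": "8.1.2", "legacy_tsm": "7.1.7"}


def parse_stanzas(text):
    """Return {servername: {OPTION: value}} for the audited options only."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # blank or comment line
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SERVERNAME":
            current = value
            stanzas[current] = {}
        elif current is not None and key in AUDITED:
            stanzas[current][key] = value
    return stanzas


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def effective_settings(stanza):
    """Fill in the page's defaults for any option the stanza does not set."""
    return {opt: stanza.get(opt, default) for opt, default in DEFAULTS.items()}


def audit_stanza(stanza, server_version):
    """Return (effective settings, list of findings) for one server stanza."""
    eff = effective_settings(stanza)
    findings = []
    new_server = version_tuple(server_version) >= (8, 1, 2)
    if eff["SSL"].lower() == "no":
        if new_server:
            findings.append("object data is sent unencrypted; other session "
                            "information is encrypted (SSL No)")
        else:
            findings.append("no encryption to this pre-V8.1.2 server (SSL No)")
    if new_server and eff["SSLACCEPTCERTFROMSERV"].lower() == "yes":
        findings.append("self-signed server certificate is accepted automatically "
                        "on first connection (SSLACCEPTCERTFROMSERV Yes)")
    if eff["SSLFIPSMODE"].lower() == "no":
        findings.append("FIPS-certified SSL library not required (SSLFIPSMODE No)")
    if new_server:
        for opt in PRE_812_ONLY:
            if opt in stanza:
                findings.append(f"{opt} is set but ignored for V8.1.2 or later servers")
    elif eff["SSL"].lower() == "yes" and \
            stanza.get("SSLDISABLELEGACYTLS", "No").lower() == "no":
        findings.append("TLS 1.1 and lower allowed to this pre-V8.1.2 server "
                        "(SSLDISABLELEGACYTLS No)")
    return eff, findings


def audit_file(text, versions):
    """Audit every stanza; returns {servername: (effective, findings)}."""
    return {name: audit_stanza(stanza, versions[name])
            for name, stanza in parse_stanzas(text).items()}


if __name__ == "__main__":
    for name, (eff, findings) in audit_file(SAMPLE_OPTIONS, SERVER_VERSIONS).items():
        print(f"{name} (server {SERVER_VERSIONS[name]}): {eff}")
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of your own option file and a version table for your servers; the findings are the items an operator typically wants to review before deciding whether the fast-path defaults are acceptable for a given server, for example whether object data should be encrypted by setting SSL to Yes.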