Configuring the client without automatic certificate distribution

This scenario details the configuration options that affect the security of the client when automatic distribution of certificates from the server is not acceptable. Automatic distribution of certificates from the server is not acceptable if the server is configured to use LDAP authentication, or if certificates must be signed by a certificate authority.

Note: In this scenario, you can accept the default values for most of the session-security options, except for the SSLACCEPTCERTFROMSERV option.

Client options that affect session security

  1. SSLREQUIRED. The default value Default enables existing session-security connections to servers earlier than V8.1.2, and automatically configures the client to securely connect to a V8.1.2 or newer server by using TLS for authentication.
  2. SSLACCEPTCERTFROMSERV. Set this value to No to ensure that the client does not automatically accept a self-signed public certificate from the server when the client first connects to a V8.1.2 or later server.
  3. SSL. The default value No indicates that encryption is not used when data is transferred between the client and a server earlier than V8.1.2. When the client connects to a V8.1.2 or later server, the default value No indicates that object data is not encrypted; all other information that the client exchanges with the server is encrypted. When the client connects to a V8.1.2 or later server, the value Yes indicates that SSL is used to encrypt all information, including object data, that the client exchanges with the server.
  4. SSLFIPSMODE. The default value No indicates that a Federal Information Processing Standards (FIPS) certified SSL library is not needed.

In addition, the following options apply only when the client uses SSL connections to a server earlier than V8.1.2. They are ignored when the client connects to a V8.1.2 or later server.

  1. SSLDISABLELEGACYTLS. The default value No indicates that connections that use TLS 1.1 or lower SSL/TLS protocol levels are allowed when the client communicates with a server at V8.1.1 or an earlier V8 level, or at V7.1.7 or an earlier level.
  2. LANFREESSL. Specifies whether the client uses SSL communication with the Storage Agent when LAN-free data transfer is configured.
  3. REPLSSLPORT. Specifies the TCP/IP port address that is enabled for SSL when the client communicates with the replication target server.

Use cases for configuring the client without automatic certificate distribution

  1. First, the server is upgraded to V8.1.2. Then, the client is upgraded. The existing client is not using SSL communications:
  2. First, the server is upgraded to V8.1.2. Then, the client is upgraded. The existing client is using SSL communications:
    • No changes are needed to the client security options. If the client already has a server certificate for SSL communication, the SSLACCEPTCERTFROMSERV option does not apply.
    • SSL communication with existing server public certificate continues to be used.
    • SSL communication is automatically enhanced to use the TLS level that is needed by the server.
  3. First, the client is upgraded to V8.1.2. Then, the server is upgraded later. The existing client is not using SSL communications:
    • Use the client configuration wizard to set the SSLACCEPTCERTFROMSERV option with the value No.
    • Existing authentication protocol continues to be used to servers at levels earlier than V8.1.2.
    • Before the client connects to a V8.1.2 or later server:
  4. First, the client is upgraded to V8.1.2. Then, the server is upgraded later. The existing client is using SSL communications:
    • No changes are needed to the client security options. If the client already has a server certificate for SSL communication, the SSLACCEPTCERTFROMSERV option does not apply.
    • SSL communication with existing server public certificate continues to be used with servers at levels earlier than V8.1.2.
    • SSL communication is automatically enhanced to use the TLS level that is needed by the server after the server is updated to V8.1.2 or later.
  5. First, the client is upgraded to V8.1.2. Then, the client connects to multiple servers. The servers are upgraded to V8.1.2 at different times:
    • Use the client configuration wizard to set the SSLACCEPTCERTFROMSERV option with the value No.
    • Existing authentication protocol continues to be used to servers at levels earlier than V8.1.2.
    • Before the client connects to a V8.1.2 or later server, or when SSL communication is needed at any server level:
    • The client uses existing authentication and session security protocol to servers at versions earlier than V8.1.2, and automatically upgrades to use TLS authentication when initially connecting to a server at V8.1.2 or later. Session security is managed per server.
  6. New client installation, server is at V8.1.2 or later:
    • Configure the client according to a new client installation.
    • Use the client configuration wizard to set the SSLACCEPTCERTFROMSERV option with the value No.
    • Obtain the necessary certificate from a trusted source.
    • Use the dsmcert utility to import the certificate for client use. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for details.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is needed.
  7. New client installation, server is at a version earlier than V8.1.2, SSL-encrypted sessions are needed:
  8. New client installation, server is at a version earlier than V8.1.2, SSL-encrypted sessions are not needed:
    • Configure the client according to a new client installation.
    • Use the client configuration wizard to set the SSLACCEPTCERTFROMSERV option with the value No.
    • Non-SSL authentication protocol is used until the server is upgraded to V8.1.2 or later.
    • Before the client connects to a V8.1.2 or later server:
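Because session security is managed per server (use case 5), a quick way to verify that every server stanza carries the settings this page calls for is to audit the client option file. The following script is an added example, not IBM code or part of the original page; it assumes the Unix dsm.sys layout (each SERVERNAME line opens a stanza, options are case-insensitive, lines starting with `*` are comments) and treats a missing SSLACCEPTCERTFROMSERV as not set to No, which is what the Note above implies about the default.

```python
"""Audit a dsm.sys-style client option file for the session-security options
discussed on this page: SSLACCEPTCERTFROMSERV and SSL, checked per server stanza."""

# Constructed sample dsm.sys with three server stanzas (not a real file).
SAMPLE_DSM_SYS = """\
* constructed example, not a production option file
SERVERNAME  prodsrv
   TCPSERVERADDRESS  prodsrv.example.internal
   SSLACCEPTCERTFROMSERV  No
   SSL  Yes
SERVERNAME  legacysrv
   TCPSERVERADDRESS  legacy.example.internal
   SSLACCEPTCERTFROMSERV  Yes
SERVERNAME  newsrv
   TCPSERVERADDRESS  newsrv.example.internal
   SSL  No
"""


def parse_stanzas(text):
    """Return {servername: {OPTION: value}} from dsm.sys-style text (assumed layout:
    a SERVERNAME line starts a stanza, option names are case-insensitive,
    lines beginning with '*' are comments)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SERVERNAME":
            current = value
            stanzas[current] = {}
        elif current is not None:
            stanzas[current][key] = value
    return stanzas


def audit(text):
    """Map each stanza to a list of findings; an empty list means the stanza matches
    the settings this page recommends (SSLACCEPTCERTFROMSERV No, SSL Yes)."""
    findings = {}
    for name, opts in parse_stanzas(text).items():
        issues = []
        # Assumption: absent option behaves like the default, which the page implies is not No.
        if opts.get("SSLACCEPTCERTFROMSERV", "").lower() != "no":
            issues.append("SSLACCEPTCERTFROMSERV is not No: a server-distributed certificate would be accepted automatically")
        if opts.get("SSL", "no").lower() != "yes":
            issues.append("SSL is not Yes: object data to a V8.1.2 or later server is not encrypted")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for server, issues in audit(SAMPLE_DSM_SYS).items():
        print(server, "OK" if not issues else issues)
```

Run it against the real option file by reading it into `audit()`; the SSL finding is only a policy check, since the page makes SSL Yes conditional on whether all data transfers must be encrypted.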