Configuring the server to accept SSL connections

Configure the server to accept SSL connections before you enable SSL communication from the server to a client, a storage agent, or another server.

Procedure

  1. Specify the port on which the server waits for SSL-enabled client communications, or accept the default port number. Optionally, update the dsmserv.opt file in the server instance directory by specifying the TCPPORT option, the TCPADMINPORT option, or both. The SSLTCPPORT and SSLTCPADMINPORT options can be used for SSL-only connections.
  2. Create the server key database by starting the server. The server key database file, cert.kdb, is stored in the server instance directory, and the default certificate label is automatically set as "TSM Server SelfSigned SHA Key". The certificate is exported to the cert256.arm file.
  3. If you are using the default self-signed certificate, the cert256.arm file that the server exported in step 2 is needed when you connect to the server by using TLS.
  4. If you are importing a CA-signed certificate, complete the following steps:
    1. Import a unique certificate that is signed by a CA on each server that enables SSL. You can import both a root and an intermediate CA-signed certificate. The same CA-signed certificate is used for each server. Log on to the IBM Spectrum Protect™ server system with the instance user ID and issue the following example command from the instance directory:
      gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "CA cert" -file ca.crt
    2. To import an intermediate CA-signed certificate, issue the following example command:
      gsk8capicmd_64 -cert -add -db cert.kdb -stashed \
      -label "Intermediate CA cert" -file intca.crt
    3. The root and intermediate certificates (ca.crt and intca.crt) are needed when you connect to the server by using TLS.
    4. On the server, create a certificate request for the CA to sign by issuing a command that is similar to the following example:
      gsk8capicmd_64 -certreq -create -db cert.kdb -stashed -label "CA cert" \
      -sigalg sha256 -size 2048 -ku "digitalSignature,keyEncipherment,keyAgreement" \
      -eku "clientAuth,serverAuth" -dn "CN=tucson.example.com,OU=Spectrum Protect,O=IBM" \
      -san_dnsname tucson.example.com -san_ipaddr 9.11.0.0 -file cert_request.csr
    5. To receive the signed certificate and make it the default for communicating with clients, issue the following example command:
      gsk8capicmd_64 -cert -receive -db cert.kdb -stashed -file cert_signed.crt \
      -default_cert yes
  5. If you made any changes, restart the server.

What to do next

Enable SSL communication from a client, a storage agent, or another server to this server. To complete the following tasks, you must have the server's certificate and the port number that is defined for the server.
  1. To enable SSL communication from a client to this server, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
  2. To enable SSL communication from another server to this server, see Configuring the server to connect to another server by using SSL.
  3. To enable SSL communication from a storage agent to this server, see Configuring a storage agent to use SSL.
  4. To enable SSL communication from the Operations Center to this server, see Configuring the Operations Center to connect to the hub server by using SSL.