SSLDISABLELEGACYTLS

The SSLDISABLELEGACYTLS option specifies whether to use protocols earlier than Transport Layer Security (TLS) 1.2 for Secure Sockets Layer (SSL) sessions between the server and the backup-archive client or storage agent.

To prevent the use of Secure Sockets Layer (SSL) protocols earlier than TLS 1.2, use the SSLDISABLELEGACYTLS option.

Syntax

   .-SSLDISABLELEGACYTLS--No------.   
>>-+------------------------------+----------------------------><
   '-SSLDISABLELEGACYTLS--+-No--+-'   
                          '-Yes-'     

Parameters

Yes
Specifies that the server uses the TLS 1.2 or later protocol for SSL sessions.

The SSLDISABLELEGACYTLS option overrides the SSLTLS12=NO option and enforces the rejection of SSL connection attempts that use levels earlier than TLS 1.2.

Requirements: Before you use TLS 1.2, ensure that the following settings are correct:
  • For the server and storage agent, if you use self-signed certificates, you must set the default label in the key database to "TSM Server SelfSigned SHA Key".
  • For backup-archive clients, if you use self-signed certificates, you must import the cert256.arm file.

No
Specifies that the server rejects the TLS 1.1 and earlier protocol for SSL sessions. The default is No.

If you specify the SSLTLS12=YES option and do not specify the SSLDISABLELEGACYTLS option, TLS 1.2 is used.

Examples

Specify that the server uses the TLS 1.2 or later protocol for SSL sessions:

ssldisablelegacytls yes

Specify that the server rejects the TLS 1.1 and earlier protocol for SSL sessions:

ssldisablelegacytls no
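
The following audit check is an added example, not part of the original documentation or the product's own tooling. It reads server options text and reports whether rejection of pre-TLS 1.2 sessions is enforced, following the rules on this page. Assumptions: options are written as "NAME value" or "NAME=value", lines starting with "*" are comments, the last occurrence of an option wins, and the sample options text is constructed.

```python
import re

# Constructed sample of server options text (not from the original page).
SAMPLE_OPT = """\
* constructed sample server options
COMMMETHOD TCPIP
SSLTLS12 NO
ssldisablelegacytls yes
"""

def parse_options(text):
    """Return {OPTION: VALUE} in upper case; last occurrence wins (assumption)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # assumed comment marker
            continue
        # Accept both "NAME value" and "NAME=value" spellings.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip().upper() if len(parts) > 1 else ""
        opts[parts[0].upper()] = value
    return opts

def audit_legacy_tls(text):
    """Classify options text as (status, note) using the rules on this page."""
    opts = parse_options(text)
    disable = opts.get("SSLDISABLELEGACYTLS")  # None when not specified
    tls12 = opts.get("SSLTLS12")
    if disable not in (None, "YES", "NO"):
        return ("invalid", f"SSLDISABLELEGACYTLS has unsupported value {disable!r}")
    if disable == "YES":
        note = "connection attempts below TLS 1.2 are rejected"
        if tls12 == "NO":
            note += "; SSLTLS12=NO is overridden"
        return ("enforced", note)
    if disable is None and tls12 == "YES":
        return ("tls12", "TLS 1.2 is used (SSLTLS12=YES, SSLDISABLELEGACYTLS not specified)")
    return ("not-enforced", "SSLDISABLELEGACYTLS is No (explicit or default); "
            "only Yes enforces rejection below TLS 1.2")

if __name__ == "__main__":
    status, note = audit_legacy_tls(SAMPLE_OPT)
    print(f"{status}: {note}")
```
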