Sslrequired

The sslrequired option specifies the conditions under which SSL is required when the client logs on to the Tivoli® Storage Manager server or storage agents. This option does not enable SSL by itself; to secure client-to-server and client-to-storage-agent communications, you must also set the client ssl option to yes.

Supported Clients

This option is supported on all clients.

Options File

Place this option in the client options file or in the GUI, on the Communications tab. You cannot set this option on the command line.

Syntax

               .-Default----.   
>>-SSLREQuired-+------------+----------------------------------><
               +-Yes--------+   
               +-No---------+   
               '-SERVERonly-'   

Parameters

Default
This setting indicates that SSL is required to secure communications between the client and server, and client and storage agents, if AUTHENTICATION=LDAP is set on the server. To secure communications by using SSL, you must also set ssl=yes on the client.
If AUTHENTICATION=LOCAL is set on the server, this setting indicates that SSL is not required. Even though SSL is not required when AUTHENTICATION=LOCAL and sslrequired=default, you can still use SSL by setting the client ssl option to yes.
Yes
Indicates that SSL is always required to secure communications between the client and server, and between the client and storage agents. sslrequired=yes has no dependency on the server AUTHENTICATION option. If you set sslrequired=yes on the client, you must also set ssl=yes on the client.
No
Indicates that you do not require SSL to be used to secure communications between the client and server or between the client and storage agents. Choose this option only if you use a virtual private network or other method to secure your session communications. You can still enable SSL by setting ssl=yes on the client, but sslrequired=no specifies that SSL is not a prerequisite.
SERVERonly
Indicates that SSL is required for client-to-server communications and not for server-to-storage agent communications. To use SSL for client-to-server communications, set sslrequired=serveronly and ssl=yes. The server setting for the AUTHENTICATION option can be either LOCAL or LDAP.
For client-to-storage-agent communications, use the client lanfreessl option to enable SSL.
The following table describes the situations under which authentication succeeds or fails, depending on the setting of the SSLREQUIRED option on the server, the setting of the sslrequired option on the client, and the setting of the ssl option on the client. The table results assume that valid credentials are supplied.
Table 1. Effects of server and client SSL settings on success or failure of login attempts

SSLREQUIRED option   sslrequired option   ssl option         Authentication success or failure
(server setting)     (client setting)     (client setting)
------------------   ------------------   ----------------   ----------------------------------------------------
Yes                  Yes                  Yes                Authentication succeeds
Yes                  Yes                  No                 Authentication fails; the client rejects the session
Yes                  No                   Yes                Authentication succeeds
Yes                  No                   No                 Authentication fails; the server rejects the session
No                   Yes                  Yes                Authentication succeeds
No                   Yes                  No                 Authentication fails; the client rejects the session
No                   No                   Yes                Authentication succeeds
No                   No                   No                 Authentication succeeds

The following text describes how setting SSLREQUIRED=DEFAULT and SSLREQUIRED=SERVERONLY on the server affects the ssl option on the client.

If the server sets SSLREQUIRED=DEFAULT and AUTHENTICATION=LDAP, the client must set ssl=yes or authentication fails.

If the server sets SSLREQUIRED=DEFAULT and AUTHENTICATION=LOCAL, the client can set ssl=yes or ssl=no.

If the server sets SSLREQUIRED=SERVERONLY, you must set ssl=yes on the client. The client lanfreessl option can be set to yes, to secure communications with a storage agent, or to no if secure communications with storage agents are not needed.
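
The following added example (not part of the product documentation or IBM code) is a pre-deployment check that reads a client options file and predicts the client-to-server login outcome from Table 1. It goes beyond the table by resolving DEFAULT and SERVERONLY with the rules in the text above; which side rejects the session in those extended cases is an inference. The function names, the "*" comment prefix, and treating ssl as no when it is absent are assumptions.

```python
# Added example: predicts the client-to-server login outcome described in Table 1.
# Assumptions: "*" starts a comment line in the options file, ssl counts as "no"
# when absent, and only full option names are matched (no abbreviations).

def parse_client_options(text):
    """Return the client's sslrequired and ssl values from options-file text."""
    opts = {"sslrequired": "default", "ssl": "no"}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("*"):
            name = parts[0].lower()
            if name in opts:
                opts[name] = parts[1].lower()
    return opts

def requires_ssl(sslrequired, authentication):
    """Resolve an SSLREQUIRED value to True/False for the client-to-server session."""
    value = sslrequired.lower()
    if value in ("yes", "serveronly"):
        return True
    if value == "no":
        return False
    if value == "default":
        # Default follows the server AUTHENTICATION option: LDAP requires SSL.
        return authentication.lower() == "ldap"
    raise ValueError(f"unknown sslrequired value: {sslrequired!r}")

def login_outcome(server_sslrequired, authentication, client_opts):
    """Return (succeeds, rejecting_side), assuming valid credentials as Table 1 does."""
    ssl_on = client_opts["ssl"] == "yes"
    if requires_ssl(client_opts["sslrequired"], authentication) and not ssl_on:
        return (False, "client")  # Table 1: if both sides require SSL, the client rejects
    if requires_ssl(server_sslrequired, authentication) and not ssl_on:
        return (False, "server")
    return (True, None)

# Constructed sample options file: SSL is demanded but never enabled.
SAMPLE_OPT = """\
* constructed sample, not from a real system
sslrequired  yes
ssl          no
"""

if __name__ == "__main__":
    print(login_outcome("yes", "local", parse_client_options(SAMPLE_OPT)))
```
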

Examples

Options file:
sslrequired yes
sslrequired no
sslrequired default
sslrequired serveronly
Command line:
Not applicable; you cannot set this option on the command line.