You can use a Transport Layer Security (TLS) certificate
if the client trusts the certificate authority (CA). Trust is established
when you add a signed certificate to the server key database and use
a root certificate for the CA in the client key database.
About this task
The Global Security Kit (GSKit) is included in the Tivoli® Storage
Manager server installation.
The backup-archive client and server communicate with TLS through services
that are provided by GSKit.
Procedure
Complete the following steps to add a certificate to
the key database by using GSKit:
- Obtain a signed, server key database certificate from your
CA.
- To receive the signed certificate and make it the default
for communicating with clients, issue the following command:
gsk8capicmd_64 -cert -receive -db cert.kdb -pw password -stash -file cert_signed.arm -default_cert yes
The server key database file name is cert.kdb.
Important: If your client operating system is 32-bit, replace gsk8capicmd_64 with gsk8capicmd in
all GSKit commands.
- Restart the server.
- Transfer the root certificate (ca.arm)
to the client directory.
- To add the root certificate to the client key database, issue
the gsk8capicmd_64 -cert -add command. For
example:
gsk8capicmd_64 -cert -add -db dsmcert.kdb -pw password -label "my CA" -file ca.arm -format ascii
Tip: For this example, the client key database name is dsmcert.kdb.
- To verify that the client can successfully connect, issue
the dsmc query session command.
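
Before the signed certificate is received on the server, it is worth confirming that cert_signed.arm chains to the same ca.arm that will be copied to clients, and recording the root fingerprint so that the copy on each client can be compared with it. The script below is an added example, not part of the product documentation. It assumes OpenSSL 1.1.0 or later is installed and that the .arm files are Base64 (PEM) encoded; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the product documentation): checks to run on the
# procedure's files before importing them with gsk8capicmd.
# Assumptions: OpenSSL 1.1.0 or later; the .arm files are Base64 (PEM) encoded;
# the function names are hypothetical.

# cert_chains_to_ca SIGNED_CERT CA_ROOT
# Succeeds only if SIGNED_CERT verifies against CA_ROOT. -no-CApath keeps the
# system trust directory out of the decision.
cert_chains_to_ca() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS
# Succeeds if CERT will still be unexpired DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint as colon-separated hex, for comparing the
# root certificate on the server side with the copy placed on a client.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: sh precheck.sh cert_signed.arm ca.arm
if [ "$#" -eq 2 ]; then
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: $1 does not chain to $2" >&2; exit 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: $1 expires within 30 days" >&2; exit 1; }
    echo "OK: $1 chains to $2"
    echo "Root fingerprint (compare on the client): $(cert_fingerprint "$2")"
fi
```

Run cert_fingerprint against ca.arm again on the client after the transfer; the two values must match before the certificate is added to dsmcert.kdb.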