Configuring the server to connect to another server by using SSL

To ensure that data is encrypted for server-to-server communication, configure the servers to communicate with each other by using the SSL protocol.

Before you begin

You must have the certificate and the port number for the server that you are connecting to. For more information, see Configuring the server to accept SSL connections.

About this task

Tip: If both servers are using IBM Spectrum Protect™ V8.1.2 or later software, SSL is automatically configured. Manual configuration is recommended but not required. If either the server or the storage agent is using IBM Spectrum Protect software earlier than V8.1.2, you must manually configure SSL.
In the procedure, the following server addresses are used as examples:
  • ServerA (the server you are connecting to) is at bfa.tucson.example.com
  • ServerB is at bfb.tucson.example.com

Procedure

  1. Create the server key database by starting the server. The server key database file, cert.kdb, is stored in the server instance directory.
  2. For each server, import the other server's cert256.arm or CA-certificate files:
    gsk8capicmd_64 -cert -add -label server_ip_address -db cert.kdb -stashed -file cert256.arm
    Tip: Use the IP address of the server as the label name.
  3. From each server, you can view the certificates in the key database by issuing the following command:
    gsk8capicmd_64 -cert -list -db cert.kdb -stashed
  4. Restart the servers.
  5. Issue the DEFINE SERVER command.
    1. For ServerA, issue the following command:
      DEFINE SERVER BFB hla=bfb.tucson.example.com lla=1542 serverpa=passwordforbfb SSL=YES
    2. For ServerB, issue the following command:
      DEFINE SERVER BFA hla=bfa.tucson.example.com lla=1542 serverpa=passwordforbfa SSL=YES
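
Steps 2 and 3 of the procedure can be combined into a guarded import that confirms the label is listed afterwards. The following script is an added example, not part of the IBM documentation: the function names label_in_kdb and import_partner_cert and the address 192.0.2.10 are hypothetical, and the script assumes that the -cert -list output shows one label per line after a flag character.

```shell
#!/bin/sh
# Added example, not IBM code. Run from the server instance directory.
# Only gsk8capicmd_64 options shown in the procedure are used.

# label_in_kdb LABEL [KDB]: succeed only if LABEL is listed exactly.
# Assumption: each listed line is a flag character, whitespace, then the
# label, optionally in double quotes.
label_in_kdb() {
    gsk8capicmd_64 -cert -list -db "${2:-cert.kdb}" -stashed |
        sed -e 's/^[-*!#]*[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//' |
        grep -qxF -- "$1"
}

# import_partner_cert LABEL ARM_FILE [KDB]
# Returns 0 on verified import, 2 on bad input, 3 if the label already
# exists (the stored certificate may be an old one), 1 on tool failure.
import_partner_cert() {
    label=$1 arm=$2 kdb=${3:-cert.kdb}
    if [ -z "$label" ] || [ ! -r "$arm" ]; then
        echo "usage: import_partner_cert LABEL ARM_FILE [KDB]" >&2
        return 2
    fi
    if [ ! -r "$kdb" ]; then
        echo "$kdb not found: start the server once to create it" >&2
        return 2
    fi
    if label_in_kdb "$label" "$kdb"; then
        echo "$label is already in $kdb: check that it is the current certificate" >&2
        return 3
    fi
    gsk8capicmd_64 -cert -add -label "$label" -db "$kdb" -stashed -file "$arm" || return 1
    if ! label_in_kdb "$label" "$kdb"; then
        echo "import returned success but $label is not listed in $kdb" >&2
        return 1
    fi
    echo "imported $arm as $label"
}

# Example: sh import_cert.sh 192.0.2.10 cert256.arm   (constructed address)
if [ "$#" -ge 2 ]; then
    import_partner_cert "$@"
fi
```

Run it once on each server with the other server's IP address and cert256.arm file, then continue with step 4.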