Configuring by using the default security settings (fast path)

The fast path describes the configuration options that affect the security of the client connection to the server, and the resulting behavior for various use cases when the default values are accepted. The fast path scenario minimizes the configuration steps at endpoints.

This scenario automatically obtains certificates from the server when the client connects the first time, assuming that the IBM Spectrum Protect server SESSIONSECURITY parameter is set to TRANSITIONAL, which is the default value at first connection. You can follow this scenario whether you first upgrade the IBM Spectrum Protect server to V8.1.2 and later V8 levels, and then upgrade the client to these levels, or vice versa.

Note: If a client connects to the IBM Spectrum Protect server by using V8.1.6 or later V8 levels, and is using either Shared Memory or Named Pipes for communication, the SESSIONSECURITY parameter value for the client transitions to STRICT. In this case, if you want to use TCP/IP for communication instead of Shared Memory or Named Pipes, and the client does not already have the server's certificate, then first reset the SESSIONSECURITY parameter to TRANSITIONAL. You must then connect to the server to automatically obtain the certificates.
Attention: This scenario cannot be used if the IBM Spectrum Protect server is configured for LDAP authentication. If LDAP is used, you can manually import the certificates necessary by using the dsmcert utility. For more information, see Configuring without automatic certificate distribution.

Client options that affect session security

The following client options specify security settings for the client. For more information about these options, see Client options reference.
  • SSLREQUIRED. The default value Default enables existing session-security connections to servers earlier than V8.1.2, and automatically configures the client to securely connect to a V8.1.2 or later server by using TLS for authentication.
  • SSLACCEPTCERTFROMSERV. The default value Yes enables the client to automatically accept a self-signed public certificate from the server, and to automatically configure the client to use that certificate when the client connects to a V8.1.2 or later server.
  • SSL. The default value No indicates that encryption is not used when data is transferred between the client and a server earlier than V8.1.2. When the client connects to a V8.1.2 or later server, the default value No indicates that object data is not encrypted; all other information is encrypted when the client communicates with the server. The value Yes indicates that SSL is used to encrypt all information, including object data, when the client communicates with the server.
  • SSLFIPSMODE. The default value No indicates that a Federal Information Processing Standards (FIPS) certified SSL library is not required.

In addition, the following options apply only when the client uses SSL connections to a server earlier than V8.1.2. They are ignored when the client connects to a later server.

  • SSLDISABLELEGACYTLS. A value of No indicates that the client does not require TLS 1.2 for SSL sessions. It allows connections at TLS 1.1 and lower SSL protocols. When the client communicates with an IBM Spectrum Protect server that is V8.1.1 or earlier, No is the default.
  • LANFREESSL. The default value No indicates that the client does not use SSL when communicating with the Storage Agent when LAN-free data transfer is configured.
  • REPLSSLPORT. Specifies the TCP/IP port address that is enabled for SSL when the client communicates with the replication target server.

Use cases for default security settings

  • First, the server is upgraded to V8.1.2 or later. Then, the client is upgraded. The existing client is not using SSL communications:
    • No changes are required to the security options for the client.
    • The configuration is automatically updated to use TLS when the client authenticates with the server.
  • First, the server is upgraded to V8.1.2 or later. Then, the client is upgraded. The existing client is using SSL communications:
    • No changes are required to the security options for the client.
    • SSL communication with the existing server public certificate continues to be used.
    • SSL communication is automatically enhanced to use the TLS level that is required by the server.
  • First, the client is upgraded to V8.1.2 or later. Then, the server is upgraded later. The existing client is not using SSL communications:
    • No changes are required to the security options for the client.
    • The existing authentication protocol continues to be used to servers at levels earlier than V8.1.2.
    • The configuration is automatically updated to use TLS when the client authenticates with the server after the server is updated to V8.1.2 or later.
  • First, the client is upgraded to V8.1.2 or later. Then, the server is upgraded later. The existing client is using SSL communications:
    • No changes are required to the security options for the client.
    • SSL communication with the existing server public certificate continues to be used with servers at levels earlier than V8.1.2.
    • SSL communication is automatically enhanced to use the TLS level that is required by the server after the server is updated to V8.1.2 or later.
  • First, the client is upgraded to V8.1.2 or later. Then, the client connects to multiple servers. The servers are upgraded at different times:
    • No changes are required to the security options for the client.
    • The client uses the existing authentication and session security protocol to servers at versions earlier than V8.1.2, and automatically upgrades to TLS authentication when initially connecting to a server at V8.1.2 or later. Session security is managed per server.
  • New client installation, server is at V8.1.2 or later:
    • Configure the client according to a new installation.
    • Default values for the security options automatically configure the client for TLS-encrypted session authentication.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is required.
  • New client installation, server is at a version earlier than V8.1.2:
    • Configure the client according to a new client installation.
    • Accept the default values for client session-security parameters if SSL encryption of all data transfers is not required.
      • The non-SSL authentication protocol is used until the server is upgraded to V8.1.2 or later.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is required, and proceed with the manual configuration for SSL.
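The following script is an added example, not IBM code: it reads client option-file lines (dsm.opt / dsm.sys style "OPTION VALUE" entries) and reports which of the session-security options listed above are left at defaults that the use cases describe as weaker (object data unencrypted, self-signed certificate accepted automatically, legacy TLS allowed, no FIPS library). The server version is supplied by the caller as an assumption, because the option file does not record it; the two option files are constructed samples and the server address is a placeholder.

```python
"""Audit IBM Spectrum Protect client option lines for session-security gaps.
Constructed example, not IBM's code; server version is a caller assumption."""

# Default values as listed on this page, keyed by upper-cased option name.
DEFAULTS = {
    "SSLREQUIRED": "DEFAULT", "SSLACCEPTCERTFROMSERV": "YES", "SSL": "NO",
    "SSLFIPSMODE": "NO", "SSLDISABLELEGACYTLS": "NO", "LANFREESSL": "NO",
}

# Constructed option files: one accepting every default, one hardened.
WEAK_OPT = """* constructed dsm.opt: all defaults accepted
COMMMETHOD TCPIP
TCPSERVERADDRESS backup.example.internal
"""
HARDENED_OPT = """* constructed dsm.opt: encrypt all data, FIPS library, TLS 1.2 only
COMMMETHOD TCPIP
TCPSERVERADDRESS backup.example.internal
SSL YES
SSLFIPSMODE YES
SSLDISABLELEGACYTLS YES
SSLACCEPTCERTFROMSERV NO
"""

def parse_options(text):
    """Return {OPTION: VALUE} over the defaults; '*' lines are comments."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        name, *rest = line.split(None, 1)
        opts[name.upper()] = rest[0].strip().upper() if rest else ""
    return opts

def audit(opts, server_version):
    """List posture findings for this config against the given server level."""
    modern = tuple(int(x) for x in server_version.split(".")) >= (8, 1, 2)
    findings = []
    if modern:
        if opts["SSL"] != "YES":  # authentication uses TLS, object data does not
            findings.append("SSL NO: object data is sent unencrypted")
        if opts["SSLACCEPTCERTFROMSERV"] == "YES":
            findings.append("SSLACCEPTCERTFROMSERV YES: self-signed server "
                            "certificate is accepted automatically on first connect")
    elif opts["SSL"] != "YES":
        findings.append("SSL NO: no TLS at all to a pre-V8.1.2 server")
    elif opts["SSLDISABLELEGACYTLS"] == "NO":
        findings.append("SSLDISABLELEGACYTLS NO: TLS 1.1 and lower allowed")
    if opts["SSLFIPSMODE"] != "YES":
        findings.append("SSLFIPSMODE NO: FIPS-certified SSL library not required")
    return findings
```

Run audit(parse_options(WEAK_OPT), "8.1.6") to see the three default-related findings; the hardened file yields none at either server level.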