Configuring without automatic certificate distribution
This scenario details the configuration options that impact the security of the client when automatic distribution of certificates from the server is not acceptable. For example, automatic distribution of certificates from the server is not acceptable if the server is configured to use LDAP authentication or it is necessary that certificates are signed by a certificate authority (CA).
Options that affect session security
The options for security settings are the same as those described in Configuring by using the default security settings (fast path), with the exception that you must set the SSLACCEPTCERTFROMSERV option to No to ensure that the client does not automatically accept a self-signed public certificate from the server when the client first connects to a V8.1.2 or later server.
Uses cases for configuring the client without automatic certificate distribution
If automatic certificate distribution is not possible or wanted, use the dsmcert utility to import the certificate. Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA. The CA can be from a company such as VeriSign or Thawte, or an internal CA that is maintained within your company.
- First, the server is upgraded to V8.1.2. Then, the client is upgraded. The existing client is
not using SSL communications:
- Set the SSLACCEPTCERTFROMSERV option with the value No.
- Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for configuration instructions.
- First, the server is upgraded to V8.1.2 or later. Then, the client is upgraded. The existing
client is using SSL communications:
- No changes are required to the security options for the client. If the client already has a server certificate for SSL communication, the SSLACCEPTCERTFROMSERV option does not apply.
- SSL communication with existing server public certificate continues to be used.
- SSL communication is automatically enhanced to use the TLS level that is required by the server.
- First, the client is upgraded to V8.1.2 or later. Then, the server is upgraded later. The
existing client is not using SSL communications:
- Set the SSLACCEPTCERTFROMSERV option with the value No.
- Existing authentication protocol continues to be used to servers at levels earlier than V8.1.2.
- Before the client connects to a V8.1.2 or later server:
- Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for configuration instructions.
- First, the client is upgraded to V8.1.2 or later. Then, the server is upgraded later. The
existing client is using SSL communications
- No changes are required to the security options for the client. If the client already has a server certificate for SSL communication, the SSLACCEPTCERTFROMSERV option does not apply.
- SSL communication with existing server public certificate continues to be used with servers at levels earlier than V8.1.2.
- SSL communication is automatically enhanced to use the TLS level that is required by the server after the server is updated to V8.1.2 or later.
- First, the client is upgraded to V8.1.2 or later. Then, the client connects to multiple servers.
The servers are upgraded at different times:
- Set the SSLACCEPTCERTFROMSERV option with the value No.
- Existing authentication protocol continues to be used to servers at levels earlier than V8.1.2.
- Before the client connects to a V8.1.2 or later server, or when SSL communication is required at
any server level:
- Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for configuration instructions.
- The client uses existing authentication and session security protocol to servers at versions earlier than V8.1.2, and automatically upgrade to use TLS authentication when initially connecting to a server at V8.1.2 or later. Session security is managed per server.
- New client installation, server is at V8.1.2 or later:
- Configure the client according to a new installation.
- Set the SSLACCEPTCERTFROMSERV option with the value No.
- Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for configuration instructions.
- Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is required.
- New client installation, server is at a version earlier than V8.1.2, SSL-encrypted sessions
are required:
- Configure the client according to a new installation.
- Set the SSL parameter to the Yes value.
- Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for configuration instructions.
- New client installation, server is at a version earlier than V8.1.2, SSL-encrypted sessions
are not required:
- Configure the client according to a new installation.
- Set the SSLACCEPTCERTFROMSERV option with the value No.
- Non-SSL authentication protocol is used until the server is upgraded to V8.1.2 or later.
- Before the client connects to a V8.1.2 or later server:
- Obtain the necessary certificate from the IBM Spectrum Protect server or from a CA and use the dsmcert utility to import the certificate. See Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer for configuration instructions.