For enhanced security, you can verify the contents of a web server Secure Sockets Layer
(SSL) self-signed certificate produced by Data Protection for VMware against the equivalent certificate on the installed certification server.
About this task
When you are presented with the details of a web server SSL certificate the first time a
connection is established in the plug-in, you can accept or reject the certificate. At this point,
you might want to verify the contents of the certificate that you have received with the equivalent
certificate in the web server keystore. The following instructions are for a Liberty keystore. For
other web server-based certificate services, see the system documentation.
Procedure
To access and verify certificate details in the keystore:
- On the workstation on which the Data Protection for VMware vSphere GUI is installed, ensure that the JAVA_HOME environment variable is correctly set. Complete the appropriate actions for your operating system:
  - Windows:
    - Obtain the Java virtual machine version by going to the C:\Program Files\Common Files\Tivoli\TSM directory and noting the value of the subdirectory jvm. For example, if the directory name is "jvm80520", note the numeric value 80520.
    - To set the environment variable, issue the following command:
      set JAVA_HOME=C:\Program Files\Common Files\Tivoli\TSM\jvm80520\jre
  - Linux: Run the following command:
    export JAVA_HOME=/opt/tivoli/tsm/tdpvmware/common/jre/jre
- Add the keytool to your path:
  - Windows:
    set PATH=%JAVA_HOME%\bin;%PATH%
  - Linux:
    export PATH=$JAVA_HOME/bin:$PATH
  If the JAVA_HOME and PATH variables are correctly set, you can now invoke the keytool.
- At the command prompt, enter keytool and press Enter. If you receive the keytool help output, the tool is correctly configured. If the "Command not found" message is displayed, verify that the JAVA_HOME and PATH variables were updated correctly.
- Go to the location of the key store:
  - Windows:
    cd C:\IBM\SpectrumProtect\webserver\usr\servers\veProfile\resources\security
  - Linux:
    cd /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/resources/security
- At the command prompt, list the directory contents. Verify that the certificate file key.jks is present in the directory listing.
- Issue the following command:
  keytool -list -keystore key.jks -v
- When prompted for the password, press Enter. The password is randomly generated and enables only the ability to verify the certificate details that the prompt presents.
- Compare the output from the keytool with that of the certificate prompt. The serial number and fingerprints of the self-signed certificate and the equivalent certificate on the keystore must match.
- If the certificate details do not match, contact the administrator of the web server-based certificate services.
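
The comparison step in the procedure above can be scripted so that differences in case, separators, or a 0x prefix do not hide or fake a match. The following Python code is an added example, not part of the product or its documentation: it parses text in the layout of keytool -list -v and compares the serial number and fingerprints with values copied from the certificate prompt. The sample output, its values, and all function names are constructed for illustration, and the keystore is assumed to contain a single entry.

```python
import re

# Constructed sample in the layout of `keytool -list -keystore key.jks -v`;
# every value below is made up for illustration.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: default
Certificate[1]:
Owner: CN=example-host, OU=veProfile
Issuer: CN=example-host, OU=veProfile
Serial number: 5f3a9c21
Certificate fingerprints:
\t MD5:  0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:23:45:67
Signature algorithm name: SHA256withRSA
"""

FIELD = re.compile(r"\s*(serial number|md5|sha-?1|sha-?256)\s*:\s*(\S.*)$", re.I)

def canon(field, value):
    """Reduce a serial number or fingerprint to bare lowercase hex."""
    value = value.strip().lower()
    if value.startswith("0x"):
        value = value[2:]
    digits = re.sub(r"[^0-9a-f]", "", value)
    # Serial numbers are integers, so leading zeros carry no meaning.
    return digits.lstrip("0") if field == "serial" else digits

def parse_keytool(text):
    """Extract serial and fingerprints of the first certificate listed."""
    found = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            name = m.group(1).lower().replace("-", "")
            name = "serial" if name.startswith("serial") else name
            found.setdefault(name, canon(name, m.group(2)))
    return found

def compare(keytool_text, prompt_values):
    """Map each field copied from the certificate prompt to True or False."""
    stored = parse_keytool(keytool_text)
    return {f: bool(stored.get(f)) and stored[f] == canon(f, v)
            for f, v in prompt_values.items()}

def certificate_matches(keytool_text, prompt_values):
    """True only if the serial and at least one fingerprint are given and all agree."""
    result = compare(keytool_text, prompt_values)
    has_fingerprint = any(f != "serial" for f in result)
    return "serial" in result and has_fingerprint and all(result.values())
```

Pass the values from the prompt as a dictionary keyed by serial, md5, sha1, or sha256; a field that the keystore output does not contain is reported as a mismatch rather than skipped.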