Configuring for SSL communication between the hub server and a spoke server
To secure communications between the hub server and a spoke server by using the Secure Sockets Layer (SSL) protocol, you must define the SSL certificate of the spoke server to the hub server. You must also configure the Tivoli® Storage Manager to monitor the spoke server.
Procedure
- To ensure that SSL ports are correctly set on the hub server and each spoke server, complete the following steps:
  - From a Tivoli Storage Manager command line, issue the following command to each server:
    QUERY OPTION SSL*
    The results include the server options that are shown in the following example:
    Server Option        Option Setting
    -------------------- --------------------
    SSLTCPPort           3700
    SSLTCPADMINPort      3800
    SSLTLS12             Yes
    SSLFIPSMODE          No
  - Ensure the following:
    - The SSLTCPPORT and SSLTCPADMINPORT options have values in the Option Setting column.
    - The SSLTLS12 option is set to YES so that the Transport Layer Security (TLS) protocol version 1.2 is used for communication.
- On the spoke server, change to the directory of the spoke server instance.
- Specify the required cert256.arm certificate as the default certificate in the key database file of the spoke server. Issue the following command:
  gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
- Verify the certificates in the key database file of the spoke server. Issue the following command:
  gsk8capicmd_64 -cert -list -db cert.kdb -stashed
  The command generates output that is similar to the following example:
  Certificates found
  * default, - personal, ! trusted
  !   Entrust.net Secure Server Certification Authority
  !   Entrust.net Certification Authority (2048)
  !   Entrust.net Client Certification Authority
  !   Entrust.net Global Client Certification Authority
  !   Entrust.net Global Secure Server Certification Authority
  !   VeriSign Class 1 Public Primary Certification Authority
  !   VeriSign Class 2 Public Primary Certification Authority
  !   VeriSign Class 3 Public Primary Certification Authority
  !   VeriSign Class 1 Public Primary Certification Authority - G2
  !   VeriSign Class 2 Public Primary Certification Authority - G2
  !   VeriSign Class 3 Public Primary Certification Authority - G2
  !   VeriSign Class 4 Public Primary Certification Authority - G2
  !   VeriSign Class 1 Public Primary Certification Authority - G3
  !   VeriSign Class 2 Public Primary Certification Authority - G3
  !   VeriSign Class 3 Public Primary Certification Authority - G3
  !   VeriSign Class 3 Public Primary Certification Authority - G5
  !   VeriSign Class 4 Public Primary Certification Authority - G3
  !   VeriSign Class 3 Secure Server CA
  !   Thawte Primary Root CA
  !   Thawte Primary Root CA - G2 ECC
  !   Thawte Server CA
  !   Thawte Premium Server CA
  !   Thawte Personal Basic CA
  !   Thawte Personal Freemail CA
  !   Thawte Personal Premium CA
  -   TSM Server SelfSigned Key
  *-  TSM Server SelfSigned SHA Key
- Securely transfer the cert256.arm file of the spoke server to the hub server.
- On the hub server, change to the directory of the hub server instance.
- Define the spoke server SSL certificate to the hub server. Issue the following command from the hub server instance directory, where spoke_servername is the name of the spoke server, and spoke_cert256.arm is the file name of the spoke server SSL certificate:
  gsk8capicmd_64 -cert -add -db cert.kdb -stashed -format ascii -label spoke_servername -file spoke_cert256.arm
  The spoke server does not require the hub server SSL certificate for hub-to-spoke communication. However, other Tivoli Storage Manager server configurations that require cross-defined servers do require the spoke server to have the hub server SSL certificate.
  Tip: From each server, you can view the certificates in the key database file by issuing the following command:
  gsk8capicmd_64 -cert -list -db cert.kdb -stashed
- Restart the hub server and the spoke server.
- For the hub server, issue the DEFINE SERVER command, according to the following example:
  DEFINE SERVER spoke_servername HLA=spoke_address LLA=spoke_SSLTCPADMINPort SERVERPA=spoke_serverpassword SSL=YES
- On the Operations Center menu bar, click Servers.
  In the table on the Servers page, the spoke server that you defined with the DEFINE SERVER command in step 9 should have a status of "Unmonitored." Depending on the setting for the status refresh interval, you might not see the spoke server immediately.
- Click the spoke server to highlight it, and in the table menu bar, click Monitor Spoke.
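As an added check that is not part of the IBM documentation, the following POSIX shell functions parse captured output of QUERY OPTION SSL* and gsk8capicmd_64 -cert -list and confirm the conditions the procedure asks you to verify by eye: both SSL ports set with SSLTLS12 enabled, the SHA key marked as the default certificate on the spoke, and the spoke_servername label present on the hub after the -cert -add step. The sample outputs are constructed, not captured from a real server.

```shell
# Added example, not from the IBM documentation. Feed each function the saved
# output of the corresponding command (for example, "$(dsmadmc ... 'QUERY OPTION SSL*')").

# check_ssl_options OUTPUT: succeeds when SSLTCPPORT and SSLTCPADMINPORT carry
# numeric values and SSLTLS12 is Yes (the conditions from step 1).
check_ssl_options() {
  printf '%s\n' "$1" | awk '
    toupper($1) == "SSLTCPPORT"      && $2 ~ /^[0-9]+$/ { port = 1 }
    toupper($1) == "SSLTCPADMINPORT" && $2 ~ /^[0-9]+$/ { admin = 1 }
    toupper($1) == "SSLTLS12"        && toupper($2) == "YES" { tls = 1 }
    END { exit !(port && admin && tls) }'
}

# default_cert_label LISTING: prints the label flagged "*-" (default personal
# certificate) in gsk8capicmd_64 -cert -list output; prints nothing if none is set.
default_cert_label() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\*-[[:space:]]*//p'
}

# has_cert_label LISTING LABEL: succeeds when LABEL is present in the listing,
# whatever its default/personal/trusted marker.
has_cert_label() {
  printf '%s\n' "$1" | awk -v want="$2" '
    { sub(/^[[:space:]]*[*!-]+[[:space:]]*/, ""); sub(/[[:space:]]+$/, "") }
    $0 == want { found = 1 }
    END { exit !found }'
}

# Constructed samples (trusted CA entries shortened).
GOOD_OPTS='Server Option        Option Setting
-------------------- --------------------
SSLTCPPort           3700
SSLTCPADMINPort      3800
SSLTLS12             Yes
SSLFIPSMODE          No'

HUB_LIST='Certificates found
* default, - personal, ! trusted
!   Entrust.net Secure Server Certification Authority
-   TSM Server SelfSigned Key
*-  TSM Server SelfSigned SHA Key
-   spoke_servername'

check_ssl_options "$GOOD_OPTS" && echo "SSL options: OK"
echo "default certificate: $(default_cert_label "$HUB_LIST")"
has_cert_label "$HUB_LIST" spoke_servername && echo "spoke certificate present on hub"
```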