Applies to: AIX, Linux, and Windows operating systems

Configuring for SSL communication between the hub server and a spoke server

To secure communications between the hub server and a spoke server by using the Secure Sockets Layer (SSL) protocol, you must define the SSL certificate of the spoke server to the hub server. You must also configure Tivoli® Storage Manager to monitor the spoke server.

Procedure

  1. To ensure that SSL ports are correctly set on the hub server and each spoke server, complete the following steps:
    1. From a Tivoli Storage Manager command line, issue the following command to each server:
      QUERY OPTION SSL*
      The results include the server options that are shown in the following example:
      Server Option          Option Setting
      -------------------------------------
      SSLTCPPort             3700
      SSLTCPADMINPort        3800
      SSLTLS12               Yes
      SSLFIPSMODE            No
    2. Ensure the following:
      • The SSLTCPPORT and SSLTCPADMINPORT options have values in the Option Setting column.
      • The SSLTLS12 option is set to YES so that the Transport Layer Security (TLS) protocol version 1.2 is used for communication.
      To update the values of these options, edit the dsmserv.opt file of the respective server, and restart that server.
  2. On the spoke server, change to the directory of the spoke server instance.
  3. Specify the required cert256.arm certificate as the default certificate in the key database file of the spoke server. Issue the following command:
    gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed
     -label "TSM Server SelfSigned SHA Key"
  4. Verify the certificates in the key database file of the spoke server. Issue the following command:
    gsk8capicmd_64 -cert -list -db cert.kdb -stashed
    The command generates output that is similar to the following example:
    Certificates found
    * default, - personal, ! trusted
    !       Entrust.net Secure Server Certification Authority
    !       Entrust.net Certification Authority (2048)
    !       Entrust.net Client Certification Authority
    !       Entrust.net Global Client Certification Authority
    !       Entrust.net Global Secure Server Certification Authority
    !       VeriSign Class 1 Public Primary Certification Authority
    !       VeriSign Class 2 Public Primary Certification Authority
    !       VeriSign Class 3 Public Primary Certification Authority
    !       VeriSign Class 1 Public Primary Certification Authority - G2
    !       VeriSign Class 2 Public Primary Certification Authority - G2
    !       VeriSign Class 3 Public Primary Certification Authority - G2
    !       VeriSign Class 4 Public Primary Certification Authority - G2
    !       VeriSign Class 1 Public Primary Certification Authority - G3
    !       VeriSign Class 2 Public Primary Certification Authority - G3
    !       VeriSign Class 3 Public Primary Certification Authority - G3
    !       VeriSign Class 3 Public Primary Certification Authority - G5
    !       VeriSign Class 4 Public Primary Certification Authority - G3
    !       VeriSign Class 3 Secure Server CA
    !       Thawte Primary Root CA
    !       Thawte Primary Root CA - G2 ECC
    !       Thawte Server CA
    !       Thawte Premium Server CA
    !       Thawte Personal Basic CA
    !       Thawte Personal Freemail CA
    !       Thawte Personal Premium CA
    -       TSM Server SelfSigned Key
    *-      TSM Server SelfSigned SHA Key
  5. Securely transfer the cert256.arm file of the spoke server to the hub server.
  6. On the hub server, change to the directory of the hub server instance.
  7. Define the spoke server SSL certificate to the hub server. Issue the following command from the hub server instance directory, where spoke_servername is the name of the spoke server, and spoke_cert256.arm is the file name of the spoke server SSL certificate:
    gsk8capicmd_64 -cert -add -db cert.kdb -stashed -format ascii
     -label spoke_servername -file spoke_cert256.arm
    The spoke server does not require the hub server SSL certificate for hub-to-spoke communication. However, other Tivoli Storage Manager server configurations that require cross-defined servers do require the spoke server to have the hub server SSL certificate.
    Tip: From each server, you can view the certificates in the key database file by issuing the following command:
    gsk8capicmd_64 -cert -list -db cert.kdb -stashed
  8. Restart the hub server and the spoke server.
  9. For the hub server, issue the DEFINE SERVER command, according to the following example:
    DEFINE SERVER spoke_servername HLA=spoke_address
     LLA=spoke_SSLTCPADMINPort SERVERPA=spoke_serverpassword SSL=YES
  10. On the Operations Center menu bar, click Servers.

    In the table on the Servers page, the spoke server that you defined in step 9 should have a status of "Unmonitored." Depending on the setting for the status refresh interval, you might not see the spoke server immediately.

  11. Click the spoke server to highlight it, and in the table menu bar, click Monitor Spoke.
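The following script is an added example, not part of the product documentation: it checks the preconditions of step 1 (both SSL ports set, SSLTLS12 set to Yes) and the result of steps 3 and 4 (the SHA certificate marked as default) by parsing captured output of QUERY OPTION SSL* and gsk8capicmd_64 -cert -list. The two sample outputs embedded below are constructed from the examples on this page; in practice, replace them with the real output captured on each server.

```shell
#!/bin/sh
# Added example (not from the documentation): validate captured output from
# step 1 (QUERY OPTION SSL*) and steps 3-4 (gsk8capicmd_64 -cert -list).

# Constructed sample of QUERY OPTION SSL* output, modeled on the page's example
QUERY_OPTION_OUTPUT='Server Option          Option Setting
-------------------------------------
SSLTCPPort             3700
SSLTCPADMINPort        3800
SSLTLS12               Yes
SSLFIPSMODE            No'

# Constructed, shortened sample of gsk8capicmd_64 -cert -list output
CERT_LIST_OUTPUT='Certificates found
* default, - personal, ! trusted
!       Entrust.net Secure Server Certification Authority
-       TSM Server SelfSigned Key
*-      TSM Server SelfSigned SHA Key'

# Print the value of one server option (name match is case-insensitive).
# $1 = option name, $2 = QUERY OPTION output
ssl_option() {
  printf '%s\n' "$2" | awk -v name="$1" 'toupper($1) == toupper(name) { print $2 }'
}

# Step 1 check: SSLTCPPORT and SSLTCPADMINPORT have values and SSLTLS12 is Yes.
# Returns 0 when all three conditions hold, 1 otherwise.
check_ssl_options() {
  port=$(ssl_option SSLTCPPORT "$1")
  admin=$(ssl_option SSLTCPADMINPORT "$1")
  tls12=$(printf '%s' "$(ssl_option SSLTLS12 "$1")" | tr 'a-z' 'A-Z')
  [ -n "$port" ] && [ -n "$admin" ] || return 1
  [ "$tls12" = "YES" ] || return 1
  return 0
}

# Steps 3-4 check: the label in $1 is flagged '*' (default) in the listing in $2.
# Strips the leading flag column (*, -, !) before comparing the label text.
check_default_label() {
  printf '%s\n' "$2" | awk -v label="$1" '
    /^\*/ { sub(/^[*!-]+[ \t]+/, ""); if ($0 == label) found = 1 }
    END { exit found ? 0 : 1 }'
}

check_ssl_options "$QUERY_OPTION_OUTPUT" && echo "step 1: SSL options OK"
check_default_label "TSM Server SelfSigned SHA Key" "$CERT_LIST_OUTPUT" \
  && echo "steps 3-4: default certificate OK"
```

Run it on a hub or spoke server after pasting that server's real command output into the two variables; a non-zero return from either function means the corresponding step still needs attention before you continue with step 5.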