Configuring by using the default security settings (fast path)

The fast path describes the configuration options that affect the security of the client connection to the server, and the resulting behavior in various use cases when the default values are accepted. The fast path scenario minimizes the configuration steps that are required at endpoints.

In this scenario the client automatically obtains certificates from the server when it connects for the first time, provided that the Tivoli® Storage Manager server SESSIONSECURITY parameter is set to TRANSITIONAL, which is the default value at the first connection. You can follow this scenario whether you first upgrade the Tivoli Storage Manager server to V7.1.8 and later V7 levels, or V8.1.2 and later V8 levels, and then upgrade the client to these levels, or vice versa.

Attention: This scenario cannot be used if the Tivoli Storage Manager server is configured for LDAP authentication. If LDAP is used, you can manually import the necessary certificates by using the dsmcert utility. For more information, see Configuring without automatic certificate distribution.

Client options that affect session security

The following dsmc options specify security settings for the client. For more information about these options, see Client options reference.
  • SSLREQUIRED. The default value, Default, allows existing session-security connections to servers earlier than V7.1.8 or V8.1.2, and automatically configures the client to connect securely to a V7.1.8 or V8.1.2 or later server by using TLS for authentication.
  • SSLACCEPTCERTFROMSERV. The default value, Yes, allows the client to automatically accept a self-signed public certificate from the server, and to automatically configure itself to use that certificate when it connects to a V7.1.8 or V8.1.2 or later server. Because the certificate is trusted at the first connection, make sure that the first connection to a server is made over a path you trust.
  • SSL. The default value, No, indicates that encryption is not used when data is transferred between the client and a server earlier than V7.1.8 or V8.1.2. When the client connects to a V7.1.8 or V8.1.2 or later server, the default value No indicates that object data (the backed-up data itself) is not encrypted; all other information that the client exchanges with the server is encrypted. The value Yes indicates that TLS is used to encrypt all information, including object data, when the client communicates with the server.
  • SSLFIPSMODE. The default value, No, indicates that a Federal Information Processing Standards (FIPS) certified TLS library is not required.
In addition, the following options apply only when the client uses a TLS connection to a server earlier than V7.1.8 or V8.1.2. They are ignored when the client connects to a later server.
  • SSLDISABLELEGACYTLS. The value No indicates that the client does not require TLS 1.2 for SSL sessions, and allows connections that use TLS 1.1 and lower SSL protocol levels. When the client communicates with a Tivoli Storage Manager server at V7.1.7 or V8.1.1 or earlier, No is the default.
  • LANFREESSL. The default value No indicates that the client does not use TLS when communicating with the Storage Agent when LAN-free data transfer is configured.
  • REPLSSLPORT. Specifies the TCP/IP port address that is enabled for TLS when the client communicates with the replication target server.

Use cases for default security settings

  • First, the server is upgraded to V7.1.8 or V8.1.2 or later. Then, the client is upgraded. The existing client is not using SSL communications:
    • No changes are required to the security options for the client.
    • The configuration is automatically updated to use TLS when the client authenticates with the server.
  • First, the server is upgraded to V7.1.8 or V8.1.2 or later. Then, the client is upgraded. The existing client is using SSL communications:
    • No changes are required to the security options for the client.
    • SSL communication with existing server public certificate continues to be used.
    • SSL communication is automatically enhanced to use the TLS level that is required by the server.
  • First, the client is upgraded to V7.1.8 or V8.1.2 or later. Then, the server is upgraded later. The existing client is not using SSL communications:
    • No changes are required to the security options for the client.
    • The existing authentication protocol continues to be used with servers at levels earlier than V7.1.8 or V8.1.2.
    • The configuration is automatically updated to use TLS when the client authenticates with the server after the server is updated to V7.1.8 or V8.1.2 or later.
  • First, the client is upgraded to V7.1.8 or V8.1.2 or later. Then, the server is upgraded later. The existing client is using SSL communications:
    • No changes are required to the security options for the client.
    • SSL communication with existing server public certificate continues to be used with servers at levels earlier than V7.1.8 or V8.1.2.
    • SSL communication is automatically enhanced to use the TLS level that is required by the server after the server is updated to V7.1.8 or V8.1.2 or later.
  • First, the client is upgraded to V7.1.8 or V8.1.2 or later. Then, the client connects to multiple servers. The servers are upgraded at different times:
    • No changes are required to the security options for the client.
    • The client uses the existing authentication and session-security protocol with servers at versions earlier than V7.1.8 or V8.1.2, and automatically upgrades to TLS authentication when it first connects to a server at V7.1.8 or V8.1.2 or later. Session security is managed per server.
  • New client installation, server is at V7.1.8 or V8.1.2 or later:
    • Configure the client according to a new installation.
    • Default values for the security options automatically configure the client for TLS-encrypted session authentication.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is required.
  • New client installation, server is at a version earlier than V7.1.8 or V8.1.2:
    • Configure the client according to a new client installation.
    • Accept the default values for client session-security parameters if SSL encryption of all data transfers is not required.
      • Non-SSL authentication protocol is used until the server is upgraded to V7.1.8 or V8.1.2 or later.
    • Set the SSL parameter to the Yes value if encryption of all data transfers between the client and the server is required, and proceed with the manual configuration for SSL.
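Because session security is managed per server, a client that talks to several servers can end up with a different security posture for each stanza. The following added example (not IBM code and not part of this page) parses a constructed dsm.sys file with two server stanzas, one that accepts all the defaults listed under "Client options that affect session security" and one that sets SSL Yes as recommended in the use cases above, applies the documented default values for any option that is absent, and reports what each stanza actually protects. It assumes the dsm.sys stanza layout of the UNIX and Linux client (each stanza starts with a SERVERNAME line), matches full option names only, and treats the server names and addresses as placeholders.

```python
"""Report the session-security posture of each server stanza in a dsm.sys file.

Added example, not IBM's code. Assumes the UNIX/Linux client dsm.sys layout
(a SERVERNAME line opens each stanza) and the option defaults documented on
this page. The sample file content below is constructed.
"""
from dataclasses import dataclass, field

# Documented client defaults; an option absent from a stanza takes this value.
DEFAULTS = {
    "SSL": "No",
    "SSLREQUIRED": "Default",
    "SSLACCEPTCERTFROMSERV": "Yes",
    "SSLFIPSMODE": "No",
    "SSLDISABLELEGACYTLS": "No",
    "LANFREESSL": "No",
}

# Constructed sample dsm.sys: one stanza accepting all defaults, one hardened.
# Server names and addresses are placeholders.
SAMPLE_DSM_SYS = """\
* Constructed sample dsm.sys; server names and addresses are placeholders
SERVERNAME  tsm_prod
   COMMMETHOD        TCPip
   TCPSERVERADDRESS  tsm-prod.example.internal
   TCPPORT           1500
   NODENAME          app01

SERVERNAME  tsm_dr
   COMMMETHOD        TCPip
   TCPSERVERADDRESS  tsm-dr.example.internal
   TCPPORT           1543
   NODENAME          app01
   SSL               Yes
   SSLFIPSMODE       Yes
   SSLDISABLELEGACYTLS Yes
"""


def parse_dsm_sys(text: str) -> dict:
    """Return {servername: {OPTION: value}}; option names are upper-cased."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or comment
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "SERVERNAME":
            current = value
            stanzas[current] = {}
        elif current is not None:
            stanzas[current][key] = value
    return stanzas


@dataclass
class Posture:
    server: str
    object_data_encrypted: bool      # SSL Yes
    auto_accept_server_cert: bool    # SSLACCEPTCERTFROMSERV Yes
    fips_required: bool              # SSLFIPSMODE Yes
    legacy_tls_allowed: bool         # SSLDISABLELEGACYTLS No (pre-V7.1.8/V8.1.2 servers only)
    findings: list = field(default_factory=list)


def _is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def assess(server: str, stanza: dict) -> Posture:
    """Apply documented defaults to a stanza and list what is left unprotected."""
    opt = lambda key: stanza.get(key, DEFAULTS[key])
    p = Posture(
        server=server,
        object_data_encrypted=_is_yes(opt("SSL")),
        auto_accept_server_cert=_is_yes(opt("SSLACCEPTCERTFROMSERV")),
        fips_required=_is_yes(opt("SSLFIPSMODE")),
        legacy_tls_allowed=not _is_yes(opt("SSLDISABLELEGACYTLS")),
    )
    if not p.object_data_encrypted:
        p.findings.append("SSL No: object data is sent unencrypted; only authentication "
                          "and other session traffic are TLS-protected on a V7.1.8/V8.1.2 or later server")
    if p.auto_accept_server_cert:
        p.findings.append("SSLACCEPTCERTFROMSERV Yes: the server's self-signed certificate is "
                          "trusted at first connection; make that first connection over a trusted path")
    if p.legacy_tls_allowed:
        p.findings.append("SSLDISABLELEGACYTLS No: TLS 1.1 and lower are allowed to servers "
                          "earlier than V7.1.8/V8.1.2")
    return p


def assess_all(text: str) -> dict:
    """Posture per server stanza, keyed by server name."""
    return {name: assess(name, stanza) for name, stanza in parse_dsm_sys(text).items()}


if __name__ == "__main__":
    for name, posture in assess_all(SAMPLE_DSM_SYS).items():
        print(f"{name}: object data encrypted={posture.object_data_encrypted}, "
              f"FIPS={posture.fips_required}")
        for finding in posture.findings:
            print("  -", finding)
```

On the constructed file, the tsm_prod stanza is reported with three findings (object data unencrypted, certificate trusted at first connection, legacy TLS allowed to older servers), while tsm_dr only carries the first-connection trust finding, which is inherent to the fast path and is addressed by making that first connection over a trusted path or by importing the certificate manually with dsmcert. The parser matches full option names only; the real client also accepts abbreviated option names, so extend the lookup before running it against production files.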