APAR status
Closed as documentation error.
Error description
The IBM Spectrum Protect server SSL certificate expires after 10 years. Documentation is needed to explain how to renew the certificate when it expires or, better, before it expires.

To verify when the server certificate will expire, run the following command from the server instance directory:

    gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

In the output, the line starting with "Not After :" shows when the certificate will expire.

    .....
    Label : TSM Server SelfSigned SHA Key
    Key Size : 2048
    Version : X509 V3
    Serial : aaabbbcccddd
    Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
    Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
    Not Before : November 15, 2012 11:16:40 AM GMT+01:00
    Not After : November 14, 2022 11:16:40 AM GMT+01:00

IBM Spectrum Protect Versions Affected: All IBM Spectrum Protect server versions 8.1.2.0 and higher

Additional Keywords: TS011301593 TLS
Local fix
Here are the steps to create and distribute a new self-signed certificate (cert256.arm):

- Stop the IBM Spectrum Protect server.
- Make a backup copy of the existing certificates and key stores present in the IBM Spectrum Protect server instance folder:
    cert256.arm
    cert.kdb
    cert.sth
    cert.rdb
    cert.crl
- Delete only the cert256.arm file.
- Delete the server's certificate from the key store via the following command:
    gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
- Start the IBM Spectrum Protect server. On startup, the server will generate a new certificate and store it in the key store with label "TSM Server SelfSigned SHA Key". A new cert256.arm file will be created. The following commands can be used to verify what is in cert.kdb and what is in cert256.arm:
    gsk8capicmd_64 -cert -details -file cert256.arm
    gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
  The "Not After :" date should be the same on both.
- For server-to-server communication, use the update server command with forcesync=yes to provide the new certificate.
- For backup-archive and API client nodes, update the nodes to sessionsecurity=transitional.

The next steps need to be done for each node, including the Spectrum Protect server host, because the client certificate on the Spectrum Protect server host is used for the server backup db operation.

- At each node, make a backup copy of dsmcert.kdb, dsmcert.idx, and dsmcert.sth and then delete the files. These files are located in the client install directory. On Unix, Linux and Mac systems, if client sessions were ever started from a non-root user, copies of the certificate can be located in $HOME/IBM/SpectrumProtect/certs/ or in the directory pointed to by the PASSWORDDIR client option.
- If a node may connect to multiple servers, to avoid having to redistribute the certificates of the other servers to that node, it may be preferable to delete only the certificate for the affected IBM Spectrum Protect server:
    gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed
  (note the name of the affected server certificate and use it in the delete command below)
    gsk8capicmd_64 -cert -delete -db dsmcert.kdb -stashed -label "<certificate name>"
- Back up and delete only the dsmcert.idx file.
- Then, connect to the IBM Spectrum Protect server using the backup-archive client node to get the new certificate.
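The two checks described above (how long until "Not After", and whether cert.kdb and cert256.arm agree after renewal) can be scripted. The following is an added example, not IBM code: the function names are hypothetical, the sample text is a trimmed copy of the output quoted on this page, and it assumes the tool prints dates in the English layout shown there.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

LABEL = "TSM Server SelfSigned SHA Key"  # label used on this page
NOT_AFTER = re.compile(
    r"^\s*Not After\s*:\s*(.+?)\s+GMT(?:([+-])(\d{2}):(\d{2}))?\s*$", re.MULTILINE)

# Constructed sample: trimmed from the -cert -details output quoted on this page.
SAMPLE = """Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Not Before : November 15, 2012 11:16:40 AM GMT+01:00
Not After : November 14, 2022 11:16:40 AM GMT+01:00
"""

def not_after(details: str) -> datetime:
    """Parse the 'Not After' line into a timezone-aware datetime."""
    m = NOT_AFTER.search(details)
    if m is None:
        raise ValueError("no parsable 'Not After' line")
    stamp, sign, hh, mm = m.groups()
    offset = timedelta(hours=int(hh or 0), minutes=int(mm or 0))
    if sign == "-":
        offset = -offset
    # Assumption: English month names and 12-hour clock, as in the sample.
    local = datetime.strptime(stamp, "%B %d, %Y %I:%M:%S %p")
    return local.replace(tzinfo=timezone(offset))

def days_left(details: str, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after(details) - now).days

def same_expiry(kdb_details: str, arm_details: str) -> bool:
    """True when cert.kdb and cert256.arm carry the same 'Not After' date."""
    return not_after(kdb_details) == not_after(arm_details)

def gsk_details(*args: str) -> str:
    """Run gsk8capicmd_64 -cert -details in the server instance directory."""
    cmd = ["gsk8capicmd_64", "-cert", "-details", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # On a real server, replace SAMPLE with:
    #   gsk_details("-db", "cert.kdb", "-stashed", "-label", LABEL)
    #   gsk_details("-file", "cert256.arm")
    now = datetime.now(timezone.utc)
    print("days left:", days_left(SAMPLE, now))
    print("kdb and arm match:", same_expiry(SAMPLE, SAMPLE))
```

Run from a scheduler, a low days_left value gives time to plan the renewal and the client redistribution before sessions start failing certificate validation.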
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* All IBM Spectrum Protect server users.                       *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See error description.                                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Problem conclusion
In the Problem Determination Guide, a topic is added with the following title, which explains how to renew and distribute the SSL/TLS certificate before it expires or when it has expired: "Renewing an SSL certificate of the IBM Spectrum Protect server"

This information is set to publish with the IBM Spectrum Protect 8.1.18 version's documentation release.

Affected platforms: AIX, Linux, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT42905
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
81A
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-01-17
Closed date
2023-02-14
Last modified date
2023-03-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
09 March 2023