IBM Support

Configuring for SSL communication between client management service and the Tivoli Storage Manager server

Question & Answer


Question

How do I configure the client management service to communicate with TSM servers using SSL?

Cause

The client management service is used by the Tivoli Storage Manager Operations Center to collect log information from backup-archive client computer systems. In order to function, it must be configured to authenticate to the Tivoli Storage Manager server hosting the client node. In the event that the server is configured for SSL client communications, there are some manual steps required to configure the client management service.

Answer

To use the Secure Sockets Layer (SSL) protocol to secure communications between the client management service and the Tivoli Storage Manager (TSM) server, you must add the SSL certificate of the TSM server to the truststore file of the client management service.

Before you begin

The server truststore of the client management service is a container for SSL certificates that the client management service can access. To set up the SSL communication between the client management service and the TSM server, you must create the server truststore file (or add certificates to it, if you have already created it for a different TSM server).

Procedure to create server truststore

To ensure that SSL ports are set on the TSM server, complete the following steps:

  1. From the TSM command line, issue the following command on the TSM server:

    QUERY OPTION SSL*

    The results include four server options, as shown in the following example:

    Server Option   Option Setting
    ------------------------------
    SSLTCPPort      3700
    SSLTCPADMINPort 3800
    SSLTLS12        No
    SSLFIPSMODE     No
  2. If the SSLTLS12 option is set to YES, copy the cert256.arm file to the client machine that you want to configure for SSL communications with the TSM server. Otherwise, copy the cert.arm file to the client machine.
  3. On the client machine, open the IBM Key Management window by issuing the ikeyman command. You can find the tool in the directory where you ran the client management service installer. For example, execute the following:
    cmsInstaller/im64/jre_6.0.0.sr9_20110208_03/jre/bin/ikeyman.exe
  4. Click Key Database File -> New to create a new truststore. Choose the key database type JKS. Specify svr-truststore.jks for the file name and specify the following path for the location:
    cmsInstallDir/cms/Liberty/usr/servers/cmsServer

    You are prompted for a password to protect the truststore. Choose a password that is meaningful to you -- you will need it if you want to add more certificates to the truststore later.
  5. Choose Signer Certificates, then select Add. You are prompted for the file name of the certificate file that you want to add to the truststore. Select the certificate you copied from the TSM server (either cert.arm or cert256.arm).


Procedure to add certificates to an existing server truststore

Adding certificates to an existing truststore is similar to creating a new truststore.

  1. From the TSM command line, issue the following command on the TSM server:

    QUERY OPTION SSL*

    The results include four server options, as shown in the following example:

    Server Option   Option Setting
    ------------------------------
    SSLTCPPort      3700
    SSLTCPADMINPort 3800
    SSLTLS12        No
    SSLFIPSMODE     No
  2. If the SSLTLS12 option is set to YES, copy the cert256.arm file to the client machine that you want to configure for SSL communications with the TSM server. Otherwise, copy the cert.arm file to the client machine.
  3. On the client machine, open the IBM Key Management window by issuing the ikeyman command. You can find the tool in the directory where you ran the client management service installer. For example, execute the following:
    cmsInstaller/im64/jre_6.0.0.sr9_20110208_03/jre/bin/ikeyman.exe
  4. Instead of creating a new truststore, you must add certificates to an existing truststore. Click Key Database File -> Open and choose svr-truststore.jks for the client management service at the following location:
    cmsInstallDir/cms/Liberty/usr/servers/cmsServer

    You must enter the password you used when you created the truststore.
  5. Choose Signer Certificates, then select Add. You are prompted for the file name of the certificate file that you want to add to the truststore. Select the certificate you copied from the TSM server (either cert.arm or cert256.arm).
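
The checks behind steps 1 and 2 of both procedures, as an added example that is not part of the IBM technote: it picks the certificate file from the QUERY OPTION SSL* output and computes a SHA-256 fingerprint of an .arm file, so the copy on the client can be compared with the one on the server before it is added as a signer certificate. The function names are hypothetical, the sample bytes are constructed, and the .arm file is assumed to be base64-armored between BEGIN/END CERTIFICATE lines.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Constructed copy of the QUERY OPTION SSL* output shown in step 1.
SAMPLE_OUTPUT = """\
Server Option   Option Setting
------------------------------
SSLTCPPort      3700
SSLTCPADMINPort 3800
SSLTLS12        No
SSLFIPSMODE     No
"""

def parse_ssl_options(text):
    """Map each SSL* option name (upper-cased) to its setting."""
    options = {}
    for line in text.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(\S+)\s*$", line, re.IGNORECASE)
        if m:
            options[m.group(1).upper()] = m.group(2)
    if not options:
        raise ValueError("no SSL options found in the output")
    return options

def certificate_to_copy(options):
    """Step 2: cert256.arm when SSLTLS12 is Yes, otherwise cert.arm."""
    tls12 = options.get("SSLTLS12", "No").lower() == "yes"
    return "cert256.arm" if tls12 else "cert.arm"

def armor(der, width=64, newline="\n"):
    """Wrap raw bytes in base64 armor; used only to build sample input."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join([BEGIN, *body, END]) + newline

def arm_fingerprint(arm_text):
    """SHA-256 of the decoded certificate bytes, independent of line wrapping."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), arm_text, re.DOTALL)
    if not m:
        raise ValueError("no armored certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

if __name__ == "__main__":
    print(certificate_to_copy(parse_ssl_options(SAMPLE_OUTPUT)))
    server_copy = armor(bytes(range(90)))              # constructed bytes, not a real certificate
    client_copy = armor(bytes(range(90)), 76, "\r\n")  # same bytes, re-wrapped during transfer
    print(arm_fingerprint(server_copy) == arm_fingerprint(client_copy))
```

Run `arm_fingerprint` on the file's text on both machines; add the certificate to svr-truststore.jks only when the two values match.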


Document Information

Modified date:
17 June 2018

UID

swg21683741