Secure communications using SSL
https://www-01.ibm.com/support/docview.wss?uid=swg22004844
http://www-01.ibm.com/support/docview.wss?uid=swg22004844&acss=danl_4681_web
Starting with Spectrum Protect V8.1.2, an SSL connection is required for server-to-server communication, as well as for the TSM administrative client connection (dsmadmc).
Upgrade the server to V8.1.4 or later. Beginning with V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled “TSM Server SelfSigned SHA Key”. A copy of the new default certificate is stored in the cert256.arm file, which is located in the server instance directory.
On the TSM server, check in the instance directory whether the default certificate in the certificate database cert.kdb is set to "TSM Server SelfSigned SHA Key"; this is a requirement for SSL/TLS 1.2 as used by TSM V8.1.2 and later.
[root@prtsm01 tsmsrv1]# cd /tsm/tsminst1
[root@prtsm01 tsmsinst1]# ls -l
total 2996
-rw-r--r-- 1 tsmsrv1 tsmsrv   1257 29 janv.  2017 cert256.arm
-rw-r--r-- 1 tsmsrv1 tsmsrv    904 29 janv.  2017 cert.arm
-rw------- 1 tsmsrv1 tsmsrv     80 29 janv.  2017 cert.crl
-rw------- 1 tsmsrv1 tsmsrv 150080 29 janv.  2017 cert.kdb
-rw------- 1 tsmsrv1 tsmsrv     80 29 janv.  2017 cert.rdb
-rw------- 1 tsmsrv1 tsmsrv    129 29 janv.  2017 cert.sth
......
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
...
! "Thawte Personal Premium CA"
*- "TSM Server SelfSigned Key"
- "TSM Server SelfSigned SHA Key"
In this example the default certificate used by the TSM server is "TSM Server SelfSigned Key", so you have to change it:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed
Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Version : X509 V3
Serial : 2f367fe63a10f04a
Issuer : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Subject : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Not Before : January 28, 2017 3:02:01 PM GMT+01:00
Not After : January 27, 2027 3:02:01 PM GMT+01:00
Fingerprint : 89cb285d829d54bcd1c147eee4cab54e 82216c5e
Now your default certificate is set to TSM Server SelfSigned SHA Key.
To display a specific certificate registered in the database, use its label:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
...
! "Thawte Personal Premium CA"
*- "TSM Server SelfSigned Key"
- "TSM Server SelfSigned SHA Key"
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -details -db dsmcert.kdb -stashed -label "TSM Server SelfSigned Key"
Label : "TSM Server SelfSigned Key"
Key Size : 1024
Version : X509 V3
Serial : 4aa858303f98bfef
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2015 9:44:26 AM GMT+02:00
Not After : April 29, 2025 9:44:26 AM GMT+02:00
Public Key
30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 ...
Check that the file cert256.arm corresponds to the certificate registered in the database cert.kdb:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -details -file cert256.arm
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 2f367fe63a10f04a
Issuer : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Subject : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Not Before : January 28, 2017 3:02:01 PM GMT+01:00
Not After : January 27, 2027 3:02:01 PM GMT+01:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 .....
If the file is not the right one (the date or serial differs), move cert256.arm out of the way (rename it), then stop the TSM server and start it again; the file is regenerated by the TSM server from the information stored in cert.kdb.
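To automate the check just described (serial and validity dates of cert256.arm against the cert.kdb default, plus the 2048-bit SHA-signed default required from V8.1.2), here is an added Python example that parses the text printed by gsk8capicmd -cert -details / -getdefault. It is not part of the original page or of IBM's tooling, and the sample outputs in it are constructed from the values shown above.

```python
import re

# Fields that must agree between the cert.kdb default and the exported
# cert256.arm; Label differs by design (kdb label vs. subject DN in the file).
COMPARE_FIELDS = ("Serial", "Not Before", "Not After", "Key Size")
EXPECTED_LABEL = "TSM Server SelfSigned SHA Key"  # required default label
MIN_KEY_BITS = 2048  # the old MD5-signed default was a 1024-bit key

def parse_details(text):
    """Turn 'Field : value' lines of gsk8capicmd output into a dict (quotes stripped, key dump skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
    return fields

def check_cert(kdb_details, arm_details, expected_label=EXPECTED_LABEL):
    """Return a list of findings; an empty list means cert256.arm matches the
    kdb default and that default meets the V8.1.2+ requirements."""
    kdb, arm = parse_details(kdb_details), parse_details(arm_details)
    findings = [f"{f} differs: kdb={kdb.get(f)!r} file={arm.get(f)!r}"
                for f in COMPARE_FIELDS if kdb.get(f) != arm.get(f)]
    if kdb.get("Label") != expected_label:
        findings.append(f"default label {kdb.get('Label')!r} is not {expected_label!r}")
    if int(kdb.get("Key Size", "0")) < MIN_KEY_BITS:
        findings.append(f"default key size {kdb.get('Key Size')} below {MIN_KEY_BITS}")
    return findings

# Constructed samples modelled on the gsk8capicmd output above (not real output).
KDB_DEFAULT = """Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Serial : 2f367fe63a10f04a
Not Before : January 28, 2017 3:02:01 PM GMT+01:00
Not After : January 27, 2027 3:02:01 PM GMT+01:00
"""
ARM_GOOD = """Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Serial : 2f367fe63a10f04a
Not Before : January 28, 2017 3:02:01 PM GMT+01:00
Not After : January 27, 2027 3:02:01 PM GMT+01:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
"""
ARM_STALE = """Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 1024
Serial : 4aa858303f98bfef
Not Before : May 1, 2015 9:44:26 AM GMT+02:00
Not After : April 29, 2025 9:44:26 AM GMT+02:00
"""
```

Feed it the real output of `gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed` and `gsk8capicmd_64 -cert -details -file cert256.arm`; a non-empty list means the .arm file must be regenerated or the default certificate changed.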
For server-to-server communication, you have to import cert256.arm from server TSM1 into TSM2 and vice versa:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "TSM2 server certificate" -file /tmp/cert256_tsm2.arm -format ascii
On both TSM servers you have to set the SSL ports for secure communication:
Protect: TSM01>q opt ssl*

Server Option             Option Setting
------------------------- -----------------------------------
SSLDisableLegacyTLS       Yes
SSLHideLegacyTLS          Yes
SSLInitTimeout            2
SSLTCPPort
SSLTCPADMINPort
SSLTLS12                  Yes
SSLFIPSMODE               No
If SSLTCPADMINPort is specified, it is used for management and server-to-server communication; otherwise SSLTCPPort is used (a separate admin port prevents clients from using the TCPPORT for both management and backups).
Also update the server definitions on each TSM server:
Protect: TSM01>q server TSM02 f=d

Server Name: TSM02
Comm. Method: TCPIP
Transfer Method: TCPIP
High-level Address: 10.10.10.12
Low-level Address: 1500
...
Invalid Sign-on Count for Virtual Volume Node: 0
Validate Protocol: No
Version: 8
Release: 1
Level: 0.0
Role(s): Replication
SSL: No
If SSLTCPADMINPORT is set to 3750 on TSM02, update the definition with:
Protect: TSM01>update server TSM02 ssl=yes lladdress=3750 forcesync=yes
Then you can test the communication from both TSM servers:
Protect: TSM01>TSM02: q se
ANR1699I Resolved TSM02 to 1 server(s) - issuing command Q SE against server(s).
ANR1687I Output for command 'Q SE' issued against server TSM02 follows:

  Sess    Comm.    Sess     Wait    Bytes    Bytes    Sess      Platform  Client Name
Number   Method   State     Time     Sent    Recvd    Type
------  -------  ------  -------  -------  -------  -------  ------------  ------------------
82 424   Tcp/Ip    Run      0 S    4.6 M      143    Admin   WinNT         TSMM
99 677   Tcp/Ip    Run      0 S      162      243    Admin   Linux/x86_64  TOTO

ANR1688I Output for command 'Q SE' issued against server PRTSM02 completed.
ANR1694I Server TSM02 processed command 'Q SE' and completed successfully.
ANR1697I Command 'Q SE' processed by 1 server(s): 1 successful, 0 with warnings, and 0 with errors.
Do not delete the required certificates; to remove only an additional certificate that you added, use:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label "FCM server certificate"
Starting with TSM V8.1.2 you must use a secure connection to the server for administration.
The commands are the same for Windows and UNIX; only the paths change.
First copy the file cert256.arm from the TSM01 server (located in the instance home path) to the client (Windows or UNIX).
From the command line, add the TSM01 server certificate to the client; start CMD as administrator.
Check the validity of a file:
C:\Program Files\ibm\gsk8\lib64> "C:\Program Files\ibm\gsk8\bin\gsk8capicmd_64.exe" -cert -details -file "C:\keys\TSM01\cert256.arm"
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 1327061fd3612122
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2018 9:44:27 AM GMT+02:00
Not After : April 29, 2028 9:44:27 AM GMT+02:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 9A 61 EC 0C A3 27 1F C7 0B 02 E9 CD A0 FB ED ...
Register the certificate manually in the TSM client:
C:\Windows\system32> cd c:\Program Files\Tivoli\TSM\baclient
c:\Program Files\Tivoli\TSM\baclient>dsmcert -add -server TSM01 -file C:\keys\TSM01\cert256.arm
IBM Spectrum Protect
dsmcert utility
dsmcert Version 8, Release 1, Level 2.0
dsmcert date/time: 09/27/2017 17:51:31
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Result : Success
c:\Program Files\Tivoli\TSM\baclient> cd C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64
C:\>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db "c:\Program Files\Tivoli\TSM\baclient\dsmcert.kdb" -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
! "Entrust.net Client Certification Authority"
! "Entrust.net Global Client Certification Authority"
! "Entrust.net Global Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048) 29"
! "Entrust Root Certification Authority - EC1"
! "Entrust Root Certification Authority - EV"
! "Entrust Root Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority"
! "VeriSign Class 2 Public Primary Certification Authority"
! "VeriSign Class 3 Public Primary Certification Authority"
! "VeriSign Class 1 Public Primary Certification Authority - G2"
! "VeriSign Class 2 Public Primary Certification Authority - G2"
! "VeriSign Class 3 Public Primary Certification Authority - G2"
! "VeriSign Class 4 Public Primary Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority - G3"
! "VeriSign Class 2 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G5"
! "VeriSign Class 4 Public Primary Certification Authority - G3"
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSM01
If the certificate database file dsmcert.kdb does not exist yet, create it with:
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -keydb -create -populate -db dsmcert.kdb -pw password -stash
Now update the file dsm.opt (or dsm.sys on UNIX) to set TCPADMINPORT (or TCPPORT if no admin port is used):
c:\Program Files\Tivoli\TSM\baclient>more dsm_tsm01.opt
SErvername       tsm01ssl
TCPSErveraddress tsm01
COMMmethod       TCPIP
TCPADMINPORT     3750
ssl              yes
c:\Program Files\Tivoli\TSM\baclient>dsmadmc -optfile=dsm_tsm01.opt
IBM Spectrum Protect
Command Line Administrative Interface - Version 8, Release 1, Level 2.0
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Enter your user id: admin
To use SSL with TSMManager, the TSM client V8.1.2 must be used.
First copy the certificate to the TSMManager server (example here for TSM22):
copy tsm22:/tsminst1/cert256.arm to C:\keys\cert256_tsm22.arm on the TSMManager server
On the TSMManager server, put this certificate in the right directory with the filename cert256.arm:
C:\Program Files (x86)\JamoDat\TSMMgr_serv\TSM22\
Go to the TSMManager Viewer.
In Configuration > TSM/ISP servers, change the TSM server port to the admin SSL port (e.g. 3350 for TSM22), select "Use SSL communication", and validate. Then click the button **SSL certificate handling**, select the server TSM22 and show the certificate details; if nothing is shown, add a certificate for the server, otherwise you can delete it.
You can also set the certificate from the command line; start CMD as administrator:
C:\Windows\system32> cd C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb" -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
! "Entrust.net Client Certification Authority"
! "Entrust.net Global Client Certification Authority"
! "Entrust.net Global Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048) 29"
! "Entrust Root Certification Authority - EC1"
! "Entrust Root Certification Authority - EV"
! "Entrust Root Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority"
! "VeriSign Class 2 Public Primary Certification Authority"
! "VeriSign Class 3 Public Primary Certification Authority"
! "VeriSign Class 1 Public Primary Certification Authority - G2"
! "VeriSign Class 2 Public Primary Certification Authority - G2"
! "VeriSign Class 3 Public Primary Certification Authority - G2"
! "VeriSign Class 4 Public Primary Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority - G3"
! "VeriSign Class 2 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G5"
! "VeriSign Class 4 Public Primary Certification Authority - G3"
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSMM_1_TSM11
! 10.10.15.25:1550
! TSMM_1_TSM22
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -delete -db "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb" -stashed -label "TSMM_1_TSM22"
Check the validity of a file:
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -details -file "C:\Program Files (x86)\JamoDat\TSMMgr_serv\TSM22\cert256.arm"
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 1327061fd3612122
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2018 9:44:27 AM GMT+02:00
Not After : April 29, 2028 9:44:27 AM GMT+02:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 9A 61 EC 0C A3 27 1F C7 0B 02 E9 CD A0 FB ED ...
After initiating a connection with the dsmadmc command, register the certificate manually in the TSM client:
c:\Program Files\Tivoli\TSM\baclient>dsmcert -add -server 10.10.10.123 -file C:\keys\cert256_tsm22.arm
IBM Spectrum Protect
dsmcert utility
dsmcert Version 8, Release 1, Level 2.0
dsmcert date/time: 09/27/2017 17:51:31
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Result : Success
c:\Program Files\Tivoli\TSM\baclient>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb" -stashed
c:\Program Files\Tivoli\TSM\baclient>more dsm_tsm22.opt
SErvername       tsm22ssl
TCPSErveraddress tsm22
COMMmethod       TCPIP
TCPADMINPORT     3350
ssl              yes
c:\Program Files\Tivoli\TSM\baclient>dsmadmc -optfile=dsm_tsm22.opt
IBM Spectrum Protect
Command Line Administrative Interface - Version 8, Release 1, Level 2.0
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Enter your user id: admin
Now TSMManager is green!!! Strange.