
IBM Spectrum Protect V8.1.2 security updates

TSM server with SSL

Starting with Spectrum Protect v8.1.2, an SSL connection is required for server-to-server communication, as well as for the TSM administrative client connection (dsmadmc).

Upgrade the server to V8.1.4 or later. Beginning with V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled “TSM Server SelfSigned SHA Key”. A copy of the new default certificate is stored in the cert256.arm file, which is located in the server instance directory.

Check the SHA certificate on TSM server

On the TSM server, check in the instance folder whether the default certificate in the certificate database cert.kdb is set to "TSM Server SelfSigned SHA Key". This is a requirement for the SSL/TLS 1.2 connections used in TSM v8.1.2 and later.

[root@prtsm01 tsmsrv1]# cd /tsm/tsminst1 
[root@prtsm01 tsmsinst1]# ls -l
total 2996
-rw-r--r--  1 tsmsrv1 tsmsrv    1257 29 janv.  2017 cert256.arm
-rw-r--r--  1 tsmsrv1 tsmsrv     904 29 janv.  2017 cert.arm
-rw-------  1 tsmsrv1 tsmsrv      80 29 janv.  2017 cert.crl
-rw-------  1 tsmsrv1 tsmsrv  150080 29 janv.  2017 cert.kdb
-rw-------  1 tsmsrv1 tsmsrv      80 29 janv.  2017 cert.rdb
-rw-------  1 tsmsrv1 tsmsrv     129 29 janv.  2017 cert.sth
......
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!	"Entrust.net Secure Server Certification Authority"
!	"Entrust.net Certification Authority (2048)"
...
!	"Thawte Personal Premium CA"
*-	"TSM Server SelfSigned Key"
-	"TSM Server SelfSigned SHA Key"

In this example, the default certificate used by the TSM server is still "TSM Server SelfSigned Key", so you have to change it:

[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed 
Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Version : X509 V3
Serial : 2f367fe63a10f04a
Issuer : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Subject : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Not Before : January 28, 2017 3:02:01 PM GMT+01:00

Not After : January 27, 2027 3:02:01 PM GMT+01:00

Fingerprint : 
89cb285d829d54bcd1c147eee4cab54e
82216c5e

Now your default certificate is set to TSM Server SelfSigned SHA Key.

To display the details of a specific certificate registered in the database, use its label:

[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!	"Entrust.net Secure Server Certification Authority"
!	"Entrust.net Certification Authority (2048)"
...
!	"Thawte Personal Premium CA"
*-	"TSM Server SelfSigned Key"
-	"TSM Server SelfSigned SHA Key"
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -details -db dsmcert.kdb -stashed -label "TSM Server SelfSigned Key"
Label : "TSM Server SelfSigned Key"
Key Size : 1024
Version : X509 V3
Serial : 4aa858303f98bfef
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2015 9:44:26 AM GMT+02:00

Not After : April 29, 2025 9:44:26 AM GMT+02:00

Public Key
    30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
...

Validate the certificate file to deploy on clients

Check that the file cert256.arm corresponds to the certificate registered in the database cert.kdb (same serial number and validity dates):

[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -details -file cert256.arm 
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 2f367fe63a10f04a
Issuer : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Subject : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Not Before : January 28, 2017 3:02:01 PM GMT+01:00

Not After : January 27, 2027 3:02:01 PM GMT+01:00

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
.....

If the file is not the right one (the dates or the serial number do not match), move the existing cert256.arm aside, then stop the TSM server and start it again: the file is regenerated by the TSM server from the information stored in cert.kdb.
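As an added check that is not part of the original page nor of IBM's tooling, the following POSIX shell script parses the output of the gsk8capicmd_64 commands shown above to verify both points of this procedure: that the default entry of cert.kdb is the SHA key, and that cert256.arm carries the same serial number and expiry as the database default with a key of at least 2048 bits. The sample outputs are constructed from the values shown on this page; on a real server you would fill the variables from the live commands.

```shell
#!/bin/sh
# Constructed sample of "gsk8capicmd_64 -cert -list -db cert.kdb -stashed" before and after -setdefault
LIST_BEFORE='*-  "TSM Server SelfSigned Key"
-   "TSM Server SelfSigned SHA Key"'
LIST_AFTER='-   "TSM Server SelfSigned Key"
*-  "TSM Server SelfSigned SHA Key"'

# Constructed sample of "gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed"
KDB_DEFAULT='Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Serial : 2f367fe63a10f04a
Not After : January 27, 2027 3:02:01 PM GMT+01:00'

# Constructed sample of "gsk8capicmd_64 -cert -details -file cert256.arm" (matching file)
ARM_FILE='Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Serial : 2f367fe63a10f04a
Not After : January 27, 2027 3:02:01 PM GMT+01:00'

# Constructed sample of a stale cert256.arm left over from the old 1024-bit certificate
ARM_STALE='Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 1024
Serial : 4aa858303f98bfef
Not After : April 29, 2025 9:44:26 AM GMT+02:00'

# field NAME TEXT: print the value of the "NAME : value" line in gsk8capicmd output
field() {
  printf '%s\n' "$2" | sed -n "s/^$1 *: *//p" | head -n 1
}

# default_is_sha LIST: succeed only if the '*' (default) entry is the SHA key
default_is_sha() {
  printf '%s\n' "$1" | grep -q '^\*.*"TSM Server SelfSigned SHA Key"'
}

# arm_matches_kdb KDB_OUTPUT ARM_OUTPUT: succeed only if serial and expiry
# match the database default and the key is at least 2048 bits
arm_matches_kdb() {
  [ "$(field Serial "$1")" = "$(field Serial "$2")" ] || return 1
  [ "$(field 'Not After' "$1")" = "$(field 'Not After' "$2")" ] || return 1
  [ "$(field 'Key Size' "$2")" -ge 2048 ] || return 1
}

# Stand-alone run on the constructed samples; on a real server replace the
# variables with live command output, e.g. KDB_DEFAULT=$(gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed)
default_is_sha "$LIST_AFTER" && echo "default certificate is the SHA key"
arm_matches_kdb "$KDB_DEFAULT" "$ARM_FILE" && echo "cert256.arm matches cert.kdb"
arm_matches_kdb "$KDB_DEFAULT" "$ARM_STALE" || echo "stale cert256.arm: move it aside and restart the server"
```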

Update server-to-server communication to use the SSL certificate

For server-to-server communication, you have to import cert256.arm from server TSM1 into the key database of TSM2, and vice versa:

[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -add -db cert.kdb  -stashed -label "TSM2 server certificate" -file /tmp/cert256_tsm2.arm -format ascii

On both TSM servers you have to set the SSL ports for secure communication:

Protect: TSM01>q opt ssl*

Server Option                 Option Setting                     
-------------------------     -----------------------------------
SSLDisableLegacyTLS           Yes                                
SSLHideLegacyTLS              Yes                                
SSLInitTimeout                2                                  
SSLTCPPort                                                       
SSLTCPADMINPort                                                  
SSLTLS12                      Yes                                
SSLFIPSMODE                   No                                 

If SSLTCPADMINPort is specified, it is used for administrative and server-to-server communication; otherwise SSLTCPPort is used. (A dedicated admin port prevents clients from using the TCPPort for both management and backups.)

Also update the server definitions on each TSM server:

Protect: TSM01>q server TSM02 f=d

                                  Server Name: TSM02
                                 Comm. Method: TCPIP
                              Transfer Method: TCPIP
                           High-level Address: 10.10.10.12
                            Low-level Address: 1500
...
Invalid Sign-on Count for Virtual Volume Node: 0
                            Validate Protocol: No
                                      Version: 8
                                      Release: 1
                                        Level: 0.0
                                      Role(s): Replication
                                          SSL: No

If SSLTCPADMINPORT is set to 3750 on TSM02, then update the definition using:

Protect: TSM01>update server TSM02 ssl=yes lladdress=3750 forcesync=yes

Then you can test communication on both TSM servers:

Protect: TSM01>TSM02: q se
ANR1699I Resolved TSM02 to 1 server(s) - issuing command Q SE against server(s).
ANR1687I Output for command 'Q SE' issued against server TSM02 follows:

Sess N     Comm.      Sess S     Wait T     Bytes S     Bytes R     Sess Ty     Platform     Client Name       
 umber     Method     tate          ime         ent        ecvd     pe                       
------     ------     ------     ------     -------     -------     -------     --------     ------------------
82 424     Tcp/Ip     Run          0 S        4.6 M         143     Admin       WinNT        TSMM              
99 677     Tcp/Ip     Run          0 S          162         243     Admin       Linux/x8     TOTO            
                                                                                 6_64                          
ANR1688I Output for command 'Q SE' issued against server PRTSM02 completed.
ANR1694I Server TSM02 processed command 'Q SE' and completed successfully.
ANR1697I Command 'Q SE' processed by 1 server(s):  1 successful, 0 with warnings, and 0 with errors.

Delete unused certificates

Do not delete required certificates, only additional certificates you added yourself. To delete one, use:

[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -delete -db cert.kdb  -stashed -label "FCM server certificate"

Using admin command line with SSL

Starting with TSM v8.1.2 you must use a secure connection to the server for administration.

Commands are the same on Windows and UNIX; only the paths change.

First copy the file cert256.arm from the TSM01 server (located in the instance home path) to the client (Windows or UNIX).

Using the command line, add the TSM01 server certificate to the client. Start CMD as administrator:

Check the validity of the file:

C:\Program Files\ibm\gsk8\lib64> "C:\Program Files\ibm\gsk8\bin\gsk8capicmd_64.exe" -cert  -details -file "C:\keys\TSM01\cert256.arm"
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 1327061fd3612122
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2018 9:44:27 AM GMT+02:00

Not After : April 29, 2028 9:44:27 AM GMT+02:00

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
    00 9A 61 EC 0C A3 27 1F C7 0B 02 E9 CD A0 FB ED
    ...
 

Register the key manually into the TSM client

C:\Windows\system32> cd c:\Program Files\Tivoli\TSM\baclient

c:\Program Files\Tivoli\TSM\baclient>dsmcert -add -server TSM01 -file C:\keys\TSM01\cert256.arm
IBM Spectrum Protect
dsmcert utility
  dsmcert Version 8, Release 1, Level 2.0
  dsmcert date/time: 09/27/2017 17:51:31
 (c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Result : Success

c:\Program Files\Tivoli\TSM\baclient> cd C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64

C:\>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db  "c:\Program Files\Tivoli\TSM\baclient\dsmcert.kdb" -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048) 29"
!       "Entrust Root Certification Authority - EC1"
!       "Entrust Root Certification Authority - EV"
!       "Entrust Root Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
!       TSM01

If the certificate database file dsmcert.kdb does not exist yet, create it using:

C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -keydb -create -populate -db dsmcert.kdb -pw password -stash

Now update the file dsm.opt (or dsm.sys on UNIX) to set the TCPADMINPORT (or the TCPPORT if no admin port is used) and enable SSL:

c:\Program Files\Tivoli\TSM\baclient>more dsm_tsm01.opt
SErvername tsm01ssl
TCPSErveraddress tsm01
COMMmethod      TCPIP
TCPADMINPORT     3750
ssl yes

c:\Program Files\Tivoli\TSM\baclient>dsmadmc -optfile=dsm_tsm01.opt
IBM Spectrum Protect
Command Line Administrative Interface - Version 8, Release 1, Level 2.0
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Enter your user id:  admin

TSMManager and SSL

To use SSL with TSMManager, the TSM client v8.1.2 must be used.

First copy the certificate to the TSMManager server (example here for TSM22):

copy tsm22:/tsminst1/cert256.arm to the TSMManager server as C:\keys\cert256_tsm22.arm

On the TSMManager server, put this certificate in the right directory with the filename cert256.arm:

C:\Program Files (x86)\JamoDat\TSMMgr_serv\TSM22\

Go to TSMManager Viewer:

Configuration
  TSM/ISP servers
    Adapt the TSM server port to the admin SSL port (e.g. 3350 for TSM22),
    select Use SSL communication, and validate.
  Then, via the button **SSL certificate handling**:
    Select the server TSM22 and show the certificate details; if nothing is shown, add a certificate for the server.
    Otherwise you can delete it.

You can also manage the certificate from the command line. Start CMD as administrator:

C:\Windows\system32> cd C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db  "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb"  -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048) 29"
!       "Entrust Root Certification Authority - EC1"
!       "Entrust Root Certification Authority - EV"
!       "Entrust Root Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
!       TSMM_1_TSM11
!       10.10.15.25:1550
!       TSMM_1_TSM22

C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -delete -db  "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb"  -stashed -label "TSMM_1_TSM22"

Check the validity of the file:

C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert  -details -file "C:\Program Files (x86)\JamoDat\TSMMgr_serv\TSM22\cert256.arm"
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 1327061fd3612122
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2018 9:44:27 AM GMT+02:00

Not After : April 29, 2028 9:44:27 AM GMT+02:00

Public Key
    30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
    01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
    00 9A 61 EC 0C A3 27 1F C7 0B 02 E9 CD A0 FB ED
    ...
 

After initiating a connection with the dsmadmc command, register the key manually into the TSM client:

c:\Program Files\Tivoli\TSM\baclient>dsmcert -add -server 10.10.10.123 -file C:\keys\cert256_tsm22.arm
IBM Spectrum Protect
dsmcert utility
  dsmcert Version 8, Release 1, Level 2.0
  dsmcert date/time: 09/27/2017 17:51:31
 (c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Result : Success

c:\Program Files\Tivoli\TSM\baclient>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db  "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb"  -stashed

c:\Program Files\Tivoli\TSM\baclient>more dsm_tsm22.opt
SErvername tsm22ssl
TCPSErveraddress tsm22
COMMmethod      TCPIP
TCPADMINPORT     3350
ssl yes

c:\Program Files\Tivoli\TSM\baclient>dsmadmc -optfile=dsm_tsm22.opt
IBM Spectrum Protect
Command Line Administrative Interface - Version 8, Release 1, Level 2.0
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.

Enter your user id:  admin
 

Now TSMManager is green!!! Strange.

tsm/tsm_ssl.txt · Last modified: 2021/01/01 21:25 (external edit)