As a cloud-container storage pool can be slow to destage data, it is recommended to keep a local disk cache (a storage pool directory) to hold the daily backups.
The cloud identity (user) and password are issued by the S3 storage.
Here are two connection tests; the first succeeds and the second fails:
Protect: ISP2>validate cloud CLOUDType=S3 CLOUDUrl=HTTPS://s3.local.lu:9021 IDenti=isp2-p-s3-admin PAssword=xxxxxxxxxxxxxxxxxxxxxx BUCKETName=isp2-p-arc3
ANR3557I The cloud service provider URL and credentials were verified.

Protect: ISP1>validate cloud CLOUDType=S3 CLOUDUrl=HTTPS://s3.local.lu:9021 IDenti=isp11-t-s3-admin PAssword=xxxxxxxxxxxxxxxxxxxxx BUCKETName=isp2-t-arc3
ANR3556E The server cannot connect to the cloud service provider with the specified cloud URL of HTTPS://s3.local.lu:9021 when using the cloud ID of isp2-t-s3-admin and its password.
ANS8001I Return code 41.
Protect: isp2>def stgpool COS01 stgtype=cloud pooltype=primary cloudtype=S3 cloudlocation=onpremise CLOUDUrl=HTTPS://s3.local.lu:9021|HTTPS://s3_01.local.lu:9021|HTTPS://s3_02.local.lu:9021 IDenti=isp2-t-s3-admin PAssword=xxxxxxxxxxxxxxxxxxxxx CLOUDLocation=ONPREMISE bucketname=isp2-t-arc3 ACCess=READWrite encrypt=yes compress=yes CLOUDSTORAGEClass=Default
Protect: ISP2>q stg COS01 f=d
    Storage Pool Name: COS01
    Storage Pool Type: Primary
    Device Class Name:
    Storage Type: CLOUD
    Cloud Type: S3
    Cloud URL: HTTPS://s3.local.lu:9021|HTTPS://s3_01.local.lu:9021|HTTPS://s3_02.local.lu:9021
    Cloud Identity: isp2-t-s3-admin
    Cloud Location: ONPREMISE
    Estimated Capacity:
    Space Trigger Util:
    Pct Util:
    ...
    Cloud Space Allocated (MB): 0
    Cloud Space Utilized (MB): 0
    Bucket Name: isp2-t-arc3
    Local Estimated Capacity: 0.0 G
    Local Pct Util: 0.0
    Local Pct Logical: 0.0
    Cloud Storage Class: Default
    Remove Restored Cpy Before End of Life:
Adding a local storage pool directory to the cloud-container pool is highly recommended because S3 storage is slow:

Protect: isp2>def stgpooldir COS01 /isp2/pool/COS0101

Protect: ISP2>q stg COS01 f=d
    Storage Pool Name: COS01
    ...
    Local Estimated Capacity: 15.0 G
There are two ways to add the S3 server's TLS certificate to the server's Java keystore. First, retrieve the certificate the S3 endpoint presents:

[root@isp2]/opt/tivoli/tsm/jre/lib/security # openssl s_client -showcerts -connect s3.local.lu:9021 < /dev/null
CONNECTED(00000003)
depth=0 CN = DataService
....
 i:/CN=DataService
-----BEGIN CERTIFICATE-----
GGf3hsS85DxXt6izIUQVdNxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
-----END CERTIFICATE-----
---
Server certificate
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384

Method 1: create a folder called certs in the Spectrum Protect home folder (the home directory of the user that owns the instance), for example:
mkdir /home/tsminst1/certs
Now put the S3 storage certificate into a file in this directory (you can have multiple files):

# cat /home/tsminst1/certs/s3_local_lu.crt
-----BEGIN CERTIFICATE-----
GGf3hsS85DxXt6izIUQVdNxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
-----END CERTIFICATE-----

If the folder is in the right place, stopping and starting the TSM server automatically imports the certificates into the keystore at /opt/tivoli/tsm/jre/lib/security/cacerts.

Method 2: import the certificates manually with keytool; you have to answer "yes" when asked whether to trust the certificate:

# /opt/tivoli/tsm/jre/bin/keytool -import -keystore /opt/tivoli/tsm/jre/lib/security/cacerts -alias S3_local_lu -file /home/tsminst1/certs/s3_local_lu.crt -storepass changeit
...
Trust this certificate? [no]: yes
Certificate was added to keystore
Check if the certificate exists:
# /opt/tivoli/tsm/jre/bin/keytool -list -v -keystore /opt/tivoli/tsm/jre/lib/security/cacerts -storepass changeit
Alias name: digicertassuredidrootca
Alias name: comodorsaca
...
Alias name: S3_local_lu

Then stop and start the TSM server so that it picks up the new keystore contents.
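As an added example (not part of this page or of the product), a small POSIX shell script that automates the manual import above: it takes the server certificate out of the openssl s_client -showcerts output, prints its SHA-256 fingerprint so that it can be confirmed with the S3 storage team before it is trusted, and runs keytool only if the alias is not already in the keystore. Host, port, paths and alias default to the values used on this page and can be overridden through the environment; RUN_IMPORT is an assumed guard variable so that merely sourcing the file does nothing.

```shell
#!/bin/sh
# Added example: fetch the S3 endpoint certificate, show its fingerprint for
# out-of-band confirmation, and import it into the server JRE keystore only
# if the alias is not already there. Defaults are the values used on the page.
S3_HOST="${S3_HOST:-s3.local.lu}"
S3_PORT="${S3_PORT:-9021}"
CERT_DIR="${CERT_DIR:-/home/tsminst1/certs}"
KEYSTORE="${KEYSTORE:-/opt/tivoli/tsm/jre/lib/security/cacerts}"
KEYTOOL="${KEYTOOL:-/opt/tivoli/tsm/jre/bin/keytool}"
STOREPASS="${STOREPASS:-changeit}"
CERT_ALIAS="${CERT_ALIAS:-S3_local_lu}"

# Print the n-th PEM block of an "openssl s_client -showcerts" dump read on
# stdin: block 1 is the server's own certificate, later blocks are its chain.
pem_block() {
    awk -v n="$1" '/-----BEGIN CERTIFICATE-----/ {i++}
                   i==n {print}
                   /-----END CERTIFICATE-----/ {if (i==n) exit}'
}
# Fetch block $1 (default 1, the server certificate). Behind an internal CA, fetch
# the last block of the chain instead so a renewed server certificate still validates.
fetch_cert() {
    openssl s_client -showcerts -connect "$S3_HOST:$S3_PORT" </dev/null 2>/dev/null \
        | pem_block "${1:-1}"
}
# SHA-256 fingerprint of the PEM certificate read on stdin.
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256; }
# Succeeds when the alias already exists in the keystore.
alias_in_keystore() {
    "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}
import_s3_cert() {
    mkdir -p "$CERT_DIR"
    crt="$CERT_DIR/$CERT_ALIAS.crt"
    fetch_cert 1 > "$crt"
    [ -s "$crt" ] || { echo "no certificate received from $S3_HOST:$S3_PORT" >&2; return 1; }
    echo "Confirm this fingerprint with the storage team before trusting it:"
    cert_fingerprint < "$crt"
    if alias_in_keystore "$CERT_ALIAS"; then
        echo "alias $CERT_ALIAS already in keystore, nothing imported"; return 0
    fi
    "$KEYTOOL" -importcert -noprompt -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -alias "$CERT_ALIAS" -file "$crt"
    echo "imported $CERT_ALIAS: stop and start the server so it is picked up"
}
# Only act when explicitly asked, e.g.: RUN_IMPORT=1 sh import_s3_cert.sh
if [ -n "${RUN_IMPORT:-}" ]; then import_s3_cert; fi
```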
Syntax of DEFINE STGPOOL for a cloud-container storage pool (defaults shown on the right; the numbered notes are those of the command reference):

DEFine STGpool pool_name STGType=CLoud
    [POoltype=PRimary]                                   default: PRimary
    [DESCription=description]
    [CLOUDType=AZure|S3|IBMCLoudswift|SWift|V1Swift]     default: SWift
    CLOUDUrl=cloud_url IDentity=cloud_identity PAssword=password   note (1)
    [CLOUDLocation=OFfpremise|ONpremise]                 default: OFfpremise
    [BUCKETName=bucket_name]                             note (2)
    [ACCess=READWrite|READOnly|UNAVailable]              default: READWrite
    [MAXWriters=NOLimit|maximum_writers]                 default: NOLimit
    [REUsedelay=days]                                    default: 1
    [ENCRypt=Yes|No]                                     default: Yes, note (3)
    [COMPRession=Yes|No]                                 default: Yes
define stgpool cloudstg01 stgtype=cloud cloudtype=swift cloudurl=http://123.234.123.234:5000/v2.0 identity=admin:admin password=protect8991 maxwr=99 reusedelay=2
Define local storage for a cloud-container storage pool

Create a storage pool directory that is named DIR3 in a cloud-container storage pool that is named CLOUDLOCALDISK1.
Protect> define stgpooldirectory cloudstg01 c:\storage\dir3
Start the trace:

Protect: ISP1>trace disable *
Protect: ISP1>trace enable SDCLOUD SDCLOUDJ SDCLOUDDETAIL CLOUDDETAIL ADDMSG
Protect: ISP1>trace begin /tmp/trace.txt maxsize=4000
Check which TLS protocol versions and cipher suites the S3 storage offers:

# nmap -p 443 -Pn 10.10.10.10 --script +ssl-enum-ciphers

Starting Nmap 6.40 ( http://nmap.org ) at 2022-01-13 14:41 CET
Nmap scan report for xxxxxxxxxxx (xxxxxxxxxx)
Host is up (0.00091s latency).
PORT    STATE SERVICE
443/tcp open  xxxxxxxxxxx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

It returns "TLS_RSA_WITH_AES_128_CBC_SHA256" among the TLSv1.2 ciphers. This is the cipher that was disabled in our v8.1.10, v8.1.11 and v8.1.12.0 code.

The same check with OpenSSL, trying every cipher against each protocol version and printing only the combinations the S3 endpoint accepts:

# for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
>   for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
>     openssl s_client -connect s3.local.lu:9021 \
>       -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
>   done
> done
tls1_2: DHE-RSA-AES256-GCM-SHA384
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA256
tls1_2: DHE-RSA-AES128-GCM-SHA256
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA256
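As an added example (not from this page), a POSIX shell helper that reads the nmap ssl-enum-ciphers output shown above, lists the offered suites that lack forward secrecy or use CBC mode, and intersects the offered suites with an allow-list of the suites the Spectrum Protect server still accepts, so a missing overlap is visible before the ANR3556E appears. The allow-list is an assumed input (take it from the release you run), and check_s3_ciphers is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example: parse "nmap --script ssl-enum-ciphers" output, flag offered
# ciphers without forward secrecy or in CBC mode, and check which of them are on
# the client's allow-list (an assumed input: take it from the SP release you run).

# One IANA cipher name per line from ssl-enum-ciphers output read on stdin.
offered_ciphers() {
    awk '/^\|/ { for (i = 1; i <= NF; i++) if ($i ~ /^TLS_[A-Z0-9_]+$/) print $i }'
}

# Plain-RSA key exchange (no DHE/ECDHE): session keys are not forward secret.
without_pfs() { grep -v -E '^TLS_(EC)?DHE_' || true; }

# CBC-mode suites, such as TLS_RSA_WITH_AES_128_CBC_SHA256 discussed above.
cbc_mode() { grep '_CBC_' || true; }

# $1 = file of offered ciphers (one per line); remaining args = client allow-list.
# Prints the intersection; an empty result means no TLS handshake can succeed.
common_ciphers() {
    offered="$1"; shift
    for c in "$@"; do
        grep -Fxq "$c" "$offered" && echo "$c"
    done
    return 0
}

# Scan an endpoint and print the reports. Assumed usage, not a page command:
#   check_s3_ciphers s3.local.lu 9021 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ...
check_s3_ciphers() {
    host="$1"; port="$2"; shift 2
    tmp=$(mktemp)
    nmap -p "$port" -Pn "$host" --script ssl-enum-ciphers | offered_ciphers > "$tmp"
    echo "offered:";             cat "$tmp"
    echo "no forward secrecy:";  without_pfs < "$tmp"
    echo "cbc mode:";            cbc_mode < "$tmp"
    common=$(common_ciphers "$tmp" "$@")
    rm -f "$tmp"
    echo "usable by this client:"
    if [ -z "$common" ]; then
        echo "  none: no cipher in common, the connection will fail"; return 1
    fi
    echo "$common"
}
```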