Configuring for SSL communication between client management service and the Tivoli Storage Manager server

by LED888
Question
How do I configure the client management service to communicate with TSM servers using SSL?
Cause
The client management service is used by the Tivoli Storage Manager Operations Center to collect log information from backup-archive client computer systems. In order to function, it must be configured to authenticate to the Tivoli Storage Manager server hosting the client node. In the event that the server is configured for SSL client communications, there are some manual steps required to configure the client management service.

Answer
To use the Secure Sockets Layer (SSL) protocol to secure communications between the client management service and the Tivoli Storage Manager (TSM) server, you must add the SSL certificate of the TSM server to the truststore file of the client management service.

Before you begin

The server truststore of the client management service is a container for SSL certificates that the client management service can access. To set up the SSL communication between the client management service and the TSM server, you must create the server truststore file (or add certificates to it, if you have already created it for a different TSM server).

Procedure to create server truststore

To ensure that SSL ports are set on the TSM server, complete the following steps:
From the TSM command line, issue the following command on the TSM server:
QUERY OPTION SSL*
The results include four server options, as shown in the following example:

Server Option         Option Setting
------------------------------------
SSLTCPPort            3700
SSLTCPADMINPort       3800
SSLTLS12              No
SSLFIPSMODE           No

If the SSLTLS12 option is set to YES, copy the cert256.arm file to the client machine that you want to configure for SSL communications with the TSM server. Otherwise, copy the cert.arm file to the client machine.

On the client machine, open the IBM Key Management window by issuing the ikeyman command. You can find the tool in the directory where you ran the client management service installer. For example, run the following:

cmsInstaller/im64/jre_6.0.0.sr9_20110208_03/jre/bin/ikeyman.exe

Click Key Database File -> New to create a new truststore. Choose the key database type JKS. Specify svr-truststore.jks for the file name and specify the following path for the location:

cmsInstallDir/cms/Liberty/usr/servers/cmsServer

You are prompted for a password to protect the truststore. Choose a password that is meaningful to you -- you will need it if you want to add more certificates to the truststore later.

Choose Signer Certificates, then select Add. You are prompted for the file name of the certificate file that you want to add to the truststore. Select the certificate you copied from the TSM server (either cert.arm or cert256.arm).

Procedure to add certificates to an existing server truststore

Adding certificates to an existing truststore is similar to creating a new truststore.

From the TSM command line, issue the following command on the TSM server:

QUERY OPTION SSL*

The results include four server options, as shown in the following example:

Server Option         Option Setting
------------------------------------
SSLTCPPort            3700
SSLTCPADMINPort       3800
SSLTLS12              No
SSLFIPSMODE           No

If the SSLTLS12 option is set to YES, copy the cert256.arm file to the client machine that you want to configure for SSL communications with the TSM server. Otherwise, copy the cert.arm file to the client machine.

On the client machine, open the IBM Key Management window by issuing the ikeyman command. You can find the tool in the directory where you ran the client management service installer. For example, execute the following:

cmsInstaller/im64/jre_6.0.0.sr9_20110208_03/jre/bin/ikeyman.exe

Instead of creating a new truststore, you must add certificates to an existing truststore. Click Key Database File -> Open and choose svr-truststore.jks for the client management service at the following location:

cmsInstallDir/cms/Liberty/usr/servers/cmsServer

You must enter the password you used when you created the truststore.

Choose Signer Certificates, then select Add. You are prompted for the file name of the certificate file that you want to add to the truststore. Select the certificate you copied from the TSM server (either cert.arm or cert256.arm).
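
Both procedures above use the ikeyman GUI. As an added example (not part of the original FAQ or of IBM's documentation), the same steps can be scripted with the JRE's keytool, which prompts for the truststore password and shows the certificate fingerprints before asking whether to trust it. It assumes keytool is on the PATH, that the QUERY OPTION SSL* output was saved to a text file, and that the certificate file is in the current directory; the alias tsmserver and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: command-line equivalent of the ikeyman steps.
# Assumption: a JRE keytool is on PATH. The alias "tsmserver" is hypothetical.

# Read saved QUERY OPTION SSL* output on stdin; print the certificate to copy.
cert_for_server() {
    awk 'toupper($1) == "SSLTLS12" { v = toupper($2) }
         END { if (v == "YES") print "cert256.arm"; else print "cert.arm" }'
}

# Read the same output on stdin; print one option's value, e.g. SSLTCPPort.
server_option() {
    awk -v opt="$1" 'toupper($1) == toupper(opt) { print $2; exit }'
}

# Add the certificate as a trusted signer to svr-truststore.jks.
# keytool creates the JKS file if it does not exist yet, prompts for the
# truststore password, and displays the certificate before asking to trust it.
import_cert() {  # import_cert <cert-file> <cmsServer-dir> [alias]
    store="$2/svr-truststore.jks"
    keytool -importcert -alias "${3:-tsmserver}" -file "$1" \
            -keystore "$store" -storetype JKS || return 1
    # List the truststore so the new signer entry can be checked.
    keytool -list -v -keystore "$store" -storetype JKS
}

# Constructed sample input that mirrors the FAQ's example listing.
SAMPLE_OPTIONS='Server Option         Option Setting
------------------------------------
SSLTCPPort            3700
SSLTCPADMINPort       3800
SSLTLS12              No
SSLFIPSMODE           No'

# Usage: sh add-tsm-cert.sh <saved-query-output.txt> <path-to-cmsServer-dir>
if [ "$#" -eq 2 ]; then
    cert=$(cert_for_server < "$1")
    echo "Server SSL port: $(server_option SSLTCPPort < "$1")"
    echo "Certificate to import: $cert"
    import_cert "$cert" "$2"
fi
```

Run it once per TSM server, giving each server's certificate a different alias so that an earlier entry is not rejected as a duplicate.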