Question
How do I configure the client management service to communicate with TSM servers using SSL?
Cause
The client management service is used by the Tivoli Storage Manager Operations Center to collect log information from backup-archive client computer systems. In order to function, it must be configured to authenticate to the Tivoli Storage Manager server hosting the client node. In the event that the server is configured for SSL client communications, there are some manual steps required to configure the client management service.
Answer
To use the Secure Sockets Layer (SSL) protocol to secure communications between the client management service and the Tivoli Storage Manager (TSM) server, you must add the SSL certificate of the TSM server to the truststore file of the client management service.
Before you begin
The server truststore of the client management service is a container for SSL certificates that the client management service can access. To set up the SSL communication between the client management service and the TSM server, you must create the server truststore file (or add certificates to it, if you have already created it for a different TSM server).
Procedure to create server truststore
To ensure that SSL ports are set on the TSM server, complete the following steps:
From the TSM command line, issue the following command on the TSM server:
QUERY OPTION SSL*
The results include four server options, as shown in the following example:
Server Option        Option Setting
------------------------------
SSLTCPPort           3700
SSLTCPADMINPort      3800
SSLTLS12             No
SSLFIPSMODE          No
If the SSLTLS12 option is set to YES, copy the cert256.arm file to the client machine that you want to configure for SSL communications with the TSM server. Otherwise, copy the cert.arm file to the client machine.
On the client machine, open the IBM Key Management window by issuing the ikeyman command. You can find the tool in the directory where you ran the client management service installer. For example, execute the following: cmsInstaller/im64/jre_6.0.0.sr9_20110208_03/jre/bin/ikeyman.exe
Click Key Database File -> New to create a new truststore. Choose the key database type JKS. Specify svr-truststore.jks for the file name and specify the following path for the location:
cmsInstallDir/cms/Liberty/usr/servers/cmsServer
You are prompted for a password to protect the truststore. Choose a password that is meaningful to you -- you will need it if you want to add more certificates to the truststore later.
Choose Signer Certificates, then select Add. You are prompted for the file name of the certificate file that you want to add to the truststore. Select the certificate you copied from the TSM server (either cert.arm or cert256.arm).
Procedure to add certificates to an existing server truststore
Adding certificates to an existing truststore is similar to creating a new truststore.
From the TSM command line, issue the following command on the TSM server:
QUERY OPTION SSL*
The results include four server options, as shown in the following example:
Server Option        Option Setting
------------------------------
SSLTCPPort           3700
SSLTCPADMINPort      3800
SSLTLS12             No
SSLFIPSMODE          No
If the SSLTLS12 option is set to YES, copy the cert256.arm file to the client machine that you want to configure for SSL communications with the TSM server. Otherwise, copy the cert.arm file to the client machine.
On the client machine, open the IBM Key Management window by issuing the ikeyman command. You can find the tool in the directory where you ran the client management service installer. For example, execute the following:
Instead of creating a new truststore, you must add certificates to an existing truststore. Click Key Database File -> Open and choose svr-truststore.jks for the client management service at the following location:
cmsInstallDir/cms/Liberty/usr/servers/cmsServer
You must enter the password you used when you created the truststore.
Choose Signer Certificates, then select Add. You are prompted for the file name of the certificate file that you want to add to the truststore. Select the certificate you copied from the TSM server (either cert.arm or cert256.arm).
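The following Python script is an added example, not part of the original technote or IBM's tooling. It applies to both procedures above: it parses QUERY OPTION SSL* output to pick the certificate file according to the SSLTLS12 rule, and computes a SHA-256 fingerprint of the .arm file so the copy on the client machine can be compared with the file on the TSM server before it is added as a signer certificate. It assumes the .arm file is a base64-armored certificate with BEGIN/END CERTIFICATE markers; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: QUERY OPTION SSL* output using the values shown above.
SAMPLE_QUERY_OUTPUT = """\
Server Option        Option Setting
------------------------------
SSLTCPPort           3700
SSLTCPADMINPort      3800
SSLTLS12             No
SSLFIPSMODE          No
"""

# Constructed placeholder bytes, NOT a real certificate; only the armor matters here.
SAMPLE_DER = b"constructed placeholder bytes standing in for DER certificate data"
SAMPLE_ARM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def parse_ssl_options(text):
    """Return {OPTION_NAME_UPPERCASED: setting} from QUERY OPTION SSL* output."""
    options = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(SSL\w+)\s+(\S+)\s*$", line, re.IGNORECASE)
        if m:
            options[m.group(1).upper()] = m.group(2)
    return options


def certificate_to_copy(options):
    """cert256.arm when SSLTLS12 is YES, otherwise cert.arm (the rule on this page)."""
    tls12 = options.get("SSLTLS12", "No").upper() == "YES"
    return "cert256.arm" if tls12 else "cert.arm"


def arm_sha256_fingerprint(arm_text):
    """Colon-separated SHA-256 over the decoded bytes of an armored certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  arm_text, re.DOTALL)
    if not m:
        raise ValueError("no armored certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print("Copy:", certificate_to_copy(parse_ssl_options(SAMPLE_QUERY_OUTPUT)))
    print("SHA-256:", arm_sha256_fingerprint(SAMPLE_ARM))
```

Run the fingerprint function against the file on the TSM server and against the copy on the client machine; add the certificate to svr-truststore.jks only if the two values match.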