ARCHIVED: Configuring SSL communications on a TSM Backup-Archive client

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

At Indiana University, compliance with the Security of Information Technology Resources policy (IT-12) requires that university organizational units manage technology resources securely. To comply with IT-12, the Storage and Virtualization team recommends that server administrators configure 256-bit SSL communications on their TSM clients so that data in flight to the TSM server is encrypted. When a backup file is written to the TSM storage subsystem, it is encrypted at rest on the virtual tape disk array.

To gain both the security and the response time advantages of having backups stored on virtual tape, client servers must not send the TSM server data that the legacy TSM client configuration has already encrypted or compressed. The key to making disk work in place of tape is to limit the resources that backups require by using technology that reduces the footprint of the stored data; the technologies involved are typically compression and data deduplication. How well compression and deduplication work depends on the inbound data itself (i.e., on whether the data is "dedupe friendly").

TSM client-based encryption must be replaced with dedupe-friendly encryption to achieve the benefit of deduplication. The new architecture yields a better recovery point objective (RPO) and a decreased recovery time objective (RTO), while still achieving the necessary encryption controls. Clients currently configured with legacy TSM client-based encryption and compression must properly remove those settings from their server before installing and configuring SSL.

For instructions on removing legacy TSM client-based encryption and/or compression, see ARCHIVED: At IU, how do I remove client-based encryption and/or compression on a TSM client node?

To configure SSL communications on a TSM Backup-Archive client, follow the appropriate instructions for your operating system:
Windows TSM clients

  1. Obtain the SSL CA signed certificate from IUware (Utilities > TSM). The certificate is the same regardless of the TSM server your client backs up to. After you have downloaded the certificate, copy it to the following directory:
    C:\Program Files\Tivoli\TSM\baclient
  2. You must provide an arbitrary password, which will be used to encrypt the key database. The password is automatically stored encrypted in the stash file (dsmcert.sth). The stash file is used by the TSM client to retrieve the key database password.
  3. Use the password you created to complete the following steps:
    • For Windows 32-bit clients:
      1. Open a command-line window as administrator and enter the following:
        cd C:\Program Files\Tivoli\TSM\baclient\
        
        set PATH=C:\Program Files\Common Files\Tivoli\TSM\api\gsk8\bin;C:\Program Files\Common Files\Tivoli\TSM\api\gsk8\lib;%PATH%
        
        gsk8capicmd -keydb -create -populate -db dsmcert.kdb -pw password -stash
        
        gsk8capicmd -cert -add -db dsmcert.kdb -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -stashed -format ascii -trust enable
      2. To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
        gsk8capicmd -cert -list all -db dsmcert.kdb -stashed
      3. To ensure you can successfully open a session with the TSM server, on the command line, enter:
        dsmc q se
    • For Windows 64-bit clients:
      1. Open a command-line window as administrator and enter the following:
        cd \Program Files\Tivoli\TSM\baclient
        
        set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
        
        gsk8capicmd_64 -keydb -create -populate -db dsmcert.kdb -pw password -stash
        
        gsk8capicmd_64 -cert -add -db dsmcert.kdb -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -stashed -format ascii -trust enable
      2. To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
        gsk8capicmd_64 -cert -list all -db dsmcert.kdb -stashed
      3. To ensure you can successfully open a session with the TSM server, on the command line, enter:
        dsmc q se
  4. Open the dsm.opt file in Notepad; on the command line, enter:
    notepad C:\Program Files\Tivoli\TSM\baclient\dsm.opt
  5. Make these changes to dsm.opt:
    • Add these lines:
      SSL YES
      SSLFIPSMODE YES
      Note:
      For TSM clients running on TSM client versions 6.2.4 and below, or clients running on Mac OS X, do not add the SSLFIPSMODE YES option to dsm.opt.
    • Change TCPPORT 1500 to TCPPORT 1542.
  6. Stop and start the TSM Client Acceptor Service. If it won't start, see dsmwebcl.log for error messages.
  7. Open the TSM Backup-archive command line; on the command line, enter:
    q se

    The output should include a line that looks like:

    SSL Information.........: TLSv1.1 AES-256

Unix/Linux TSM clients

  1. Obtain the SSL CA signed certificate from IUware (Utilities > TSM). The certificate is the same regardless of the TSM server your client backs up to. After you have downloaded the certificate, copy it to the following directory:
    /opt/tivoli/tsm/client/ba/bin
  2. Set the permissions of the certificate so it is owned by root.root.
  3. If you normally permit those without root permissions to restore their own data, you will need to grant them read access to the dsmcert files; on the command line, enter:
    chmod go+r dsmcert.*
  4. You must provide an arbitrary password, which will be used to encrypt the key database. The password is automatically stored encrypted in the stash file (dsmcert.sth). The stash file is used by the Tivoli Storage Manager client to retrieve the key database password.
  5. Use the password you created to complete the following steps:
    • For 32-bit Unix/Linux platforms:
      1. Run these commands as root:
        cd /opt/tivoli/tsm/client/ba/bin
        
        gsk8capicmd -keydb -create -db dsmcert.kdb -pw password -stash
        
        gsk8capicmd -cert -add -db dsmcert.kdb -pw password -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -format ascii -trust enable
      2. To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
        gsk8capicmd -cert -list all -db dsmcert.kdb -stashed
      3. To ensure you can successfully open a session with the TSM server, on the command line, enter:
        dsmc q se
    • For 64-bit Unix/Linux platforms:
      1. Run these commands as root:
        cd /opt/tivoli/tsm/client/ba/bin
        
        gsk8capicmd_64 -keydb -create -db dsmcert.kdb -pw password -stash
        
        gsk8capicmd_64 -cert -add -db dsmcert.kdb -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -stashed -format ascii -trust enable
      2. To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
        gsk8capicmd_64 -cert -list all -db dsmcert.kdb -stashed
      3. To ensure you can successfully open a session with the TSM server, on the command line, enter:
        dsmc q se
  6. Edit the /opt/tivoli/tsm/client/ba/bin/dsm.sys file; make the following changes:
    • Add these lines:
      SSL YES
      SSLFIPSMODE YES
      Note:
      For TSM clients running on TSM client versions 6.2.4 and below, or clients running on Mac OS X, do not add the SSLFIPSMODE YES option to dsm.sys.
    • Change TCPPORT 1500 to TCPPORT 1542.
  7. Stop and start the TSM Client Acceptor daemon. If it won't start, see dsmwebcl.log for error messages.
  8. From a command line, enter:
    dsmc q se

    The output should include a line that looks like:

    SSL Information.........: TLSv1.1 AES-256
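The following audit script is an added example, not part of the IU article and not IBM TSM tooling. It checks a dsm.sys (Unix/Linux) or dsm.opt (Windows) options file for the settings both procedures above require (SSL YES, TCPPORT 1542, and SSLFIPSMODE YES only on clients newer than 6.2.4 that are not Mac OS X), and it inspects saved `dsmc q se` output for the "SSL Information" line shown in step 8. It assumes TSM option keywords are case-insensitive and that comment lines in option files begin with an asterisk; the option files, version numbers, server name and session output it uses are constructed samples, and real `dsmc q se` output contains many more lines than the sample.

```shell
#!/bin/sh
# Added example; not from the IU article and not IBM TSM tooling. Audits a
# dsm.sys (Unix/Linux) or dsm.opt (Windows) options file for the settings the
# procedure above requires and checks saved "dsmc q se" output for the
# "SSL Information" line. Option keywords and values come from the article;
# the option files and session output below are constructed samples.

# version_gt A B: succeed when dotted version A is newer than B (7.1.0 > 6.2.4).
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        lim = (n > m) ? n : m
        for (i = 1; i <= lim; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 1
    }'
}

# get_opt FILE KEYWORD: print the value on the last non-comment line whose
# first word is KEYWORD (assumed: TSM keywords are case-insensitive and
# comment lines in option files start with "*"). Prints an empty line when absent.
get_opt() {
    awk -v key="$2" '
        $1 !~ /^\*/ && toupper($1) == toupper(key) { v = $2 }
        END { print v }' "$1"
}

# check_tsm_opts FILE VERSION PLATFORM: print the names of options that are
# missing or wrong (empty when all is well) and succeed only when the file
# matches the procedure: SSL YES, TCPPORT 1542, and SSLFIPSMODE YES, except
# on clients at 6.2.4 or below and on Mac OS X, where SSLFIPSMODE must be
# left out entirely.
check_tsm_opts() {
    file=$1; ver=$2; platform=$3; bad=""
    [ "$(get_opt "$file" SSL | tr '[:lower:]' '[:upper:]')" = "YES" ] || bad="${bad:+$bad }SSL"
    [ "$(get_opt "$file" TCPPORT)" = "1542" ] || bad="${bad:+$bad }TCPPORT"
    fips=$(get_opt "$file" SSLFIPSMODE | tr '[:lower:]' '[:upper:]')
    if [ "$platform" != "macosx" ] && version_gt "$ver" 6.2.4; then
        [ "$fips" = "YES" ] || bad="${bad:+$bad }SSLFIPSMODE"
    else
        [ -z "$fips" ] || bad="${bad:+$bad }SSLFIPSMODE(remove)"
    fi
    printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# check_session FILE: read saved "dsmc q se" output; print "ok" when the
# session reports TLS with AES-256, "missing" when no SSL Information line is
# present (the session is not protected), or the reported value otherwise.
check_session() {
    info=$(awk -F: '/^ *SSL Information/ { sub(/^ +/, "", $2); print $2; exit }' "$1")
    case "$info" in
        "")            printf 'missing\n'; return 1 ;;
        *TLS*AES-256*) printf 'ok\n'; return 0 ;;
        *)             printf '%s\n' "$info"; return 1 ;;
    esac
}

# Constructed samples written to a scratch directory (removed on exit).
tmp=${TMPDIR:-/tmp}/tsm-ssl-audit.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/dsm.sys.good" <<'EOF'
* constructed sample: configured as the procedure describes
SERVERNAME        tsm.example.edu
TCPSERVERADDRESS  tsm.example.edu
TCPPORT           1542
SSL               YES
SSLFIPSMODE       YES
EOF

cat > "$tmp/dsm.sys.legacy" <<'EOF'
* constructed sample: SSL turned on but port and FIPS mode never changed
SERVERNAME        tsm.example.edu
TCPPORT           1500
SSL               yes
EOF

cat > "$tmp/session.tls" <<'EOF'
Node Name: EXAMPLE-NODE
SSL Information.........: TLSv1.1 AES-256
EOF

cat > "$tmp/session.plain" <<'EOF'
Node Name: EXAMPLE-NODE
EOF

for f in good legacy; do
    printf 'dsm.sys.%s (client 7.1.0, linux): ' "$f"
    check_tsm_opts "$tmp/dsm.sys.$f" 7.1.0 linux || true   # empty line, or the bad options
done
for s in tls plain; do
    printf 'session.%s: ' "$s"
    check_session "$tmp/session.$s" || true
done
```

To use it against a real client, point `check_tsm_opts` at the live dsm.sys or dsm.opt with the installed client version and platform, and feed `check_session` a file captured with `dsmc q se > session.txt`. A non-zero exit from either function means the client is not yet protected as the procedure intends, which is the condition to alert on before trusting that backups travel encrypted.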

Note:
For more on TSM, see the TSM 6.4 Information Center. In the left pane, click IBM Tivoli Storage Manager backup-archive clients.

This is document bctc in the Knowledge Base.
Last modified on 2018-01-18 17:11:17.