ARCHIVED: Configuring SSL communications on a TSM Backup-Archive client
At Indiana University, compliance with the Security of Information Technology Resources policy (IT-12) requires that university organizational units manage technology resources securely. To comply with IT-12, the Storage and Virtualization team recommends that server administrators configure SSL communications with 256-bit AES encryption on their TSM clients, so that data in flight to the TSM server is encrypted. Once a backup is written to the TSM storage subsystem, it is encrypted at rest on the virtual tape disk array.
To gain both the security and the response-time advantages of backups stored on virtual tape, client servers must not send the TSM server data that the legacy TSM client configuration has already encrypted or compressed. Disk-based backup storage pays off only when the footprint of stored data is kept small, which the TSM server does with compression and data deduplication. How well those work depends on the inbound data: data that has already been encrypted or compressed on the client looks random to the server, so it neither deduplicates nor compresses (it is not "dedupe friendly").
Client-based encryption must therefore be replaced with encryption that leaves the data dedupe friendly: SSL encrypts it in flight, and the disk array encrypts it at rest, so the TSM server receives data it can deduplicate. The new architecture yields a better recovery point objective (RPO) and a shorter recovery time objective (RTO) while still meeting the required encryption controls. Clients currently configured for legacy TSM client-based encryption and compression must remove those settings before installing and configuring SSL.
For instructions on removing legacy TSM client-based encryption and/or compression, see ARCHIVED: At IU, how do I remove client-based encryption and/or compression on a TSM client node?
To configure SSL communications on a TSM Backup-Archive client, follow the appropriate instructions for your operating system:
Windows TSM clients
- Obtain the CA certificate (ComodoAddTrustExternalCARoot.cer) from IUware. The certificate is the same regardless of which TSM server your client backs up to. After you have downloaded it, copy it to the following directory:
    C:\Program Files\Tivoli\TSM\baclient
- Choose a password; it is used to encrypt the key database (dsmcert.kdb). The password is stored encrypted in the stash file (dsmcert.sth), which the TSM client reads to open the key database without prompting. Anyone who can read the stash file can open the key database, but the database created here holds only the server's CA certificate, not a client private key.
- Use the password you chose in place of "password" in the following steps:
- For Windows 32-bit clients:
- Open a command-line window as administrator and enter the following:
    cd C:\Program Files\Tivoli\TSM\baclient\
    set PATH=C:\Program Files\Common Files\Tivoli\TSM\api\gsk8\bin;C:\Program Files\Common Files\Tivoli\TSM\api\gsk8\lib;%PATH%
    gsk8capicmd -keydb -create -populate -db dsmcert.kdb -pw password -stash
    gsk8capicmd -cert -add -db dsmcert.kdb -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -stashed -format ascii -trust enable
- To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
    gsk8capicmd -cert -list all -db dsmcert.kdb -stashed
- To ensure you can successfully open a session with the TSM server,
on the command line, enter:
dsmc q se
- For Windows 64-bit clients:
- Open a command-line window as administrator and enter the following:
    cd C:\Program Files\Tivoli\TSM\baclient
    set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
    gsk8capicmd_64 -keydb -create -populate -db dsmcert.kdb -pw password -stash
    gsk8capicmd_64 -cert -add -db dsmcert.kdb -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -stashed -format ascii -trust enable
- To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
    gsk8capicmd_64 -cert -list all -db dsmcert.kdb -stashed
- To ensure you can successfully open a session with the TSM server,
on the command line, enter:
dsmc q se
- Open the dsm.opt file in Notepad; on the command line, enter:
    notepad "C:\Program Files\Tivoli\TSM\baclient\dsm.opt"
- Make these changes to dsm.opt:
- Add these lines:
    SSL YES
    SSLFIPSMODE YES
  Note: For TSM client versions 6.2.4 and below, and for clients running on Mac OS X, do not add the SSLFIPSMODE YES option to dsm.opt.
- Change TCPPORT 1500 to TCPPORT 1542.
- Stop and start the TSM Client Acceptor Service. If it won't start, see dsmwebcl.log for error messages.
- Open the TSM Backup-Archive command line and enter:
    q se
  The output should include a line that looks like:
    SSL Information.........: TLSv1.1 AES-256
Unix/Linux TSM clients
- Obtain the CA certificate (ComodoAddTrustExternalCARoot.cer) from IUware. The certificate is the same regardless of which TSM server your client backs up to. After you have downloaded it, copy it to the following directory:
    /opt/tivoli/tsm/client/ba/bin
- Set the ownership of the certificate to root:root.
- If you normally permit users without root privileges to restore their own data, grant them read access to the dsmcert files once the key database has been created in the next step; from /opt/tivoli/tsm/client/ba/bin, enter:
    chmod go+r dsmcert.*
  These files hold only the trusted CA certificate and the stashed password that opens the key database, not a private key, so read access is acceptable. Do not grant write access: anyone who can alter dsmcert.kdb could add a CA the client would trust.
- Choose a password; it is used to encrypt the key database (dsmcert.kdb). The password is stored encrypted in the stash file (dsmcert.sth), which the Tivoli Storage Manager client reads to open the key database without prompting.
- Use the password you chose in place of "password" in the following steps:
- For 32-bit Unix/Linux platforms:
- Run these commands as root:
    cd /opt/tivoli/tsm/client/ba/bin
    gsk8capicmd -keydb -create -db dsmcert.kdb -pw password -stash
    gsk8capicmd -cert -add -db dsmcert.kdb -pw password -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -format ascii -trust enable
- To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
    gsk8capicmd -cert -list all -db dsmcert.kdb -stashed
- To ensure you can successfully open a session with the TSM server, on the command line, enter:
    dsmc q se
- For 64-bit Unix/Linux platforms:
- Run these commands as root:
    cd /opt/tivoli/tsm/client/ba/bin
    gsk8capicmd_64 -keydb -create -db dsmcert.kdb -pw password -stash
    gsk8capicmd_64 -cert -add -db dsmcert.kdb -label "TSM Server Comodo CA Trust" -file ComodoAddTrustExternalCARoot.cer -stashed -format ascii -trust enable
- To confirm that TSM Server Comodo CA Trust appears in the dsmcert.kdb file, on the command line, enter:
    gsk8capicmd_64 -cert -list all -db dsmcert.kdb -stashed
- To ensure you can successfully open a session with the TSM server,
on the command line, enter:
dsmc q se
- Edit the /opt/tivoli/tsm/client/ba/bin/dsm.sys file and make the following changes:
- Add these lines:
    SSL YES
    SSLFIPSMODE YES
  Note: For TSM client versions 6.2.4 and below, and for clients running on Mac OS X, do not add the SSLFIPSMODE YES option to dsm.sys.
- Change TCPPORT 1500 to TCPPORT 1542.
- Stop and start the TSM Client Acceptor daemon. If it won't start, see dsmwebcl.log for error messages.
- From a command line, enter:
    dsmc q se
  The output should include a line that looks like:
    SSL Information.........: TLSv1.1 AES-256
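The options-file edit and the two verification steps are the same on Windows (dsm.opt) and Unix/Linux (dsm.sys). The following script is an added example, not part of this article or of IBM's TSM tooling: it applies the SSL YES, SSLFIPSMODE YES and TCPPORT 1542 changes to an options file read on standard input, checks that the CA label is present in the gsk8capicmd listing, and checks that the dsmc q se output reports a TLS session with AES-256. It assumes a single SERVERNAME stanza in the options file and that each label line in the gsk8capicmd listing begins with a trust marker; the sample inputs in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the IU KB article or of IBM's TSM tooling.
# It automates the options-file edit the procedure describes (SSL YES,
# SSLFIPSMODE YES, TCPPORT 1500 -> 1542) and checks the two verification
# outputs (the CA label in dsmcert.kdb, the SSL Information line from
# "dsmc q se"). Assumptions: a single SERVERNAME stanza in the options
# file, and a gsk8capicmd listing with one trust marker before each
# label. The sample inputs below are constructed, not captured.

CA_LABEL="TSM Server Comodo CA Trust"
SSL_PORT=1542

# Rewrite an options file (stdin -> stdout). TSM option keywords are
# case-insensitive, so they are compared upper-cased. Existing SSL,
# SSLFIPSMODE and TCPPORT lines are replaced in place, keeping their
# indentation; missing ones are appended. Pass "NO" as $1 for clients
# at 6.2.4 or below or on Mac OS X, where SSLFIPSMODE must not be set.
tsm_enable_ssl_opts() {
    fips="${1:-YES}"
    awk -v fips="$fips" -v port="$SSL_PORT" '
        {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            key = toupper($1)
            if (key == "SSL")     { print indent "SSL YES";       seen_ssl = 1;  next }
            if (key == "TCPPORT") { print indent "TCPPORT " port; seen_port = 1; next }
            if (key == "SSLFIPSMODE") {
                seen_fips = 1
                if (fips == "YES") print indent "SSLFIPSMODE YES"
                next
            }
            print
        }
        END {
            if (!seen_ssl)                   print "SSL YES"
            if (!seen_fips && fips == "YES") print "SSLFIPSMODE YES"
            if (!seen_port)                  print "TCPPORT " port
        }'
}

# Read "gsk8capicmd -cert -list all -db dsmcert.kdb -stashed" output on
# stdin and succeed only if the exact label is present. Label lines start
# with a trust marker (* default, - personal, ! trusted), stripped here.
tsm_keydb_has_label() {
    sed 's/^[-*!#]*[[:space:]]*//' | grep -Fqx -- "$1"
}

# Read "dsmc q se" output on stdin and print the protocol and cipher from
# the "SSL Information" line (prints nothing if the line is absent).
tsm_session_ssl_info() {
    sed -n 's/^[[:space:]]*SSL Information[. ]*:[[:space:]]*//p' | head -n 1
}

# Succeed only if the session reports a TLS protocol with AES-256, which
# is what the procedure expects to see after the acceptor restart.
tsm_session_is_ssl() {
    info=$(tsm_session_ssl_info)
    case "$info" in
        TLSv1*AES-256*) return 0 ;;
        *)              return 1 ;;
    esac
}

# --- constructed samples for an offline run (not real system output) -----
SAMPLE_DSM_SYS='SERVERNAME        tsmserver
   COMMMETHOD     TCPip
   TCPPORT        1500
   TCPSERVERADDRESS tsmserver.example.com
   PASSWORDACCESS generate'

SAMPLE_CERT_LIST='Certificates found
* default, - personal, ! trusted, # secret key
! TSM Server Comodo CA Trust'

SAMPLE_Q_SE='Session established with server TSMSERVER: Linux/x86_64
  SSL Information.........: TLSv1.1 AES-256'

printf '%s\n' "$SAMPLE_DSM_SYS" | tsm_enable_ssl_opts YES
printf '%s\n' "$SAMPLE_CERT_LIST" | tsm_keydb_has_label "$CA_LABEL" && echo "CA label present"
printf '%s\n' "$SAMPLE_Q_SE" | tsm_session_is_ssl && echo "session is TLS with AES-256"
```

On a real client, pipe the existing dsm.sys (or dsm.opt) through tsm_enable_ssl_opts into a new file and move it into place, then pipe the live output of gsk8capicmd_64 -cert -list all -db dsmcert.kdb -stashed and of dsmc q se into the two check functions; pass NO to tsm_enable_ssl_opts on clients at 6.2.4 or below or on Mac OS X.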
This is document bctc in the Knowledge Base.
Last modified on 2018-01-18 17:11:17.