ARCHIVED: At IU, how do I remove client-based encryption and/or compression on a TSM client node?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

At Indiana University, compliance with the Security of Information Technology Resources policy (IT-12) requires that university organizational units manage technology resources securely. To comply with IT-12, the Storage and Virtualization team recommends that server administrators configure 256-bit SSL communications on their TSM clients so that data in flight to the TSM server is encrypted. When a backup file is written to the TSM storage subsystem, it is encrypted at rest on the virtual tape disk array.

To gain both the security and the response time advantages of having backups stored on virtual tape, client servers must not send the TSM server data that the legacy TSM client configuration has already encrypted or compressed. The key to success with disk versus tape is to limit the resources required to perform backups by using technology that reduces the footprint of the data stored. The technologies involved are typically compression and data deduplication. The success of compression and deduplication is controlled by the population of inbound data (i.e., whether the data is "dedupe friendly"). Data that the client has already encrypted or compressed is not dedupe friendly, because it no longer contains the repeated patterns that compression and deduplication depend on.

TSM client-based encryption must be replaced with dedupe-friendly encryption to achieve the benefit of deduplication. The new architecture yields better recovery point objective (RPO) and decreased recovery time objective (RTO), while still achieving necessary encryption controls. Clients currently configured to leverage legacy TSM client-based encryption and compression must properly remove it from their server before installing and configuring SSL.

You will be prompted to enter your encryption password when you attempt to restore files that were stored on TSM using client-based encryption; this is the same password you used when you originally configured client-based encryption.

To remove client-based encryption and/or compression from your TSM configuration files, follow the appropriate instructions for your operating system:


Linux

  1. Make a copy of the current dsm.opt and dsm.sys files in case you need to revert to them.
  2. Remove these lines from the dsm.sys file:
      encryptiontype aes128
      encryptkey save
      compression yes
    Save your changes.
  3. Remove this statement from the dsm.opt file:
      compressalways no
    Save your changes.
  4. Remove this statement from the /etc/adsm.inclexcl file:
      include.encrypt "/.../*"
    Then, remove any exclude.compress statements from the /etc/adsm.inclexcl file.

    Save your changes.

  5. From a terminal session, run dsmc q se to confirm no syntax errors were introduced to the files.
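
The Linux steps above as a script, added here as an example (not IU's or IBM's tooling): it copies each file to FILE.pre-ssl and then strips the listed statements. It assumes full, unabbreviated option names and goes slightly beyond the listed lines by matching each option with any value; the function names, the .pre-ssl suffix, the script name and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example (not IU's or IBM's script): remove the legacy client-side
# encryption/compression statements listed in the steps above.

# Option names from the page, matched case-insensitively at the start of a
# line, whatever their value. exclude.compress is matched as a prefix so
# longer spellings of that name are caught too. Assumption: options are
# written with their full names, not abbreviated.
LEGACY_RE='^[[:space:]]*(encryptiontype|encryptkey|compression|compressalways|include\.encrypt|exclude\.compress[a-z]*)([[:space:]]|$)'

# Print legacy statements still present in FILE as "lineno:text".
# Exit status 0 means at least one was found, 1 means the file is clean.
legacy_lines() {
    grep -n -i -E "$LEGACY_RE" "$1"
}

# Step 1: keep a copy as FILE.pre-ssl. Steps 2-4: rewrite FILE without
# the legacy statements. Comments and all other options are left alone.
strip_legacy() {
    file=$1
    [ -f "$file" ] || { echo "skip: $file not found" >&2; return 1; }
    cp -p "$file" "$file.pre-ssl" || return 1
    # grep -v exits 1 when no line survives; only status 2 is an error.
    grep -v -i -E "$LEGACY_RE" "$file.pre-ssl" > "$file.tmp" \
        || [ $? -eq 1 ] || return 1
    # Write through cat so the original file keeps its owner and mode.
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Constructed sample dsm.sys for a dry run; server name and address are
# made up for illustration.
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample, not a real IU configuration
SErvername  tsm_example
   TCPServeraddress  tsm.example.edu
   encryptiontype aes128
   encryptkey save
   compression yes
   passwordaccess generate
EOF
}

# Usage (hypothetical script name, caller's paths):
#   sh strip_legacy.sh /path/to/dsm.sys /path/to/dsm.opt /etc/adsm.inclexcl
for f in "$@"; do
    strip_legacy "$f" && echo "cleaned $f, copy kept in $f.pre-ssl"
done
```

Running legacy_lines on a file before and after shows which statements were present and confirms none remain; the dsmc q se check in step 5 still applies.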

Windows

  1. Make a copy of the current dsm.opt file in case you need to revert to it.
  2. Remove these lines from the dsm.opt file:
      encryptiontype aes128
      encryptkey save
      include.encrypt "*\...\*"
      compression yes
      compressalways no
  3. Remove any exclude.compress statements from the dsm.opt file.

    Save your changes.

  4. From the TSM Backup-Archive command line, run q se to confirm no syntax errors were introduced to the files.

Note: For more on TSM, see the TSM 6.4 Information Center. In the left pane, click IBM Tivoli Storage Manager backup-archive clients.

This is document bctd in the Knowledge Base.
Last modified on 2018-01-18 17:11:19.