ARCHIVED: At IU, how do I remove client-based encryption and/or compression on a TSM client node?
At Indiana University, compliance with the Security of Information Technology Resources policy (IT-12) requires that university organizational units manage technology resources securely. To comply with IT-12, the Storage and Virtualization team recommends that server administrators configure 256-bit SSL communications on their TSM clients so that data in flight to the TSM server is encrypted. When a backup file is written to the TSM storage subsystem, it is encrypted at rest on the virtual tape disk array.
To gain both the security and the response-time advantages of storing backups on virtual tape, client servers must not send the TSM server data that the legacy TSM client configuration has already encrypted or compressed. The key to success with disk versus tape is to limit the resources required to perform backups by using technology that reduces the footprint of stored data. The technologies involved are typically compression and data deduplication. How well compression and deduplication work depends on the population of inbound data (i.e., whether the data is "dedupe friendly"); data that the client has already encrypted or compressed leaves little redundancy for either to find.
TSM client-based encryption must be replaced with dedupe-friendly encryption to achieve the benefit of deduplication. The new architecture yields a better recovery point objective (RPO) and a decreased recovery time objective (RTO), while still achieving the necessary encryption controls. Clients currently configured to use legacy TSM client-based encryption and compression must properly remove that configuration from their server before installing and configuring SSL.
You will be prompted to enter your encryption password when you attempt to restore files that were stored on TSM using client-based encryption; this is the same password you used when you originally configured client-based encryption.
To remove client-based encryption and/or compression from your TSM configuration files, follow the appropriate instructions for your operating system:
Linux
- Make a copy of the current dsm.opt and dsm.sys files in case you need to revert to them.
- Remove these lines from the dsm.sys file:
    encryptiontype aes128
    encryptkey save
    compression yes
  Save your changes.
- Remove this statement from the dsm.opt file:
    compressalways no
  Save your changes.
- Remove this statement from the /etc/adsm.inclexcl file:
    include.encrypt "/.../*"
  Then, remove any exclude.compress statements from the /etc/adsm.inclexcl file. Save your changes.
- From a terminal session, run dsmc q se to confirm no syntax errors were introduced to the files.
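A check to run after the Linux edits above, as an added example that is not part of the original document or IU's tooling: it lists any of the options this page says to remove that are still active in the files passed to it. The sample file contents, server name and address are constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: list client-side encryption/compression options still active
# in TSM client option files. Option names are the ones this page says to
# remove; matching is case-insensitive, and '*' comment lines never match.

LEGACY_OPTS='encryptiontype|encryptkey|compression|compressalways|include[.]encrypt|exclude[.]compress'

# find_legacy_opts FILE...  prints file:line:text for each leftover option.
# Returns 0 = clean, 1 = leftovers found, 2 = a file could not be read.
find_legacy_opts() {
    found=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read: $f" >&2
            return 2
        fi
        # /dev/null as a second operand makes grep print the file name.
        if grep -n -i -E "^[[:space:]]*($LEGACY_OPTS)([[:space:]]|\$)" "$f" /dev/null; then
            found=1
        fi
    done
    return "$found"
}

# Constructed sample dsm.sys (hypothetical server name and address).
write_sample_dsm_sys() {
    cat > "$1" <<'EOF'
* encryptkey save  -- commented out, must be ignored
SErvername        tsm_example
   TCPServeraddress  tsm.example.edu
   EncryptionType    AES128
   compression       yes
EOF
}

# Demo on the constructed sample; on a real node pass your dsm.sys, dsm.opt
# and /etc/adsm.inclexcl instead.
demo() {
    sample=$(mktemp) || return 2
    write_sample_dsm_sys "$sample"
    find_legacy_opts "$sample"
    status=$?
    rm -f "$sample"
    return "$status"
}

demo || echo "legacy client-side options are still present"
```

A non-zero return means at least one option survived the edit; it complements, and does not replace, the dsmc q se syntax check in the last step.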
Windows
- Make a copy of the current dsm.opt file in case you need to revert to it.
- Remove these lines from the dsm.opt file:
    encryptiontype aes128
    encryptkey save
    include.encrypt "*\...\*"
    compression yes
    compressalways no
- Remove any exclude.compress statements from the dsm.opt file. Save your changes.
- From the TSM Backup-Archive command line, run q se to confirm no syntax errors were introduced to the files.
This is document bctd in the Knowledge Base.
Last modified on 2018-01-18 17:11:19.