More SSL fun stuff

Discussion in 'TSM Operation' started by Mita201, Feb 7, 2018.

  1. Mita201

    I have noticed that, since SSL is mandatory for ISP client-server communication (8.1.4 or 7.1.8), if you have two ISP servers that replicate, and you want to shut down the primary and test whether a (new) client can communicate with the other server for restore, it can't. You need to manually import the SSL certificate of the other server into the client keystore first.
    Which is not a very clever solution.
    Not a question, just noticing....
     
  3. ILCattivo

    Hi Mita201,

    Have you tested that scenario with a variety of client versions?

    What about clients which are pre-v7.1.8, that communicate with a replicating server environment at v7.1.8 & 8.1.2 and above, which connect via TCP/IP?
     
  4. Mita201

    Older clients are OK, since they are not forced to use SSL. Clients 8.1.2 and newer, and 7.1.8, are the clients with problems. Actually, these new clients (at least 8.1.x) will do the certificate exchange with the primary server without intervention, and they will update their dsm.opt (or dsm.sys) with the address of the secondary server as an alternative, but once they need to access it, they will not be able to, nor will they import the SSL cert of the secondary server automatically.
     
  5. ILCattivo

    Hmmm, thanks for the info.

    That certainly doesn't sound good or has not been thought out very well from a DR standpoint since the intro of 7.1.8 & 8.1.2.

    I can see many admins now rushing around their newer client versions, importing the cert for the secondary server to avoid this issue in the event of DR.

    Oh, well.. things like this keep us all in a job I guess.. ;0)
     
  6. RecoveryOne

    Mita,
    Thanks for the info. Something to look forward to whenever I bite the bullet and go up a level.
     