Securing Communication using TLS

illllm

ADSM.ORG Member
Joined
Jan 9, 2018
Messages
153
Reaction score
2
Points
0
Hey Everyone!

Good day and hope everyone is safe from the Virus!

Quick question:

I have a TSM Server version 8.1.8
Client 8.1.8

I am trying to secure communications:

I created a CSR, sent it to our CA server, got back a root CA cert and a production CA cert.

I installed them on the server

I copied them to the client and installed them using dsmcert command

I added SSL YES option in DSM.sys on the client

I added SSLTLS12 YES in the dsmserv.opt on the server

I am getting an error: ANS1592E Failed to initialize SSL

If I comment out SSL YES and set the connection on the server to transitional, it works.

However, I need to enable SSLTLS and it's not working. Would you know what the causes are?
 

illllm

I tried that. I need it to use the CA signed certificate as default. I am not able to do that.
 

Trident

TSM/Storage dude
ADSM.ORG Moderator
Joined
Apr 2, 2007
Messages
525
Reaction score
58
Points
0
Location
Oslo, Norway
Website
www.basefarm.no
Hi,
Can you print out the content from your server cert.kdb?
gsk8capicmd_64 -cert -list -db cert.kdb -stashed

On the clients, you only need to add the CA certificate, unless it is there by default.

-= Trident =-
 

illllm

CA is installed on the client.

On the server, if I enable CompanyCA.crt as default, OpsCenter fails to work. It only works if I use cert256.arm.
 

Trident


illllm

Maybe I am doing something wrong here so starting from basic:

1. How do I create a CSR in TSM for securing client/server communications?

I tried using ikeyman to generate a CSR but I am not able to receive the signed CA back into ikeyman.
 

Trident

Hi,

Add the trusted root certificates:

gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Root CA" -file root.crt -trust enable
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Sub CA" -file subca.crt -trust enable

Create the certificate request:
gsk8capicmd_64 -certreq -create -db cert.kdb -stashed -label DescriptiveName -sigalg sha256 -size 2048 -ku "digitalSignature,keyEncipherment,keyAgreement" -eku "clientAuth,serverAuth" -dn "CN=tsmname.domain.com,OU=backup,O=YourOrg,C=US" -file wildcard.csr

Send the file (wildcard.csr) away to be signed.

Rename the returned file (the certificate), in this case to wildcard.crt, and receive it into the store:

gsk8capicmd_64 -cert -receive -db cert.kdb -stashed -file wildcard.crt -default_cert yes

List the certificates in your store; the default certificate will be marked:

gsk8capicmd_64 -cert -list -db cert.kdb -stashed

Restart the SP server.

Check the certificate:
openssl s_client -connect tsm12.domain.com:1500

All of the above is based on a Unix/AIX environment. It is the same for Windows, but with a tad more stuff about path settings.

-= Trident =-
 

illllm

Security scanning shows a node name listening on a port used by the TSM scheduler service.
 

illllm

Trident , thank you so much! Your explanation is better than the IBM documentation.
 

illllm

Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
! "TSM Server CA"
*- "TSM Server SelfSigned SHA Key"


I see the problem now.

How do I change the default one to TSM Server CA?
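
The steps Trident posted above and the cert.kdb listing in this post, as an added example that is not code from the thread: a POSIX shell script that wraps the same gsk8capicmd_64 commands in functions and parses the "-cert -list" output to check whether the label you expect is both the default ("*") and a personal certificate ("-"). Going by the legend in the listing, "TSM Server CA" carries only "!", so it was stored as a trusted CA rather than received against the pending request; it has no private key and cannot be the server's identity whichever entry is marked default. The key-database path, labels, file names, the sample listing and the kdb_set_default wrapper are assumptions (the "-cert -setdefault" subcommand is GSKit's, not something from this thread), and the gsk8capicmd_64 wrappers are defined but not executed by the script.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the gsk8capicmd_64 commands
# Trident posted and adds a checker for the "-cert -list" output format shown
# in the thread. KDB path, labels, file names and kdb_set_default are assumptions.
set -eu

KDB="${KDB:-cert.kdb}"   # assumed location of the server key database

# ---- wrappers around the posted commands (require GSKit; not run below) ----
kdb_add_ca() {          # kdb_add_ca "Root CA" root.crt
    gsk8capicmd_64 -cert -add -db "$KDB" -stashed -label "$1" -file "$2" -trust enable
}
kdb_certreq() {         # kdb_certreq "TSM Server CA" "CN=tsm.example.com,OU=backup,O=YourOrg,C=US" server.csr
    gsk8capicmd_64 -certreq -create -db "$KDB" -stashed -label "$1" -sigalg sha256 -size 2048 \
        -ku "digitalSignature,keyEncipherment,keyAgreement" -eku "clientAuth,serverAuth" \
        -dn "$2" -file "$3"
}
kdb_receive() {         # kdb_receive server.crt  (matched to the pending request's label and key)
    gsk8capicmd_64 -cert -receive -db "$KDB" -stashed -file "$1" -default_cert yes
}
kdb_set_default() {     # kdb_set_default "TSM Server CA"  (assumed GSKit subcommand)
    gsk8capicmd_64 -cert -setdefault -db "$KDB" -stashed -label "$1"
}
kdb_list() {
    gsk8capicmd_64 -cert -list -db "$KDB" -stashed
}

# ---- parsing the listing: legend is "* default, - personal, ! trusted, # secret key" ----
# Print the flag characters in front of a label ("" if the label is absent).
label_flags() {         # label_flags "TSM Server CA" < listing
    awk -v want="$1" '
        index($0, "\"") > 0 {
            q = index($0, "\"")
            flags = substr($0, 1, q - 1); gsub(/[[:space:]]/, "", flags)
            label = substr($0, q + 1); sub(/"[[:space:]]*$/, "", label)
            if (label == want) print flags
        }'
}
# Print the label whose flags contain "*" (the default certificate).
default_label() {       # default_label < listing
    awk '
        index($0, "\"") > 0 {
            q = index($0, "\"")
            if (index(substr($0, 1, q - 1), "*")) {
                label = substr($0, q + 1); sub(/"[[:space:]]*$/, "", label); print label
            }
        }'
}
# Verdict for the listing on stdin. Returns 0 only when the expected label is the
# default AND is personal (has a private key). A "!"-only entry was stored with
# -cert -add rather than received against a CSR and cannot be the server identity.
check_default() {       # check_default "TSM Server CA" < listing
    listing=$(cat)
    have=$(printf '%s\n' "$listing" | default_label)
    flags=$(printf '%s\n' "$listing" | label_flags "$1")
    case "$flags" in
        "")  echo "MISSING: no entry labelled \"$1\""; return 1 ;;
        *-*) ;;
        *)   echo "NOT PERSONAL: \"$1\" has flags '$flags' (trusted CA only, no private key)"; return 1 ;;
    esac
    [ "$have" = "$1" ] || { echo "WRONG DEFAULT: default is \"$have\", expected \"$1\""; return 1; }
    echo "OK: \"$1\" is the default and personal"
}

# Constructed sample in the same format as the listing posted in the thread.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
!  "Root CA"
!  "Company CA"
!  "TSM Server CA"
*- "TSM Server SelfSigned SHA Key"'

printf '%s\n' "$SAMPLE_LISTING" | check_default "TSM Server CA" || :
# prints: NOT PERSONAL: "TSM Server CA" has flags '!' (trusted CA only, no private key)
```

Run kdb_list piped into check_default with the label you expect before restarting the server. A NOT PERSONAL verdict means the signed certificate was never matched with its key; redo the -certreq and -cert -receive pair under that label (the receive step already marks it default), then list again and expect "*-" in front of it.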
 

illllm

openssl s_client -connect <server>.com:1500
getaddrinfo: Name or service not known
connect:errno=2
 

illllm

On Server
1. Installed root CA
2. Installed Intermediate CA
3. generated CSR
4. Received signed CSR
5. Imported signed CER into server
6. Copied CER to client and imported into DB
7. Set CER on client as default


Client dsm.sys file

servername test
COMMMethod TCPip
TCPPort 1500
HTTPPORT 1585
* WEBPORTS 1586
ssldisablelegacytls yes
TCPServeraddress xxx
RESOURCEUTIL 2
PASSWORDACCESS generate
TCPBUFFSIZE 32
TCPWINDOWSIZE 64
TXNBYTELIMIT 2048
TCPNODELAY yes
COMPRESSION no
MANAGEDSERVICES schedule webclient
NODENAME test
SSL YES
 

illllm

openssl s_client -connect x.x.x.x:1500
CONNECTED(00000003)
140170456819600:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584380182
Timeout : 300 (sec)
Verify return code: 0 (ok)
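
The s_client output in this post, read by an added script that is not from the thread: it classifies openssl s_client output so that "Verify return code: 0 (ok)" is not mistaken for a successful TLS check when no certificate was ever received. "SSL handshake has read 0 bytes" together with "no peer certificate available" means the server accepted the TCP connection but never sent a TLS record, so the listener on that port is not speaking TLS and nothing about the certificate was verified. The host name, the tls_probe wrapper and both sample outputs are constructed; only the classifier is run on the samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies "openssl s_client" output
# so the trailing "Verify return code: 0 (ok)" is not read as success when the
# server never presented a certificate. Samples below are constructed.
set -eu

# Read s_client output on stdin and print one of:
#   no-tls-response   TCP connected but the server sent no TLS bytes at all
#   handshake-failed  server answered but the handshake did not complete
#   cert-presented    a server certificate was received; verify code follows
classify_s_client() {
    out=$(cat)
    read_bytes=$(printf '%s\n' "$out" | sed -n 's/^SSL handshake has read \([0-9]*\) bytes.*/\1/p')
    if printf '%s\n' "$out" | grep -q '^no peer certificate available'; then
        if [ "${read_bytes:-0}" -eq 0 ]; then echo no-tls-response; else echo handshake-failed; fi
        return 0
    fi
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    echo "cert-presented verify=${verify:-unknown}"
}

# The probe from Trident's post against a live server, classified.
# </dev/null stops s_client from waiting on stdin. Not executed below.
tls_probe() {   # tls_probe tsm12.domain.com 1500
    openssl s_client -connect "$1:$2" </dev/null 2>&1 | classify_s_client
}

# Constructed sample with the same shape as the output posted in the thread.
SAMPLE_FAIL='CONNECTED(00000003)
140170456819600:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)'

# Constructed, abridged sample of a server that does present a certificate.
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = tsm12.domain.com, OU = backup, O = YourOrg, C = US
verify error:num=20:unable to get local issuer certificate
---
Server certificate
subject=CN = tsm12.domain.com, OU = backup, O = YourOrg, C = US
issuer=CN = Company CA
---
SSL handshake has read 2311 bytes and written 421 bytes
---
    Verify return code: 20 (unable to get local issuer certificate)'

printf '%s\n' "$SAMPLE_FAIL" | classify_s_client   # prints: no-tls-response
printf '%s\n' "$SAMPLE_OK" | classify_s_client     # prints: cert-presented verify=20
```

Once a certificate is presented, the verify code is only meaningful if openssl trusts the issuer: pass the root you installed with the standard -CAfile option (openssl s_client -connect host:1500 -CAfile root.crt); without it the expected result for a private CA is verify=20 (unable to get local issuer certificate), not an error in the server setup.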
 
