Securing Communication using TLS

illllm

ADSM.ORG Member
#1
Hey Everyone!

Good day and hope everyone is safe from the Virus!

Quick question:

I have a TSM Server version 8.1.8
Client 8.1.8

I am trying to secure communications:

I created a CSR, sent it to our CA server, got back a root CA cert and a production CA cert.

I installed them on the server

I copied them to the client and installed them using dsmcert command

I added SSL YES option in DSM.sys on the client

I added SSLTLS12 YES in the dsmserv.opt on the server

I am getting an error ANS1592E Failed to initialize SSL

If I comment out SSL YES and set the connection on the server to transitional, it works.

However, I need to enable SSLTLS and it's not working. Would you know what the causes are?
 

Trident

TSM noob with 12 years expirience
ADSM.ORG Moderator
#4
Hi,
Can you print out the content from your server cert.kdb?
gsk8capicmd_64 -cert -list -db cert.kdb -stashed

On the clients, you only need to add the CA certificate, unless it is there by default.

-= Trident =-
 

illllm

ADSM.ORG Member
#5
CA is installed on the client.

On the server, if I enable CompanyCA.crt as default, OpsCenter fails to work. It only works if I use cert256.arm.
 

illllm

ADSM.ORG Member
#7
Maybe I am doing something wrong here, so starting from the basics:

1. How do I create a CSR in TSM for securing client/server communications?

I tried using ikeyman to generate a CSR but I am not able to receive the signed CA back into ikeyman.
 

Trident

TSM noob with 12 years expirience
ADSM.ORG Moderator
#8
Hi,

Add trusted root certificates.

gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Root CA" -file root.crt -trust enable
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Sub CA" -file subca.crt -trust enable

Create certificate request
gsk8capicmd_64 -certreq -create -db cert.kdb -stashed -label DescriptiveName -sigalg sha256 -size 2048 -ku "digitalSignature,keyEncipherment,keyAgreement" -eku "clientAuth,serverAuth" -dn "CN=tsmname.domain.com,OU=backup,O=YourOrg,C=US" -file wildcard.csr

Send file (wildcard.csr) away to be signed

Rename returned file, in this case, rename your returned file (the certificate) to wildcard.crt

gsk8capicmd_64 -cert -receive -db cert.kdb -stashed -file wildcard.crt -default_cert yes

List certificates in your store, the default certificate will be marked

gsk8capicmd_64 -cert -list -db cert.kdb -stashed

Restart SP server

Check certificate:
openssl s_client -connect tsm12.domain.com:1500

All of the above is based on a Unix/AIX environment. Same for Windows, but a tad more stuff about path settings.

-= Trident =-
 

Trident

TSM noob with 12 years expirience
ADSM.ORG Moderator
#10
Hi,

Dsmcad does not transmit any data. It only starts dsmc schedule to find the next schedule.
 

illllm

ADSM.ORG Member
#14
Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
! "TSM Server CA"
*- "TSM Server SelfSigned SHA Key"


I see the problem now.

How do I change the default one to TSM Server CA ?
 
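To see why the default cannot simply be switched to "TSM Server CA": an added Python example (not code from this thread or from IBM) that parses the listing above and reports which labels actually hold a private key and so are eligible for -default_cert / -setdefault. It assumes the flag meanings printed in the listing's own legend and that only a personal entry can be the server's default.

```python
import re
from typing import List, NamedTuple, Optional

class KdbEntry(NamedTuple):
    label: str
    default: bool    # '*' : the certificate the server presents
    personal: bool   # '-' : private key is stored in the kdb
    trusted: bool    # '!' : trusted as a CA / signer

# Listing copied from the post above (closing quote on line 3 restored).
SAMPLE_LISTING = """Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
! "TSM Server CA"
*- "TSM Server SelfSigned SHA Key"
"""

# Flag characters, then a quoted label; a missing closing quote is tolerated.
_ENTRY = re.compile(r'^([*\-!#]+)\s+"(.*?)"?\s*$')

def parse_listing(text: str) -> List[KdbEntry]:
    """Turn the gsk8capicmd listing into structured entries (legend skipped)."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            flags, label = m.groups()
            entries.append(KdbEntry(label, "*" in flags, "-" in flags, "!" in flags))
    return entries

def default_label(text: str) -> Optional[str]:
    """Label of the certificate currently marked default, if any."""
    return next((e.label for e in parse_listing(text) if e.default), None)

def can_be_default(text: str, label: str) -> bool:
    """Only a personal entry (private key present) can be set as default.
    A CA certificate added with '-cert -add' is trusted-only, so it can never
    be the server's own certificate; the signed reply to the CSR has to be
    imported with '-cert -receive' for its label to show up as personal."""
    return any(e.personal for e in parse_listing(text) if e.label == label)

if __name__ == "__main__":
    print("default:", default_label(SAMPLE_LISTING))
    for e in parse_listing(SAMPLE_LISTING):
        print(f"{e.label!r}: personal={e.personal} trusted={e.trusted}")
```

In the listing above every CA label is trusted-only, so the self-signed key is the only entry the server can present; the fix is to receive the CA-signed server certificate into the kdb rather than to re-point the default at a CA entry.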

illllm

ADSM.ORG Member
#17
On Server
1. Installed root CA
2. Installed Intermediate CA
3. generated CSR
4. Received signed CSR
5. Imported signed CER into server
6. Copied CER to client and imported into DB
7. Set CER on client as default


Client dsm.sys file

servername test
COMMMethod TCPip
TCPPort 1500
HTTPPORT 1585
* WEBPORTS 1586
ssldisablelegacytls yes
TCPServeraddress xxx
RESOURCEUTIL 2
PASSWORDACCESS generate
TCPBUFFSIZE 32
TCPWINDOWSIZE 64
TXNBYTELIMIT 2048
TCPNODELAY yes
COMPRESSION no
MANAGEDSERVICES schedule webclient
NODENAME test
SSL YES
 

illllm

ADSM.ORG Member
#18
openssl s_client -connect x.x.x.x:1500
CONNECTED(00000003)
140170456819600:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584380182
Timeout : 300 (sec)
Verify return code: 0 (ok)
 
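A way to read transcripts like the one above without being misled by "Verify return code: 0 (ok)": an added Python example, not code from the thread, that classifies an s_client transcript. The failing transcript is abridged from the post; the working one is constructed for contrast, and the triage rule it encodes is that a verify code of 0 means nothing until a peer certificate and a real cipher were actually negotiated.

```python
import re
from typing import Any, Dict

FAILED = """CONNECTED(00000003)
140170456819600:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""  # abridged from the post above

WORKING = """CONNECTED(00000003)
Certificate chain
 0 s:CN = tsm12.domain.com
SSL handshake has read 3521 bytes and written 433 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
"""  # constructed sample of a healthy endpoint, not from the thread

_HANDSHAKE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_VERIFY = re.compile(r"Verify return code: (\d+) \(([^)]*)\)")
_CIPHER = re.compile(r"Cipher is \(?([^)\n]+?)\)?\s*$", re.M)

def parse_s_client(text: str) -> Dict[str, Any]:
    """Pull out the fields that decide whether a TLS session really happened."""
    hs = _HANDSHAKE.search(text)
    ver = _VERIFY.search(text)
    cip = _CIPHER.search(text)
    return {
        "connected": "CONNECTED(" in text,                       # TCP reached the port
        "handshake_error": "ssl handshake failure" in text,      # library reported a failure
        "peer_cert": "no peer certificate available" not in text and "Certificate chain" in text,
        "bytes_read": int(hs.group(1)) if hs else 0,             # 0 read = server sent nothing
        "cipher": cip.group(1) if cip else "NONE",
        "verify_code": int(ver.group(1)) if ver else -1,
    }

def triage(text: str) -> str:
    """Classify: verify code 0 only counts once a certificate was received."""
    r = parse_s_client(text)
    if not r["connected"]:
        return "tcp-connect-failed"
    if r["handshake_error"] or not r["peer_cert"] or r["bytes_read"] == 0 or r["cipher"] == "NONE":
        return "handshake-failed"      # port answered but no TLS session was set up
    if r["verify_code"] != 0:
        return "chain-not-trusted"     # TLS works; CA is not in openssl's trust store
    return "tls-ok"

if __name__ == "__main__":
    for name, t in (("thread transcript", FAILED), ("working endpoint", WORKING)):
        print(f"{name}: {triage(t)}  {parse_s_client(t)}")
```

For the transcript above this yields "handshake-failed": the port accepted the TCP connection but returned no TLS data at all, which is what you see when the server side is not yet presenting a usable certificate on that port.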
