Securing Communication using TLS

illllm

ADSM.ORG Member
#21
Tried IP, same message.

Here is what I did:

1. Installed TSM and OpsCenter 8.1.9
2. Tested OpsCenter and all were working fine
3. Installed TSM Self Signed Certificate on Server, for Ops Center and Client
4. Everything works fine
5. Enabled SSL YES and SSL on Server. Connection works fine. Ops Center works fine. Connection uses TLS 1.2.
However, it uses a self-signed certificate.
6. Obtained Root CA and Intermediate CA and installed them in Server. Generated CSR and had it signed and installed on server in instance folder. Verified Signed CA is default.

The above actions did this:
1. Ops Center stopped working even though I have not touched the gui-truststore.jks and it still has the default cert256.arm file.
2. Clients complain of SSL connectivity error.
 

illllm

ADSM.ORG Member
#22
OpsCenter: "The certificate that is needed in order to connect to the hub server expired or was not found in the truststore file."
 

illllm

ADSM.ORG Member
#23
On Server:

gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
- "TSM Server SelfSigned SHA Key"
*- TSM_Server_CA

TEST: openssl s_client -connect localhost:1500
CONNECTED(00000003)
140257202833296:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584443108
Timeout : 300 (sec)
Verify return code: 0 (ok)




On Client:

gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSM_Server_CA

(Yes, I tried to set it as default, but there is no * next to the TSM_Server_CA)

TEST: openssl s_client -tls1_2 -showcerts -trusted_first -connect <IP of TSM Server>:1500
CONNECTED(00000003)
140225484797840:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584448362
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
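
Added example (not part of the posts above, and not IBM tooling): a parser for the two gsk8capicmd_64 -cert -list listings in post #23, using the flag legend they print, that reports each database's default certificate and the trusted signer labels present on the server but absent from the client database. Matching by label is an assumption of this example; labels are arbitrary names, so a real check would compare certificate fingerprints.

```python
import re

# Flag legend printed by gsk8capicmd: * default, - personal, ! trusted, # secret key
FLAGS = {"*": "default", "-": "personal", "!": "trusted", "#": "secret key"}
ENTRY = re.compile(r'^\s*([*\-!#]+)\s+"?(.*?)"?\s*$')

# Listings copied from post #23 (server cert.kdb, client dsmcert.kdb).
SERVER = '''Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
- "TSM Server SelfSigned SHA Key"
*- TSM_Server_CA'''
CLIENT = '''Certificates found
* default, - personal, ! trusted, # secret key
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSM_Server_CA'''

def parse_listing(text):
    """Map each certificate label to the set of flag names shown before it."""
    certs = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m is None or line.strip().startswith("* default,"):
            continue  # header or legend line, not a certificate entry
        certs[m.group(2)] = {FLAGS[c] for c in m.group(1)}
    return certs

def default_label(certs):
    """Label of the single default certificate, or None if there is not exactly one."""
    found = [label for label, flags in certs.items() if "default" in flags]
    return found[0] if len(found) == 1 else None

def missing_signers(server, client):
    """Trusted (signer) labels in the server database with no entry in the client's."""
    return sorted(l for l, f in server.items() if "trusted" in f and l not in client)

if __name__ == "__main__":
    srv, cli = parse_listing(SERVER), parse_listing(CLIENT)
    print("server default certificate:", default_label(srv))
    print("client default certificate:", default_label(cli))
    print("server signer labels absent on client:", missing_signers(srv, cli))
```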
 

illllm

ADSM.ORG Member
#24
Can't even access the console now:


03/17/2020 06:09:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 06:29:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 06:29:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 06:29:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 06:49:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 06:49:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 06:49:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 07:09:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 07:09:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 07:09:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 07:29:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 07:29:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 07:29:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 07:40:01 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 07:40:01 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 07:40:01 ANS1592E Failed to initialize SSL protocol.
03/17/2020 07:40:01 ANS8023E Unable to establish session with server.
 

illllm

ADSM.ORG Member
#27
Changed the default certificate to "TSM Server SelfSigned SHA Key" and now I am able to access OpsCenter and admin console. However, I need to use CA certs.

Now the client says "ANS1692E The certificate is not trusted."
 

illllm

ADSM.ORG Member
#30
Reinstalled TSM, configured using cert256 self signed cert and everything works fine.
Installed root CA, inter CA and server CA, validated all three and now all communications are broken. Have sev 1 open with IBM but support is very slow and it's been 5 days now.
 

illllm

ADSM.ORG Member
#31
I fixed it. I wish IBM had better documentation. It is what it is: instructions are just spread around everywhere. Unless you have at least 3 years' experience you won't know what to look for, and that is the issue with IBM documentation.

A customer is not looking for information about something they already know. They are looking for information about something they don't, and that information is not in one place.
 
