Securing Communication using TLS

[illllm]

Hey Everyone!

Good day and hope everyone is safe from the Virus!

Quick question:

I have a TSM Server version 8.1.8
Client 8.1.8

I am trying to secure communications:

I created a CSR, sent it to our CA server, got back a root CA cert and a production CA cert.

I installed them on the server

I copied them to the client and installed them using dsmcert command

I added SSL YES option in DSM.sys on the client

I added SSLTSL12 YES in the dsmserv.opt on the server

I am getting an error ANS1592E Failed to initialize SSL

If I comment out SSL YES and sent the connection on the server to transitional, it works.

However, I need to enable SSLTLS and its not working. Would you know what the causes are?

 

[Trident]

Hi,

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.9/srv.admin/t_ssl_srvcfg_srv.html

You also need to set the new certificate to default

gsk8capicmd_64 -cert -setdefault -label NameOfCertificate -db cert.kdb -stashed

-= Trident =-

 

[illllm]

I tried that. I need it to use the CA signed certificate as default. I am not able to do that.

 

[Trident]

Hi,
Can you print out the content from your server cert.kdb?
gsk8capicmd_64 -cert -list -db cert.kdb -stashed

On the clients, you only need to add the CA certificate, unless it is there by default.

-= Trident =-

 

[illllm]

CA is installed on the client.

On the server, if i enable CompanyCA.crt as default, OpsCenter fails to work. It only works if I use cert256.arm.

 

[Trident]

Hi,

Things will break when you switch certificates.

I am not sure what CompanyCA.crt containes. But, if that is the cet request you got signed, then you need to restablish your opcenter SSL. It too need to have the ca certificate installed.

https://www.ibm.com/support/knowled...rv.install/t_oc_inst_ssl_configure_ochub.html

-= Trident =-

 

[illllm]

Maybe I am doing something wrong here so starting from basic:

1. How do I create a CSR in TSM for securing client/server communications?

I tried using ikeyman to generate a CSR but I am not able to receive the signed CA back into ikeyman.

 

[Trident]

Hi,

Add trusted root certificates.

gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Root CA" -file root.crt -trust enable
gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "Sub CA" -file subca.crt -trust enable

Create certificate request
gsk8capicmd_64 -certreq -create -db cert.kdb -stashed -label DescriptiveName -sigalg sha256 -size 2048 -ku "digitalSignature,keyEncipherment,keyAgreement" -eku "clientAuth,serverAuth" -dn "CN=tsmname.domain.com,OU=backup,O=YourOrg,C=US" -file wildcard.csr

Send file (wildcard.csr) away to be signed

Rename returned file, in this case, rename your returned file (the certificate) to wildcard.crt

gsk8capicmd_64 -cert -receive -db cert.kdb -stashed -file wildcard.crt -default_cert yes

List certificates in your store, the default certificate will be marked

gsk8capicmd_64 -cert -list -db cert.kdb -stashed

Restart SP server

Check certificate:
openssl s_client -connect tsm12.domain.com:1500

All above is based on unix/aix envir. Same for windows, but a tad more stuff about path settings.

-= Trident =-

 

[illllm]

I found this statement in the documentation:

Incoming connections (for example, client acceptor, server-initiated schedule connections) do not support SSL.

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.9/client/t_cfg_ssl.html

What does this mean or is it obvious that DSMCAD services do not support SSL / TLS ?

 

[Trident]

Hi,

Dsmcad does not transmit any data. It only starts dsmc schedule to find the next schedule.

 

[illllm]

security scanning shows a node name listening on a port used by TSM scheduler service.

 

[Trident]

Hi,
Can you paste your client dsm.sys/opt files here.

 

[illllm]

Trident , thank you so much! Your explanation is better than the IBM documentation.

 

[illllm]

Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
! "TSM Server CA
*- "TSM Server SelfSigned SHA Key"


I see the problem now.

How do I change the default one to TSM Server CA ?

 

[illllm]

never mind! the command does it!

 

[illllm]

openssl s_client -connect <server>.com:1500
getaddrinfo: Name or service not known
connect:errno=2

 

[illllm]

On Server
1. Installed root CA
2. Installed Intrim CA
3. generated CSR
4. Received signed CSR
5. Imported signed CER into server
6. Copied CER to client and imported into DB
7. Set CER on client as default


Client dsm.sys file

servername test
COMMMethod TCPip
TCPPort 1500
HTTPPORT 1585
* WEBPORTS 1586
ssldisablelegacytls yes
TCPServeraddress xxx
RESOURCEUTIL 2
PASSWORDACCESS generate
TCPBUFFSIZE 32
TCPWINDOWSIZE 64
TXNBYTELIMIT 2048
TCPNODELAY yes
COMPRESSION no
MANAGEDSERVICES schedule webclient
NODENAME test
SSL YES

 

[illllm]

openssl s_client -connect x.x.x.x:1500
CONNECTED(00000003)
140170456819600:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584380182
Timeout : 300 (sec)
Verify return code: 0 (ok)

 

[Trident]

openssl s_client -connect <server>.com:1500
getaddrinfo: Name or service not known
connect:errno=2

Try replacing hostname with an ip. Some dns lookups is not working.

 

[Trident]

Hi,
Did you get things up and running?