Securing Communication using TLS

PREDATAR Control23

Tried the IP, same message.

Here is what I did:

1. Installed TSM and OpsCenter 8.1.9
2. Tested OpsCenter and all were working fine
3. Installed TSM Self Signed Certificate on Server, for Ops Center and Client
4. Everything works fine
5. Enabled SSL YES and SSL on Server. Connection works fine. Ops Center works fine. Connection uses TLS 1.2.
However, it uses a self-signed certificate.
6. Obtained Root CA and Intermediate CA and installed them on the server. Generated a CSR, had it signed and installed it on the server in the instance folder. Verified the signed CA is default.

The above actions did this:
1. Ops Center stopped working even though I have not touched the gui-truststore.jks and it still has the default cert256.arm file.
2. Clients complain of SSL connectivity error.
 
OpsCenter: "The certificate that is needed in order to connect to the hub server expired or was not found in the truststore file."
 
On Server:

gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Root CA"
! "Company CA"
- "TSM Server SelfSigned SHA Key"
*- TSM_Server_CA

TEST: openssl s_client -connect localhost:1500
CONNECTED(00000003)
140257202833296:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584443108
Timeout : 300 (sec)
Verify return code: 0 (ok)

On Client:

gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSM_Server_CA

(Yes, I tried to set it as default, but there is no * next to TSM_Server_CA.)

TEST: openssl s_client -tls1_2 -showcerts -trusted_first -connect <IP of TSM Server>:1500
CONNECTED(00000003)
140225484797840:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1584448362
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
 
Can't even access the console now:

03/17/2020 06:09:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 06:29:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 06:29:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 06:29:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 06:49:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 06:49:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 06:49:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 07:09:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 07:09:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 07:09:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 07:29:12 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 07:29:12 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 07:29:12 ANS1029E Communication with the IBM Spectrum Protect server is lost.
03/17/2020 07:40:01 ANS1579E GSKit function gsk_secure_soc_init failed with 420: GSK_ERROR_SOCKET_CLOSED
03/17/2020 07:40:01 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
03/17/2020 07:40:01 ANS1592E Failed to initialize SSL protocol.
03/17/2020 07:40:01 ANS8023E Unable to establish session with server.
 
That was the first thing I did before starting on this adventure.
 
Changed the default certificate to "TSM Server SelfSigned SHA Key" and now I am able to access OpsCenter and the admin console. However, I need to use CA certs.

Now the client says "ANS1692E The certificate is not trusted."
 
Adding the CA certificate is what is causing the problem. I changed all the certificates back to self-signed and it works fine.
 
I think I corrupted cert.kdb, and now the password does not work.
 
Reinstalled TSM, configured it using the cert256 self-signed cert, and everything works fine.
Installed the root CA, intermediate CA and server CA, validated all three, and now all communications are broken. Have a Sev 1 open with IBM, but support is very slow and it's been 5 days now.
 
I fixed it. I wish IBM had better documentation. It is what it is: instructions are just spread around everywhere. Unless you have at least 3 years of experience, you won't know what to look for, and that is the issue with IBM documentation.

A customer is not looking for information on something they already know. They are looking for information about something they don't, and that information is not in one place.
 
Hi,

When you change the certificate server-side, you need to add the new root CA cert to the clients.

Make sure that the TCPS entry in dsm.sys/opt matches the server certificate name. Otherwise, the client will not connect.
 
Thanks a lot Trident.

By certificate name, do you mean the certificate label that appears in the "gsk.... -list cert.kdb" command output, or the certificate CN content?

Also, I now have the self-signed cert set as default on the server, the CA roots and signed cert on the server (not default), and the CA certs imported to the client. Is there any way to connect to 1500 using the CA certificate to test (and not the default)? I want to make sure it's working before changing the default.
 
Hi,
The important name is the CN part. The name in the cert list is only whatever label you gave it.

For a test, from a Linux host:

openssl s_client -connect tsm.server.com:1500
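As an added example (not from the thread, IBM or Trident), a small Python helper that reads an `openssl s_client -showcerts` transcript and reports whether a certificate was actually received and verified and whether the leaf CN matches the name the client dials; it exists because the transcripts posted above end in "Verify return code: 0 (ok)" even though the handshake failed before any certificate was sent, which is easy to misread as a pass. The `HEALTHY` sample, its hostnames and CA names are constructed.

```python
import re

# Output copied from the thread: the handshake aborts before any certificate is
# sent, yet the summary still ends with "Verify return code: 0 (ok)".
FAILED = """CONNECTED(00000003)
140257202833296:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
no peer certificate available
SSL handshake has read 0 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

# Constructed output of a healthy `openssl s_client -showcerts` session
# (hostnames and CA names are made up for this example).
HEALTHY = """CONNECTED(00000003)
Certificate chain
 0 s:/CN=tsm.example.com
   i:/CN=Company CA
 1 s:/CN=Company CA
   i:/CN=Root CA
SSL handshake has read 3124 bytes and written 415 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)
"""

def diagnose(output, expected_cn=None):
    """Summarise an s_client transcript; expected_cn is the name the client
    is configured to connect to (the TCPS/TCPSERVERADDRESS value)."""
    # Leaf-first subject CNs from the "Certificate chain" block; handles both
    # the old "s:/CN=x" and the newer "s:CN = x" layouts.
    subjects = []
    for line in output.splitlines():
        m = re.match(r"^\s*\d+ s:(.*)$", line)
        if m:
            cn = re.search(r"CN\s*=\s*([^/,]+)", m.group(1))
            subjects.append((cn.group(1) if cn else m.group(1)).strip())
    code = re.search(r"Verify return code: (\d+)", output)
    handshake_ok = ("Cipher is (NONE)" not in output
                    and "handshake has read 0 bytes" not in output)
    peer_cert = "no peer certificate available" not in output
    leaf_cn = subjects[0] if subjects else None
    return {
        "handshake_completed": handshake_ok,
        "peer_cert_received": peer_cert,
        # "0 (ok)" only means something when a certificate was actually verified
        "verified": handshake_ok and peer_cert and code is not None and int(code.group(1)) == 0,
        "chain_depth": len(subjects),
        "leaf_cn": leaf_cn,
        "cn_matches": None if expected_cn is None or leaf_cn is None else leaf_cn == expected_cn,
    }
```

Feed it the transcript of a test connection to port 1500 made with `-CAfile` pointing at the root and intermediate chain; only `verified` true together with `cn_matches` true shows that the CA-signed chain is being served and that its CN lines up with the TCPS entry.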