[HOWTO] The IBM Spectrum Protect server SSL certificate expires after 10 years.

LED888

ADSM.ORG Moderator
The IBM Spectrum Protect server SSL certificate expires after 10 years.

Documentation is needed that explains how to renew the certificate when it expires, or better, before it does.

To verify when the server certificate will expire, the following command must be run from the server instance directory:

gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

In the output, the line starting with Not After : shows when the certificate will expire.

.....
Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Version : X509 V3
Serial : aaabbbcccddd
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : November 15, 2012 11:16:40 AM GMT+01:00
Not After : November 14, 2022 11:16:40 AM GMT+01:00



Here are the steps to create and distribute a new self-signed certificate (cert256.arm):

-Stop the IBM Spectrum Protect server.
-Make a backup copy of the existing certificates and key stores present in the IBM Spectrum Protect server instance folder:
cert256.arm
cert.kdb
cert.sth
cert.rdb
cert.crl

-Delete only the cert256.arm file
-Delete the server's certificate from the key store via the following command:
gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

-Start the IBM Spectrum Protect server. On startup, the server will generate a new certificate and store it in the key store with label "TSM Server SelfSigned SHA Key".
A new cert256.arm file will be created.

The following commands can be used to verify what is in cert.kdb and what is in cert256.arm:
gsk8capicmd_64 -cert -details -file cert256.arm
gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"


The Not After : date should be the same on both.

-For server-to-server communication, run the update server command with forcesync=yes so that the other servers receive the new certificate.

-For backup-archive and API client nodes, update the nodes to sessionsecurity=transitional.

-At each node, make a backup copy of dsmcert.kdb, dsmcert.idx, and dsmcert.sth and then delete the files.

-If a node may connect to multiple servers, it may be preferable to delete only the certificate of the affected IBM Spectrum Protect server, so that the other servers' certificates do not have to be redistributed to that node:

gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed

(note the name of the affected server certificate and use it in the delete command below)
gsk8capicmd_64 -cert -delete -db dsmcert.kdb -stashed -label "<certificate name>"

-Then, connect to the IBM Spectrum Protect server using the backup-archive client node to get the new certificate.

The above is from the following APAR.
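As an added example (not from the original post and not an IBM tool), the following Python check parses the Not After line of gsk8capicmd_64 output, reports how many days remain before the server certificate expires, and confirms that cert.kdb and cert256.arm report the same expiry after the renewal steps above. The sample output is constructed from the listing earlier in this post; keystore_details assumes gsk8capicmd_64 is on PATH and is run from the server instance directory.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of `gsk8capicmd_64 -cert -details` output (trimmed to the lines we parse).
SAMPLE_OUTPUT = """\
Label : TSM Server SelfSigned SHA Key
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : November 15, 2012 11:16:40 AM GMT+01:00
Not After : November 14, 2022 11:16:40 AM GMT+01:00
"""

_NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
_GMT_OFFSET = re.compile(r"^(.*?)\s+GMT([+-])(\d{2}):(\d{2})$")

def parse_not_after(output):
    """Return the 'Not After' timestamp as an aware datetime (UTC if no GMT offset is printed)."""
    match = _NOT_AFTER.search(output)
    if not match:
        raise ValueError("no 'Not After' line found in gsk8capicmd output")
    text, tz = match.group(1), timezone.utc
    offset = _GMT_OFFSET.match(text)
    if offset:  # e.g. "GMT+01:00" -> fixed offset of +1 hour
        text = offset.group(1)
        sign = 1 if offset.group(2) == "+" else -1
        tz = timezone(sign * timedelta(hours=int(offset.group(3)), minutes=int(offset.group(4))))
    return datetime.strptime(text, "%B %d, %Y %I:%M:%S %p").replace(tzinfo=tz)

def days_remaining(output, now=None):
    """Whole days until expiry; `now` may be a datetime, an ISO-8601 string, or None for current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (parse_not_after(output) - now).days

def needs_renewal(output, warn_days=90, now=None):
    """True when the certificate expires within `warn_days`, i.e. renewal should be scheduled now."""
    return days_remaining(output, now) < warn_days

def same_expiry(kdb_output, arm_output):
    """After renewal, cert.kdb and cert256.arm must report the same 'Not After' date."""
    return parse_not_after(kdb_output) == parse_not_after(arm_output)

def keystore_details(db="cert.kdb", label="TSM Server SelfSigned SHA Key"):
    """Run gsk8capicmd_64 in the server instance directory and return its text output."""
    cmd = ["gsk8capicmd_64", "-cert", "-details", "-db", db, "-stashed", "-label", label]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
```

For the cert256.arm side, pass the output of gsk8capicmd_64 -cert -details -file cert256.arm to same_expiry together with the cert.kdb output; the same parser also works on a client's dsmcert.kdb listing.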
 
Since 8.1.21, IBM provides a script to deploy the renewed certificate to clients:
 