TSM Client Encryption functionality question

Nicke

ADSM.ORG Member
#1
Hi there!

Currently working with a new S.P/TSM 8.1.x PoC Cloud project with Linux servers and have a question:

The customer doesn't accept having the Encryption Certificates managed by the TSM Server (on the cloud side), only by the client. (From the docs, how it works now: .. one random encryption key is generated per session and it is stored on the Tivoli Storage Manager server)

And the /etc/adsm/TSM.PWD file on the client server only seems to contain the encryption passwords and not the whole encryption certificate.

This is my current TSM client node stanza:
Servername TEST44
NODENAME TEST03
Resourceutilization 30
Passwordaccess Generate
TCPSERVERADDRESS *******
ENCRYPTKEY SAVE
ENABLECLIENTENCRYPTKEY YES
ENCRYPTIONTYPE AES256
INCLUDE.ENCRYPT /.../*


For the API there's this option: "DSM_ENCRYPT_CLIENTENCRKEY" but I can't see any other client B/A option like it than what I already have in the dsm.sys stanza.

Thanks for some insight how client encryption should be,
Kind Regards,
Nicke
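
An added example, not part of the post above and not IBM's own tooling: a small Python check that reads a dsm.sys stanza like the one posted and groups its encryption options by who ends up holding the key. The mapping of option values to server-held or client-held keys is an assumption based on IBM's client documentation, and the parser expects full option names rather than abbreviations.

```python
# Added example (not from the thread). Option semantics below are the editor's
# reading of IBM's client documentation and should be checked per version.
SERVER_HELD = {("ENCRYPTKEY", "GENERATE"), ("ENABLECLIENTENCRYPTKEY", "YES")}
CLIENT_HELD = {("ENCRYPTKEY", "SAVE"), ("ENCRYPTKEY", "PROMPT")}

# Constructed sample: the stanza from the post, server address left out.
SAMPLE_STANZA = """\
Servername TEST44
NODENAME TEST03
Resourceutilization 30
Passwordaccess Generate
ENCRYPTKEY SAVE
ENABLECLIENTENCRYPTKEY YES
ENCRYPTIONTYPE AES256
INCLUDE.ENCRYPT /.../*
"""


def parse_stanza(text):
    """Return [(OPTION, value)] pairs; '*' lines are dsm.sys comments."""
    pairs = []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("*"):
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0].upper(), value))
    return pairs


def key_custody(text):
    """Group the stanza's encryption options by who ends up holding the key."""
    report = {"server": [], "client": [], "scope": []}
    for name, value in parse_stanza(text):
        setting = (name, value.upper())
        if setting in SERVER_HELD:
            report["server"].append(f"{name} {value}")
        elif setting in CLIENT_HELD:
            report["client"].append(f"{name} {value}")
        elif name == "INCLUDE.ENCRYPT":
            report["scope"].append(value)  # paths selected for encryption
    return report


if __name__ == "__main__":
    for holder, items in key_custody(SAMPLE_STANZA).items():
        print(f"{holder}: {items or 'none'}")
```

Any entry under "server" is a setting to review when the requirement is that key material stays on the client only.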
 

Nicke

ADSM.ORG Member
#2
So now I've started trying to use these GSKit commands instead to see how it will work:

gsk8capicmd_64 -keydb -create -populate -db <filename>.kdb -pw <password> -stash
gsk8capicmd_64 -cert -create -db server.kdb -stashed -dn "CN=myserver,OU=mynetwork,O=mycompany,C=mycountry" -expire 7300 -label "My self-signed certificate" -default_cert yes
gsk8capicmd_64 -cert -extract -db server.kdb -stashed -label "My self-signed certificate" -format ascii -target mycert.arm
...

//nicke
 
