
TSM Operations Center - self signed certificate replacement

skentzle

ADSM.ORG Member
#2
A short description of how to prevent the certificate warning when opening TSM OC:
After a fresh installation of TSM OC and configuration of the server(s), a certificate warning always occurs because of a self-signed web server certificate (localhost, guiserver, ...). I didn't find any documentation on how to replace the certificate, so I tried it yesterday at my own risk. Here are the steps (my TSM OC is running on SLES - there may be different paths on other platforms):
1. Log in as the root user and stop the guiserver: /etc/init.d/opscenter.rc stop
2. Make a backup of your server (dsmc i) to back up the gui-truststore.jks file (I made a simple copy) in case something goes wrong
3. Start ikeyman and open the gui-truststore.jks database (remember the password you used at installation time) - the file is located in /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer
4. Create a new certificate request and provide all the necessary information (this depends on your hostname and CA requirements) - name the key label (e.g. IBM TSM OC), choose a key length of 2048 and the sha1withrsa algorithm
5. The request is saved as /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer/certreq.arm - use this and send it to your CA
6. When you have received your certificate, copy the file to your OC server and open ikeyman
7. Rename the default entry to something different of your choice, e.g. default old
8. Choose receive - provide the correct path and file name of your CA-signed certificate file
9. Rename the newly received official certificate entry (in my case IBM TSM OC) to default
10. Execute /etc/init.d/opscenter.rc start
11. Open your preferred browser and be happy with "no certificate errors"
 


DavidDiepUSC

Active Newcomer
#3
Hi Skentzle,

Thanks for the detailed write up. Can you post instructions on how to update or replace an expired SSL self-signed cert for TSM OC?

Thanks!
 

skentzle

ADSM.ORG Member
#4
Hi David,

You can follow this Technote http://www-01.ibm.com/support/docview.wss?uid=swg21045925. You'll need your password for the truststore. Create a new self-signed certificate, (extract for fallback) delete the old default entry, and rename your new self-signed certificate to default. Restart your OC service. That's it. If you have any further questions, please post here.

Greetings from Germany
Sebastian
 

DavidDiepUSC

Active Newcomer
#5
Hi Sebastian,

Thanks for replying to your 4-year-old post! Anyways, I figured it out and it's actually a lot easier. Here are the steps I took to create a new self-signed cert for the TSM OC HTTPS server:

  1. If applicable, start VNC Server and assign the VNC password
  2. Log into VNC server (this is for ikeyman)
  3. Navigate to /opt/tivoli/tsm/ui/jre/bin
  4. Invoke the IBM Key management tool: ikeyman
  • Open the key database - It will prompt you for a password. This is the instance password from when OC was first installed.
  • Create a backup of the existing key database: click on “Export/Import…”, create a directory 'backup' under installation_dir/ui/Liberty/usr/servers/guiServer, and export the backup kdb there
  • Delete the existing ‘default’ personal certificate
  • Create a new self-signed certificate with the exact same attributes as the previous personal certificate. Use the same CN, O, OU, Signature Algorithm, Key Size, Label, etc.
  • Once complete, restart the TSM Operations Center service
 

skentzle

ADSM.ORG Member
#6
Hi David,
It's a possible way. The better way for me is to use CA-signed certificates. Thanks for your description.
Sebastian
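
A post-change check that applies to both procedures in this thread (the CA-signed replacement in post #2 and the self-signed renewal in post #5), as an added example that is not part of any post: it reads `keytool -list -v` output and reports whether the entry the web server uses is still self-signed, carries a SHA-1 or MD5 signature (current browsers reject SHA-1-signed server certificates, so that choice can keep the warning in place), or has an RSA key under 2048 bits. Assumptions: a `keytool` binary sits beside `ikeyman` in the JRE directory and can read gui-truststore.jks; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one alias in `keytool -list -v` output read from stdin.
audit_keytool_listing() {   # $1 = alias to inspect, e.g. "default"
    awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13); if (cur == want) found = 1 }
        cur != want     { next }
        # Keep only the first certificate of the entry (the leaf), not its CA chain.
        /^Owner: /  && owner == ""  { owner = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        /^Signature algorithm name: / && sig == "" { sig = $4 }
        # Older keytool versions omit this line; the key-size check is then skipped.
        /^Subject Public Key Algorithm: / && bits == 0 { bits = $5 + 0 }
        END {
            if (!found) { print "MISSING alias " want; exit }
            if (owner != "" && owner == issuer) print "SELF_SIGNED " owner
            if (toupper(sig) ~ /^(SHA1|MD5)/) print "WEAK_SIGNATURE " sig
            if (bits > 0 && bits < 2048) print "SHORT_KEY " bits
        }'
}

sample_listing() {   # constructed sample, shaped like `keytool -list -v` output
    cat <<'EOF'
Alias name: default old
Certificate[1]:
Owner: CN=localhost, OU=guiserver
Issuer: CN=localhost, OU=guiserver
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: default
Certificate[1]:
Owner: CN=oc.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example
Signature algorithm name: SHA256withRSA
EOF
}

# Real use (assumed keytool location, keystore path as given in the thread):
#   /opt/tivoli/tsm/ui/jre/bin/keytool -list -v -keystore \
#     /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer/gui-truststore.jks \
#     | audit_keytool_listing default
sample_listing | audit_keytool_listing default
```

No output for the alias means none of the three conditions was found; certificate expiry is not checked here.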
 
