TSM Operations Center - self signed certificate replacement

skentzle

A short description of how to prevent the certificate warning when opening TSM OC:
After a fresh installation of TSM OC and configuration of the server(s), a certificate warning always occurs because of the self-signed web server certificate (localhost, guiserver, ...). I didn't find any documentation on how to replace the certificate, so I tried it yesterday at my own risk. Here are the steps (my TSM OC is running on SLES - there may be different paths on other platforms):
1. log in as root user and stop the guiserver: /etc/init.d/opscenter.rc stop
2. make a backup of your server (dsmc i) to back up the gui-truststore.jks file (I made a simple copy) in case something goes wrong
3. start ikeyman and open the gui-truststore.jks database (remember the password you used at installation time) - the file is located in /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer
4. create a new certificate request and provide all the necessary information (this depends on your hostname and CA requirements) - name the key label (e.g. IBM TSM OC), choose a key length of 2048 and the sha1withrsa algorithm
5. the request is saved as /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer/certreq.arm - use this and send it to your CA
6. when you have received your certificate, copy the file to your OC server and open ikeyman
7. rename the default entry to something different, e.g. default old
8. choose receive - provide the correct path and file name to your CA signed certificate file
9. rename the newly received official certificate entry (in my case IBM TSM OC) to default
10. execute /etc/init.d/opscenter.rc start
11. open your preferred browser and be happy with "no certificate errors"
 

Hi Skentzle,

Thanks for the detailed write up. Can you post instructions on how to update or replace an expired SSL self-signed cert for TSM OC?

Thanks!
 
Hi David,

you can follow this Technote http://www-01.ibm.com/support/docview.wss?uid=swg21045925. You'll need your password for the truststore. Create a new self-signed certificate, (extract for fallback), delete the old default entry and rename your new self-signed one to default. Restart your OC service. That's it. If you have any further questions, please post here.

Greetings from Germany
Sebastian
 
Hi Sebastian,

Thanks for replying to your 4-year-old post! Anyways, I figured it out and it's actually a lot easier. Here are the steps I took to create a new self-signed cert for the TSM OC HTTPS server:

  1. If applicable, start VNC Server and assign the VNC password
  2. Log into VNC server (this is for ikeyman)
  3. Navigate to /opt/tivoli/tsm/ui/jre/bin
  4. Invoke the IBM Key management tool: ikeyman
  • Open the key database - it will prompt you for a password. This is the instance password from when OC was first installed.
  • Create a backup of the existing key database:
      Click on “Export/Import…”
      Create a directory 'backup' under installation_dir/ui/Liberty/usr/servers/guiServer
      Export the backup kdb there
  • Delete the existing ‘default’ personal certificate
  • Create a new self-signed certificate with the exact same attributes as the previous personal certificate. Use the same CN, O, OU, Signature Algorithm, Key Size, Label, etc.
  • Once complete, restart the TSM Operations Center service
 
Hi David,
it's a possible way. The better way for me is to use CA signed certificates. Thanks for your description.
Sebastian
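
A command-line check for the three certificate problems this thread deals with (self-signed, expired, and SHA-1 signatures such as sha1withrsa, which current browsers no longer accept), as an added example that is not part of the original posts. It assumes the openssl CLI is installed; the function names, the sample subject and the temporary paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Needs the openssl CLI.
# Function names, the sample subject and all paths are constructed.

# Succeeds when a "Signature Algorithm" string names an MD5 or SHA-1 digest.
is_weak_sigalg() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cert PEM_FILE [MIN_DAYS]: print one finding per line, or OK.
audit_cert() {
    pem=$1; min_days=${2:-30}; found=0
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253) || return 2
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253) || return 2
    # Same subject and issuer DN: self-signed, so it cannot chain to a CA.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo "SELF_SIGNED"; found=1
    fi
    sigalg=$(openssl x509 -in "$pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    if is_weak_sigalg "$sigalg"; then
        echo "WEAK_SIGNATURE $sigalg"; found=1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED"; found=1
    elif ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "EXPIRES_WITHIN_${min_days}_DAYS"; found=1
    fi
    if [ "$found" -eq 0 ]; then echo "OK"; fi
    return 0
}

# Constructed sample: self-signed SHA-256 certificate, valid for $2 days, in dir $1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=oc.example.test/O=Example" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

# Demo on the constructed certificate: a 10-day self-signed cert, 30-day threshold.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 10
audit_cert "$demo_dir/sample.pem" 30
rm -rf "$demo_dir"
```

Point audit_cert at the PEM file received from the CA, or at a certificate extracted from the key database, before renaming the entry to default.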
 