• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

TSM Server Certification Issue - dsmc or dsmamdc clients cant connect

Aldini

ADSM.ORG Member
#1
All TSM 7.1.9 Server on aIX 7.1.4.4
Step 1. My 7.1.8.6 clients connect via SSL without ay interverntion but older 7.1.2 client coudl not (only TCP/IP)
Step 2. Attempted to change the Server (self signed) cert and import it to the client
Note there *APPEAR* to be 2 tools at 7.1.9
First is called "dsmcert" at
/usr/tivoli/tsm/client/ba/bin64/dsmcert
Second is called "gsk8capicmd_64"
/usr/opt/ibm/gsk8_64/bin/gsk8capicmd_64
I ran this command not as root but as the instance owner tsminst1

gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

Check it:
$ gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2
! 10.162.8.11:1500:0
*- "TSM Server SelfSigned SHA Key"

Step 3. I notice the database is updated but yikes datestamp on certs are unchanged???? Jan17 was the date why do these all show Jan 4 2016 date of server upgrade?????????????
This includes the cert256.arm with old datestamp
ls -l c*
-rw------- 1 tsminst1 tsmsrvrs 80 Jan 4 2016 cert.crl
-rw------- 1 tsminst1 tsmsrvrs 130080 Jan 17 16:01 cert.kdb
-rw------- 1 tsminst1 tsmsrvrs 80 Jan 4 2016 cert.rdb
-rw------- 1 tsminst1 tsmsrvrs 129 Jan 4 2016 cert.sth
-rw------- 1 tsminst1 tsmsrvrs 1164 Jan 4 2016 cert256.arm
-rw------- 1 tsminst1 tsmsrvrs 0 Jan 4 2016 cit.log
-rw------- 1 tsminst1 tsmsrvrs 11661 Jan 4 2016 citScanOutput.xml


Also There are 2 cert.kdb; if i want to access the admin client from the server do I need 2 databases for one for the client and also one for the server????

(iaptsma03:root) / --># ls -l /home/tsminst1/IBM/SpectrumProtect/certs/dsmcert.kdb
-rw-r--r-- 1 tsminst1 tsmsrvrs 1366 Jan 17 15:06 /home/tsminst1/IBM/SpectrumProtect/certs/dsmcert.kdb
(iaptsma03:root) / --># ls -l /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb
-rw-r--r-- 1 root system 2574 Jan 17 13:45 /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb

Not sure how to import the certificate for the dsmamdc client on the SAME machien as the server?
All other clients are linux and aIX - help please


Step 4 Admin ID sessionsecurity was updated back to transitional - shown from server prompt
q admin admin f=d
ANR2017I Administrator SERVER_CONSOLE issued command: QUERY ADMIN admin f=d

Administrator Name: ADMIN
Last Access Date/Time: 01/18/20 11:03:53
Days Since Last Access: 2
Password Set Date/Time: 08/18/16 16:58:46
Days Since Password Set: 1,250
Invalid Sign-on Count: 0
Locked?: No
Contact:
System Privilege: Yes
Policy Privilege: ** Included with system privilege **
Storage Privilege: ** Included with system privilege **
Operator Privilege: ** Included with system privilege **
Client Access Privilege: ** Included with system privilege **
Client Owner Privilege: ** Included with system privilege **
Registration Date/Time: 08/18/16 16:57:15
Registering Administrator: TSTEVENS
Managing profile:
Password Expiration Period: 0 Day(s)
Email Address:
Email Alerts: No
Authentication: Local
SSL Required: Default
Session Security: Transitional
Transport Method: (?)


Step 5 From the server attempting to use 7.8.1.6 dsmadmc I still get the error:
Start client:
dsmadmc
IBM Tivoli Storage Manager
Command Line Administrative Interface - Version 7, Release 1, Level 8.6
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Enter your user id: admin

ANS1695E The certificate is not valid.
ANS8023E Unable to establish session with server.

ANS8002I Highest return code was -370.

Server log:
TSM:ORD2TSM3>
ANR8599W The connection with iaptsma03:33419 failed due to an untrusted server certificate. An
attempt to reconnect and establish certificate trust might follow.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 18 19.6%
  • Keep using TSM for Spectrum Protect.

    Votes: 57 62.0%
  • Let's be formal and just say Spectrum Protect

    Votes: 10 10.9%
  • Other (please comement)

    Votes: 7 7.6%

Forum statistics

Threads
31,548
Messages
134,467
Members
21,616
Latest member
Jonasgo
Top