
TSM Server Certification Issue - dsmc or dsmadmc clients can't connect


Jul 5, 2016
All TSM 7.1.9 Server on AIX
Step 1. My clients connect via SSL without any intervention but older 7.1.2 client could not (only TCP/IP)
Step 2. Attempted to change the Server (self signed) cert and import it to the client
Note there *APPEAR* to be 2 tools at 7.1.9
First is called "dsmcert" at
Second is called "gsk8capicmd_64"
I ran this command not as root but as the instance owner tsminst1

gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

Check it:
$ gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2
*- "TSM Server SelfSigned SHA Key"

Step 3. I notice the database is updated, but yikes, the datestamps on the certs are unchanged???? Jan 17 was the date, so why do these all show Jan 4 2016, the date of the server upgrade?????????????
This includes the cert256.arm with the old datestamp
ls -l c*
-rw------- 1 tsminst1 tsmsrvrs 80 Jan 4 2016 cert.crl
-rw------- 1 tsminst1 tsmsrvrs 130080 Jan 17 16:01 cert.kdb
-rw------- 1 tsminst1 tsmsrvrs 80 Jan 4 2016 cert.rdb
-rw------- 1 tsminst1 tsmsrvrs 129 Jan 4 2016 cert.sth
-rw------- 1 tsminst1 tsmsrvrs 1164 Jan 4 2016 cert256.arm
-rw------- 1 tsminst1 tsmsrvrs 0 Jan 4 2016 cit.log
-rw------- 1 tsminst1 tsmsrvrs 11661 Jan 4 2016 citScanOutput.xml

Also, there are 2 cert.kdb; if I want to access the admin client from the server, do I need 2 databases, one for the client and also one for the server????

(iaptsma03:root) / --># ls -l /home/tsminst1/IBM/SpectrumProtect/certs/dsmcert.kdb
-rw-r--r-- 1 tsminst1 tsmsrvrs 1366 Jan 17 15:06 /home/tsminst1/IBM/SpectrumProtect/certs/dsmcert.kdb
(iaptsma03:root) / --># ls -l /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb
-rw-r--r-- 1 root system 2574 Jan 17 13:45 /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb

Not sure how to import the certificate for the dsmadmc client on the SAME machine as the server?
All other clients are Linux and AIX - help please

Step 4 Admin ID sessionsecurity was updated back to transitional - shown from server prompt
q admin admin f=d
ANR2017I Administrator SERVER_CONSOLE issued command: QUERY ADMIN admin f=d

Administrator Name: ADMIN
Last Access Date/Time: 01/18/20 11:03:53
Days Since Last Access: 2
Password Set Date/Time: 08/18/16 16:58:46
Days Since Password Set: 1,250
Invalid Sign-on Count: 0
Locked?: No
System Privilege: Yes
Policy Privilege: ** Included with system privilege **
Storage Privilege: ** Included with system privilege **
Operator Privilege: ** Included with system privilege **
Client Access Privilege: ** Included with system privilege **
Client Owner Privilege: ** Included with system privilege **
Registration Date/Time: 08/18/16 16:57:15
Registering Administrator: TSTEVENS
Managing profile:
Password Expiration Period: 0 Day(s)
Email Address:
Email Alerts: No
Authentication: Local
SSL Required: Default
Session Security: Transitional
Transport Method: (?)

Step 5 From the server attempting to use dsmadmc I still get the error:
Start client:
IBM Tivoli Storage Manager
Command Line Administrative Interface - Version 7, Release 1, Level 8.6
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Enter your user id: admin

ANS1695E The certificate is not valid.
ANS8023E Unable to establish session with server.

ANS8002I Highest return code was -370.

Server log:
ANR8599W The connection with iaptsma03:33419 failed due to an untrusted server certificate. An
attempt to reconnect and establish certificate trust might follow.


Mar 28, 2014
For anyone having the same issue, I fixed this by removing "dsmcert.*" from baclient directory, and then setting sessionsecurity to transitional for that admin. Just changing the sessionsecurity did not help.
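
Added example (not part of the original posts and not IBM tooling): one way to check, before removing `dsmcert.*`, whether the certificates a client trusts still include the server's current one, by comparing SHA-256 fingerprints. It assumes the server certificate (`cert256.arm`) and the client store's certificates are available as ASCII-armored text; the sample blobs are constructed stand-ins, and all function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text):
    """SHA-256 fingerprint (hex) of each certificate in an ASCII-armored file."""
    prints = []
    for body in PEM_RE.findall(text):
        # Strip line breaks, then decode strictly so damaged armor is rejected.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def trust_status(server_arm, client_arm):
    """Compare the server's certificate with the certificates a client trusts."""
    server = pem_fingerprints(server_arm)
    if len(server) != 1:
        raise ValueError("expected exactly one server certificate")
    trusted = set(pem_fingerprints(client_arm))
    if not trusted:
        return "empty"   # client store holds no certificate at all
    # "stale": the client trusts something, but not the current server cert.
    return "match" if server[0] in trusted else "stale"

def _armor(der):
    """Wrap bytes in certificate armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])

# Constructed stand-ins for this example, not real certificates.
SERVER_ARM = _armor(b"constructed: current server certificate")
CLIENT_STALE = _armor(b"constructed: certificate from before the change")
CLIENT_CURRENT = CLIENT_STALE + SERVER_ARM

if __name__ == "__main__":
    for name, store in [("stale store", CLIENT_STALE),
                        ("current store", CLIENT_CURRENT),
                        ("empty store", "")]:
        print(name, "->", trust_status(SERVER_ARM, store))
```

A "stale" result is consistent with the ANS1695E / ANR8599W pair shown in the first post; "match" points to a cause other than the client store's contents.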
