TSM Server Certification Issue - dsmc or dsmamdc clients cant connect


Jul 5, 2016
Reaction score
PREDATAR Control23

All TSM 7.1.9 Server on aIX
Step 1. My clients connect via SSL without ay interverntion but older 7.1.2 client coudl not (only TCP/IP)
Step 2. Attempted to change the Server (self signed) cert and import it to the client
Note there *APPEAR* to be 2 tools at 7.1.9
First is called "dsmcert" at
Second is called "gsk8capicmd_64"
I ran this command not as root but as the instance owner tsminst1

gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

Check it:
$ gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2
*- "TSM Server SelfSigned SHA Key"

Step 3. I notice the database is updated but yikes datestamp on certs are unchanged???? Jan17 was the date why do these all show Jan 4 2016 date of server upgrade?????????????
This includes the cert256.arm with old datestamp
ls -l c*
-rw------- 1 tsminst1 tsmsrvrs 80 Jan 4 2016 cert.crl
-rw------- 1 tsminst1 tsmsrvrs 130080 Jan 17 16:01 cert.kdb
-rw------- 1 tsminst1 tsmsrvrs 80 Jan 4 2016 cert.rdb
-rw------- 1 tsminst1 tsmsrvrs 129 Jan 4 2016 cert.sth
-rw------- 1 tsminst1 tsmsrvrs 1164 Jan 4 2016 cert256.arm
-rw------- 1 tsminst1 tsmsrvrs 0 Jan 4 2016 cit.log
-rw------- 1 tsminst1 tsmsrvrs 11661 Jan 4 2016 citScanOutput.xml

Also There are 2 cert.kdb; if i want to access the admin client from the server do I need 2 databases for one for the client and also one for the server????

(iaptsma03:root) / --># ls -l /home/tsminst1/IBM/SpectrumProtect/certs/dsmcert.kdb
-rw-r--r-- 1 tsminst1 tsmsrvrs 1366 Jan 17 15:06 /home/tsminst1/IBM/SpectrumProtect/certs/dsmcert.kdb
(iaptsma03:root) / --># ls -l /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb
-rw-r--r-- 1 root system 2574 Jan 17 13:45 /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb

Not sure how to import the certificate for the dsmamdc client on the SAME machien as the server?
All other clients are linux and aIX - help please

Step 4 Admin ID sessionsecurity was updated back to transitional - shown from server prompt
q admin admin f=d
ANR2017I Administrator SERVER_CONSOLE issued command: QUERY ADMIN admin f=d

Administrator Name: ADMIN
Last Access Date/Time: 01/18/20 11:03:53
Days Since Last Access: 2
Password Set Date/Time: 08/18/16 16:58:46
Days Since Password Set: 1,250
Invalid Sign-on Count: 0
Locked?: No
System Privilege: Yes
Policy Privilege: ** Included with system privilege **
Storage Privilege: ** Included with system privilege **
Operator Privilege: ** Included with system privilege **
Client Access Privilege: ** Included with system privilege **
Client Owner Privilege: ** Included with system privilege **
Registration Date/Time: 08/18/16 16:57:15
Registering Administrator: TSTEVENS
Managing profile:
Password Expiration Period: 0 Day(s)
Email Address:
Email Alerts: No
Authentication: Local
SSL Required: Default
Session Security: Transitional
Transport Method: (?)

Step 5 From the server attempting to use dsmadmc I still get the error:
Start client:
IBM Tivoli Storage Manager
Command Line Administrative Interface - Version 7, Release 1, Level 8.6
(c) Copyright by IBM Corporation and other(s) 1990, 2019. All Rights Reserved.

Enter your user id: admin

ANS1695E The certificate is not valid.
ANS8023E Unable to establish session with server.

ANS8002I Highest return code was -370.

Server log:
ANR8599W The connection with iaptsma03:33419 failed due to an untrusted server certificate. An
attempt to reconnect and establish certificate trust might follow.
PREDATAR Control23

For anyone having the same issue, I fixed this by removing "dsmcert.*" from baclient directory, and then setting sessionsecurity to transitional for that admin. Just changing the sessionsecurity did not help.