• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

TSM Webclient security

heada

ADSM.ORG Moderator
Joined
Sep 23, 2002
Messages
2,560
Reaction score
168
Points
0
Location
Indiana
Does anyone know if the TSM 5.5 client supports https for the webclient? I gave the TSM 5.5 client manual a quick once-over but did not find the answer.

Our security group does daily penetration tests for all web-type ports that they find and it is starting to fill my error logs. Https would prevent them from probing the webclient (as well as secure user names and passwords for those people that are allowed to perform restores)

-Aaron
 

heada

ADSM.ORG Moderator
Joined
Sep 23, 2002
Messages
2,560
Reaction score
168
Points
0
Location
Indiana
Looking into stunnel it does look very nice and I think I have a few projects that could benefit from it, thanks. I think it wouldn't solve all the issues I'm having with the TSM client though. I would still need to maintain the http(port 1581) service available and so the port scan that corp security is doing will still find it. Once found, they probe it to find vulnerabilities which creates lots of entries in the client error log.(35MB of text in the error log every day)

I may just have to remove all the http clients and force the people performing restores to use the full GUI via remote desktop.

-Aaron
 

admin

ADSM.ORG Admin
ADSM.ORG Moderator
Joined
Jul 21, 2002
Messages
83
Reaction score
14
Points
18
Location
Virginia
stunnel works with TCP Wrapper. Allowing socket connections for only explicitly specified hosts and ports.
 

heada

ADSM.ORG Moderator
Joined
Sep 23, 2002
Messages
2,560
Reaction score
168
Points
0
Location
Indiana
After looking further into the 5.5 Windows Client manual (http://publibfp.boulder.ibm.com/epubs/pdf/c3201461.pdf) I found that there is native support for SSL connections for almost everything EXCEPT the WebClient.

Thus sayeth the manual
Secure socket layer (SSL) allows industry standard SSL-based secure communications between the Tivoli Storage Manager client and server. The following client components support SSL: v Command-line client v Administrative command-line client v Backup-archive client GUI v Client API Only outgoing client-server connections support SSL. Incoming connections (for example, CAD, server-initiated schedule connections) do not support SSL. Client-to-client communications and Web GUI do not support SSL.
So, if all outbound interfaces support SSL, how hard would it be to add it to the WebClient? They really baffle me at times.

Out of the 500 or so clients there are only 3 or 4 that need to have people connect to on a regular basis. Rather than implement (and support) something I'm just going to pull all WebGUI interfaces and force them to use the full GUI via remote desktop.

Thanks for the help.

-Aaron
 

kopsy

Newcomer
Joined
Aug 30, 2011
Messages
1
Reaction score
0
Points
0
Hello,

I try to secure the TSM web client by implementing HTTPS. It seems that it is not available in version 5.5.1 of the client.

Does anyone have success running the web client through stunnel. I managed to run the adminserver without any worries, but the web client I still presents problems, because it is java. I appreciate a feedback from one of you if possible. Thank you in advance. (sorry for my badEnglish)
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 19 19.0%
  • Keep using TSM for Spectrum Protect.

    Votes: 61 61.0%
  • Let's be formal and just say Spectrum Protect

    Votes: 12 12.0%
  • Other (please comement)

    Votes: 8 8.0%

Forum statistics

Threads
31,773
Messages
135,485
Members
21,761
Latest member
bastischubert
Top