TSM Webclient security

heada

Does anyone know if the TSM 5.5 client supports https for the webclient? I gave the TSM 5.5 client manual a quick once-over but did not find the answer.

Our security group does daily penetration tests for all web-type ports that they find and it is starting to fill my error logs. HTTPS would prevent them from probing the webclient (as well as secure user names and passwords for those people that are allowed to perform restores).

-Aaron
 
Looking into stunnel, it does look very nice and I think I have a few projects that could benefit from it, thanks. I think it wouldn't solve all the issues I'm having with the TSM client though. I would still need to maintain the http (port 1581) service available and so the port scan that corp security is doing will still find it. Once found, they probe it to find vulnerabilities, which creates lots of entries in the client error log (35MB of text in the error log every day).

I may just have to remove all the http clients and force the people performing restores to use the full GUI via remote desktop.

-Aaron
 
stunnel works with TCP Wrapper, allowing socket connections only for explicitly specified hosts and ports.
 
After looking further into the 5.5 Windows Client manual (http://publibfp.boulder.ibm.com/epubs/pdf/c3201461.pdf) I found that there is native support for SSL connections for almost everything EXCEPT the WebClient.

Thus sayeth the manual:

Secure socket layer (SSL) allows industry standard SSL-based secure communications between the Tivoli Storage Manager client and server. The following client components support SSL:

- Command-line client
- Administrative command-line client
- Backup-archive client GUI
- Client API

Only outgoing client-server connections support SSL. Incoming connections (for example, CAD, server-initiated schedule connections) do not support SSL. Client-to-client communications and Web GUI do not support SSL.

So, if all outbound interfaces support SSL, how hard would it be to add it to the WebClient? They really baffle me at times.

Out of the 500 or so clients there are only 3 or 4 that people need to connect to on a regular basis. Rather than implement (and support) something I'm just going to pull all WebGUI interfaces and force them to use the full GUI via remote desktop.

Thanks for the help.

-Aaron
 
Hello,

I am trying to secure the TSM web client by implementing HTTPS. It seems that it is not available in version 5.5.1 of the client.

Has anyone had success running the web client through stunnel? I managed to run the adminserver without any worries, but the web client still presents problems for me, because it is Java. I would appreciate feedback from one of you if possible. Thank you in advance. (Sorry for my bad English.)
 