TLS: Using self signed certificates

ISP-8.1.3 on Windows

Preparation

By default the GSKit directories are not part of the %PATH% environment variable, so they have to be added first:

set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%

Check on SHA / change default to SHA

Especially if an update has been done from a former version such as ISP-7.1.6 or 8.1.0, the default certificate is MD5-signed. In that case the default certificate (marked with a * on the left) is not the one named SHA Key, e.g.

T:\CONFIG>gsk8capicmd_64  -cert -list -db cert.kdb -stashed
Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048) 29"
!       "Entrust Root Certification Authority - EC1"
!       "Entrust Root Certification Authority - EV"
!       "Entrust Root Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
*-      "TSM Server SelfSigned Key"
-       "TSM Server SelfSigned SHA Key"

Set the default to the SHA Key:

T:\CONFIG>gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

and check again:

T:\CONFIG>gsk8capicmd_64  -cert -list -db cert.kdb -stashed
Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048) 29"
!       "Entrust Root Certification Authority - EC1"
!       "Entrust Root Certification Authority - EV"
!       "Entrust Root Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
*-      "TSM Server SelfSigned SHA Key"

Extend dsmserv.opt

Add the following lines to dsmserv.opt (choose the port numbers as you like):

SSLTCPPort              3111
SSLTCPADMINPort         5111
SSLDISABLELEGACYtls     Yes
SSLTLS12                Yes
SSLFIPSMODE             Yes

Make certificate available

Copy the cert256.arm file from the server configuration folder to a place accessible to the ISP client admins.
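The check-and-fix steps above (list the key database, switch the default to the SHA key, re-check, and verify the dsmserv.opt entries) as one PowerShell script. This is an added example, not part of the original page or of the ISP product; it assumes gsk8capicmd_64 is found via the GSKit path from "Preparation", that the key database and dsmserv.opt live in T:\CONFIG, and that the certificate labels match the listing above.

```powershell
# Added example (assumptions: GSKit path as above, T:\CONFIG holds cert.kdb and dsmserv.opt).
$env:PATH = 'C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;' +
            'C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;' + $env:PATH

$Kdb      = 'T:\CONFIG\cert.kdb'                 # assumed server configuration folder
$ShaLabel = 'TSM Server SelfSigned SHA Key'      # label of the SHA-signed certificate

# Return the label of the default certificate (the entry flagged with "*"), or $null.
function Get-DefaultCertLabel {
    param([string]$Db)
    $lines = & gsk8capicmd_64 -cert -list -db $Db -stashed
    foreach ($line in $lines) {
        # A default entry looks like:  *-      "TSM Server SelfSigned Key"
        # The legend line "* Standard, ..." has no quoted label and does not match.
        if ($line -match '^\*\S*\s+"(.+)"\s*$') { return $Matches[1] }
    }
    return $null
}

$current = Get-DefaultCertLabel -Db $Kdb
if ($null -eq $current) { throw "No default certificate found in $Kdb" }

if ($current -ne $ShaLabel) {
    Write-Host "Default is '$current' (MD5-signed); switching to '$ShaLabel'"
    & gsk8capicmd_64 -cert -setdefault -db $Kdb -stashed -label $ShaLabel
    if ($LASTEXITCODE -ne 0) { throw "setdefault failed with exit code $LASTEXITCODE" }
    # Re-read the listing instead of trusting the exit code alone.
    $current = Get-DefaultCertLabel -Db $Kdb
    if ($current -ne $ShaLabel) { throw "Default is still '$current'" }
}
Write-Host "Default certificate: '$current'"

# Verify dsmserv.opt carries the options from the "Extend dsmserv.opt" step.
# An empty expected value means any value is accepted (port numbers as you like).
$Opt = 'T:\CONFIG\dsmserv.opt'                   # assumed location
$required = @{ SSLTCPPort = ''; SSLTCPADMINPort = '';
               SSLDISABLELEGACYtls = 'Yes'; SSLTLS12 = 'Yes'; SSLFIPSMODE = 'Yes' }
$opts = @{}                                      # hashtable keys are case-insensitive
foreach ($line in Get-Content $Opt) {
    # Option lines are "NAME value"; comment lines start with "*" and are skipped.
    if ($line -match '^\s*([A-Za-z0-9]+)\s+(\S+)') { $opts[$Matches[1]] = $Matches[2] }
}
foreach ($key in $required.Keys) {
    $val = $opts[$key]
    if (-not $val) { Write-Warning "$key is missing from $Opt"; continue }
    if ($required[$key] -and $val -ne $required[$key]) {
        Write-Warning "$key is '$val', expected '$($required[$key])'"
    }
}
```

Restart the server after changing dsmserv.opt, as the new SSL ports are only read at startup.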

ISP-7.1.7 on SLES 12

FIXME – will follow up soon :-)

Clients

Look at the client documentation.