Differences

This shows you the differences between two versions of the page.

en:services:storage_services:backup:tsm:admin:tls_self [2018/10/23 11:16] – [ISP-7.1.6 on SLES 12] bnachtw
en:services:storage_services:backup:tsm:admin:tls_self [2019/02/19 10:28] (current) – [ISP-7.1.6 on SLES 12] bnachtw
Line 1: Line 1:
 +====== TLS: Using self signed certificates ======
 +===== ISP-8.1.3 on Windows =====
 +==== Preparation ====
 +By default the path leading to the GSKit is not part of the //%PATH%// environment variable, so first it has to be added:
 +  set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
 +==== Check on SHA / change default to SHA ====
 +Especially if an update has been done from an former version like ISP-7.1.6 or 8.1.0, the default certificate is MD5-signed.
 +If so, the default certificate (indicated by a * on the left) is not named //SHA Key//, e.g.
 +  T:\CONFIG>gsk8capicmd_64  -cert -list -db cert.kdb -stashed
 +  Zertifikate gefunden
 +  * Standard, - pers"nlich, ! zuverl"ssig, # secret key
 +  !       "Entrust.net Secure Server Certification Authority"
 +  !       "Entrust.net Certification Authority (2048)"
 +  !       "Entrust.net Client Certification Authority"
 +  !       "Entrust.net Global Client Certification Authority"
 +  !       "Entrust.net Global Secure Server Certification Authority"
 +  !       "Entrust.net Certification Authority (2048) 29"
 +  !       "Entrust Root Certification Authority - EC1"
 +  !       "Entrust Root Certification Authority - EV"
 +  !       "Entrust Root Certification Authority - G2"
 +  !       "VeriSign Class 1 Public Primary Certification Authority"
 +  !       "VeriSign Class 2 Public Primary Certification Authority"
 +  !       "VeriSign Class 3 Public Primary Certification Authority"
 +  !       "VeriSign Class 1 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 2 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 3 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 4 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 1 Public Primary Certification Authority - G3"
 +  !       "VeriSign Class 2 Public Primary Certification Authority - G3"
 +  !       "VeriSign Class 3 Public Primary Certification Authority - G3"
 +  !       "VeriSign Class 3 Public Primary Certification Authority - G5"
 +  !       "VeriSign Class 4 Public Primary Certification Authority - G3"
 +  !       "Thawte Primary Root CA"
 +  !       "Thawte Primary Root CA - G2 ECC"
 +  !       "Thawte Server CA"
 +  !       "Thawte Premium Server CA"
 +  !       "Thawte Personal Basic CA"
 +  !       "Thawte Personal Freemail CA"
 +  !       "Thawte Personal Premium CA"
 +  *-      "TSM Server SelfSigned Key"
 +  -       "TSM Server SelfSigned SHA Key"
 +
 +Set the default to the SHA Key:
 +  T:\CONFIG>gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
 +
 +and check again:
 +  T:\CONFIG>gsk8capicmd_64  -cert -list -db cert.kdb -stashed
 +  Zertifikate gefunden
 +  * Standard, - pers"nlich, ! zuverl"ssig, # secret key
 +  !       "Entrust.net Secure Server Certification Authority"
 +  !       "Entrust.net Certification Authority (2048)"
 +  !       "Entrust.net Client Certification Authority"
 +  !       "Entrust.net Global Client Certification Authority"
 +  !       "Entrust.net Global Secure Server Certification Authority"
 +  !       "Entrust.net Certification Authority (2048) 29"
 +  !       "Entrust Root Certification Authority - EC1"
 +  !       "Entrust Root Certification Authority - EV"
 +  !       "Entrust Root Certification Authority - G2"
 +  !       "VeriSign Class 1 Public Primary Certification Authority"
 +  !       "VeriSign Class 2 Public Primary Certification Authority"
 +  !       "VeriSign Class 3 Public Primary Certification Authority"
 +  !       "VeriSign Class 1 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 2 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 3 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 4 Public Primary Certification Authority - G2"
 +  !       "VeriSign Class 1 Public Primary Certification Authority - G3"
 +  !       "VeriSign Class 2 Public Primary Certification Authority - G3"
 +  !       "VeriSign Class 3 Public Primary Certification Authority - G3"
 +  !       "VeriSign Class 3 Public Primary Certification Authority - G5"
 +  !       "VeriSign Class 4 Public Primary Certification Authority - G3"
 +  !       "Thawte Primary Root CA"
 +  !       "Thawte Primary Root CA - G2 ECC"
 +  !       "Thawte Server CA"
 +  !       "Thawte Premium Server CA"
 +  !       "Thawte Personal Basic CA"
 +  !       "Thawte Personal Freemail CA"
 +  !       "Thawte Personal Premium CA"
 +  *-      "TSM Server SelfSigned SHA Key"
 +
 +==== Extend dsmserv.opt ====
 +add the following lines to ''dsmserv.opt'' (Port numbers as you like)
 +  SSLTCPPort              3111
 +  SSLTCPADMINPort 5111
 +  SSLDISABLELEGACYtls     Yes
 +  SSLTLS12                Yes
 +  SSLFIPSMODE             Yes
 +
 +==== make cetificate available ====
 +Copy the ''cert256.arm'' file from the server configuration folder to a place accessable for the ISP client admins.
 +
 +
 +
 +===== ISP-7.1.7 on SLES 12 =====
 +
 +
 +FIXME -- will follow up soon :-)
 +
 +====== Clients ======
 +look at the [[de:services:storage_services:backup:tsm:anleitungen:tls|client documentation]]
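Review bot: The "make cetificate available" section tells admins to copy ''cert256.arm'' to a shared location but gives client admins no way to confirm that the file they pick up is the server's real self-signed certificate; add a step that publishes the certificate's fingerprint through a separate channel so it can be compared before the file is trusted, and state that the shared location should be writable only by the server admins. In the same section "cetificate" and "accessable" are misspelled. In "Check on SHA", both ''-cert -list'' outputs repeat the full CA list although only the two "TSM Server SelfSigned" entries change, and the legend line has lost its umlauts ("pers"nlich", "zuverl"ssig"); trimming the listings to the TSM entries would make the move of the ''*'' marker easier to see. In "Extend dsmserv.opt", ''SSLTCPADMINPort 5111'' is not column-aligned with the other options and ''SSLDISABLELEGACYtls'' mixes case. The Linux heading reads "ISP-7.1.7 on SLES 12" while the edit summary names "ISP-7.1.6 on SLES 12" and the section body is still only a FIXME, and the Clients link points into the ''de:'' namespace from an ''en:'' page.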