Differences

This shows you the differences between two versions of the page.

en:services:storage_services:backup:tsm:admin:tls_self [2018/10/23 11:16]
bnachtw [ISP-7.1.6 on SLES 12]
en:services:storage_services:backup:tsm:admin:tls_self [2019/02/19 10:28] (current)
bnachtw [ISP-7.1.6 on SLES 12]
Line 1: Line 1:
 +====== TLS: Using self signed certificates ======
 +===== ISP-8.1.3 on Windows =====
 +==== Preparation ====
 +By default the path leading to the GSKit is not part of the //%PATH%// environment variable, so first it has to be added:
 +  set PATH=C:​\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;​C:​\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;​%PATH%
 +==== Check on SHA / change default to SHA ====
 +Especially if an update has been done from an former version like ISP-7.1.6 or 8.1.0, the default certificate is MD5-signed.
 +If so, the default certificate (indicated by a * on the left) is not named //SHA Key//, e.g.
 +  T:​\CONFIG>​gsk8capicmd_64 ​ -cert -list -db cert.kdb -stashed
 +  Zertifikate gefunden
 +  * Standard, - pers"​nlich,​ ! zuverl"​ssig,​ # secret key
 +  !       "​Entrust.net Secure Server Certification Authority"​
 +  !       "​Entrust.net Certification Authority (2048)"​
 +  !       "​Entrust.net Client Certification Authority"​
 +  !       "​Entrust.net Global Client Certification Authority"​
 +  !       "​Entrust.net Global Secure Server Certification Authority"​
 +  !       "​Entrust.net Certification Authority (2048) 29"
 +  !       "​Entrust Root Certification Authority - EC1"
 +  !       "​Entrust Root Certification Authority - EV"
 +  !       "​Entrust Root Certification Authority - G2"
 +  !       "​VeriSign Class 1 Public Primary Certification Authority"​
 +  !       "​VeriSign Class 2 Public Primary Certification Authority"​
 +  !       "​VeriSign Class 3 Public Primary Certification Authority"​
 +  !       "​VeriSign Class 1 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 2 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 3 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 4 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 1 Public Primary Certification Authority - G3"
 +  !       "​VeriSign Class 2 Public Primary Certification Authority - G3"
 +  !       "​VeriSign Class 3 Public Primary Certification Authority - G3"
 +  !       "​VeriSign Class 3 Public Primary Certification Authority - G5"
 +  !       "​VeriSign Class 4 Public Primary Certification Authority - G3"
 +  !       "​Thawte Primary Root CA"
 +  !       "​Thawte Primary Root CA - G2 ECC"
 +  !       "​Thawte Server CA"
 +  !       "​Thawte Premium Server CA"
 +  !       "​Thawte Personal Basic CA"
 +  !       "​Thawte Personal Freemail CA"
 +  !       "​Thawte Personal Premium CA"
 +  *-      "TSM Server SelfSigned Key"
 +  -       "​TSM Server SelfSigned SHA Key"
 +
 +Set the default to the SHA Key:
 +  T:​\CONFIG>​gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
 +
 +and check again:
 +  T:​\CONFIG>​gsk8capicmd_64 ​ -cert -list -db cert.kdb -stashed
 +  Zertifikate gefunden
 +  * Standard, - pers"​nlich,​ ! zuverl"​ssig,​ # secret key
 +  !       "​Entrust.net Secure Server Certification Authority"​
 +  !       "​Entrust.net Certification Authority (2048)"​
 +  !       "​Entrust.net Client Certification Authority"​
 +  !       "​Entrust.net Global Client Certification Authority"​
 +  !       "​Entrust.net Global Secure Server Certification Authority"​
 +  !       "​Entrust.net Certification Authority (2048) 29"
 +  !       "​Entrust Root Certification Authority - EC1"
 +  !       "​Entrust Root Certification Authority - EV"
 +  !       "​Entrust Root Certification Authority - G2"
 +  !       "​VeriSign Class 1 Public Primary Certification Authority"​
 +  !       "​VeriSign Class 2 Public Primary Certification Authority"​
 +  !       "​VeriSign Class 3 Public Primary Certification Authority"​
 +  !       "​VeriSign Class 1 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 2 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 3 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 4 Public Primary Certification Authority - G2"
 +  !       "​VeriSign Class 1 Public Primary Certification Authority - G3"
 +  !       "​VeriSign Class 2 Public Primary Certification Authority - G3"
 +  !       "​VeriSign Class 3 Public Primary Certification Authority - G3"
 +  !       "​VeriSign Class 3 Public Primary Certification Authority - G5"
 +  !       "​VeriSign Class 4 Public Primary Certification Authority - G3"
 +  !       "​Thawte Primary Root CA"
 +  !       "​Thawte Primary Root CA - G2 ECC"
 +  !       "​Thawte Server CA"
 +  !       "​Thawte Premium Server CA"
 +  !       "​Thawte Personal Basic CA"
 +  !       "​Thawte Personal Freemail CA"
 +  !       "​Thawte Personal Premium CA"
 +  *-      "TSM Server SelfSigned SHA Key"
 +
 +==== Extend dsmserv.opt ====
 +add the following lines to ''​dsmserv.opt''​ (Port numbers as you like)
 +  SSLTCPPort ​             3111
 +  SSLTCPADMINPort 5111
 +  SSLDISABLELEGACYtls ​    Yes
 +  SSLTLS12 ​               Yes
 +  SSLFIPSMODE ​            Yes
 +
 +==== make cetificate available ====
 +Copy the ''​cert256.arm''​ file from the server configuration folder to a place accessable for the ISP client admins.
 +
 +
 +
 +===== ISP-7.1.7 on SLES 12 =====
 +
 +
 +FIXME -- will follow up soon :-)
 +
 +====== Clients ======
 +look at the [[de:​services:​storage_services:​backup:​tsm:​anleitungen:​tls|client documentation]]
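
Review bot: In "make cetificate available", the step that copies ''cert256.arm'' to a shared place gives the client admins no way to confirm that the file they pick up is the one the server exported. Because the certificate is self-signed, that file is their only trust anchor, so the section should also publish the certificate's fingerprint through a separate channel and tell admins to compare it before importing. In "Check on SHA / change default to SHA", the check rests on the label name alone; a ''gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"'' step would let the reader confirm the signature algorithm rather than infer it from the label. The second ''-cert -list'' output no longer shows "TSM Server SelfSigned Key", although the only command given is ''-setdefault''; either add the step that removed it or correct the listing. Both listings could also be cut to the self-signed entries, since the trusted CA lines are identical in both. Smaller points: "cetificate" and "accessable" are misspelled, the new heading reads ISP-7.1.7 on SLES 12 while the edit summary reads ISP-7.1.6 on SLES 12, the Clients link points into the ''de:'' namespace from an ''en:'' page, and the dsmserv.opt section does not say whether the server has to be restarted for the new options to take effect.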