====== TLS: Using self signed certificates ======

===== ISP-8.1.3 on Windows =====

==== Preparation ====

By default the path leading to the GSKit is not part of the //%PATH%// environment variable, so first it has to be added:

<code>
set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
</code>

==== Check on SHA / change default to SHA ====

Especially if an update has been done from a former version like ISP-7.1.6 or 8.1.0, the default certificate is MD5-signed. If so, the default certificate (indicated by a ''*'' on the left) is not named //SHA Key//, e.g.

<code>
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048) 29"
!       "Entrust Root Certification Authority - EC1"
!       "Entrust Root Certification Authority - EV"
!       "Entrust Root Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
*-      "TSM Server SelfSigned Key"
-       "TSM Server SelfSigned SHA Key"
</code>

Set the default to the SHA Key:

<code>
T:\CONFIG>gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
</code>

and check again:

<code>
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048) 29"
!       "Entrust Root Certification Authority - EC1"
!       "Entrust Root Certification Authority - EV"
!       "Entrust Root Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
*-      "TSM Server SelfSigned SHA Key"
</code>

==== Extend dsmserv.opt ====

Add the following lines to ''dsmserv.opt'' (the port numbers are up to you):

<code>
SSLTCPPort 3111
SSLTCPADMINPort 5111
SSLDISABLELEGACYtls Yes
SSLTLS12 Yes
SSLFIPSMODE Yes
</code>

==== Make certificate available ====

Copy the ''cert256.arm'' file from the server configuration folder to a place accessible for the ISP client admins.

===== ISP-7.1.7 on SLES 12 =====

FIXME -- will follow up soon :-)

====== Clients ======

Look at the [[de:services:storage_services:backup:tsm:anleitungen:tls|client documentation]].
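To verify the outcome of the Windows steps above without reading the long listing by eye, the following Python script (an added example, not part of this page or of the ISP/GSKit tooling) parses the output of ''gsk8capicmd_64 -cert -list'', reports which entry is the default and whether it is the SHA key, and checks ''dsmserv.opt'' for the TLS options. It assumes ''gsk8capicmd_64'' is on ''%PATH%'' as set up under Preparation and that the full option names are used in ''dsmserv.opt''.

```python
"""Check results of the Windows steps above (added example, not code from the page)."""
import re
import subprocess

# Options the page adds to dsmserv.opt (full names assumed); compared case-insensitively.
REQUIRED_OPTIONS = {"SSLDISABLELEGACYTLS": "YES", "SSLTLS12": "YES", "SSLFIPSMODE": "YES"}

# One entry line of "gsk8capicmd_64 -cert -list": marker column ('*' = default,
# '-' = personal, '!' = trusted, '#' = secret key), whitespace, quoted label.
_ENTRY = re.compile(r'^\s*([*\-!#]+)\s+"(.+)"\s*$')

# Constructed excerpt of the page's listing, before the default was changed.
SAMPLE_LISTING = """Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!       "Entrust.net Secure Server Certification Authority"
*-      "TSM Server SelfSigned Key"
-       "TSM Server SelfSigned SHA Key"
"""

# Constructed dsmserv.opt excerpt: SSLFIPSMODE has not been added yet.
SAMPLE_DSMSERV_OPT = """* lines starting with '*' are comments in dsmserv.opt
SSLTCPPort 3111
SSLTCPADMINPort 5111
SSLDISABLELEGACYtls Yes
SSLTLS12 Yes
"""

def default_certificate(listing):
    """Return (label, is_sha_key) of the entry marked '*', or (None, False) if none."""
    for line in listing.splitlines():
        m = _ENTRY.match(line)
        if m and "*" in m.group(1):
            return m.group(2), "SHA" in m.group(2).upper()
    return None, False

def missing_tls_options(dsmserv_opt):
    """Return the REQUIRED_OPTIONS names that are absent or not set to the required value."""
    found = {}
    for line in dsmserv_opt.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("*"):
            found[parts[0].upper()] = parts[1].strip().upper()
    return [name for name, want in REQUIRED_OPTIONS.items() if found.get(name) != want]

def live_default_certificate(db="cert.kdb"):
    """Query the real key database; gsk8capicmd_64 must be on PATH (see Preparation)."""
    cmd = ["gsk8capicmd_64", "-cert", "-list", "-db", db, "-stashed"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return default_certificate(out)
```

Run ''live_default_certificate()'' from the server configuration folder after the ''-setdefault'' step; it returns ''("TSM Server SelfSigned SHA Key", True)'' once the SHA key is the default.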