By default the path leading to the GSKit is not part of the %PATH% environment variable, so first it has to be added:
set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
Especially if an update has been done from an former version like ISP-7.1.6 or 8.1.0, the default certificate is MD5-signed. If so, the default certificate (indicated by a * on the left) is not named SHA Key, e.g.
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed Zertifikate gefunden * Standard, - pers"nlich, ! zuverl"ssig, # secret key ! "Entrust.net Secure Server Certification Authority" ! "Entrust.net Certification Authority (2048)" ! "Entrust.net Client Certification Authority" ! "Entrust.net Global Client Certification Authority" ! "Entrust.net Global Secure Server Certification Authority" ! "Entrust.net Certification Authority (2048) 29" ! "Entrust Root Certification Authority - EC1" ! "Entrust Root Certification Authority - EV" ! "Entrust Root Certification Authority - G2" ! "VeriSign Class 1 Public Primary Certification Authority" ! "VeriSign Class 2 Public Primary Certification Authority" ! "VeriSign Class 3 Public Primary Certification Authority" ! "VeriSign Class 1 Public Primary Certification Authority - G2" ! "VeriSign Class 2 Public Primary Certification Authority - G2" ! "VeriSign Class 3 Public Primary Certification Authority - G2" ! "VeriSign Class 4 Public Primary Certification Authority - G2" ! "VeriSign Class 1 Public Primary Certification Authority - G3" ! "VeriSign Class 2 Public Primary Certification Authority - G3" ! "VeriSign Class 3 Public Primary Certification Authority - G3" ! "VeriSign Class 3 Public Primary Certification Authority - G5" ! "VeriSign Class 4 Public Primary Certification Authority - G3" ! "Thawte Primary Root CA" ! "Thawte Primary Root CA - G2 ECC" ! "Thawte Server CA" ! "Thawte Premium Server CA" ! "Thawte Personal Basic CA" ! "Thawte Personal Freemail CA" ! "Thawte Personal Premium CA" *- "TSM Server SelfSigned Key" - "TSM Server SelfSigned SHA Key"
Set the default to the SHA Key:
T:\CONFIG>gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
and check again:
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed Zertifikate gefunden * Standard, - pers"nlich, ! zuverl"ssig, # secret key ! "Entrust.net Secure Server Certification Authority" ! "Entrust.net Certification Authority (2048)" ! "Entrust.net Client Certification Authority" ! "Entrust.net Global Client Certification Authority" ! "Entrust.net Global Secure Server Certification Authority" ! "Entrust.net Certification Authority (2048) 29" ! "Entrust Root Certification Authority - EC1" ! "Entrust Root Certification Authority - EV" ! "Entrust Root Certification Authority - G2" ! "VeriSign Class 1 Public Primary Certification Authority" ! "VeriSign Class 2 Public Primary Certification Authority" ! "VeriSign Class 3 Public Primary Certification Authority" ! "VeriSign Class 1 Public Primary Certification Authority - G2" ! "VeriSign Class 2 Public Primary Certification Authority - G2" ! "VeriSign Class 3 Public Primary Certification Authority - G2" ! "VeriSign Class 4 Public Primary Certification Authority - G2" ! "VeriSign Class 1 Public Primary Certification Authority - G3" ! "VeriSign Class 2 Public Primary Certification Authority - G3" ! "VeriSign Class 3 Public Primary Certification Authority - G3" ! "VeriSign Class 3 Public Primary Certification Authority - G5" ! "VeriSign Class 4 Public Primary Certification Authority - G3" ! "Thawte Primary Root CA" ! "Thawte Primary Root CA - G2 ECC" ! "Thawte Server CA" ! "Thawte Premium Server CA" ! "Thawte Personal Basic CA" ! "Thawte Personal Freemail CA" ! "Thawte Personal Premium CA" *- "TSM Server SelfSigned SHA Key"
add the following lines to dsmserv.opt
(Port numbers as you like)
SSLTCPPort 3111 SSLTCPADMINPort 5111 SSLDISABLELEGACYtls Yes SSLTLS12 Yes SSLFIPSMODE Yes
Copy the cert256.arm
file from the server configuration folder to a place accessable for the ISP client admins.
– will follow up soon
look at the client documentation