TLS: Using self signed certificates
ISP-8.1.3 on Windows
Preparation
By default the directory containing the GSKit binaries is not part of the %PATH% environment variable, so it has to be added first (cmd.exe, 64-bit server install):
set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
Check on SHA / change default to SHA
Especially after an update from an earlier version such as ISP-7.1.6 or 8.1.0, the default certificate is still the MD5-signed one. MD5 signatures are cryptographically broken, so the SHA-signed certificate should become the default before TLS is enabled. If the old key is still active, the default certificate (marked with a * on the left) is not the one labelled "TSM Server SelfSigned SHA Key", e.g.
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!  "Entrust.net Secure Server Certification Authority"
!  "Entrust.net Certification Authority (2048)"
!  "Entrust.net Client Certification Authority"
!  "Entrust.net Global Client Certification Authority"
!  "Entrust.net Global Secure Server Certification Authority"
!  "Entrust.net Certification Authority (2048) 29"
!  "Entrust Root Certification Authority - EC1"
!  "Entrust Root Certification Authority - EV"
!  "Entrust Root Certification Authority - G2"
!  "VeriSign Class 1 Public Primary Certification Authority"
!  "VeriSign Class 2 Public Primary Certification Authority"
!  "VeriSign Class 3 Public Primary Certification Authority"
!  "VeriSign Class 1 Public Primary Certification Authority - G2"
!  "VeriSign Class 2 Public Primary Certification Authority - G2"
!  "VeriSign Class 3 Public Primary Certification Authority - G2"
!  "VeriSign Class 4 Public Primary Certification Authority - G2"
!  "VeriSign Class 1 Public Primary Certification Authority - G3"
!  "VeriSign Class 2 Public Primary Certification Authority - G3"
!  "VeriSign Class 3 Public Primary Certification Authority - G3"
!  "VeriSign Class 3 Public Primary Certification Authority - G5"
!  "VeriSign Class 4 Public Primary Certification Authority - G3"
!  "Thawte Primary Root CA"
!  "Thawte Primary Root CA - G2 ECC"
!  "Thawte Server CA"
!  "Thawte Premium Server CA"
!  "Thawte Personal Basic CA"
!  "Thawte Personal Freemail CA"
!  "Thawte Personal Premium CA"
*- "TSM Server SelfSigned Key"
-  "TSM Server SelfSigned SHA Key"
Set the default to the SHA Key:
T:\CONFIG>gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
and check again; the * must now be on the SHA key (the MD5-signed "TSM Server SelfSigned Key" is still listed as a personal certificate, it is simply no longer the default):
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!  "Entrust.net Secure Server Certification Authority"
!  "Entrust.net Certification Authority (2048)"
!  "Entrust.net Client Certification Authority"
!  "Entrust.net Global Client Certification Authority"
!  "Entrust.net Global Secure Server Certification Authority"
!  "Entrust.net Certification Authority (2048) 29"
!  "Entrust Root Certification Authority - EC1"
!  "Entrust Root Certification Authority - EV"
!  "Entrust Root Certification Authority - G2"
!  "VeriSign Class 1 Public Primary Certification Authority"
!  "VeriSign Class 2 Public Primary Certification Authority"
!  "VeriSign Class 3 Public Primary Certification Authority"
!  "VeriSign Class 1 Public Primary Certification Authority - G2"
!  "VeriSign Class 2 Public Primary Certification Authority - G2"
!  "VeriSign Class 3 Public Primary Certification Authority - G2"
!  "VeriSign Class 4 Public Primary Certification Authority - G2"
!  "VeriSign Class 1 Public Primary Certification Authority - G3"
!  "VeriSign Class 2 Public Primary Certification Authority - G3"
!  "VeriSign Class 3 Public Primary Certification Authority - G3"
!  "VeriSign Class 3 Public Primary Certification Authority - G5"
!  "VeriSign Class 4 Public Primary Certification Authority - G3"
!  "Thawte Primary Root CA"
!  "Thawte Primary Root CA - G2 ECC"
!  "Thawte Server CA"
!  "Thawte Premium Server CA"
!  "Thawte Personal Basic CA"
!  "Thawte Personal Freemail CA"
!  "Thawte Personal Premium CA"
*- "TSM Server SelfSigned SHA Key"
Extend dsmserv.opt
Add the following lines to dsmserv.opt (port numbers as you like). The options are read at server start, so the instance has to be restarted afterwards. Note that SSLDISABLELEGACYTLS Yes refuses anything below TLS 1.2 on the SSL ports, so clients that cannot do TLS 1.2 will no longer connect there:
SSLTCPPort 3111
SSLTCPADMINPort 5111
SSLDISABLELEGACYtls Yes
SSLTLS12 Yes
SSLFIPSMODE Yes
Make certificate available
Copy the cert256.arm file (the public certificate of the SHA key; cert.arm belongs to the old MD5 key) from the server configuration folder to a place accessible to the ISP client admins.
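The steps above (PATH, default-certificate check and switch, dsmserv.opt options, publishing cert256.arm) as one script. This is an added example, not code from the page or from IBM; it only uses the gsk8capicmd_64 invocations shown above. Assumed and not stated on the page: the configuration folder T:\CONFIG, the share \\fileserver\ispcerts for the client admins, and that the script runs as the account owning cert.kdb and cert.sth while the server instance is stopped.

```powershell
# Added example (not from the original page): audit and fix the ISP/TSM server
# certificate default and the TLS options in dsmserv.opt on Windows.
# Assumptions: $ConfigDir holds cert.kdb, cert.sth, dsmserv.opt and cert256.arm;
# $ArmTarget is an existing share readable by the client admins (hypothetical name).
param(
    [string]$ConfigDir  = 'T:\CONFIG',
    [string]$ArmTarget  = '\\fileserver\ispcerts',
    [string]$ShaLabel   = 'TSM Server SelfSigned SHA Key',
    [string[]]$GskPaths = @(
        'C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin',
        'C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64'
    )
)

# Options the page adds to dsmserv.opt (port numbers as you like).
$RequiredOptions = [ordered]@{
    'SSLTCPPort'          = '3111'
    'SSLTCPADMINPort'     = '5111'
    'SSLDISABLELEGACYtls' = 'Yes'
    'SSLTLS12'            = 'Yes'
    'SSLFIPSMODE'         = 'Yes'
}

# Same as the "set PATH=..." line above, for this session only.
$env:Path = ($GskPaths -join ';') + ';' + $env:Path
Set-Location $ConfigDir

# Parse the "gsk8capicmd_64 -cert -list" output: each certificate line carries the
# legend markers (* default, - personal, ! trusted, # secret key) and a quoted label.
# The legend line itself has no quotes and is therefore skipped by the regex.
function Get-CertList {
    $raw = & gsk8capicmd_64 -cert -list -db cert.kdb -stashed
    if ($LASTEXITCODE -ne 0) { throw 'gsk8capicmd_64 -cert -list failed' }
    foreach ($line in $raw) {
        if ($line -match '^\s*([*!#-]+)\s+"(.+)"\s*$') {
            [pscustomobject]@{
                Label    = $Matches[2]
                Default  = $Matches[1].Contains('*')
                Personal = $Matches[1].Contains('-')
            }
        }
    }
}

$certs   = Get-CertList
$default = $certs | Where-Object { $_.Default }
Write-Host "Current default certificate: '$($default.Label)'"

if ($default.Label -ne $ShaLabel) {
    if (-not ($certs | Where-Object { $_.Label -eq $ShaLabel })) {
        throw "No certificate labelled '$ShaLabel' in cert.kdb; nothing to switch to."
    }
    & gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label $ShaLabel
    if ($LASTEXITCODE -ne 0) { throw 'gsk8capicmd_64 -cert -setdefault failed' }
    # Verify instead of assuming: list again and check that the * moved.
    $default = Get-CertList | Where-Object { $_.Default }
    if ($default.Label -ne $ShaLabel) { throw "Default is still '$($default.Label)'" }
    Write-Host "Default switched to '$ShaLabel'."
}

# dsmserv.opt: append only the options that are not set yet, keeping a backup.
# Option names are matched case-insensitively (-match default), like the server does.
$optFile  = Join-Path $ConfigDir 'dsmserv.opt'
$existing = Get-Content $optFile
$missing  = @()
foreach ($name in $RequiredOptions.Keys) {
    if (-not ($existing | Where-Object { $_ -match "^\s*$name\b" })) {
        $missing += "$name $($RequiredOptions[$name])"
    }
}
if ($missing.Count -gt 0) {
    Copy-Item $optFile "$optFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Add-Content -Path $optFile -Value $missing
    Write-Host "Added to dsmserv.opt (restart the server instance):`n$($missing -join "`n")"
}

# Publish the SHA key's certificate for the client admins (cert256.arm, not cert.arm).
Copy-Item (Join-Path $ConfigDir 'cert256.arm') $ArmTarget
```

The script deliberately re-reads the key database after -setdefault rather than trusting the exit code, and it only ever appends to dsmserv.opt; an option that is already present with a different value is left alone and reported nowhere, so review the file before restarting the instance.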
ISP-7.1.7 on SLES 12
– will follow up soon
Clients
See the client documentation.