Revisions compared: en:services:storage_services:backup:tsm:admin:tls_self [2018/05/02 14:00] (Using self signed certificates with TSM / ISP, bnachtw) and en:services:storage_services:backup:tsm:admin:tls_self [2019/02/19 10:28] (current; ISP-7.1.6 on SLES 12, bnachtw)
====== TLS: Using self signed certificates ======
===== ISP-8.1.3 on Windows =====
==== Preparation ====
By default the path leading to the GSKit is not part of the //%PATH%// environment variable, so first it has to be added:
<code>
set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\;C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64;%PATH%
</code>
==== Check on SHA / change default to SHA ====
Especially if an update has been done from a former version like ISP-7.1.6 or 8.1.0, the default certificate is MD5-signed.
If so, the default certificate (indicated by a * on the left) is not named //SHA Key//, e.g.
<code>
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!   "Entrust.net Secure Server Certification Authority"
!   "Entrust.net Certification Authority (2048)"
!   "Entrust.net Client Certification Authority"
!   "Entrust.net Global Client Certification Authority"
!   "Entrust.net Global Secure Server Certification Authority"
!   "Entrust.net Certification Authority (2048) 29"
!   "Entrust Root Certification Authority - EC1"
!   "Entrust Root Certification Authority - EV"
!   "Entrust Root Certification Authority - G2"
!   "VeriSign Class 1 Public Primary Certification Authority"
!   "VeriSign Class 2 Public Primary Certification Authority"
!   "VeriSign Class 3 Public Primary Certification Authority"
!   "VeriSign Class 1 Public Primary Certification Authority - G2"
!   "VeriSign Class 2 Public Primary Certification Authority - G2"
!   "VeriSign Class 3 Public Primary Certification Authority - G2"
!   "VeriSign Class 4 Public Primary Certification Authority - G2"
!   "VeriSign Class 1 Public Primary Certification Authority - G3"
!   "VeriSign Class 2 Public Primary Certification Authority - G3"
!   "VeriSign Class 3 Public Primary Certification Authority - G3"
!   "VeriSign Class 3 Public Primary Certification Authority - G5"
!   "VeriSign Class 4 Public Primary Certification Authority - G3"
!   "Thawte Primary Root CA"
!   "Thawte Primary Root CA - G2 ECC"
!   "Thawte Server CA"
!   "Thawte Premium Server CA"
!   "Thawte Personal Basic CA"
!   "Thawte Personal Freemail CA"
!   "Thawte Personal Premium CA"
*-  "TSM Server SelfSigned Key"
-   "TSM Server SelfSigned SHA Key"
</code>

Set the default to the SHA Key:
<code>
T:\CONFIG>gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
</code>

and check again:
<code>
T:\CONFIG>gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!   "Entrust.net Secure Server Certification Authority"
!   "Entrust.net Certification Authority (2048)"
!   "Entrust.net Client Certification Authority"
!   "Entrust.net Global Client Certification Authority"
!   "Entrust.net Global Secure Server Certification Authority"
!   "Entrust.net Certification Authority (2048) 29"
!   "Entrust Root Certification Authority - EC1"
!   "Entrust Root Certification Authority - EV"
!   "Entrust Root Certification Authority - G2"
!   "VeriSign Class 1 Public Primary Certification Authority"
!   "VeriSign Class 2 Public Primary Certification Authority"
!   "VeriSign Class 3 Public Primary Certification Authority"
!   "VeriSign Class 1 Public Primary Certification Authority - G2"
!   "VeriSign Class 2 Public Primary Certification Authority - G2"
!   "VeriSign Class 3 Public Primary Certification Authority - G2"
!   "VeriSign Class 4 Public Primary Certification Authority - G2"
!   "VeriSign Class 1 Public Primary Certification Authority - G3"
!   "VeriSign Class 2 Public Primary Certification Authority - G3"
!   "VeriSign Class 3 Public Primary Certification Authority - G3"
!   "VeriSign Class 3 Public Primary Certification Authority - G5"
!   "VeriSign Class 4 Public Primary Certification Authority - G3"
!   "Thawte Primary Root CA"
!   "Thawte Primary Root CA - G2 ECC"
!   "Thawte Server CA"
!   "Thawte Premium Server CA"
!   "Thawte Personal Basic CA"
!   "Thawte Personal Freemail CA"
!   "Thawte Personal Premium CA"
*-  "TSM Server SelfSigned SHA Key"
</code>

==== Extend dsmserv.opt ====
Add the following lines to ''dsmserv.opt'' (port numbers as you like):
<code>
SSLTCPPort 3111
SSLTCPADMINPort 5111
SSLDISABLELEGACYtls Yes
SSLTLS12 Yes
SSLFIPSMODE Yes
</code>

==== Make certificate available ====
Copy the ''cert256.arm'' file from the server configuration folder to a place accessible for the ISP client admins.
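To verify the outcome of the steps above from a script, here is an added Python check (not part of this wiki page, of ISP or of GSKit): it parses the ''gsk8capicmd_64 -cert -list'' output for the entry flagged with * and reports whether that default is the SHA key, and it checks a ''dsmserv.opt'' for the TLS options listed above. The sample listing and option fragment are constructed; ''check_live_kdb'' assumes ''gsk8capicmd_64'' is on PATH and the key database lies in the current directory, as in the commands above.

```python
"""Added check for this page's steps: is the default key in cert.kdb the SHA one,
and does dsmserv.opt carry the TLS options?  All sample texts are constructed."""
import re
import subprocess
# Constructed to mirror the gsk8capicmd_64 -cert -list output shown on this page.
SAMPLE_LIST = """Zertifikate gefunden
* Standard, - persönlich, ! zuverlässig, # secret key
!   "Entrust Root Certification Authority - G2"
*-  "TSM Server SelfSigned Key"
-   "TSM Server SelfSigned SHA Key"
"""
SAMPLE_OPT = """* constructed dsmserv.opt fragment (a leading * is a comment)
SSLTCPPort 3111
SSLTCPADMINPort 5111
SSLDISABLELEGACYtls Yes
SSLTLS12 Yes
SSLFIPSMODE Yes
"""
# dsmserv.opt option names are case-insensitive, so everything is compared upper-cased.
REQUIRED_OPTS = {"SSLDISABLELEGACYTLS": "YES", "SSLTLS12": "YES", "SSLFIPSMODE": "YES"}
PORT_OPTS = ("SSLTCPPORT", "SSLTCPADMINPORT")  # any numeric port is accepted
def default_label(cert_list_output):
    """Label of the entry whose flag column contains '*' (the default), or None."""
    for line in cert_list_output.splitlines():
        m = re.match(r'^\s*(\S+)\s+"(.+)"\s*$', line)
        if m and "*" in m.group(1):
            return m.group(2)
    return None

def default_is_sha(cert_list_output):
    """True only when the default certificate is the SHA-labelled self-signed key."""
    label = default_label(cert_list_output)
    return label is not None and "SHA" in label.upper()

def missing_tls_options(dsmserv_opt_text):
    """Required options that are absent or mis-set; comment lines (*) are ignored."""
    found = {}
    for line in dsmserv_opt_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("*"):
            found[parts[0].upper()] = parts[1].upper()
    missing = [k for k, v in REQUIRED_OPTS.items() if found.get(k) != v]
    missing += [p for p in PORT_OPTS if not found.get(p, "").isdigit()]
    return sorted(missing)

def check_live_kdb(kdb="cert.kdb"):
    """Query the real key database; assumes gsk8capicmd_64 is on PATH (see Preparation)."""
    out = subprocess.run(["gsk8capicmd_64", "-cert", "-list", "-db", kdb, "-stashed"],
                         capture_output=True, text=True, check=True).stdout
    return default_label(out), default_is_sha(out)
```

Run ''missing_tls_options'' on the real ''dsmserv.opt'' contents and ''check_live_kdb()'' on the server; an empty list and a ''True'' second value mean both steps took effect.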
===== ISP-7.1.7 on SLES 12 =====

FIXME -- will follow up soon :-)

====== Clients ======
Look at the [[de:services:storage_services:backup:tsm:anleitungen:tls|client documentation]].