To use the Secure Sockets Layer (SSL) protocol to secure communications between the Operations Center and the hub server, you must add the SSL certificate of the hub server to the truststore file of the Operations Center.
Before you begin
The truststore file of the Operations Center is a container for SSL certificates that the Operations Center can access. The truststore file contains the SSL certificate that the Operations Center uses for HTTPS communication with web browsers.
During the installation of the Operations Center, you create a password for the truststore file. To set up SSL communication between the Operations Center and the hub server, you must use the same password to add the SSL certificate of the hub server to the truststore file. If you do not remember this password, you can reset it. See “Resetting the password for the Operations Center truststore file” on page 127.
Procedure
1. To ensure that SSL ports are set on the hub server, complete the following steps:
a. From a Tivoli Storage Manager command line, issue the following command to the hub server:
QUERY OPTION SSL*
The results include four server options, as shown in the following example:
Server Option       Option Setting
-----------------   --------------
SSLTCPPort          3700
SSLTCPADMINPort     3800
SSLTLS12            Yes
SSLFIPSMODE         No
b. Ensure that the SSLTCPPORT option has a value in the Option Setting column. Also, ensure that the SSLTLS12 option is set to YES so that the Transport Layer Security (TLS) protocol version 1.2 is used for communication. To update the values of these options, edit the dsmserv.opt file of the hub server, and restart the hub server.
2. Specify the cert256.arm certificate as the default certificate in the key database file of the hub server.
The cert256.arm certificate must be used for SSL connections to the hub server if the SSLTLS12 option is set to YES. To specify cert256.arm as the default certificate, complete the following steps:
a. Issue the following command from the hub server instance directory:
gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
b. Restart the hub server so that it can receive the changes to the key database file.
3. To verify that the cert256.arm certificate is set as the default certificate in the key database file of the hub server, issue the following command:
gsk8capicmd_64 -cert -list -db cert.kdb -stashed
4. Stop the Operations Center web server.
5. Go to the command line of the operating system on which the Operations Center is installed.
6. Add the SSL certificate to the truststore file of the Operations Center by using the iKeycmd command or the iKeyman command. The iKeyman command opens the IBM Key Management graphical user interface, and iKeycmd is a command line interface.
To add the SSL certificate by using the command line interface, complete the following step:
a. From the command line, issue the iKeycmd command to add the cert256.arm certificate as the default certificate in the key database file of the hub server:
ikeycmd -cert -add -db /installation_dir/Liberty/usr/servers/guiServer/gui-truststore.jks -file /fvt/comfrey/srv/cert256.arm -label 'label description' -pw 'password' -type jks -format ascii -trust enable
where:
installation_dir
The directory in which the Operations Center is installed.
label description
The description that you assign to the label.
password
The password that you created when you installed the Operations Center. To reset the password, uninstall the Operations Center, delete the .jks file, and reinstall the Operations Center.
To add the SSL certificate by using the IBM Key Management window, complete the following steps:
a. Go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
• installation_dir/ui/jre/bin
b. Open the IBM Key Management window by issuing the following command:
ikeyman
c. Click Key Database File > Open.
d. In the Open window, click Browse, and go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
• installation_dir/ui/Liberty/usr/servers/guiServer
e. In the guiServer directory, select the gui-truststore.jks file.
f. Click Open, and click OK.
g. Enter the password for the truststore file, and click OK.
h. In the Key database content area of the IBM Key Management window, click the arrow, and select Signer Certificates from the list.
i. Click Add.
j. In the Open window, click Browse, and go to the hub server instance directory, as shown in the following example:
• /opt/tivoli/tsm/server/bin
The directory contains the following SSL certificates:
• cert.arm
• cert256.arm
If you cannot access the hub server instance directory from the Open window, complete the following steps:
1) Use FTP or another file-transfer method to copy the cert256.arm files from the hub server to the following directory on the computer where the Operations Center is installed:
• installation_dir/ui/Liberty/usr/servers/guiServer
2) In the Open window, go to the guiServer directory.
k. Because the SSLTLS12 server option is set to YES, select the cert256.arm certificate as the SSL certificate.
Tip: The certificate that you choose must be set as the default certificate in the key database file of the hub server. For more information, see step 2 on page 123 and 3 on page 124.
l. Click Open, and click OK.
m. Enter a label for the certificate. For example, enter the name of the hub server.
n. Click OK. The SSL certificate of the hub server is added to the truststore file, and the label is displayed in the Key database content area of the IBM Key Management window.
o. Close the IBM Key Management window.
7. Start the Operations Center web server.
8. To configure the Operations Center, complete the following steps in the login window of the configuration wizard:
a. In the Connect to field, enter the value of one of the following server options as the port number:
• SSLTCPPORT
• SSLTCPADMINPORT
Tip: If the SSLTCPADMINPORT option has a value, use that value. Otherwise, use the value of the SSLTCPPORT option.
b. Select the Use SSL option.
If the Operations Center was previously configured, you can review the contents of the serverConnection.properties file to verify the connection information. The serverConnection.properties file is in the following directory on the computer where the Operations Center is installed:
• installation_dir/ui/Liberty/usr/servers/guiServer
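The following script is an added example, not part of the original procedure or of the product's own tooling. It checks saved QUERY OPTION SSL* output against the requirements in step 1b and selects the port for the Connect to field according to the tip in step 8a. The function names and the capture of the command output into a shell variable are assumptions; the sample values are those shown in step 1a.

```shell
#!/bin/sh
# Added example (not product code). Sample values are those shown in step 1a.
SAMPLE_OPTIONS='Server Option       Option Setting
-----------------   --------------
SSLTCPPort          3700
SSLTCPADMINPort     3800
SSLTLS12            Yes
SSLFIPSMODE         No'

# get_option NAME TEXT (hypothetical helper): print the setting of option NAME
# (case-insensitive), or nothing if the option is absent or has no setting.
get_option() {
    printf '%s\n' "$2" | awk -v want="$1" '
        toupper($1) == toupper(want) && NF >= 2 { print $2; exit }'
}

# check_ssl_options TEXT: return 0 if the step 1b requirements hold;
# otherwise return 1 and name each failed requirement on stderr.
check_ssl_options() {
    port=$(get_option SSLTCPPORT "$1")
    tls12=$(get_option SSLTLS12 "$1")
    rc=0
    case "$port" in
        ''|*[!0-9]*) echo "SSLTCPPORT has no port value" >&2; rc=1 ;;
    esac
    case "$tls12" in
        [Yy][Ee][Ss]) ;;
        *) echo "SSLTLS12 is not set to YES" >&2; rc=1 ;;
    esac
    return $rc
}

# connect_port TEXT: print the port for the Connect to field (step 8a):
# the SSLTCPADMINPORT value if it has one, otherwise the SSLTCPPORT value.
connect_port() {
    admin=$(get_option SSLTCPADMINPORT "$1")
    case "$admin" in
        ''|*[!0-9]*) get_option SSLTCPPORT "$1" ;;
        *) printf '%s\n' "$admin" ;;
    esac
}

if check_ssl_options "$SAMPLE_OPTIONS"; then
    echo "Hub server SSL options OK; connect on port $(connect_port "$SAMPLE_OPTIONS")"
fi
```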
What to do next
To set up SSL communication between the hub server and a spoke server, see “Configuring for SSL communication between the hub server and a spoke server” on page 126.