How to Recertify SSL Certificate on TSM Client after Machine Change or DR Process

Are you seeing below TSM error message when you run dsmc command on TSM client?

my_tsmsvr01:[root]/tsm>dsmc query session  
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 11.0
  Client date/time: 07/13/2021 13:50:32
(c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved.

Node Name: MYTSMCLIENT01
ANS1695E The certificate is not valid. <-- TSM Client SSL Error Message

From TSM Server, you can find the message as below.

ANR8599W The connection with 192.168.11.23:62245 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow

This situation typically arises when there is a change in the TSM client machine, such as during a DR (Disaster Recovery) process, resulting in the loss of the initial SSL certificate. TSM server then prompts and inquires about the whereabouts of the SSL certificate. Basically asking “Hey TSM client, where’s the SSL certificate that I provided before?” To resolve this, you will need to perform a recertification process by installing the certificate. This certificate should be copied from the TSM server. Below is the procedure.

Step 1. Copy “cert256.arm” from TSM Server to TSM Client machine.

Yes, cert256.arm is the SSL certificate that you’re looking for. It resides on TSM server’s home instance user directory where TSM instance has been created. Below example is that I created TSM server instance and its home user directory under /opt/tivoli/tsmsvr01. Run scp it to TSM client machine’s /tmp folder.

scp tsmsvr01:/opt/tivoli/tsmsvr01/cert256.arm  my_tsmclient01:/tmp 
Step 2. Recertify SSL certificate on TSM client machine

Below is the syntax how to recertify SSL certificate on TSM client machine.

dsmcert -add -server <servername>     -file </path/cert256.arm>
                     ------------           ------------------
		 TSM Server Instance       Full path of cert256.arm

Now refer to the output below how it failed running dsmc query session command and then recertify and resolved the SSL certificate error. Again. cert256.arm must be copied from TSM server to TSM client prior to recertification. Below is the output after certificate(cert256.arm) copied from TSM server.

my_tsmclient01:/# dsmc query session
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 11.0
  Client date/time: 06/18/21   11:43:44
(c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved.

Node Name: TSMCLIENT01
ANS1592E Failed to initialize SSL protocol.

my_tsmclient01:/#
my_tsmclient01:/#
my_tsmclient01:/# dsmcert -add -server tsmsvr01 -file /tmp/cert256.arm
IBM Spectrum Protect
dsmcert utility
  dsmcert Version 8, Release 1, Level 11.0
  dsmcert date/time: 06/18/21   11:46:25
 (c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved.

Result : Success
my_tsmclient01:/#
my_tsmclient01:/#
my_tsmclient01:/# dsmc query session
IBM Spectrum Protect
Command Line Backup-Archive Client Interface
  Client Version 8, Release 1, Level 11.0
  Client date/time: 06/18/21   11:46:47
(c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved.

Node Name: TSMCLIENT01
Session established with server TSMSVR01: Linux/x86_64
  Server Version 8, Release 1, Level 11.000
  Server date/time: 06/18/21   11:46:48  Last access: 06/09/21   10:31:06

IBM Spectrum Protect Server Connection Information

Home Server Name........: SERVER_A
Server Type.............: Linux/x86_64
Archive Retain Protect..: "No"
Server Version..........: Ver. 8, Rel. 1, Lev. 11.0
Last Access Date........: 06/09/21   10:31:06
Delete Backup Files.....: "No"
Delete Archive Files....: "Yes"
Deduplication...........: "Server Only"

Node Name...............: TSMCLIENT01
User Name...............: root

SSL Information.........: TLSv1.3 TLS_AES_256_GCM_SHA384

my_tsmclient01:/#

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top