Are you seeing below TSM error message when you run dsmc command on TSM client?
my_tsmsvr01:[root]/tsm>dsmc query session IBM Spectrum Protect Command Line Backup-Archive Client Interface Client Version 8, Release 1, Level 11.0 Client date/time: 07/13/2021 13:50:32 (c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved. Node Name: MYTSMCLIENT01ANS1695E The certificate is not valid. <-- TSM Client SSL Error Message
From TSM Server, you can find the message as below.
ANR8599W The connection with 192.168.11.23:62245 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow
This situation typically arises when there is a change in the TSM client machine, such as during a DR (Disaster Recovery) process, resulting in the loss of the initial SSL certificate. TSM server then prompts and inquires about the whereabouts of the SSL certificate. Basically asking “Hey TSM client, where’s the SSL certificate that I provided before?” To resolve this, you will need to perform a recertification process by installing the certificate. This certificate should be copied from the TSM server. Below is the procedure.
Step 1. Copy “cert256.arm” from TSM Server to TSM Client machine.
Yes, cert256.arm is the SSL certificate that you’re looking for. It resides on TSM server’s home instance user directory where TSM instance has been created. Below example is that I created TSM server instance and its home user directory under /opt/tivoli/tsmsvr01. Run scp it to TSM client machine’s /tmp folder.
scp tsmsvr01:/opt/tivoli/tsmsvr01/cert256.arm my_tsmclient01:/tmp
Step 2. Recertify SSL certificate on TSM client machine
Below is the syntax how to recertify SSL certificate on TSM client machine.
dsmcert -add -server <servername> -file </path/cert256.arm> ------------ ------------------ TSM Server Instance Full path of cert256.arm
Now refer to the output below how it failed running dsmc query session command and then recertify and resolved the SSL certificate error. Again. cert256.arm must be copied from TSM server to TSM client prior to recertification. Below is the output after certificate(cert256.arm) copied from TSM server.
my_tsmclient01:/# dsmc query session IBM Spectrum Protect Command Line Backup-Archive Client Interface Client Version 8, Release 1, Level 11.0 Client date/time: 06/18/21 11:43:44 (c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved. Node Name: TSMCLIENT01 ANS1592E Failed to initialize SSL protocol. my_tsmclient01:/# my_tsmclient01:/# my_tsmclient01:/# dsmcert -add -server tsmsvr01 -file /tmp/cert256.arm IBM Spectrum Protect dsmcert utility dsmcert Version 8, Release 1, Level 11.0 dsmcert date/time: 06/18/21 11:46:25 (c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved. Result : Success my_tsmclient01:/# my_tsmclient01:/# my_tsmclient01:/# dsmc query session IBM Spectrum Protect Command Line Backup-Archive Client Interface Client Version 8, Release 1, Level 11.0 Client date/time: 06/18/21 11:46:47 (c) Copyright by IBM Corporation and other(s) 1990, 2020. All Rights Reserved. Node Name: TSMCLIENT01 Session established with server TSMSVR01: Linux/x86_64 Server Version 8, Release 1, Level 11.000 Server date/time: 06/18/21 11:46:48 Last access: 06/09/21 10:31:06 IBM Spectrum Protect Server Connection Information Home Server Name........: SERVER_A Server Type.............: Linux/x86_64 Archive Retain Protect..: "No" Server Version..........: Ver. 8, Rel. 1, Lev. 11.0 Last Access Date........: 06/09/21 10:31:06 Delete Backup Files.....: "No" Delete Archive Files....: "Yes" Deduplication...........: "Server Only" Node Name...............: TSMCLIENT01 User Name...............: root SSL Information.........: TLSv1.3 TLS_AES_256_GCM_SHA384 my_tsmclient01:/#