How to exchange SSL certificate for TSM server to server communication(IBM Spectrum Protect)

This post shows how to exchange certificates between source and target TSM servers. When you define TSM (IBM Spectrum Protect) server-to-server communication for work such as node replication, you may often see the errors below even though the DEFINE SERVER command completed successfully on the source TSM server.

Protect: SRCTSM01> tgttsm01: q status
ANR1699I Resolved TGTTSM01 to 1 server(s) - issuing command Q STATUS against server(s).
ANR1696E Server SRCTSM01 attempted to process command ' Q STATUS' but encountered errors.
ANR1697I Command 'Q STATUS' processed by 1 server(s): 0 successful, 0 with warnings, and 1 with errors.
ANS8001I Return code 25.
Protect: SRCTSM01>

The DEFINE SERVER command completes as long as the source can reach the target TSM server's IP address on the given TCP port 1500. However, when you route a TSM command from the source to the target server, you may notice that it fails with the message above. Below are the event messages that can be found with QUERY ACTLOG. It is an SSL certificate error: both TSM servers require the certificates to be exchanged.

Messages from Source TSM server

ANR8583E An SSL socket-initialization error occurred on session 12.  The GSKit return code is 414 GSK_ERROR_BAD_CERT.
ANR8592I Session 13 connection is using protocol TLSV13, cipher specification TLS_AES_256_GCM_SHA384, certificate TSM Self-Signed Certificate.
ANR1696E Server TGTTSM01 attempted to process command ' Q STATUS' but encountered errors.

Messages from Target TSM server

ANR8599W The connection with srctsm01.mydomain.com:45274 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.

This is a new requirement from TSM server version 8, which implements SSL certificates on both ends. This strengthens the security posture not only of TSM server-to-client communication but also of TSM server-to-server communication. If node replication had been running successfully before version 8, you may notice after the version upgrade that the entire node replication fails due to an SSL certificate error. No worries! Here are the steps to exchange and properly install TSM server certificates on both the source and the target TSM server.

Steps for exchanging SSL certificates between source and target TSM servers

Step 1

Locate the TSM server certificate (cert256.arm) of both the source and the target TSM server, then copy each one to its partner TSM server. Usually the certificate is located under the TSM instance user's home directory. Below is an example of how you can copy (scp) cert256.arm from source to target and from target to source. Note the full path of cert256.arm.

srctsm01:/opt/tivoli/srctsm01/cert256.arm  ---> tgttsm01:/tmp/cert256.arm
tgttsm01:/opt/tivoli/tgttsm01/cert256.arm  ---> srctsm01:/tmp/cert256.arm

Copy it to a local path on the partner TSM server that the TSM server instance can read. Be careful not to overwrite the partner TSM server's own cert256.arm. You can simply copy it to the /tmp folder, since other users have write permission there; that way you avoid accidentally overwriting the partner's certificate.

Step 2

Install the certificate on both the source and the target TSM server. You don't need to shut down the TSM server instance. The command is gsk8capicmd_64, which should be run by the TSM server instance user, not by root. The output below shows switching to the TSM instance user before executing gsk8capicmd_64.

Run on Source TSM server

su - srctsm01
gsk8capicmd_64 -cert -add -label 192.168.1.12 -db cert.kdb -stashed -file /tmp/cert256.arm

Here -label 192.168.1.12 is the target TSM server's IP address, and /tmp/cert256.arm is the certificate copied from the target TSM server.

Run on Target TSM server

su - tgttsm01
gsk8capicmd_64 -cert -add -label 192.168.1.11 -db cert.kdb -stashed -file /tmp/cert256.arm

Here -label 192.168.1.11 is the source TSM server's IP address, and /tmp/cert256.arm is the certificate copied from the source TSM server.

Step 3

Restart both the source and the target TSM server instance.

Validation

Use the commands below on both the source and target TSM servers to validate that the certificate was installed successfully.

Source TSM server: note the IP address shown as 192.168.0.12, which is the target TSM server's IP

su - srctsm01
gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!       192.168.1.12
*-      "TSM Server SelfSigned SHA Key"
srctsm01:[srctsm01]/opt/tivoli/srctsm01>

Target TSM server: note the IP address shown as 192.168.0.11, which is the source TSM server's IP

su - tgttsm01
gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!       192.168.1.11
*-      "TSM Server SelfSigned SHA Key"
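As an added example (not part of the original post), the following POSIX shell check parses the gsk8capicmd_64 -cert -list output in the format shown above and confirms that the partner's label is present with the "!" trusted flag, which is the condition the Validation step is looking for. The sample listing is constructed to match that format; the wrapper function only invokes the real gsk8capicmd_64 when it is on the PATH, and the key database path and label are arguments you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that a partner TSM
# server's certificate label is present in the instance key database and
# carries the "!" (trusted) flag, by parsing the listing format that
#   gsk8capicmd_64 -cert -list -db cert.kdb -stashed
# prints in the Validation section.

# Constructed sample listing (source server after Step 2), same format as above.
SAMPLE_LISTING='Certificates found
* default, - personal, ! trusted, # secret key
!       192.168.1.12
*-      "TSM Server SelfSigned SHA Key"'

# cert_trusted LISTING LABEL
# Exit 0 when LABEL is listed with the "!" flag, 1 otherwise (absent, or
# present but not trusted, e.g. the instance's own "*-" personal certificate).
cert_trusted() {
    _listing=$1
    _label=$2
    printf '%s\n' "$_listing" | awk -v want="$_label" '
        # Skip the banner and the flag legend.
        /^Certificates found/ || /^\* default,/ { next }
        # Field 1 is the flag set; the rest of the line is the label,
        # which gsk8capicmd_64 quotes when it contains spaces.
        NF >= 2 {
            flags = $1
            label = $0
            sub(/^[^[:space:]]+[[:space:]]+/, "", label)
            gsub(/"/, "", label)
            if (label == want && index(flags, "!") > 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# partner_cert_trusted KDB LABEL
# Runs the real listing as the instance user (gsk8capicmd_64 must be on PATH)
# and checks it with cert_trusted; run after Step 2 on each server.
partner_cert_trusted() {
    command -v gsk8capicmd_64 >/dev/null 2>&1 || { echo "gsk8capicmd_64 not found in PATH" >&2; return 2; }
    cert_trusted "$(gsk8capicmd_64 -cert -list -db "$1" -stashed)" "$2"
}

# Stand-alone demonstration against the constructed sample.
if cert_trusted "$SAMPLE_LISTING" 192.168.1.12; then
    echo "192.168.1.12: trusted partner certificate present"
else
    echo "192.168.1.12: missing or not trusted" >&2
fi
```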