TSM Server and Client – TLS12 – SSL Communication

29.06.2016

The current settings for secure SSL communication are:

TSM Server Options:

SSLDISABLELEGACYTLS Yes
SSLHIDELEGACYTLS No (default)
SSLFIPSMODE YES
SSLINITTIMEOUT 1
SSLTLS12 YES
SSLTCPPORT xxx
SSLTCPADMINPORT xxx

TSM Client Options:

tcpport xxx 
tcpadminport xxx
SSL yes 
SSLREQUIRED yes 
SSLDISABLELEGACYTLS yes 
SSLFIPSMODE yes

and copying and importing cert256.arm onto the client:

gsk8capicmd_64 -keydb -create -populate -db dsmcert.kdb -pw PASSWORD -stash 
gsk8capicmd_64 -cert -add -db dsmcert.kdb -stashed -label "TSM server NAME self-signed key" -file /.../cert256.arm -format ascii

PASSWORD and NAME can be chosen freely.

The server version should be > 6.3 and the clients higher than 6.1.

It is important that the server uses the correct default label.

The startup message for this is:

ANR3339I Default Label in key data base is TSM Server SelfSigned SHA Key.

Incorrect, for example, is:

ANR3339I Default Label in key data base is TSM Server SelfSigned Key.

The corresponding error message is then:

Server: ANR8583E An SSL socket-initialization error occurred on session 1.  The GSKit return code is 447.

If the default label has to be changed, the procedure is as follows:

1. Determine the password (it can also be changed in the process: update sslkeyringpw):

tsm: TSM>Query SSLKEYRINGPW
KEYRING FILE PASSWORD
----------------------- 
XXX...XXX

2. Stop the server

3. Switch the default and verify

tsm@sles-tsm:/tsm1/tsminst1> gsk8capicmd_64 -cert -list -db cert.kdb 
Source database password : xxx...xxx

Certificates found * default, - personal, ! trusted, # secret key 
!       "Entrust.net Secure Server Certification Authority" 
!       "Entrust.net Certification Authority (2048)" 
!       "Entrust.net Client Certification Authority" 
!       "Entrust.net Global Client Certification Authority" 
!       "Entrust.net Global Secure Server Certification Authority" 
!       "VeriSign Class 1 Public Primary Certification Authority" 
!       "VeriSign Class 2 Public Primary Certification Authority" 
!       "VeriSign Class 3 Public Primary Certification Authority" 
!       "VeriSign Class 1 Public Primary Certification Authority - G2" 
!       "VeriSign Class 2 Public Primary Certification Authority - G2" 
!       "VeriSign Class 3 Public Primary Certification Authority - G2" 
!       "VeriSign Class 4 Public Primary Certification Authority - G2" 
!       "VeriSign Class 1 Public Primary Certification Authority - G3" 
!       "VeriSign Class 2 Public Primary Certification Authority - G3" 
!       "VeriSign Class 3 Public Primary Certification Authority - G3" 
!       "VeriSign Class 3 Public Primary Certification Authority - G5" 
!       "VeriSign Class 4 Public Primary Certification Authority - G3" 
!       "VeriSign Class 3 Secure Server CA" 
!       "Thawte Server CA" 
!       "Thawte Premium Server CA" 
!       "Thawte Personal Basic CA" 
!       "Thawte Personal Freemail CA" 
!       "Thawte Personal Premium CA" 
*-      "TSM Server SelfSigned Key" 
-       "TSM Server SelfSigned SHA Key"

tsm@sles-tsm:/tsm1/tsminst1> gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

tsm@sles-tsm:/tsm1/tsminst1> gsk8capicmd_64 -cert -list -db cert.kdb
Source database password : xxx...xxx

Certificates found * default, - personal, ! trusted, # secret key 
!       "Entrust.net Secure Server Certification Authority" 
!       "Entrust.net Certification Authority (2048)" 
!       "Entrust.net Client Certification Authority" 
!       "Entrust.net Global Client Certification Authority" 
!       "Entrust.net Global Secure Server Certification Authority" 
!       "VeriSign Class 1 Public Primary Certification Authority" 
!       "VeriSign Class 2 Public Primary Certification Authority" 
!       "VeriSign Class 3 Public Primary Certification Authority" 
!       "VeriSign Class 1 Public Primary Certification Authority - G2" 
!       "VeriSign Class 2 Public Primary Certification Authority - G2" 
!       "VeriSign Class 3 Public Primary Certification Authority - G2" 
!       "VeriSign Class 4 Public Primary Certification Authority - G2" 
!       "VeriSign Class 1 Public Primary Certification Authority - G3" 
!       "VeriSign Class 2 Public Primary Certification Authority - G3" 
!       "VeriSign Class 3 Public Primary Certification Authority - G3" 
!       "VeriSign Class 3 Public Primary Certification Authority - G5" 
!       "VeriSign Class 4 Public Primary Certification Authority - G3" 
!       "VeriSign Class 3 Secure Server CA" 
!       "Thawte Server CA" 
!       "Thawte Premium Server CA" 
!       "Thawte Personal Basic CA" 
!       "Thawte Personal Freemail CA" 
!       "Thawte Personal Premium CA" 
-       "TSM Server SelfSigned Key" 
*-      "TSM Server SelfSigned SHA Key"

4. Start the server

Verifying the encryption:

Messages during session setup in the actlog

ANR8592I Session 1 connection is using SSL version TLSV12, cipher specification AES-256-GCM certificate serial number xx:xx:xx:xx:xx:xx:xx:xx.

Output of query session

tsm: TSM1>q sess
Sess    Comm.      Sess        Wait      Sess        Platform     Client Name 
Number  Method     State       Time      Type 
----------------------------------------------------------------------------------      
1       SSL        Run          0 S       Admin       Linux x86-64       CARUS
2       SSL        IdleW       15 S       Node        Linux x86-64       CLIENT

Output on the client

tsm> q sess 

TSM Server Connection Information
Server Version..........: Ver. 7, Rel. 1, Lev. 6.0

SSL Information.........: TLSv1.2 (FIPS) AES-256-GCM
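As an added example (not from the original post), the following shell functions check the two things the post tells you to verify: that the default label in the key database is the SHA key, and that the sessions reported in the actlog negotiated TLSV12. The cert-list and actlog samples are constructed and trimmed; in practice the input comes from gsk8capicmd_64 -cert -list and the server activity log.

```shell
# Added example, not from the original post: offline checks for the two
# artefacts discussed above, run over constructed sample output.

# Constructed, trimmed sample of "gsk8capicmd_64 -cert -list" output
# before the default was switched (the SHA key is not yet the default).
CERT_LIST_BEFORE='Certificates found * default, - personal, ! trusted, # secret key
!       "Entrust.net Secure Server Certification Authority"
*-      "TSM Server SelfSigned Key"
-       "TSM Server SelfSigned SHA Key"'

# The same listing after "gsk8capicmd_64 -cert -setdefault ...".
CERT_LIST_AFTER='Certificates found * default, - personal, ! trusted, # secret key
!       "Entrust.net Secure Server Certification Authority"
-       "TSM Server SelfSigned Key"
*-      "TSM Server SelfSigned SHA Key"'

EXPECTED_LABEL="TSM Server SelfSigned SHA Key"

# Print the label flagged "*" (default) in a cert-list dump read from stdin.
default_label() {
    awk -F'"' '/^\*/ { print $2; exit }'
}

# Return 0 if the default label in listing $1 equals $2, 1 otherwise.
check_default_label() {
    actual=$(printf '%s\n' "$1" | default_label)
    [ "$actual" = "$2" ]
}

# Constructed actlog excerpt: one TLS 1.2 session, one legacy session,
# and the GSKit 447 error the post attributes to a wrong default label.
ACTLOG='ANR8592I Session 1 connection is using SSL version TLSV12, cipher specification AES-256-GCM certificate serial number xx:xx:xx:xx:xx:xx:xx:xx.
ANR8592I Session 2 connection is using SSL version TLSV1, cipher specification AES-128-SHA certificate serial number xx:xx:xx:xx:xx:xx:xx:xx.
ANR8583E An SSL socket-initialization error occurred on session 3.  The GSKit return code is 447.'

# Count ANR8592I sessions whose negotiated SSL version is not TLSV12.
count_legacy_sessions() {
    printf '%s\n' "$1" | awk '/ANR8592I/ && !/SSL version TLSV12,/ { n++ } END { print n+0 }'
}

# Count ANR8583E errors with GSKit return code 447.
count_gskit_447() {
    printf '%s\n' "$1" | awk '/ANR8583E/ && /GSKit return code is 447/ { n++ } END { print n+0 }'
}

# Stand-alone run: report the state of both listings and the actlog.
check_default_label "$CERT_LIST_BEFORE" "$EXPECTED_LABEL" || echo "before: wrong default label"
check_default_label "$CERT_LIST_AFTER" "$EXPECTED_LABEL" && echo "after: default label OK"
echo "legacy sessions: $(count_legacy_sessions "$ACTLOG"), GSKit 447 errors: $(count_gskit_447 "$ACTLOG")"
```

Feeding real output in is a matter of replacing the constructed strings with command substitutions, for example the listing with `$(gsk8capicmd_64 -cert -list -db cert.kdb -stashed)`.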

The post TSM Server and Client – TLS12 – SSL Communication first appeared on the Spectrum Protect (TSM) Blog.
