As a follow-up to our article "IBM Storage Protect server certificate cert256.arm expired: 10 steps to fix", we present the following new features in IBM Storage Protect version 8.1.20.
IBM Storage Protect server version 8.1.20.0 introduces the new command CREATE CERTIFICATE, which creates a new server certificate (cert256.arm).
3 steps to create the new certificate
The following new commands are part of version 8.1.20 in IBM Storage Protect:
CREATE CERTIFICATE (Create a new TLS certificate)
SET DEFAULTTLSCERT (Mark a TLS certificate as the default)
SET COMMANDAPPROVAL (Specifies whether command approval)
For better monitoring and notification of the certificate expiration date, the following options have been added:
TLSCERTEXPIREWARNCONN
TLSCERTEXPIREWARNDAYS
Below we show the steps needed to use the new commands and how they are carried out in a sample environment.
Step 1: "New certificate IBM Storage Protect 8.1.20 - 20 days duration"
Create a certificate for an IBM Storage Protect server using CREATE CERTIFICATE. The label used in the command is German for "New certificate IBM Storage Protect 8.1.20 - 20 days duration":
CREATE CERTIFICATE "Neues Zertifikat IBM Storage Protect 8.1.20 – 20 Tage Laufzeit" TODATE=today+20
Unfortunately, the command gives no feedback that the certificate has been created. This has to be checked using GSK8 commands:
The screenshot shows that the certificate has been created and added to cert.kdb, but is not yet the default certificate. The public key is stored in the instance directory as documented:
The correct validity period can also be checked using GSK8:
Step 2: The generated certificate is declared as the default certificate using SET DEFAULTTLSCERT:
SET DEFAULTTLSCERT "Neues Zertifikat IBM Storage Protect 8.1.20 – 20 Tage Laufzeit"
This can be checked with GSK8:
To ensure that the certificate is used by the instance as the new default certificate, the instance must be restarted.
Step 3: Monitoring the expiration date of the default certificate
On the client side, the previous action plan remains as described in our blog entry:
For further guidance, please also refer to the action plan described for the 8.1.18 release:
IBM Spectrum Protect server certificate cert.256.arm expired: Troubleshooting tips
The new options for better monitoring of the expiration date of the default certificate are set accordingly and entered in the dsmserv.opt file of the instance.
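The server options cover monitoring from within the instance. As an added example (not from the original article or from IBM), the following script checks the expiry of an exported certificate file from outside the server, for use in external monitoring. It assumes that openssl is installed and that the .arm file is PEM encoded; the function names, the sample certificate and the file path are hypothetical.

```shell
#!/bin/sh
# Added example: out-of-band expiry check for an exported server certificate.
# Assumptions: openssl is installed and the .arm file is PEM (base64) encoded.

# cert_expiry_status FILE WARN_DAYS
# Returns 0 = valid beyond the warning window, 1 = expires within WARN_DAYS,
#         2 = already expired, 3 = file missing or not a parsable certificate.
cert_expiry_status() {
    cert=$1
    warn_days=$2
    # Fail closed: unreadable input must never be reported as "OK".
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 3
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$cert" -noout \
        -checkend $((warn_days * 86400)) >/dev/null 2>&1 || return 1
    return 0
}

# make_sample_cert DIR DAYS: constructed self-signed test certificate,
# standing in for the 20-day certificate created in step 1.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample" \
        -keyout "$1/sample.key" -out "$1/sample.arm" >/dev/null 2>&1
}

# Run as: sh check_cert.sh /path/to/certificate.arm 30   (path is a placeholder)
if [ "$#" -eq 2 ]; then
    rc=0
    cert_expiry_status "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $1 is valid for more than $2 days" ;;
        1) echo "WARNING: $1 expires within $2 days"
           openssl x509 -in "$1" -noout -enddate ;;
        2) echo "CRITICAL: $1 has expired" ;;
        *) echo "UNKNOWN: cannot parse $1 as a certificate" ;;
    esac
    exit "$rc"
fi
```

The exit codes follow the usual monitoring plugin convention, so the script can be called from a scheduler or monitoring agent on the server host.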
Source
Sebastian Kentzler