IBM Storage Protect Server version 8.1.20.0 releases new command CREATE CERTIFICATE to create a new server certificate (cert256.arm)

Sebastian Kentzler — 16. October 2023
Reading time: 1:04 minutes


How to simplify Transport Layer Security (TLS) certificate management in IBM Storage Protect and make certificate expiration monitoring more controllable.

As a follow-up to our article "IBM Storage Protect server certificate cert256.arm expired: 10 steps to fix", we present the following new features of version 8.1.20 of IBM Storage Protect.


3 steps to create the new certificate

The following new commands are part of version 8.1.20 in IBM Storage Protect:

  • CREATE CERTIFICATE (Create a new TLS certificate)
  • SET DEFAULTTLSCERT (Mark a TLS certificate as the default)
  • SET COMMANDAPPROVAL (Specifies whether command approval is required)

For better monitoring and notification of the certificate expiration date, the following options have been added:

  • TLSCERTEXPIREWARNCONN
  • TLSCERTEXPIREWARNDAYS

In the following, we show the steps needed to use the new commands, as carried out in a sample environment.

Step 1: "New certificate IBM Storage Protect 8.1.20 - 20 days duration"

Create a certificate with the label "Neues Zertifikat IBM Storage Protect 8.1.20 – 20 Tage Laufzeit" (German for "New certificate IBM Storage Protect 8.1.20 - 20 days duration"; the label is used verbatim in the sample environment) for an IBM Storage Protect server using CREATE CERTIFICATE. The label must be enclosed in straight double quotes, and TODATE sets the expiration date:

CREATE CERTIFICATE "Neues Zertifikat IBM Storage Protect 8.1.20 – 20 Tage Laufzeit" TODATE=today+20

Screenshot: Creating a certificate with the label "New certificate IBM Storage Protect 8.1.20 - 20 days duration"

Unfortunately, the command gives no feedback that the certificate has been created. This must be verified with GSK8 commands (the GSKit command-line tool gsk8capicmd) against the server key database:

Screenshot: Checking with GSK8 commands

The screenshot shows that the certificate has been created and added to cert.kdb, but that it is not yet the default certificate. The public key is stored in the instance directory, as documented:

Screenshot: Certificate file in the instance directory

The correct validity period (20 days in this example) can also be checked with GSK8:

Screenshot: Checking the validity period

Step 2: The generated certificate is declared the default certificate

As the next step, the generated certificate is declared the default certificate with SET DEFAULTTLSCERT. The label must match the one given to CREATE CERTIFICATE exactly:

SET DEFAULTTLSCERT "Neues Zertifikat IBM Storage Protect 8.1.20 – 20 Tage Laufzeit"

Screenshot: The generated certificate is declared the default certificate

This can be checked with GSK8:

Screenshot: Verification with GSK8

To ensure that the instance actually uses the certificate as its new default certificate, the instance must be restarted.

Step 3: Monitoring the expiration date of the default certificate

On the client side, the previous action plan still applies. For further details, please refer to the action plan described in our blog entry for the 8.1.18 release:

IBM Spectrum Protect server certificate cert.256.arm expired: Troubleshooting tips

The new options for better monitoring of the expiration date of the default certificate are set accordingly and entered in the dsmserv.opt file of the instance:

Screenshot: Setting the new options for better monitoring of the expiration date in dsmserv.opt
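The GSK8 checks from steps 1 and 2 (is the new certificate in cert.kdb, is it flagged as the default, does its validity period match) and the expiration monitoring from step 3 can also be scripted, for example for a monitoring system that runs independently of the server's own TLSCERTEXPIREWARNDAYS warnings. The following is an added example, not code from the original post or from IBM: it parses the text that the GSKit tool prints for gsk8capicmd_64 -cert -list and gsk8capicmd_64 -cert -details. The sample outputs are constructed, and the "Not After" date format it assumes may differ between GSKit versions, so parse_gskit_time() is the place to adjust.

```python
"""Offline check of an IBM Storage Protect server key database (cert.kdb).

Added example; not code from the original post or from IBM. It parses the
text that the GSKit CLI prints for
    gsk8capicmd_64 -cert -list    -db cert.kdb -stashed
    gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "<label>"
to answer three questions: which label is the default, is it the
certificate that was just created, and how many days remain before it
expires (the same threshold idea as TLSCERTEXPIREWARNDAYS).
The sample outputs are constructed and the 'Not After' date format is an
assumption; adjust parse_gskit_time() to match your GSKit version.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of '-cert -list' output. GSKit flags the default
# certificate with '*' in the first column.
SAMPLE_LIST = """\
Certificates found
* default, - personal, ! trusted, # secret key
-\t"TSM Server SelfSigned SHA Key"
*-\t"Neues Zertifikat IBM Storage Protect 8.1.20 - 20 Tage Laufzeit"
!\t"Entrust Root Certification Authority"
"""

# Constructed, abridged sample of '-cert -details' output for that label.
SAMPLE_DETAILS = """\
Label : Neues Zertifikat IBM Storage Protect 8.1.20 - 20 Tage Laufzeit
Key Size : 2048
Version : X509 V3
Serial : 42:13:37
Issuer : CN=tsmserver,OU=Storage Protect,O=Example
Subject : CN=tsmserver,OU=Storage Protect,O=Example
Not Before : October 16, 2023 10:00:00 AM GMT
Not After : November 5, 2023 10:00:00 AM GMT
"""


def parse_gskit_time(value: str) -> datetime:
    """Parse a GSKit timestamp (assumed format 'Month D, YYYY H:MM:SS AM GMT')."""
    return datetime.strptime(value.strip(), "%B %d, %Y %I:%M:%S %p GMT").replace(
        tzinfo=timezone.utc
    )


def default_label(list_output: str) -> Optional[str]:
    """Return the label flagged as default ('*' in column 1), or None."""
    for line in list_output.splitlines():
        m = re.match(r'^\*\S*\s+"(.+)"\s*$', line)
        if m:
            return m.group(1)
    return None


def field(details_output: str, name: str) -> str:
    """Return the value of a 'Name : value' line from '-cert -details' output."""
    for line in details_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:
            return value.strip()
    raise ValueError(f"no '{name}' line in details output")


def check_default_certificate(list_output: str, details_output: str,
                              now: datetime, warn_days: int = 30) -> dict:
    """Combine the checks. 'warn_days' plays the role of TLSCERTEXPIREWARNDAYS
    (30 is a value chosen for this example, not the server default)."""
    label = default_label(list_output)
    expiry = parse_gskit_time(field(details_output, "Not After"))
    days_left = (expiry - now).days          # negative once expired
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= warn_days:
        state = "WARNING"
    else:
        state = "OK"
    return {
        "default_label": label,
        "label_matches": label == field(details_output, "Label"),
        "not_after": expiry,
        "days_left": days_left,
        "state": state,
    }


if __name__ == "__main__":
    result = check_default_certificate(SAMPLE_LIST, SAMPLE_DETAILS,
                                       datetime.now(timezone.utc), warn_days=20)
    for key, val in result.items():
        print(f"{key}: {val}")
```

In production the two sample strings would be replaced by the captured output of the two gsk8capicmd_64 calls, run as the instance user so the stash file is readable; the check then complements the server-side TLSCERTEXPIREWARNDAYS warnings with an alert that does not depend on anyone reading the activity log.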

Source

CREATE CERTIFICATE: https://www.ibm.com/docs/en/storage-protect/8.1.20?topic=commands-create-certificate-create-new-tls-certificate

Sebastian Kentzler

More than 25 years of experience in IT in large and medium-sized environments, system administration in large heterogeneous environments, project experience in various large-scale projects, and more than 20 years of experience with the products Tivoli Storage Manager // IBM Spectrum Protect // IBM Storage Protect characterize Sebastian's focus at Empalis. Sebastian Kentzler was a Service Engineer at Empalis Consulting from 2015 to 2020 and has been back on board since 04/2023.
