IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Securing communications > Configure TLS/SSL communication with the Authorization Policy Server
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Configure the tivcmd CLI for TLS/SSL
In order to use TLS/SSL with the Authorization Policy Server you must prepare the tivcmd Command-Line Interface, create a new key database, add the public signer certificate used by the Authorization Policy Server to the new key database, and then modify the tivcmd CLI environment variable file.
If you requested a digital certificate for the Authorization Policy Server, wait until the certificate has been received before performing this procedure.
The following instructions for managing certificates on the tivcmd CLI computers use the GSKit command line tool that is installed with the tivcmd CLI component. These instructions should be followed on each computer that the tivcmd CLI is installed on.
See Use the GSKit command-line interface to work with key databases and certificates for terms that are used in this procedure. Most terms are based upon the directory to which the tivcmd CLI is installed.
Procedure
- Set the path to invoke the GSKit command line tool using the following commands:
- Windows 64-bit:
set PATH=<gskithome>\lib64;%PATH% cd <gskithome>\bin
- Windows 32-bit:
set PATH=<gskithome>\lib;%PATH% cd <gskithome>\bin
- Linux and UNIX 32-bit:
export LD_LIBRARY_PATH=<gskithome>/lib:$LD_LIBRARY_PATH cd <gskithome>/bin
- Linux and UNIX 64-bit:
export LD_LIBRARY_PATH=<gskithome>/lib64:$LD_LIBRARY_PATH cd <gskithome>/bin
- Save the existing tivcmd CLI key database.
In order to recover issues, best practice is to save the installed version of the tivcmd CLI key database on each tivcmd CLI computer.
Copy the following files with extensions .crl, .kdb, .rdb, and .sth, to another location:
- Windows: <keydbdir>\<oldkeydbname>.*
- Linux and UNIX: <keydbdir>/<oldkeydbname>.*
- Create a new tivcmd CLI key database.
- Create a new database and remove all the extraneous public signer certificates with the following command:
<gskittoolcmd> -keydb -create -db <newkeydb> -pw <newkeydbpw> -expire 3650 -stash -fips
- Verify the database is empty with the following command:
<gskittoolcmd> -cert -list -db <newkeydb> -pw <newkeydbpw> -fipsIf the database is not empty, use the delete command to remove any remaining certificates.
- Add the public signer certificate to the new tivcmd CLI key database.
This step assumes that the public signer certificate has been placed in a location on the tivcmd CLI computer. For example, C:\policyauthcerts\PolicyAuthSignerCert.arm or C:\policyauthcerts\CASignerCert.arm. This location is referenced in this step as <policyauthsignercert>.
Add the public signer certificate to the new tivcmd CLI key database using the following command:
<gskittoolcmd> -cert -add -db <newkeydb> -pw <newkeydbpw> -label "Authorization Policy Signer Certificate" -trust enable -format ascii -file <policyauthsignercert> -fips
- Enable TLS/SSL certificate exchange at each tivcmd CLI computer.
At each tivcmd CLI computer, use the following steps to enable TLS/SSL certificate exchange using the public signed certificate.
- Delete the current key database. Remove the <oldkeydbname>.* files in the <keydbdir> directory.
- Rename all new key database files. For example, <newkeydbname>.* to <oldkeydbname>.* in the <keydbdir> directory.
- Set the environment variable to enable authentication of the Authorization Policy Server certificate.
- Windows: Edit the tivcmd CLI environment file <authclidir>\KDQ\bin\KDQENV by adding the variable ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y after the KDEBE_KEY_LABEL variable.
- Linux and UNIX: Edit the tivcmd CLI environment file <authclidir>/bin/tivcmd by adding the variable export ITM_AUTHENTICATE_SERVER_CERTIFICATE=Y after the KDEBE_KEY_LABEL variable.
Parent topic:
Configure TLS/SSL communication with the Authorization Policy Server