How to get IBM gskit to trust Let's Encrypt

I'm trying to get a server running IBM Storage Protect 8.1.20 (AKA Spectrum Protect, SP, Tivoli Storage Manager, TSM) to trust a minio server over https to use as an S3 store. This is with the minio server having certs signed by Let's Encrypt (which seem to be working ok, as the config console of minio works fine with https).

It seems that the instance of SP needs to trust certificates signed by Let's Encrypt; however, it doesn't, and won't communicate with the minio server. In order to trust Let's Encrypt I think I need to include LE's certificates in the SP server instance's certs.kdb using the gsk8capicmd_64 command. However, I'm not 100% sure; I may need to do something with the cacerts file and an unknown command.

Has anyone successfully done this? (probably also applies to DB2 and a few other products which use gskit)
Has anyone got a how to? (I've been searching for ages and am asking here as a last resort)

Have you tried using a cert from any other free CA?


You can find other free ACME CAs here: ACME CA Comparison - Posh-ACME

Before you mess too much with your client trust config, double check that your minio instance is serving the leaf and appropriate chain certs and not just the leaf cert by itself.

You should also be able to verify whether the client's trust store has the ISRG Root X1 cert in it or not.
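
The two checks suggested in the post above, as an added example that is not part of the original posts. It assumes OpenSSL on the checking machine and a key database with a stash file; the host, port and paths you pass in are placeholders, and the sample capture is constructed so the last lines run offline.

```shell
# Added example. Host, port and file paths passed to these functions are placeholders.

# Save what the server presents in its TLS handshake (needs network access).
fetch_chain() {   # fetch_chain HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null >"$3" 2>/dev/null
}

# leaf-only means the server is not sending its intermediate certificates.
chain_status() {  # chain_status CAPTURE
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    case "$n" in
        ''|0) echo none ;;
        1)    echo leaf-only ;;
        *)    echo leaf-plus-chain ;;
    esac
}

# Issuer of the last certificate presented: the CA the client's store must trust.
top_issuer() {    # top_issuer CAPTURE
    sed -n 's/^ *i://p' "$1" | tail -n 1
}

# List the labels in a GSKit key database that has a stash file (.sth).
list_kdb() {      # list_kdb /path/to/certs.kdb
    gsk8capicmd_64 -cert -list -db "$1" -stashed
}

# Constructed sample capture (shortened, not real certificates) for an offline run.
write_sample() {  # write_sample OUTFILE
    cat >"$1" <<'EOF'
Certificate chain
 0 s:CN = minio.example.test
   i:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
echo "$(chain_status "$tmp"), must trust: $(top_issuer "$tmp")"
rm -f "$tmp"
```

Compare the name printed by `top_issuer` with the labels from `list_kdb`; if that CA is not listed, the client has no trust anchor for the chain.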


I'm working on a possible bug in the install with some IBM devs and will report back when I've got it working... It seems that there are two different installs for different IBM products within the Storage Protect system - the Operations Centre uses WebSphere Liberty, which has a nice X GUI and an included "install CA" feature, which enables you to install whatever CA you want at the touch of a button (LE included). Storage Protect uses a command line based around gsk8capicmd_64, which doesn't have the same features as Liberty and certainly no GUI...


Sorry for the delay in getting back to everyone here... I managed to allow the DB2 logs on the Protect server to fill up and rather than going back to clear them out with a manual DB backup, I decided to revert to the snapshot prior to defining the Protect instance. This turned out to be a good idea(tm) as re-defining the instance from scratch has fixed this problem. I'm not 100% sure what I did extra, but //I think// it's to do with installing the BAclient on the server, which I hadn't done previously - part of the process of BAclient installation requires importing certificates and creating trusts etc. etc.

That said, many thanks to @rmbolger, who saved me quite some time when I checked out my minio instance, which would have caused an error after I'd fixed the server as it wasn't reporting a DNS name...

Cheers all...

