A fix is available
APAR status
Closed as fixed if next.
Error description
When a client-to-server SSL connection uses a certificate with a wildcard in the Common Name (CN), the client fails to connect to the server with the following error:

ANE1694E The certificate identity could not be verified.

The following is logged in the activity log:

ANR8581E An SSL read error occurred on session 8. The GSKit return code is 406.

The client SERVICE trace reports:

07/01/2016 14:49:08.687 [003040] [2080] : ..\..\common\com\gskit.cpp( 855): verifyPartnerIdentity(): this is not a TSM self-issued certficate
07/01/2016 14:49:08.687 [003040] [2080] : ..\..\common\com\gskit.cpp( 860): verifyPartnerIdentity(): subject alternative name is not present and match not found earlier
07/01/2016 14:49:08.687 [003040] [2080] : ..\..\common\com\gskit.cpp( 862): verifyPartnerIdentity(): common name match not found earlier
07/01/2016 14:49:08.687 [003040] [2080] : ..\..\common\com\gskit.cpp( 872): verifyPartnerIdentity(): Verdict: Identity IS NOT verified!
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\ut\GlobalRC.cpp( 428): msgNum = 9020 changed the Global RC.
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\ut\GlobalRC.cpp( 429): Old values: rc = 0, rcMacroMax = 0, rcMax = 0.
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\ut\GlobalRC.cpp( 444): New values: rc = 12, rcMacroMax = 12, rcMax = 12.
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\com\session.cpp(4956): sessClose: Transitioning: sInit state ===> sInit state
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\com\session.cpp(2100): sessClose: Session closed.
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\com\session.cpp(4956): sessClose: Transitioning: sInit state ===> sInit state
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\com\session.cpp(2100): sessClose: Session closed.
07/01/2016 14:49:08.695 [003040] [2080] : ..\..\common\ba\DccRCMap.cpp( 715): Enter DccRCMap::ccMap: rc = -369
07/01/2016 14:49:08.696 [003040] [2080] : ..\..\common\nls\amsglog.cpp( 485): nlLogPrintf: msg number = 1694

The error occurs because the client incorrectly rejects a certificate with a wildcarded Common Name (CN).

Tivoli Storage Manager Versions Affected: Tivoli Storage Manager Client: 6.3.x, 6.4.x and 7.1.x on all supported platforms

Initial Impact: Medium

Additional Keywords: TSM IBM Spectrum Protect SSL wildcard certificate
Local fix
Use a certificate with a wildcarded subjectAltName (SAN) rather than a wildcarded Common Name (CN).
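The check below is an added example, not IBM code: it classifies a server certificate, given in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(), by whether the host name matches only through a wildcard Common Name (the condition this APAR describes) or through a subjectAltName entry (the local fix). The function names, result labels, matching rules and sample certificates are assumptions constructed for illustration.

```python
# Added example: audit certificates for the wildcard-CN condition in this APAR.
# Input is a dict shaped like the result of ssl.SSLSocket.getpeercert().

def dns_match(pattern, host):
    """Compare a certificate DNS name with a host name.
    A '*' is honoured only as the whole leftmost label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or "*" in "".join(p[1:]) or len(p) != len(h):
        return False
    # Conservative choice in this example: refuse patterns such as "*.com".
    return len(p) >= 3 and p[1:] == h[1:]

def names(cert):
    """Return (SAN dNSName values, subject commonName values)."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn
          if k == "commonName"]
    return san, cn

def classify(cert, host):
    san, cn = names(cert)
    if any(dns_match(n, host) for n in san):
        return "ok-san"                # identity carried by SAN (the local fix)
    if any("*" not in n and dns_match(n, host) for n in cn):
        return "cn-exact"              # not the wildcard case this APAR covers
    if any("*" in n and dns_match(n, host) for n in cn):
        return "affected-wildcard-cn"  # matches only via wildcard CN
    return "mismatch"

# Constructed sample certificates (not taken from the APAR).
WILDCARD_CN_ONLY = {"subject": ((("commonName", "*.example.com"),),)}
WILDCARD_SAN = {"subject": ((("commonName", "*.example.com"),),),
                "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", WILDCARD_CN_ONLY), ("with SAN", WILDCARD_SAN)):
        print(label, "->", classify(cert, "tsm1.example.com"))
```

A result of affected-wildcard-cn means the certificate should be reissued with the wildcard name in subjectAltName before it is deployed to servers that affected client levels connect to.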
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* Tivoli Storage Manager backup-archive client version 7.1     *
* running on all platforms.                                    *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See ERROR DESCRIPTION                                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Problem conclusion
Temporary fix
Comments
If there is a next release of Tivoli Storage Manager after 7.1, this APAR will be fixed in that next release.
APAR Information
APAR number
IT16390
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
71A
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-07-30
Closed date
2016-10-21
Last modified date
2016-10-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
dsmc
Fix information
Applicable component levels
R71A PSN
UP
R71H PSN
UP
R71L PSN
UP
R71M PSN
UP
R71S PSN
UP
R71W PSN
UP
Document Information
Modified date:
08 January 2022