Fixes are available
APAR status
Closed as program error.
Error description
The scenario can happen as follows: the user is using old MD5 certificates and upgrades both the client and the server to either 7.1.8 or 8.1.2. The 7.1.8 and 8.1.2 servers now require TLS 1.2 or later, but because the client still has the MD5 certificate, it initiates the connection using the TLS 1.1 protocol, so the TLS handshake fails. The client then reports only a very generic error message saying that SSL could not be initialized.
Local fix
Problem summary
USERS AFFECTED:
Backup-archive client version 7.1.8 and 8.1.2 running on all platforms and trying to establish an SSL connection to a newly upgraded Spectrum Protect Server 7.1.8 or 8.1.2.

PROBLEM DESCRIPTION:
The problem is that we don't have a good error message explaining a TLS protocol mismatch between the client and the server. Currently we only display and log the following error message:

ANS1592E Failed to initialize SSL protocol.

If the Backup-archive client is already set up to use SSL communication with the Spectrum Protect Server using MD5 type certificates, and both the Backup-archive client and the server are upgraded to either 7.1.8 or 8.1.2, the connection will fail with the error indicated above. Instead, it should fail with a better message explaining the error. Something like:

ANS2027E GSKit function gsk_secure_soc_init failed with 410: During the SSL/TLS handshake, the client could not agree on a supported SSL/TLS protocol version to use with server. GSK_ERROR_BAD_MESSAGE

This new error message will provide a better indication that the client and server could not establish agreement on an SSL/TLS protocol, thus indicating to the user that they need to update their certificates.

RECOMMENDATION:
Apply fixing level when available. This problem is currently projected to be fixed in 8.1.4. Note that this is subject to change at the discretion of IBM.
Problem conclusion
A better message will be displayed if the client and server cannot agree on an SSL/TLS protocol.
Temporary fix
Comments
APAR Information
APAR number
IT22689
Reported component name
TSM FOR VE DP V
Reported component ID
5725TVEVM
Reported release
71W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-05
Closed date
2017-10-23
Last modified date
2017-10-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
R71W PSY
UP
Document Information
Modified date:
08 January 2022