Fixes are available
APAR status
Closed as program error.
Error description
Error Description: Triple DES or 3DES ciphers are still allowed for SSL client connections while the client option SSLFIPSMODE is set to YES. This should not be the case. Products affected: IBM Spectrum Protect Backup-Archive Client version 7.1 and 8.1 on all platforms. IBM Spectrum Protect for Virtual Environments: Data Protection for VMware version 7.1 and 8.1 on Microsoft Windows x64 and Linux x86_64 platforms. IBM Spectrum Protect for Virtual Environments: Data Protection for Microsoft Hyper-V version 7.1 and 8.1 on Microsoft Windows x64 platform. If you are using Backup-Archive Client 7.1 and 8.1, refer to APAR IT25661 Note 1: The Backup-Archive Client is a prerequisite to using the Data Protection for VMware version 7.1. In Data Protection for VMware environments, the Backup-Archive Client is also known as the data mover. Note 2: The Backup-Archive Client is a prerequisite to using the Data Protection for Microsoft Hyper-V versions 7.1 till 8.1.2. In Data Protection for Microsoft Hyper-V environments, the Backup-Archive Client is also known as the data mover. If you are using Data Protection for VMware 8.1, refer to APAR IT26341 If you are using Data Protection for Microsoft Hyper-V 8.1.4-8.1.6, refer to APAR IT26342 Initial Impact: High Additional Keywords: TS000962393 SSL FIPS cipher 3DES
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Protect backup-archive client versions 7.1 and * * 8.1 on all platforms. * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION. * * For more information, refer to the security bulletin * * published here: * * http://www.ibm.com/support/docview.wss?uid=ibm10729873 * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is projected * * to be fixed in levels: * * - 7.1.8.4 for Linux x86 and Microsoft Windows x64 platforms, * * 7.1.8.5 for all remaining platforms, * * - 8.1.6 for all platforms * * * * Note 1: The Backup-Archive Client is a prerequisite to using * * the Data Protection for VMware version 7.1. * * In Data Protection for VMware environments, the * * Backup-Archive Client is also known as the data mover. * * * * Note 2: The Backup-Archive Client is a prerequisite to using * * the Data Protection for Microsoft Hyper-V versions 7.1 till * * 8.1.2. * * In Data Protection for Microsoft Hyper-V environments, the * * Backup-Archive Client is also known as the data mover. * * * * Note 3: This is subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
After the fix, the 3DES cipher is not allowed for SSL client connections regardless of the SSLFIPSMODE option setting.
Temporary fix
Comments
APAR Information
APAR number
IT25661
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
71L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-07-12
Closed date
2018-08-15
Last modified date
2018-11-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
dsmc dsmcad
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
R71A PSY
UP
R71H PSY
UP
R71L PSY
UP
R71M PSY
UP
R71S PSY
UP
R71W PSY
UP
R81A PSY
UP
R81L PSY
UP
R81M PSY
UP
R81W PSY
UP
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"71L"}]
Document Information
Modified date:
28 September 2021