APAR status
Closed as program error.
Error description
In some environments, IBM Spectrum Protect client code is executed by several simultaneously running processes which are owned by differnt operating system user accounts, including root. This situation is typical of IBM Spectrum Protect for Enterprise Resource Planning: Data Protection for HANA, where the API client code is active in the 'prole' daemon under the root account, as well as in several 'hdbbackint' processes owned by different HANA tenant users. The inter process coordination uses a locking mechanism for the TSM.* password files which includes the creation of the lock file 'tsmpswd.lck'. When a client node password expires on the IBM Spectrum Protect server, the API client might attempt the updating of the encrypted TSM.* password files per 'PASSWORDACCESS GENERATE' even if it had failed to acquire the lock, due to insufficient privilege as a result of the heterogeneous process ownerships. Despite not owning the lock, processing might continue and result in invalidated TSM.* password files, thus causing the current and subsequent sessions to fail. Diagnosing the issue: dsierror.log ------------ ANS1579E GSKit function GSKKM_ImportKeys failed with 101: GSKKM_ERR_KEYDB_NOT_EXIST ANS0361I DIAG: fopen() for lock password file failed with errno = 13 (reason: Permission denied)! ANS0282E (RC168) Password file is not available. API client trace ---------------- fopen() for lock password file failed with errno = 13 (reason: Permission denied)! PasswordFile::lockPasswordFile(): Can't create lock file '/tsm/hana/tsmpswd.lck' ... GSKitPasswordFile::readPassword: GSKKM_OpenKeyDb failed with error 155 GSKitPasswordFile::readPassword: returning 168 ... NegotiateSession(): exit with rc=168 GSKitPasswordFile::deletePassword(public): type:0 nodeName:'node_name' serverName:'server_name' applicationType:'TDP R3 Linux' Affected versions: All 7.1 and 8.1 versions of the API Client Initial Impact: Medium Additional Keywords: tsm tdp API TS001819228
Local fix
There are 2 possible work arounds: 1. If possible specify different values for 'PASSWORDDIR' in dsm.sys for each user. or: 2. Temporarily disable the expiration of the node password on the IBM Spectrum Protect server: Set PASSExp 0 Node=node_name
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Protect API client versions 7.1 and 8.1 on all * * platforms. * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is projected * * to be fixed in levels 7.1.8.6 and 8.1.8. Note that this is * * subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
The appropriate code to handle a timing GSKKM_ERR_DATABASE_BUSY error during the node password expiration processing has been added.
Temporary fix
Comments
APAR Information
APAR number
IT29091
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
71L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-05-10
Closed date
2019-05-20
Last modified date
2019-07-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
API
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"71L"}]
Document Information
Modified date:
13 February 2021