IBM Support

IT35814: DATABASE RESTORE OPERATION WITH RESTOREKEYS=YES/ONLY MAY FAIL TODECRYPT THE MASTER ENCRYPTION KEY AT SPECIFIC SERVER LEVELS.

Direct links to fixes

8.1.12.000-IBM-SPSRV-WindowsX64
8.1.12.000-IBM-SPSRV-Linuxx86_64
8.1.12.000-IBM-SPSRV-Linuxs390x
8.1.12.000-IBM-SPSRV-Linuxppc64le
8.1.12.000-IBM-SPSRV-AIX
7.1.13.100-TIV-TSMOC-Windows
7.1.13.100-TIV-TSMOC-Linuxx64
7.1.13.100-TIV-TSMOC-LinuxS390
7.1.13.100-TIV-TSMOC-LinuxPPC64le
7.1.13.100-TIV-TSMOC-LinuxPPC64
7.1.13.100-TIV-TSMOC-AIX
7.1.13.100-TIV-TSMSRV-WIN
7.1.13.100-TIV-TSMSRV-SolarisSPARC
7.1.13.100-TIV-TSMSRV-Linuxx86_64
7.1.13.100-TIV-TSMSRV-Linuxs390x
7.1.13.100-TIV-TSMSRV-Linuxppc64
7.1.13.100-TIV-TSMSRV-HP-UX
7.1.13.100-TIV-TSMSRV-AIX
IBM Spectrum Protect Server V8.1 Fix Pack 12 (V8.1.12) Downloads

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Decryption of the master encryption key during a database
restore operation may fail if the GSKit version used to create
the database backup is earlier than the version of GSKit that is
being used to restore the database backup. This problem is more
likely to affect disaster recovery scenarios where the database
backup is being restored to an alternate host. Despite
specifying the correct password for the master encryption key,
the restore operation will generate the following error:

   ANR1741E The server master encryption key in the database
   backup cannot be read. The password might be incorrect, or
   the encryption key might be invalid.

Due to code changes made in GSKit, a database backed up using
GSKit <8.0.50.78 in Non-FIPS mode or GSKit <8.0.50.86 in FIPS
mode cannot be restored using a newer version of GSKit. The
7.1.8, 8.1.2 and 8.1.3 versions of server code are bundled with
GSKit version 8.0.5.78 (FIPSMODE enabled) and, as such, attempts
to restore database backups created by these server versions on
hosts with more current versions of GSKit installed will likely
experience this problem.

Instructions for determining the installed version of GSKit can
be found at the following URL:

https://www.ibm.com/support/pages/node/1095874

Spectrum Protect Versions Affected:
o Server version 7.1.8 and above 7.1 levels on all platforms
  when restoring database backups from server version 7.1.8
o Server version 8.1.2 and above 8.1 levels on all platforms
  when restoring database backups from server version 8.1.2
o Server version 8.1.3 and above 8.1 levels on all platforms
  when restoring database backups from server versions 8.1.2
  and 8.1.3

Initial Impact:
Medium

Additional Keywords:
TS004607524

Local fix

  • 1. Ensure that the same version of GSKit installed on the host
where the database backup was performed is also installed on the
host where the database backup is being restored.

2. As a circumvention for the database restore failure, the
master encryption key files (eg. dsmkeydb.kdb, dsmkeydb.sth) can
be copied from the original host, if possible.

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* All IBM Spectrum Protect server users.                       *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See error description.                                       *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fixing level when available. This problem is currently *
* projected to be fixed in levels 7.1.13.100 and 8.1.12. Note  *
* that this is subject to change at the discretion of IBM.     *
****************************************************************

Problem conclusion

  • This problem was fixed.
Affected platforms for reported release:  AIX, HP-UX, Solaris,
Linux, and Windows.
Platforms fixed:   AIX, HP-UX, Solaris, Linux, and Windows.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT35814
    • 

  • Reported component name
    TSM SERVER
    • 

  • Reported component ID
    5698ISMSV
    • 

  • Reported release
    81A
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-02-05
    • 

  • Closed date
    2021-02-12
    • 

  • Last modified date
    2021-02-12
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    TSM SERVER
    • 

  • Fixed component ID
    5698ISMSV
    • 



Applicable component levels


    

  • R71A  PSY
       UP
    • 

  • R71H  PSY
       UP
    • 

  • R71L  PSY
       UP
    • 

  • R71S  PSY
       UP
    • 

  • R71W  PSY
       UP
    • 

  • R81A  PSY
       UP
    • 

  • R81L  PSY
       UP
    • 

  • R81W  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81A","Line of Business":{"code":"LOB26","label":"Storage"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            05 November 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback