APAR status
Closed as program error.
Error description
When the IBM Spectrum Protect Operation Center is installed on Windows the following old ciphers will show up when running a network scanner (For example nmap) although they should be disabled: TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 Typically these ciphers should be disabled as per the oc.security file located in "C:\Program Files\Tivoli\TSM\ui\Liberty\usr\servers\" however on Windows this file is skipped as there is a wrapper utility that is used to launch Liberty and any parameters that need to be passed to Liberty have to be set in the wrapper configuration file: "C:\Program Files\Tivoli\TSM\ui\Liberty\conf\wrapper.conf" IBM Spectrum Protect versions affected: IBM Spectrum Protect Operations Center version 8.1.x on all Supported Windows Platforms Additional Keywords: TSM, TS011815801, spectrum, protect, operations, center, OC, ciphers, windows
Local fix
1- Add the following lines into the wrapper.conf in the Java Additional Parameters stanza: wrapper.java.additional.4=-Djdk.tls.rejectClientInitiatedRenego tiation=true wrapper.java.additional.5=-Djava.security.properties="C:\Program Files\Tivoli\TSM\ui\Liberty\usr\servers\guiServer\oc.security" The file should look like this: # Java Additional Parameters wrapper.java.additional.1=-javaagent:../../../lib/bootstrap-age nt.jar wrapper.java.additional.2=-DKC_HOME=kcci_usr wrapper.java.additional.3=-Dcom.ibm.jsse2.sp800-131=strict wrapper.java.additional.4=-Djdk.tls.rejectClientInitiatedRenego tiation=true wrapper.java.additional.5=-Djava.security.properties="C:\Program Files\Tivoli\TSM\ui\Liberty\usr\servers\guiServer\oc.security" 2- Restart the OC service and re-run the nmap script and the ciphers should be disabled
Problem summary
**************************************************************** * USERS AFFECTED: * * All IBM Spectrum Protect Operations Center server users. * **************************************************************** * PROBLEM DESCRIPTION: * * See error description. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is currently * * projected to be fixed in level 8.1.19. Note that this is * * subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
This problem was fixed. Affected platforms for reported release: Windows. Platforms fixed: Windows.
Temporary fix
Comments
APAR Information
APAR number
IT43153
Reported component name
TSM OPERATIONS
Reported component ID
5608E01UI
Reported release
81X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-02-20
Closed date
2023-03-15
Last modified date
2023-03-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM OPERATIONS
Fixed component ID
5608E01UI
Applicable component levels
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81X","Line of Business":{"code":"LOB26","label":"Storage"}}]
Document Information
Modified date:
15 March 2023