IBM Support

After upgrading to version 8.1.2, the Data Protection Oracle backups are failing

Troubleshooting


Problem

The Oracle RMAN backups fail with RC=136, RC=927, or RC=-1 after both the IBM Spectrum Protect Server and Client API are upgraded to version 8.1.2.

Symptom

  • ANS1579E GSKit function GSKKM_ImportKeys failed with: 101: GSKKM_ERR_KEYDB_NOT_EXIST
  • ANS0361I DIAG: sessOpen: Session state transition error, sessState: sSignedOn
  • ANS1026E The session is rejected: There was a communications protocol error.

Cause

The new security features require the password file permissions to be set for the non-root user that runs the RMAN Data Protection for Oracle backups.

Resolving The Problem

Upgrading the IBM Spectrum Protect Server to version 7.1.8 (or greater) or 8.1.2 (or greater) introduces new security enhancements. Additional reference information is available in the following document:

https://www-01.ibm.com/support/docview.wss?uid=swg22004844#a

If the client is also upgraded, then the following rules apply for the new security enhancements.

  • After you upgrade a client to v7.1.8 or v8.1.2 (or greater), you cannot use the same node name with a lower client version.
  • After the IBM Spectrum Protect Server is upgraded to v8.1.2 or greater, it will always use SSL.
  • If both the server and client are at v8.1.2+, then the TLS 1.2 protocol will be used.

SSL will be required once you have upgraded the server to version 7.1.8 (or greater) or 8.1.2 (or greater) and are using a v7.1.8 or v8.1.2 (or greater) client version. Any clients running 7.1.8, 8.1.2, 8.1.3 or higher will be required to use the TLS 1.2 protocol (cert256.arm certificate). If the client was previously using SSL, then you need to create and import a new cert256.arm file for the client (the existing one from the older server will not be valid).

There is more information on the configuration for the certificate within the following document:
https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.2/client/t_cfg_ssl.html

For the Data Protection for Oracle client, it is necessary to ensure the DBA (non-root) user has the necessary permission and configuration settings:

1) SESSIONSECURITY on the IBM Spectrum Protect server needs to be set to TRANSITIONAL for both the ADMIN ID and NODE name.

2) The stanza in the dsm.sys that is used by the Data Protection client must contain the following settings:
PASSWORDDIR {valid directory that oracle can write to}
PASSWORDACCESS GENERATE

3) Run the 'tdpoconf password' command as the Oracle user

4) The password files (TSM.IDX, TSM.KDB, TSM.sth) and spclicert files (spclicert.crt, spclicert.kdb, spclicert.rdb, spclicert.sth) should be created in the location specified by the PASSWORDDIR

5) Ensure these TSM* and spclicert.* files have write permissions for the oracle user.

6) Check the ORACLE_HOME/IBM/SpectrumProtect/certs/ directory to see if dsmcert.* files exist. Also check whether they exist in the .../tivoli/tsm/client/ba/bin directory.
Ensure these dsmcert.* files have read permissions for the oracle user that will be running the backup/restore.

If this is an Oracle Cluster (RAC) environment, items #2-6 will need to be performed on all machines for this RAC environment.

In some cases, the Oracle RAC instance may be started such that "oracle" is not the user running the application. In these cases, it may be necessary to set the write permissions for the password/certificate files at the group level, ensuring that the DBA group can access/write to the files as necessary.
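
The checks in items #2 and #4-6 can be scripted and repeated on every RAC node. The following POSIX shell script is an added example, not part of the IBM technote or product: run as the user that performs the backups, it reads PASSWORDDIR and PASSWORDACCESS from the named dsm.sys stanza and verifies the files listed above. The function names, the arguments, and the assumption that option names are written in full are illustrative.

```shell
#!/bin/sh
# Added example, not IBM code. Run as the Oracle (non-root) user that runs the backups.
# Assumes stanzas start with a SERVERNAME line and option names are written in full.

# Print the value of option $3 in stanza $2 of the dsm.sys file $1 (case-insensitive).
dsm_opt() {
    awk -v s="$2" -v o="$3" '
        toupper($1) == "SERVERNAME" { in_s = (toupper($2) == toupper(s)); next }
        in_s && toupper($1) == toupper(o) { print $2; exit }' "$1"
}

# Verify items 2, 4, 5 and 6. Prints each finding; returns the number of problems.
# Usage: check_dp_oracle DSM_SYS STANZA CERT_DIR
check_dp_oracle() {
    problems=0
    pwdir=$(dsm_opt "$1" "$2" PASSWORDDIR)
    access=$(dsm_opt "$1" "$2" PASSWORDACCESS | tr '[:lower:]' '[:upper:]')
    if [ "$access" != "GENERATE" ]; then
        echo "PASSWORDACCESS is '$access', expected GENERATE"; problems=$((problems + 1))
    fi
    if [ -z "$pwdir" ] || [ ! -d "$pwdir" ] || [ ! -w "$pwdir" ]; then
        echo "PASSWORDDIR '$pwdir' is unset or not a writable directory"
        return $((problems + 1))
    fi
    for f in TSM.IDX TSM.KDB TSM.sth \
             spclicert.crt spclicert.kdb spclicert.rdb spclicert.sth; do
        if [ ! -f "$pwdir/$f" ]; then
            echo "missing: $pwdir/$f"; problems=$((problems + 1))
        elif [ ! -w "$pwdir/$f" ]; then
            echo "not writable by $(id -un): $pwdir/$f"; problems=$((problems + 1))
        fi
    done
    for f in "$3"/dsmcert.*; do
        [ -e "$f" ] || continue          # glob matched nothing
        if [ ! -r "$f" ]; then
            echo "not readable by $(id -un): $f"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use: sh check.sh /path/to/dsm.sys STANZA /path/to/certs
if [ "$#" -eq 3 ]; then check_dp_oracle "$@"; fi
```

A non-zero exit status is the number of findings; running it under the account that actually starts the RAC instance shows whether group-level permissions are needed.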


ADDITIONAL NOTES:
If Node replication is enabled, then it is necessary to set the nrtablepath for the non-root user as noted in the following document:
https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/client/r_opt_nrtablepath.html
For example, you would add the option into the appropriate stanza within the dsm.sys:
NRTABLEPATH /home/oracle
Then verify that the operating system permissions for the following files are set for the Oracle user or DBA group:
    tsmnrtable.DB
    tsmnrtable.DB.Lock

By default, the client has performance tracing enabled and errors may be seen when attempting to write performance statistics to the log. You can disable the performance tracing by adding the following entry to the dsm.sys file:
ENABLEINSTRUMENTATION No

Product Synonym

TSM

Document Information

Modified date:
17 June 2018

UID

swg22011609