APAR status
Closed as program error.
Error description
The Summarization and Pruning (KSY component) cannot successfully connect to the TEPS if the agent is configured to use the HTTP protocol over port 15200, or use the HTTPS protocol over port 15201. This problem only occurs if a non-default passphrase has been configured for encryption/decryption purpose. If the IBM-supplied default passphrase is used when installing / configuring ITM components, then the SY agent can connect successfully to the TEPS using HTTP/S. The default certificate passphrase is "IBMTivoliMonitoringEncryptionKey". The passphrase used in the failing environment uses a different value. To recreate the issue, create a ITM environment with TEPS, TEMS and SY agent and use a non-default passphrase other than "IBMTivoliMonitoringEncryptionKey" you will notice the following trace log in KSY_cnp.log (5d02962b.2fbe4a40-(null)Thread-3:SecurityKey,0,"SecurityKey.unp rotectString(String, RequestContext)") unprotectString source= YpesjWXlBbnKao1DPENSag== (5d02962b.2fbe4a40-(null)Thread-3:SecurityKey,0,"SecurityKey.unp rotectString(String, RequestContext)") unprotectString not recognized as DES. Trying AES (5d02962b.2fcd8c80-(null)Thread-3:SecurityKey,0,"SecurityKey.unp rotectString(String, RequestContext)") unprotectString protectStringAES:javax.crypto.Cipher@552302ef (5d02962b.2fcd8c80-(null)Thread-3:SecurityKey,0,"SecurityKey.unp rotectString(String, RequestContext)") unprotectString aes key generated: javax.crypto.spec.SecretKeySpec@1b406 (5d02962b.2fcd8c80-(null)Thread-3:SecurityKey,0,"SecurityKey.unp rotectString(String, RequestContext)") unprotectString AES decryption doFinal exception: javax.crypto.BadPaddingException: Given final block not properly padded
Local fix
1) Use the IIOP protocol to connect the SY agent to the TEPS if (if ITM6.3FP7 SP1 is installed, make sure that APAR IJ16759 is also applied before attempting to use the IIOP protocol). 2) Use the IBM-supplied default passphrase for all ITM components. 3) Re-configure the SY agent for autonomous operation; this mode of operation does not require a connection to the TEPS.
Problem summary
SY AGENT CANNOT CONNECT TO TEPS USING HTTP/15200 or HTTPS/15201 if a non-default ITM encryption key (passphrase) has been configured. An attempt to connect the ITM Summarization and Pruning Agent (SY) to the TEPS using either the HTTP protocol over port 15200, or the HTTPS protocol over port 15201, will fail if the ITM encryption key (also known as the 'passphrase') has been assigned a value other than the installation default.
Problem conclusion
The supporting communications layer used by the SY agent has been corrected to use the customer-configured encryption key (passphrase) if use of the default encryption key value is unsuccessful when the SY agent attempt to connect to the TEPS using the HTTP/15200 or HTTPS/15201 protocols. The fix for this APAR is contained in the following maintenance packages: | service pack | 6.3.0.7-TIV-ITM-SP0002
Temporary fix
Comments
APAR Information
APAR number
IJ16913
Reported component name
TEPS
Reported component ID
5724C04PS
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-06-14
Closed date
2019-10-23
Last modified date
2019-10-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEPS
Fixed component ID
5724C04PS
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"630","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
08 March 2023