IBM Support

IT16390: ANS1694E AND ANR8581E FAILURES USING SSL CONNECTION WITH A CERTIFICATE WITH WILDCARDED COMMON NAME (CN).


APAR status

  • Closed as fixed if next.

Error description

  • When a client-to-server SSL connection uses a certificate with a
    wildcard in the Common Name (CN), the client fails to connect
    to the server with the following error:
    
    ANE1694E The certificate identity could not be verified.
    
    
    The following will be logged in the activity log:
    
    ANR8581E An SSL read error occurred on session 8.  The   GSKit
    return code is 406.
    
    
    The client SERVICE trace will report:
    
    
    07/01/2016 14:49:08.687 [003040] [2080] :
    ..\..\common\com\gskit.cpp( 855): verifyPartnerIdentity(): this
    is not a TSM self-issued certficate
    07/01/2016 14:49:08.687 [003040] [2080] :
    ..\..\common\com\gskit.cpp( 860): verifyPartnerIdentity():
    subject alternative name is not present and match not found
    earlier
    07/01/2016 14:49:08.687 [003040] [2080] :
    ..\..\common\com\gskit.cpp( 862): verifyPartnerIdentity():
    common name match not found earlier
    07/01/2016 14:49:08.687 [003040] [2080] :
    ..\..\common\com\gskit.cpp( 872): verifyPartnerIdentity():
    Verdict: Identity IS NOT verified!
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\ut\GlobalRC.cpp( 428): msgNum = 9020 changed the
    Global RC.
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\ut\GlobalRC.cpp( 429): Old values: rc = 0,
    rcMacroMax = 0, rcMax = 0.
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\ut\GlobalRC.cpp( 444): New values: rc = 12,
    rcMacroMax = 12, rcMax = 12.
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\com\session.cpp(4956): sessClose: Transitioning:
    sInit state ===> sInit state
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\com\session.cpp(2100): sessClose: Session closed.
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\com\session.cpp(4956): sessClose: Transitioning:
    sInit state ===> sInit state
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\com\session.cpp(2100): sessClose: Session closed.
    07/01/2016 14:49:08.695 [003040] [2080] :
    ..\..\common\ba\DccRCMap.cpp( 715): Enter DccRCMap::ccMap: rc =
    -369
    07/01/2016 14:49:08.696 [003040] [2080] :
    ..\..\common\nls\amsglog.cpp( 485): nlLogPrintf: msg number =
    1694
    
    
    The error occurs because the client incorrectly rejects a
    certificate with a wildcarded Common Name (CN).
    
    
    
    
    
    Tivoli Storage Manager Versions Affected:
    Tivoli Storage Manager Client: 6.3.x, 6.4.x and 7.1.x on all
    supported platforms
    
    
    Initial Impact: Medium
    
    
    Additional Keywords: TSM IBM Spectrum Protect SSL wildcard
    certificate
    

Local fix

  • Use a certificate with wildcarded subjectAltName (SAN) rather
    than the wildcarded Common Name (CN)
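
An added example (not IBM's code and not part of the APAR): a Python helper that takes a certificate in the dict layout returned by `ssl.SSLSocket.getpeercert()` and reports whether the server host name is covered by a SAN entry or only by a wildcarded CN, the case this APAR describes. The host name, the certificates and the outcome labels are constructed for this example, and the wildcard rule used (one whole left-most label) is an assumption, not the client's documented behaviour.

```python
# Added example: model of a SAN/CN host-name check, not the TSM client's code.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def match_kind(pattern, host):
    """Return 'exact', 'wildcard' or None for one certificate name vs. host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return "exact"
    # Assumed rule: '*' counts only as the entire left-most label, covers
    # exactly one label, and needs two literal labels after it ('*.com' fails).
    if p[0] == "*" and len(p) >= 3 and len(p) == len(h) and h[0] and p[1:] == h[1:]:
        return "wildcard"
    return None

def classify(cert, host):
    """Say which certificate field, if any, covers the server host name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if any(match_kind(s, host) for s in sans):
        return "san-match"        # the form the local fix recommends
    kinds = {match_kind(c, host) for c in cns}
    if "exact" in kinds:
        return "cn-exact"
    if "wildcard" in kinds:
        return "cn-wildcard"      # only a wildcarded CN matches: the APAR's case
    return "no-match"

# Constructed sample data (hypothetical host and certificates).
HOST = "tsm01.backup.example.com"
CN_ONLY = {"subject": ((("commonName", "*.backup.example.com"),),)}
WITH_SAN = {"subject": ((("commonName", "*.backup.example.com"),),),
            "subjectAltName": (("DNS", "*.backup.example.com"),)}

if __name__ == "__main__":
    for name, cert in (("CN_ONLY", CN_ONLY), ("WITH_SAN", WITH_SAN)):
        print(name, classify(cert, HOST))
```

A result of `cn-wildcard` identifies a certificate to reissue with a matching SAN entry before it is used with the affected client levels.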
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Tivoli Storage Manager backup-archive client version 7.1     *
    * running on all platforms.                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

Temporary fix

Comments

  • If there is a next release of Tivoli Storage Manager after 7.1,
    this APAR will be fixed in that next release
    

APAR Information

  • APAR number

    IT16390

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    71A

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-07-30

  • Closed date

    2016-10-21

  • Last modified date

    2016-10-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • dsmc
    

Fix information

Applicable component levels

  • R71A PSN

       UP

  • R71H PSN

       UP

  • R71L PSN

       UP

  • R71M PSN

       UP

  • R71S PSN

       UP

  • R71W PSN

       UP


Document Information

Modified date:
08 January 2022