APAR status
Closed as program error.
Error description
Automatic failover to the secondary server for the first time, after a Backup-Archive Client and Spectrum Protect Server upgrade to 7.1.8+/8.1.2+ or a fresh install with these versions, may fail although the "QUERY NODE F=D" output on the secondary server for the affected node shows "sessionsecurity transitional". These messages are seen in the dsmerror.log of the Client. ANS2106I Connection to primary IBM Spectrum Protect server aaa.aaa.aa.aa failed. ANS2107I Attempting to connect to secondary server SERVER2 at bbb.bbb.bb.bb: 1500 ANS2110I Connection to secondary server IBM Spectrum Protect SERVER2 failed. The ACTLOG of the secondary server will show: ANR8599W The connection with SERVER1:49537 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow. Backup-Archive Client trace will show: sesscntl.cpp(1068): ANS2106I Connection to primary IBM Spectrum Protect server 192.168.63.50 failed. optservices.cpp(9098): Fail Over TCP Server Name: SERVER2 Address: bbb.bbb.bb.bb Port: 1500 SSL Port: 1500 GUID: N/A Used: no sesscntl.cpp(1145): ANS2107I Attempting to connect to secondary server SERVER2 at bbb.bbb.bb.bb: 1500 commtcp.cpp(1727): TcpOpen: Trying to connect to server at: commtcp.cpp(1728): Domain Name: bbb.bbb.bb.bb commtcp.cpp(1730): Port #: 1500 gskit.cpp(3459): setError(): gsk_get_last_validation_error returned 575051: 'GSKVAL_ERROR_CA_MISSING_CRITICAL_BASIC_CONSTRAINT' gskit.cpp(2730): GSKit::GSKit() gsk_secure_soc_init() returned rc 414 session.cpp(2477): sessClose: Session closed. sesscntl.cpp(6387): OpenSess: sessOpen failed rc=-370 sesscntl.cpp(1170): ANS2110I Connection to secondary server IBM Spectrum Protect SERVER2 failed A secondary server trace with traceflags SESSION, SESSIOND, TCPINFO, SSLINFO will show: [tcpcomm.c][2816][SessionThread]:Detected incoming TLS connection, updating CommMethod to TLS, commtype: 2 [tcpcomm.c][1300][tcpQueryAddress]:Exit: hlAddress SERVER1, llAddress 49537, displayAddress SERVER1[aaa.aaa.aa.aa]:49537. [tlsio.c][237][tlsBegin]:Enter: outBound False, sessId 2442, certRetry False. [tlsio.c][413][tlsBegin]:gsk_secure_soc_init (sessId 2442): rc 414 GSK_ERROR_BAD_CERT [tlsio.c][421][PutConsoleMsg]:ANR8599W The connection with SERVER1:49537 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.~ IBM Spectrum Protect Client Version Affected: Version 7.1.8 and above and 8.1.2 and above on all platforms Initial Impact: Medium Additional Keywords: TSM server client Spectrum Protect TS001629277 failover replication forcefailover
Local fix
You can use any of the following options. 1. Import the certificate into the client key database by using the following command: dsmcert -add -server <secondary servername> -file <path_to_secondary_server_cert256.arm> or 2. Add the "forcefailover yes" option in the client options file. or 3. Establish a connection with the secondary server by specifying the -forcefailover=yes option with a command. For example: dsmc q sess -forcefailover=yes or 4. create a dummy clients option file with the following options: commmethod tcpip tcpport <port of the secondary server> TCPSERVERADDRESS <IP address of the secondary server> passwordaccess generate nodename <node name> Start the connection with "dsmc -optfile=dsmSec.opt"
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Protect client 7.1.8, 8.1.2, 8.1.4, 8.1.6, * * 8.1.7 and 8.1.8 running on all platforms. * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION * **************************************************************** * RECOMMENDATION: * * This issue is projected to be fixed in the IBM Spectrum * * Protect client version 8.1.9 on all platforms. * * Note that this is subject to change at the discretion of * * IBM. * ****************************************************************
Problem conclusion
BA client connect to the secondary server correctly and import certificate automatically when option "sslAcceptCertFromServ yes" is set.
Temporary fix
Comments
APAR Information
APAR number
IT28380
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
81W
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-03-13
Closed date
2019-07-02
Last modified date
2019-07-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
dsmc
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81W"}]
Document Information
Modified date:
13 February 2021