Direct links to fixes
8.1.10.000-IBM-SPOC-WindowsX64
8.1.10.000-IBM-SPOC-Linuxx86_64
8.1.10.000-IBM-SPOC-Linuxs390x
8.1.10.000-IBM-SPOC-LinuxPPC64le
8.1.10.000-IBM-SPOC-AIX
8.1.10.000-IBM-SPCMS-WindowsX64
8.1.10.000-IBM-SPCMS-WindowsI32
8.1.10.000-IBM-SPCMS-Linuxx86_64
8.1.10.000-IBM-SPSRV-WindowsX64
8.1.10.000-IBM-SPSRV-Linuxx86_64
8.1.10.000-IBM-SPSRV-Linuxs390x
8.1.10.000-IBM-SPSRV-Linuxppc64le
8.1.10.000-IBM-SPSRV-AIX
IBM Spectrum Protect Server V8.1 Fix Pack (V8.1.10) Downloads
APAR status
Closed as program error.
Error description
The Spectrum Protect server LDAP connection fails with the following errors when connecting to a Windows active directory if automatic root certificate updates is not turned off. ANR3114E LDAP error 116 (Failed to connect to the SSL server) ANR3116E LDAP SSL/TLS error 406 (I/O error) ANR3103E Failure occurred while initializing LDAP directory services ANR2732E Unable to communicate with the LDAP directory server The Spectrum Protect server LDAP connection fails with the following errors when connecting to an IBM Security Directory Server and the LDAP server authentication is set to serverClientAuth (sslAuth serverClientAuth) instead of serverAuth or the certificate is not trusted. When connecting to LDAP port 389, the following errors are logged in the activity log : ANR3114E LDAP error 116 (Failed to connect to ssl server.) occurred during ldap_start_tls_s_np. ANR3116E LDAP SSL/TLS error 420 (Socket closed) occurred during ldap_start_tls_s_np. ANR3103E Failure occurred while initializing LDAP directory services. ANR2732E Unable to communicate with the external LDAP directory server. When connecting to LDAP port 636, the following errors are logged in the activity log : ANR3114E LDAP error 81 (Can't contact LDAP server) occurred during ldap_sasl_bind. ANR3116E LDAP SSL/TLS error 116 (Unknown SSL error) occurred during ldap_sasl_bind. ANR3103E Failure occurred while initializing LDAP directory services. ANR2732E Unable to communicate with the external LDAP directory server. Customer/L2 Diagnostics : Verify the Windows automatic root certificate updates configuration to determine if it is turned on or off. Review the IBM Security Directory Server configuration file (ibmslapd.conf) to obtain the value of the sslAuth option and determine if it is set to serverClientAuth or serverAuth. Initial Impact: Medium Additional Keywords: ldap ssl TS003048082 Versions Affected: Spectrum Protect server 7.1 and 8.1 on all platforms.
Local fix
- When connecting to a Windows Active directory, turn off automatic root certificate updates to Windows Update if your Windows Active Directory server does not have access to the internet. - When connecting to an IBM Security Directory Server, configurethe IBM Security Directory Server LDAP server authentication to use the serverAuth authentication (sslAuth serverAuth). If serverClientAuth (sslAuth serverClientAuth) must be used, then add the Spectrum Protect server certificate as a trusted certificate on the LDAP server.
Problem summary
**************************************************************** * USERS AFFECTED: * * All IBM Spectrum Protect server users. * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is currently * * projected to be fixed in level 8.1.10. Note that this is * * subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
This problem was fixed. Affected platforms for reported release: AIX, Linux, and Windows. Platforms fixed: AIX, Linux, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT31582
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
81A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-01-20
Closed date
2020-01-24
Last modified date
2020-01-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM SERVER
Fixed component ID
5698ISMSV
Applicable component levels
R81A PSY
UP
R81L PSY
UP
R81W PSY
UP
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81A"}]
Document Information
Modified date:
15 September 2021