Direct links to fixes
APAR status
Closed as program error.
Error description
Cloud transfer processing may fail to specific cloud providers with message ANR3701E Cannot connect to the cloud service provider for the create container operation on the CLOUD.POOL storage pool.

A server trace using the SDCLOUD SDCLOUDJ SDCLOUDDETAIL trace classes will show the following:

    tsmt1.bk1. test/c61-a577772e38d011e289c5086380548865-L.
    11:05:41.866 [180][jvm.c][1736][JavaSideTrace]:E com.tivoli.dsm.cloud.api.ProviderS3 handleException Exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: Received fatal alert: handshake_failure
    Unable to execute HTTP request: Received fatal alert: handshake_failure
    com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1175)
    com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1121)
    com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
    com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
    com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
    com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
    com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
    com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
    com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
    com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4920)
    com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
    com.amazonaws.services.s3.AmazonS3Client.getAcl(AmazonS3Client.java:3893)
    com.amazonaws.services.s3.AmazonS3Client.getBucketAcl(AmazonS3Client.java:1226)
    com.amazonaws.services.s3.AmazonS3Client.getBucketAcl(AmazonS3Client.java:1216)
    com.amazonaws.services.s3.AmazonS3Client.doesBucketExistV2(AmazonS3Client.java:1352)
    com.tivoli.dsm.cloud.api.S3Client.doesBucketExist(S3Client.java:858)
    com.tivoli.dsm.cloud.api.ProviderS3.createContainer(ProviderS3.java:633)
    com.tivoli.dsm.cloud.api.ProviderS3.createContainer(ProviderS3.java:608)
    com.tivoli.dsm.cloud.api.CloudHandler.createContainer(CloudHandler.java:580)
    11:05:41.869 [3][ffdcutil.c][432][FFDCLogThread]:[05-06-2020 11:05:41.869][ FFDC_GENERAL_SERVER_ERROR ]: (jvm.c:1786) com.tivoli.dsm.cloud.api.ProviderS3 handleException com.amazonaws.SdkClientException Unable to execute HTTP request: Received fatal alert: handshake_failure
    11:05:41.869 [180][jvm.c][1736][JavaSideTrace]:< com.tivoli.dsm.cloud.api.ProviderS3 createContainer rc = NotConnected (1)
    11:05:41.870 [3][ffdcutil.c][443][FFDCLogThread]:newpos=947855 maxSize=1048576
    11:05:41.870 [180][jvm.c][1736][JavaSideTrace]:< com.tivoli.dsm.cloud.api.CloudHandler createContainer rc = NotConnected (1)
    11:05:41.870 [180][sdcloud.c][6101][PrintJavaError]:Entering
    11:05:41.871 [180][sdcloud.c][6137][PutConsoleMsg]:ANR3701E Cannot connect to the cloud service provider for the create container operation on the CLOUD.POOL storage pool.~
    11:05:41.871 [180][sdcloud.c][6307][PrintJavaError]:Exit
    11:05:41.871 [180][sdcloud.c][5647][CloudCreateContainer]:Exit: rc=2903
    11:05:41.872 [180][sdcloud.c][2208][SdCloudCreateContainer]:Exit: rc=2903
    11:05:41.872 [180][sdcloud.c][2736][SdCloudUploadFile]:not attached

The handshake failure is the primary indicator that the issue addressed by this APAR is being seen. Note that there are other possible reasons for the handshake failure to occur that this APAR will not address.

This APAR addresses the problem that the cloud provider (which in the reporting customer's case was the validated provider Wasabi) was only allowing the GCM algorithms, which the server had disabled.

Review the java security file (/opt/tivoli/tsm/jre/lib/security) to determine if the GCM algorithm is disabled. It will be listed in the line in the security file starting with jdk.tls.disabledAlgorithms=

Example:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, GCM

Note the last disabled algorithm in this list is GCM. The handshake failure from the trace AND the GCM algorithm being disabled together indicate that this APAR is the reason for the ANR3701E cloud service connection failure.

Spectrum Protect Versions Affected: IBM Spectrum Protect server at 8.1.2 and above.

Initial Impact: Medium

Additional Keywords: (please include the case number in any case) TSM TS003639792
Local fix
Remove the GCM algorithm from the list of disabled algorithms in the java security file (/opt/tivoli/tsm/jre/lib/security). Edit the java.security file, changing this line to remove the GCM entry:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, GCM

Remove only the GCM part and the associated/preceding comma as needed. Then restart the IBM Spectrum Protect server.
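The check from the error description and the edit from the local fix, as an added example that is not IBM's code: it reads jdk.tls.disabledAlgorithms from java.security text (including backslash-continued lines), tests for the two indicators together, and produces the line with only the standalone GCM entry removed. The function names and the sample inputs are constructed for illustration.

```python
PROP = "jdk.tls.disabledAlgorithms"

# Constructed sample input: a java.security fragment (with a continued line)
# and one trace line shaped like the trace in this APAR.
SAMPLE_SECURITY = """# constructed sample
jdk.certpath.disabledAlgorithms=MD2
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, \\
    EC keySize < 256, SSL_RSA_WITH_AES_128_GCM_SHA256, anon, NULL, GCM
"""
SAMPLE_TRACE = ("[180][jvm.c][1736][JavaSideTrace]:E com.amazonaws.SdkClientException: "
                "Unable to execute HTTP request: Received fatal alert: handshake_failure")

def read_property(text, name=PROP):
    """Return a property value, joining backslash-continued lines; None if absent."""
    logical, buf, cont = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not cont and (not line or line.startswith("#")):
            continue  # blank line or comment at the start of a logical line
        cont = line.endswith("\\")
        buf += line[:-1] if cont else line
        if not cont:
            logical.append(buf)
            buf = ""
    value = None
    for entry in logical:
        key, sep, val = entry.partition("=")
        if sep and key.strip() == name:
            value = val.strip()  # a later definition overrides an earlier one
    return value

def entries(value):
    return [e.strip() for e in value.split(",") if e.strip()]

def gcm_disabled(value):
    """True only for a standalone GCM entry, not suite names that contain GCM."""
    return "GCM" in entries(value)

def without_gcm(value):
    """The same list with only the standalone GCM entry and its comma removed."""
    return ", ".join(e for e in entries(value) if e != "GCM")

def matches_apar(trace_text, security_text):
    """Both indicators from the APAR: handshake_failure in trace AND GCM disabled."""
    value = read_property(security_text)
    return "handshake_failure" in trace_text and value is not None and gcm_disabled(value)

if __name__ == "__main__":
    print("matches APAR symptom:", matches_apar(SAMPLE_TRACE, SAMPLE_SECURITY))
    print(PROP + "=" + without_gcm(read_property(SAMPLE_SECURITY)))
```

The named cipher suites such as SSL_RSA_WITH_AES_128_GCM_SHA256 stay in the disabled list; only the bare GCM entry is dropped, as the local fix specifies.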
Problem summary
USERS AFFECTED: All IBM Spectrum Protect server users with cloud storage pools connected to service providers restricting certain TLS algorithms.

PROBLEM DESCRIPTION: See error description.

RECOMMENDATION: Apply fixing level when available. This problem is currently projected to be fixed in level 8.1.11. Note that this is subject to change at the discretion of IBM.
Problem conclusion
This problem was fixed. Affected platforms for reported release: AIX, Linux, and Windows. Platforms fixed: AIX, Linux, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT33114
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
81L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-06-08
Closed date
2020-07-27
Last modified date
2021-11-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM SERVER
Fixed component ID
5698ISMSV
Applicable component levels
Document Information
Modified date:
14 November 2021