IBM Support

IT35015: HTTPS CATALOGIC SOFTWARE CERTIFICATE CAN BE IMPORTED INTO IBM SPECTRUM PROTECT PLUS KEYSTORE, BUT NOT RUN IN ANY WEB BROWSER


APAR status

  • Closed as Permanent restriction.

Error description

  • The HTTPS Catalogic Software certificate can be imported into
    the IBM Spectrum Protect Plus keystore, but it is not used when
    the HTTPS URL is opened in any web browser. The certificate
    appears in the keystore when it is listed with the command
    below:
    
     /usr/java/latest/bin/keytool -list -keystore
    /opt/virgo/configuration/keystore -storepass ecx-beta
    
    It appears in the keystore listing under the label "yutvzxu":
    
    yutvzxu, Oct 11, 2017, trustedCertEntry,
    Certificate fingerprint (SHA1):
    DB:8F:F2:7B:85:81:BC:37:2F:AB:7B:92:DA:DD:D9:5A:42:18:20:11
    
    When the onboard default certificate "alias" is also in the
    keystore, it is the certificate that is used when
    https://ssltest3.devad.catalogic.us is opened in Chrome,
    Firefox, and other browsers. If the default "alias" certificate
    is deleted from the keystore, then
    https://ssltest3.devad.catalogic.us is no longer able to access
    the SPP appliance and the following web page error is shown:
    
    This site can't provide a secure connection
    ssltest3.devad.catalogic.us uses an unsupported protocol.
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    Unsupported protocol
    The client and server don't support a common SSL protocol
    version or cipher suite.
    

Local fix

  • The Administrative Console supports importing external public
    key certificates, which allows the appliance to make outbound
    connections to resources such as secured LDAP servers. ASCII and
    binary format certificates are accepted with the usual .pem, .cer
    and .crt file extensions.

    The SPP interface certificate import function cannot be used to
    update the appliance's SSL web server communications; however,
    SSL can be updated using the procedure below. This requires that
    you package the private key, public key, and chain certificates
    into a PKCS12 format file (often referred to as a PFX file, with
    a .p12 extension) and import it manually into the IBM Spectrum
    Protect Plus Java keystore.

    The procedure assumes you already have the private key, public
    key, and all supporting security objects provided by your
    security vendor packaged into a PKCS12 format file called
    "NAME.p12". If you do not have this already, you will need to
    work with your security vendor, using a separate server and/or
    OpenSSL, to generate the necessary certificate signing request
    and, on reply, package the resulting private, public, and chain
    certificate objects into the required file referenced below.

    To import the PKCS12 file called NAME.p12, log in as the root
    user on the IBM Spectrum Protect Plus appliance, execute the
    following command at the command line, and then reboot the
    appliance:

    /usr/java/latest/bin/keytool -importkeystore -deststorepass
    ecx-beta -destkeystore /opt/virgo/configuration/keystore
    -srckeystore NAME.p12 -srcstoretype PKCS12
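
The listing in the error description shows the Catalogic certificate as a trustedCertEntry, an entry type that holds a certificate without a private key, whereas importing a PKCS12 file that contains the key produces a PrivateKeyEntry. The shell functions below are an added example, not IBM's code: they classify `keytool -list` output by entry type. The sample listing is constructed, and the type, date and fingerprint shown for the "alias" entry are assumptions.

```shell
#!/bin/sh
# Added example (not from the APAR): classify `keytool -list` entries.

# Reads `keytool -list` output on stdin; prints "alias<TAB>type" per entry.
list_entries() {
    awk '
        /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?[ \t]*$/ {
            line = $0
            sub(/,?[ \t]*$/, "", line)       # drop the trailing comma
            n = split(line, f, /,[ \t]*/)    # the date itself contains a comma
            printf "%s\t%s\n", f[1], f[n]    # first field = alias, last = type
        }'
}

# Prints the aliases that carry a private key and can therefore act as the
# HTTPS server identity. Exit status is 1 when the keystore has none.
server_identities() {
    list_entries | awk -F '\t' '
        $2 == "PrivateKeyEntry" { print $1; found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample listing. The yutvzxu lines follow the APAR; the "alias"
# entry type, date and fingerprint are assumptions made for this example.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

yutvzxu, Oct 11, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): DB:8F:F2:7B:85:81:BC:37:2F:AB:7B:92:DA:DD:D9:5A:42:18:20:11
alias, Oct 11, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>
EOF
}

# On the appliance, the real listing would be piped in instead:
#   /usr/java/latest/bin/keytool -list \
#       -keystore /opt/virgo/configuration/keystore -storepass ecx-beta \
#       | server_identities
sample_listing | server_identities
```

A keystore for which `server_identities` prints nothing contains only trusted certificates, which is the state the error description reaches once the default "alias" entry is deleted.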
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Protect Plus level 10.1.0 and later.            *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • The HTTPS Catalogic Software certificate can be imported into
    the IBM Spectrum Protect Plus keystore, but it is not used when
    the HTTPS URL is opened in any web browser. This is a permanent
    restriction.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT35015

  • Reported component name

    SP PLUS

  • Reported component ID

    5737SPLUS

  • Reported release

    A10

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-11-20

  • Closed date

    2020-11-23

  • Last modified date

    2020-11-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
31 January 2024