Direct links to fixes
8.1.12.100-IBM-SPCMS-WindowsX64
8.1.12.100-IBM-SPCMS-WindowsI32
8.1.12.100-IBM-SPCMS-Linuxx86_64
8.1.12.100-IBM-SPOC-WindowsX64
8.1.12.100-IBM-SPOC-Linuxx86_64
8.1.12.100-IBM-SPOC-Linuxs390x
8.1.12.100-IBM-SPOC-LinuxPPC64le
8.1.12.100-IBM-SPOC-AIX
8.1.12.100-IBM-SPSRV-WindowsX64
8.1.12.100-IBM-SPSRV-Linuxx86_64
8.1.12.100-IBM-SPSRV-Linuxs390x
8.1.12.100-IBM-SPSRV-Linuxppc64le
8.1.12.100-IBM-SPSRV-AIX
IBM Spectrum Protect Server V8.1.12.X interim fix downloads
IBM Spectrum Protect Server V8.1 Fix Pack 13 (V8.1.13) Downloads
APAR status
Closed as program error.
Error description
Running IBM Spectrum Protect Server version 8.1.10.x 8.1.11.x and 8.1.12.0, the access to cloud object storage using https may fail. The same operation may work well at a lower level, but start to fail after the upgrade server to version 8.1.10, 8.1.11 and 8.1.12.0 . Customer/Support diagnostics: 1: After upgrade a spectrum protect server to version 8.1.11, the operations access cloud storage started to fail. example errors in server activity log: ANR3701E Cannot connect to the cloud service provider for the delete container operation on the CLOUD_POOL connection or storage pool. 2: validate cloud command fails: VALIDATE CLOUD cloudurl=https://xxxx.xxxx.xxx cloudt=S3 identity=xxxxx password=yyyyy bucketn=zzzz ANR3556E The server cannot connect to the cloud service provider with the specified cloud URL of https://xxxx.xxxx.xxx when using the cloud ID xxxxx and its password. 3: install and execute nmap to obtain cloud object storage SSL cipher information: nmap --script ssl-enum-ciphers -p 443 xxxx.xxxx.xxx The command return: ... PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | SSLv3: No supported ciphers found | TLSv1.2: | ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong .... Tt returns "TLS_RSA_WITH_AES_128_CBC_SHA256" from TLSv1.2 Ciphers. this is the cipher was disabled in our v8.1.10, v8.1.11 and v8.1.12.0 code. Note: there are many reason can cause a secure access to cloud object storage to fail, it is important to obtain the nmap result to verify the condition. Platform/Version affected: Spectrum Protect Server v8.1.10, v8.1.11 and v8.1.12.0 on all supported platforms. | MDVPARTL 8.1.10.0-TIV_5698MSV Additional keywords: ANR3701E ANR3556E TS005479267 SSL cipher TLS_RSA_WITH_AES_128_CBC_SHA256
Local fix
1: save a copy of java.security ( under /opt/tivoli/tsm/jre/lib/security) 2: modify line: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, GCM, SHA1 usage TLSServer change it to use: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256 usage TLSServer, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, SHA1 usage TLSServer 3: restart Spectrum Protect Server to commit the change.
Problem summary
**************************************************************** * USERS AFFECTED: * * All IBM Spectrum Protect server users of cloud object * * storage. * **************************************************************** * PROBLEM DESCRIPTION: * * See error description. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is currently * * projected to be fixed in levels 8.1.12.100 and 8.1.13. Note * * that this is subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
This problem was fixed. Affected platforms for reported release: AIX, Linux, and Windows. Platforms fixed: AIX, Linux, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT36766
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
81L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-05-18
Closed date
2021-05-20
Last modified date
2021-05-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM SERVER
Fixed component ID
5698ISMSV
Applicable component levels
R81A PSY
UP
R81L PSY
UP
R81W PSY
UP
Document Information
Modified date:
17 December 2021