IBM Support

IT36766: SPECTRUM PROTECT SERVER SECURE COMMUNICATIONS (HTTPS) TO CLOUD OBJECT STORAGE MAY FAIL

APAR status

  • Closed as program error.

Error description

  • When running IBM Spectrum Protect Server version 8.1.10.x, 8.1.11.x
    or 8.1.12.0, access to cloud object storage using HTTPS may
    fail. The same operation may work well at a lower level, but
    start to fail after the server is upgraded to version 8.1.10,
    8.1.11 or 8.1.12.0.

    Customer/Support diagnostics:
    
    1: After upgrading a Spectrum Protect server to version 8.1.11,
    operations that access cloud storage started to fail.
    Example errors in the server activity log:
    
    ANR3701E Cannot connect to the cloud service provider for the
    delete container operation on the CLOUD_POOL connection or
    storage pool.
    
    
    2: The VALIDATE CLOUD command fails:
    VALIDATE CLOUD cloudurl=https://xxxx.xxxx.xxx  cloudt=S3
    identity=xxxxx  password=yyyyy bucketn=zzzz
    
    ANR3556E The server cannot connect to the cloud service provider
    with the specified cloud URL of https://xxxx.xxxx.xxx when using
    the cloud ID xxxxx  and its password.
    
    3: Install and run nmap to obtain the SSL cipher information of
    the cloud object storage endpoint:
    
    
    nmap --script ssl-enum-ciphers -p 443 xxxx.xxxx.xxx
    
    The command returns:
    ...
    PORT STATE SERVICE
    443/tcp open https
    | ssl-enum-ciphers:
    | SSLv3: No supported ciphers found
    | TLSv1.2:
    | ciphers:
    | TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    
    ....
    
    It returns "TLS_RSA_WITH_AES_128_CBC_SHA256" under the TLSv1.2
    ciphers. This is the cipher that was disabled in our v8.1.10,
    v8.1.11 and v8.1.12.0 code.
    
    Note: there are many reasons that can cause secure access to
    cloud object storage to fail, so it is important to obtain the
    nmap result to verify the condition.
    Platform/Version affected:
    Spectrum Protect Server v8.1.10, v8.1.11 and v8.1.12.0 on all
    supported platforms.
    | MDVPARTL 8.1.10.0-TIV_5698MSV
    
    
    Additional keywords:
     ANR3701E ANR3556E  TS005479267 SSL cipher
    TLS_RSA_WITH_AES_128_CBC_SHA256
    

Local fix

  • 1: Save a copy of java.security (under
    /opt/tivoli/tsm/jre/lib/security).

    2: Modify the line:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize <
    2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4,
    MD5, SSL_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_AES_256_CBC_SHA256,
    SSL_RSA_WITH_AES_128_GCM_SHA256,
    SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, GCM, SHA1 usage
    TLSServer
    
    Change it to:
    
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize <
    2048, EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4,
    MD5, SSL_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_AES_128_CBC_SHA256 usage TLSServer,
    SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256,
    SSL_RSA_WITH_AES_128_GCM_SHA256,
    SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, SHA1 usage
    TLSServer

    The edited line differs in two places:
    SSL_RSA_WITH_AES_128_CBC_SHA256 gains the "usage TLSServer"
    qualifier, and the GCM entry is removed.
    
    3: Restart the Spectrum Protect server to commit the change.
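
Added example (not IBM's code): a Python check that compares the suites nmap reports for the endpoint with the suites named in jdk.tls.disabledAlgorithms, to confirm this APAR's condition before editing java.security. It covers only entries that are full cipher suite names, and it assumes, as the local fix implies, that an entry followed by "usage TLSServer" is not applied to the server's outbound connections; the sample inputs are constructed from the lines shown above, with backslash continuations added.

```python
import re

# Constructed samples mirroring the page: the shipped java.security line and the nmap report.
JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize < 2048, \\
    EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4, MD5, \\
    SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, \\
    SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA256, \\
    SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, \\
    anon, NULL, GCM, SHA1 usage TLSServer
"""
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
"""

def suite_key(name):
    """The JRE names suites SSL_*, nmap uses the TLS_* form; compare without the prefix."""
    return re.sub(r"^(SSL|TLS)_", "", name.strip())

def client_disabled_suites(java_security_text):
    """Suites named in jdk.tls.disabledAlgorithms that also apply to outbound connections."""
    joined = re.sub(r"\\\r?\n\s*", "", java_security_text)  # fold continuation lines
    m = re.search(r"^\s*jdk\.tls\.disabledAlgorithms\s*=(.*)$", joined, re.M)
    disabled = set()
    for entry in (m.group(1).split(",") if m else []):
        name, _, constraint = entry.strip().partition(" ")
        if not re.match(r"(SSL|TLS)_", name):
            continue  # protocol, key-size and component entries are out of scope here
        if constraint.strip() == "usage TLSServer":
            continue  # assumption: scoped to the server role, so not applied as a client
        disabled.add(suite_key(name))
    return disabled

def offered_suites(nmap_text):
    """Cipher suite names listed by nmap's ssl-enum-ciphers script."""
    return re.findall(r"^\|\s*((?:TLS|SSL)_\w+)\s+(?:\(|-)", nmap_text, re.M)

def blocked_offers(java_security_text, nmap_text):
    """Offered suites the JRE would refuse as a client; all of them blocked means no handshake."""
    disabled = client_disabled_suites(java_security_text)
    return [s for s in offered_suites(nmap_text) if suite_key(s) in disabled]

if __name__ == "__main__":
    offered, blocked = offered_suites(NMAP_OUTPUT), blocked_offers(JAVA_SECURITY, NMAP_OUTPUT)
    print("offered:", offered, "blocked:", blocked, "no usable suite:", offered == blocked)
```

With the shipped line, the endpoint's only suite is blocked; with the edited line from step 2, blocked_offers returns an empty list.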
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All IBM Spectrum Protect server users of cloud object        *
    * storage.                                                     *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See error description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is currently *
    * projected to be fixed in levels 8.1.12.100 and 8.1.13. Note  *
    * that this is subject to change at the discretion of IBM.     *
    ****************************************************************
    

Problem conclusion

  • This problem was fixed.
    Affected platforms for reported release:  AIX, Linux, and
    Windows.
    Platforms fixed:  AIX, Linux, and Windows.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT36766

  • Reported component name

    TSM SERVER

  • Reported component ID

    5698ISMSV

  • Reported release

    81L

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-05-18

  • Closed date

    2021-05-20

  • Last modified date

    2021-05-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM SERVER

  • Fixed component ID

    5698ISMSV

Applicable component levels

  • R81A PSY

       UP

  • R81L PSY

       UP

  • R81W PSY

       UP


Document Information

Modified date:
17 December 2021