Direct links to fixes
8.1.15.100-IBM-SPSRV-WindowsX64
8.1.15.100-IBM-SPSRV-Linuxx86_64
8.1.15.100-IBM-SPSRV-Linuxs390x
8.1.15.100-IBM-SPSRV-Linuxppc64le
8.1.15.100-IBM-SPSRV-AIX
8.1.16.000-IBM-SPCMS-WindowsX64
8.1.16.000-IBM-SPCMS-WindowsI32
8.1.16.000-IBM-SPCMS-Linuxx86_64
8.1.16.000-IBM-SPOC-WindowsX64
8.1.16.000-IBM-SPOC-Linuxx86_64
8.1.16.000-IBM-SPOC-Linuxs390x
8.1.16.000-IBM-SPOC-LinuxPPC64le
8.1.16.000-IBM-SPOC-AIX
8.1.16.000-IBM-SPSRV-WindowsX64
8.1.16.000-IBM-SPSRV-Linuxx86_64
8.1.16.000-IBM-SPSRV-Linuxs390x
8.1.16.000-IBM-SPSRV-Linuxppc64le
8.1.16.000-IBM-SPSRV-AIX
8.1.14.200-IBM-SPSRV-WindowsX64
8.1.14.200-IBM-SPSRV-Linuxx86_64
8.1.14.200-IBM-SPSRV-Linuxs390x
8.1.14.200-IBM-SPSRV-Linuxppc64le
8.1.14.200-IBM-SPSRV-AIX
APAR status
Closed as program error.
Error description
In a Storage Agent, Library Client, Library Manager environment, when the Library Manager Server and the Storage Agent first attempt to connect, the Library Manager does not have the Storage Agent's certificate and will request the Storage Agent for its certificate. The Storage Agent requires the Library Manager's password in order to send the certificate, but it does not have the password, so it is unable to send the certificate to the Library Manager. This results in ANR0453W and ANR0454E messages on Storage Agent start up. A ?PING SERVER? vice versa between the Storage Agent and the Library Manager also fails with the messages documented in the following example. For example: Storage Agent start up: ANR0396I Session 3 started for server LC (AIX) (SSL cc.cc.cc.cc:xxxxx) for storage agent. ANR0453W Server to server session refused - no password defined. ANR0454E Session rejected by server LM, reason: 201 - Communication Failure. ANR0993I Server initialization complete. ANR0916I IBM Spectrum Protect distributed by International Business Machines is now ready for use. PING SERVER 'Library Manager' ANR0453W Server to server session refused - no password defined. ANR0454E Session rejected by server 'Library Manager', reason: 201 - Communication Failure. ANR4546W A ping request to server 'Library Manager' was not able to establish a connection by using server credentials. Storage Agent trace with traceflags SESSION SEC SSL: [24][smnode.c][29153][SmDoCertQry]:Enter: LM(12), entity [24][smnode.c][29240][SmDoCertQry]:s2scertFound: True [24][smnode.c][29276][SmDoCertQry]:no password for kdb [24][smnode.c][29282][TraceMsg]:ANR0453W Server to server session refused - no password defined.~ [24][smnode.c][29331][SmDoCertQry]:secGetProtectedItem error: 2405 (none 0). [25][tlsio.c][461][tlsBegin]:gsk_secure_soc_init (sessId 13): rc 414 GSK_ERROR_BAD_CERT [25][tlsio.c][469][TraceMsg]:ANR8599W The connection with ccccc.ccccc.ccc.cccc:xxxxx failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.~ [25][tlsio.c][536][tlsBegin]:Inbound session handshake failure: sslRc 414. Trace PING SERVER 'Library Manager' [5][admutil.c][3401][admIsDBServerName]:server LM is db server: False [5][smnode.c][29153][SmDoCertQry]:Enter: LM(16), entity [5][smnode.c][29240][SmDoCertQry]:s2scertFound: True [5][smnode.c][29276][SmDoCertQry]:no password for kdb [5][smnode.c][29282][TraceMsg]:ANR0453W Server to server session refused - no password defined.~ [5][smservv2.c][1901][ServSendCertQryResp]:Exit rc=47 [5][smservv2.c][1716][DoNegotiateResponse]:rc 47 SmSendCertQryResp [5][smservv2.c][1576][DoNegotiate]:Exiting rc 9997. [5][smservv2.c][923][SmV2AuthServer]:Exit: rc 9997, v2ProtocolDone True, v2ProtocolSuccess False. [5][smserv.c][6571][SignOnToServer]:rc 9997 doVerify True for LM [5][smserv.c][6660][SignOnToServer]:rc 9997 for LM [5][smserv.c][5475][smServIssueRejectMsg]:Issuing message for reason 201 from smserv.c(6668). [5][smserv.c][5598][TraceMsg]:ANR0454E Session rejected by server LM, reason: 201 - Communication Failure.~ Library Manager actlog: PING SERVER 'Storage Agent' ANR8583E An SSL socket-initialization error occurred on session 6073518. The GSKit return code is 414 GSK_ERROR_BAD_CERT. ANR4546W A ping request to server 'Storage Agent' was not able to establish a connection by using server credentials. Library Manager trace with traceflags SESSION SEC SSL: [6628709][admcmd.c][10052][TraceMsg]:ANR2017I Administrator DKX8GYJ issued command: PING SERVER STA ~ [6628709][secpwd.c][155][secGetPassword]:Entry for type 5, id 51 [6628709][adms2sc.c][9564][admOpenServerEx]:Enter: STA, keyRequested 1 [6628709][secutil.c][181][secGetProtectedItem]:Entry for type 6, id 679, item type 4 [6628709][secutil.c][258][secGetProtectedItem]:Exit rc=1116 [6628709][adms2sc.c][9705][admOpenServerEx]:rc 1116 getting server cert for STA [6628709][smutil.c][22167][SmCheckCertRequired]:rc 1116 looking up cert for STA .. [6628709][tlsio.c][461][tlsBegin]:gsk_secure_soc_init (sessId 6073518): rc 414 GSK_ERROR_BAD_CERT [6628709][tlsio.c][473][TraceMsg]:ANR8583E An SSL socket-initialization error occurred on session 6073518. The GSKit return code is 414 GSK_ERROR_BAD_CERT.~ [6628709][smserv.c][6716][SignOnToServer]:Exit rc 3518. [6628709][smserv.c][5689][StartConversation]:rc 3518 from SignOnToServer for STA IBM Spectrum Protect versions Affected: IBM Spectrum Protect Version 8.1.11.000 and above on all supported platforms | MDVREGR 8.1.11-TIV_5698MSV | Additional Keywords: Communication Failure GSKit GSK_ERROR_BAD_CERT password
Local fix
1. Rename the devconfig and dsmsta.opt file from Storage Agent 2. Configure the Library Manager as server on the Storage Agent as following: dsmsta setstorageserver myname=storage_agent_name mypa=sta_password myhla=ip_address servername=LM_server_name serverpa=LM_server_password hla=LM_ip_address lla=LM_port 3. Start the Storage Agent and check if the communication to the Library Manager works 4. Stop the Storage Agent and delete the new created devconfig and dsmsta.opt 5. Rename the devconfig and dsmsta.opt from step 1 back to its original name 6. Start the Storage Agent again and verify that it works correctly as expected
Problem summary
**************************************************************** * USERS AFFECTED: * * All IBM Spectrum Protect server and storage agent users. * **************************************************************** * PROBLEM DESCRIPTION: * * See error description. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is currently * * projected to be fixed in levels 8.1.13.100, 8.1.14.200, * * 8.1.15.1, and 8.1.16. Note that this is subject to change at * * the discretion of IBM. * ****************************************************************
Problem conclusion
This problem was fixed. Affected platforms for reported release: AIX, Linux, and Windows. Platforms fixed: AIX, Linux, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT39606
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
81A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-01-11
Closed date
2022-06-03
Last modified date
2022-06-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM SERVER
Fixed component ID
5698ISMSV
Applicable component levels
Document Information
Modified date:
01 November 2022