IBM Support

IT39606: SERVER TO SERVER COMMUNICATION BETWEEN THE STORAGE AGENT AND THE LIBRARY MANAGER MIGHT FAIL WITH ANR0453W AND ANR0454E.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • In a Storage Agent, Library Client, Library Manager environment,
    when the Library Manager Server and the Storage Agent first
    attempt to connect, the Library Manager does not have the
    Storage Agent's certificate and will request the Storage Agent
    for its certificate. The Storage Agent requires the Library
    Manager's password in order to send the certificate, but it does
    not have the password, so it is unable to send the certificate
    to the Library Manager. This results in ANR0453W and ANR0454E
    messages on Storage Agent start up.
    A ?PING SERVER? vice versa between the Storage Agent and the
    Library Manager also fails with the messages documented in the
    following example.
    
    For example:
    
    Storage Agent start up:
    ANR0396I Session 3 started for server LC (AIX) (SSL
    cc.cc.cc.cc:xxxxx) for storage agent.
    ANR0453W Server to server session refused - no password defined.
    
    ANR0454E Session rejected by server LM, reason: 201 -
    Communication Failure.
    ANR0993I Server initialization complete.
    ANR0916I IBM Spectrum Protect distributed by International
    Business Machines is now ready for use.
    
    PING SERVER 'Library Manager'
    ANR0453W Server to server session refused - no password defined.
    
    ANR0454E Session rejected by server 'Library Manager', reason:
    201 - Communication Failure.
    ANR4546W A ping request to server 'Library Manager' was not able
    to establish a connection by using server credentials.
    
    Storage Agent trace with traceflags SESSION SEC SSL:
    [24][smnode.c][29153][SmDoCertQry]:Enter: LM(12), entity
    
    [24][smnode.c][29240][SmDoCertQry]:s2scertFound: True
    [24][smnode.c][29276][SmDoCertQry]:no password for kdb
    [24][smnode.c][29282][TraceMsg]:ANR0453W Server to server
    session refused - no password defined.~
    [24][smnode.c][29331][SmDoCertQry]:secGetProtectedItem error:
    2405 (none 0).
    [25][tlsio.c][461][tlsBegin]:gsk_secure_soc_init (sessId 13): rc
    414 GSK_ERROR_BAD_CERT
    [25][tlsio.c][469][TraceMsg]:ANR8599W The connection with
    ccccc.ccccc.ccc.cccc:xxxxx failed due to an untrusted server
    certificate. An attempt to reconnect and establish certificate
    trust might follow.~
    [25][tlsio.c][536][tlsBegin]:Inbound session handshake failure:
    sslRc 414.
    
    Trace PING SERVER 'Library Manager'
    [5][admutil.c][3401][admIsDBServerName]:server LM is db server:
    False
    [5][smnode.c][29153][SmDoCertQry]:Enter: LM(16), entity
    
    [5][smnode.c][29240][SmDoCertQry]:s2scertFound: True
    [5][smnode.c][29276][SmDoCertQry]:no password for kdb
    [5][smnode.c][29282][TraceMsg]:ANR0453W Server to server session
    refused - no password defined.~
    [5][smservv2.c][1901][ServSendCertQryResp]:Exit rc=47
    [5][smservv2.c][1716][DoNegotiateResponse]:rc 47
    SmSendCertQryResp
    [5][smservv2.c][1576][DoNegotiate]:Exiting rc 9997.
    [5][smservv2.c][923][SmV2AuthServer]:Exit: rc 9997,
    v2ProtocolDone True, v2ProtocolSuccess False.
    [5][smserv.c][6571][SignOnToServer]:rc 9997 doVerify True for LM
    
    [5][smserv.c][6660][SignOnToServer]:rc 9997 for LM
    [5][smserv.c][5475][smServIssueRejectMsg]:Issuing message for
    reason 201 from smserv.c(6668).
    [5][smserv.c][5598][TraceMsg]:ANR0454E Session rejected by
    server LM, reason: 201 - Communication Failure.~
    
    
    Library Manager actlog:
    PING SERVER 'Storage Agent'
    ANR8583E An SSL socket-initialization error occurred on session
    6073518.  The GSKit return code is 414 GSK_ERROR_BAD_CERT.
    
    ANR4546W A ping request to server 'Storage Agent' was not able
    to establish a connection by using server credentials.
    
    
    Library Manager trace with traceflags SESSION SEC SSL:
    [6628709][admcmd.c][10052][TraceMsg]:ANR2017I Administrator
    DKX8GYJ issued command: PING SERVER STA ~
    [6628709][secpwd.c][155][secGetPassword]:Entry for type 5, id 51
    
    [6628709][adms2sc.c][9564][admOpenServerEx]:Enter: STA,
    keyRequested 1
    [6628709][secutil.c][181][secGetProtectedItem]:Entry for type 6,
    id 679, item type 4
    [6628709][secutil.c][258][secGetProtectedItem]:Exit rc=1116
    [6628709][adms2sc.c][9705][admOpenServerEx]:rc 1116 getting
    server cert for STA
    [6628709][smutil.c][22167][SmCheckCertRequired]:rc 1116 looking
    up cert for STA
    ..
    [6628709][tlsio.c][461][tlsBegin]:gsk_secure_soc_init (sessId
    6073518): rc 414 GSK_ERROR_BAD_CERT
    [6628709][tlsio.c][473][TraceMsg]:ANR8583E An SSL
    socket-initialization error occurred on session 6073518.  The
    GSKit return code is 414 GSK_ERROR_BAD_CERT.~
    [6628709][smserv.c][6716][SignOnToServer]:Exit rc 3518.
    [6628709][smserv.c][5689][StartConversation]:rc 3518 from
    SignOnToServer for STA
    
    
    
    IBM Spectrum Protect versions Affected:
    
    IBM Spectrum Protect Version 8.1.11.000 and above on all
    supported platforms
    
    | MDVREGR 8.1.11-TIV_5698MSV |
    
    Additional Keywords:  Communication Failure GSKit
    GSK_ERROR_BAD_CERT password
    

Local fix

  • 1. Rename the devconfig and dsmsta.opt file from Storage Agent
    2. Configure the Library Manager as server on the Storage Agent
    as following:
    dsmsta setstorageserver myname=storage_agent_name
    mypa=sta_password
    
    myhla=ip_address servername=LM_server_name
    serverpa=LM_server_password hla=LM_ip_address lla=LM_port
    
    3. Start the Storage Agent and check if the communication to the
    Library Manager works
    4. Stop the Storage Agent and delete the new created devconfig
    and dsmsta.opt
    5. Rename the devconfig and dsmsta.opt from step 1 back to its
    original name
    6. Start the Storage Agent again and verify that it works
    correctly as expected
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All IBM Spectrum Protect server and storage agent users.     *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See error description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is currently *
    * projected to be fixed in levels 8.1.13.100, 8.1.14.200,      *
    * 8.1.15.1, and 8.1.16. Note that this is subject to change at *
    * the discretion of IBM.                                       *
    ****************************************************************
    

Problem conclusion

  • This problem was fixed.
    Affected platforms for reported release:  AIX, Linux, and
    Windows.
    Platforms fixed:  AIX, Linux, and Windows.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT39606

  • Reported component name

    TSM SERVER

  • Reported component ID

    5698ISMSV

  • Reported release

    81A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-01-11

  • Closed date

    2022-06-03

  • Last modified date

    2022-06-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM SERVER

  • Fixed component ID

    5698ISMSV

Applicable component levels

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81A","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
01 November 2022