APAR status
Closed as Permanent restriction.
Error description
IBM Spectrum Protect Client 8.1.12.0 on zLinux will report the following error when performing initial connection: ANS1592E Failed to initialize SSL protocol. For example: root@testmachine:/#q sess IBM Spectrum Protect Command Line Backup-Archive Client Interface Client Version 8, Release 1, Level 12.0 Client date/time: 04/05/2021 16:20:52 (c) Copyright by IBM Corporation and other(s) 1990, 2021. All Rights Reserved. Node Name: TEST-NEW ANS1592E Failed to initialize SSL protocol. The dsmerror.log shows: ANS1579E GSKit function gsk_secure_soc_init failed with 9: GSK_ERROR_CRYPTO A service trace will report: 04/05/2021 15:09:11.468 [2495302] [2218190656] : gskit.cpp (2776): GSKit::enableIOCallback(): gsk_attribute_set_callback(GSK_IO_CALLBACK) returned rc 0 GSK_OK 04/05/2021 15:09:11.468 [2495302] [2218190656] : gskit.cpp (2813): GSKit::setIOCallbackUserData(): gsk_attribute_set_buffer(GSK_USER_DATA): commObjP 0x3ff80d7e060 : rc 0 GSK_OK 04/05/2021 15:09:11.475 [2495302] [2218190656] : gskit.cpp (3807): setError(): gsk_secure_soc_init returned 9: 'GSK_ERROR_CRYPTO' 04/05/2021 15:09:11.475 [2495302] [2218190656] : GlobalRC.cpp ( 428): msgNum = 1579 changed the Global RC. 04/05/2021 15:09:11.475 [2495302] [2218190656] : GlobalRC.cpp ( 429): Old values: rc = 0, rcMacroMax = 0, rcMax = 0. 04/05/2021 15:09:11.475 [2495302] [2218190656] : GlobalRC.cpp ( 444): New values: rc = 12, rcMacroMax = 12, rcMax = 12. The problem could occur both on Spectrum Client or Spectrum Server at version 8.1.12.0 or later on Z15 platform. Notice that the issue seems to affect any mixed platforms SP client<->SP server communications i.e. where either the SP client side or the SP server side (but not both) runs on a IBM z15 LPARs. IBM Spectrum Protect Versions Affected: IBM Spectrum Client 8.1.12.0 and later on Z platform Additional Keywords: ANS1579E gskit zLinux z15
Local fix
1) Disable IBM z15 hardware acceleration and only use z10 capabilities by exporting the following OPENSSL_s390xcap environmental variable setting: a) on Spectrum Protect client side: - when starting dsmc in the foreground: OPENSSL_s390xcap=z10 /usr/bin/dsmc sched or - in the dsmcad startup script when starting the client schedule via the dsmcad: For example, in rc.dsmcad script on Linux: ... start_() { echo -n "Starting dsmcad:" cd $DSMCAD_DIR export OPENSSL_s390xcap=z10 daemon $DSMCAD_BIN echo } ... Or, in dsmcad.service systemd related config file on Linux: [Unit] Description="IBM Spectrum Client dsmcad service." After=local-fs.target network-online.target [Service] Type=forking GuessMainPID=no Environment="DSM_LOG=/opt/tivoli/tsm/client/ba/bin" Environment="JAVA_HOME=/opt/tivoli/tsm/tdpvmware/common/jre/jre" Environment="LD_LIBRARY_PATH=/opt/tivoli/tsm/client/ba/bin:/opt /tivoli/tsm/tdpvmware/common/jre/jre/bin/classic" Environment="PATH=/opt/tivoli/tsm/tdpvmware/common/jre/jre/bin: /sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/b in:/bin" Environment="LANG=en_US" Environment="LC_ALL=en_US" Environment="OPENSSL_s390xcap=z10" ExecStart=/usr/bin/dsmcad ... b) on Spectrum server side: - when starting dsmserv in the foreground: OPENSSL_s390xcap=z10 /usr/bin/dsmserv or - in the rc.dsmserv script when starting the server as a daemon: exec su - $instanceUser -c "OPENSSL_s390xcap=z10 nohup $serverBinDir/dsmserv $cmdParms" 2) Disable TLS 1.3 protocol usage: a) on Spectrum client side: - specify the following testflag setting in the dsm.opt: testflag DISABLE_TLS13 b) on Spectrum server side: - specify the following option setting: TLS13 disable
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Protect backup-archive client versions 7.1.x * * and 8.1.x running on Linux zSeries platform. * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION. * **************************************************************** * RECOMMENDATION: * ****************************************************************
Problem conclusion
Due to complexity of a potential fix and its impact on the overall SP product's performance, the fix is not going to be delivered in the field.
Temporary fix
Comments
APAR Information
APAR number
IT39839
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
81L
Status
CLOSED PRS
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-02-03
Closed date
2022-04-13
Last modified date
2022-04-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
dsmc dsmagent dsmcad
Fix information
Applicable component levels
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81L"}]
Document Information
Modified date:
14 April 2022