IT45018: MISSING REQUIREMENT IN DOCUMENTATION ABOUT VMWARE ESXI CERTIFICATE

APAR status

• Closed as documentation error.

Error description

• The IBM Spectrum Protect Plus documentation does not mention the
  requirements about the VMware ESXi hosts Certificates.
  The IP address needs to be included in the certificate to be
  valid for use with IBM Spectrum Protect Plus.
  
  If that requirement is not met, the following job log message
  can be seen on VM restore :
  "Hypervisor Connection Exception
   Could not connect to server <IP>: Exception caught trying to
   invoke method RetrieveServiceContent;
   nested exception is: javax.net.ssl.SSLHandshakeException:
   PKIX path building failed:
   sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target"
  
  VM backups are unaffected as, for that type of task, the
  IBM Spectrum Protect Plus appliance does not use the
  VMware ESXi host certificate but the vCenter certificate for
  communications with the VMware vSphere environment.
  
  
  IBM Spectrum Protect Plus Versions Affected:
  IBM Spectrum Protect Plus 10.1.x
  
  Additional Keywords: SPP, SPPLUS, TS014620120
  

Local fix

• Install a certificate fulfilling the requirement.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * IBM Spectrum Protect Plus level 10.1.0 till 10.1.16.1        *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * See Error Description                                        *
  ****************************************************************
  * RECOMMENDATION:                                              *
  * Apply the fixing level when available. This problem is       *
  * currently projected to be fixed in IBM Spectrum Protect Plus *
  * level 10.1.16.2. Note that this is subject to change at the  *
  * discretion of IBM.                                           *
  ****************************************************************
  

Problem conclusion

• IBM Documentation did not mention the requirement that when you
  use "ESX host if vCenter is down" option for restore, ESXi
  certificate must include the IP address in Subject Alternative
  Name.
  
  So, the ?Restoring data when vCenter Server or other management
  VMs are not accessible? topic is updated to add the following
  note:
  
  Important: When you use the ESX host if vCenter is down option
  for restore, IBM Spectrum Protect Plus uses IP address of ESXi
  to communicate. Therefore, ESXi certificate must include the IP
  address in Subject Alternative Name (SAN). If IP address is
  missing then the following error will be displayed:
  
  Hypervisor Connection Exception Could not connect to server
  <IP>: Exception caught trying to invoke method
  RetrieveServiceContent; nested exception is:
  javax.net.ssl.SSLHandshakeException: PKIX path building failed:
  sun.security.provider.certpath.SunCertPathBuilderException:
  unable to find valid certification path to requested target
  
  This updated information will be published with the upcoming
  interim fix release 10.1.16 for IBM Spectrum Protect Plus in the
  following topic URL:
  https://www.ibm.com/docs/en/spp/10.1.16?topic=rvd-restoring-data
  -when-vcenter-server-other-management-vms-are-not-accessible
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels