IV72209: MONITORING SERVER INSTALLATION ON SOLARIS X86_64 FAILS

APAR status

• Closed as Permanent restriction.

Error description

• Installing the 06.30.02.00 or later Monitoring Server with no
  other components installed on a Solaris x86_64 system fails
  when attempting to create the self-signed certificate with the
  following messages in candle_installation.log:
  
  09.23.2014 12:12:41 installgs.sh: ----- Running command:
  /opt/IBM/ITM/sol603/gs/bin/private_verifyinstall -x -----
  installpath is /opt/IBM/ITM/sol603/gs
  libdir is /opt/IBM/ITM/sol603/gs/lib
  gskver is gsk8ver
  Verified Details of gskit in /opt/IBM/ITM/sol603/gs/lib
  09.23.2014 12:12:41 installgs.sh: return code from command is 0
  09.23.2014 12:12:41 installgs.sh: ----- End of running command
  -----
  09.23.2014 12:12:41 installgs.sh: Remove GSKit backup for
  sol603/gs
  09.23.2014 12:12:41 installgs.sh: Setting variable
  GskitInstallDir=/opt/IBM/ITM/sol603/gs in
  /opt/IBM/ITM/config/gsKit.config
  09.23.2014 12:12:41 installgs.sh: ...creating GSkit security
  keyfile and certificate
  09.23.2014 12:12:41 installgs.sh: ...GSkit version info
  GSKCAPICMD
  ==========
  @(#)CompanyName:      IBM Corporation
  @(#)LegalTrademarks:  IBM
  @(#)FileDescription:  IBM Global Security Toolkit
  @(#)FileVersion:      8.0.50.5
  @(#)InternalName:     gskcapicmd
  @(#)LegalCopyright:   Licensed Materials - Property of IBM GSKit
                        (C) Copyright IBM Corp.1995, 2013
                        All Rights Reserved. US Government Users
                        Restricted Rights - Use, duplication or
  disclosure
                        restricted by GSA ADP Schedule Contract
  with IBM Corp.
  @(#)OriginalFilename: gsk8capicmd
  @(#)ProductName:      gsk8d (GoldCoast Build) 130321
  @(#)ProductVersion:   8.0.50.5
  @(#)ProductInfo:      13/03/11.01:52:03.13/03/21.08:04:54
  @(#)CMVCInfo:         gsk8d_130320/gsk8d_ikm
  gsk8d_130311/gsk8d_ssl gsk8d_130204/gsk8d_support
  gsk8d_130122/gsk8d_acme gsk8d_130311/gsk8d_cms
  gsk8d_130209/gsk8d_pkg gsk8d_130311/gsk8d_doc
  
  09.23.2014 12:12:41 installgs.sh: return code from command is 0
  09.23.2014 12:12:41 installgs.sh: ...create GSkit security
  keyfile
  09.23.2014 12:12:42 installgs.sh: return code from command is 0
  09.23.2014 12:12:42 installgs.sh: ...create GSkit security
  certificate
  CTGSK2152W FIPS mode is not available.
  -Command usage-
  Object   Action       Description
  ------   ------       -----------
  -locale               Set the display language
  -fips                 Set FIPS mode
  -trace                Set the trace file name
  -keydb   -changepw    Change the password for a key database
           -convert     Convert the format of a key database
           -create      Create a key database
           -delete      Delete a key database
           -expiry      Display password expiry
           -list        Currently supported types of key database.
           -stashpw     Stash the password of a key database into
  a file
  -cert    -add         Add a CA Certificate
           -create      Create a self-signed certificate
           -delete      Delete a certificate
           -details     Show the details of a specific certificate
           -export      Export a personal certificate and
  associated private key
                          into a PKCS12 file or a key database
           -extract     Extract a certificate from a key database
           -getdefault  Show the default personal certificate
           -import      Import a certificate from a key database
  or a PKCS12 file
           -list        List certificates in a key database
           -modify      Modify a certificate (NOTE: the only field
  that may be
                          modified is the trust field)
           -receive     Receive a certificate
           -rename      Rename a certificate
           -setdefault  Set the default personal certificate
           -sign        Sign a certificate
           -validate    Validate a certificate
  -certreq -create      Create a certificate request
           -delete      Delete a certificate request from a
  certificate request
                          database
           -details     Show the details of a specific certificate
  request
           -extract     Extract a certificate from a certificate
  request database
           -list        List all certificate requests in a
  certificate request
                          database
           -recreate    Recreate a certificate request
  -random  -create      Create a random password
  -version              Display program version information
  -help                 Display this help text
  
  This problem is a result of a GSkit limitation.
  FIPS is not supported for Solaris x86_64 32 bit GSkit.
  

Local fix

• When installing the Monitoring Server on Solaris x86_64, install
  the Tivoli Enterprise Services User Interface Extensions
  component first or along with the Monitoring Server.
  
  This will cause the Solaris x86_64 64 bit GSKit binaries to be
  installed and used for the certificate creation.
  FIPS is supported for Solaris x86_64 64 bit GSkit.
  

Problem summary

• When installing the Monitoring Server on Solaris x86_64, install
  the Tivoli Enterprise Services User Interface Extensions
  component first or along with the Monitoring Server.
  
  This will cause the Solaris x86_64 64 bit GSKit binaries to be
  installed and used for the certificate creation.
  FIPS is supported for Solaris x86_64 64 bit GSkit.
  

Problem conclusion

• See Summary.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels