IBM Support

Connection fails with GSK_ERROR_BAD_DATE (401)

Troubleshooting


Problem

A Client to Client connection between nodes in a proxy relation fails during IBM Spectrum Protect Client backup, restore, or query operations.

Symptom

The following error is logged in the dsmerror.log:

ANS1579E GSKit function gsk_secure_soc_init failed with 401: GSK_ERROR_BAD_DATE 


A Backup-Archive client or API client 'service c2c' trace does not reveal further hints apart from the error as reported, for example on a Windows system:

<timestamp> [PID] [TID] : ..\..\common\com\gskit.cpp(3199): setError(): gsk_secure_soc_init returned 401: 'GSK_ERROR_BAD_DATE'

Cause

The client node SSL certificate is out of date. See APAR IT26545.

Diagnosing The Problem

1.
On Windows go to the GSKit installation directory:
 - "C:\Program Files\ibm\gsk8\bin" (IBM Spectrum Protect Client 8.1.6 or 7.1.8.4 and higher)
"C:\Program Files\Common Files\Tivoli\TSM\api\gsk8\bin" (IBM Spectrum Protect Client before 8.1.6 or 7.1.8.4)


2.
On all platforms run the command:
 gsk8capicmd_64 -cert -list -db PASSWORDDIR\spclicert.kdb -stashed
On AIX and Linux systems, PASSWORDDIR is the default or configured path for the client encrypted password files (see the link in the related URL section).
On Windows systems, PASSWORDDIR is always the directory "C:\ProgramData\Tivoli\TSM\BAClient\Nodes\NODENAME" where NODENAME is the appropriate node name.


3.
On Windows, if you get the error that a dll file is missing, then verify whether the following paths are listed by the global system environment variable PATH:
 - for the IBM Spectrum Protect client 8.1.6 or 7.1.8.4 and higher:
"c:\program files\ibm\gsk8\bin";"c:\program files\ibm\gsk8\lib64"
 - for the IBM Spectrum Protect client before 8.1.6 or 7.1.8.4:
"c:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin";"c:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64"


4.
The query returns the name of the certificate, most likely like the NODENAME.
Use it to run the following query:

gsk8capicmd_64 -cert -details -label <Certificate Name> -db PASSWORDDIR\spclicert.kdb -stashed


5.
In the query output search for the entries:

Not Before : <timestamp_1>
Not After : <timestamp_2>

If the current date is not within the allowed date range, then go to "Resolving the Problem".

Resolving The Problem

Re-create all SSL certificate related spclicert* files by manually deleting these files and let the client re-create them:

1. Stop all client services

2. Delete all PASSWORDDIR\spclicert* files

3. Re-create the spclicert* files:

dsmc query session -optfile="<path and dsm.opt filename>"

4. Restart the client services and retry the backup

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Client","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Product Synonym

baclient; ba; api

Document Information

Modified date:
01 February 2022

UID

ibm10732283