Troubleshooting
Problem
Beginning with IBM Spectrum Protect Version 8.1.2 and Tivoli Storage Manager V7.1.8, security enhancements were introduced. For an overview of the security enhancements, review the following information:
- What you should know about security before you install or upgrade the server
This overview applies to V8.1.2 and later and V7.1.8 and later versions.
- FAQ - Security updates in IBM Spectrum Protect
Answers to frequently asked questions about the security enhancements.
Before you install or upgrade your environment to apply these enhancements, review the limitations that are associated with each version. To avoid these restrictions and take advantage of the latest security enhancements, update all IBM Spectrum Protect servers and backup-archive clients in your environment to the latest version. For the latest version of the backup-archive client, see Download Information: IBM Storage Protect clients 8.1.20.
Note: Beginning with version 8.1.19, IBM Spectrum® Protect is now IBM® Storage Protect. To learn more about the rebranding transition, see IBM Spectrum brand change to IBM Storage.
Resolving The Problem
This document describes the known issues and limitations related to the following areas. Use the following links to navigate to the section of the document you need.
Table 1: Limitations affecting certificates

Limitation: If you have an existing cert.kdb database and cert.arm file that were created before V7.1.8 or V8.1.2, then V7.1.8, V8.1.2, and V8.1.3 clients and the Operations Center are unable to connect to a V7.1.8+, V8.1.2, or V8.1.3 server.
Applicable versions and impact of limitation:
- V7.1.8+, V8.1.2, V8.1.3: When you upgrade a server to V7.1.8 or later V7 levels, V8.1.2, or V8.1.3, you must manually change the default certificate on the server and reconfigure existing clients to use the cert256.arm certificate. To update the default certificate, see Updating the default certificate.
- V7.1.9+, V8.1.4+: No updates are required. Beginning in V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled "TSM Server SelfSigned SHA Key". Optionally, to update the default certificate, see Updating the default certificate.

Limitation: Certificates are not automatically configured between storage agents, library clients, and library manager servers.
Applicable versions and impact of limitation:
- V7.1.8, V8.1.2, V8.1.3: Storage agents that use V7.1.8 or later software or V8.1.3 or later software are automatically configured to use SSL. Library clients and library manager servers automatically use SSL to communicate with storage agents that use V7.1.8 or later software or V8.1.2 or later software, but you must manually configure the certificates between them. Beginning with V8.1.3, a storage agent automatically exchanges certificates with its database server. For instructions, see Configuring a storage agent to use SSL. Note: Manual configuration is also required for servers, clients, library clients, and library managers that use software versions earlier than V8.1.2 or V8.1.0.
- V7.1.9+, V8.1.4+: No updates are required. Beginning in V8.1.4, certificates are automatically configured between storage agents, library clients, and library manager servers. Manual configuration is no longer required.

Limitation: After you upgrade the server to V8.1.6, a database backup operation fails with the following error: ANR2968E Database backup terminated. DB2 sqlcode: -2033. DB2 sqlerrmc: -369
Applicable versions and impact of limitation:
- V8.1.6: The BACKUP DB command fails when the following conditions are true: To resolve the issue, complete one of the following procedures:
Table 2: Limitations affecting authentication

Limitation: After a successful authentication to V8.1.2 or later software or V7.1.8 or later software, an administrator ID cannot authenticate with the same server under the following conditions:
This restriction also applies when a single administrator ID is used to authenticate with a destination server by using multiple systems. For example, when you use the following functions:
Applicable versions and impact of limitation:
- V7.1.8+, V8.1.2+: For information about planning for and resolving administrator authentication issues, see Troubleshooting security updates.
Table 3: Limitations affecting SSL and TLS communication

Limitation: After you upgrade a server to V7.1.8 or later or V8.1.2 or later, messages are displayed even though communication is successful.
Applicable versions and impact of limitation:
- V7.1.8, V8.1.2, V8.1.3: Applicable to listed versions. If server-to-server operations are failing and messages ANR8583E and ANR8599W are displayed, follow the procedure in Retrying certificate exchange between servers.
- V7.1.9+, V8.1.4+: This limitation is no longer applicable. During the first server-to-server connection after you upgrade the server, a certificate exchange is initiated. This connection causes messages ANR8583E and ANR8599W to appear in the log just once per server, before a certificate exchange takes place. If the messages are displayed more than once per server and operations are failing, follow the procedure in Retrying certificate exchange between servers.

Limitation: After you upgrade a server to V8.1.2, Transport Layer Security (TLS) 1.2 communication between servers might fail.
Applicable versions and impact of limitation:
- V8.1.2: To resolve the issue, follow the procedure in Retrying certificate exchange between servers.

Limitation: Limitations apply when you specify the SSL-only server ports (SSLTCPPORT and SSLTCPADMINPORT).
Applicable versions and impact of limitation:
- V7.1.8+, V8.1.2+: The following limitations apply to the listed versions:
Updating the default certificate
Update the default server certificate by issuing the following command from the server instance directory, then restart the server to apply the change:
gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
Tip: To display the current default certificate, issue the following command from the server instance directory:
gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed
If you do not change the default certificate, one or more of the following messages are displayed after you upgrade the server to V8.1.2:
- ANR3336W Default certificate labeled Label in key data base is down level.
- ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 504 GSK_ERROR_PROTOCOL_MISMATCH.
- ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 410 GSK_ERROR_BAD_MESSAGE.
- ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 415 GSK_ERROR_BAD_PEER.
- ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 447 GSK_ERROR_CERTIFICATE_INVALIDSIGALG.
- ANS1579E GSKit function gsk_secure_soc_init failed with 410: GSK_ERROR_BAD_MESSAGE
- ANS1592E Failed to initialize SSL protocol.
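As an added example (not part of the IBM document), the following POSIX shell check decides whether the procedure above applies to a server, by scanning activity-log text for the messages listed here and by inspecting the label reported by gsk8capicmd_64 -cert -getdefault. The log lines and the getdefault output are constructed samples; the assumption that the getdefault output contains the certificate label verbatim is noted in the code.

```shell
#!/bin/sh
# Added example, not from the IBM document: decide whether the "Updating the default
# certificate" procedure applies, from (a) activity-log text and (b) the output of
# "gsk8capicmd_64 -cert -getdefault". All sample inputs below are constructed.

# Message IDs and GSKit return codes the page associates with a down-level default certificate.
DOWNLEVEL_CERT_PATTERN='ANR3336W|ANR8583E .*GSKit return code is (504|410|415|447)|ANS1579E .*410|ANS1592E'

# True (exit 0) if the log text on stdin contains any of those messages.
log_indicates_downlevel_cert() {
    grep -Eq "$DOWNLEVEL_CERT_PATTERN"
}

# True (exit 0) if the getdefault output on stdin names the MD5-signed certificate.
# Assumption: the output contains the certificate label verbatim. The MD5 label
# "TSM Server SelfSigned Key" is not a substring of the SHA label
# "TSM Server SelfSigned SHA Key", so a fixed-string match distinguishes them.
default_cert_is_md5() {
    grep -Fq 'TSM Server SelfSigned Key'
}

# $1 = activity-log text, $2 = getdefault output. Prints UPDATE_NEEDED or OK.
# UPDATE_NEEDED means: run the setdefault command from the page
#   gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
# and then restart the server.
check_default_cert() {
    if printf '%s\n' "$1" | log_indicates_downlevel_cert \
       || printf '%s\n' "$2" | default_cert_is_md5; then
        echo UPDATE_NEEDED
    else
        echo OK
    fi
}

# Constructed sample inputs: a server still using the MD5-signed default certificate.
SAMPLE_LOG='ANR0406I Session 1 started for node CLIENT1 (Linux x86-64) (Tcp/Ip 10.0.0.5(52114)).
ANR3336W Default certificate labeled TSM Server SelfSigned Key in key data base is down level.
ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 447 GSK_ERROR_CERTIFICATE_INVALIDSIGALG.'
SAMPLE_GETDEFAULT='Label: TSM Server SelfSigned Key'

check_default_cert "$SAMPLE_LOG" "$SAMPLE_GETDEFAULT"
```

On a real server, feed the function the output of QUERY ACTLOG and of the getdefault command instead of the constructed samples.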
Background information:
In releases prior to V7.1.8, the default certificate was labeled "TSM Server SelfSigned Key" and had an MD5 signature, which does not support the TLS 1.2 protocol that is required by default for V8.1.2 or later clients and the Operations Center.
A certificate labeled "TSM Server SelfSigned SHA Key" with a SHA signature is also automatically generated and, beginning in V8.1.0, it is created as the default certificate. A copy of the certificate is stored in the cert256.arm file, which is in the server instance directory.
Tip: Beginning with V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled "TSM Server SelfSigned SHA Key". No update is required.
If the certificate that is labeled "TSM Server SelfSigned Key" is set as the default, follow the procedure above to update the default certificate.
For existing clients that are configured to use SSL with the cert.arm certificate, reconfigure them to use the cert256.arm certificate. For instructions, see Configuring storage agents, servers, clients, and the Operations Center to connect to the server by using SSL.
For more information about troubleshooting certificate exchange, see Troubleshooting security updates.
Document Information
Modified date: 15 September 2023
UID: swg22004844