IBM Support

IT41627: CLIENT FAILS TO CONNECT TO THE SERVER IF THE CA CERTIFICATE INHIBITANYPOLICY EXTENSION IS NOT MARKED AS CRITICAL


APAR status

  • Closed as Permanent restriction.

Error description

  • IBM Spectrum Protect client fails to communicate with the server
    that uses a CA certificate if the inhibitAnyPolicy extension in
    the certificate chain is not marked as critical.
    The client reports the following errors:
    ANS1695E The certificate is not valid.
    ANS8023E Unable to establish session with server.
    ANS8002I Highest return code was -370.
    
    A client service trace shows a validation error with return code
    575069:
    
    04/11/22 08:59:15.496 [21430572] [1] : gskit.cpp (3807): setError(): gsk_get_last_validation_error returned 575069: 'GSKVAL_ERROR_INHIBITANYPOLICY_NOT_CRITICAL'
    04/11/22 08:59:15.496 [21430572] [1] : ../ut/GlobalRC.cpp ( 428): msgNum = 1579 changed the Global RC
    
    IBM Spectrum Protect Versions Affected:
    IBM Spectrum Protect client version 8.1.2 and higher on all
    supported platforms
    

Local fix

  • The Certificate Authority provider needs to mark the
    inhibitAnyPolicy extension as critical.
    
    Otherwise, set the following environment variable before
    starting the client:
    export GSK_ALLOW_NONCRITICALINHIBITANYPOLICY=1
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Protect backup-archive client version 8.1 and   *
    * later running on all platforms.                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * see ERROR DESCRIPTION                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • A requirement of RFC 5280 certificate validation is that the CA
    MUST mark the inhibitAnyPolicy extension as critical.
    Users should follow RFC 5280.
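
To find which certificate in a chain carries a non-critical inhibitAnyPolicy extension (the one the CA has to reissue), the following added example, which is not IBM code, walks the raw DER with the Python standard library only. The function names and the `sample()` fragment are constructed for illustration; it assumes single-byte tags, as X.509 certificates use.

```python
import base64, re, sys

IAP_OID = bytes.fromhex("0603551d36")  # DER encoding of OID 2.5.29.54 (inhibitAnyPolicy)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def iap_critical(der, start=0, end=None):
    """True/False = critical flag of inhibitAnyPolicy, None = extension absent."""
    pos, end = start, len(der) if end is None else end
    while pos < end:
        tag, vs, ve = _tlv(der, pos)
        if tag == 0x30 and der[vs:vs + 5] == IAP_OID:
            # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
            return der[vs + 5:vs + 8] == b"\x01\x01\xff"
        if tag & 0x20:  # constructed type: descend into it
            found = iap_critical(der, vs, ve)
            if found is not None:
                return found
        pos = ve
    return None

def check_chain(pem_text):
    """Return one verdict per certificate in a PEM bundle, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    label = {None: "absent", True: "critical", False: "NOT critical"}
    return [label[iap_critical(base64.b64decode(b))] for b in blocks]

def sample(critical, include=True):
    """Constructed [3] extensions fragment (not a real certificate) for demonstration."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    exts = der(0x30, bytes.fromhex("0603551d13 0101ff 0405 30030101ff"))  # basicConstraints
    if include:
        flag = b"\x01\x01\xff" if critical else b""  # omitted BOOLEAN means FALSE
        exts += der(0x30, IAP_OID + flag + bytes.fromhex("0403020100"))
    return der(0xA3, der(0x30, exts))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a PEM chain file
        print(check_chain(open(sys.argv[1]).read()))
    else:
        print(iap_critical(sample(True)), iap_critical(sample(False)))
```

Run it with the path to the server's PEM chain file; any entry reported as "NOT critical" is a certificate that triggers GSKVAL_ERROR_INHIBITANYPOLICY_NOT_CRITICAL.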
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT41627

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    81A

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-07-27

  • Closed date

    2022-11-15

  • Last modified date

    2022-11-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • dsmc
    

Fix information

Applicable component levels


Document Information

Modified date:
15 November 2022