IBM Support

After upgrading the Monitoring Server or Warehouse Proxy Agent installation to 6.3.0.7 SP0014, agents in GSKit 7 based installations can no longer connect.

Flashes (Alerts)


Abstract

TLS is a protocol used to establish a secure connection between applications. Since the initial release of TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3 were released improving the security provided by the earlier versions.

Tivoli Monitoring components can be configured to use TLS by enabling IP.SPIPE in the KDC_FAMILIES/KDE_TRANSPORT definition; (see https://www.ibm.com/docs/en/tivoli-monitoring/6.3.0?topic=components-tivoli-monitoring-protocol-usage-protocol-modifiers).

TLS support for Tivoli Monitoring applications is provided by GSKit.

Tivoli Monitoring applications built with a framework before Tivoli Monitoring v6.3.0 rely on GSKit v7.
GSKit v7 does not support TLS v1.2 or TLS v1.3.

Tivoli Monitoring v6.3.0 relies on GSKit v8, which does support TLS v1.2 and TLS v1.3.
Tivoli Enterprise Monitoring 6.3.0.7 FP7 SP14 enables TLS v1.3 by default to take advantage of the increased security offered by that protocol.

The TLS v1.3 specification mandates that connections from endpoints that don’t support TLS v1.2 or higher are rejected.

Therefore, when a Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent is upgraded to 6.3.0.7 SP0014, older agents and other clients that continue to use GSKit v7 will be unable to connect since GSKit v7 does not support TLS v1.2.

This problem affects agents and clients that attempt to connect to a Tivoli Enterprise Monitoring Server or to a Warehouse Proxy Agent that uses TLS. A client that attempts to connect to the Tivoli Enterprise Portal Server that uses TLS is also affected.

Content

Diagnosing the Problem
To determine whether the Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent installation is upgraded to 6.3.0.7 SP0014, run the following commands in the Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent installation:
  • Linux / UNIX: 
    <CANDLEHOME>/bin/cinfo -t gs
Where <CANDLEHOME> is replaced by the full path to the TEMS or WPA installation home.
  • Windows: 
    kincinfo -t gs
To determine whether the agents that fail to connect to the Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent have GSKit v7 in the installation, run the following commands in the agent installation:
  • Linux / UNIX:
  • <CANDLEHOME>/bin/cinfo -t gs
Where <CANDLEHOME> is replaced by the full path to the agent installation home.
    Windows: 
    kincinfo -t gs
If any of the "ui" versions are "06.30.07.20" or higher, and any of the "gs" versions start with "07", then follow the resolution steps in this technote.
Resolving the Problem
You can upgrade the agent installation, for the agents that fail to connect to the Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent, to a current Tivoli Enterprise Monitoring 6.3.0.7 Service pack framework.
If there is an OS agent in the agent installation that fails to connect, then the OS agent must be upgraded before the framework.
Upgrade to a current Tivoli Enterprise Monitoring 6.3.0.7 Service pack framework by following the steps in this technote.
If you cannot upgrade the agent installations, you can disable the use of TLS 1.3 in the Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent.
To override the default behavior of the Tivoli Enterprise Monitoring Server and prevent its use of TLS 1.3:
  • On Linux / UNIX:
    Edit, or create, the <CANDLEHOME>/config/ms.environment file
    Add the line
    KDEBE_TLS13_ON=NO
    Restart the Tivoli Enterprise Monitoring Server
KDEBE_TLS13_ON=NO
  • On Windows:
    Edit %CANDLE_HOME%\CMS\kbbenv
    Add the line
    KDEBE_TLS13_ON=NO
    Restart the Tivoli Enterprise Monitoring Server
To override the default behavior of the Warehouse Proxy Agent and prevent its use of TLS 1.3:
  • On Linux / UNIX:
    Edit, or create, the <CANDLEHOME>/config/hd.environment file
    Add the line
    KDEBE_TLS13_ON=NO
    Restart the Warehouse Proxy Agent
  • On Windows:
    Edit %CANDLE_HOME%\TMAITM6*\khdenv
    Add the line
    KDEBE_TLS13_ON=NO
    Restart the Warehouse Proxy Agent

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"ARM Category":[{"code":"a8m3p000000hBW3AAM","label":"ITM Communications"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
18 July 2023

UID

ibm17005035

Page Feedback