IBM Support

IT23533: UNDETECTED INCOMPATIBLE LOCAL GSKIT VERSION MAY YIELD UNWANTED RESULTS WITH THE 7.1.8 AND 8.1.2 CLIENT SECURITY ENHANCEMENTS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • The new 7.1.8 and 8.1.2 IBM Spectrum Protect client key
    management security feature relies on the minimum GSKit version
    8.0.50.78 which is shipped with the client install packages,
    meant to be installed globally.
    
    Some applications which are backed up by the IBM Spectrum
    Protect client use a local GSKit for their own security
    requirements and force the IBM Spectrum Protect client to use
    that same local GSKit which might not be at the minimum level
    required for IBM Spectrum Protect operations.
    
    This forcing of a local GSKit by a non - IBM Spectrum Protect
    application can happen in 2 ways:
    
    1. By setting the environment.
       Example: IBM Spectrum Scale
       mmbackup starts 'dsmc' in an environment with the variable
       LIBPATH and/or LD_LIBRARY_PATH pointing to their specific
       local GSKit directory.
    
    2. By loading the IBM Spectrum Protect API client code when the
       application's local GSKit is already present in the
       application processe's address space.
       Example: DB2 both with and without
               IBM Spectrum Protect for Enterprise Resource Planning
    
    The client code misses to detect and report the incompatible
    GSKit version. Subsequent failures caused by the undetected
    incompatible GSKit version are typically reported in the context
    of client authentication.
    The messages and return codes do not indicate the downlevel
    GSKit as the reason of the error.
    
    Customer/L2 diagnostics
    -----------------------
    Depending on which incompatible GSKit version is loaded,
    there is no guarantee for specific symptoms.
    Typical are failures during session initialization.
    Following is an example of a client 'service' trace:
    
    gskkmlib.cpp        ( 853): GSKKMlib::gskkmImportKeys
     Import keys failed.
     Reason(GSKKM_ERR_DATABASE_INVALID_FILE_TYPE) - rc(17)
        ...
    dsmmsg.cpp          (1232): tsmHandle=1 rc: -1 msg :
     >ANS1235E (RC-1)   An unknown system error has occurred
                        from which TSM cannot recover.
    
    Product versions affected: IBM Spectrum Protect client versions
                               7.1.8.0 and later 7.1.8 versions
                               8.1.2.0 and later 8.1.2 versions
               Initial impact: Medium
          Additional keywords: gskit key management gsk km
                               certificate cert gpfs hsm
                               application app downlevel
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Protect client version 7.1.8, 8.1.2 and 8.1.4   *
    * running on all  platforms.                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * This issue is projected to be fixed in the IBM Spectrum      *
    * Protect version 8.1.6 on all platforms. Note 1: This is      *
    * subject to change at the discretion of IBM.                  *
    ****************************************************************
    

Problem conclusion

  • Now IBM Spectrum Protect client checks if GSKit version is
    compatible
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT23533

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    81A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-12-19

  • Closed date

    2018-03-05

  • Last modified date

    2018-03-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM CLIENT

  • Fixed component ID

    5698ISMCL

Applicable component levels



Document information

More support for: Tivoli Storage Manager

Software version: 81A

Reference #: IT23533

Modified date: 05 March 2018


Translate this page: