Known issues with IBM Spectrum Protect Operations Center Version 8.1.2

Answer

The following issues have been identified in version 8.1.2 of the Operations Center:

Log-in and general issues

• You cannot configure the Operations Center for first-time use
• After you install or upgrade the Operations Center, you are unable to view the login page
• After you reinstall the Operations Center, you cannot log in
• Message: "ANR3218E UPDATE ADMIN: Administrator IBM-OC-server_name is a managed object and cannot be updated

Servers

• You cannot manually back up a server database
• The Connect Spoke Server wizard does not accept the SSLTCPPORT or SSLTCPADMINPORT port numbers

Replication

• You cannot configure replication if the target server is running an earlier version of IBM Spectrum Protect

Symptom

You are connecting to the Operations Center for the first time. You enter the connection and configuration information for the hub server in the appropriate fields, but the Configure Operations Center wizard does not complete. The wizard fails with the status message "Not ready to show server information".

Cause

If the Operations Center is not installed on the same computer as the IBM Spectrum Protect server, the "Connect to" field must identify the hub server by its IP address or full domain name. The wizard is unable to complete the configuration because only the hostname was provided.

Solution

When you are connecting to the Operations Center for the first time, enter the connection information for the hub server by using the following syntax: host:port_number.

host
If the Operations Center is installed on the same computer as the IBM Spectrum Protect server, enter localhost. If the server is installed on a different computer, enter the IP address or full domain name of that computer.

port_number
If the ADMINONCLIENTPORT server option is enabled for the IBM Spectrum Protect server, enter the port number that is specified by the TCPADMINPORT server option. If the ADMINONCLIENTPORT server option is not enabled, enter the port number that is specified by the TCPPORT server option.

You can view server option settings by using the QUERY OPTION command.

Return to list

Symptom

You installed or upgraded the Operations Center. In a web browser, you enter the address for the Operations Center, but the browser does not display the login screen. Instead, the following error is displayed:

Error 400: SRVE0295E: Error reported: 400

Cause

The web server of the Operations Center runs as a service and starts automatically. Sometimes, because the service hangs, a duplicate service might be started. Other times, a server might continue running after you stop the Operations Center, and a duplicate service starts when you start the Operations Center. When multiple instances of the service are running, it can cause unpredictable results in the Operations Center. When you reinstall or upgrade the Operations Center, for example, a running service can interfere with the installation process.

Solution

Complete the following steps to diagnose and resolve this problem:

1.
If you reinstalled or upgraded the Operations Center, review the web-server log file, console.log, to determine whether errors were reported during the installation of Operations Center components. Errors might be reported in this file even if the Installation Manager completed successfully.

The console.log log file is located in the following directory:

installation_dir/ui/Liberty/usr/servers/guiServer/logs

Where installation_dir represents the directory in which the product is installed.

If no errors are recorded in the file, you need to restart the web server after you end web server processes. If errors are reported, you need to uninstall and reinstall the Operations Center after you end web server processes.

2.
Depending on your operating system, complete the following steps to end all running instances of the guiServer process.

• On a UNIX or Linux system, complete the following steps:
  
  a) Enter the following ps command to determine whether multiple instances of the guiServer process are running on the computer where the Operations Center is installed:
  
  ps -ef | grep guiServer

b) End all running instances of the guiServer process by using the kill command, or by rebooting your system.

• On a Windows system, end all running instances of the guiServer process by rebooting your system.

3.
If you newly installed the Operations Center, or if you reinstalled or upgraded the Operations Center and the console.log file did not contain installation errors, restart the web server as described in the following Knowledge Center topic:

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/srv.install/t_oc_inst_web_server_startstop.html

If you reinstalled or upgraded the Operations Center, and the console.log file did contain installation errors, uninstall, and reinstall the Operations Center.

Return to list

Symptom

You uninstalled and reinstalled the Operations Center by using the IBM Installation Manager. When you attempt to log in to the Operations Center, the following error message is displayed on the login page:

The administrator ID or password is not valid, or the certificate of the hub server expired or was not found in the truststore file.

Cause

The hub server cannot authenticate the administrator ID because the TLS certificate of the hub server is not in the truststore file of the Operations Center.

When the Operations Center was reinstalled, the truststore file of the Operations Center was overwritten. Because the administrator ID was previously authenticated to the hub server by using TLS 1.2, the SESSIONSECURITY parameter value for the administrator ID was automatically set to STRICT. When the SESSIONSECURITY parameter value is STRICT, the administrator must authenticate to the hub server by using TLS 1.2. However, because the truststore file of the Operations Center was overwritten, it does not contain the TLS 1.2 certificate of the hub server and the hub server cannot authenticate the administrator ID.

Solution

Add the TLS 1.2 certificate of the hub server to the truststore file of the Operations Center. For more information about adding the certificate to the truststore file, see the following topic in the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/srv.install/t_oc_inst_ssl_configure_ochub.html

Return to list

Symptom

The error message ANR3218E is displayed. This error might be displayed when you try to connect a spoke server to the hub server, or when you try to update passwords on spoke servers.

Cause

The Operations Center runs independently of enterprise configuration, and is unable to update user IDs that are managed by the configuration manager. An administrator ID that the Operations Center creates and maintains on spoke servers was unintentionally placed under the control of the configuration manager.

When you try to connect a spoke server to the hub, the Operations Center attempts to register the monitoring administrator ID, IBM-OC-server_name, on the new spoke server. This same monitoring administrator ID with the same password is registered on the hub server and on all spoke servers. Periodically, the Operations Center automatically updates the monitoring administrator ID password on the hub and spoke servers. You typically do not need to use or manage this password. If the password update was not successful, and the Operation Center detects that the passwords on one or more spokes are not current, it prompts you to have it attempt the password update again.

If the error message ANR321E is displayed when you try to connect a spoke server or update a spoke server's monitoring administrator ID password, it might be because the monitoring administrator ID was inadvertently placed under the configuration manager's control. You might unintentionally place the monitoring administrator ID under the control of the configuration manager when you issue the DEFINE PROFASSOCIATION command. If you use a wildcard character in the DEFINE PROFASSOCIATION command to identify which administrators are associated with the configuration profile, you might unintentionally match the monitoring administrator ID. For example, you might associate all administrator IDs with the configuration profile by specifying admins=* in the DEFINE PROFASSOCIATION command.

Solution

Do not specify admins=* in the DEFINE PROFASSOCIATION command when you associate administrator IDs with the configuration profile. Instead, list all administrator IDs, excluding the monitoring administrator ID, in the command. For example, admins=admin1,admin2,admin3,admin4. Make sure to update the list when administrator IDs are added to or removed from the hub server.

Tip: You can use an enterprise configuration to maintain the monitoring administrator ID on spoke servers, but only if you designate the configuration manager server as the Operations Center hub server. For more information about grouping hub and spoke servers in an enterprise configuration, see https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/srv.install/c_oc_inst_reqs_tips_for_hub_spoke.html

Return to list

Symptom

You are attempting to manually back up a server database. On the Servers page of the Operations Center, you select the server whose database you want to back up and click Back Up. You follow the instructions in the Back Up Database window, but the Operations Center fails to start the backup operation. The Back Up Database window displays the following error message:

ANR1748E   The PASSWORD parameter is required when PROTECTKEYS is enabled.

Cause

By default, database backups in IBM Spectrum Protect Version 8.1.2 are configured to include a copy of the master encryption key for the server. When a copy of the master encryption key is included in a database backup, a password that is used to protect database backups must also be provided. The required password is not provided by the Operations Center, and must be provided when you configure automatic backups by using the SET DBRECOVERY command.

Solution

Configure the defaults for automatic backups by using the Operations Center or the SET DBRECOVERY command.

To configure the defaults for automatic backups by using the Operations Center, complete the following steps:

1. On the Servers page, select the server row and click Details.
2. Click the Properties tab.
3. On the Properties tab, unlock the Database Backup and Recovery section by clicking the Unlock icon.
4. Specify the password for database backups in the Password and Confirm password fields. Ensure that you remember the password. You must specify the same password to restore the database.

To configure the defaults for automatic backups by using the command line, issue the SET DBRECOVERY command. The PROTECTKEYS parameter of the SET DBRECOVERY command specifies that database backups include a copy of the master encryption key for the server that is used to encrypt storage pool data. This parameter is optional, and defaults to the value Yes. You can either specify PROTECTKEYS=No, or you can specify a password that is used to protect the database backups.

If you specify PROTECTKEYS=No, you must manually back up the master encryption key for the server and make the key available when you implement disaster recovery.

If you accept the default PROTECTKEYS=Yes, you must specify the password for database backups by using the PASSWORD parameter. Ensure that you remember the password. You must specify the same password on the RESTORE DB command to restore the database.

For more information on the SET DBRECOVERY command, see the following topic in the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/srv.reference/r_cmd_dbrecovery_set.html

Return to list

Symptom

You are using the Connect Spoke Server wizard to configure a spoke server to be managed by the Operations Center. On the Identity page of the wizard, you specify the SSLTCPPORT or SSLTCPADMINPORT in the Port field. The wizard is not able to configure the spoke server. The spoke server issues the following message:

ANR8600W An incoming TCP connection from port_number was detected on the SSL port. Connection refused

Cause

In IBM Spectrum Protect Version 8.1.2, the behavior of the TCPPORT and TCPADMINPORT ports has changed. The TCPPORT and TCPADMINPORT ports now listen for and accept both TCP/IP and SSL-enabled sessions. You are no longer required to specify the SSLTCPPORT or SSLTCPADMINPORT option to allow SSL-enabled sessions from the client.

Solution

In the Connect Spoke Server wizard, enter one of the following port numbers:

• If the ADMINONCLIENTPORT server option is enabled for the spoke server, enter the port number that is specified by the TCPADMINPORT server option.
• If the ADMINONCLIENTPORT server option is not enabled, enter the port number that is specified by the TCPPORT server option.

Alternatively, to define server-to-server communications by using the DEFINE SERVER command to specify the SSLTCPPORT or SSLTCPADMINPORT ports, complete the following steps:

1. On the hub server, issue the DEFINE SERVER command, according to the following example:
   
   DEFINE SERVER spoke_servername HLA=spoke_address
   LLA=spoke_SSLTCPADMINPort SERVERPA=spoke_serverpassword SSL=YES
   
2. On the Operations Center menu bar, click Servers.
   
   On the Servers page, the spoke server that you defined has a status of "Unmonitored." Depending on the setting for the status refresh interval, you might not see the spoke server immediately.
   
3. Select the spoke server in the table and click Monitor Spoke.

Return to list

Symptom

You are using the Add Server Pair wizard to define a source and target server relationship for replicating client data. On the Servers page of the wizard, you selected a source server that is running IBM Spectrum Protect Version 8.1.2, and a target server that is running an earlier version. You cannot advance past the Passwords page of the wizard, which displays the error "Unable to connect".

Cause

IBM Spectrum Protect V8.1.2 enforces stricter security requirements for network communication. All servers, for example, are expected to secure communication by using TLS 1.2 certificates that are installed on V8.1.2 servers. Although a transition period exists during which existing security settings are used for communication with servers and clients that are running earlier versions, the stricter security settings are required after they are first used.

All actions that are taken by the wizard are performed on behalf of the administrator who is logged in to the Operations Center. Because the administrator account has authenticated by using the stricter security settings, all communication that is initiated by the administrator must also use the stricter security settings. The target server must communicate with the source server by using the stricter security settings, but cannot because it is running an earlier version of IBM Spectrum Protect.

Solution

Upgrade the target server to IBM Spectrum Protect V8.1.2, or use the Command Builder to configure replication.

To use the Command Builder to configure replication between the servers, complete the following steps:

1. Configure server-to-server communication between the source and target servers by using the DEFINE SERVER command. Issue the command on the source server to define the target server, and on the target server to define the source server.
   
2. On the source server, issue the SET REPLSERVER command to set the target server.
   
3. To define a client replication schedule, use the DEFINE SCHEDULE command to create a new administrative schedule on the source server to run the REPLICATE NODE command.
   
4. To improve the performance of client replication, use the DEFINE SCHEDULE command to create a new administrative schedule on the source server to run the PROTECT STGPOOL command. By regularly running the PROTECT STGPOOL command to copy data in a directory-container storage pool to the target server, you can improve replication performance. Replication performance is typically improved because the data extents that are already copied to the target replication server by storage pool protection operations are skipped when node replication is started. Schedule enough time for the PROTECT STGPOOL schedule to complete before the REPLICATE NODE schedule starts.

Return to list