Known issues with IBM Spectrum Protect Operations Center Version 8.1.4

Answer

The following issues have been identified in version 8.1.4 of the Operations Center:

Log-in and general issues

• You cannot configure the Operations Center for first-time use
• Message: "ANR3218E UPDATE ADMIN: Administrator IBM-OC-server_name is a managed object and cannot be updated
• After you upgrade the Operations Center, the browser cannot connect to the Operations Center

Servers

• You cannot manually back up a server database
• The Connect Spoke Server wizard does not accept the SSLTCPPORT or SSLTCPADMINPORT port numbers

Replication

• You cannot configure replication by using the Add Server Pair wizard

Symptom

You are connecting to the Operations Center for the first time. You enter the connection and configuration information for the hub server in the appropriate fields, but the Configure Operations Center wizard does not complete. The wizard fails with the status message "Not ready to show server information".

Cause

If the Operations Center is not installed on the same computer as the IBM Spectrum Protect server, the "Connect to" field must identify the hub server by its IP address or full domain name. The wizard is unable to complete the configuration because only the hostname was provided.

Solution

When you are connecting to the Operations Center for the first time, enter the connection information for the hub server by using the following syntax: host:port_number.

host
If the Operations Center is installed on the same computer as the IBM Spectrum Protect server, enter localhost. If the server is installed on a different computer, enter the IP address or full domain name of that computer.

port_number
If the ADMINONCLIENTPORT server option is enabled for the IBM Spectrum Protect server, enter the port number that is specified by the TCPADMINPORT server option. If the ADMINONCLIENTPORT server option is not enabled, enter the port number that is specified by the TCPPORT server option.

You can view server option settings by using the QUERY OPTION command.



Return to list

Symptom

The error message ANR3218E is displayed. This error might be displayed when you try to connect a spoke server to the hub server, or when you try to update passwords on spoke servers.

Cause

The Operations Center runs independently of enterprise configuration, and is unable to update user IDs that are managed by the configuration manager. An administrator ID that the Operations Center creates and maintains on spoke servers was unintentionally placed under the control of the configuration manager.

When you try to connect a spoke server to the hub, the Operations Center attempts to register the monitoring administrator ID, IBM-OC-server_name, on the new spoke server. This same monitoring administrator ID with the same password is registered on the hub server and on all spoke servers. Periodically, the Operations Center automatically updates the monitoring administrator ID password on the hub and spoke servers. You typically do not need to use or manage this password. If the password update was not successful, and the Operation Center detects that the passwords on one or more spokes are not current, it prompts you to have it attempt the password update again.

If the error message ANR321E is displayed when you try to connect a spoke server or update a spoke server's monitoring administrator ID password, it might be because the monitoring administrator ID was inadvertently placed under the configuration manager's control. You might unintentionally place the monitoring administrator ID under the control of the configuration manager when you issue the DEFINE PROFASSOCIATION command. If you use a wildcard character in the DEFINE PROFASSOCIATION command to identify which administrators are associated with the configuration profile, you might unintentionally match the monitoring administrator ID. For example, you might associate all administrator IDs with the configuration profile by specifying admins=* in the DEFINE PROFASSOCIATION command.

Solution

Do not specify admins=* in the DEFINE PROFASSOCIATION command when you associate administrator IDs with the configuration profile. Instead, list all administrator IDs, excluding the monitoring administrator ID, in the command. For example, admins=admin1,admin2,admin3,admin4. Make sure to update the list when administrator IDs are added to or removed from the hub server.

Tip: You can use an enterprise configuration to maintain the monitoring administrator ID on spoke servers, but only if you designate the configuration manager server as the Operations Center hub server. For more information about grouping hub and spoke servers in an enterprise configuration, see
https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.4/srv.install/c_oc_inst_reqs_tips_for_hub_spoke.html





Return to list

Symptom

You were running a version of the Operations Center that is earlier than Versions 8.1.3 or 7.1.8. You upgraded the Operations Center to the new version, and now the browser cannot connect to the Operations Center. The browser displays an error that the secure connection failed.

Cause

In Operations Center V8.1.3 and later (and V7.1.8 and later), hash signatures must be generated by using SHA256 certificates. The web server's default certificate is an SHA-1 certificate, which was allowed in earlier versions of the Operations Center. However, in the current version signatures must be generated by using a stronger algorithm.

Solution

Replace the older SHA-1 certificate in the web server's keystore with a new default certificate that uses an SHA256 signature. To replace the older SHA-1 certificate, complete the following steps on the computer where the Operations Center is installed:

1. Stop the Operations Center web server.
   
2. Go to the following directory, where installation_dir represents the directory in which the Operations Center is installed:
   
   On AIX and Linux machines:
   installation_dir/ui/Liberty/usr/servers/guiServer
   
   On Windows machines:
   installation_dir\ui\Liberty\usr\servers\guiServer
   
   For example, the default locations are:
   
   On AIX and Linux machines: /opt/tivoli/tsm/ui/Liberty/usr/servers/guiServer
   
   On Windows machines:
   c:\Program Files\Tivoli\TSM\ui\Liberty\usr\servers\guiServer
   
3. Delete the current default certificate by using the ikeycmd command. If the ikeycmd is not in your PATH, specify the path to the command.
   
   On AIX and Linux machines, enter the following command:
   
   installation_dir/ui/jre/bin/ikeycmd -cert -delete -db gui-truststore.jks -label 'default'
   
   On Windows machines, enter the following command:
   
   installation_dir\ui\jre\bin\ikeycmd -cert -delete -db gui-truststore.jks -label 'default'
   
4. Create a default certificate that uses an SHA256 signature.
   
   On AIX and Linux machines, enter the following command:
   
   installation_dir/ui/jre/bin/ikeycmd -cert -create -db gui-truststore.jks -label 'default' -sig_alg SHA256withRSA -size 2048 -DN "CN=localhost, OU=guiServer, O=ibm, C=us"
   
   On Windows machines, enter the following command:
   
   installation_dir\ui\jre\bin\ikeycmd -cert -create -db gui-truststore.jks -label 'default' -sig_alg SHA256withRSA -size 2048 -DN "CN=localhost, OU=guiServer, O=ibm, C=us"
   
5. Start the Operations Center web server.

Return to list

Symptom

You are attempting to manually back up a server database. On the Servers page of the Operations Center, you select the server whose database you want to back up and click Back Up. You follow the instructions in the Back Up Database window, but the Operations Center fails to start the backup operation. The Back Up Database window displays the following error message:

ANR1748E   The PASSWORD parameter is required when PROTECTKEYS is enabled.

Cause

By default, database backups are configured to include a copy of the master encryption key for the server. When a copy of the master encryption key is included in a database backup, a password that is used to protect database backups must also be provided. The required password is not provided by the Operations Center, and must be provided when you configure automatic backups by using the SET DBRECOVERY command.

Solution

Configure the defaults for automatic backups by using the Operations Center or the SET DBRECOVERY command.

To configure the defaults for automatic backups by using the Operations Center, complete the following steps:

1. On the Servers page, select the server row and click Details.
2. Click the Properties tab.
3. On the Properties tab, unlock the Database Backup and Recovery section by clicking the Unlock icon.
4. Specify the password for database backups in the Password and Confirm password fields. Ensure that you remember the password. You must specify the same password to restore the database.

To configure the defaults for automatic backups by using the command line, issue the SET DBRECOVERY command. The PROTECTKEYS parameter of the SET DBRECOVERY command specifies that database backups include a copy of the master encryption key for the server that is used to encrypt storage pool data. This parameter is optional, and defaults to the value Yes. You can either specify PROTECTKEYS=No, or you can specify a password that is used to protect the database backups.

If you specify PROTECTKEYS=No, you must manually back up the master encryption key for the server and make the key available when you implement disaster recovery.

If you accept the default PROTECTKEYS=Yes, you must specify the password for database backups by using the PASSWORD parameter. Ensure that you remember the password. You must specify the same password on the RESTORE DB command to restore the database.

For more information on the SET DBRECOVERY command, see the following topic in the IBM Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.4/srv.reference/r_cmd_dbrecovery_set.html




Return to list

Symptom

You are using the Connect Spoke Server wizard to configure a spoke server to be managed by the Operations Center. On the Identity page of the wizard, you specify the SSLTCPPORT or SSLTCPADMINPORT in the Port field. The wizard is not able to configure the spoke server. The spoke server issues the following message:

ANR8600W An incoming TCP connection from port_number was detected on the SSL port. Connection refused

Cause

The behavior of the TCPPORT and TCPADMINPORT ports was changed in IBM Spectrum Protect V8.1.2. The TCPPORT and TCPADMINPORT ports now listen for and accept both TCP/IP and SSL-enabled sessions. You are no longer required to specify the SSLTCPPORT or SSLTCPADMINPORT option to allow SSL-enabled sessions from the client.

Solution

In the Connect Spoke Server wizard, enter one of the following port numbers:

• If the ADMINONCLIENTPORT server option is enabled for the spoke server, enter the port number that is specified by the TCPADMINPORT server option.
• If the ADMINONCLIENTPORT server option is not enabled, enter the port number that is specified by the TCPPORT server option.

Alternatively to define server-to-server communications by using the DEFINE SERVER command to specify the SSLTCPPORT or SSLTCPADMINPORT ports, complete the following steps:

1. On the hub server, issue the DEFINE SERVER command, according to the following example:
   
   DEFINE SERVER spoke_servername HLA=spoke_address
   LLA=spoke_SSLTCPADMINPort SERVERPA=spoke_serverpassword SSL=YES
   
2. On the Operations Center menu bar, click Servers.
   
   On the Servers page, the spoke server that you defined has a status of "Unmonitored." Depending on the setting for the status refresh interval, you might not see the spoke server immediately.
   
3. Select the spoke server in the table and click Monitor Spoke.

Return to list

Symptom

You are using the Add Server Pair wizard to define a source and target server relationship for replicating client data. You cannot advance past the Passwords page of the wizard, which displays the error "Unable to connect".

Cause


IBM Spectrum Protect V8.1.2 and later enforces stricter security requirements for network communication. All servers, for example, are expected to secure communication by using TLS 1.2 certificates. Although a transition period exists during which existing security settings are used for communication with servers and clients that are running earlier versions, the stricter security settings are required after they are first used.

All actions that are taken by the wizard are performed on behalf of the administrator who is logged in to the Operations Center. Because the administrator account has authenticated by using the stricter security settings, all communication that is initiated by the administrator must also use the stricter security settings. This restriction might cause the Add Server Pair wizard to fail because it cannot establish a session with the source or target replication server.


Solution

Use the Command Builder to configure replication. To use the Command Builder to configure replication between the servers, complete the following steps:

1. Configure server-to-server communication between the source and target servers by using the DEFINE SERVER command. Issue the command on the source server to define the target server, and on the target server to define the source server.
   
2. On the source server, issue the SET REPLSERVER command to set the target server.
   
3. To define a client replication schedule, use the DEFINE SCHEDULE command to create a new administrative schedule on the source server to run the REPLICATE NODE command.
   
4. To improve the performance of client replication, use the DEFINE SCHEDULE command to create a new administrative schedule on the source server to run the PROTECT STGPOOL command. By regularly running the PROTECT STGPOOL command to copy data in a directory-container storage pool to the target server, you can improve replication performance. Replication performance is typically improved because the data extents that are already copied to the target replication server by storage pool protection operations are skipped when node replication is started. Schedule enough time for the PROTECT STGPOOL schedule to complete before the REPLICATE NODE schedule starts.

Return to list