IBM Support

The 'tacmd login' command fails after placing custom certificates at the HUB TEMS

Troubleshooting


Problem

After adding the custom certificate files to the $CANDLEHOME/keyfiles directory and restarting the HUB TEMS, all attempts to log in to the TEMS using the 'tacmd login' command fail.

Symptom

Error message seen in the TEMS RAS log during the login attempt:
(5D559986.0000-23:kglldp1.c,1210,"LDP1_ValidateLDAPSearch") LDAP initialization error.
(5D559986.0001-23:kdspac1.c,1605,"VPA1_CreatePath") VPA1_CreatePath failure detected 1021.
(5D559986.0002-23:kdssqrun.c,965,"CreatePath") Create Path Error. status 1021 path CT/DS:{SERVER=SRVR01 USER=KSH}
(5D559986.0003-23:kshdsr.cpp,361,"login") Create Path Error st=1021 for 'testuser' 'xxxxxxxx' 'ip.ssl'
(5D559986.0004-23:kshhttp.cpp,493,"writeSoapErrorResponse") faultstring: CMS logon validation failed.

Cause

The TEMS process is failing to load the custom certificates stored in the $CANDLEHOME/keyfiles directory.

Environment

ITM 6.3 HUB TEMS installed on a server running any version of a Linux Operating System.

Diagnosing The Problem

After restarting the TEMS, confirm which certificates are being loaded at runtime by reviewing the $CANDLEHOME/config/ms.env file:
grep KGL_KEY $CANDLEHOME/config/ms.env
Check the values of these variables:
KGL_KEYRING_LABEL
KGL_KEYRING_STASH
KGL_KEYRING_FILE
If necessary the debug level for the TEMS can be increased to gather more useful messages using this procedure:

Update the file $CANDLEHOME/config/ms.config changing the KBB_RAS1 setting to the following:

KBB_RAS1='ERROR (UNIT:kdslg ALL)(UNIT:kdsvl ALL)(UNIT:kgllg ALL)(UNIT:kglld ALL)'

 

NOTE: The single quotes are critical. If the trace setting is not enclosed in single quotes, any attempt to restart the TEMS will fail.

Save the ms.config file

 

From the Operating System command line set these environment variables:

export LDAP_DEBUG=65535

export LDAP_DEBUG_FILE=/opt/IBM/ITM/logs/LDAP_tacmd_failure.trace

 

NOTE: If $CANDLEHOME is not using the default location (/opt/IBM/ITM), change the path for the LDAP_DEBUG_FILE variable.

From the same command line where the LDAP_DEBUG variables were set, restart the TEMS using the command:
itmcmd server start {TEMS Name}
After the TEMS is back online attempt the 'tacmd login' command.
These errors are written to the $CANDLEHOME/logs/LDAP_tacmd_failure.trace file when the KGL_KEYRING variables are not correctly set:
2019-08-20T16:11:16.753169-4:00 T11824 K32964989 ldap_getenv: LDAP_OPT_SSL_EXTN_SIGALG=NULL
2019-08-20T16:11:16.753216-4:00 T11824 K32964989 setExtnSigalg:pGskAttributeSetBuffer rc =0 setting GSK_SSL_EXTN_SIGALG to default
2019-08-20T16:11:16.754224-4:00 T11824 K32964989 Error - initGSKitEnv(): pGskEnvInit()
2019-08-20T16:11:16.754243-4:00 T11824 K32964989 Error - ldap_ssl_client_init_setup: gsk_environment_init() returns rc=202 GSK_KEYRING_OPEN_ERROR

Resolving The Problem

If the KGL_KEYRING variables are incorrectly set, update the $CANDLEHOME/config/ms.config file and restart the TEMS.
The KGL_KEYRING_FILE and KGL_KEYRING_STASH variables require the fully qualified path to the custom certificates.
Example:
KGL_KEYRING_STASH=/opt/IBM/ITM/keyfiles/ourcustom.sth
KGL_KEYRING_FILE=/opt/IBM/ITM/keyfiles/ourcustom.kdb
The KGL_KEYRING_LABEL value can be gathered using the command:
/opt/IBM/ITM/lx8266/gs/bin/gsk8capicmd_64 -cert -list -db /opt/IBM/ITM/keyfiles/ourcustom.kdb -stashed
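
The checks described above can be scripted so they run before each TEMS restart. The following is an added example, not IBM-supplied code: the function names kgl_value and check_keyring_env are hypothetical, and it assumes ms.env holds one KEY=value assignment per line, optionally wrapped in quotes.

```shell
#!/bin/sh
# Added example: pre-flight check of the KGL_KEYRING_* settings in ms.env.
# Assumption: one KEY=value assignment per line, value optionally quoted.
# Run it as the user that starts the TEMS so the readability test is meaningful.
# Usage: check_keyring_env "$CANDLEHOME/config/ms.env"

# Print the value assigned to variable $2 in env file $1 (last assignment wins),
# with one pair of surrounding quotes removed.
kgl_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e "s/^['\"]//" -e "s/['\"][[:space:]]*\$//"
}

# Print one line per problem found; return 0 only when no problem was found.
check_keyring_env() {
    env_file=$1
    problems=0
    for var in KGL_KEYRING_FILE KGL_KEYRING_STASH; do
        val=$(kgl_value "$env_file" "$var")
        case $val in
            '') echo "$var: not set in $env_file"
                problems=$((problems + 1)) ;;
            /*) # Fully qualified: the file must also exist and be readable.
                [ -r "$val" ] || {
                    echo "$var: $val is missing or not readable by $(id -un)"
                    problems=$((problems + 1))
                } ;;
            *)  # Relative names are what leads to GSK_KEYRING_OPEN_ERROR.
                echo "$var: $val is not a fully qualified path"
                problems=$((problems + 1)) ;;
        esac
    done
    # The label cannot be validated here; compare it by hand against the
    # output of the gsk8capicmd_64 -cert -list command.
    if [ -z "$(kgl_value "$env_file" KGL_KEYRING_LABEL)" ]; then
        echo "KGL_KEYRING_LABEL: not set in $env_file"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

A non-zero return means at least one setting would stop the key database from opening; the printed lines name the variable to correct.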

Document Location

Worldwide


Document Information

Modified date:
23 August 2019

UID

ibm11071774