Troubleshooting
Problem
After adding the custom certificate files to the $CANDLEHOME/keyfiles directory and restarting the HUB TEMS, all attempts to log in to the TEMS using the 'tacmd login' command fail.
Symptom
Error message seen in the TEMS RAS log during the login attempt:
(5D559986.0000-23:kglldp1.c,1210,"LDP1_ValidateLDAPSearch") LDAP initialization error.
(5D559986.0001-23:kdspac1.c,1605,"VPA1_CreatePath") VPA1_CreatePath failure detected 1021.
(5D559986.0002-23:kdssqrun.c,965,"CreatePath") Create Path Error. status 1021 path CT/DS:{SERVER=SRVR01 USER=KSH}
(5D559986.0003-23:kshdsr.cpp,361,"login") Create Path Error st=1021 for 'testuser' 'xxxxxxxx' 'ip.ssl'
(5D559986.0004-23:kshhttp.cpp,493,"writeSoapErrorResponse") faultstring: CMS logon validation failed.
Cause
The TEMS process is failing to load the custom certificates stored in the $CANDLEHOME/keyfiles directory.
Environment
ITM 6.3 HUB TEMS installed on a server running any version of a Linux Operating System.
Diagnosing The Problem
After restarting the TEMS, confirm which certificates are being loaded at runtime by reviewing the $CANDLEHOME/config/ms.env file.
grep KGL_KEY $CANDLEHOME/config/ms.env
Check the values of these variables:
KGL_KEYRING_LABEL
KGL_KEYRING_STASH
KGL_KEYRING_FILE
If necessary, the debug level for the TEMS can be increased to gather more useful messages using this procedure:
Update the file $CANDLEHOME/config/ms.config changing the KBB_RAS1 setting to the following:
KBB_RAS1='ERROR (UNIT:kdslg ALL)(UNIT:kdsvl ALL)(UNIT:kgllg ALL)(UNIT:kglld ALL)'
NOTE: The single quotes are critical. If the trace setting is not enclosed in single quotes, any attempt to restart the TEMS will fail.
Save the ms.config file
From the Operating System command line set these environment variables:
export LDAP_DEBUG=65535
export LDAP_DEBUG_FILE=/opt/IBM/ITM/logs/LDAP_tacmd_failure.trace
NOTE: If $CANDLEHOME is not using the default location (/opt/IBM/ITM), change the path for the LDAP_DEBUG_FILE variable.
From the same command line where the LDAP_DEBUG variables were set, restart the TEMS using the command:
itmcmd server start {TEMS Name}
After the TEMS is back online, attempt the 'tacmd login' command.
These errors are written to the $CANDLEHOME/logs/LDAP_tacmd_failure.trace file when the KGL_KEYRING variables are not correctly set:
2019-08-20T16:11:16.753169-4:00 T11824 K32964989 ldap_getenv: LDAP_OPT_SSL_EXTN_SIGALG=NULL
2019-08-20T16:11:16.753216-4:00 T11824 K32964989 setExtnSigalg:pGskAttributeSetBuffer rc =0 setting GSK_SSL_EXTN_SIGALG to default
2019-08-20T16:11:16.754224-4:00 T11824 K32964989 Error - initGSKitEnv(): pGskEnvInit()
2019-08-20T16:11:16.754243-4:00 T11824 K32964989 Error - ldap_ssl_client_init_setup: gsk_environment_init() returns rc=202 GSK_KEYRING_OPEN_ERROR
Resolving The Problem
If the KGL_KEYRING variables are incorrectly set, update the $CANDLEHOME/config/ms.config file, and restart the TEMS.
The KGL_KEYRING_FILE and KGL_KEYRING_STASH variables require the fully qualified path to the custom certificates:
Example:
KGL_KEYRING_STASH=/opt/IBM/ITM/keyfiles/ourcustom.sth
KGL_KEYRING_FILE=/opt/IBM/ITM/keyfiles/ourcustom.kdb
The KGL_KEYRING_LABEL value can be gathered using the command:
/opt/IBM/ITM/lx8266/gs/bin/gsk8capicmd_64 -cert -list -db /opt/IBM/ITM/keyfiles/ourcustom.kdb -stashed
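The checks described above can be scripted before restarting the TEMS. The following is an added example, not part of the original technote or of ITM itself: the function names and script name are made up, and it assumes the file contains plain NAME=value lines. It verifies that KGL_KEYRING_FILE and KGL_KEYRING_STASH are fully qualified paths to readable files, that KGL_KEYRING_LABEL is set, and that the stash file is not world-readable.

```shell
#!/bin/sh
# Added example: sanity-check the KGL_KEYRING_* settings in an ms.env file.
# Usage: sh check_keyring.sh /opt/IBM/ITM/config/ms.env   (script name is made up)

# Print the last value assigned to variable $2 in file $1, minus trailing
# blanks and optional surrounding quotes (assumes plain NAME=value lines).
keyring_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//"
}

# Print one line per finding; the return code is the number of findings.
check_keyring_env() {
    env_file=$1
    findings=0
    if [ ! -r "$env_file" ]; then
        echo "FAIL: cannot read $env_file"
        return 1
    fi
    for var in KGL_KEYRING_FILE KGL_KEYRING_STASH; do
        val=$(keyring_value "$env_file" "$var")
        case $val in
            '') msg="is not set" ;;
            /*) if [ ! -f "$val" ]; then msg="points to a missing file: $val"
                elif [ ! -r "$val" ]; then msg="is not readable by $(id -un): $val"
                else msg=""; fi ;;
            *)  msg="is not a fully qualified path: $val" ;;
        esac
        if [ -n "$msg" ]; then
            echo "FAIL: $var $msg"
            findings=$((findings + 1))
        fi
    done
    if [ -z "$(keyring_value "$env_file" KGL_KEYRING_LABEL)" ]; then
        echo "FAIL: KGL_KEYRING_LABEL is not set"
        findings=$((findings + 1))
    fi
    # The stash file stores the key database password in obfuscated form,
    # so also flag a stash that every local user can read.
    stash=$(keyring_value "$env_file" KGL_KEYRING_STASH)
    if [ -f "$stash" ] && [ -n "$(find "$stash" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $stash is world-readable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then check_keyring_env "$1"; fi
```

Run it as the account that runs the TEMS, because the readability test applies to the current user.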
Document Location
Worldwide
Document Information
Modified date:
23 August 2019
UID
ibm11071774