IBM Support

IT18563: SERVERS ARE UNABLE TO CONNECT TO OTHER SERVERS WHEN USING A CA SIGNED CERTIFICATE.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • When using server to server SSL connection, and using a CA
    signed certificate, the communication will fail between the
    library manager and the storage agent. The error message will be
    showed on the library manager as
    
    ANR8583E An SSL socket-initialization error occurred on session
    34. The GSKit return code is 420.~
    
    The error message will be showed on the storage agent as
    ANR0454E Session rejected by server XXX, reason: 201 -
    Communication Failure.~
    
    
    
    Customer/L2 Diagnostics:
    
    This APAR documents a library manager and storage agent
    communication issue when CA signed certificates are used.
    Under the APAR condition, the following error is reported in the
    actlog for both, library manager and storage agent:
    ANR8583E An SSL socket-initialization error occurred on session
    34.  The GSKit return code is 420.~
    
    In addition, the reason 201 is logged in the storage agent
    trace.
    
    <ADDMSG SSLINFO SESSION PVR MMS> trace from the library manager
    shows:
    .
    09:48:17.598 [371][output.c][7647][PutConsoleMsg]:ANR8592I
    Session 39 connection is using SSL version TLSV12, cipher
    specification AES-256-GCM, certificate serial number
    19:d0:4a:8d:30:58:62. ~
    09:48:17.606 [371][output.c][7647][PutConsoleMsg]:ANR0407I
    Session 39 started for administrator IBM-OC-TSMOCHUB (Windows)
    (SSL tsmochub-it.local(50374)).~
    09:48:17.648 [371][smtrans.c][2268][SmRecvVerbX]:Session 39,
    Length=56, Size 4, Code=0016, Ext: No, Type=SignOnAuth.
    09:48:17.648 [371][smsec.c][836][SmAuthenticate]:SmAuth: Failed
    decrypt. Input Len 48, Output Len 48. Session
    IBM-OC-TSMOCHUB(39), rc=-1
    09:48:17.650 [371][ssltcomm.c][1700][ssltcpRecv]:ssltcpRecv:
    Reading 512 bytes from socket on session 39
    09:48:17.654 [371][ssltcomm.c][1709][ssltcpRecv]:ssltcpRecv: ssl
    read on session 39 rc 420 GSK_ERROR_SOCKET_CLOSED
    09:48:17.654 [371][smtrans.c][7895][ReceiveVerb]:Failure reading
    verbHdr commRc -1 sessTerm 0.
    09:48:17.654 [371][smtrans.c][2169][SmRecvVerbX]:ReceiveVerb
    rc=-1
    09:48:17.654
    [371][smexec.c][7422][DoAdminGeneral]:SmAuthenticate returned
    with authRc 9999 for session 39(IBM-OC-TSMOCHUB)
    09:48:17.655 [371][smexec.c][4153][smEndMessage]:Session 39 for
    IBM-OC-TSMOCHUB ending with termReason 1.
    09:48:17.655 [371][output.c][7647][PutConsoleMsg]:ANR0568W
    Session 39 for admin IBM-OC-TSMOCHUB (Windows) terminated -
    connection with client severed.~
    09:48:17.656
    [371][smutil.c][2223][smRemoveSessMountCount]:Session number 39
    for node IBM-OC-TSMOCHUB does not have any mount point a
    llocated.
    
    09:48:54.592 [331][ssltcomm.c][2033][sslSocOpen]:sslSocOpen
    gsk_secure_soc_init session 34 rc 420 GSK_ERROR_SOCKET_CLOSED
    09:48:54.592 [331][output.c][7647][PutConsoleMsg]:ANR8583E An
    SSL socket-initialization error occurred on session 34.  The
    GSKit return code is 420.~
    
     .
    . <ADDMSG SSLINFO SESSION PVR MMS> trace from the storage agent
    shows (note the reason 201 is logged here):
    .
    9:46:33.678
    [18][ssltcomm.c][3933][SslFlushBuffer]:SslFlushBuffer: Sending
    145 bytes of data to client at tsmsrv1.romelab.it on
    socket 00000000000108D4, port 16480.
    09:51:53.947 [18][output.c][7647][PutConsoleMsg]:ANR0400I
    Session 11 started for node VC-DM (TDP VMware) (Shared
    Memory).~
    09:51:53.950
    [18][ssltcomm.c][3933][SslFlushBuffer]:SslFlushBuffer: Sending
    145 bytes of data to client at tsmsrv1.romelab.it on
    socket 00000000000108D4, port 16480.
    09:51:53.998
    [18][smexec.c][5489][SmAddReplServerAddress]:Session 11 for node
    VC-DM Error getting comm info for Replication server,
    status = 2095
    09:51:54.164 [18][output.c][7647][PutConsoleMsg]:ANR8595I
    Session to address tsmsrv1.romelab.it is using SSL
    version TLSV12, cipher specification AES-256-GCM, certificate
    serial number 36:a0:2d:db:21:ce:e3:7e.~
    09:51:57.674 [18][smexec.c][4619][smOpenSession]:session 14 open
    09:51:57.675 [18][smtrans.c][1915][SmSendVerbX]:Session 14,
    Length=4, Code=001D, Type=Identify, verbPtr 00000000060CA000.
    09:51:57.675 [18][smtrans.c][2163][SmRecvVerbX]:Receiving verb
    for TSMSRVLM(14) using buffer 0000000005FDF990.
    09:54:53.310 [18][smtrans.c][7895][ReceiveVerb]:Failure reading
    verbHdr commRc -1 sessTerm 0.
    09:54:53.310 [18][smtrans.c][2169][SmRecvVerbX]:ReceiveVerb
    rc=-1
    09:54:53.310 [18][smserv.c][5793][SignOnToServer]:IdentifyVerb
    exchange failed.
    09:54:53.310 [18][smserv.c][5122][smServIssueRejectMsg]:Issuing
    message for reason 201 from smserv.c(6020).^H
    09:54:53.311 [18][output.c][7647][PutConsoleMsg]:ANR0454E
    Session rejected by server TSMSRVLM, reason: 201 - Communication
    Failure.~
     .
    
    
    
    IBM Spectrum Protect versions affected:
    Server 6.3.6.000, 7.1.7.000 and before on supported platforms
    
    
    
    Initial Impact:
    Medium
    
    
    
    Additional Keywords:
    TSM SPECTRUM PROTECT SP CA signed certificate unable to connect
    Server to Server storage agent session ANR0530W ANR8580E "The
    GSKit return code is 406"  (RTC) 130384
    

Local fix

  • Specify SSLCERTVERIFY NO in the both server and storage agent
    option file when the CA signed certificate is used and SSL=NO.
    There is no local fix if the SSL is set YES.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All IBM Tivoli Storage Manager server users of a CA signed   *
    * certificate.                                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See error description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is projected *
    * to be fixed in levels  6.3.6.100, and 7.1.7.100.             *
    * Note that this is subject to change at the discretion of     *
    * IBM.                                                         *
    ****************************************************************
    

Problem conclusion

  • This problem was fixed.
    Affected platforms: AIX, HP, Linux, Solaris, and Windows.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT18563

  • Reported component name

    TSM SERVER

  • Reported component ID

    5698ISMSV

  • Reported release

    71A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-12-23

  • Closed date

    2017-02-21

  • Last modified date

    2017-02-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM SERVER

  • Fixed component ID

    5698ISMSV

Applicable component levels

  • R63A PSY

       UP

  • R63H PSY

       UP

  • R63L PSY

       UP

  • R63S PSY

       UP

  • R63W PSY

       UP

  • R71A PSY

       UP

  • R71H PSY

       UP

  • R71L PSY

       UP

  • R71S PSY

       UP

  • R71W PSY

       UP



Document information

More support for: Tivoli Storage Manager

Software version: 7.1.3

Reference #: IT18563

Modified date: 21 February 2017