IBM Support

IT22236: ANR8596E WHEN SERVER HLA DOES NOT MATCH REVERSE DNS LOOKUP FOR THIS SERVER'S HOSTNAME

APAR status

  • Closed as program error.

Error description

  • When SSL communication is initiated for a server-to-server
    session, the certificate needs to be verified against the server
    HLA (high-level address) that is used to define server-to-server
    communication. This server HLA needs to match the certificate
    subject CN or a Subject Alternative Name in the certificate.
    
    During SSL initiation, the result of a reverse DNS lookup is used
    instead of the server's HLA.
    When the result of this reverse lookup is not in the
    certificate, validation fails.
    
    IBM Spectrum Protect Versions Affected: IBM Spectrum Protect
    Server 8.1.2 on all platforms
    
    Customer/L2 Diagnostics
    Review the server activity log from the server that is
    initiating the SSL session.
    This will show:
    ANR8596E The certificate identity could not be verified for the
    server at address SERVER A
    
    Initial Impact: Medium
    
    Additional Keywords: gskit, TSM, Tivoli, Storage, Manager,
    secure, tcpip
    

Local fix

  • Use whichever of the following workarounds is feasible for the
    environment:
    
    1. Create a hosts file entry to return the same address as in the
    certificate for the partner server.
    Example: if Server A connects to Server B, A validates B's
    certificate against the HLA that is returned from the reverse
    lookup rather than the HLA that was used with DEFINE SERVER.
    Create a hosts file entry on A so that the HLA for B matches the
    DEFINE SERVER HLA.
    
    or
    
    2. Update the partner HLA with UPDATE SERVER to match
    the result of the reverse DNS lookup.
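
To check a server pair for this condition before or after applying a workaround, the following added example (not IBM code and not part of the APAR) compares the DEFINE SERVER HLA and the reverse-lookup name against the names in the partner's certificate. The hostnames are constructed, the function names are hypothetical, and name matching is assumed to be a case-insensitive exact match.

```python
import socket

def normalize(name):
    """Lower-case and drop a trailing dot so DNS and certificate names compare equal."""
    return name.strip().rstrip(".").lower()

def reverse_name_for(hla):
    """Live lookup through the operating system resolver: forward-resolve
    the HLA, then reverse-resolve the resulting address."""
    addr = socket.gethostbyname(hla)
    return socket.gethostbyaddr(addr)[0]

def diagnose(hla, reverse_name, cert_names):
    """Classify a server pair.

    hla          -- HLA given to DEFINE SERVER for the partner
    reverse_name -- name returned by the reverse DNS lookup
    cert_names   -- subject CN plus Subject Alternative Names of the
                    partner certificate
    """
    names = {normalize(n) for n in cert_names}
    hla_ok = normalize(hla) in names
    rev_ok = normalize(reverse_name) in names
    if hla_ok and rev_ok:
        return "ok"                        # passes whichever name is checked
    if hla_ok:
        return "fails-on-affected-level"   # the ANR8596E case in this APAR
    if rev_ok:
        return "fails-when-hla-is-checked" # certificate lacks the HLA
    return "fails-always"                  # certificate matches neither name

# Constructed sample data: Server A's view of Server B.
SAMPLE_CERT_NAMES = ["tsmb.example.com", "tsmb"]
SAMPLE_HLA = "tsmb.example.com"
SAMPLE_REVERSE = "node17.dc.example.net."  # PTR record differs from the HLA

if __name__ == "__main__":
    # Affected level: the reverse name is checked and is not in the certificate.
    print(diagnose(SAMPLE_HLA, SAMPLE_REVERSE, SAMPLE_CERT_NAMES))
    # After workaround 1, the reverse lookup returns the HLA itself.
    print(diagnose(SAMPLE_HLA, "tsmb.example.com", SAMPLE_CERT_NAMES))
```

On a live system, pass `reverse_name_for(hla)` as the second argument and the CN and SAN values read from the partner certificate as the third.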
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All IBM Spectrum Protect server users.                       *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See error description.                                       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is currently *
    * projected to be fixed in levels 7.1.9.100, 7.1.10 and 8.1.3. *
    * Note that this is subject to change at the discretion of     *
    * IBM.                                                         *
    ****************************************************************
    

Problem conclusion

  • This problem was fixed.
    Affected platforms for reported release: AIX, Linux, and
    Windows.
    Platforms fixed: AIX, HP, Linux, Solaris and Windows.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT22236

  • Reported component name

    TSM SERVER

  • Reported component ID

    5698ISMSV

  • Reported release

    81L

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-09-07

  • Closed date

    2017-09-12

  • Last modified date

    2018-09-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM SERVER

  • Fixed component ID

    5698ISMSV

Applicable component levels



Document information

More support for: Tivoli Storage Manager

Software version: 81L

Reference #: IT22236

Modified date: 12 September 2018