IBM Support

Enabling & Disabling Legacy Protocol (SSLv3 & MD5 hash) for IBM Spectrum Control and Tivoli Storage Productivity Center

Troubleshooting


Problem

This document describes a temporary solution for connection problems between some supported devices and IBM Spectrum Control and Tivoli Storage Productivity Center. You can configure IBM Spectrum Control and Tivoli Storage Productivity Center to use a legacy connection protocol (SSLv3 and MD5 hash) to maintain compatibility with those devices.

Please note that this solution is only applicable up to Spectrum Control 5.2.15.2.
 

 

Symptom

BPCUI0055E - Cannot connect to the DS8000 storage system. The DS8000 ESSNI server is not available or allowing connections.

Storage Insights users:
If you encounter error message BPCUI055E when adding a DS8000 storage system for monitoring, learn about how to troubleshoot the problem at https://www.ibm.com/support/knowledgecenter/SSQRB8/com.ibm.spectrum.si.doc/tpch_saas_t_configuring_ds8k_sslv3.html

Cause

IBM Spectrum Control and Tivoli Storage Productivity Center use different connection protocols to connect to devices. The default values of the connection protocols were changed for different releases of the products, which might cause a connection problem to some devices. Use the following table to identify the releases where the protocols were changed, and to determine where to enable legacy protocols that were disabled.
 

 
| Product | TLSv1 Enabled* | SSLv3 Disabled | MD5 Disabled |
|---|---|---|---|
| IBM Spectrum Control 5.2.x | 5.2.8+ | 5.2.8+ | 5.2.9+ |
| Tivoli Storage Productivity Center 5.2.x | 5.2.5+ | 5.2.5+ | See IBM Spectrum Control |
| Tivoli Storage Productivity Center 5.1.x | 5.1.1.6+ | 5.1.1.6+ | 5.1.1.10+ |
| Tivoli Storage Productivity Center 4.2.x | 4.2.2.191+ | 4.2.2.191+ | None |
 


* The TLSv1 protocol cannot be disabled.

Storage systems that require SSLv3 for communication will no longer be compatible, unless you re-enable SSLv3 with one of the scripts provided below. IBM System Storage DS8000 storage systems that require SSLv3 enabled will also need MD5 enabled and new scripts are provided below that will enable both.

Any CIM agents that use the MD5 signed certificates should have the certificates replaced rather than enabling SSLv3 and MD5 with the script. See Resolving security certificate errors in IBM Spectrum Control.
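To find the certificates the paragraph above refers to, the following added example (not an IBM-provided script) reads each certificate's signature algorithm with the openssl command-line tool and flags MD5-signed ones for replacement. The function names, the script name cert_audit.sh, and the directory of exported PEM files or the host:port argument are assumptions supplied for illustration.

```shell
#!/bin/sh
# Added example, not an IBM script. Requires the openssl command-line tool.

# Read "openssl x509 -noout -text" output on stdin and print the certificate's
# signature algorithm, for example md5WithRSAEncryption.
sig_alg() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Succeed (exit status 0) when the signature algorithm name is MD5-based.
is_md5_sig() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        md5*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Map a signature algorithm name to the action this page recommends.
cert_action() {
    if [ -z "$1" ]; then
        echo "UNKNOWN (no certificate read)"
    elif is_md5_sig "$1"; then
        echo "REPLACE-CERT ($1)"
    else
        echo "OK ($1)"
    fi
}

# Audit every *.pem file in a directory of exported agent certificates.
audit_dir() (
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        alg=$(openssl x509 -in "$pem" -noout -text 2>/dev/null | sig_alg)
        printf '%s\t%s\n' "$pem" "$(cert_action "$alg")"
    done
)

# Audit the certificate presented at host:port. UNKNOWN also covers the case
# where the local openssl build cannot negotiate the protocol the agent offers.
audit_endpoint() (
    alg=$(openssl s_client -connect "$1" </dev/null 2>/dev/null |
          openssl x509 -noout -text 2>/dev/null | sig_alg)
    printf '%s\t%s\n' "$1" "$(cert_action "$alg")"
)

# Usage: sh cert_audit.sh <directory> | <host:port>
if [ "$#" -eq 1 ]; then
    if [ -d "$1" ]; then audit_dir "$1"; else audit_endpoint "$1"; fi
fi
```

An UNKNOWN result means no certificate could be read, so treat it as unverified rather than as passing.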

Diagnosing The Problem

If you are adding a new storage system that does not support TLSv1, or performing a connection test on an existing storage system that does not support TLSv1, it will fail a connection test with either of the errors shown below:


or

  • In addition, Tivoli Storage Productivity Center for Replication users will see the following error message when failing to connect:
    IWNH1650E : Failed to successfully connect to the HMC server HMC:<IP|DNS_NAME> with the reason: 4.
  • If you have previously configured IBM Spectrum Control or Tivoli Storage Productivity Center with storage subsystems that do not support TLSv1 and then upgraded to one of the levels listed above (through IBM Spectrum Control version 5.2.12), connections can no longer be established.  
  • If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 and MD5 settings (enabled or disabled) are maintained through the upgrade and the same storage subsystem connections will persist after the upgrade.  
  • If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to IBM Spectrum Control version 5.2.13 or later, SSLv3 and MD5 are disabled during the upgrade and connections can no longer be established.
  • If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to 5.1.1.13 or later, re-run the script to set your desired configuration of SSLv3 and MD5 (enabled or disabled).

 

 

Resolving The Problem

Important: This is a temporary solution to resolve connection problems. Before enabling any protocols that were disabled by default, review the following security bulletins:


Confirm the storage system is supported by reviewing the list of supported devices:
http://www-01.ibm.com/support/docview.wss?uid=swg21386446

Please note that this solution is applicable up to Spectrum Control 5.2.15.2.

If the storage system does not support TLSv1, and you are unable to upgrade the device to a level that does, a script may be run to enable SSLv3 and MD5 within IBM Spectrum Control or Tivoli Storage Productivity Center to communicate with the storage system. The effects of the script will persist until it is subsequently run with the disable option or you upgrade to Tivoli Storage Productivity Center (version 5.1.1.x) or to IBM Spectrum Control (version 5.2.12 or earlier).

  • If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 and MD5 settings (enabled or disabled) are maintained through the upgrade and the same storage subsystem connections will persist after the upgrade.
  • If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to IBM Spectrum Control version 5.2.13 or later, SSLv3 and MD5 are disabled during the upgrade and connections can no longer be established.

Once the affected storage systems have been upgraded, you should run the script again to disable SSLv3 and MD5.

The scripts to enable and disable the legacy protocol are version and platform dependent. Choose the correct one to download for your environment and follow the steps to run it.

Download the script package
5.2.9 - 5.2.15.x  |  5.2.8  |  5.2.5 - 5.2.7.1  |  5.1.1.10+  |  5.1.1.6 - 5.1.1.9  |  4.2.2.x

 

| Release | Platform | Usage | Enable/Disable Properties |
|---|---|---|---|
| IBM Spectrum Control 5.2.9 - 5.2.15.x | AIX & Linux; Windows | Use with Spectrum Control 5.2.9 and higher only. Does not apply to Spectrum Control 5.2.16 or higher. | SSLv3, MD5 |
| IBM Spectrum Control 5.2.8 | AIX & Linux; Windows | Use with Spectrum Control 5.2.8. | SSLv3 |
| Tivoli Storage Productivity Center 5.2.5 - 5.2.7.1 | AIX; Linux; Windows | Use with TPC 5.2.5 through 5.2.7 only. | SSLv3 |
| Tivoli Storage Productivity Center 5.1.1.10+ | AIX & Linux; Windows | Use with TPC 5.1.1.10 and higher only. | SSLv3, MD5 |
| Tivoli Storage Productivity Center 5.1.1.6 - 5.1.1.9 | AIX; Linux; Windows | Use with TPC 5.1.1.6 through 5.1.1.9 only. | SSLv3 |
| Tivoli Storage Productivity Center 4.2.2.x | AIX; Linux; Windows | Use with TPC 4.2.2.191 (FP8) or higher only. | SSLv3 |


Note: The provided packages apply configuration updates to your IBM Spectrum Control or Tivoli Storage Productivity Center server and must be applied only to the versions listed in the table above. Earlier versions of Tivoli Storage Productivity Center cannot disable some properties.

Install the script:

Tivoli Storage Productivity Center
1. The script is provided in a single compressed file. Extract it onto the IBM Spectrum Control or Tivoli Storage Productivity Center server in a directory of your choosing.

2. Once extracted, there will be two files:

  • A shell script (install.bat or install.sh)
  • An archive (exe or tar file)


3. Issue the following from the command line:

  • <install script> <TPC installation directory>

    As an example, for the default TPC location in Windows: "install.bat C:\Program Files\IBM\TPC"

    It will create the following files in <TPC installation directory>/service where xx specifies the Tivoli Storage Productivity Center version:
    • A shell script (legacy_protocol_xx.bat or legacy_protocol_xx.sh)
    • An archive (legacy_protocol_xx.jar)


Follow the steps provided below to run the script.

IBM Spectrum Control
The script is provided in a single compressed file. Extract it onto the IBM Spectrum Control server into the following directory:

<IBM Spectrum Control installation directory>/service

Once extracted, the following files should be in the service directory:

  • A shell script (legacy_protocol_52.bat or legacy_protocol_52.sh)
  • An archive (legacy_protocol_xx.jar)


Follow the steps provided below to run the script.


Run the script
Disable, enable or check your protocol using the installed script. You will be prompted to restart the Device and Replication servers to finish enabling the legacy protocol.

  • IBM Spectrum Control 5.2.8 and higher (including TPC 5.2.5 and higher)
    legacy_protocol_52.bat -status | -enable | -disable    (Windows)
    legacy_protocol_52.sh -status | -enable | -disable     (AIX and Linux)

  • TPC 5.1.1.6 and higher
    legacy_protocol_511.bat -status | -enable | -disable   (Windows)
    legacy_protocol_511.sh -status | -enable | -disable    (AIX and Linux)

  • TPC 4.2.2.191 (FP8) and higher
    legacy_protocol_42.bat -status | -enable | -disable    (Windows)
    legacy_protocol_42.sh -status | -enable | -disable     (AIX and Linux)

 


Examples
Enable the legacy protocols



Disable the legacy protocols



Check the status of the legacy protocols




Additional notes concerning security vulnerabilities

  • By choosing to run this script, you are choosing to reintroduce SSLv3 and/or MD5 into your environment that had been disabled due to security vulnerabilities. See the related security bulletins for more details on the vulnerabilities.
  • It is your responsibility to run the script again to disable SSLv3 and MD5 after the storage systems have been upgraded.
  • Subsequent IBM Spectrum Control or Tivoli Storage Productivity Center upgrades to version 5.2.12 or earlier (including manual WebSphere Application Server and Java updates) will reset the legacy protocol state back to the default value of disabled (SSLv3 and MD5 disabled). If your environment still requires SSLv3 and/or MD5 for compatibility with other devices, you must run the script again to enable the legacy protocol.  If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 and MD5 settings (enabled or disabled) are maintained through the upgrade and the same storage subsystem connections will persist after the upgrade.  If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to IBM Spectrum Control version 5.2.13 or later, SSLv3 and MD5 are disabled during the upgrade and connections can no longer be established.
  • Running the script to enable SSLv3 does not change the TLSv1 support added. If you run the script to enable SSLv3, both protocols are available.
  • These scripts do not work with earlier versions of Tivoli Storage Productivity Center to enable or disable SSLv3 or MD5. See the security bulletins for how to resolve the vulnerability for affected earlier versions.
  • The newer scripts that enable or disable MD5 are more verbose, providing better output confirming your changes.

Related information

Security Bulletin: IBM Java CPU (Oct 2014 - SSLv3)
Security Bulletin: IBM Java CPU (Jan 2016 - MD5)
Troubleshooting for Storage Insights

Cross reference information
| Product | Component | Platform | Version | Edition |
|---|---|---|---|---|
| Tivoli Storage Productivity Center | Not Applicable | AIX, Linux, Windows | 5.1, 5.1.1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7 | All Editions |
| Tivoli Storage Productivity Center Standard Edition | Not Applicable | AIX, Linux, Windows | 4.1, 4.1.1, 4.2, 4.2.1, 4.2.2 | |

Document information

More support for: IBM Spectrum Control Standard Edition

Component: --, Not Applicable

Software version: 4.1, 4.1.1, 4.2, 4.2.1, 4.2.2, 5.1, 5.1.1, 5.2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15

Operating system(s): AIX, Linux, Windows

Software edition: All Editions

Reference #: 1697904

Modified date: 13 July 2018