Troubleshooting
Problem
This document describes a temporary solution for connection problems between some supported devices and IBM Spectrum Control and Tivoli Storage Productivity Center. You can configure IBM Spectrum Control and Tivoli Storage Productivity Center to use a legacy connection protocol (SSLv3 and MD5 hash) to maintain compatibility with those devices.
Please note that this solution is only applicable up to Spectrum Control 5.2.15.2.
Symptom
BPCUI0055E - Cannot connect to the DS8000 storage system. The DS8000 ESSNI server is not available or allowing connections.
Storage Insights users:
If you encounter error message BPCUI055E when adding a DS8000 storage system for monitoring, learn about how to troubleshoot the problem at https://www.ibm.com/support/knowledgecenter/SSQRB8/com.ibm.spectrum.si.doc/tpch_saas_t_configuring_ds8k_sslv3.html
Cause
IBM Spectrum Control and Tivoli Storage Productivity Center use different connection protocols to connect to devices. The default values of the connection protocols were changed for different releases of the products, which might cause a connection problem to some devices. Use the following table to identify the releases where the protocols were changed, and to determine where to enable legacy protocols that were disabled.
| Product | TLSv1 Enabled* | SSLv3 Disabled | MD5 Disabled |
| --- | --- | --- | --- |
| IBM Spectrum Control 5.2.x | 5.2.8+ | 5.2.8+ | 5.2.9+ |
| Tivoli Storage Productivity Center 5.2.x | 5.2.5+ | 5.2.5+ | See IBM Spectrum Control |
| Tivoli Storage Productivity Center 5.1.x | 5.1.1.6+ | 5.1.1.6+ | 5.1.1.10+ |
| Tivoli Storage Productivity Center 4.2.x | 4.2.2.191+ | 4.2.2.191+ | None |
* The TLSv1 protocol cannot be disabled.
Storage systems that require SSLv3 for communication will no longer be compatible unless you re-enable SSLv3 with one of the scripts provided below. IBM System Storage DS8000 storage systems that require SSLv3 enabled will also need MD5 enabled, and new scripts are provided below that will enable both.
Any CIM agents that use the MD5 signed certificates should have the certificates replaced rather than enabling SSLv3 and MD5 with the script. See Resolving security certificate errors in IBM Spectrum Control.
Diagnosing The Problem
If you are adding a new storage system that does not support TLSv1, or performing a connection test on an existing storage system that does not support TLSv1, it will fail a connection test with either of the errors shown below:
or
- In addition, Tivoli Storage Productivity Center for Replication users will see the following error message when failing to connect:
  IWNH1650E : Failed to successfully connect to the HMC server HMC:<IP|DNS_NAME> with the reason: 4.
- If you have previously configured IBM Spectrum Control or Tivoli Storage Productivity Center with storage subsystems that do not support TLSv1 and then upgraded to one of the levels listed above (through IBM Spectrum Control version 5.2.12), connections can no longer be established.
- If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 and MD5 settings (enabled or disabled) are maintained through the upgrade and the same storage subsystem connections will persist after the upgrade.
- If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to IBM Spectrum Control version 5.2.13 or later, SSLv3 and MD5 are disabled during the upgrade and connections can no longer be established.
- If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to 5.1.1.13 or later, re-run the script to set your desired configuration of SSLv3 and MD5 (enabled or disabled).
Resolving The Problem
Important: This is a temporary solution to resolve connection problems. Before enabling any protocols that were disabled by default, review the following security bulletins:
- Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Tivoli Storage Productivity Center October 2014 CPU and CVE-2014-3566 (SSLv3)
- Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center October 2015 CPU and January 2016 CPU (MD5)
Confirm the storage system is supported by reviewing the list of supported devices:
http://www-01.ibm.com/support/docview.wss?uid=swg21386446
Please note that this solution is applicable up to Spectrum Control 5.2.15.2.
If the storage system does not support TLSv1, and you are unable to upgrade the device to a level that does, a script may be run to enable SSLv3 and MD5 within IBM Spectrum Control or Tivoli Storage Productivity Center to communicate to the storage system. The effects of the script will persist until it is subsequently run with the disable option or you upgrade to Tivoli Storage Productivity Center (version 5.1.1.x) or to IBM Spectrum Control (version 5.2.12 or earlier). If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 and MD5 settings (enabled or disabled) are maintained through the upgrade and the same storage subsystem connections will persist after the upgrade. If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to IBM Spectrum Control version 5.2.13 or later, SSLv3 and MD5 are disabled during the upgrade and connections can no longer be established. Once the affected storage systems have been upgraded, you should run the script again to disable SSLv3 and MD5.
The scripts to enable and disable the legacy protocol are version and platform dependent. Choose the correct one to download for your environment and follow the steps to run it.
Download the script package
5.2.9 - 5.2.15.x | 5.2.8 | 5.2.5 - 5.2.7.1 | 5.1.1.10+ | 5.1.1.6 - 5.1.1.9 | 4.2.2.x
Note: The provided packages apply configuration updates to your IBM Spectrum Control or Tivoli Storage Productivity Center server and must be applied only to the versions listed in the table above. Earlier versions of Tivoli Storage Productivity Center cannot disable some properties.
Install the script:
Tivoli Storage Productivity Center
1. The script is provided in a single compressed file. Extract it onto the IBM Spectrum Control or Tivoli Storage Productivity Center server in a directory of your choosing.
2. Once extracted, there will be two files:
- A shell script (install.bat or install.sh)
- An archive (exe or tar file)
3. Issue the following from the command line:
- <install script> <TPC installation directory>
As an example, for the default TPC location in Windows: "install.bat C:\Program Files\IBM\TPC"
It will create the following files in <TPC installation directory>/service where xx specifies the Tivoli Storage Productivity Center version:
- A shell script (legacy_protocol_xx.bat or legacy_protocol_xx.sh)
- An archive (legacy_protocol_xx.jar)
Follow the steps provided below to run the script.
IBM Spectrum Control
The script is provided in a single compressed file. Extract it onto the IBM Spectrum Control server into the following directory:
<IBM Spectrum Control installation directory>/service
Once extracted, the following files should be in the service directory:
- A shell script (legacy_protocol_52.bat or legacy_protocol_52.sh)
- An archive (legacy_protocol_xx.jar)
Follow the steps provided below to run the script.
Run the script
Disable, enable or check your protocol using the installed script. You will be prompted to restart the Device and Replication servers to finish enabling the legacy protocol.
- IBM Spectrum Control 5.2.8 and higher (including TPC 5.2.5 and higher)
legacy_protocol_52.bat -status | -enable | -disable
TPC 5.1.1.6 and higher
legacy_protocol_511.bat -status | -enable | -disable
TPC 4.2.2.191 (FP8) and higher
legacy_protocol_42.bat -status | -enable | -disable
Examples
Enable the legacy protocols
Disable the legacy protocols
Check the status of the legacy protocols
Additional notes concerning security vulnerabilities
- By choosing to run this script, you are choosing to reintroduce SSLv3 and/or MD5 into your environment that had been disabled due to security vulnerabilities. See the related security bulletins for more details on the vulnerabilities.
- It is your responsibility to run the script again to disable SSLv3 and MD5 after the storage systems have been upgraded.
- Subsequent IBM Spectrum Control or Tivoli Storage Productivity Center upgrades to version 5.2.12 or earlier (including manual WebSphere Application Server and Java updates) will reset the legacy protocol state back to the default value of disabled (SSLv3 and MD5 disabled). If your environment still requires SSLv3 and/or MD5 for compatibility with other devices, you must run the script again to enable the legacy protocol. If you upgrade from version 5.2.x to IBM Spectrum Control version 5.2.13 or later, your SSLv3 and MD5 settings (enabled or disabled) are maintained through the upgrade and the same storage subsystem connections will persist after the upgrade. If you upgrade from Tivoli Storage Productivity Center version 5.1.1.x to IBM Spectrum Control version 5.2.13 or later, SSLv3 and MD5 are disabled during the upgrade and connections can no longer be established.
- Running the script to enable SSLv3 does not change the TLSv1 support added. If you run the script to enable SSLv3, both protocols are available.
- These scripts do not work with earlier versions of Tivoli Storage Productivity Center to enable or disable SSLv3 or MD5. See the security bulletins for how to resolve the vulnerability for affected earlier versions.
- The newer scripts that enable or disable MD5 are more verbose, providing better output confirming your changes.
Document Information
Modified date: 22 February 2022
UID: swg21697904