
Security updates beginning in IBM Spectrum Protect V8.1.2 and Tivoli Storage Manager V7.1.8

Troubleshooting


Problem

Beginning with IBM Spectrum Protect Version 8.1.2 and Tivoli Storage Manager V7.1.8, security enhancements were introduced. For an overview of the security enhancements, see the documents listed under Related information at the end of this page.

Before you install or upgrade your environment to apply these enhancements, review the limitations that are associated with each version. To avoid these restrictions and take advantage of the latest security enhancements, update all IBM Spectrum Protect servers and backup-archive clients in your environment to the latest version. For the latest version of the backup-archive client, see IBM Spectrum Protect™ Client 8.1.6 Downloads and READMEs.

Resolving The Problem

This document describes the known issues and limitations in the following areas. Each area has its own table below.

  • Certificates (Table 1)
  • Authentication (Table 2)
  • SSL and TLS communication (Table 3)

Table 1: Limitations affecting certificates

Limitation: If you have an existing cert.kdb database and cert.arm file that were created before V7.1.8 or V8.1.2, then V7.1.8, V8.1.2, and V8.1.3 clients and the Operations Center are unable to connect to a V7.1.8+, V8.1.2, or V8.1.3 server.

Applicable versions and impact of limitation:

  V7.1.8+, V8.1.2, V8.1.3: When you upgrade a server to V7.1.8 or later V7 levels, V8.1.2, or V8.1.3, you must manually change the default certificate on the server and reconfigure existing clients to use the cert256.arm certificate. To update the default certificate, see Updating the default certificate.

  V7.1.9+, V8.1.4+: No updates are required. Beginning in V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled "TSM Server SelfSigned SHA Key". Optionally, to update the default certificate, see Updating the default certificate.

Limitation: Certificates are not automatically configured between storage agents, library clients, and library manager servers.

Applicable versions and impact of limitation:

  V7.1.8, V8.1.2, V8.1.3: Storage agents that use V7.1.8 or later software or V8.1.3 or later software are automatically configured to use SSL. Library clients and library manager servers automatically use SSL to communicate with storage agents that use V7.1.8 or later software or V8.1.2 or later software, but you must manually configure the certificates between them. Beginning with V8.1.3, a storage agent automatically exchanges certificates with its database server. For instructions, see Configuring a storage agent to use SSL.
  Note: Manual configuration is also required for servers, clients, library clients, and library managers that use software versions earlier than V8.1.2 or V8.1.0.

  V7.1.9+, V8.1.4+: No updates are required. Beginning in V8.1.4, certificates are automatically configured between storage agents, library clients, and library manager servers. Manual configuration is no longer required.

Limitation: After upgrading the server to V8.1.6, a database backup operation fails with the following error:

  ANR2968E Database backup terminated. DB2 sqlcode: -2033. DB2 sqlerrmc: -369

Applicable versions and impact of limitation:

  V8.1.6: The BACKUP DB command fails when both of the following conditions are true:
  • The server uses a CA-signed certificate.
  • The communication method used for the backup is set to TCP/IP.

  To resolve the issue, complete one of the following procedures:
  • For Linux and AIX systems, enable the shared memory communications protocol on the server and configure database backups to use shared memory.
    Note: Database backup and restore over shared memory are not available on Windows systems.
  • For Linux, AIX, and Windows systems, update the server options file by adding the following option:
    DBMTRUSTEDIPIGNORE YES
    Then, update the database backup configuration to specify the server's external IP address instead of localhost. For information, see:
    AIX: Preparing the database manager for database backup
    Linux: Preparing the database manager for database backup
    Windows: Preparing the database manager for database backup

 

Table 2: Limitations affecting authentication

Limitation: After a successful authentication to V8.1.2 or later software or V7.1.8 or later software, an administrator ID is restricted as follows.

Applicable versions and impact of limitation:

  V7.1.8+, V8.1.2+:
  • The administrator ID cannot authenticate with the same server by using earlier versions of IBM Spectrum Protect software (for example, V8.1.1 or earlier V8 levels, or V7.1.7 or earlier V7 levels).
  • A single administrator ID cannot be used to log in from multiple systems. For example, after an administrator ID successfully authenticates from an upgraded client (V8.1.2+ or V7.1.8+), the same administrator ID cannot be used to authenticate from a second upgraded client on another system.

  This restriction also applies when a single administrator ID is used to authenticate with a destination server from multiple systems, for example when you use the following functions:
  • Command routing
  • Server-to-server export
  • Connecting from an administrative client in the Operations Center

  For information about planning for and resolving administrator authentication issues, see Troubleshooting security updates.

 

Table 3: Limitations affecting SSL and TLS communication

Limitation: After you upgrade a server to V7.1.8 or later or V8.1.2 or later, messages are displayed even though communication is successful.

Applicable versions and impact of limitation:

  V7.1.8, V8.1.2, V8.1.3: Applicable to the listed versions. If server-to-server operations are failing and messages ANR8583E and ANR8599W are displayed, follow the procedure in Retrying certificate exchange between servers.

  V7.1.9+, V8.1.4+: This limitation is no longer applicable. During the first server-to-server connection after you upgrade the server, a certificate exchange is initiated. This connection causes messages ANR8583E and ANR8599W to appear in the log just once per server, before the certificate exchange takes place. If the messages are displayed more than once per server and operations are failing, follow the procedure in Retrying certificate exchange between servers.
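The once-per-server rule above is easy to misjudge by eye in a busy activity log. The following Python script is added here as an example (it is not part of this document or of the product) that counts ANR8583E per peer server in QUERY ACTLOG output and lists the servers where the message appears more than once, which are the candidates for Retrying certificate exchange between servers. It relies on two assumptions that you should confirm against your own log: that each line has the form "MM/DD/YYYY HH:MM:SS  ANRnnnnX message text", and that a session is tied to a server by an ANR0408I line containing "Session N started for server NAME" (the ANR8583E text itself quotes the session number, as shown in this document). The log excerpt is constructed.

```python
"""Count ANR8583E per peer server and flag servers that exceed once-per-server.

Added example; not code from the IBM page or the product. Assumed formats:
  - activity log lines: 'MM/DD/YYYY HH:MM:SS  ANRnnnnX text'
  - ANR0408I text contains 'Session N started for server NAME'
  - ANR8583E text contains 'on session N' (quoted on the page)
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: SRV2 shows the error once (normal first-connection
# certificate exchange); SRV3 shows it on three sessions.
SAMPLE_ACTLOG = """\
10/12/2018 09:00:01  ANR0408I Session 12 started for server SRV2 (Linux/x86_64) (Tcp/Ip).
10/12/2018 09:00:01  ANR8583E An SSL socket-initialization error occurred on session 12. The GSKit return code is 504 GSK_ERROR_PROTOCOL_MISMATCH.
10/12/2018 09:00:05  ANR0408I Session 13 started for server SRV2 (Linux/x86_64) (Tcp/Ip).
10/12/2018 09:15:30  ANR0408I Session 40 started for server SRV3 (AIX) (Tcp/Ip).
10/12/2018 09:15:30  ANR8583E An SSL socket-initialization error occurred on session 40. The GSKit return code is 504 GSK_ERROR_PROTOCOL_MISMATCH.
10/12/2018 09:20:02  ANR0408I Session 41 started for server SRV3 (AIX) (Tcp/Ip).
10/12/2018 09:20:02  ANR8583E An SSL socket-initialization error occurred on session 41. The GSKit return code is 504 GSK_ERROR_PROTOCOL_MISMATCH.
10/12/2018 09:25:02  ANR0408I Session 42 started for server SRV3 (AIX) (Tcp/Ip).
10/12/2018 09:25:02  ANR8583E An SSL socket-initialization error occurred on session 42. The GSKit return code is 504 GSK_ERROR_PROTOCOL_MISMATCH.
"""

_LINE = re.compile(r"^\S+\s+\S+\s+(ANR\d{4}[A-Z])\s+(.*)$")
_SESSION_START = re.compile(r"Session (\d+) started for server (\S+)")   # assumed ANR0408I text
_ON_SESSION = re.compile(r"on session (\d+)\b")                         # ANR8583E text


def count_ssl_errors_per_server(lines: Iterable[str]) -> Dict[str, int]:
    """Map server name -> number of ANR8583E messages on that server's sessions.

    Session numbers are reused over time, so the latest ANR0408I for a number
    wins; run this over a bounded time window (for example, since the upgrade).
    """
    session_owner: Dict[str, str] = {}
    counts: Counter = Counter()
    for line in lines:
        m = _LINE.match(line.rstrip())
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "ANR0408I":
            s = _SESSION_START.search(text)
            if s:
                session_owner[s.group(1)] = s.group(2)
        elif msg_id == "ANR8583E":
            s = _ON_SESSION.search(text)
            server = session_owner.get(s.group(1), "<unknown session>") if s else "<no session>"
            counts[server] += 1
    return dict(counts)


def servers_needing_retry(counts: Dict[str, int], expected: int = 1) -> List[str]:
    """Servers with more ANR8583E messages than the single expected one."""
    return sorted(s for s, n in counts.items() if n > expected and not s.startswith("<"))


if __name__ == "__main__":
    # Pipe QUERY ACTLOG output in, or run without input to use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_ACTLOG.splitlines()
    per_server = count_ssl_errors_per_server(source)
    for name, n in sorted(per_server.items()):
        print(f"{name}: {n} x ANR8583E")
    print("retry certificate exchange with:", servers_needing_retry(per_server) or "nobody")
```

Unattributed messages (no session number, or a session whose ANR0408I fell outside the window) are reported under a placeholder name rather than silently dropped, so a truncated log does not hide a problem.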

Limitation: After you upgrade a server to V8.1.2, Transport Layer Security (TLS) 1.2 communication between servers might fail.

Applicable versions and impact of limitation:

  V8.1.2: To resolve the issue, follow the procedure in Retrying certificate exchange between servers.

Limitation: Restrictions apply when you specify the SSL-only server ports (SSLTCPPORT and SSLTCPADMINPORT).

Applicable versions and impact of limitation:

  V7.1.8+, V8.1.2+: The following restrictions apply to the listed versions:
  • When you specify the server's SSL-only port for the LLADDRESS parameter on the DEFINE SERVER or UPDATE SERVER command, you must also specify the SSL=YES parameter.
  • When you specify the server's SSL-only port for the client's TCPPORT option, you must also specify YES for the SSL client option.
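Both restrictions come down to one rule: an SSL-only port must never be paired with a non-SSL setting. The following Python script is added here as an example (it is not part of this document or of the product) that reads SSLTCPPORT and SSLTCPADMINPORT from a dsmserv.opt, then checks client dsm.sys stanzas (TCPPORT against the SSL option) and DEFINE SERVER / UPDATE SERVER command text (LLADDRESS against the SSL parameter) for violations. Parsing is deliberately simple and is an assumption of the example: full keyword names only (no abbreviations), '*' comment lines, and one command per string. All sample files and commands are constructed.

```python
"""Flag SSL-only server ports referenced without SSL=YES / SSL YES.

Added example; not code from the IBM page or the product. Assumes plain
'KEYWORD value' option lines with '*' comments, full keyword names, and
DEFINE/UPDATE SERVER commands given as single strings.
"""
import re
from typing import Dict, Iterator, List, Set, Tuple

SAMPLE_DSMSERV_OPT = """* dsmserv.opt (constructed)
TCPPORT 1500
SSLTCPPORT 1543
SSLTCPADMINPORT 1544
"""

SAMPLE_DSM_SYS = """* dsm.sys (constructed)
SERVERNAME srv1_plain
  TCPSERVERADDRESS srv1.example.com
  TCPPORT 1500

SERVERNAME srv1_ssl_bad
  TCPSERVERADDRESS srv1.example.com
  TCPPORT 1543
  SSL NO

SERVERNAME srv1_ssl_good
  TCPSERVERADDRESS srv1.example.com
  TCPPORT 1543
  SSL YES
"""

SAMPLE_COMMANDS = [
    "DEFINE SERVER srv1 HLADDRESS=srv1.example.com LLADDRESS=1543 SERVERPASSWORD=xxxxxxxx",
    "UPDATE SERVER srv1 LLADDRESS=1543 SSL=YES",
    "DEFINE SERVER srv2 HLADDRESS=srv2.example.com LLADDRESS=1500",
]


def parse_option_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (KEYWORD, value) for each non-comment 'keyword value' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0].upper(), parts[1].strip()


def ssl_only_ports(dsmserv_opt: str) -> Set[int]:
    """The server ports that accept only SSL/TLS sessions."""
    return {int(v) for k, v in parse_option_lines(dsmserv_opt)
            if k in ("SSLTCPPORT", "SSLTCPADMINPORT")}


def parse_dsm_sys(text: str) -> Dict[str, Dict[str, str]]:
    """Split dsm.sys into {stanza: {OPTION: value}}; each SERVERNAME opens a stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for key, value in parse_option_lines(text):
        if key == "SERVERNAME":
            current = value
            stanzas[current] = {}
        elif current is not None:
            stanzas[current][key] = value
    return stanzas


def check_client_stanzas(dsm_sys: str, ssl_ports: Set[int]) -> List[str]:
    """One finding per stanza whose TCPPORT is SSL-only but SSL is not YES.

    A missing SSL option is treated as not YES, which is the unsafe case here.
    """
    findings = []
    for name, opts in parse_dsm_sys(dsm_sys).items():
        port = opts.get("TCPPORT")
        if port and port.isdigit() and int(port) in ssl_ports \
                and opts.get("SSL", "").upper() != "YES":
            findings.append(f"{name}: TCPPORT {port} is SSL-only but SSL is "
                            f"{opts.get('SSL', 'not set')}; add 'SSL YES'")
    return findings


_PARAM = re.compile(r"(\w+)=(\S+)")


def check_server_command(cmd: str, ssl_ports: Set[int]) -> List[str]:
    """Findings for one DEFINE SERVER / UPDATE SERVER command (checked per command,
    not against the merged server definition)."""
    head = cmd.split()[:2]
    if len(head) < 2 or head[0].upper() not in ("DEFINE", "UPDATE") or head[1].upper() != "SERVER":
        return []
    params = {k.upper(): v for k, v in _PARAM.findall(cmd)}
    ll = params.get("LLADDRESS")
    if ll and ll.isdigit() and int(ll) in ssl_ports and params.get("SSL", "").upper() != "YES":
        return [f"{' '.join(cmd.split()[:3])}: LLADDRESS={ll} is SSL-only; add SSL=YES"]
    return []


if __name__ == "__main__":
    ports = ssl_only_ports(SAMPLE_DSMSERV_OPT)
    for finding in check_client_stanzas(SAMPLE_DSM_SYS, ports):
        print("client:", finding)
    for command in SAMPLE_COMMANDS:
        for finding in check_server_command(command, ports):
            print("server:", finding)
```

With the constructed input the script reports the srv1_ssl_bad stanza and the first DEFINE SERVER command; the UPDATE SERVER with SSL=YES and the definition that uses the plain TCPPORT pass.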

 

 

Updating the default certificate

 

Update the default server certificate by issuing the following command from the server instance directory, then restart the server to apply the change:

gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"

Tip: To display the current default certificate, issue the following command from the server instance directory:

gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed
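When many servers are involved, it helps to decide mechanically whether the switch is still needed. The following Python script is added here as an example (it is not part of this document or of the product) that parses the output of gsk8capicmd_64 -cert -list -db cert.kdb -stashed, identifies the default certificate, and prints the setdefault command above only when the MD5-signed "TSM Server SelfSigned Key" is still the default and the SHA-signed certificate exists to switch to. The listing layout it expects (a legend line, then one certificate per line with flag characters '*' default, '-' personal, '!' trusted before the label) is an assumption of the example; confirm it against your own output. The sample listing is constructed.

```python
"""Decide whether the server key database still has the MD5-signed default.

Added example; not code from the IBM page or the product. Assumes the
`gsk8capicmd_64 -cert -list` layout: legend line, then '<flags>\t<label>'
with '*' marking the default certificate and '-' a personal certificate.
"""
import re
import subprocess
import sys
from typing import Dict, Optional, Tuple

MD5_LABEL = "TSM Server SelfSigned Key"      # pre-V7.1.8 / pre-V8.1.2 default, MD5 signature
SHA_LABEL = "TSM Server SelfSigned SHA Key"  # SHA-signed certificate, default since V8.1.0

# Constructed sample listing in which the MD5-signed certificate is still default.
SAMPLE_LISTING = """Certificates found
* default, - personal, ! trusted, # secret key
!\tEntrust.net Certification Authority (2048)
*-\tTSM Server SelfSigned Key
-\tTSM Server SelfSigned SHA Key
"""

_ENTRY = re.compile(r"^([*\-!#]+)\s+(\S.*?)\s*$")   # flags, whitespace, label


def parse_listing(text: str) -> Dict[str, str]:
    """Return {label: flags}; the default certificate carries '*' in its flags."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("* default"):   # legend line, not a certificate
            continue
        m = _ENTRY.match(line)
        if m:
            certs[m.group(2)] = m.group(1)
    return certs


def default_label(certs: Dict[str, str]) -> Optional[str]:
    for label, flags in certs.items():
        if "*" in flags:
            return label
    return None


def assess(certs: Dict[str, str]) -> Tuple[bool, str, Optional[str]]:
    """Return (needs_update, reason, remediation command or None)."""
    current = default_label(certs)
    if current == MD5_LABEL:
        if SHA_LABEL in certs:
            cmd = ('gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed '
                   f'-label "{SHA_LABEL}"')
            return True, "MD5-signed certificate is the default", cmd
        return True, "MD5-signed default and no SHA-signed certificate to switch to", None
    if current is None:
        return True, "no default certificate found in the listing", None
    return False, f"default is {current!r}; no change needed", None


def list_certificates(db: str = "cert.kdb") -> str:
    """Run GSKit in the server instance directory (needs the stash file)."""
    return subprocess.run(
        ["gsk8capicmd_64", "-cert", "-list", "-db", db, "-stashed"],
        capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = list_certificates() if "--live" in sys.argv else SAMPLE_LISTING
    needs_update, reason, cmd = assess(parse_listing(text))
    print(reason)
    if cmd:
        print("run this, then restart the server and point clients at cert256.arm:")
        print("  " + cmd)
```

Run it with --live from the instance directory to inspect the real key database; without the flag it evaluates the constructed sample. A listing with no SHA-signed certificate is reported as needing attention rather than silently passing, because the setdefault command would fail in that case.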

If you do not change the default certificate, one or more of the following messages are displayed after you upgrade the server to V7.1.8 or V8.1.2:

  • ANR3336W Default certificate labeled label_name in key data base is down level.
  • ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 504 GSK_ERROR_PROTOCOL_MISMATCH.
  • ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 410 GSK_ERROR_BAD_MESSAGE.
  • ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 415 GSK_ERROR_BAD_PEER.
  • ANR8583E An SSL socket-initialization error occurred on session 1. The GSKit return code is 447 GSK_ERROR_CERTIFICATE_INVALIDSIGALG.
  • ANS1579E GSKit function gsk_secure_soc_init failed with 410: GSK_ERROR_BAD_MESSAGE
  • ANS1592E Failed to initialize SSL protocol.

Background information:

In releases prior to V7.1.8, the default certificate was labeled "TSM Server SelfSigned Key" and had an MD5 signature. MD5-signed certificates cannot be used with the TLS 1.2 protocol, which is required by default for V8.1.2 or later clients and the Operations Center.

A certificate labeled "TSM Server SelfSigned SHA Key" with a SHA signature is also automatically generated and, beginning in V8.1.0, it is created as the default certificate. A copy of the certificate is stored in the cert256.arm file, which is in the server instance directory.

Tip: Beginning with V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled "TSM Server SelfSigned SHA Key". No update is required.

If the certificate that is labeled "TSM Server SelfSigned Key" is still set as the default, follow the procedure above to update the default certificate.

For existing clients that are configured to use SSL with the cert.arm certificate, reconfigure them to use the cert256.arm certificate. For instructions, see Configuring storage agents, servers, clients, and the Operations Center to connect to the server by using SSL.  

For more information about troubleshooting certificate exchange, see Troubleshooting security updates.

Related information

What you should know about security before you install or upgrade the server
FAQ - Security updates in IBM Spectrum Protect

Cross reference information
Product: Tivoli Storage Manager
Platform: AIX, Linux, Windows
Version: 7.1.8, 7.1.9

Document information

More support for: IBM Spectrum Protect

Component: Server

Software version: 7.1.8, 7.1.9, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 2004844

Modified date: 05 December 2018