Abstract

TLS is a protocol used to establish a secure connection between applications. Since the initial release of TLS v1.0, TLS v1.1, TLS v1.2, and TLS v1.3 were released improving the security provided by the earlier versions.

Tivoli Monitoring components can be configured to use TLS by enabling IP.SPIPE in the KDC_FAMILIES/KDE_TRANSPORT definition; (see https://www.ibm.com/docs/en/tivoli-monitoring/6.3.0?topic=components-tivoli-monitoring-protocol-usage-protocol-modifiers).

TLS support for Tivoli Monitoring applications is provided by GSKit.

Tivoli Monitoring applications built with a framework before Tivoli Monitoring v6.3.0 rely on GSKit v7.
GSKit v7 does not support TLS v1.2 or TLS v1.3.

Tivoli Monitoring v6.3.0 relies on GSKit v8, which does support TLS v1.2 and TLS v1.3.
Tivoli Enterprise Monitoring 6.3.0.7 FP7 SP14 enables TLS v1.3 by default to take advantage of the increased security offered by that protocol.

The TLS v1.3 specification mandates that connections from endpoints that don’t support TLS v1.2 or higher are rejected.

Therefore, when a Tivoli Enterprise Monitoring Server or Warehouse Proxy Agent is upgraded to 6.3.0.7 SP0014, older agents and other clients that continue to use GSKit v7 will be unable to connect since GSKit v7 does not support TLS v1.2.

This problem affects agents and clients that attempt to connect to a Tivoli Enterprise Monitoring Server or to a Warehouse Proxy Agent that uses TLS. A client that attempts to connect to the Tivoli Enterprise Portal Server that uses TLS is also affected.