IBM Support

IC61360: LOADING OF SIGNED BINARIES IS DELAYED WITHOUT INTERNET ACCESS


APAR status

  • Closed as documentation error.

Error description

  • Some later versions of TSM software contain binary files with
    a Microsoft Authenticode signature.
    Before beginning regular operation, these binaries attempt an
    online validation at software startup.
    The attempt completes either by success or by timeout.
    .
    Case success
    ------------
    If successful, the certificate information is stored locally by
    the system, so subsequent execution of the binary will result in
    a local lookup without noticeable delay.
    .
    Case timeout
    ------------
    If online validation times out, e.g. if the system is detached
    from the internet physically or by firewall, the timeout becomes
    apparent to the user as a loading delay of the software.
    This delay is repeated at every start of the binary, as long
    as there is neither internet nor local certificate available.
    Delays between 15 sec and 90 sec have been witnessed by users of
    TDP MS-SQL.
    .
    There are 2 options for avoiding the described delay.
    .
    Either
    ------
    Ensure the binaries in question (For TDP MS-SQL this would be
    tdpsql.exe and tdpsqlc.exe) are allowed access to the internet
    at least once, in order to store the certificate information
    onto your local machine.
    .
    Or
    --
    Disable certificate verification.
    This method requires MS Hotfix KB936707
    Microsoft reference: http://support.microsoft.com/kb/936707
    Create files by the name <executable.name>.config.
    For TDP MS-SQL this would be tdpsql.exe.config and
    tdpsqlc.exe.config with the following contents:
    .
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    <runtime>
    <generatePublisherEvidence enabled="false" />
    </runtime>
    </configuration>
    .
    Put these files into the same directory as the binaries
    (tdpsql.exe and tdpsqlc.exe).
    .
    TSM Versions Affected:
    .   TSM 5.5 binaries on Windows
    Customer/L2 Diagnostics:
    .   If available review the logfile of your firewall.
    .   You may find connection attempts to CRL.VERISIGN.NET
    .   This behaviour cannot be traced by TSM, since tracing
    .   activity starts only AFTER the validation attempt.
    Initial Impact:
    .   Low
    Additional Keywords:
    .   signed binary authenticode certificate validation
    .   verification verisign delay
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Administrators and end-users of              *
    *                 IBM Tivoli Storage Manager for Mail          *
    *                 Data Protection for Microsoft Exchange       *
    *                 Server                                       *
    *                 and                                          *
    *                 IBM Tivoli Storage Manager for Databases     *
    *                 Data Protection for Microsoft SQL Server     *
    ****************************************************************
    * PROBLEM DESCRIPTION: The user's guides fail to mention that  *
    *                      there can be a startup delay due to     *
    *                      online validation of Microsoft          *
    *                      Authenticode signature.                 *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    *
    

Problem conclusion

  • Add the following FAQ to Appendix A of the Data Protection
    for Microsoft Exchange Server Installation and User's Guide:
    
    How can I prevent a startup delay when Data Protection for
    Microsoft Exchange Server has no external network connection?
    
    A delay at startup when there is no external network
    connection could be caused by an attempt at online validation.
    Some versions of Data Protection for Microsoft Exchange Server
    contain binary files with Microsoft Authenticode signature.
    When starting up, these files attempt online validation.
    
    If the validation is successful, the certificate information is
    stored locally, and can be used for future startups.
    
    If the system has no external network connection and there is
    no local certificate, startup is delayed until the
    authentication attempt times out.  The delay can be from
    15 seconds to 90 seconds.
    
    There are 2 ways to avoid the delay.
    
    1. Allow external network access during one startup of
    Data Protection for Microsoft Exchange Server.
    The certificate information is stored locally and becomes
    available for future startups when there is no internet access.
    
    2. Prevent certificate verification.
    This method requires that you apply Microsoft hotfix KB936707.
    You must also create two configuration files for the Microsoft
    .NET Framework.
    The configuration files must be named <application>.config,
    and must reside in the same directory as the binary files.
    In this case, the files are tdpexc.exe.config
    (in the directory that contains tdpexc.exe) and
    tdpexcc.exe.config (in the directory that contains tdpexcc.exe).
    
    
    The configuration files must contain this content:
    
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    <runtime>
    <generatePublisherEvidence enabled="false" />
    </runtime>
    </configuration>
    
    
    Add the following FAQ to Appendix A of the Data Protection
    for Microsoft SQL Server Installation and User's Guide:
    
    How can I prevent a startup delay when Data Protection for
    Microsoft SQL Server has no external network connection?
    
    A delay at startup when there is no external network
    connection could be caused by an attempt at online validation.
    Some versions of Data Protection for Microsoft SQL Server
    contain binary files with Microsoft Authenticode signature.
    When starting up, these files attempt online validation.
    
    If the validation is successful, the certificate information is
    stored locally, and can be used for future startups.
    
    If the system has no external network connection and there is
    no local certificate, startup is delayed until the
    authentication attempt times out.  The delay can be from
    15 seconds to 90 seconds.
    
    There are 2 ways to avoid the delay.
    
    1. Allow external network access during one startup of
    Data Protection for Microsoft SQL Server.
    The certificate information is stored locally and becomes
    available for future startups when there is no internet access.
    
    2. Prevent certificate verification.
    This method requires that you apply Microsoft hotfix KB936707.
    You must also create two configuration files for the Microsoft
    .NET Framework.
    The configuration files must be named <application>.config,
    and must reside in the same directory as the binary files.
    In this case, the files are tdpsql.exe.config
    (in the directory that contains tdpsql.exe) and
    tdpsqlc.exe.config (in the directory that contains tdpsqlc.exe).
    
    
    The configuration files must contain this content:
    
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    <runtime>
    <generatePublisherEvidence enabled="false" />
    </runtime>
    </configuration>
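
An added example, not IBM's or Microsoft's code: a Python audit that reports, for each Data Protection binary named in this APAR, whether the sibling <executable.name>.config exists, parses, and really sets generatePublisherEvidence to false. The state labels, the function names and the directory passed in are assumptions of this example, and the demo files are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Executable names come from the APAR text above.
BINARIES = ["tdpsql.exe", "tdpsqlc.exe", "tdpexc.exe", "tdpexcc.exe"]

def publisher_evidence_state(exe_path):
    """Classify the <exe>.config that sits beside exe_path.

    Returns 'no-config', 'malformed', 'default' (element absent, so the
    .NET default of enabled="true" applies), 'enabled' or 'disabled'.
    """
    cfg = Path(str(exe_path) + ".config")
    if not cfg.is_file():
        return "no-config"
    try:
        root = ET.parse(cfg).getroot()
    except ET.ParseError:
        return "malformed"
    if root.tag != "configuration":
        return "malformed"
    node = root.find("./runtime/generatePublisherEvidence")
    if node is None:
        return "default"
    value = node.get("enabled", "true").strip().lower()
    return "disabled" if value == "false" else "enabled"

def audit(directory, names=BINARIES):
    """Map each listed binary that exists in directory to its config state."""
    directory = Path(directory)
    return {n: publisher_evidence_state(directory / n)
            for n in names if (directory / n).is_file()}

def demo():
    """Audit a constructed directory: one good, one broken, one missing config."""
    good = ('<?xml version="1.0" encoding="utf-8"?>\n<configuration><runtime>'
            '<generatePublisherEvidence enabled="false" /></runtime></configuration>')
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("tdpsql.exe", "tdpsqlc.exe", "tdpexc.exe"):
            (d / name).write_bytes(b"MZ")  # placeholder file, not a real binary
        (d / "tdpsql.exe.config").write_text(good, encoding="utf-8")
        (d / "tdpsqlc.exe.config").write_text("<configuration><runtime/>", encoding="utf-8")
        return audit(d)

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Calling audit() on the real installation directory gives an inventory of which binaries have certificate verification turned off and which config files are missing or do not parse.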
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC61360

  • Reported component name

    TDP FOR SQL WIN

  • Reported component ID

    5698DPSAP

  • Reported release

    55D

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2009-06-03

  • Closed date

    2009-07-30

  • Last modified date

    2009-07-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Publications Referenced
SC32905902 SC32905804

Fix information

Applicable component levels


Document Information

Modified date:
21 August 2024