Fixes are available
APAR status
Closed as fixed if next.
Error description
Current methodology with Storage Resource Agent utilizes SHA1 certification. APAR created to Investigate SHA-256 certification with Storage Resource Agent deployments. RECREATE STEPS: Install Storage Resource Agent and view certificates utilizing SHA1 algorithm. ________________________________________________________________ DB2 Version used for Server: N/A The defect is against component: 5608TPC00 Server/Manager build/release (TPC): 5.2.7 Agent build/release (TPC): Server/Manager (OS): Windows 2012 SE Agent (OS): ________________________________________________________________ Problem as described by customer: Storage Resource Agents do not use SHA-256 certificates Initial customer impact (low/med/high): med
Local fix
TBD
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Control 5.2.x users with Storage Resource * * Agents deployed * **************************************************************** * PROBLEM DESCRIPTION: * * Current methodology with Storage Resource Agent (SRA) * * utilizes SHA1 certification. This APAR is created to * * investigate SHA-256 certification with Storage Resource * * Agent deployments. * * * * While upgrading Spectrum Control, the upgrade of the * * certificates will happen automatically and without * * interruption, because the trust is established based on the * * CA certificate which signed the certificates that are used * * by the Data Server & SRA. Since the old as well as the new * * certificates will be signed by the same CA certificate, * * there's no impact. However, this only applies to Spectrum * * Control environments that currently use the default 2048 bit * * certificates. Spectrum Control environments that still use * * older default certificates (1024 bit length) or Spectrum * * Control environments that have been configured for custom * * certificates cannot be "upgraded" automatically. In this * * case, the installer will show an appropriate message at * * upgrade time. * * * * Additional information: * * * * - IBM Spectrum Control provides default SSL certificates * * for communication between the Data server and Storage * * Resource agent. * * - IBM Spectrum Control Version 5.2.2 (and higher) uses SSL * * certificates with 2048-bit encryption keys whereas previous * * versions of IBM Spectrum Control used 1024-bit encryption * * keys. * * - If you upgrade IBM Spectrum Control from a version * * earlier than 5.2.2, your SSL certificates are not updated * * automatically. * * - If you want to use 2048-bit encryption keys with previous * * versions of IBM Spectrum Control, you must replace the * * default SSL certificates with custom SSL certificates. * * * * Reference documentation: * * * * Preparing for an upgrade * * https://www.ibm.com/support/knowledgecenter/SS5R93_5.2.14/co * * m.ibm.spectrum.sc.doc/fqz0_t_upgrading_prepare.html * * * * Replacing default SSL certificates with custom certificates * * https://www.ibm.com/support/knowledgecenter/SS5R93_5.2.14/co * * m.ibm.spectrum.sc.doc/fqz0_r_create_custom_certificate_ssl.h * * tml * **************************************************************** * RECOMMENDATION: * * Apply fix maintenance when available * ****************************************************************
Problem conclusion
The fix for this APAR is targeted for the following maintenance package: | refresh pack | 5.2-TIV-TPC-RP0015 - target August 2017 Fixed in IBM Spectrum Control 5.2.15 http://www.ibm.com/support/docview.wss?&uid=swg21320822 The target dates for future refresh packs do not represent a formal commitment by IBM. The dates are subject to change without notice.
Temporary fix
Comments
APAR Information
APAR number
IT16953
Reported component name
TPC
Reported component ID
5608TPC00
Reported release
527
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-14
Closed date
2017-07-10
Last modified date
2017-09-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSNE44","label":"Tivoli Storage Productivity Center"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"527"}]
Document Information
Modified date:
24 June 2022