IBM Support

IT33682: DSMADMC OR DSMC COMMAND MAY EXPERIENCE A CONNECTION DELAY WHILE LOGGED WITH NON-ROOT USER.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The IBM Spectrum Protect administrator client command line
(dsmadmc) or dsmc experiences a delay in connecting to an IBM
Spectrum
Protect server when the following two(2) conditions are met :

1. The dsmadmc command is run while logged on as a non-root
   userid.

2. The Spectrum Protect server certificate does not exist
   in the client local key database.

/home/<user>/IBM/SpectrumProtect/certs/dsmcert.kdb

For example, if the user running the dsmadmc command is "userA",
then the client local key database is :

/home/userA/IBM/SpectrumProtect/certs/dsmcert.kdb

The delay is experienced even if the certificate exists in the
global key database.

AIX   : /usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb
Linux : /opt/tivoli/tsm/client/ba/bin/dsmcert.kdb

Customer/Support Diagnostics :
A client trace (service) shows the following entries :

<timestamp> [nnn] [1] : gskit.cpp (3513):
checkDbAccess [/usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb]
[r+] returning 0
<timestamp> [nnn] [1] : gskit.cpp ( 944):
GSKit::DoImportCertificate(): Unable to open global keystore
for writing.
<timestamp> [nnn] [1] : gskit.cpp (1102):
GSKit::DoImportCertificate(): open key db
'/usr/tivoli/tsm/client/ba/bin64/dsmcert.kdb'.
<timestamp> [nnn] [1] : gskit.cpp (1123):
 GSKit::DoImportCertificate(): key db is busy,
 will retry (#1) in 100ms...
<timestamp> [nnn] r1] : gskit.cpp (1123):
 GSKit::DoImportCertificate(): key db is busy,
 will retry (#2) in 100ms...
...
<timestamp> [nnn] [1] : gskit.cpp (1123):
 GSKit::DoImportCertificate(): key db is busy,
 will retry (#1499) in 100ms...
<timestamp> [nnn] [1] : gskit.cpp (1123):
 GSKit::DoImportCertificate(): key db is busy,
 will retry (#1500) in 100ms...
<timestamp> [nnn] [1] : gskit.cpp (1131):
 GSKit::DoImportCertificate(): GSKKM_OpenKeyDb() failed. err=6

Initial Impact:
Low

Additional Keywords:
nonroot TS003899555

Versions Affected:
Spectrum Protect client 7.1.8 and above on UNIX.
Spectrum Protect client 8.1.2 and above on UNIX.

| MDVPARTL
8.1.10.0-TIV_5698MCL | IT30041

Local fix

  • Use one of the following to avoid the delay.
1) Update the Spectrum Protect admin id sessionsecurity to
transitional (update admin xxx sessionsecurity=transitional)
and connect once to specific Spectrum Protect server so the
server certificate can be stored in the local key database.
Subsequent connections will no longer experience the delay.
--or--
2) Add the following option to the dsm.opt file :
TESTFLAG C2S_CERTDIR:"/shared_folder/MY_CLIENT_TO_SERVER_CERT"
Replace "/shared_folder/MY_CLIENT_TO_SERVER_CERT" with a path
that the user has write permissions to.

Problem summary

  • ****************************************************************
* USERS AFFECTED:                                              *
* IBM Spectrum Protect Backup-Archive Client versions 7.1 and  *
* 8.1 running on UNIX platforms                                *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* see ERROR DESCRIPTION                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fixing level when available. This problem is projected *
* to be fixed in level 8.1.11.                                 *
* Note that this is subject to change at the discretion of     *
* IBM.                                                         *
****************************************************************

Problem conclusion

  • Backup-archive and administrative client will not experience a
connection delay anymore.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT33682
    • 

  • Reported component name
    TSM CLIENT
    • 

  • Reported component ID
    5698ISMCL
    • 

  • Reported release
    81A
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-07-24
    • 

  • Closed date
    2020-08-26
    • 

  • Last modified date
    2020-12-03
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Modules/Macros


    

  • dsmadmc  dsmc

    



Fix information


    

  • Fixed component name
    TSM CLIENT
    • 

  • Fixed component ID
    5698ISMCL
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81A"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 December 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback