APAR status
Closed as documentation error.
Error description
The documentation for Spectrum Protect Plus needs clarification about certificate validation rules. Using wildcards for certificate validation will only cover one level of subdomains as the asterisk does not match full stops. Using domain *.domain.org will validate : server.domain.org but not : login.server.domain.org For example, when defining an object storage endpoint and bucket in the Spectrum Protect Plus GUI, if the bucket name includes dots, the certificate validation will fail with the following type of message seen in the job log for any processing involving the object storage. ERROR,<timestamp>,2,Unable to determine protection configuration for <ObjectStorageName> Error:Unable to execute HTTP request: Certificate for <BucketName>.<CloudEndPoint>> doesn't match any of the subject alternative names: [*.<CloudEndPoint> ... <BucketName>.<CloudEndPoint>] On the vSnap host, the following command will list the object storage details 'vsnap cloud partner show' : ID: <PartnerID> PARTNER TYPE: cloud ENDPOINT: http://<CloudEndPoint> MGMT ADDRESS: <CloudEndPoint> API PORT: 80 CREATED: <timestamp_1> UTC UPDATED: <timestamp_1> UTC PROVIDER: <CloudProviderType> BUCKET: <BucketName> Validation can be verified outside Spectrum Protect Plus by running the following type of command : openssl s_client -showcerts -verify_hostname <BucketName>.<CloudEndPoint> -connect <BucketName>.<CloudEndPoint>:443 If the bucket name includes dots, it will display the error : 'verify error:num=62:Hostname mismatch' IBM Spectrum Protect Plus Versions Affected: IBM Spectrum Protect Plus 10.1.x Initial Impact: Medium Additional Keywords: SPP, SPPLUS, TS003833057, SSL, certificate, hostname, invalid
Local fix
n/a
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Protect Plus Knowledge Center and User's Guide * * in version 10.1.3, 10.1.4, 10.1.5 and 10.1.6 * **************************************************************** * PROBLEM DESCRIPTION: * * See ERROR DESCRIPTION. * **************************************************************** * RECOMMENDATION: * ****************************************************************
Problem conclusion
This problem is currently projected to be fixed in the publication of the system requirements https://www.ibm.com/support/pages/node/6325245 and IBM Knowledge Center and User's Guide in version 10.1.7 at the following link discussing "Wildcard certificates": https://www.ibm.com/support/knowledgecenter/SSNQFQ_10.1.7/spp/r_ spp_system_reqs_all.html.
Temporary fix
Comments
APAR Information
APAR number
IT33832
Reported component name
SP PLUS
Reported component ID
5737SPLUS
Reported release
A16
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-08-07
Closed date
2020-11-20
Last modified date
2020-11-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"A16","Line of Business":{"code":"LOB26","label":"Storage"}}]
Document Information
Modified date:
31 January 2024