IBM Support

IT40757: TEST CONNECTION ERROR "FAILED TO CONNECT ... SSL FINGERPRINT MISMATCH" FOR GUEST CONFIGURED FOR FILE CATALOGING

APAR status

  • Closed as program error.

Error description

  • When the global IBM Spectrum Protect Plus preference "Windows
    Clients Port (WinRM) used for application and file indexing"
    value is set to 5986, file indexing using the guest backup
    option "Catalog File Metadata" can be enabled and the guest SSL
    certificate thumbprint set with the option
    "Get SSL certificate thumbprint" or "Get SSH key".
    Using SSL certificates for in-guest communication is possible
    starting with version 10.1.3.
    When the guest certificate is a Trusted CA Signed SSL
    Certificate as opposed to a self-signed certificate, IBM
    Spectrum Protect Plus can record an incorrect certificate
    thumbprint in its internal database when the
    "Get SSL certificate thumbprint" button is clicked.
    This causes any in-guest connection to fail with a certificate
    mismatch message.
    Running the "Test connection" wizard for such a guest will
    display the error
    "Failed to connect ... ssl fingerprint mismatch" for the
    "Remote Session Test".
    
    IBM Spectrum Protect Plus Versions Affected:
    IBM Spectrum Protect Plus 10.1.3 and later
    
    Additional Keywords: SPP, SPPLUS, TS008788564
    

Local fix

  • If in-house security rules permit, to allow file indexing,
    temporarily use Windows Remote Management (WinRM) port 5985,
    which does not use SSL, or use a self-signed guest certificate.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Spectrum Protect Plus level 10.1.9 and 10.1.10           *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION                                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is currently *
    * projected to be fixed in IBM Spectrum Protect Plus level     *
    * 10.1.11. Note that this is subject to change at the          *
    * discretion of IBM.                                           *
    ****************************************************************
    

Problem conclusion

  • Fixed an issue with selecting the certificate from the
    certificate chain for validating connections. After the fix is
    applied, the test connection will use the correct certificate
    for validating the server.
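
The check below is an added example, not IBM's code: it classifies a recorded thumbprint against every certificate in a presented chain, so a pin that belongs to an issuer certificate instead of the guest's own (leaf) certificate can be told apart from an unrelated one. It assumes thumbprints are SHA-1 over the DER bytes, as Windows displays them, and that the incorrect value comes from another element of the chain; the function names and the sample chain (placeholder bytes, not real certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def thumbprint(der):
    """Windows-style thumbprint: SHA-1 over the certificate's DER bytes."""
    return hashlib.sha1(der).hexdigest()

def normalize(pin):
    """Drop colons/spaces and case so 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", pin).lower()

def chain_thumbprints(pem_bundle):
    """Thumbprint of every certificate in presented order (leaf first)."""
    return [thumbprint(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_bundle)]

def diagnose(recorded_pin, pem_bundle):
    """Classify a recorded pin against the chain a guest presents."""
    prints = chain_thumbprints(pem_bundle)
    if not prints:
        raise ValueError("no certificates found in bundle")
    pin = normalize(recorded_pin)
    if pin == prints[0]:
        return "match-leaf"          # pin is correct
    if pin in prints[1:]:
        # Pin was taken from an issuer certificate, not the guest's own.
        return "match-issuer-%d" % prints.index(pin)
    return "no-match"                # unrelated certificate

def to_pem(der):
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF, INTERMEDIATE, ROOT = b"guest-leaf", b"issuing-ca", b"root-ca"
SAMPLE_CHAIN = to_pem(LEAF) + to_pem(INTERMEDIATE) + to_pem(ROOT)

if __name__ == "__main__":
    for label, der in (("leaf", LEAF), ("issuer", INTERMEDIATE)):
        print(label, "->", diagnose(thumbprint(der), SAMPLE_CHAIN))
```

To use it on a real guest, pass the PEM chain the WinRM HTTPS listener presents on port 5986 (for instance saved from `openssl s_client -showcerts`) together with the thumbprint recorded for that guest.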
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT40757

  • Reported component name

    SP PLUS

  • Reported component ID

    5737SPLUS

  • Reported release

    A1A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-04-27

  • Closed date

    2022-06-15

  • Last modified date

    2022-06-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • Apps
    

Fix information

  • Fixed component name

    SP PLUS

  • Fixed component ID

    5737SPLUS


Document Information

Modified date:
01 February 2024