APAR status
Closed as program error.
Error description
When the global IBM Spectrum Protect Plus preference "Windows Clients Port (WinRM) used for application and file indexing" is set to 5986, file indexing using the guest backup option "Catalog File Metadata" can be enabled and the guest SSL certificate thumbprint set with the option "Get SSL certificate thumbprint" or "Get SSH key". Using SSL certificates for in-guest communication is possible starting with version 10.1.3.

When the guest certificate is a Trusted CA Signed SSL Certificate as opposed to a self-signed certificate, IBM Spectrum Protect Plus can record an incorrect certificate thumbprint in its internal database when the "Get SSL certificate thumbprint" button is clicked. This causes any in-guest connection to fail with a certificate mismatch message. Running the "Test connection" wizard for such a guest displays the error "Failed to connect ... ssl fingerprint mismatch" for the "Remote Session Test".

IBM Spectrum Protect Plus Versions Affected: IBM Spectrum Protect Plus 10.1.3 and later

Additional Keywords: SPP, SPPLUS, TS008788564
Local fix
If in-house security rules permit, file indexing can be allowed temporarily by using Windows Remote Management (WinRM) port 5985, which does not use SSL, or by using a self-signed guest certificate.
Problem summary
****************************************************************
* USERS AFFECTED:
* IBM Spectrum Protect Plus level 10.1.9 and 10.1.10
****************************************************************
* PROBLEM DESCRIPTION:
* See ERROR DESCRIPTION
****************************************************************
* RECOMMENDATION:
* Apply fixing level when available. This problem is currently
* projected to be fixed in IBM Spectrum Protect Plus level
* 10.1.11. Note that this is subject to change at the
* discretion of IBM.
****************************************************************
Problem conclusion
Fixed an issue with selecting the certificate from the certificate chain for validating connections. After the fix is applied, the test connection uses the correct certificate for validating the server.
Temporary fix
Comments
APAR Information
APAR number
IT40757
Reported component name
SP PLUS
Reported component ID
5737SPLUS
Reported release
A1A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-04-27
Closed date
2022-06-15
Last modified date
2022-06-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Apps
Fix information
Fixed component name
SP PLUS
Fixed component ID
5737SPLUS
Applicable component levels
Document Information
Modified date:
01 February 2024