APAR status
Closed as program error.
Error description
In IBM Spectrum Protect Plus, VMware backups fail with the error below when an HTTPS signed certificate is applied that has a wildcard set as the hostname and is missing the IP address of the Spectrum Protect Plus server.

Job Log:
ERROR,[<timestamp>],2,CTGGA2649,Backup of virtual machine (VM) #### has failed. Error: vmdkbackup backup process could not be launched. The VADP proxy cannot communicate with the IBM Spectrum Protect Plus server. Error: I/O error on GET request for "https://#.#.#.#/api/site": Host name '#.#.#.#' does not match the certificate subject provided by the peer (CN=*.### O=## L=## ST=## C=##); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name '#.#.#.#' does not match the certificate subject provided by the peer (CN=*.## O=## L=## ST=## C=##)

IBM Spectrum Protect Plus Versions Affected:
IBM Spectrum Protect Plus 10.1.13.x
Local fix
On each VADP proxy server, run the command below to create the file DisableCertValidation:

sudo touch /opt/IBM/SPP/etc/DisableCertValidation
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* IBM Spectrum Protect Plus level 10.1.13, and 10.1.14         *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* see error description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Apply the fixing level when available. This problem is       *
* currently projected to be fixed in IBM Spectrum Protect Plus *
* level 10.1.14.1 and 10.1.15. Note that this is subject to    *
* change at the discretion of IBM.                             *
****************************************************************
Problem conclusion
If there are wildcard characters in the "Subject" or "Subject Alternative Name" field of the IBM Spectrum Protect Plus server TLS certificate and the IP address of the IBM Spectrum Protect Plus server is not in the certificate, the IBM Spectrum Protect Plus server should notify the VADP proxy to use the hostname to connect to the IBM Spectrum Protect Plus server. Because of a logic error, the IBM Spectrum Protect Plus server did not detect this situation, and the VADP proxy still used the IP address to connect to the IBM Spectrum Protect Plus server. This caused a hostname validation failure in the TLS handshake because the IP address of the IBM Spectrum Protect Plus server is not in the certificate.

When the IBM Spectrum Protect Plus server sends the credential URL to the VADP proxy, it always uses the IP address of the IBM Spectrum Protect Plus server in the credential URL. If the IP address is not in the IBM Spectrum Protect Plus server certificate, the VADP proxy gets a hostname validation failure when it accesses the credential URL.

To fix this problem, the IBM Spectrum Protect Plus server needs to handle the wildcard characters in the certificate. In addition, if the IP address of the IBM Spectrum Protect Plus server is not in the certificate, the IBM Spectrum Protect Plus server should use the hostname in the credential URL.
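
The check described above, as an added example that is not IBM's code: a simplified model of TLS hostname verification showing why an IP address never matches a wildcard certificate, and the "use the hostname when the IP address is not in the certificate" decision. The function names and sample values are assumptions, and the legacy fallback to the Subject CN is not modeled.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Wildcard is honoured only as the whole leftmost label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld" and a non-empty host label.
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def cert_covers(target, dns_sans, ip_sans):
    """True if target (IP literal or hostname) would pass hostname verification."""
    if _is_ip(target):
        # An IP literal is compared only against iPAddress entries;
        # a wildcard DNS name can never match it.
        addr = ipaddress.ip_address(target)
        return any(addr == ipaddress.ip_address(s) for s in ip_sans)
    return any(dns_name_matches(p, target) for p in dns_sans)

def pick_connect_host(server_ip, server_hostname, dns_sans, ip_sans):
    """Hypothetical helper: use the IP address only when the certificate lists it."""
    if cert_covers(server_ip, dns_sans, ip_sans):
        return server_ip
    if cert_covers(server_hostname, dns_sans, ip_sans):
        return server_hostname
    raise ValueError("certificate covers neither the IP address nor the hostname")

# Constructed sample values (not taken from the APAR).
DNS_SANS = ["*.example.test"]
IP_SANS = []

if __name__ == "__main__":
    print(cert_covers("192.0.2.10", DNS_SANS, IP_SANS))
    print(pick_connect_host("192.0.2.10", "spp.example.test", DNS_SANS, IP_SANS))
```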
Temporary fix
Comments
APAR Information
APAR number
IT43347
Reported component name
SP PLUS
Reported component ID
5737SPLUS
Reported release
A1C
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-03-14
Closed date
2023-05-08
Last modified date
2023-05-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SP PLUS
Fixed component ID
5737SPLUS
Applicable component levels
Document Information
Modified date:
30 January 2024