APAR status
Closed as program error.
Error description
If the installation of IBM Storage Protect Plus met all of the following criteria: -have installed IBM Storage Protect Plus levels 10.1.0 till 10.1.16 -have not installed a custom certificate The user will get after upgrading an error for any action, for example during backup of a VM: Error: vmdkbackup backup process could not be launched. The VADP proxy cannot communicate with the IBM Spectrum Protect Plus server. Error: I/O error on GET request for "https://9.11.66.248/api/site": com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target The backup operation failed for the item listed. The reason for this error is that for all IBM Storage Protect Plus levels till 10.1.16 the default certification will expire in September 2027. The certification expiration affects only the upgrade path. The new installations after IBM Storage Protect Plus 10.1.16.1 and later are not affected. Affected versions: IBM Storage Protect Plus 10.1.x
Local fix
Make sure before the upgrade you will regenerate the certification. To do that follow the steps described in Regenerating the Secure Sockets Layer (SSL) certificate https://www.ibm.com/docs/en/spp/10.1.16?topic=tasks-regenerating -secure-sockets-layer-ssl-certificate.
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Protect Plus level 10.1.0 till 10.1.16 * **************************************************************** * PROBLEM DESCRIPTION: * * See Error Description * **************************************************************** * RECOMMENDATION: * * Apply the fixing level when available. This problem is fixed * * in IBM Spectrum Protect Plus level 10.1.16.1. * * * * Note: This is subject to change at the discretion of IBM. * ****************************************************************
Problem conclusion
The default self-signed certificate that ships with IBM Spectrum Protect Plus 10.1.16 or earlier will expire in September 2027. A new default self-signed certificate will be installed on new 10.1.16.1 or later appliances. Therefore, newly deployed 10.1.16.1 or later appliances are not affected by this defect. For existing IBM Spectrum Protect Plus appliances, a valid CA certificate must be installed, or a new self-signed certificate must be regenerated (using the steps outlined in https://www.ibm.com/docs/en/spp/10.1.16?topic=tasks-regenerating -secure-sockets-layer-ssl-certificate) before September 2027.
Temporary fix
Comments
APAR Information
APAR number
IT45597
Reported component name
SP PLUS
Reported component ID
5737SPLUS
Reported release
A1R
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-02-29
Closed date
2024-03-05
Last modified date
2024-03-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SP PLUS
Fixed component ID
5737SPLUS
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSNQFQ","label":"IBM Spectrum Protect Plus"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"A1R","Line of Business":{"code":"LOB69","label":"Storage TPS"}}]
Document Information
Modified date:
04 April 2024