APAR status
Closed as documentation error.
Error description
The vSnap-to-vSnap replication fails on IBM Spectrum Protect Plus when private CA-signed certificates are used. After replication is started between the source and target vSnap servers, verification of the SSL certificate fails and the following SSL error is posted in the replication job log:

ERROR,..,CTGGA3323,Replication failed due to SSL certificate verify failed (Failed to start Storage Replication Failed to get storage replication session for server XXX replication session id <SESSION_ID> message: "HTTPSConnectionPool(host='YYY' port=8900): Max retries exceeded with url: /api/internal/snapshot (Caused by SSLError(SSLError(1 '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)')))" type: "SSLError").

Certificate validation works if a self-signed certificate is used.

|MDVREGR 10.1.12.6 5737SPLUS|

IBM Storage Protect Plus Versions Affected: IBM Storage Protect Plus 10.1.13 and later
Local fix
Follow these steps to reconfigure the vSnap servers to use self-signed certificates:
- Temporarily remove the partnership between the vSnap servers.
- Regenerate a self-signed certificate on both vSnap servers.
- Update the registration of both vSnap servers in the web GUI to specify the newly regenerated self-signed certificates.
- Recreate the partnership between the vSnap servers.
Problem summary
****************************************************************
* USERS AFFECTED:
* IBM Spectrum Protect Plus level 10.1.0 through 10.1.16.2
****************************************************************
* PROBLEM DESCRIPTION:
* See Error Description
****************************************************************
* RECOMMENDATION:
* Apply the fixing level when available. This problem is
* currently projected to be fixed in IBM Spectrum Protect Plus
* level 10.1.16.3. Note that this is subject to change at the
* discretion of IBM.
****************************************************************
Problem conclusion
IBM Documentation did not mention the requirement that if the certificate is signed by a private CA (Certificate Authority), the full certificate chain must be provided as a single file. The file must contain the vSnap server certificate, followed by the intermediate certificate (if any), followed by the root certificate, with all certificates in PEM format. Use this concatenated 'cert' file when registering vSnap or editing the vSnap configuration.

The documentation is now updated on the relevant online documentation pages at the following URLs:
https://ibmdocs-test.dcs.ibm.com/docs/en/spp/10.1.16?topic=reference-certificate-management
https://ibmdocs-test.dcs.ibm.com/docs/en/spp/10.1.16?topic=server-editing-settings-vsnap
https://ibmdocs-test.dcs.ibm.com/docs/en/spp/10.1.16?topic=servers-registering-vsnap-server
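One way to check a concatenated file against the ordering described above before registering it, as an added example that is not IBM's code or tooling: a shell function that uses the openssl command line to compare each certificate's issuer with the subject of the certificate that follows it. The demo chain, its names (vsnap.example.test, Demo Root CA) and its file names are constructed for illustration; only names are compared, signatures are not verified.

```shell
#!/bin/sh
# Added example: check that a PEM bundle is ordered server -> intermediate(s) -> root.
# Only subject/issuer names are compared; signatures are not verified here.

cert_name() {  # usage: cert_name subject|issuer FILE
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

check_chain_order() (  # usage: check_chain_order BUNDLE
  tmp=$(mktemp -d) || exit 2
  # Split the bundle into 1.pem, 2.pem, ... in file order and count the certificates.
  count=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
    n {print > (d "/" n ".pem")} END {print n + 0}' "$1")
  status=0
  [ "$count" -ge 1 ] || { echo "no PEM certificates in $1" >&2; status=2; }
  i=1
  while [ "$status" -eq 0 ] && [ "$i" -le "$count" ]; do
    # Certificate i must be issued by certificate i+1; the last one by itself.
    next=$((i + 1)); [ "$i" -eq "$count" ] && next=$i
    if [ "$(cert_name issuer "$tmp/$i.pem")" != "$(cert_name subject "$tmp/$next.pem")" ]; then
      echo "certificate $i is not issued by certificate $next" >&2
      status=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  exit "$status"
)

# Constructed demo chain with throwaway keys (hypothetical names), written to directory $1.
issue() {  # usage: issue NAME CN SIGNER
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1 -out "$1.pem" 2>/dev/null
}
make_demo_chain() (
  cd "$1" || exit 2
  # chain.pem uses the order the page requires; reversed.pem is the wrong order, for contrast.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.pem 2>/dev/null &&
    issue inter "Demo Intermediate CA" root &&
    issue server "vsnap.example.test" inter &&
    cat server.pem inter.pem root.pem > chain.pem &&
    cat root.pem inter.pem server.pem > reversed.pem
)
```

A server certificate supplied on its own, without the intermediate and root appended, fails this check in the same way as a bundle in the wrong order.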
Temporary fix
Comments
APAR Information
APAR number
IT45929
Reported component name
SP PLUS
Reported component ID
5737SPLUS
Reported release
A1F
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-04-12
Closed date
2024-08-31
Last modified date
2024-08-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SP PLUS
Fixed component ID
5737SPLUS
Applicable component levels
Document Information
Modified date:
31 August 2024