Issues while running "import tsm config" cli command to configure IBM Tivoli Storage Manager (TSM) as backup system: "ANS1051I Invalid user id or password" followed by "ANS1592E Failed to initialize SSL protocol"

Troubleshooting

Problem

Some Aggregation tasks like Data Archive or System Backup, which can be configured to send the files to an external system, for example the IBM Tivoli Storage Manager (TSM), sometimes fail to complete because of configuration issues of the TSM client embedded to every IBM Security Guardium appliances.

This leads to be unable to create backups of the data contained in the appliances and increases the risk of historical data loss.

This technical note is intended to show how to resolve one of the most common issues that appear when configuring the IBM Security Guardium to send backups to a TSM server.

Symptom

When trying to run the "import tsm config" cli command as a part of the integration of IBM Security Guardium with the IBM Tivoli Storage Manager, one or both of the following error messages appear:

ANS1051I Invalid user id or password

ANS1592E Failed to initialize SSL protocol.

The first error may appear if the password entered at the cli command is incorrect, but if after validating the password is correct, likely the second error message will appear and it will confirm the issue is rather a wrong configuration due missing authentication information.

Cause

If you are using a TSM server version 7.1.8 or above, as a part of the configuration you need to import the SSL certificate file that is provided by your TSM administrator in order to allow new TSM clients to connect to the Server.

Environment

Guardium version: 10.6 (and above)

TSM Server version: 7.1.8

Diagnosing The Problem

Run the "import tsm config" cli command.

The error messages mentioned above will be displayed as the user follows the wizard to configure the TSM client at the Guardium appliance.

Resolving The Problem

To solve the issue, it is required to:

1) Install the IBM Security Guardium GPU patch P630 or above.

2) Use the "import tsm config" cli command to re-import the TSM configuration files and, additionally, the SSL certificates obtained from the TSM server, as follows:

import tsm config user@host:file [certificates] Where: user = the user name of the remote host from where the TSM configuration file is going to be retrieved from. host = the hostname or IP address of the remote system to get the configuration files from. file = full path at the remote system where the TSM configuration file is located. [certificates] = name of the SSL certificate files of the TSM Server. IMPORTANT: Note there is a space between the file and the certificates parameters.

Tip 1: The SSL certificate file must be located at the same folder where the TSM configuration file is.

An example of the normal output of using the cli to import either the dsm.sys and the certificate file (named cert256.arm as a standard) can be seen below. :

dantestlabappliance.mytest.lab> import tsm config daniel_e@centos_lab:/home/daniel_e/dsm.sys cert256.arm Password: Enter the scp port if you need to use a special port. Enter "0" or press "Enter key" to use the default port. The file transfer process can take a while to complete. Leave the terminal open and do not answer any questions until the transfer is complete. Starting transfer, please wait. spawn /usr/bin/scp -4 daniel_e@centos_lab:/home/daniel_e/dsm.sys /opt/tivoli/tsm/client/ba/bin/dsm.sys Warning: Permanently added 'centos_lab,172.33.66.66' (RSA) to the list of known hosts. Windows Password: dsm.sys 100% 454 0.4KB/s 00:00 The file transfer is complete. Cleaning up previous TSM configuration... Downloading certificate /home/daniel_e//cert256.arm... Starting transfer, please wait. spawn /usr/bin/scp -4 daniel_e@centos_lab:/home/daniel_e//cert256.arm /tmp/cert256.arm Warning: Permanently added 'centos_lab,172.33.66.66' (RSA) to the list of known hosts. Windows Password: cert256.arm 100% 1257 1.2KB/s 00:00 Importing the certificate for server TSMLABHOST... IBM Tivoli Storage Manager dsmcert utility dsmcert Version 7, Release 1, Level 8.0 dsmcert date/time: 12/16/2019 15:58:35 (c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved. Result : Success Running dsmc command to ensure password is set locally... IBM Tivoli Storage Manager Command Line Backup-Archive Client Interface Client Version 7, Release 1, Level 8.0 Client date/time: 12/16/2019 15:58:35 (c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved. Node Name: dantestlabappliance_ARCHIVE Please enter your user id <dantestlabappliance_ARCHIVE>: Please enter password for user id "dantestlabappliance_ARCHIVE": Session established with server TSMLABSERVER: AIX Server Version 8, Release 1, Level 7.000 Server date/time: 12/16/2019 15:58:36 Last access: 12/16/2019 11:28:53 VIRTUALNODENAME: dantestlabappliance_ARCHIVE Successfully imported dsm.sys. ok

After the SSL certificate is imported, try to execute the Aggregation tasks of interest to validate it works.

Related Information

IBM Security Guardium 10.6.0 > Managing your Guardium system > Archive, Purge a…

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"Aggregation;Data Archive;System Backup;TSM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"10.6","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips