IBM Support

IT14261: Detailed Instructions

Fix Readme


Abstract

APAR IT14261 describes a problem wherein IBM Spectrum Protect and Tivoli Storage Manager products may fail to start on Solaris systems with SPARC64-X processors. This techdoc describes the problem and bypasses in detail.

Content

Tip: Beginning with Version 7.1.3, IBM Tivoli Storage Manager is now IBM Spectrum Protect. Some applications such as the software fulfillment systems and IBM License Metric Tool use the new product name. However, the software and its product documentation continue to use the Tivoli Storage Manager product name. To learn more about the re-branding transition, see the technical note at http://www.ibm.com/support/docview.wss?uid=swg21963634.


Background

IBM Spectrum Protect uses the Global Security Kit (GSKit) component for a variety of functions.
Certain levels of GSKit might become unresponsive during application start-up on Solaris systems with SPARC64-X processors. This issue does not affect other processors for Solaris systems, nor does the problem appear on any other operating system.

During initialization, GSKit typically loads two types of modules: a module certified for the Federal Information Processing Standard (FIPS), and a non-FIPS-certified module. The FIPS-certified module is in a C subdirectory, while the non-FIPS module is in an N subdirectory. From a functional standpoint, either module can be used by the server.

The issue with startup occurs when loading the non-FIPS module on GSKit levels 8.0.50.40 or later. The problem occurs for both FIPS and non-FIPS modules in GSKit 8.0.50.51 through 8.0.50.58. GSKit levels 8.0.50.59 and later have a corrected non-FIPS module in the N subdirectory, but if the FIPS module is also loaded, the hang will still occur.

Tivoli Storage Manager V7.1.1.3 through IBM Spectrum Protect V7.1.3, including interim releases of V7.1.3, contain GSKit levels earlier than 8.0.50.51, which are affected by the problem in the non-FIPS module.

IBM Spectrum Protect V7.1.4, including interim releases of V7.1.4, and V7.1.5 are affected by the problem in the FIPS module and in the non-FIPS module.

IBM Spectrum Protect V7.1.6 or later is delivered with a GSKit level later than 8.0.50.58, which includes a fix for the non-FIPS module. The availability of IBM Spectrum Protect V7.1.6 is subject to change at the sole discretion of IBM.

This issue might occur in a variety of circumstances when GSKit is started by server processes. Typical situations where this issue might occur include formatting a database, starting an IBM DB2 instance, starting a server, or backing up the server database.


This workaround for the problem will be required until the next FIPS certification process is complete.

If you experience the issue, upgrade the server to IBM Spectrum Protect V7.1.6, when that release becomes available, and implement the workaround. The workaround prevents the FIPS module in the GSKit C subdirectory from being loaded by IBM Spectrum Protect components, including servers, storage agents, clients, and DB2.

Preparing to implement the workaround

  1. Log in with the root user ID.
  2. Rename the system GSKit C subdirectory:
    /opt/ibm/gsk8_64/lib64/C
    For example, to rename the C subdirectory to C_sav, run the following commands:

    # cd /opt/ibm/gsk8_64/lib64
    # mv C C_sav
  3. Prevent issues that are caused by renaming the C subdirectory by defining the following environment variables:
    • For the ICC_IGNORE_FIPS variable, specify a value of YES.
    • If you are using the IBM Spectrum Protect V7.1.6 or later server, for the DB2_ICC_IGNORE_FIPS variable, specify a value of YES.

    Tips:

    - When an environment variable exists with the name ICC_IGNORE_FIPS and the value YES, GSKit does not load the FIPS module.
    - Create the environment variables at the system level in a file such as /etc/environment so that they exist for any process that requires GSKit. For IBM Spectrum Protect, you alternatively can create the environment variables in the DB2 initialization script in the sqllib subdirectory of the instance user ID (userprofile, or usercshrc, for the C shell).

  4. Prevent the FIPS module from being loaded by the client by adding the testflag ICCNONFIPS option to the client's dsm.sys file. For each server that is affected by APAR IT14261, add the option in the server stanza.

DB2 does not pass all environment variables to components that it invokes. The special environment variable DB2_ICC_IGNORE_FIPS is used by a shared library update (dsmdb2pw.so). IT14261 updates that shared library with a function that creates the environment variable ICC_IGNORE_FIPS within its process before starting its GSKit environment.

DB2 has a private version of GSKit that resides in the DB2 directory: /opt/tivoli/tsm/db2/lib64/gskit_db2
When you install IBM Spectrum Protect V7.1.6 or later, the directory is reoriented to point to and use the system GSKit directory. However, you still need to rename the GSKit C subdirectory as described above.

Implementing the workaround

· Update IBM Spectrum Protect to the V7.1.6 or later level on the server and/or storage agent.

This version installs a new level of dsmdb2pw.so for the server; this is a DB2 security plug-in module that looks for the DB2_ICC_IGNORE_FIPS environment variable. This version also installs a GSKit level later than 8.0.50.58 and sets up DB2 to use the same level of GSKit.

· Restart the server to pick up the updated security plug-in.

· Update the following definitions in the file /etc/environment or /export/home/instance_user/sqllib/userprofile, where instance_user is the user ID under which the server executes:

· ICC_IGNORE_FIPS=YES

· DB2_ICC_IGNORE_FIPS=YES

Tip: Before you restart the server, the instance user ID can run

. /export/home/instance_user/sqllib/userprofile

to make the environment variables available for the server or storage agent and for DB2 if it is running in the foreground. You can find a separate file for C shell users in the sqllib directory.

For the server database backup, the client API configuration must include the client option

testflag ICCNONFIPS

to prevent loading of the GSKit FIPS module. This option goes into the dsm.sys file. The default database backup configuration api-client file is in the /opt/tivoli/tsm/server/api/bin64/dsm.sys directory.

In the dsmserv.opt file, set the following server options:


· SSLFIPSMODE NO

· FIPSMODE NO

If you are using Lightweight Directory Access Protocol (LDAP) authentication, set the following server option in the dsmserv.opt file:


LDAPSSLFIPS NO

· Start the server.
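
Added example (not part of the IBM techdoc and not IBM code): a POSIX shell function that audits whether the settings described above are all in place, so that a host where the FIPS module has been deliberately disabled is in a known, consistent state. The ROOT prefix argument, the finding labels, and the case-insensitive option matching are assumptions of this example; the dsmserv.opt location is site-specific and must be supplied.

```shell
#!/bin/sh
# Added example, not IBM code: audit the IT14261 workaround settings.
# Assumes a POSIX grep (on Solaris, /usr/xpg4/bin ahead of /usr/bin in PATH).
# Usage: check_it14261 ROOT ENV_FILE DSMSERV_OPT
#   ROOT         path prefix, "" for the live system (hypothetical, for tests)
#   ENV_FILE     /etc/environment or the instance user's sqllib/userprofile
#   DSMSERV_OPT  path to the server's dsmserv.opt
# Sets MISSING to a space-separated list of findings; returns 0 if none.
check_it14261() {
    root=$1
    env_file=$2
    srv_opt=$3
    gsk_lib="$root/opt/ibm/gsk8_64/lib64"
    dsm_sys="$root/opt/tivoli/tsm/server/api/bin64/dsm.sys"
    MISSING=""

    # The FIPS module directory must no longer exist under its original name.
    if [ -d "$gsk_lib/C" ]; then MISSING="$MISSING gskit_C_present"; fi

    # Both variables must be YES ("VAR=YES" or "export VAR=YES" form).
    for var in ICC_IGNORE_FIPS DB2_ICC_IGNORE_FIPS; do
        grep -Eq "^[[:space:]]*(export[[:space:]]+)?${var}=YES([[:space:];]|\$)" \
            "$env_file" 2>/dev/null || MISSING="$MISSING $var"
    done

    # Client API option used for the server database backup.
    grep -Eiq '^[[:space:]]*testflag[[:space:]]+ICCNONFIPS' \
        "$dsm_sys" 2>/dev/null || MISSING="$MISSING testflag_ICCNONFIPS"

    # Server options. LDAPSSLFIPS applies only with LDAP authentication,
    # so it is not checked here. Anchoring keeps SSLFIPSMODE from
    # satisfying the FIPSMODE check.
    for opt in SSLFIPSMODE FIPSMODE; do
        grep -Eiq "^[[:space:]]*${opt}[[:space:]]+NO([[:space:]]|\$)" \
            "$srv_opt" 2>/dev/null || MISSING="$MISSING $opt"
    done

    MISSING=${MISSING# }
    [ -z "$MISSING" ]
}
```

On a live system, call it as `check_it14261 "" /etc/environment /path/to/dsmserv.opt` and print `$MISSING` when it returns non-zero.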


Document Information

Modified date:
17 June 2018

UID

swg21982582