Direct links to fixes
6.3.6.100-TIV-TSMALL-SolarisSPARC
6.3.6.100-TIV-TSMSTA-WindowsI32
6.3.6.100-TIV-TSMALL-WindowsX64
6.3.6.100-TIV-TSMALL-Linuxx86_64
6.3.6.100-TIV-TSMALL-Linuxs390x
6.3.6.100-TIV-TSMALL-Linuxppc64
6.3.6.100-TIV-TSMALL-HP-UX
6.3.6.100-TIV-TSMALL-AIX
IBM Tivoli Storage Manager server V6.3.6.x interim fix downloads
IBM Spectrum Protect Server V7.1.7.X interim fix downloads
IBM Spectrum Protect Server V7.1 Fix Pack 8 (7.1.8.000) Downloads
APAR status
Closed as program error.
Error description
When using server to server SSL connection, and using a CA signed certificate, the communication will fail between the library manager and the storage agent. The error message will be showed on the library manager as ANR8583E An SSL socket-initialization error occurred on session 34. The GSKit return code is 420.~ The error message will be showed on the storage agent as ANR0454E Session rejected by server XXX, reason: 201 - Communication Failure.~ Customer/L2 Diagnostics: This APAR documents a library manager and storage agent communication issue when CA signed certificates are used. Under the APAR condition, the following error is reported in the actlog for both, library manager and storage agent: ANR8583E An SSL socket-initialization error occurred on session 34. The GSKit return code is 420.~ In addition, the reason 201 is logged in the storage agent trace. <ADDMSG SSLINFO SESSION PVR MMS> trace from the library manager shows: . 09:48:17.598 [371][output.c][7647][PutConsoleMsg]:ANR8592I Session 39 connection is using SSL version TLSV12, cipher specification AES-256-GCM, certificate serial number 19:d0:4a:8d:30:58:62. ~ 09:48:17.606 [371][output.c][7647][PutConsoleMsg]:ANR0407I Session 39 started for administrator IBM-OC-TSMOCHUB (Windows) (SSL tsmochub-it.local(50374)).~ 09:48:17.648 [371][smtrans.c][2268][SmRecvVerbX]:Session 39, Length=56, Size 4, Code=0016, Ext: No, Type=SignOnAuth. 09:48:17.648 [371][smsec.c][836][SmAuthenticate]:SmAuth: Failed decrypt. Input Len 48, Output Len 48. Session IBM-OC-TSMOCHUB(39), rc=-1 09:48:17.650 [371][ssltcomm.c][1700][ssltcpRecv]:ssltcpRecv: Reading 512 bytes from socket on session 39 09:48:17.654 [371][ssltcomm.c][1709][ssltcpRecv]:ssltcpRecv: ssl read on session 39 rc 420 GSK_ERROR_SOCKET_CLOSED 09:48:17.654 [371][smtrans.c][7895][ReceiveVerb]:Failure reading verbHdr commRc -1 sessTerm 0. 09:48:17.654 [371][smtrans.c][2169][SmRecvVerbX]:ReceiveVerb rc=-1 09:48:17.654 [371][smexec.c][7422][DoAdminGeneral]:SmAuthenticate returned with authRc 9999 for session 39(IBM-OC-TSMOCHUB) 09:48:17.655 [371][smexec.c][4153][smEndMessage]:Session 39 for IBM-OC-TSMOCHUB ending with termReason 1. 09:48:17.655 [371][output.c][7647][PutConsoleMsg]:ANR0568W Session 39 for admin IBM-OC-TSMOCHUB (Windows) terminated - connection with client severed.~ 09:48:17.656 [371][smutil.c][2223][smRemoveSessMountCount]:Session number 39 for node IBM-OC-TSMOCHUB does not have any mount point a llocated. 09:48:54.592 [331][ssltcomm.c][2033][sslSocOpen]:sslSocOpen gsk_secure_soc_init session 34 rc 420 GSK_ERROR_SOCKET_CLOSED 09:48:54.592 [331][output.c][7647][PutConsoleMsg]:ANR8583E An SSL socket-initialization error occurred on session 34. The GSKit return code is 420.~ . . <ADDMSG SSLINFO SESSION PVR MMS> trace from the storage agent shows (note the reason 201 is logged here): . 9:46:33.678 [18][ssltcomm.c][3933][SslFlushBuffer]:SslFlushBuffer: Sending 145 bytes of data to client at tsmsrv1.romelab.it on socket 00000000000108D4, port 16480. 09:51:53.947 [18][output.c][7647][PutConsoleMsg]:ANR0400I Session 11 started for node VC-DM (TDP VMware) (Shared Memory).~ 09:51:53.950 [18][ssltcomm.c][3933][SslFlushBuffer]:SslFlushBuffer: Sending 145 bytes of data to client at tsmsrv1.romelab.it on socket 00000000000108D4, port 16480. 09:51:53.998 [18][smexec.c][5489][SmAddReplServerAddress]:Session 11 for node VC-DM Error getting comm info for Replication server, status = 2095 09:51:54.164 [18][output.c][7647][PutConsoleMsg]:ANR8595I Session to address tsmsrv1.romelab.it is using SSL version TLSV12, cipher specification AES-256-GCM, certificate serial number 36:a0:2d:db:21:ce:e3:7e.~ 09:51:57.674 [18][smexec.c][4619][smOpenSession]:session 14 open 09:51:57.675 [18][smtrans.c][1915][SmSendVerbX]:Session 14, Length=4, Code=001D, Type=Identify, verbPtr 00000000060CA000. 09:51:57.675 [18][smtrans.c][2163][SmRecvVerbX]:Receiving verb for TSMSRVLM(14) using buffer 0000000005FDF990. 09:54:53.310 [18][smtrans.c][7895][ReceiveVerb]:Failure reading verbHdr commRc -1 sessTerm 0. 09:54:53.310 [18][smtrans.c][2169][SmRecvVerbX]:ReceiveVerb rc=-1 09:54:53.310 [18][smserv.c][5793][SignOnToServer]:IdentifyVerb exchange failed. 09:54:53.310 [18][smserv.c][5122][smServIssueRejectMsg]:Issuing message for reason 201 from smserv.c(6020).^H 09:54:53.311 [18][output.c][7647][PutConsoleMsg]:ANR0454E Session rejected by server TSMSRVLM, reason: 201 - Communication Failure.~ . IBM Spectrum Protect versions affected: Server 6.3.6.000, 7.1.7.000 and before on supported platforms Initial Impact: Medium Additional Keywords: TSM SPECTRUM PROTECT SP CA signed certificate unable to connect Server to Server storage agent session ANR0530W ANR8580E "The GSKit return code is 406" (RTC) 130384
Local fix
Specify SSLCERTVERIFY NO in the both server and storage agent option file when the CA signed certificate is used and SSL=NO. There is no local fix if the SSL is set YES.
Problem summary
**************************************************************** * USERS AFFECTED: * * All IBM Tivoli Storage Manager server users of a CA signed * * certificate. * **************************************************************** * PROBLEM DESCRIPTION: * * See error description. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is projected * * to be fixed in levels 6.3.6.100, and 7.1.7.100. * * Note that this is subject to change at the discretion of * * IBM. * ****************************************************************
Problem conclusion
This problem was fixed. Affected platforms: AIX, HP, Linux, Solaris, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT18563
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
71A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-12-23
Closed date
2017-02-21
Last modified date
2017-02-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM SERVER
Fixed component ID
5698ISMSV
Applicable component levels
R63A PSY
UP
R63H PSY
UP
R63L PSY
UP
R63S PSY
UP
R63W PSY
UP
R71A PSY
UP
R71H PSY
UP
R71L PSY
UP
R71S PSY
UP
R71W PSY
UP
[{"Line of Business":{"code":"LOB26","label":"Storage"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1.3"}]
Document Information
Modified date:
25 September 2021