APAR status
Closed as program error.
Error description
A startup delay might be observed for Tivoli Storage Manager clients when loading the ICC modules. A service trace will report the delay as with the following example: 03-11-2011 12:36:13.226 ホ12910826レ ホ1レ : crypto.cpp ( 147): new_Crypto(): creating new AES-128 object 03-11-2011 12:36:13.226 ホ12910826レ ホ1レ : icccrypt.cpp ( 275): ICCCrypt(): entering the constructor 03-11-2011 12:36:13.226 ホ12910826レ ホ1レ : icclib.cpp ( 168): ICClib(): entering the constructor 03-11-2011 12:36:13.226 ホ12910826レ ホ1レ : icclib.cpp ( 173): ICClib(): the global ctxP has not been initialized| Loading ICC... 03-11-2011 12:36:13.226 ホ12910826レ ホ1レ : icclib.cpp ( 400): globalInit(): entering => delay here 03-11-2011 12:36:20.628 ホ12910826レ ホ1レ : icclib.cpp ( 535): globalInit(): ICC has been successfully loaded 03-11-2011 12:36:20.628 ホ12910826レ ホ1レ : icclib.cpp ( 539): ICC path : '/usr/opt/ibm/gsk8_64/lib64/C' 03-11-2011 12:36:20.628 ホ12910826レ ホ1レ : icclib.cpp ( 540): ICC version : 8.0.0.0 03-11-2011 12:36:20.628 ホ12910826レ ホ1レ : icclib.cpp ( 541): ICC FIPS approved mode : on 03-11-2011 12:36:20.629 ホ12910826レ ホ1レ : icclib.cpp ( 552): globalInit(): exiting with rc = 0 03-11-2011 12:36:20.629 ホ12910826レ ホ1レ : icclib.cpp ( 182): ICClib(): exiting the constructor 03-11-2011 12:36:20.629 ホ12910826レ ホ1レ : icccrypt.cpp ( 311): ICCCrypt(): cipher type AES-128-CBC, type 419, block_size 16 03-11-2011 12:36:20.629 ホ12910826レ ホ1レ : icccrypt.cpp ( 329): ICCCrypt(): exiting with retcode 0 A seond symtpom for this problem has also been identified. A SERVICE trace will report the delay as with the following example: 06/28/12 13:31:20.111 ■10944896 ■1 : tcasess.cpp (1296): ForkTA: Enter. 06/28/12 13:31:20.111 ■10944896 ■1 : tcasess.cpp (1376): Calling SpawnTask with tcaProgramPath : /usr/bin/dsmtca tcaDebugStop : 0 tcaAlertString : 0 : TCA Interfacee ADSM Release 3 tcaPipe0 : 7 tcaPipe1 : 8 tcaPipe2 : 9 tcaPipe3 : 10 tcaPswdFileName: /etc/security/adsm/TSM.PWD tcaLang : /usr/tivoli/tsm/client/ba/bin64/EN_US/ dsmclientV3.cat tcaErrorLog : /var/tsm/dsmerror.log tcaDsDir : /usr/tivoli/tsm/client/ba/bin64 tcaRequest : E tcaSessID : TSMDR1 tcaServerName : TSMDR1 tcaPasswordFile: /etc/security/adsm/TSM.PWD tcaPasswordDir : tcaBuildDate : Wed Sep 28 16:35:23 2011 tcaBuildTime : Wed Sep 28 16:35:23 2011 tcaCliType : N/A tcaTraceTrusted: 1 tcaClusterEnabled: 0 tcaCryptoType : 2 06/28/12 13:31:27.285 ■10944896 ■1 : tcasess.cpp (1537): PostTA(): in wait loop deadChildPID >26083500< errno >2< 06/28/12 13:31:27.285 ■10944896 ■1 : tcasess.cpp (1537): PostTA(): in wait loop deadChildPID >-1< errno >10<. 06/28/12 13:31:27.285 ■10944896 ■1 : tcasess.cpp ( 866): encryptNonRootUserName(): EXIT, rc=0. 06/28/12 13:31:27.285 ■10944896 ■1 : tcasess.cpp ( 669): Exit taPswdEncrypt.rc = 0 - - - - - - - - - - Note the time between 13:31:20.111 "Calling SpawnTask" and 13:31:27.285 "PostTA(): in wait loop" - - - - - - - - - - The symptom is seen on the Power 7 platform with ICC version being at 8.0.0.0 and newer Tivoli Storage Manager Versions Affected: V6.3 Initial Impact: Low Additional Keywords: GSKIT gskcrypt gskcrypt64
Local fix
make sure GSKit version 8.0.14.13 (or newer) is applied, then export the following environment variables: export ICC_IGNORE_FIPS=YES export ICC_TRNG=ALT
Problem summary
**************************************************************** * USERS AFFECTED: Backup-archive client version 6.3 running * * on AIX, on POWER 7 architecture. * * Not all p7 machines have the problem. * **************************************************************** * PROBLEM DESCRIPTION: See ERROR DESCRIPTION * **************************************************************** * RECOMMENDATION: Implement the workaround described in the * * LOCAL FIX section of this APAR. * * * * An alternative is to install Tivoli Storage * * Manager backup-archive client version 6.3.1 * * or later and add this option to the dsm.opt * * file: * * * * TESTFLAGS ICCTRNGALT * ****************************************************************
Problem conclusion
The root cause of this problem lies in the GSKit encryption library used by Tivoli Storage Manager. If the problem is fixed in a future release of the GSKit library, then it will be considered for inclusion in a future release of Tivoli Storage Manager. Meanwhile a new test flag was added: ICCTRNGALT. It can be specified when running TSM, instead of having to set the environmental variables mentioned in the workaround. This testflag causes the alternate TRNG method to be used, which should relieve the slowdown. Requires GSKit 8.0.4.13 or higher. Note: While we are confident of the security of TRNGALT, it is not as cryptographically verifiable as the current default, and therefore not considered as strong. Given that the problem only affects some machines (i.e. not all p7 have the problem) we recommend that the test flag ICCTRNGALT should only be used when necessary.
Temporary fix
Comments
APAR Information
APAR number
IC80341
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
63A
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-12-09
Closed date
2012-01-27
Last modified date
2013-02-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
GSKIT
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
R63A PSY
UP
[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"63A","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]
Document Information
Modified date:
19 February 2013