IBM Support

Resolving security certificate errors in IBM Spectrum Control V5.2.9 and later

Troubleshooting


Problem

Starting with IBM Spectrum Control™ V5.2.9, an enhancement that disables the MD5 hash might require new security certificates for resources that are managed by CIM agents. These resources are typically Brocade switches and non-IBM storage systems. Until new certificates are generated, IBM Spectrum Control will be unable to monitor those resources. These changes might also affect connections to older levels of IBM® System Storage® DS8000® storage systems.

Cause

Both the IBM Spectrum Control server and the CIM agent must support a common set of security algorithms. If these algorithms do not match, a secure connection cannot be established between the server and the agent. Starting with IBM Spectrum Control V5.2.9, the MD5 security algorithm is disabled by default.

The connection mechanism for some older levels of DS8000 storage systems also relies on MD5-signed certificates and will prevent IBM Spectrum Control V5.2.9 and later versions from connecting with these storage systems.

Diagnosing The Problem

If IBM Spectrum Control or IBM® Tivoli® Storage Productivity Center has previously been configured to manage resources by using CIM agents, the upgrade to V5.2.9 or later will display the following warning message during the upgrade process.



Continuing to use existing CIM agents with MD5-signed certificates with IBM Spectrum Control V5.2.9 or higher will result in connection issues with the resources. Any affected devices will show as unreachable in the GUI, and probes and performance monitors for the devices will fail. CIM agents using MD5-signed certificates can no longer be added. Adding a device with a CIM agent using an MD5-signed certificate after the V5.2.9 upgrade will result in the following error:



Error HWN021744E displays the same message in similar cases. Additionally, the following error is logged to dmSvcTrace.log indicating that the algorithm used by the CIM agent certificates does not match what is allowed by the IBM Spectrum Control server during the Test Connection action.

    2016-02-01 16:54:18.639-0700 HWN099993E Exception received while trying to connect to https://x.x.x.x:5989 due to CIM_ERR_FAILED @(-9223372036854773297;|-9223372036854773068,0,1|;-9223372036854772950;DiskManagerThread-1 - testOneCIMOMConnection(|CIMOM=https://x.x.x.x:5989, /interop, Administrator, ******|)) WBEMException: CIM_ERR_FAILED ... Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
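
To list every CIM agent that hit this error, the trace log can be scanned for the message above. The following is an added example, not IBM code: the sample entries are constructed, and it assumes that stack-trace lines may continue on lines that carry no timestamp.

```python
import re

CAUSE = "Certificates does not conform to algorithm constraints"
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4} ")
CONNECT = re.compile(r"HWN099993E .*?trying to connect to (https?://\S+) due to")

# Constructed sample modelled on the dmSvcTrace.log entry above; the addresses
# (documentation range 192.0.2.0/24) and the third entry's cause are made up.
SAMPLE_LOG = """\
2016-02-01 16:54:18.639-0700 HWN099993E Exception received while trying to connect to https://192.0.2.10:5989 due to CIM_ERR_FAILED ... Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
2016-02-01 16:55:02.101-0700 HWN099993E Exception received while trying to connect to https://192.0.2.20:5989 due to CIM_ERR_FAILED
    WBEMException: CIM_ERR_FAILED
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
2016-02-01 16:56:40.417-0700 HWN099993E Exception received while trying to connect to https://192.0.2.30:5989 due to CIM_ERR_FAILED
    Caused by: java.net.ConnectException: Connection refused
"""

def agents_rejected_for_algorithm(log_text):
    """Return CIM agent URLs whose connection failed on certificate algorithm constraints."""
    affected, current = [], None
    for line in log_text.splitlines():
        if TIMESTAMP.match(line):  # a new log entry starts here
            m = CONNECT.search(line)
            current = m.group(1) if m else None
        # The cause may sit on the entry line itself or on a continuation line.
        if current and CAUSE in line and current not in affected:
            affected.append(current)
    return affected
```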

To avoid or resolve these communication issues with the CIM agents after upgrading, evaluate your environment using the following guidelines and regenerate certificates for any affected CIM agents.

  1. Is the CIM agent configured with IBM Spectrum Control using a secure protocol (i.e., https)?

    The steps to bring up the dialog to check the CIM agent connection vary by version of IBM Spectrum Control or Tivoli Storage Productivity Center, but should result in a similar dialog where the connection protocol is displayed. This protocol was specified when the CIM agent was originally added to IBM Spectrum Control.

    1. If https is being used, continue to the next question about the security algorithm.
    2. If http is specified instead, this CIM agent is not affected by the V5.2.9 upgrade.

  2. Does the CIM agent use the MD5 security algorithm?
    The CIM agent software should provide a mechanism for viewing the certificates and identifying the security algorithm used. This can also be checked with some other tools, including opening the CIM agent URI in a Firefox browser. When the certificate warning is shown, click Add Exception... -> View... -> Details -> Certificate Fields to view the Certificate Signature Algorithm.



    1. If the MD5 security algorithm is used, as shown above, generate new certificates for the affected CIM agents.
    2. If the security algorithm is not MD5, the CIM agent is not affected by the V5.2.9 upgrade.

For comparison purposes, the graphic below shows a CIM agent that has a certificate signed with SHA-256 rather than MD5. This would not require a change.


Although DS8000 storage systems do not use CIM agents, the DS8000 ESSNI server uses security certificates and certain levels will report error BPCUI0055E, indicating connection problems when adding a storage system or testing the connection for an existing one.





Note: If your DS8000 storage systems have required SSLv3 to be re-enabled using the legacyprotocol script to connect, they will not connect when MD5 is disabled.


Resolving The Problem

Use the following information to resolve connection problems between IBM Spectrum Control V5.2.9 and CIM agents and DS8000 storage systems.

CIM Agents
Create new certificates for the affected CIM agents and replace the existing certificates. The following links are intended to help you get started but do not cover all supported CIM agents. Refer to the vendor documentation for the CIM agent for details.

NetApp
Generating a self-signed certificate for the CIM server (Linux)
Generating a self-signed certificate for the CIM server (Windows)

Brocade
Upgrade to Network Advisor 14.0.1 or higher to replace any MD5-signed certificates.

Note: The Brocade Network Advisor SMI Agent might report SSL connection errors even if it is not using MD5-signed certificates if it has incorrectly been configured to enable mutual authentication. See Resolving communication issues with Brocade Network Advisor for more details.

IBM System Storage DS8000
DS8000 storage systems that have not been or cannot be updated to fix levels resolving CVE-2014-3566 (see the security bulletin) will only have MD5-signed certificates. To maintain an option for compatibility, both SSLv3 and MD5 support can be re-enabled in IBM Spectrum Control using a script. Refer to the following documents for more information:

Note: Starting with Spectrum Control 5.2.16, the option to re-enable SSLv3 and MD5 for compatibility with older devices and certificates is no longer available.




Document Information

Modified date:
22 February 2022

UID

swg21976237