Re: No more client sessions after server upgrade.
Hi all, It seems that most of the answers can be found here : http://www-01.ibm.com/support/docview.wss?uid=swg22004844 -- Best regards / Cordialement / مع تحياتي Erwann SIMON - Mail original - De: "Erwann SIMON" <erwann.si...@free.fr> À: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU> Envoyé: Vendredi 9 Février 2018 10:40:02 Objet: Re: [ADSM-L] No more client sessions after server upgrade. Hi Eric, The default certificate (indicated by a * on the left) on older version is MD5-signed. TLS 1.2 need a SHA-signed certificatee to be the default. The update/upgrade process should change the default certificate but it seems that it does not. Here are the commands to verify the default certificate and how to change it. [root@centos7 config]# /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2 *- "TSM Server SelfSigned Key" - "TSM Server SelfSigned SHA Key" [root@centos7 config]# /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -setdefault -db cert.kdb -label "TSM Server SelfSigned SHA Key" -stashed [root@centos7 config]# /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2 - "TSM Server SelfSigned Key" *- "TSM Server SelfSigned SHA Key" After server restart, the "old" MD5-signed certificate labeled "TSM Server SelfSigned Key" will be deleted. PS : On Windows, path of gsk* commands is : C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin I sometimes had to change the PATH : set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64:C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin:%PATH% -- Best regards / Cordialement / مع تحياتي Erwann SIMON - Mail original - De: "Eric van Loon (ITOPT3) - KLM" <eric-van.l...@klm.com> À: ADSM-L@VM.MARIST.EDU Envoyé: Vendredi 9 Février 2018 09:39:58 Objet: Re: [ADSM-L] No more client sessions after server upgrade. Hi guys, To answer my own question so everybody else will be able to find it though ADSM-L. The solution was to generate a new certificate. During server startup I noticed the following message: ANR3336W Default certificate labeled TSM Server SelfSigned Key in key data base is down level. The fix was to stop the server and generate a new one by issuing the following command in the instance directory: gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key" Afterwards all clients were working again. Kind regards, Eric van Loon Air France/KLM Storage Engineering On Mon, Feb 5, 2018 at 10:52 AM, Loon, Eric van (ITOPT3) - KLM < eric-van.l...@klm.com> wrote: > Hi guys! > > I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients > cannot connect anymore. The only session that is working is the one > from the server itself. I opened an admin console through it and when > I try to establish and admins session from my pc, it's rejected with > the message "ANR8599W The connection with :37404 failed > due to an untrusted server certificate. An attempt to reconnect and > establish certificate trust might follow." A backup session from my pc > to the server fails with the same message in the actlog and with a > local message "ANS1592E Failed to initialize SSL protocol". Both my client > and my admin use Session Security: > Transitional. > > Thanks for your help in advance! > > Kind regards, > Eric van Loon > Air France/KLM Storage Engineering > > For information, services and offers, please visit our web site: > http://www.klm.com. This e-mail and any attachment may contain > confidential and privileged material intended for the addressee only. > If you are not the addressee, you are notified that no part of the > e-mail or any attachment may be disclosed, copied or distributed, and > that any other action related to this e-mail or attachment is strictly > prohibited, and may be unlawful. If you have received this e-mail by > error, please notify the sender immediately by return e-mail, and delete this > message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or > its employees shall not be liable for the incorrect or incomplete > transmission of this e-mail or any attachments, nor responsible for any delay > in receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal > Dutch > Airlines) is registered in Amstelveen, The Netherlands, with > registered number 33014286 > > -- *Zoltan Forray* Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator Xymon Monitor Administrator VMware Administrator Virginia Com
Re: No more client sessions after server upgrade.
Hi Eric, The default certificate (indicated by a * on the left) on older version is MD5-signed. TLS 1.2 need a SHA-signed certificatee to be the default. The update/upgrade process should change the default certificate but it seems that it does not. Here are the commands to verify the default certificate and how to change it. [root@centos7 config]# /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2 *- "TSM Server SelfSigned Key" - "TSM Server SelfSigned SHA Key" [root@centos7 config]# /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -setdefault -db cert.kdb -label "TSM Server SelfSigned SHA Key" -stashed [root@centos7 config]# /usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -list -db cert.kdb -stashed | tail -2 - "TSM Server SelfSigned Key" *- "TSM Server SelfSigned SHA Key" After server restart, the "old" MD5-signed certificate labeled "TSM Server SelfSigned Key" will be deleted. PS : On Windows, path of gsk* commands is : C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin I sometimes had to change the PATH : set PATH=C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64:C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin:%PATH% -- Best regards / Cordialement / مع تحياتي Erwann SIMON - Mail original - De: "Eric van Loon (ITOPT3) - KLM" <eric-van.l...@klm.com> À: ADSM-L@VM.MARIST.EDU Envoyé: Vendredi 9 Février 2018 09:39:58 Objet: Re: [ADSM-L] No more client sessions after server upgrade. Hi guys, To answer my own question so everybody else will be able to find it though ADSM-L. The solution was to generate a new certificate. During server startup I noticed the following message: ANR3336W Default certificate labeled TSM Server SelfSigned Key in key data base is down level. The fix was to stop the server and generate a new one by issuing the following command in the instance directory: gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key" Afterwards all clients were working again. Kind regards, Eric van Loon Air France/KLM Storage Engineering On Mon, Feb 5, 2018 at 10:52 AM, Loon, Eric van (ITOPT3) - KLM < eric-van.l...@klm.com> wrote: > Hi guys! > > I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients > cannot connect anymore. The only session that is working is the one > from the server itself. I opened an admin console through it and when > I try to establish and admins session from my pc, it's rejected with > the message "ANR8599W The connection with :37404 failed > due to an untrusted server certificate. An attempt to reconnect and > establish certificate trust might follow." A backup session from my pc > to the server fails with the same message in the actlog and with a > local message "ANS1592E Failed to initialize SSL protocol". Both my client > and my admin use Session Security: > Transitional. > > Thanks for your help in advance! > > Kind regards, > Eric van Loon > Air France/KLM Storage Engineering > > For information, services and offers, please visit our web site: > http://www.klm.com. This e-mail and any attachment may contain > confidential and privileged material intended for the addressee only. > If you are not the addressee, you are notified that no part of the > e-mail or any attachment may be disclosed, copied or distributed, and > that any other action related to this e-mail or attachment is strictly > prohibited, and may be unlawful. If you have received this e-mail by > error, please notify the sender immediately by return e-mail, and delete this > message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or > its employees shall not be liable for the incorrect or incomplete > transmission of this e-mail or any attachments, nor responsible for any delay > in receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal > Dutch > Airlines) is registered in Amstelveen, The Netherlands, with > registered number 33014286 > > -- *Zoltan Forray* Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator Xymon Monitor Administrator VMware Administrator Virginia Commonwealth University UCC/Office of Technology Services www.ucc.vcu.edu zfor...@vcu.edu - 804-828-4807 Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://phishing.vcu.edu/ For information, services and offer
Re: No more client sessions after server upgrade.
Hi guys, To answer my own question so everybody else will be able to find it though ADSM-L. The solution was to generate a new certificate. During server startup I noticed the following message: ANR3336W Default certificate labeled TSM Server SelfSigned Key in key data base is down level. The fix was to stop the server and generate a new one by issuing the following command in the instance directory: gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key" Afterwards all clients were working again. Kind regards, Eric van Loon Air France/KLM Storage Engineering On Mon, Feb 5, 2018 at 10:52 AM, Loon, Eric van (ITOPT3) - KLM < eric-van.l...@klm.com> wrote: > Hi guys! > > I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients > cannot connect anymore. The only session that is working is the one > from the server itself. I opened an admin console through it and when > I try to establish and admins session from my pc, it's rejected with > the message "ANR8599W The connection with :37404 failed > due to an untrusted server certificate. An attempt to reconnect and > establish certificate trust might follow." A backup session from my pc > to the server fails with the same message in the actlog and with a > local message "ANS1592E Failed to initialize SSL protocol". Both my client > and my admin use Session Security: > Transitional. > > Thanks for your help in advance! > > Kind regards, > Eric van Loon > Air France/KLM Storage Engineering > > For information, services and offers, please visit our web site: > http://www.klm.com. This e-mail and any attachment may contain > confidential and privileged material intended for the addressee only. > If you are not the addressee, you are notified that no part of the > e-mail or any attachment may be disclosed, copied or distributed, and > that any other action related to this e-mail or attachment is strictly > prohibited, and may be unlawful. If you have received this e-mail by > error, please notify the sender immediately by return e-mail, and delete this > message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or > its employees shall not be liable for the incorrect or incomplete > transmission of this e-mail or any attachments, nor responsible for any delay > in receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal > Dutch > Airlines) is registered in Amstelveen, The Netherlands, with > registered number 33014286 > > -- *Zoltan Forray* Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator Xymon Monitor Administrator VMware Administrator Virginia Commonwealth University UCC/Office of Technology Services www.ucc.vcu.edu zfor...@vcu.edu - 804-828-4807 Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://phishing.vcu.edu/ For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
Re: No more client sessions after server upgrade.
Hi Eric, What is the client version ? Was SSL activated for client-server communications before you upgraded the server to 7.1.8 ? -- Best regards / Cordialement / مع تحياتي Erwann SIMON - Mail original - De: "Eric van Loon (ITOPT3) - KLM" <eric-van.l...@klm.com> À: ADSM-L@VM.MARIST.EDU Envoyé: Mardi 6 Février 2018 11:08:37 Objet: Re: [ADSM-L] No more client sessions after server upgrade. Hi Zoltan, The server is a Linux box, but the client is Windows... Kind regards, Eric van Loon Air France/KLM Storage Engineering -Original Message- From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray Sent: maandag 5 februari 2018 19:26 To: ADSM-L@VM.MARIST.EDU Subject: Re: No more client sessions after server upgrade. If this is a Linux box, did you run the utility to convert the cert/keys file? https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.0/srv.admin/t_ssl_config_ca.html On Mon, Feb 5, 2018 at 10:52 AM, Loon, Eric van (ITOPT3) - KLM < eric-van.l...@klm.com> wrote: > Hi guys! > > I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients > cannot connect anymore. The only session that is working is the one > from the server itself. I opened an admin console through it and when > I try to establish and admins session from my pc, it's rejected with > the message "ANR8599W The connection with :37404 failed > due to an untrusted server certificate. An attempt to reconnect and > establish certificate trust might follow." A backup session from my pc > to the server fails with the same message in the actlog and with a > local message "ANS1592E Failed to initialize SSL protocol". Both my client > and my admin use Session Security: > Transitional. > > Thanks for your help in advance! > > Kind regards, > Eric van Loon > Air France/KLM Storage Engineering > > For information, services and offers, please visit our web site: > http://www.klm.com. This e-mail and any attachment may contain > confidential and privileged material intended for the addressee only. > If you are not the addressee, you are notified that no part of the > e-mail or any attachment may be disclosed, copied or distributed, and > that any other action related to this e-mail or attachment is strictly > prohibited, and may be unlawful. If you have received this e-mail by > error, please notify the sender immediately by return e-mail, and delete this > message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or > its employees shall not be liable for the incorrect or incomplete > transmission of this e-mail or any attachments, nor responsible for any delay > in receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal > Dutch > Airlines) is registered in Amstelveen, The Netherlands, with > registered number 33014286 > > -- *Zoltan Forray* Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator Xymon Monitor Administrator VMware Administrator Virginia Commonwealth University UCC/Office of Technology Services www.ucc.vcu.edu zfor...@vcu.edu - 804-828-4807 Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://phishing.vcu.edu/ For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
Re: No more client sessions after server upgrade.
Hi Zoltan, The server is a Linux box, but the client is Windows... Kind regards, Eric van Loon Air France/KLM Storage Engineering -Original Message- From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Zoltan Forray Sent: maandag 5 februari 2018 19:26 To: ADSM-L@VM.MARIST.EDU Subject: Re: No more client sessions after server upgrade. If this is a Linux box, did you run the utility to convert the cert/keys file? https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.0/srv.admin/t_ssl_config_ca.html On Mon, Feb 5, 2018 at 10:52 AM, Loon, Eric van (ITOPT3) - KLM < eric-van.l...@klm.com> wrote: > Hi guys! > > I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients > cannot connect anymore. The only session that is working is the one > from the server itself. I opened an admin console through it and when > I try to establish and admins session from my pc, it's rejected with > the message "ANR8599W The connection with :37404 failed > due to an untrusted server certificate. An attempt to reconnect and > establish certificate trust might follow." A backup session from my pc > to the server fails with the same message in the actlog and with a > local message "ANS1592E Failed to initialize SSL protocol". Both my client > and my admin use Session Security: > Transitional. > > Thanks for your help in advance! > > Kind regards, > Eric van Loon > Air France/KLM Storage Engineering > > For information, services and offers, please visit our web site: > http://www.klm.com. This e-mail and any attachment may contain > confidential and privileged material intended for the addressee only. > If you are not the addressee, you are notified that no part of the > e-mail or any attachment may be disclosed, copied or distributed, and > that any other action related to this e-mail or attachment is strictly > prohibited, and may be unlawful. If you have received this e-mail by > error, please notify the sender immediately by return e-mail, and delete this > message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or > its employees shall not be liable for the incorrect or incomplete > transmission of this e-mail or any attachments, nor responsible for any delay > in receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal > Dutch > Airlines) is registered in Amstelveen, The Netherlands, with > registered number 33014286 > > -- *Zoltan Forray* Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator Xymon Monitor Administrator VMware Administrator Virginia Commonwealth University UCC/Office of Technology Services www.ucc.vcu.edu zfor...@vcu.edu - 804-828-4807 Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://phishing.vcu.edu/ For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
Re: No more client sessions after server upgrade.
If this is a Linux box, did you run the utility to convert the cert/keys file? https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.0/srv.admin/t_ssl_config_ca.html On Mon, Feb 5, 2018 at 10:52 AM, Loon, Eric van (ITOPT3) - KLM < eric-van.l...@klm.com> wrote: > Hi guys! > > I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients > cannot connect anymore. The only session that is working is the one from > the server itself. I opened an admin console through it and when I try to > establish and admins session from my pc, it's rejected with the message > "ANR8599W The connection with :37404 failed due to an untrusted > server certificate. An attempt to reconnect and establish certificate trust > might follow." A backup session from my pc to the server fails with the > same message in the actlog and with a local message "ANS1592E Failed to > initialize SSL protocol". Both my client and my admin use Session Security: > Transitional. > > Thanks for your help in advance! > > Kind regards, > Eric van Loon > Air France/KLM Storage Engineering > > For information, services and offers, please visit our web site: > http://www.klm.com. This e-mail and any attachment may contain > confidential and privileged material intended for the addressee only. If > you are not the addressee, you are notified that no part of the e-mail or > any attachment may be disclosed, copied or distributed, and that any other > action related to this e-mail or attachment is strictly prohibited, and may > be unlawful. If you have received this e-mail by error, please notify the > sender immediately by return e-mail, and delete this message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its > employees shall not be liable for the incorrect or incomplete transmission > of this e-mail or any attachments, nor responsible for any delay in receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch > Airlines) is registered in Amstelveen, The Netherlands, with registered > number 33014286 > > -- *Zoltan Forray* Spectrum Protect (p.k.a. TSM) Software & Hardware Administrator Xymon Monitor Administrator VMware Administrator Virginia Commonwealth University UCC/Office of Technology Services www.ucc.vcu.edu zfor...@vcu.edu - 804-828-4807 Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://phishing.vcu.edu/
No more client sessions after server upgrade.
Hi guys! I just upgraded our engineering server from 7.1.7 to 7.1.8 and clients cannot connect anymore. The only session that is working is the one from the server itself. I opened an admin console through it and when I try to establish and admins session from my pc, it's rejected with the message "ANR8599W The connection with :37404 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow." A backup session from my pc to the server fails with the same message in the actlog and with a local message "ANS1592E Failed to initialize SSL protocol". Both my client and my admin use Session Security: Transitional. Thanks for your help in advance! Kind regards, Eric van Loon Air France/KLM Storage Engineering For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
