IT42905 TSM / Spectrum Protect SSL cert expiration

TSM 7.1.8 / Spectrum Protect 8.1.2 and later create SSL certs with a 10 year expiration.

IBM reference: https://www.ibm.com/support/pages/apar/IT42905

The fix is:

Delete the instance keystore (cert.kdb)
Set all clients, admins, servers to SESSIONSECURITY=TRANSITIONAL
HALT the server and restart it – this will make a NEW key.
FORCESYNC for server connections.
Delete the client keystore (dsmcert.idx)
Restart the client and make sure it connects for the new key.

If you don’t wipe the client keystore:

ANS1695E The certificate is not valid.
ANS8023E Unable to establish session with server.
ANS8002I Highest return code was -370.

From the actlog/SERVER_CONSOLE

ANR8599W The connection with someserver:port failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.

IBM is considering automating this.

There is no automation yet as of 8.1.18.0 in 2023-03, and once the key expires, you’re stuck doing it manually.
You may be able to use DEFINE CLIENTACTION to delete the keystores on the clients if you use dsmcad.


Replacing TSM / ISP server

I ran into an issue where a primary TSM 7.1.8 server was broken, and it was easier to just move all of the clients over to the secondary 8.1.5 server. These used the new TLS encryption, and I kept running into issues.

    —————

First, I physically shut down the old server, and updated the new server to use the IP as an alias by editing /etc/network/interfaces. (Ubuntu 16 LTS)

    —————

Various errors included:
ANR8599W The connection with host address:host port failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.

ANR2284S The server master encryption key has changed. Passwords protected with the previous master encryption key are not available.

I had to make the server trust itself again with:[LINK]
dsmcert -add -server TSM -file /home/tsminst1/cert256.arm

    —————

This error:
ANR0456W Session rejected for server DT – the server name at 192.168.1.99, 1500 does not match.

I removed the server:
REMOVE SERVER DT

    —————

These errors:
ANR1651E Server information for DT is not available.
ANR4377E Session failure, target server DT is not defined on the source server.
ANR3151E Configuration refresh failed with configuration manager DT.

I disabled replication config
REMOVE REPLNODE *
Q REPLSERVER
REMOVE REPLSERVER {GUID}
DEL SUBSCRIPTION DEFAULT_PROFILE

    —————

These errors:
ANS1695E The certificate is not valid.
ANS1592E Failed to initialize SSL protocol.
ANS8023E Unable to establish session with server.
ANR3335W Unable to distribute certificate to for session .
ANR8599W The connection with 192.168.1.2:40250 failed due to an untrusted server certificate. An attempt to reconnect and establish certificate trust might follow.

From the clients, I had to remove /opt/tivoli/tsm/client/ba/bin/dsmcert.* and C:\Program Files\Tivoli\TSM\baclient\dsmcert.* on the clients per http://andrewjtobiason.com/index.php/2018/08/16/resolving-ssl-errors/

However, I also had to fix dsmcert / dsmcert.exe which I clobbered in the process.

    —————

And on the server, allow keys to be swapped again:[LINK]
UPD NODE * SESSIONSECURITY=TRANSITIONAL
UPD ADMIN * SESSIONSECURITY=TRANSITIONAL

Swap keys on client:
dsmadmc

    —————

NOTE: I also removed /etc/adsm/* during troubleshooting, but that was not needed. That just lead to me having to re-enter passwords again. Simply deleting the cert database corrected the problem on other clients.

    —————

I tried to order this in dependency order. I was sort of all over the place when I did it, and might have missed something. I just could not exactly get all of the right info from any one documentation source.