Use Domain Or Local Account For ISP Initial Configuration?

PREDATAR Control23

Error 168 is either an API issue or the password. You ruled out the API by making sure you are now running the same fix pack level (first 3 numbers of 8.1.6).

That leaves the password, which is step 4 here: https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.0/srv.install/t_srv_prep_dbmgr-windows.html

OK so now I was able to get the database restored finally. However, now I am running into some further issues, and I'm wondering if it is partially related to the option used:

So I am using the recovery plan document that is usually generated by a script for us every day. In it, it tells me to run the following command for the restore:

"directory_path\DSMSERV" -k "instance_name" restore db todate=mm/dd/yyyy totime=hh:mm:ss source=dbb RESTOREKEYS=NO

My first question for this would be... If I tell it "RESTOREKEYS=YES" then which password would need to be used exactly?

Next, after I used the command above to restore the database, it then tells me to start the server using the command "start "instance_name" "dir_path\DSMSERV" -k "instance_name""

If I do that, I see several errors including:

ANR0110E An unexpected system date has been detected; the server is disabled

My second question is... Are these two topics sort of related? If not, then how do I enter the ACCEPT DATE command if I can't log in using the admin command line with the admin account I had been using all along prior to the cyberattack?
 
PREDATAR Control23

Stop the TSM server service. Then, login as the instance owner as per documentation:
  1. Change to the directory where the server is installed. For example, change to the c:\program files\tivoli\tsm\server directory.
  2. Enter the following command: dsmserv -k instance_name
Now you will be loggeg in the console. ACCEPT DATE and fix your account/password issue.
When done, just type HALT to stop the TSM server. Restart it using the service.
 
PREDATAR Control23

Stop the TSM server service. Then, login as the instance owner as per documentation:
  1. Change to the directory where the server is installed. For example, change to the c:\program files\tivoli\tsm\server directory.
  2. Enter the following command: dsmserv -k instance_name
Now you will be loggeg in the console. ACCEPT DATE and fix your account/password issue.
When done, just type HALT to stop the TSM server. Restart it using the service.

OK well I am able to enter the ACCEPT DATE command successfully, and I will fix the account/password issue later. For now though, what are the next steps to restore the actual data from copypool storage?
 
PREDATAR Control23

OK well I am able to enter the ACCEPT DATE command successfully, and I will fix the account/password issue later. For now though, what are the next steps to restore the actual data from copypool storage?

Never mind that part. I see further down in the disaster recovery document where it says to run some macros.

Problem is, when I try to run the macro commands, it doesn't like the -ITEMCOMMIT" parameter for some reason. Instead, I get the error ANR2004E Missing value for keyword parameter -ITEMCOMMIT

One of the commands it tells me to run is:

dsmadmc -id=%1 -pass=%2 -ITEMCOMMIT -OUTFILE="dir_path\IBMTSM01.PRIMARY.VOLUMES.DESTROYED.LOG" macro "dir_path\IBMTSM01.PRIMARY.VOLUMES.DESTROYED.MAC"

It doesn't matter what I put for the ID and password, it just gives me the same error. Therefore I am reduced to running all the commands in the macro files manually, which you can imagine will take a very long time.

Any idea on how I can format the command to get it to actually run the macros?
 
PREDATAR Control23

The ID and password is a Spectrum Protect administrator ID and password. Same you used to connect to dsmadmc manually to execute the commands manually.
 
PREDATAR Control23

The ID and password is a Spectrum Protect administrator ID and password. Same you used to connect to dsmadmc manually to execute the commands manually.

I can only use the SERVER_CONSOLE user since no other admin logins work at this point, considering we did not have a backup of the encryption key files.

So if I try anything related to the admin accounts configured in the system, I only get the error:

ANR9999D_3855409967 secUpdatePassword(secpwd.c:393) Thread<178>: Unable to get key of type 3:256


Is there really no way around this and we are just screwed since I don't have the key files?
 
PREDATAR Control23

If admins can't login, nodes will likely not be able to either.
 
PREDATAR Control23

Have you tried something like this ?
update admin admin_name SESSIONSECurity=TRANSitional

Just tried that, and it will set the session security parameter on the admin account as transitional, but that doesn't make a difference as far as resetting its password or accessing anything else node related. If I try to log in with that admin, I just see the errors:

ANR0150E Failed to open admin XXXXX. There was an error decrypting the Admin password.
ANR0423W Session xx for administrator XXXXX refused - administrator name not registered.

Of course the account is registered because if I run the q admin command, I see it there. So I just can't get around the missing encryption keys issue... *sigh*
 
PREDATAR Control23

Just tried that, and it will set the session security parameter on the admin account as transitional, but that doesn't make a difference as far as resetting its password or accessing anything else node related. If I try to log in with that admin, I just see the errors:

ANR0150E Failed to open admin XXXXX. There was an error decrypting the Admin password.
ANR0423W Session xx for administrator XXXXX refused - administrator name not registered.

Of course the account is registered because if I run the q admin command, I see it there. So I just can't get around the missing encryption keys issue... *sigh*


Yep, we're screwed. This confirms it:



Well, thanks for all your help and effort anyway guys. I really do appreciate it!
 
Top