Another SSL connection problem

chad_small


I have a management server that I access all my TSM/SP servers from, and I have one Spectrum Protect 8.1.4 instance on Red Hat Linux that I cannot connect to remotely. If I am logged into the SP server I can connect with the admin command line, but no remote admin sessions work. I configured SSL and even regenerated the cert256.arm file on the SP instance and remote host, copied the cert256.arm to the management server, recreated my dsmcert.kdb, and then imported the new key. I still cannot connect to the server and am receiving this error in the actlog:

Date/Time Message
-------------------- ----------------------------------------------------------
01/25/2018 13:33:32 ANR8583E An SSL socket-initialization error occurred on se
ssion 62295. The GSKit return code is 420 GSK_ERROR_SOCK
ET_CLOSED. (SESSION: 62295)
01/25/2018 13:33:32 ANR0479W Session 62295 for server 171.xx.xx.xx () terminat
ed - connection with server severed. (SESSION: 62295)


Here is the remote host dsmerror.log info:

01/25/2018 18:33:34 ANS1579E GSKit function gsk_secure_soc_init failed with 406: GSK_ERROR_IO
01/25/2018 18:33:34 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
01/25/2018 18:33:34 ANS1592E Failed to initialize SSL protocol.
01/25/2018 18:33:34 ANS8023E Unable to establish session with server.



Anyone seen this? Do I need to modify something on the management server?

NOTE: I modified the IP in the output for security reasons.
 

I also have a RHEL 7 Server running Protect v8.1.4 but do not have this issue connecting to it remotely via a client for Admin purposes.

Have you checked that the relevant SSL ports are open on any local firewall on the RHEL 7 server?
 
There are a few reasons you may be getting that error. Let me ask the obvious questions first:
1) Have you attempted to contact the server from the remote client?
2) Is the remote client running a compatible client version?
3) Do you have SSLFIPSMODE OFF on the Server?
4) Is your client option file set up to use SSL? I would recommend using a dedicated SSL Port rather than letting it default to the TCPPort (personal preference).

This is out of the manual:
ANR8583E and GSKit return code 406: This error might indicate that a non-SSL-enabled client is trying to contact an SSL port. When a client contacts a Tivoli® Storage Manager server at a port that is defined by SSLTCPPORT or SSLTCPADMINPORT, the server establishes a session and initiates an SSL "handshake

I will respond again after I see your answers

Ron Delaware
IBM Systems Lab Services
925-476-5315
 
The problem turned out to be what I had suspected... it was a routing/firewall issue. Once we got the Network admins to make sure that ports 1500/1550 (TCP and SSL ports) from one Data Center to another were allowed, we were able to connect and authenticate without issue.
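
Added example, not part of the original thread: a small Python probe, run from the management server, that reports whether a connection fails at the TCP stage or only during the TLS handshake, which separates a routing/firewall problem from a certificate or option problem before any keys are regenerated. It assumes the probed port is an SSL port (SSLTCPPORT or SSLTCPADMINPORT) that expects TLS from the first byte; on a plain TCPPORT only the TCP-stage result is meaningful. The names `probe` and `HINT` are made up for this example.

```python
import socket
import ssl
import sys

# What each stage implies for troubleshooting (guidance added for this example).
HINT = {
    "tcp": "network path: routing or firewall between the two sites",
    "tls": "path open but handshake failed: SSL options, certificate "
           "store, or a device cutting the session mid-handshake",
    "ok":  "TLS handshake completed; the network path and SSL setup work",
}

def probe(host, port, timeout=5.0):
    """Return (stage, detail) for the first stage that fails, or ("ok", version)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp", "filtered")          # no answer at all: packets dropped
    except ConnectionRefusedError:
        return ("tcp", "refused")           # reachable, but port closed or rejected
    except OSError as exc:
        return ("tcp", type(exc).__name__)  # no route, name resolution failure, ...
    # Certificate checks are off on purpose: this only tests the path and
    # must never be reused for a real session.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            return ("ok", tls.version())
    except OSError as exc:                  # ssl.SSLError is a subclass of OSError
        return ("tls", type(exc).__name__)
    finally:
        sock.close()

if __name__ == "__main__":
    # Usage: probe.py HOST [PORT ...]; ports default to the two named in the thread.
    host = sys.argv[1]
    for port in [int(p) for p in sys.argv[2:]] or [1500, 1550]:
        stage, detail = probe(host, port)
        print(f"{host}:{port} {stage} ({detail}) -> {HINT[stage]}")
```

A "tls" result does not rule out the network: a firewall or other device can accept the TCP connection and then cut the session, which looks like a handshake failure from both ends.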
 