• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Another SSL connection problem

chad_small

ADSM.ORG Moderator
#1
I have a management server that I access all my TSM/SP servers from and I have one Spectrum Protect 8.1.4 instance on Red Hat Linux that I cannot connect to remotely. If I am logged into the SP server I can connect with the admin command line but no remote admin sessions work. I configured SSL and even regenerated the cert256.arm file on the SP instance and remote host, copied the cert256.arm to the management server, recreated my dsmcert.kdb, and then imported the new key. I still cannot connect to the server and am receiving this error in the actlog

Date/Time Message
-------------------- ----------------------------------------------------------
01/25/2018 13:33:32 ANR8583E An SSL socket-initialization error occurred on se
ssion 62295. The GSKit return code is 420 GSK_ERROR_SOCK
ET_CLOSED. (SESSION: 62295)
01/25/2018 13:33:32 ANR0479W Session 62295 for server 171.xx.xx.xx () terminat
ed - connection with server severed. (SESSION: 62295)


Here is the remote host dsmerror.log info:

01/25/2018 18:33:34 ANS1579E GSKit function gsk_secure_soc_init failed with 406: GSK_ERROR_IO
01/25/2018 18:33:34 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
01/25/2018 18:33:34 ANS1592E Failed to initialize SSL protocol.
01/25/2018 18:33:34 ANS8023E Unable to establish session with server.



Anyone seen this? Do I need to modify something on the management server?

NOTE: I modified the IP in the output for security reasons.
 

ILCattivo

ADSM.ORG Senior Member
#2
I also have a RHEL 7 Server running Protect v8.1.4 but do not have this issue connecting to it remotely via a client for Admin purposes.

Have you checked that the relevant SSL ports are open on any local firewall on the RHEL 7 server?
 

rcdelaw

ADSM.ORG Member
#3
I have a management server that I access all my TSM/SP servers from and I have one Spectrum Protect 8.1.4 instance on Red Hat Linux that I cannot connect to remotely. If I am logged into the SP server I can connect with the admin command line but no remote admin sessions work. I configured SSL and even regenerated the cert256.arm file on the SP instance and remote host, copied the cert256.arm to the management server, recreated my dsmcert.kdb, and then imported the new key. I still cannot connect to the server and am receiving this error in the actlog

Date/Time Message
-------------------- ----------------------------------------------------------
01/25/2018 13:33:32 ANR8583E An SSL socket-initialization error occurred on se
ssion 62295. The GSKit return code is 420 GSK_ERROR_SOCK
ET_CLOSED. (SESSION: 62295)
01/25/2018 13:33:32 ANR0479W Session 62295 for server 171.xx.xx.xx () terminat
ed - connection with server severed. (SESSION: 62295)


Here is the remote host dsmerror.log info:

01/25/2018 18:33:34 ANS1579E GSKit function gsk_secure_soc_init failed with 406: GSK_ERROR_IO
01/25/2018 18:33:34 ANS9020E A session could not be established with a IBM Spectrum Protect server or client agent. The return code is -362.
01/25/2018 18:33:34 ANS1592E Failed to initialize SSL protocol.
01/25/2018 18:33:34 ANS8023E Unable to establish session with server.



Anyone seen this? Do I need to modify something on the management server?

NOTE: I modified the IP in the output for security reasons.
There are a few reason you may be getting that error. Let me ask the obvious questions first:
1) Have you attempted to contact the server from the remote client?
2) Is the remote client running a compatible client version?
3) Do you have SSLFIPSMODE OFF on the Server?
4) Is your client option file setup to use SSL? I would recommend using a dedicated SSL Port rather than letting it default to the TCPPort, (personal preference)

This is out of the manual:
ANR8583E and GSKit return code 406: This error might indicate that a non-SSL-enabled client is trying to contact an SSL port. When a client contacts a Tivoli® Storage Manager server at a port that is defined by SSLTCPPORT or SSLTCPADMINPORT, the server establishes a session and initiates an SSL "handshake

I will respond again after I see your answers

Ron Delaware
IBM Systems Lab Services
925-476-5315
 

chad_small

ADSM.ORG Moderator
#4
There are a few reason you may be getting that error. Let me ask the obvious questions first:
1) Have you attempted to contact the server from the remote client?
2) Is the remote client running a compatible client version?
3) Do you have SSLFIPSMODE OFF on the Server?
4) Is your client option file setup to use SSL? I would recommend using a dedicated SSL Port rather than letting it default to the TCPPort, (personal preference)

This is out of the manual:
ANR8583E and GSKit return code 406: This error might indicate that a non-SSL-enabled client is trying to contact an SSL port. When a client contacts a Tivoli® Storage Manager server at a port that is defined by SSLTCPPORT or SSLTCPADMINPORT, the server establishes a session and initiates an SSL "handshake

I will respond again after I see your answers

Ron Delaware
IBM Systems Lab Services
925-476-5315

The problem turned out to be what I had suspected....it was a routing/firewall issue. Once we got the Network admins to make sure that ports 1500/1550 (TCP and SSL ports) from one Data Center to another was allowed we were able to connect and authenticate without issue.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 16 19.0%
  • Keep using TSM for Spectrum Protect.

    Votes: 52 61.9%
  • Let's be formal and just say Spectrum Protect

    Votes: 9 10.7%
  • Other (please comement)

    Votes: 7 8.3%

Forum statistics

Threads
31,419
Messages
133,822
Members
21,533
Latest member
MACH
Top