nathrix
ADSM.ORG Member
After upgrading server from 7.6 to 7.1.9.3 the following Error was reported:
ANR2097E Unable to retrieve the master encryption key from the server password file, dsmserv.pwd.
Spectrum Protect (Product Level com.tivoli.dsm.server_7.1.9.20190617_1349)
Spectrum Protect Client installed 8.1.4.1
Operating System AIX 7.1 (OS Version 7200-03-02-1846)
I had a look at this link:
https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.8/srv.common/r_techchg_srv_ekey_718.html
The newly generated master encryption key is stored in a new key database, dsmkeydb.kdb. If the server has an existing master encryption key, the key is migrated from the dsmserv.pwd file to the new key database. The automatic generation of the master encryption key and its storage in the new key database are designed to enhance system security. Server certificates are still stored in the cert.kdb key database and accessed by the stash file cert.sth.
There is no dsmkeydb.kdb file.
As per link. "During the upgrade, the newly generated master encryption key is stored in a new key database, dsmkeydb.kdb."
The key was not migrated from the dsmserv.pwd file to the new key database.
TSM:/home/tsminst1#> ls -l cert*
-rw------- 1 tsminst1 tsmsrvrs 80 Oct 10 2018 cert.crl
-rw------- 1 tsminst1 tsmsrvrs 130080 Nov 19 10:41 cert.kdb <--- exact time of upgrade
-rw------- 1 tsminst1 tsmsrvrs 80 Oct 10 2018 cert.rdb
-rw------- 1 tsminst1 tsmsrvrs 129 Oct 10 2018 cert.sth
-rw-r--r-- 1 tsminst1 tsmsrvrs 1164 Oct 10 2018 cert256.arm
TSM:/home/tsminst1#> ls -l | grep dsm
-rw-r--r-- 1 tsminst1 tsmsrvrs 0 Nov 19 12:11 .dsmserv.ilock
-rw-r--r-- 1 tsminst1 tsmsrvrs 82353796 Nov 21 05:38 dsmaccnt.log
-rw-r--r-- 1 tsminst1 tsmsrvrs 623993 Nov 20 15:26 dsmffdc.log
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048582 Feb 26 2019 dsmffdc.log.1
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.2
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.3
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.4
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.5
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.6
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.7
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.8
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048680 Feb 26 2019 dsmffdc.log.9
-rw-r--r-- 1 tsminst1 tsmsrvrs 27 Oct 10 2018 dsmserv.dbid
-rw-r--r-- 1 tsminst1 tsmsrvrs 257 Oct 3 2018 dsmserv.err
-rw-r--r-- 1 tsminst1 tsmsrvrs 703 Nov 18 10:08 dsmserv.opt
-rw------- 1 tsminst1 tsmsrvrs 181 Oct 3 2018 dsmserv.pwd <--- exact time of upgrade
-rw-r--r-- 1 tsminst1 tsmsrvrs 61 Nov 19 12:11 dsmserv.v6lock
TSM:/home/tsminst1#> find / -name dsmkeydb.kdb
find: cannot open < /proc/7733746 >
find: cannot open < /proc/8061438 >
TSM:/home/tsminst1#>
Now, the HUGE problem I have is I'm unable to run db backup after upgrading the server upgrade because of those keys and two days of backups have gone through with no issues!
TSM> backup db type=dbsnapshot devclass=LTO5RDC
ANR2270E The PROTECTKEYS parameter is not enabled.
TSM> set dbrecovery lto5rdc protectkeys=no
ANR2784W Specifying PROTECTKEYS=NO requires the server's encryption keys to be backed up manually.
Do you want to proceed? (Yes (Y)/No (N)) y
ANR2782I SET DBRECOVERY completed successfully and device class for automatic DB backup is set to LTO5RDC.
TSM> backup db type=dbsnapshot devclass=LTO5RDC
ANR2270E The PROTECTKEYS parameter is not enabled.
TSM> set dbrecovery lto5rdc protectkeys=yes passw=xxxxxxx
ANR2270E The PROTECTKEYS parameter is not enabled.
I have logged a call with IBM yesterday morning after noting the backup db did not run.
Thought I will post this here as well as any suggestions will be much appreciated and I'm sure there will be some poor folk out there that will run into this same issue.
ANR2097E Unable to retrieve the master encryption key from the server password file, dsmserv.pwd.
Spectrum Protect (Product Level com.tivoli.dsm.server_7.1.9.20190617_1349)
Spectrum Protect Client installed 8.1.4.1
Operating System AIX 7.1 (OS Version 7200-03-02-1846)
I had a look at this link:
https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.8/srv.common/r_techchg_srv_ekey_718.html
The newly generated master encryption key is stored in a new key database, dsmkeydb.kdb. If the server has an existing master encryption key, the key is migrated from the dsmserv.pwd file to the new key database. The automatic generation of the master encryption key and its storage in the new key database are designed to enhance system security. Server certificates are still stored in the cert.kdb key database and accessed by the stash file cert.sth.
There is no dsmkeydb.kdb file.
As per link. "During the upgrade, the newly generated master encryption key is stored in a new key database, dsmkeydb.kdb."
The key was not migrated from the dsmserv.pwd file to the new key database.
TSM:/home/tsminst1#> ls -l cert*
-rw------- 1 tsminst1 tsmsrvrs 80 Oct 10 2018 cert.crl
-rw------- 1 tsminst1 tsmsrvrs 130080 Nov 19 10:41 cert.kdb <--- exact time of upgrade
-rw------- 1 tsminst1 tsmsrvrs 80 Oct 10 2018 cert.rdb
-rw------- 1 tsminst1 tsmsrvrs 129 Oct 10 2018 cert.sth
-rw-r--r-- 1 tsminst1 tsmsrvrs 1164 Oct 10 2018 cert256.arm
TSM:/home/tsminst1#> ls -l | grep dsm
-rw-r--r-- 1 tsminst1 tsmsrvrs 0 Nov 19 12:11 .dsmserv.ilock
-rw-r--r-- 1 tsminst1 tsmsrvrs 82353796 Nov 21 05:38 dsmaccnt.log
-rw-r--r-- 1 tsminst1 tsmsrvrs 623993 Nov 20 15:26 dsmffdc.log
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048582 Feb 26 2019 dsmffdc.log.1
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.2
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.3
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.4
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.5
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.6
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.7
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048658 Feb 26 2019 dsmffdc.log.8
-rw-r--r-- 1 tsminst1 tsmsrvrs 1048680 Feb 26 2019 dsmffdc.log.9
-rw-r--r-- 1 tsminst1 tsmsrvrs 27 Oct 10 2018 dsmserv.dbid
-rw-r--r-- 1 tsminst1 tsmsrvrs 257 Oct 3 2018 dsmserv.err
-rw-r--r-- 1 tsminst1 tsmsrvrs 703 Nov 18 10:08 dsmserv.opt
-rw------- 1 tsminst1 tsmsrvrs 181 Oct 3 2018 dsmserv.pwd <--- exact time of upgrade
-rw-r--r-- 1 tsminst1 tsmsrvrs 61 Nov 19 12:11 dsmserv.v6lock
TSM:/home/tsminst1#> find / -name dsmkeydb.kdb
find: cannot open < /proc/7733746 >
find: cannot open < /proc/8061438 >
TSM:/home/tsminst1#>
Now, the HUGE problem I have is I'm unable to run db backup after upgrading the server upgrade because of those keys and two days of backups have gone through with no issues!
TSM> backup db type=dbsnapshot devclass=LTO5RDC
ANR2270E The PROTECTKEYS parameter is not enabled.
TSM> set dbrecovery lto5rdc protectkeys=no
ANR2784W Specifying PROTECTKEYS=NO requires the server's encryption keys to be backed up manually.
Do you want to proceed? (Yes (Y)/No (N)) y
ANR2782I SET DBRECOVERY completed successfully and device class for automatic DB backup is set to LTO5RDC.
TSM> backup db type=dbsnapshot devclass=LTO5RDC
ANR2270E The PROTECTKEYS parameter is not enabled.
TSM> set dbrecovery lto5rdc protectkeys=yes passw=xxxxxxx
ANR2270E The PROTECTKEYS parameter is not enabled.
I have logged a call with IBM yesterday morning after noting the backup db did not run.
Thought I will post this here as well as any suggestions will be much appreciated and I'm sure there will be some poor folk out there that will run into this same issue.