• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Can i restore TSM DB (v8.1.4) without master key?

rpandey

ADSM.ORG Member
#1
Hi,
My TSM DB recover setup with "Protect Master Encryption Key = No." I have not backed up the master key. Server instance, db, active log directories wiped by wrong LUN is used for the flash copy. I have reconfigured the server and able to restore the DB. But i am not able to access to the server as it is complaining about not found the key to decrypt. Is there is a way to get access to the server without master key?
 

marclant

ADSM.ORG Moderator
#3
I think you can restore the DB using "RESTOREKeys=No", but you won't be able to access data in storage pools that are encrypted.

What's the exact error message you get regarding the master key?
Do you have container pools with encryption enabled?
 

rpandey

ADSM.ORG Member
#4
Yes i am able to restore DB using "RESTOREKeys=No", but admin and client connection with server refused with below error.

anr8599w the connection with <Node_Name>:33395 failed due to an untrusted server certificate
ans8023e unable to establish session with server
anr8583e an ssl socket-initialization error occurred on session 4. the gskit return code is 414 gsk_error_bad_cert
 

marclant

ADSM.ORG Moderator
#6
Ah, that has nothing to do with the master key. It's the SSL certificate between the client and server that is untrusted. Not sure how to fix it though.
 

rpandey

ADSM.ORG Member
#8
Now, when i try to restart the server on foreground, received below error

ANR7800I DSMSERV generated at 15:52:10 on Nov 17 2017.

IBM Spectrum Protect for AIX
Version 8, Release 1, Level 4.000

Licensed Materials - Property of IBM

(C) Copyright IBM Corporation 1990, 2017.
All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corporation.

ANR7801I Subsystem process ID is 7341672.
ANR0900I Processing options file /tsm/UDCPRD1/dsmserv.opt.
ANR7811I Using instance directory /tsm/UDCPRD1.
ANR8587E The server was not able to create the SSL self-signed certificate.
The GSKit key management return code is 23.
 

rpandey

ADSM.ORG Member
#10
Thanks. Here is more error

During instance restart on foreground

09/12/18 22:31:33 ANR3339I Default Label in key data base is TSM Server SelfSigned SHA Key.
09/12/18 22:31:33 ANR4726I The ICC support module has been loaded.
09/12/18 22:31:33 ANR0990I Server restart-recovery in progress.
09/12/18 22:31:35 ANR0152I Database manager successfully started.
09/12/18 22:32:24 ANR1628I The database manager is using port 51530 for server connections.
09/12/18 22:32:27 ANR2284S The server master encryption key has changed. Passwords protected with the previous master encryption key are not available.

=========

after restart the server process on foreground

ANR8583E An SSL socket-initialization error occurred on session 24. The GSKit return code is 414 GSK_ERROR_BAD_CERT.





Anye Idea how to fix this issue?
 

marclant

ADSM.ORG Moderator
#11
09/12/18 22:32:27 ANR2284S The server master encryption key has changed. Passwords protected with the previous master encryption key are not available.
You said you are not encrypting storage pools, so this should not be an issue. It some nodes or administrators cannot login, you can follow this: https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.5/srv.msgs/AND2284S.html

ANR8583E An SSL socket-initialization error occurred on session 24. The GSKit return code is 414 GSK_ERROR_BAD_CERT.
This means:
"414 - GSK_ERROR_BAD_CERT Incorrectly formatted certificate received from partner. "
source: https://www.ibm.com/support/knowled...ics.tx.doc/reference/r_gskit_error_codes.html

The help on ANR8583E says to reconfigure the client for SSL: https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/client/t_cfg_ssl.html

There's 2 sections depending if you use your own certificate or self-signed.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 18 20.0%
  • Keep using TSM for Spectrum Protect.

    Votes: 55 61.1%
  • Let's be formal and just say Spectrum Protect

    Votes: 10 11.1%
  • Other (please comement)

    Votes: 7 7.8%

Forum statistics

Threads
31,505
Messages
134,278
Members
21,590
Latest member
madebi
Top