Can I restore TSM DB (v8.1.4) without master key?

rpandey


Hi,
My TSM DB recovery was set up with "Protect Master Encryption Key = No". I have not backed up the master key. The server instance, DB, and active log directories were wiped because the wrong LUN was used for the flash copy. I have reconfigured the server and am able to restore the DB. But I am not able to access the server, as it is complaining about not finding the key to decrypt. Is there a way to get access to the server without the master key?
 

I think you can restore the DB using "RESTOREKeys=No", but you won't be able to access data in storage pools that are encrypted.

What's the exact error message you get regarding the master key?
Do you have container pools with encryption enabled?
 

Yes, I am able to restore the DB using "RESTOREKeys=No", but admin and client connections with the server are refused with the errors below.

anr8599w the connection with <Node_Name>:33395 failed due to an untrusted server certificate
ans8023e unable to establish session with server
anr8583e an ssl socket-initialization error occurred on session 4. the gskit return code is 414 gsk_error_bad_cert
 

Ah, that has nothing to do with the master key. It's the SSL certificate between the client and server that is untrusted. Not sure how to fix it though.
 

Now, when I try to restart the server in the foreground, I receive the error below:

ANR7800I DSMSERV generated at 15:52:10 on Nov 17 2017.

IBM Spectrum Protect for AIX
Version 8, Release 1, Level 4.000

Licensed Materials - Property of IBM

(C) Copyright IBM Corporation 1990, 2017.
All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corporation.

ANR7801I Subsystem process ID is 7341672.
ANR0900I Processing options file /tsm/UDCPRD1/dsmserv.opt.
ANR7811I Using instance directory /tsm/UDCPRD1.
ANR8587E The server was not able to create the SSL self-signed certificate.
The GSKit key management return code is 23.
 

Thanks. Here are more errors.

During instance restart in the foreground:

09/12/18 22:31:33 ANR3339I Default Label in key data base is TSM Server SelfSigned SHA Key.
09/12/18 22:31:33 ANR4726I The ICC support module has been loaded.
09/12/18 22:31:33 ANR0990I Server restart-recovery in progress.
09/12/18 22:31:35 ANR0152I Database manager successfully started.
09/12/18 22:32:24 ANR1628I The database manager is using port 51530 for server connections.
09/12/18 22:32:27 ANR2284S The server master encryption key has changed. Passwords protected with the previous master encryption key are not available.

=========

After restarting the server process in the foreground:

ANR8583E An SSL socket-initialization error occurred on session 24. The GSKit return code is 414 GSK_ERROR_BAD_CERT.

Any idea how to fix this issue?
 

09/12/18 22:32:27 ANR2284S The server master encryption key has changed. Passwords protected with the previous master encryption key are not available.
You said you are not encrypting storage pools, so this should not be an issue. If some nodes or administrators cannot log in, you can follow this: https://www.ibm.com/support/knowledgecenter/en/SSEQVQ_8.1.5/srv.msgs/AND2284S.html

ANR8583E An SSL socket-initialization error occurred on session 24. The GSKit return code is 414 GSK_ERROR_BAD_CERT.
This means:
"414 - GSK_ERROR_BAD_CERT Incorrectly formatted certificate received from partner. "
source: https://www.ibm.com/support/knowled...ics.tx.doc/reference/r_gskit_error_codes.html

The help on ANR8583E says to reconfigure the client for SSL: https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/client/t_cfg_ssl.html

There are 2 sections, depending on whether you use your own certificate or a self-signed one.
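
An added example, not part of any post in this thread and not IBM code: a small Python triage that groups the messages quoted above into the two separate causes the replies identify (a changed master encryption key versus TLS certificate trust), handling the lower-case client output and the return code that wraps onto its own line. The `CAUSES` table and the function name are assumptions made for illustration; the log lines are copied from the posts.

```python
import re
from collections import defaultdict

# Message IDs quoted in the thread, grouped by the cause the replies point to.
CAUSES = {
    "ANR2284S": "master-key",  # master encryption key has changed
    "ANR8599W": "tls-cert",    # untrusted server certificate
    "ANR8583E": "tls-cert",    # SSL socket-initialization error
    "ANR8587E": "tls-cert",    # could not create self-signed certificate
    "ANS8023E": "tls-cert",    # client unable to establish session
}
MSG_RE = re.compile(r"\b(AN[RS])(\d{4})([A-Z])\b", re.IGNORECASE)
GSK_RE = re.compile(r"return code is (\d+)(?:\s+(GSK_\w+))?", re.IGNORECASE)

def triage(lines):
    """Group known messages by cause; attach any GSKit return code found."""
    findings = defaultdict(list)
    current = None  # last known message, so a wrapped line can add its code
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            msg_id = "".join(m.groups()).upper()  # client output may be lower-case
            cause = CAUSES.get(msg_id)
            current = None
            if cause is None:
                continue  # informational or unlisted message: ignore
            current = {"id": msg_id, "gsk_code": None, "gsk_name": None}
            findings[cause].append(current)
        if current is not None:
            g = GSK_RE.search(line)
            if g:
                current["gsk_code"] = int(g.group(1))
                current["gsk_name"] = g.group(2).upper() if g.group(2) else None
    return dict(findings)

# Lines copied from the posts above (server log and client output mixed).
SAMPLE = """\
anr8599w the connection with <Node_Name>:33395 failed due to an untrusted server certificate
ans8023e unable to establish session with server
anr8583e an ssl socket-initialization error occurred on session 4. the gskit return code is 414 gsk_error_bad_cert
ANR8587E The server was not able to create the SSL self-signed certificate.
The GSKit key management return code is 23.
09/12/18 22:32:24 ANR1628I The database manager is using port 51530 for server connections.
09/12/18 22:32:27 ANR2284S The server master encryption key has changed. Passwords protected with the previous master encryption key are not available.
""".splitlines()

if __name__ == "__main__":
    for cause, items in triage(SAMPLE).items():
        print(cause, [(i["id"], i["gsk_code"], i["gsk_name"]) for i in items])
```
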
 