• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

dsmadmc - ANS1357S Session rejected: Downlevel client code version

Teet

ADSM.ORG Member
#1
Environment:
TSM 8.1.3.0, recently upgraded from 7.1.8.0
Problem:
After upgrading TSM from 7.1.8.0 to 8.1.3.0 for a while dsmadmc worked fine with client version 7.1.x.x but from some random moment dsmadmc refused to connect with an error message:

ANS1357S Session rejected: Downlevel client code version
ANS8023E Unable to establish session with server.

ANS8002I Highest return code was 57.

TSM Server actlog also displays:

ANR0404W Session 1209 for administrator IGOR.ADMIN (WinNT) refused - client is down-level with this server version. (SESSION: 1209)

This error occurs with dsmadmc of client 7.1.4.0 and 8.1.0.2 (the latest). TSM OP Center works fine and also the command builder.

Thanks for any advice, this is quite urgent.

Teet Saar.
 

Teet

ADSM.ORG Member
#3
When creating a new admin user, logging in with that user works, even with 7.1.4.0 dsmadmc client. There isn't any replication servers set up but this problem seems to be similar with this https://adsm.org/forum/index.php?threads/security-settings-for-8-1-2.32096/, so can there be a security setting that somehow blocked some admin users login?

Currently a workaround is to recreate all admin-users from the command builder, but a workaround is a workaround and not the real solution.

Teet Saar.
 

Teet

ADSM.ORG Member
#5

Teet

ADSM.ORG Member
#6
Update, it seems that after a while the users session security attribute changes back to strict, maybe some server setting is overriding it?

Teet Saar.
 

marclant

ADSM.ORG Moderator
#7
If you upgrade the machines where you use dsmadmc to a supported 7.1.8+ or 8.1.2+ they will work fine. Transitional means in transition until you upgrade to a current client that supports new security features. Once you connect with a current client it switches it from transitional to strict (the transition is considered over), therefore if you go to a different machine and use an older client (dsmadmc), it will give you that error.
 

Teet

ADSM.ORG Member
#8
If you upgrade the machines where you use dsmadmc to a supported 7.1.8+ or 8.1.2+ they will work fine. Transitional means in transition until you upgrade to a current client that supports new security features. Once you connect with a current client it switches it from transitional to strict (the transition is considered over), therefore if you go to a different machine and use an older client (dsmadmc), it will give you that error.
But I am getting the prementioned error even with version 8.1.0.2 dsmadmc, does the dsm.opt need some extra parameters other than
NODENAME, TCPSERVERADDRESS, TCPCLIENTADDRESS, TCPADMINPORT and TCPPORT?

Teet Saar.
 

marclant

ADSM.ORG Moderator
#9
8.1.0.2 is older than 8.1.2.0 when the new security features were implemented. Once an admin ID connects to a Spectrum Protect at 8.1.2 or higher, you can only connect using machines that have the client (which includes dsmadmc) 8.1.2.0 or greater installed.
upload_2017-10-23_15-52-34.png
source: http://www-01.ibm.com/support/docview.wss?uid=swg22004844#a_0

I recommend you review the Release Notes and the ReadMe with server 8.1.2 and 8.1.3. There's a lot of details with the new security features that are important to understand.
 

Teet

ADSM.ORG Member
#10
Hello again, I've reviewed the article and understood the new security features, I've managed to find only the 8.1.0.2 older client under 'patches' but the latest client 8.1.2.0 was under 'maintenance' category on the IBM FTP site. Anyway after installing 8.1.2.0 client and dsmadmc everything worked like a charm, it seems that the 8.1.0.2 invokes the server settings to strict and tls 1.2 but itself the 8.1.0.2 client doesn't support the new security features and as previously mentioned with 8.1.2.0 everything started working.

Thanks a lot for the help and explanation/clarification.

Teet Saar.
 

scr1pt

ADSM.ORG Member
#11
Hello again, I've reviewed the article and understood the new security features, I've managed to find only the 8.1.0.2 older client under 'patches' but the latest client 8.1.2.0 was under 'maintenance' category on the IBM FTP site. Anyway after installing 8.1.2.0 client and dsmadmc everything worked like a charm, it seems that the 8.1.0.2 invokes the server settings to strict and tls 1.2 but itself the 8.1.0.2 client doesn't support the new security features and as previously mentioned with 8.1.2.0 everything started working.

Thanks a lot for the help and explanation/clarification.

Teet Saar.
8.1.0.2 does not invoke sessionsec=strict, the admin ID was probably authenticating with the server from a 8.1.2 client else-where or you were doing "tsmsrv1> tsmsrv2: <some command>" where tsmsrv2 is 8.1.2 or higher then it will also set it to strict (not sure if this is a bug or by design) - that will happen even when using dsmadmc with lower than 8.1.2 in version.

If you are curious about why you will probably find out why in the activity log.
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 17 19.5%
  • Keep using TSM for Spectrum Protect.

    Votes: 53 60.9%
  • Let's be formal and just say Spectrum Protect

    Votes: 10 11.5%
  • Other (please comement)

    Votes: 7 8.0%

Forum statistics

Threads
31,468
Messages
134,118
Members
21,568
Latest member
MESSID
Top