dsmadmc - ANS1357S Session rejected: Downlevel client code version

[Teet]

Environment:
TSM 8.1.3.0, recently upgraded from 7.1.8.0
Problem:
After upgrading TSM from 7.1.8.0 to 8.1.3.0 for a while dsmadmc worked fine with client version 7.1.x.x but from some random moment dsmadmc refused to connect with an error message:

ANS1357S Session rejected: Downlevel client code version
ANS8023E Unable to establish session with server.

ANS8002I Highest return code was 57.

TSM Server actlog also displays:

ANR0404W Session 1209 for administrator IGOR.ADMIN (WinNT) refused - client is down-level with this server version. (SESSION: 1209)

This error occurs with dsmadmc of client 7.1.4.0 and 8.1.0.2 (the latest). TSM OP Center works fine and also the command builder.

Thanks for any advice, this is quite urgent.

Teet Saar.

 

[Teet]

Also to mention that dsmc works fine and connects without errors, the problem is only with dsmadmc.

Teet Saar.

 

[Teet]

When creating a new admin user, logging in with that user works, even with 7.1.4.0 dsmadmc client. There isn't any replication servers set up but this problem seems to be similar with this https://adsm.org/forum/index.php?threads/security-settings-for-8-1-2.32096/, so can there be a security setting that somehow blocked some admin users login?

Currently a workaround is to recreate all admin-users from the command builder, but a workaround is a workaround and not the real solution.

Teet Saar.

 

[marclant]

Here you go: http://www-01.ibm.com/support/docview.wss?uid=swg22004844#a_0

 

[Teet]

Problem solved, updated all admin users with the following command:

update admin *.admin sessionsecurity=transitional

Here you go: http://www-01.ibm.com/support/docview.wss?uid=swg22004844#a_0

I've already executed these commands when communication between TSM OC and TSM somehow broke after updating from 7.1 to 8.1 as described here https://www.ibm.com/support/knowled...nstall.doc/t_oc_inst_ssl_configure_ochub.html

 

[Teet]

Update, it seems that after a while the users session security attribute changes back to strict, maybe some server setting is overriding it?

Teet Saar.

 

[marclant]

If you upgrade the machines where you use dsmadmc to a supported 7.1.8+ or 8.1.2+ they will work fine. Transitional means in transition until you upgrade to a current client that supports new security features. Once you connect with a current client it switches it from transitional to strict (the transition is considered over), therefore if you go to a different machine and use an older client (dsmadmc), it will give you that error.

 

[Teet]

If you upgrade the machines where you use dsmadmc to a supported 7.1.8+ or 8.1.2+ they will work fine. Transitional means in transition until you upgrade to a current client that supports new security features. Once you connect with a current client it switches it from transitional to strict (the transition is considered over), therefore if you go to a different machine and use an older client (dsmadmc), it will give you that error.

But I am getting the prementioned error even with version 8.1.0.2 dsmadmc, does the dsm.opt need some extra parameters other than
NODENAME, TCPSERVERADDRESS, TCPCLIENTADDRESS, TCPADMINPORT and TCPPORT?

Teet Saar.

 

[marclant]

8.1.0.2 is older than 8.1.2.0 when the new security features were implemented. Once an admin ID connects to a Spectrum Protect at 8.1.2 or higher, you can only connect using machines that have the client (which includes dsmadmc) 8.1.2.0 or greater installed.

source: http://www-01.ibm.com/support/docview.wss?uid=swg22004844#a_0

I recommend you review the Release Notes and the ReadMe with server 8.1.2 and 8.1.3. There's a lot of details with the new security features that are important to understand.

 

[Teet]

Hello again, I've reviewed the article and understood the new security features, I've managed to find only the 8.1.0.2 older client under 'patches' but the latest client 8.1.2.0 was under 'maintenance' category on the IBM FTP site. Anyway after installing 8.1.2.0 client and dsmadmc everything worked like a charm, it seems that the 8.1.0.2 invokes the server settings to strict and tls 1.2 but itself the 8.1.0.2 client doesn't support the new security features and as previously mentioned with 8.1.2.0 everything started working.

Thanks a lot for the help and explanation/clarification.

Teet Saar.

 

[scr1pt]

Hello again, I've reviewed the article and understood the new security features, I've managed to find only the 8.1.0.2 older client under 'patches' but the latest client 8.1.2.0 was under 'maintenance' category on the IBM FTP site. Anyway after installing 8.1.2.0 client and dsmadmc everything worked like a charm, it seems that the 8.1.0.2 invokes the server settings to strict and tls 1.2 but itself the 8.1.0.2 client doesn't support the new security features and as previously mentioned with 8.1.2.0 everything started working.

Thanks a lot for the help and explanation/clarification.

Teet Saar.

8.1.0.2 does not invoke sessionsec=strict, the admin ID was probably authenticating with the server from a 8.1.2 client else-where or you were doing "tsmsrv1> tsmsrv2: <some command>" where tsmsrv2 is 8.1.2 or higher then it will also set it to strict (not sure if this is a bug or by design) - that will happen even when using dsmadmc with lower than 8.1.2 in version.

If you are curious about why you will probably find out why in the activity log.