1. Community Tip: Please Give Thanks to Those Sharing Their Knowledge.
    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.
  2. Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)
    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Security settings for 8.1.2

Discussion in 'TSM Server' started by uwekoch, Oct 7, 2017.

  1. uwekoch

    uwekoch Active Newcomer

    Joined:
    Oct 6, 2017
    Messages:
    5
    Likes Received:
    0
    After installing server 8.1.2 and ba client 8.,1.2 to a new environment of 4 instances all instances worked fine.
    After the configuration of server-to-server communication between those 4 instances, the dsmadmc clients can no linger connect to the servers with message "client is down-level with this server version". But the client is 8.1.2 as well as the server.
    After removing and reregistering an admin, the session works fine until there is a server-server-session used. After that the client "is down-level" again. So it has to do with the security level of the admin's last connection.

    Any suggestions how to configure server and client to have a stable admin session possible by local dsmadmc AND by command redirection from other instance ?
     
  2.  
  3. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,831
    Likes Received:
    359
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    Have you deleted and redefined all server-to-server communications on all instances?

    Are there NO instance that are lower than 8.1.2 that an 8.1.2 instance is attempting to connect to.

    Remember that server-to-server communication is between TSM instances and as such ideally must be all on the same level. If the source instance is lower than the target instance, this would work but not vice-versa.
     
  4. uwekoch

    uwekoch Active Newcomer

    Joined:
    Oct 6, 2017
    Messages:
    5
    Likes Received:
    0
    Yes, all definitions ar enew. There are 4 instances freshly installed on 2 hw servers. 2 instances on each hw. Only these 4 instances of 8.1.2 and the tsm clients 8.1.2 are installed in this new environment.
    Currently inst0 and inst1 can communicate in both directions, inst2 and inst3 also communicate in both directions. (tested with ping server ...)
    But inst2 can ping to inst0 and inst1 but not from inst0 to inst2 or inst3
    and also inst 3 can ping inst0 and inst1 but not from inst0 or inst1 to inst3
    All ssl keys have been added on all machines and all admins are registered newly with the same parameters.

    But from inst1 to inst2 the ping answers:
    Protect: SRVBCK01>ping server srvbck02
    ANR1705W A ping request to server 'SRVBCK02' was not able to establish a connection by using administrator credentials.
    ANS8001I Rückkehrcode 4.
     
  5. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,831
    Likes Received:
    359
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    Have you set the server password on all instances at the same one?

    If you have not, delete all server-to-server settings, set the server password to the same on all, and redefine.
     
  6. uwekoch

    uwekoch Active Newcomer

    Joined:
    Oct 6, 2017
    Messages:
    5
    Likes Received:
    0

    And an additional question :

    Ususally all servers should have the same version for server-to-server-communication, thats clear.

    But here the customer wants to export data from an old (outdated, unsupported) version 6.2.3.100 to one of the new instances with 8.1.2.
    would this be possible by server-to-server-communication, or only be export/import tape or file ?

    (Customer knows that 6.2.3.100 is unsupported, but the data on it are still needed and should be transferred to 8.1.2)
     
  7. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,831
    Likes Received:
    359
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    Yes - see my original reply.
     
  8. uwekoch

    uwekoch Active Newcomer

    Joined:
    Oct 6, 2017
    Messages:
    5
    Likes Received:
    0
    The server passwords are all the same, and also the the admin password.
    It is not yet in production, so it's easier this way.
     
  9. uwekoch

    uwekoch Active Newcomer

    Joined:
    Oct 6, 2017
    Messages:
    5
    Likes Received:
    0
    I've seen it, but I explicitely wanted to know if an export from 6.2.3.100 to 8.1.2 will work.
    6.2.3.100 is listed in no current compatibility matrix any more,s ince it is out of support.
    But there was a large change between 6.2.3 and 6.3. as far as I remember. So maybe there could be an issue.
     
  10. roger

    roger ADSM.ORG Member

    Joined:
    Dec 4, 2003
    Messages:
    29
    Likes Received:
    10
    You've got bigger problems, involving certificates and administrator IDs. Read this: http://www-01.ibm.com/support/docview.wss?uid=swg22004844

    There's been a big discussion over on the ADSM-L email list about the problems with the security upgrades in TSM/ISP versions 7.1.8, 8.1.2, and 8.1.3.
     
  11. ILCattivo

    ILCattivo ADSM.ORG Member

    Joined:
    Jul 9, 2013
    Messages:
    86
    Likes Received:
    2
    Location:
    Oxford, United Kingdom
    So reading this thread is a little concerning for me...

    Having rigorously cross referenced this IBM article.. http://www-01.ibm.com/support/docview.wss?uid=swg21053218

    Are we now saying that current 7.1.x (non 7.1.8) clients sitting on Windows 2008 Servers will not be able to connect to a new ISP 8.1.2 Server using it's current standard communication method that it's been using to talk to a 7.1.5 Server?
     
  12. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,567
    Likes Received:
    358
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    No. Older clients will be able to connect to an 8.1.2 server.

    https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/srv.admin/c_adm_sec_ovr.html
    https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.2/client/c_sec_upg_serv_client_fast_path.html
     

Share This Page