• Please help support our sponsors by considering their products and services.
    Our sponsors enable us to serve you with this high-speed Internet connection and fast webservers you are currently using at ADSM.ORG.
    They support this free flow of information and knowledge exchange service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions
  • Community Tip: Please Give Thanks to Those Sharing Their Knowledge.

    If you receive helpful answer on this forum, please show thanks to the poster by clicking "LIKE" link for the answer that you found helpful.

  • Community Tip: Forum Rules (PLEASE CLICK HERE TO READ BEFORE POSTING)

    Click the link above to access ADSM.ORG Acceptable Use Policy and forum rules which should be observed when using this website. Violators may be banned from this website. This notice will disappear after you have made at least 3 posts.

Use Domain Or Local Account For ISP Initial Configuration?

jayp2200

ADSM.ORG Member
Error 168 is either an API issue or the password. You ruled out the API by making sure you are now running the same fix pack level (first 3 numbers of 8.1.6).

That leaves the password, which is step 4 here: https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.0/srv.install/t_srv_prep_dbmgr-windows.html
OK so now I was able to get the database restored finally. However, now I am running into some further issues, and I'm wondering if it is partially related to the option used:

So I am using the recovery plan document that is usually generated by a script for us every day. In it, it tells me to run the following command for the restore:

"directory_path\DSMSERV" -k "instance_name" restore db todate=mm/dd/yyyy totime=hh:mm:ss source=dbb RESTOREKEYS=NO

My first question for this would be... If I tell it "RESTOREKEYS=YES" then which password would need to be used exactly?

Next, after I used the command above to restore the database, it then tells me to start the server using the command "start "instance_name" "dir_path\DSMSERV" -k "instance_name""

If I do that, I see several errors including:

ANR0110E An unexpected system date has been detected; the server is disabled

My second question is... Are these two topics sort of related? If not, then how do I enter the ACCEPT DATE command if I can't log in using the admin command line with the admin account I had been using all along prior to the cyberattack?
 

Phil_02GT

ADSM.ORG Senior Member
Stop the TSM server service. Then, login as the instance owner as per documentation:
  1. Change to the directory where the server is installed. For example, change to the c:\program files\tivoli\tsm\server directory.
  2. Enter the following command: dsmserv -k instance_name
Now you will be loggeg in the console. ACCEPT DATE and fix your account/password issue.
When done, just type HALT to stop the TSM server. Restart it using the service.
 

jayp2200

ADSM.ORG Member
Stop the TSM server service. Then, login as the instance owner as per documentation:
  1. Change to the directory where the server is installed. For example, change to the c:\program files\tivoli\tsm\server directory.
  2. Enter the following command: dsmserv -k instance_name
Now you will be loggeg in the console. ACCEPT DATE and fix your account/password issue.
When done, just type HALT to stop the TSM server. Restart it using the service.
OK well I am able to enter the ACCEPT DATE command successfully, and I will fix the account/password issue later. For now though, what are the next steps to restore the actual data from copypool storage?
 

jayp2200

ADSM.ORG Member
OK well I am able to enter the ACCEPT DATE command successfully, and I will fix the account/password issue later. For now though, what are the next steps to restore the actual data from copypool storage?
Never mind that part. I see further down in the disaster recovery document where it says to run some macros.

Problem is, when I try to run the macro commands, it doesn't like the -ITEMCOMMIT" parameter for some reason. Instead, I get the error ANR2004E Missing value for keyword parameter -ITEMCOMMIT

One of the commands it tells me to run is:

dsmadmc -id=%1 -pass=%2 -ITEMCOMMIT -OUTFILE="dir_path\IBMTSM01.PRIMARY.VOLUMES.DESTROYED.LOG" macro "dir_path\IBMTSM01.PRIMARY.VOLUMES.DESTROYED.MAC"

It doesn't matter what I put for the ID and password, it just gives me the same error. Therefore I am reduced to running all the commands in the macro files manually, which you can imagine will take a very long time.

Any idea on how I can format the command to get it to actually run the macros?
 

marclant

ADSM.ORG Moderator
The ID and password is a Spectrum Protect administrator ID and password. Same you used to connect to dsmadmc manually to execute the commands manually.
 

jayp2200

ADSM.ORG Member
The ID and password is a Spectrum Protect administrator ID and password. Same you used to connect to dsmadmc manually to execute the commands manually.
I can only use the SERVER_CONSOLE user since no other admin logins work at this point, considering we did not have a backup of the encryption key files.

So if I try anything related to the admin accounts configured in the system, I only get the error:

ANR9999D_3855409967 secUpdatePassword(secpwd.c:393) Thread<178>: Unable to get key of type 3:256


Is there really no way around this and we are just screwed since I don't have the key files?
 

jayp2200

ADSM.ORG Member
Have you tried something like this ?
update admin admin_name SESSIONSECurity=TRANSitional
Just tried that, and it will set the session security parameter on the admin account as transitional, but that doesn't make a difference as far as resetting its password or accessing anything else node related. If I try to log in with that admin, I just see the errors:

ANR0150E Failed to open admin XXXXX. There was an error decrypting the Admin password.
ANR0423W Session xx for administrator XXXXX refused - administrator name not registered.

Of course the account is registered because if I run the q admin command, I see it there. So I just can't get around the missing encryption keys issue... *sigh*
 

jayp2200

ADSM.ORG Member
Just tried that, and it will set the session security parameter on the admin account as transitional, but that doesn't make a difference as far as resetting its password or accessing anything else node related. If I try to log in with that admin, I just see the errors:

ANR0150E Failed to open admin XXXXX. There was an error decrypting the Admin password.
ANR0423W Session xx for administrator XXXXX refused - administrator name not registered.

Of course the account is registered because if I run the q admin command, I see it there. So I just can't get around the missing encryption keys issue... *sigh*

Yep, we're screwed. This confirms it:



Well, thanks for all your help and effort anyway guys. I really do appreciate it!
 

Advertise at ADSM.ORG

If you are reading this, so are your potential customer. Advertise at ADSM.ORG right now.

UpCloud high performance VPS at $5/month

Get started with $25 in credits on Cloud Servers. You must use link below to receive the credit. Use the promo to get upto 5 month of FREE Linux VPS.

The Spectrum Protect TLA (Three-Letter Acronym): ISP or something else?

  • Every product needs a TLA, Let's call it ISP (IBM Spectrum Protect).

    Votes: 18 18.4%
  • Keep using TSM for Spectrum Protect.

    Votes: 60 61.2%
  • Let's be formal and just say Spectrum Protect

    Votes: 12 12.2%
  • Other (please comement)

    Votes: 8 8.2%

Forum statistics

Threads
31,716
Messages
135,196
Members
21,721
Latest member
abucci63
Top