IT33114: CLOUD TRANSFER PROCESS FAILS WITH ANR3701E CANNOT CONNECT TO THECLOUD SERVICE PROVIDER FOR CREATE CONTAINER OPERATION

相关文章推荐

大力的砖头 · Amazon.com: ECCPP ABS ...· 1 月前 ·

紧张的红金鱼 · 响应 CheckBox 单击 - ...· 1 年前 ·

慷慨大方的花卷 · 你可以使用 Guzzle HTTP ...· 1 年前 ·

茫然的风衣 · Radio Button——iOS单选按钮 ...· 1 年前 ·

To return expected results, you can:

Reduce the number of search terms. Each term you use focuses the search further.

Check your spelling. A single misspelled or incorrectly typed term can change your result.

Try substituting synonyms for your original terms. For example, instead of searching for "java classes", try "java training"

Did you search for an IBM acquired or sold product ? If so, follow the appropriate link below to find the content you need.

8.1.11.000-IBM-SPSRV-WindowsX64
8.1.11.000-IBM-SPSRV-Linuxx86_64
8.1.11.000-IBM-SPSRV-Linuxs390x
8.1.11.000-IBM-SPSRV-Linuxppc64le
8.1.11.000-IBM-SPSRV-AIX
IBM Spectrum Protect Server V8.1 Fix Pack 11 (V8.1.11) Downloads

Cloud transfer processing may fail to specific cloud providers
with message ANR3701E Cannot connect to the cloud service
provider for the create container operation on the CLOUD.POOL
storage pool.
A server trace using the SDCLOUD SDCLOUDJ
SDCLOUDDETAIL trace classes will show the following:
tsmt1.bk1.
test/c61-a577772e38d011e289c5086380548865-L.
11:05:41.866
[180][jvm.c][1736][JavaSideTrace]:E
com.tivoli.dsm.cloud.api.ProviderS3 handleException Exception:
com.amazonaws.SdkClientException: Unable to execute HTTP
request: Received fatal alert: handshake_failure Unable to
execute HTTP request: Received fatal alert: handshake_failure
om.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryab
leException(AmazonHttpClient.java:1175)
	com.amazonaws.http.Amaz
onHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java
:1121)
	com.amazonaws.http.AmazonHttpClient$RequestExecutor.doEx
ecute(AmazonHttpClient.java:770)
	com.amazonaws.http.AmazonHttpC
lient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744
	com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(A
mazonHttpClient.java:726)
	com.amazonaws.http.AmazonHttpClient$R
equestExecutor.access$500(AmazonHttpClient.java:686)
	com.amazon
aws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(Am
azonHttpClient.java:668)
	com.amazonaws.http.AmazonHttpClient.ex
ecute(AmazonHttpClient.java:532)
	com.amazonaws.http.AmazonHttpC
lient.execute(AmazonHttpClient.java:512)
	com.amazonaws.services
.s3.AmazonS3Client.invoke(AmazonS3Client.java:4920)
	com.amazona
ws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4866)
com.amazonaws.services.s3.AmazonS3Client.getAcl(AmazonS3Client.j
ava:3893)
	com.amazonaws.services.s3.AmazonS3Client.getBucketAcl
(AmazonS3Client.java:1226)
	com.amazonaws.services.s3.AmazonS3Cl
ient.getBucketAcl(AmazonS3Client.java:1216)
	com.amazonaws.servi
ces.s3.AmazonS3Client.doesBucketExistV2(AmazonS3Client.java:1352
	com.tivoli.dsm.cloud.api.S3Client.doesBucketExist(S3Client.ja
va:858)
	com.tivoli.dsm.cloud.api.ProviderS3.createContainer(Pro
viderS3.java:633)
	com.tivoli.dsm.cloud.api.ProviderS3.createCon
tainer(ProviderS3.java:608)
	com.tivoli.dsm.cloud.api.CloudHandl
er.createContainer(CloudHandler.java:580)
11:05:41.869
[3][ffdcutil.c][432][FFDCLogThread]:[05-06-2020 11:05:41.869][
FFDC_GENERAL_SERVER_ERROR ]: (jvm.c:1786)
com.tivoli.dsm.cloud.api.ProviderS3 handleException
com.amazonaws.SdkClientException Unable to execute HTTP
request: Received fatal alert: handshake_failure
11:05:41.869
[180][jvm.c][1736][JavaSideTrace]:<
com.tivoli.dsm.cloud.api.ProviderS3 createContainer rc =
NotConnected (1)
11:05:41.870
[3][ffdcutil.c][443][FFDCLogThread]:newpos=947855
maxSize=1048576
11:05:41.870
[180][jvm.c][1736][JavaSideTrace]:<
com.tivoli.dsm.cloud.api.CloudHandler createContainer rc =
NotConnected (1)
11:05:41.870
[180][sdcloud.c][6101][PrintJavaError]:Entering
11:05:41.871
[180][sdcloud.c][6137][PutConsoleMsg]:ANR3701E Cannot connect
to the cloud service provider for the create container
operation on the CLOUD.POOL storage pool.~
11:05:41.871
[180][sdcloud.c][6307][PrintJavaError]:Exit
11:05:41.871
[180][sdcloud.c][5647][CloudCreateContainer]:Exit:
rc=2903
11:05:41.872
[180][sdcloud.c][2208][SdCloudCreateContainer]:Exit:
rc=2903
11:05:41.872
[180][sdcloud.c][2736][SdCloudUploadFile]:not attached
indication of a handshake failure is the primary key that the
issue addressed by this APAR is being seen.
Note that there
are other possible reasons for the handshake failure to occur
that this APAR will not address. This APAR addresses the
problem that the cloud provider (which in the reporting
customer's case was the validated provider Wasabi) was only
allowing the GCM algorithms which the server had disabled.
Review of the java security file
(/opt/tivoli/tsm/jre/lib/security) to determine if the GCM
algorithm is disabled. It will be listed in the line in the
security file starting with jdk.tls.disabledAlgorithms=
Example
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH keySize
< 2048,  EC keySize < 256, DSS, 3DES_EDE_CBC, DES, DESede, RC4,
MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA256,
SSL_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, GCM
Note the last
disabled algorithm in this list is GCM.
The handshake failure
from the trace AND the GCM algorithm being disabled is
indicative of this APAR being the reason for the ANR3701E cloud
service connection failure.
Spectrum Protect Versions
Affected:
IBM Spectrum Protect server at 8.1.2 and
above.
Initial Impact:: Medium
Additional Keywords: (please
include the case number in any case)
TSM TS003639792
Local fix
Remove the GCM algorithm from being excluded in the java
security file (/opt/tivoli/tsm/jre/lib/security):
Edit the
java.security file, changing this line to remove the GCM
entry
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DH
keySize < 2048,  EC keySize < 256, DSS, 3DES_EDE_CBC, DES,
DESede, RC4, MD5, SHA1, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA256,
SSL_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_AES_256_GCM_SHA384, anon, NULL, GCM
Remove only
the GCM part and the associated/preceding comma as
needed.
Then restart the IBM Spectrum Protect server.
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* All IBM Spectrum Protect server users with cloud storage     *
* pools connected to service providers restricting certian TLS *
* algorithms.                                                  *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See error description.                                       *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fixing level when available. This problem is currently *
* projected to be fixed in level 8.1.11. Note that this is     *
* subject to change at the discretion of IBM.                  *
****************************************************************
Problem conclusion
This problem was fixed.
Affected platforms for reported release:  AIX, Linux, and
Windows.
Platforms fixed:  AIX, Linux, and Windows.
Temporary fix
Comments
APAR Information
APAR number
IT33114
Reported component name
TSM SERVER
Reported component ID
5698ISMSV
Reported release
81L
Status
CLOSED  PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-06-08
Closed date
2020-07-27
Last modified date
2021-11-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TSM SERVER
Fixed component ID
5698ISMSV
Applicable component levels