V7R1, R&D LPAR, 8205, 10k spinny, adequate resources, SI57922 applied on 9/22/15, no issues with admin instances.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, September 29, 2015 8:55 AM
To: Midrange Systems Technical Discussion
Subject: Re: IBM ADMIN Instance Error

I just put on PTFs the weekend of 2015-09-18 and could not get into my admin instance http://myibmi:2001. This affected both my 7.1 and 7.2 lpars.
I remembered this recent thread (but couldn't search for it for the life of me!). I ended up just going backwards through the archive website. I knew it was very recent.
Thanks to Bryan Dietz for his posting of
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020397
And thanks to Nadir Amra for the posting of the PTFs at that location.
SI57921 V6R1M0
SI57922 V7R1M0
SI57923 V7R2M0

I did one lpar by hand as per the instructions. That worked fine.
I did another lpar by following the cover letter for SI57923. That worked. I even checked the stuff listed in the manual steps and it is identical. The second lpar seemed to have some quirks first starting and I was getting internal server error. Then again the first lpar is on an 824 with all SSD and adequate memory and processor. The second lpar is a 'sandbox' lpar on an 814 with spinning disks and much less memory and processor. After a while it worked fine.

I suspect that SI57923 may not make it to a cume or group just in case people are using ancient browsers. Therefore you may have to continue to order this separately. Then again, they had no problem issuing the PTF which broke it for the new browsers (or was it a Windows patch roll out which blew this out of the water?).

CORRECTION FOR APAR SE62802 :
-----------------------------
Need to automatically disable SSL Version 3 for
the HTTP ADMIN server, so that port 2005 will
only use TLS. This is to address concerns about
CVE-2014-3566 (POODLE).

SPECIAL INSTRUCTIONS :
----------------------

In order for the admin2 server to be
moved to the SSL TLS level, you will
need to end the HTTP ADMIN server and
then restart the server. This can be
done using the following command:

ENDTCPSVR *HTTP HTTPSVR(*ADMIN)
followed by the following command:

STRTCPSVR *HTTP HTTPSVR(*ADMIN)

Search words:
"IBM Navigator for i"
iNav
Port 2001
cume ptf
group ptfs
Port 2005


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Bryan Dietz <bdietz400@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 09/17/2015 08:32 AM
Subject: Re: IBM ADMIN Instance Error
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Sounds like the problem I had last week.

IBM had me follow steps in this document to resolve the SSL Exception above:
How to Disable SSL Version 3 for HTTP Admin (Port 2005) - CVE-2014-3566

http://www-01.ibm.com/support/docview.wss?uid=nas8N1020397

--
Bryan


Art Duarte wrote on 9/16/2015 3:44 PM:
Hello,

Anyone have an idea what this error means when trying to access the IBM
admin page (<host ip>:2001)?

Firefox
Cannot communicate securely with peer: no common encryption
algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Chrome
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
A secure connection cannot be established because this site uses an
unsupported protocol.


Some time ago I was messing with the QSSLCSL, QSSLCSLCTL, QSSLPCL values.
Here are the values:

QSSLCSL
*RSA_RC4_128_MD5
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5
*RSA_3DES_EDE_CBC_MD5
*RSA_DES_CBC_MD5

QSSLCSLCTL
Cipher control . . . . : *OPSYS

QSSLPCL
Protocols
*SSLV2

Not sure if that has anything to do with the error, or something else. Your
help is much appreciated.

Thank you
Art Duarte
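
An added example, not part of the original thread or of IBM's document: a small Python audit of the QSSLCSL and QSSLPCL values listed in the question, flagging legacy ciphers and SSL protocol versions. The classification rules and the function names are assumptions made for this illustration.

```python
import re

# Assumed rules for this example: cipher-name tokens treated as legacy,
# and protocol values treated as deprecated (SSLv3 per CVE-2014-3566).
WEAK_TOKENS = {
    "EXPORT": "export-grade key length", "RC4": "RC4 stream cipher",
    "RC2": "RC2 block cipher", "DES": "single DES",
    "3DES": "3DES (64-bit block)", "MD5": "MD5-based MAC",
    "NULL": "no encryption",
}
WEAK_PROTOCOLS = {"*SSLV2", "*SSLV3"}

# Values copied from the listing in the original question.
SAMPLE = """\
QSSLCSL
*RSA_RC4_128_MD5
*RSA_EXPORT_RC4_40_MD5
*RSA_EXPORT_RC2_CBC_40_MD5
*RSA_RC2_CBC_128_MD5
*RSA_3DES_EDE_CBC_MD5
*RSA_DES_CBC_MD5
QSSLCSLCTL
Cipher control . . . . : *OPSYS
QSSLPCL
Protocols
*SSLV2
"""

def parse_sysvals(text):
    """Group '*VALUE' entries under the preceding QSSL* system value name."""
    sysvals, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"QSSL\w+", line):
            current = sysvals.setdefault(line, [])
        elif current is not None:
            current.extend(re.findall(r"\*[A-Z0-9_.]+", line))
    return sysvals

def audit(sysvals):
    """Return weak ciphers with reasons, weak protocols, and whether TLS is listed."""
    weak_ciphers = {}
    for cipher in sysvals.get("QSSLCSL", []):
        tokens = cipher.lstrip("*").split("_")  # match whole tokens, so 3DES != DES
        reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
        if reasons:
            weak_ciphers[cipher] = reasons
    protocols = sysvals.get("QSSLPCL", [])
    return {"weak_ciphers": weak_ciphers,
            "weak_protocols": [p for p in protocols if p in WEAK_PROTOCOLS],
            "tls_listed": any(p.startswith("*TLS") for p in protocols)}

if __name__ == "__main__":
    for key, value in audit(parse_sysvals(SAMPLE)).items():
        print(key, value)
```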



This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].