311 - ANS1692E The certificate is not trusted.
1.1 Preliminary remark
A valid certificate is one of the requirements for a connection from the ISP node to the server.
Otherwise a connection cannot be established and you will receive an error message:
ANS1692E The certificate is not trusted.
ANS8023E Unable to establish session with server.
ANS8002I Highest return code was -367.
One possible reason for this error message may be that the server certificate has been changed/renewed.
This new certificate must now be transferred to the node again.
A renewal is necessary, for example, if the ISP server is moved to newer hardware.
Unfortunately, the certificate contains the IP address of the ISP server, which means that it is no longer valid for the new server with its new IP address.
Accordingly, the ISP node must then obtain a new certificate from the new ISP server in order to be able to trust the ISP server again.
If a node is used by several computers at the time of certificate renewal, the following steps must be carried out on each of these computers.
1.2 What needs to be done?
A. You are using one or more nodes on a system and at least one of these nodes is running a scheduler on this system.
In this case, you usually have to wait a day and do nothing. Just check that the scheduler is running on the system. It will automatically transfer the certificate.
One day later, access should work again. Please check whether the backup was successful.
In the unlikely event that access still does not work, please carry out steps B and C below.
B. You are using a simple configuration of one to three nodes without a scheduler on your system.
In this case, it is easiest to delete the distributed key database, consisting of the files dsmcert.kdb, dsmcert.sth and dsmcert.idx.
Procedure under Windows:
Directory: C:\Program Files\Tivoli\TSM\baclient
In Explorer, navigate to the directory C:\Program Files\Tivoli\TSM\baclient and delete the three files dsmcert.kdb, dsmcert.sth and dsmcert.idx.
Procedure under Linux:
Directory: /opt/tivoli/tsm/client/ba/bin/
cd /opt/tivoli/tsm/client/ba/bin/; rm dsmcert.kdb dsmcert.sth dsmcert.idx
Procedure under Mac OS:
Directory: /Library/Application\ Support/tivoli/tsm/client/ba/bin/
cd /Library/Application\ Support/tivoli/tsm/client/ba/bin/; rm dsmcert.kdb dsmcert.sth dsmcert.idx
Procedure under AIX:
Directory: /usr/tivoli/tsm/client/ba/bin/
cd /usr/tivoli/tsm/client/ba/bin/; rm dsmcert.kdb dsmcert.sth dsmcert.idx
The client must then be started for each configured node and, if necessary, the password entered.
This creates a new key database, which retrieves the new certificate from the new ISP server.
C. You are using a complex configuration with several nodes without a scheduler on a system or a TDP client.
In this case, the new certificate must unfortunately be downloaded manually. It can then be imported into the key database using the gsk8capicmd_64 -cert -add command.
The command gsk8capicmd_64 -cert -list -db <path to the certificate>/dsmcert.kdb -stashed lists the existing certificates. It can be used for checking before and after importing.
All client sessions must be terminated before executing the gsk8capicmd_64 -cert -add command, otherwise you will continue to receive the "ANS1692E The certificate is not trusted" error message despite the correct certificate.
It is important that you download the correct certificate for your server. You will find a list of possible certificates in the table below.
Replace the entries <new certificate file> and <new label> with the corresponding values from the table below in the following commands!
Procedure under Linux:
gsk8capicmd_64 -cert -list -db /opt/tivoli/tsm/client/ba/bin/dsmcert.kdb -stashed
gsk8capicmd_64 -cert -add -db /opt/tivoli/tsm/client/ba/bin/dsmcert.kdb -file <new certificate file> -label "<new label>" -stashed
gsk8capicmd_64 -cert -list -db /opt/tivoli/tsm/client/ba/bin/dsmcert.kdb -stashed
Procedure under Mac OS:
/Library/ibm/gsk8/bin/gsk8capicmd -cert -list -db /Library/Application\ Support/tivoli/tsm/client/ba/bin/dsmcert.kdb -stashed
/Library/ibm/gsk8/bin/gsk8capicmd -cert -add -db /Library/Application\ Support/tivoli/tsm/client/ba/bin/dsmcert.kdb -file <new certificate file> -label "<new label>" -stashed
/Library/ibm/gsk8/bin/gsk8capicmd -cert -list -db /Library/Application\ Support/tivoli/tsm/client/ba/bin/dsmcert.kdb -stashed
Procedure under Windows:
Start cmd.exe and execute the following commands:
set PATH=C:\Program Files\ibm\gsk8\lib64;C:\Program Files\ibm\gsk8\bin;%PATH%
cd C:\Program Files\Tivoli\TSM\baclient
gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed
gsk8capicmd_64 -cert -add -db dsmcert.kdb -file <new certificate file> -label "<new label>" -stashed
gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed
server | <new certificate file> | <new label> | Date of Move |
---|---|---|---|
T69I2 | Server_SelfSigned_T69I2.arm | 10.156.29.121:6920 | 03.06.2025 |
S65 | Server_SelfSigned_S65.arm | 10.156.29.121:2150 | 04.06.2025 |
S101 | Server_SelfSigned_S101.arm | 10.156.29.121:2510 | 11.06.2025 |
S100 | Server_SelfSigned_S100.arm | 10.156.29.121:2500 | 16.06.2025 |
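
The list / add / list sequence from step C as one guarded script, given here as an added example that is not part of the original page: it refuses to run while dsmc or dsmcad processes exist, copies the three key database files aside, and confirms the label after the import. The function names, the process names checked, and the GSK and KDB_DIR override variables are assumptions; the defaults are the Linux paths from the page.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: import_cert,
# has_label, GSK, KDB_DIR. Defaults are the Linux paths given on the page.
GSK="${GSK:-gsk8capicmd_64}"
KDB_DIR="${KDB_DIR:-/opt/tivoli/tsm/client/ba/bin}"

# Succeeds if the certificate list of the key database contains this label.
has_label() {
    "$GSK" -cert -list -db "$KDB_DIR/dsmcert.kdb" -stashed | grep -F -q -- "$1"
}

# import_cert <new certificate file> <new label>
import_cert() {
    cert_file=$1
    label=$2
    [ -r "$cert_file" ] || { echo "cannot read $cert_file" >&2; return 2; }

    # The page requires all client sessions to be terminated before -cert -add.
    # Assumption: the sessions show up as dsmc or dsmcad processes.
    for proc in dsmc dsmcad; do
        if pgrep -x "$proc" >/dev/null 2>&1; then
            echo "$proc is still running; stop it before importing" >&2
            return 3
        fi
    done

    # Check before importing: nothing to do if the label is already listed.
    if has_label "$label"; then
        echo "label $label already present"
        return 0
    fi

    # Keep a copy of the key database files so the change can be undone.
    backup="$KDB_DIR/dsmcert.backup.$(date +%Y%m%d%H%M%S)"
    mkdir "$backup" || return 4
    for f in dsmcert.kdb dsmcert.sth dsmcert.idx; do
        [ ! -f "$KDB_DIR/$f" ] || cp -p "$KDB_DIR/$f" "$backup/" || return 4
    done

    "$GSK" -cert -add -db "$KDB_DIR/dsmcert.kdb" \
        -file "$cert_file" -label "$label" -stashed || return 5

    # Check after importing, as the page recommends.
    has_label "$label" || { echo "label $label missing after import" >&2; return 6; }
    echo "imported $label; backup in $backup"
}

# Run directly: ./import_cert.sh <new certificate file> "<new label>"
if [ "$#" -eq 2 ]; then import_cert "$@"; fi
```

On Mac OS, set GSK=/Library/ibm/gsk8/bin/gsk8capicmd and KDB_DIR to the Mac OS directory given above before calling the script.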