Troubleshooting an error about lockbox stable value threshold after major system update
When a host first accesses a stand-alone or shared lockbox, certain System Stable Values (SSVs) are stored in the lockbox for the host. The Microsoft application agent requires a specific number of the SSVs to be matched for the host for each subsequent lockbox access.
When a major update of the host system causes multiple SSVs to change, the required number of SSVs might not match when the host tries to access the lockbox during a backup or restore operation. In this case, the host's attempt to access the lockbox might produce the following error:
The Lockbox stable value threshold was not met because the system fingerprint has changed. To reset the system fingerprint, open the Lockbox using the passphrase.
If you encounter this error, you can complete the following operation to enable the lockbox access for the host:
In a stand-alone system, re-create the lockbox for the host and perform the registration again.
In a high-availability system with a shared lockbox:
Revoke the lockbox access of the host by running the
msagentadmin administration -R command from another host.
Grant the lockbox access to the host by running the
msagentadmin administration -G command from another host.
NOTE To update the lockbox configuration on a host, run the
msagentadmin administration -U command on that host. This operation ensures that the lockbox is continuously accessible to the host.
The following
msagentadmin administration commands perform the lockbox operations:
You can optionally set and use a customized passphrase that enables you to reset the lockbox or regain access for a host when the lockbox becomes inaccessible. This feature is useful when a nonshared lockbox becomes inaccessible on an occasional basis.
Set and use a customized passphrase for lockbox access provides details about setting a customized passphrase.
You can also use a lockbox security option to select either a default level or custom level for the lockbox security. The default security level is recommended. The custom security level can enable easier access to the lockbox after a major OS update. However, the custom level has potential security concerns, so the setting and use of a customized passphrase is recommended.
Reset the lockbox security level provides more details about setting the lockbox security level.
Set and use a customized passphrase for lockbox access
You can optionally set a customized passphrase that enables you to reset the lockbox or regain access for a host when the lockbox becomes inaccessible. This feature is useful when a host frequently loses access to a nonshared lockbox due to reasons such as OS updates. In this case, it is useful to set a customized passphrase when the lockbox is still accessible, so that when any access issue occurs, the lockbox can be reset by the host.
A customized passphrase must meet the following passphrase requirements:
Minimum of nine characters.
Minimum of one uppercase letter.
Minimum of one lowercase letter.
Minimum of one special character, such as % or $.
Minimum of one numeric character.
To set a customized passphrase for the lockbox, run the following command as the root user or administrative user and type the passphrase at the prompts:
msagentadmin administration -U -a SET_LOCKBOX_PASSPHRASE=TRUE -a LOCKBOX_PATH=<lockbox_directory_pathname>
Enter a passphrase (refer to the administration guide for passphrase complexity requirements):
Confirm the passphrase:
The passphrase for the lockbox 'agents.clb' in the directory '/opt/lockbox' has been updated.
NOTE Treat the customized lockbox passphrase with care, and guard it against use by unauthorized persons. If a person learns the passphrase and obtains a copy of the lockbox files, the person can access the lockbox.
After you set a customized passphrase, you can use the passphrase to reset the lockbox or regain access to the lockbox. For example, if the lockbox becomes inaccessible, run the following command as the root user or administrative user and type the customized passphrase at the prompt:
msagentadmin administration -U -a USE_LOCKBOX_PASSPHRASE=TRUE -a LOCKBOX_PATH=<lockbox_directory_pathname>
Enter a previously set passphrase:
The lockbox 'agents.clb' in the directory '/opt/lockbox' has been reset.
Reset the lockbox security level
You can optionally select a default level or custom level for the lockbox security. The custom security level is not recommended due to potential security concerns. However, the custom level might be useful when you do not want to set a customized passphrase for lockbox inaccessibility issues. The custom security level reduces the frequency at which the lockbox becomes inaccessible after major OS updates, but it does not guarantee that the inaccessibility will not recur.
Setting and using a customized passphrase ensures that the lockbox is always accessible, and does not have any security implications.
To set the lockbox security level, run the following command as the root user or administrative user:
msagentadmin administration -U -a SET_LOCKBOX_SECURITY={"custom"|"default"} -a LOCKBOX_PATH=<lockbox_directory_pathname>
For example, the following command sets the custom level of lockbox security:
msagentadmin administration -U -a SET_LOCKBOX_SECURITY="custom" -a LOCKBOX_PATH=/opt/lockbox
The lockbox 'agents.clb' in the directory '/opt/lockbox' has been reset with the custom security level.
Note that with a lower security level, the lockbox is more vulnerable to external threats. If you are not sure whether you want a lower security, we recommend using LOCKBOX_SECURITY="default" for regular usage.
Data is not available for the Topic
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\