Critical Software Update - JCE Certificate Expiration Problem
[B]Quick Links[/b]
This is a critical information announcement about an IBM software problem that could cause a failure in your webMethods installation after May 18, 2006. This notice describes the problem in the IBM software, lists the susceptible webMethods components, and explains how to prevent the failure from occurring.
Description of the IBM Software Problem
IBM has recently announced that a security certificate contained in certain versions of their Java Virtual Machine (JVM) will expire on May 18, 2006. This problem only occurs on V1.2 and 1.3 IBM JVMs in which the ibmjcefw.jar is dated prior to 040219 in the manifest file. If you have an ibmjcefw.jar that is dated 040219 or later in V1.2 or 1.3 IBM JVMs, or your JVM is V1.4 or greater, you will be unaffected by the certificate expiration issue.
See the following link on IBM’s Support Website for more information: http://www-1.ibm.com/support/docview.wss?uid=swg21212932
Susceptible webMethods Components
webMethods has thoroughly examined the entire webMethods software suite and has determined that the webMethods components listed below are susceptible to the expired security certificate failure.
- Version 6.1 webMethods Integration Servers that have been configured to run against IBM JVM 1.2 and 1.3 and in which the ibmjcefw.jar is dated prior to 040219 in the manifest file.
Note that Integration Server version 6.1 was the first version to make use of JCE and also the first time that webMethods distributed IBM JVM 1.3.1 containing the expiring certificate. Integration Server version 6.5 ships with JVM version 1.4 which does not contain the expiring certificate; therefore, Integration Server 6.1 is the only version susceptible to the certificate expiration problem.
- Enterprise components listed below that are configured to run against IBM JVM 1.2 and 1.3 in which the ibmjcefw.jar is dated prior to 040219 in the manifest file. Note that webMethods Enterprise components did ship with the IBM JVM 1.3 containing the expiring certificates.
[LIST]
- Enterprise Adapter Runtime
- Custom adapters created using Enterprise Adapter Runtime
- Enterprise Adapter Manager
- Any of the following webMethods Enterprise Adapters:
[LIST]
- BroadVision Edition
- Broker Package (AKA Broker Bridge)
- CICS Edition
- Clarify Edition
- CORBA Edition
- Database Edition
- Email Edition
- Enterprise Integrator Logger Adapter
- Enterprise JavaBeans Edition
- File I/O Edition
- Informix Edition
- Integration Logic Agent Edition
- J.D. Edwards OneWorld Edition
- JDBC Edition
- JMS Edition
- Kenan Arbor Edition
- LDAP Edition
[/LIST]
[LIST]
- Metasolv Edition
- Microsoft SQL Edition
- MQSeries Edition
- MSMQ Edition
- ODBC Edition
- Oracle Edition
- PeopleSoft Edition
- PeopleSoft PIA Edition 4.6 Plug-in
- PeopleSoft PIA Edition
- Portal Edition
- SAP Edition
- Siebel Edition
- Sybase Edition
- Tuxedo Edition
- Vantive Edition
- XML Edition
[/LIST]
[/LIST]
Prevent the Failure from Occurring
To prevent the expired security certificate failure from occurring for the Enterprise components listed above, take these steps:
- For non-AIX platforms, customers should move to Sun JVM 1.3.1 available from the Sun Website. However, in order to make this version of the Sun JVM compliant with webMethods, you must also install a previously released Sun JCE Patch available from the webMethods Advantage Web site. The switch to the Sun JVM is required because IBM no longer distributes their JVM for non-IBM platforms. Version 1.3.1 of the JVM is required because the webMethods Enterprise components do not support newer versions of the JVM.
- For AIX platforms, customers should move to the IBM JVM 1.4.1 available from IBM http://www-128.ibm.com/developerworks/java/jdk/aix/service.html
- Special note for customers running Enterprise EJB Adapter or Enterprise JMS Adapter versions 4.2 on AIX platforms. Our testing has shown that upgrading to the IBM JVM 1.4.1 does resolve the JCE expiration problem but causes compatibility issues between the Enterprise Adapters and WebSphere Application Server. For these customers, we recommend that you contact IBM directly for assistance or consider migrating to a later version of webMethods EJB and/or JMS solutions that do not exhibit the problem. Additionally, webMethods has contacted IBM to see if they have a separate fix for the WebSphere issue. We will acquire this fix if and when available, test it in our labs and update our customers as we discover additional information.
To prevent the failure from occurring for Integration Server users we recommend moving to the Sun 1.4.2 JVM.
For Windows, Sun and HP users, this version of the JVM ships with Integration Server and should already be installed in the webMethods directory. In order to configure the Integration Server to use the Sun JVM, follow these instructions
- Navigate to the <webMethods_install_dir>\IntegrationServer\bin directory and open the server.bat (windows) or server.sh (Unix) file in a text editor.
- Edit the JAVA_DIR parameter and point it to the JRE shipped with webMethods, located in <webMethods_install_dir>\jvm\win142\jre, then save and close the file.
For AIX users, download the appropriate patch from the IBM website for your current version of the JVM.
Finally, though we have performed extensive testing internally, customers are free to configure their systems using a variety of supported JVMs. Therefore, even though we have identified the webMethods components that are susceptible to the problem and the versions in which we explicitly shipped the JVM containing the expiring certificate, there is always a possibility that a customer may have reconfigured their environment to use a version of the IBM JVM that exhibits the problem. Therefore we encourage all customers using IBM JVMs to perform “time shift testing” on their environments by setting the system date time on their servers to May 19, 2006 or later and then restarting and testing their webMethods integrations.