While Year 2000 (Y2K) required a lot of preparation, June 5th, 2021 also requires action to replace TEP JAVA Certificate which will expire. The Tivoli Enterprise Portal (TEP) leverages JAVA files, which for security and code integrity purposes are signed with a certificate. Unfortunately, that Java Certificate will expire on June 5th.
What happens if you don’t update the certificate?
It’s not always the same for every environment, but typically, the end user at the TEP will get a message that says the certificate is expired and ask for action. If the user has administrative authority, they may be able to accept the expired certificate and continue work. Without admin authority, they may be forced to initial a service call within their business to get the exception handled and may not be able to leverage the TEP until the exception is processed.
Don’t wait until it’s too late.
Being proactive, there are two choices. Install a bunch of fix packs or have your Jar files submitted to IBM service to be re-signed and then get re-installed. That seems to be the easiest process. And since service updates can take 3-6 months to get into production, it’s probably the most expedient process as well.
Using a PMR to get JAR files re-certified
Instructions from IBM:
Contact IBM support by opening a PMR/CASE requesting the updated certificate for Tivoli Enterprise Portal server (TEPS) support files. You will need to send the jar and zip files from your Tivoli Enterprise Portal Server (TEPS) located as follows:
Support will then update and return the jar files.
Once the jar files are returned from IBM support, copy the files back to the same location on the TEP server noted above in this document. After the jar files are copied back to the TEP server there is no further action needed on the TEP server side. The TEP server does not need to be reconfigured nor does it need to be restarted. On the TEP client side the java plugin jar cache should be cleared in order to force the download of the newly signed jar files to the client machine. This can be accomplished by going to Windows control panel and opening the java plugin control panel. From the "General" tab in the plugin control panel press the "Settings" button under the "Temporary Internet Files" heading, then press the "Delete Files" button. Once the delete is complete, restart the TEP client to force the download of the newly signed jar files from the TEP server.
Performing a service update to get JAR files re-certified
When this is done, you’ll get the certificates updated as well.
To resolve this, the following (not exhaustive list) of fix-packs are required to be installed into the TEP, and the associated OMEGAMON APARs. The TEP maintenance must be installed first, and the OMEGAMON software can be installed after that - and is not tied to the June 5 deadline.
Fixpack OMEGAMON APAR PTF
5.5.0-TIV-KC5-FP0005 OA61236 UJ05468
5.5.0-TIV-KGW-FP0003 OA61239 UJ05467
7.5.0-TIV-KMQ-FP0004 OA61198 UJ05431
7.5.0-TIV-KQI-FP0004 OA61199 UJ05432
5.4.0-TIV-KDP-FP0020 PH36052 UI75129
5.5.0-TIV-KS3-IF0023 OA61197 (OXES GA) UJ05388
5.4.0-TIV-KS3-IF0018 OA61203 (OXES GA-1)
5.3.0-TIV-KS3-IF0019 OA61312 (OXES GA-2)
5.5.0-TIV-KIP-FP0005 OA61269 UJ05399
5.5.0-TIV-KJJ-FP0003 OA61299 UJ05460
Following is for OMEGAMON for z/VM
For OMEGAMON for z/OS and Networks, there are different service based on product levels.
5.6.0-IBM-RKZ-FP0009 (ZOS ) OA61164 UJ05364
5.3.0-TIV-KM5-FP0009 (zOS) OA61156 UJ05434
5.5.0-TIV-KM5-FP0007 (zOS) OA61156 UJ05433
5.6.0-IBM-RKN-FP0006 (Networks) OA61166 UJ05365
5.3.0-TIV-KN3-FP0003 (Networks) OA61154 UJ05233
5.5.0-TIV-KN3-FP0007 (Networks) OA61154 UJ05232
This won’t be the last time that this action is required
Something else to consider. These expiring certificates were good for 3 years. Global security practices and various threat analysis tools say that they should only be two years now. As a result, these activities will need to be repeated in two years when this new certificate expires. But there’s another remediation. When you replace your TEP with a z/OS hosted IZSME user interface, it provides similar function to the TEP, but doesn’t include the JAVA code.
I know this is very short notice, but if you are using the TEP in your environments, please consider this and try and take appropriate action as soon as possible.