AIOps: Monitoring and Observability - Group home

While Year 2000 (Y2K) required a lot of preparation, June 5^th, 2021 also requires action to replace TEP JAVA Certificate which will expire. The Tivoli Enterprise Portal (TEP) leverages JAVA files, which for security and code integrity purposes are signed with a certificate. Unfortunately, that Java Certificate will expire on June 5^th.

What happens if you don’t update the certificate?

It’s not always the same for every environment, but typically, the end user at the TEP will get a message that says the certificate is expired and ask for action. If the user has administrative authority, they may be able to accept the expired certificate and continue work. Without admin authority, they may be forced to initial a service call within their business to get the exception handled and may not be able to leverage the TEP until the exception is processed.

Don’t wait until it’s too late.

Being proactive, there are two choices. Install a bunch of fix packs or have your Jar files submitted to IBM service to be re-signed and then get re-installed. That seems to be the easiest process. And since service updates can take 3-6 months to get into production, it’s probably the most expedient process as well.  

Using a PMR to get JAR files re-certified

Instructions from IBM:

Contact IBM support by opening a PMR/CASE requesting the updated certificate for Tivoli Enterprise Portal server (TEPS) support files. You will need to send the jar and zip files from your Tivoli Enterprise Portal Server (TEPS) located as follows:

UNIX/Linux

<InstallDirectory>/<Architecture>/cw/classes

Windows

%CANDLE_HOME%\CNB\classes

Support will then update and return the jar files.

Once the jar files are returned from IBM support, copy the files back to the same location on the TEP server noted above in this document. After the jar files are copied back to the TEP server there is no further action needed on the TEP server side. The TEP server does not need to be reconfigured nor does it need to be restarted. On the TEP client side the java plugin jar cache should be cleared in order to force the download of the newly signed jar files to the client machine. This can be accomplished by going to Windows control panel and opening the java plugin control panel. From the "General" tab in the plugin control panel press the "Settings" button under the "Temporary Internet Files" heading, then press the "Delete Files" button. Once the delete is complete, restart the TEP client to force the download of the newly signed jar files from the TEP server.

Performing a service update to get JAR files re-certified

When this is done, you’ll get the certificates updated as well.

To resolve this, the following (not exhaustive list) of fix-packs are required to be installed into the TEP, and the associated OMEGAMON APARs.    The TEP maintenance must be installed first, and the OMEGAMON software can be installed after that - and is not tied to the June 5 deadline.

Fixpack                         OMEGAMON APAR           PTF

5.5.0-TIV-KC5-FP0005            OA61236                 UJ05468

5.5.0-TIV-KGW-FP0003            OA61239                 UJ05467

7.5.0-TIV-KMQ-FP0004            OA61198                 UJ05431

7.5.0-TIV-KQI-FP0004            OA61199                 UJ05432

5.4.0-TIV-KDP-FP0020            PH36052                 UI75129 

5.5.0-TIV-KS3-IF0023            OA61197 (OXES GA)       UJ05388       

5.4.0-TIV-KS3-IF0018            OA61203 (OXES GA-1)

5.3.0-TIV-KS3-IF0019            OA61312 (OXES GA-2) 

5.5.0-TIV-KIP-FP0005            OA61269                 UJ05399

5.5.0-TIV-KJJ-FP0003            OA61299                 UJ05460

5.4.0-TIV-KJJ-FP0006            OA61300

Following is for OMEGAMON for z/VM               

4.3.0-TIV-KVL-FP0006            OA61378

For OMEGAMON for z/OS and Networks, there are different service based on product levels.

5.6.0-IBM-RKZ-FP0009 (ZOS )      OA61164                UJ05364

5.3.0-TIV-KM5-FP0009 (zOS)       OA61156                UJ05434   
5.5.0-TIV-KM5-FP0007 (zOS)       OA61156                UJ05433   

5.6.0-IBM-RKN-FP0006 (Networks)  OA61166                UJ05365

5.3.0-TIV-KN3-FP0003 (Networks)  OA61154                UJ05233   
5.5.0-TIV-KN3-FP0007 (Networks)  OA61154                UJ05232   

This won’t be the last time that this action is required

Something else to consider. These expiring certificates were good for 3 years. Global security practices and various threat analysis tools say that they should only be two years now. As a result, these activities will need to be repeated in two years when this new certificate expires. But there’s another remediation.  When you replace your TEP with a z/OS hosted IZSME user interface, it provides similar function to the TEP, but doesn’t include the JAVA code.

I know this is very short notice, but if you are using the TEP in your environments, please consider this and try and take appropriate action as soon as possible.