Mainframe Storage

 View Only

What do June 5, 2021 and 12/31/1999 have in common for z/OS Advanced Storage tools?

By Jim Porell posted Mon May 10, 2021 03:10 PM


While Year 2000 (Y2K) required a lot of preparation, June 5th, 2021 also requires action to replace TEP JAVA Certificate which will expire. The Tivoli Enterprise Portal (TEP) is used as a graphic user interface for several of the Advanced Storage Tools for z/OS. It is the same interface used for the OMEGAMON products. The TEP leverages JAVA files, which for security and code integrity purposes are signed with a certificate. Unfortunately, that Java Certificate will expire on June 5th.


What happens if you don’t update the certificate?

It’s not always the same for every environment, but typically, the end user at the TEP will get a message that says the certificate is expired and ask for action. If the user has administrative authority, they may be able to accept the expired certificate and continue work. Without admin authority, they may be forced to initial a service call within their business to get the exception handled and may not be able to leverage the TEP until the exception is processed.


Don’t wait until it’s too late.

Being proactive, there are two choices. Install a bunch of fix packs or have your JAR files submitted to IBM service to be re-signed and then get re-installed. That seems to be the easiest process. And since service updates can take 3-6 months to get into production, it’s probably the most expedient process as well.  


Using a PMR to get JAR files re-certified

Instructions from IBM:


Contact IBM support by opening a PMR/CASE requesting the updated certificate for Tivoli Enterprise Portal server (TEPS) support files. You will need to send the jar and zip files from your Tivoli Enterprise Portal Server (TEPS) located as follows:







Support will then update and return the jar files.


Once the jar files are returned from IBM support, copy the files back to the same location on the TEP server noted above in this document. After the jar files are copied back to the TEP server there is no further action needed on the TEP server side. The TEP server does not need to be reconfigured nor does it need to be restarted. On the TEP client side the java plugin jar cache should be cleared in order to force the download of the newly signed jar files to the client machine. This can be accomplished by going to Windows control panel and opening the java plugin control panel. From the "General" tab in the plugin control panel press the "Settings" button under the "Temporary Internet Files" heading, then press the "Delete Files" button. Once the delete is complete, restart the TEP client to force the download of the newly signed jar files from the TEP server.


Performing a service update to get JAR files re-certified

When this is done, you’ll get the certificates updated as well.


To resolve this, the following (not exhaustive list) of fix-packs are required to be installed into the TEP, and the associated Advanced Storage APARs.    The TEP maintenance must be installed first, and the z/OS software can be installed after that - and is not tied to the June 5 deadline.

Fixpack                         Storage  APAR                    PTF

For OMEGAMON for Storage 

5.5.0-TIV-KS3-IF0023            OA61197                          UJ05388

5.4.0-TIV-KS3-IF0018            OA61203                          UJ05497

5.3.0-TIV-KS3-IF0019            OA61312                          UJ05542


For Advanced Storage tools:

2.6.0-TIV-KRG-IF0001            PH36931                          UI75300

2.4.0-TIV-KRV-IF0003            PH36947                          UI75301

2.6.0-TIV-KRN-IF0003            PH36890                          UI75258

3.3.0-TIV-KRJ-FP0004            PH37021                          UI75302

2.6.0-TIV-KRH-IF0001            PH36891                          UI75298

3.3.0-TIV-KRK-IF0003            PH36929                          UI75299

This won’t be the last time that this action is required

Something else to consider. These expiring certificates were good for 3 years. Global security practices and various threat analysis tools say that they should only be two years now. As a result, these activities will need to be repeated in two years when this new certificate expires. But there’s another remediation.  When you replace your TEP with a z/OS hosted IZSME user interface, it provides similar function to the TEP, but doesn’t include the JAVA code.


I know this is very short notice, but if you are using the TEP in your environments, please consider this and try and take appropriate action as soon as possible.