While Year 2000 (Y2K) required a lot of preparation, June 5th, 2021 also requires action to replace TEP JAVA Certificate which will expire. The Tivoli Enterprise Portal (TEP) is used as a graphic user interface for several of the Advanced Storage Tools for z/OS. It is the same interface used for the OMEGAMON products. The TEP leverages JAVA files, which for security and code integrity purposes are signed with a certificate. Unfortunately, that Java Certificate will expire on June 5th.
What happens if you don’t update the certificate?
It’s not always the same for every environment, but typically, the end user at the TEP will get a message that says the certificate is expired and ask for action. If the user has administrative authority, they may be able to accept the expired certificate and continue work. Without admin authority, they may be forced to initial a service call within their business to get the exception handled and may not be able to leverage the TEP until the exception is processed.
Don’t wait until it’s too late.
Being proactive, there are two choices. Install a bunch of fix packs or have your JAR files submitted to IBM service to be re-signed and then get re-installed. That seems to be the easiest process. And since service updates can take 3-6 months to get into production, it’s probably the most expedient process as well.
Using a PMR to get JAR files re-certified
Instructions from IBM:
Contact IBM support by opening a PMR/CASE requesting the updated certificate for Tivoli Enterprise Portal server (TEPS) support files. You will need to send the jar and zip files from your Tivoli Enterprise Portal Server (TEPS) located as follows:
Support will then update and return the jar files.
Once the jar files are returned from IBM support, copy the files back to the same location on the TEP server noted above in this document. After the jar files are copied back to the TEP server there is no further action needed on the TEP server side. The TEP server does not need to be reconfigured nor does it need to be restarted. On the TEP client side the java plugin jar cache should be cleared in order to force the download of the newly signed jar files to the client machine. This can be accomplished by going to Windows control panel and opening the java plugin control panel. From the "General" tab in the plugin control panel press the "Settings" button under the "Temporary Internet Files" heading, then press the "Delete Files" button. Once the delete is complete, restart the TEP client to force the download of the newly signed jar files from the TEP server.
Performing a service update to get JAR files re-certified
When this is done, you’ll get the certificates updated as well.
To resolve this, the following (not exhaustive list) of fix-packs are required to be installed into the TEP, and the associated Advanced Storage APARs. The TEP maintenance must be installed first, and the z/OS software can be installed after that - and is not tied to the June 5 deadline.
Fixpack Storage APAR PTF
For OMEGAMON for Storage
5.5.0-TIV-KS3-IF0023 OA61197 UJ05388
5.4.0-TIV-KS3-IF0018 OA61203 UJ05497
5.3.0-TIV-KS3-IF0019 OA61312 UJ05542
For Advanced Storage tools:
2.6.0-TIV-KRG-IF0001 PH36931 UI75300
2.4.0-TIV-KRV-IF0003 PH36947 UI75301
2.6.0-TIV-KRN-IF0003 PH36890 UI75258
3.3.0-TIV-KRJ-FP0004 PH37021 UI75302
2.6.0-TIV-KRH-IF0001 PH36891 UI75298
3.3.0-TIV-KRK-IF0003 PH36929 UI75299
This won’t be the last time that this action is required
Something else to consider. These expiring certificates were good for 3 years. Global security practices and various threat analysis tools say that they should only be two years now. As a result, these activities will need to be repeated in two years when this new certificate expires. But there’s another remediation. When you replace your TEP with a z/OS hosted IZSME user interface, it provides similar function to the TEP, but doesn’t include the JAVA code.
I know this is very short notice, but if you are using the TEP in your environments, please consider this and try and take appropriate action as soon as possible.