Updating IBM FileNet products that have Java security certificates.
Several IBM FileNet products which contain digitally signed jar files have certificates which expire on March 16, 2012. IBM has obtained updated digitial certificates and is in the process of applying the new certificate to the impacted jar files.
The expired certificates will only affect java applets, and there will be no impact to product functionality. A warning will be displayed informing the user that an expired certificate exists, and there will be an option to select “continue” as well as an option to remember the preference to continue. It is important to note that this is only a warning.
When will the current certificate expire?
The current Java Security certificate for IBM FileNet products will expire on March 16, 2012. The new certificates will be valid for three years, expiring on February 19, 2015.
What IBM FileNet products are affected?
· IBM FileNet P8 Application Engine (AE)
· IBM FileNet P8 Process Engine (PE)
· IBM FileNet P8 Content Engine (CE)
· IBM FileNet IDM Desktop/Web Services
· IBM FileNet IDM Desktop/Open Client
· IBM FileNet eProcess
· IBM FileNet WorkPlace XT
· IBM FileNet ACSAP R3/J2EE (Portlets only)
· IBM FileNet Image Service Resource Adapter (ISRA)
· IBM FileNet Integration for Microsoft Office (FIMO)
If your installed IBM FileNet product is not listed here, it does not require resigned modules.
What will happen if I do not apply a resigned patch?
The behavior of modules with expired certificates varies based on the nature of the module and the resources it is using. In general, if the digital certificate expires, the browser will display a Java message dialog advising the user that the certificate has expired. This dialog will at most be displayed once per browser session the first time the expired signed jar file needs to be downloaded to the client browser. If the client has java caching enabled, the message may not be displayed at all.
It is important to note that this message is simply a warning that is presented to the end users. Once the user selects "Run" the applet loads as expected. This certificate expiration will not cause any functional error within the applets.
Will IBM FileNet provide patches for the affected products?
IBM FileNet engineering will provide interim fixes or fix packs only for a specific set of release/patch levels of the affected products.
What are the interim fixes or fix pack releases for the affected products?
The attached PDF provides information for interim fixes and fix packs for each of the affected products. This document will be updated as further information becomes available.
Product versions identified in the PDF represent the minimum version that contains the new Java security certificate. All releases after the indicated version will contain the new certificate as well. This includes releases, fix packs and interim fixes.
What if the version/patch of my FileNet product is not on the support list?
You should plan to update each product to the specific versions identified in the attached PDF.
If that update is not desirable, then there are other options.
1. If you already have your own valid Java signed security certificate from a trusted certificate authority, you can sign the jar files using your own certificate. A list of the required files for each product can be obtained from IBM Support.
2. You can create a self signed Java security certificate and re-sign the jar files using this certificate.
3. You can request that specific jar files be re-signed on an exception basis. Note that engineering may not be able to resign your specific level, and the process may take some time. To request an exception case, please contact IBM Support for assistance. You will need to provide IBM Support with the following information:
· Business justification for the resign request stating (a) the reason why you can not upgrade to the required patch level, (b) if you have a plan for upgrading your system, (c) if you are currently under a support extension
· Release version and patch level of the product requested for resign
Where do I obtain the resigned patches?
The fixes referenced to in the attached PDF titled “IBM FileNet Product Tables" can be found on IBM Fix Central
How do we know the re-signed interim fixes and fix packs are compatible with our current installations?
The dependency matrices will be, or have been, updated to include the released re-signed interim fixes and fix patches. Also, the associated Readmes contain dependency information.
Compatibility matrices for P8
include the following products:
• IBM FileNet P8 Application Engine (AE)
• IBM FileNet P8 Process Engine (PE)
• IBM FileNet P8 Content Engine (CE)
• IBM FileNet WorkPlace XT products
Compatibility matrices for other
include the following products:
• IBM FileNet IDM Desktop/Web Services
• IBM FileNet IDM Desktop/Open Client
• IBM FileNet eProcess
What if I have other questions?
If you have any other questions about the Java re-certification for IBM FileNet products, please contact IBM Support, Directory of worldwide contacts or open a PMR on-line via the SR.