HPDBA0287E, FBTSTS012E, or HPDIA0100E errors in TFIM log

The most common cause is the certificate that the TFIM runtime uses to talk to the TAM environment with the TAM JRTE API is expired or incorrect. The application is no longer able to establish SSL communication with the IVACLD or Policy Server. A TAMeB Java application by default will attempt to renew its certificate once it reaches half-life. This attempt is only made when the TFIM runtime is restarted or the configuration is reloaded. The life time of the certificate is defined in the Policy Server when the TFIM application was configured. The attribute is in the Policy Server's [ssl] stanza,

# SSL certificate lifetime in days.
# This parameter is set by the mgrsslcfg utility.
ssl-cert-life = 365

and is set when the Policy Server is configured. In TAM 5.1, the default is 365 days. In TAM 6.0.0/6.1.0/6.1.1, the default is 1460 (4 years). It may be manually changed, but requires a restart of the Policy Server. This value is not increased when upgrading from TAM 5.1. If this value is changed after the TFIM runtime is configured the old certificate will still expire on the previous value, unless the TFIM runtime is reconfigured.

This is an easy thing to resolve and will not remove any existing TFIM federations or other configurations. This may cause a brief outage for all federations, when the TFIM runtime reloads.

The fix is to go to Domain Management -> Runtime Node Management select all the nodes, click unconfigure. This will prompt for the password for the configured user account in the Domain properties. Once this completes dismiss the option to reload the runtime for now and select all the nodes again, and press the configure button. This will again prompt for the password. Once this completes press the load configuration changes to Tivoli Federated Identity Manager runtime button and the runtime will start to use the new TAM API certificate and federations should start working again.