Tivoli Workload Scheduler for z/OS default certificates need to be renewed!

Flash (Alert)


Abstract

Tivoli Workload Scheduler default certificates expire on 10 February 2014.

The default certificates that were released with Tivoli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general availability expire on February 10 2014. Complete the steps listed in this Alert as soon as possible to avoid broken communications, which can also occur randomly before February 10th 2014.


Tivoli Workload Scheduler for z/OS provides a secure, authenticated, and encrypted
connection mechanism for communication based on the Secure Sockets Layer (SSL)
protocol.

By default, Tivoli Workload Scheduler uses the SSL protocol in some of its communications.

It also provides default certificates to manage the SSL protocol.

If you do not follow the instructions in this Alert, these communications will be broken after February 10 2014.

Tivoli Workload Scheduler for z/OS also provides default certificates to manage the SSL
protocol that is based on a private and public key methodology. A sample JCL
(called EQQRCERT) is provided to create a RACF keyring including those
certificates.

The same default certificates are provided with the TWS agent for z/OS. A sample JCL
(called EELCERT) is provided to create a RACF keyring including them.


To check the expiration dates, refer to the technote "How to check the expiration dates of the TWS z/OS default certificates":
http://www-01.ibm.com/support/docview.wss?uid=swg21653111

Content



The default certificates that were released with Tivoli Workload Scheduler for z/OS
V8.5.1 and V8.6.0 general availability expire on 10 February 2014.


If you use the default certificates and do not take any action before the
expiration date, the connections between the following Tivoli Workload Scheduler for z/OS and
Tivoli Workload Scheduler components are affected:

  1. Connection between the Dynamic Workload Console and the Tivoli
    Workload Scheduler z/OS connector.
  2. Connection between the Job Scheduling Console and the Tivoli Workload
    Scheduler z/OS connector.
  3. Custom integration based on Tivoli Workload Scheduler Java APIs (only
    if you create your own Java client to connect to the Tivoli Workload Scheduler
    z/OS connector).
  4. (z-centric feature is used) The communication between the controller and the
    Tivoli Workload Scheduler agents for z/OS (z-centric agents), if the z-centric
    agent destination is defined using the HTTPS value.
  5. (Dynamic scheduling feature is used) The communications between the Tivoli
    Workload Scheduler for z/OS controller and the Tivoli Workload Scheduler
    dynamic domain managers, if the broker workstation destination is defined
    using the HTTPS value.
  6. (Cross dependencies feature is used) The communications between the Tivoli
    Workload Scheduler for z/OS controllers, if the remote engine workstation
    destination is defined using the HTTPS value.
  7. (Cross dependencies feature is used) The communications between Tivoli
    Workload Scheduler for z/OS controllers and the Tivoli Workload Scheduler
    master domain manager, if the remote engine workstations destination is defined
    using the HTTPS value.
  8. The communication between the Dynamic Workload Console and the Tivoli Workload
    Scheduler for z/OS controller if using the z/OS connector for WebSphere
    Application Server for System z.
  9. (The TWS agent for z/OS is used) The connection between the Tivoli Workload Scheduler
    Master Domain Manager and the agent for z/OS.

    The PTFs listed below must be installed to address scenarios 4, 5, 6, and 9
    above.


Note: For more information about management of the expiration of the default
certificates in E2E z/OS environment, see the TechNote 1628636.

Solving the problem
--------------------------------

Note: The procedure to renew the default certificates consists of a list of steps.

The new default certificates installed with TWS fixpacks or that you manually install as part of the procedure will expire on Nov 9th, 2032.

You do not need to update your Tivoli Workload Scheduler environment with the procedure steps all at the same time, but you must perform the entire procedure for all components before February 10 2014.



All steps are disruptive and should be performed during a scheduled maintenance window for the affected machine.

Ensure that the:
· Steps are run in the correct order as described in the procedure.
· Entire procedure is completed before the certificates expiration date.

As already reported in the Content section the activation of the new certificates in the cases where a for z/OS connector
(installed on a distributed platform) is connected to:
  • Job Scheduling console;
  • Tivoli Dynamic Workload console;
  • Java API client

For the z/OS connector:

The new default certificates installed with TWS fixpacks or that you manually install as part of the procedure will expire on Nov 9th, 2032.
See the following table for a summary of the affected releases of the z/OS connector and the available options to address the issue:

TWS Version | Option 1 - Fix Pack (1)       | Option 2 - standalone package (2)
------------|-------------------------------|----------------------------------
8.3.0       | Not Available - Use Option 2  | 8.3.0-TIV-TWS-CERTIFICATES
8.5.0       | Not Available - Use Option 2  | 8.5.0-TIV-TWS-CERTIFICATES
8.5.1       | Not Available - Use Option 2  | 8.5.1-TIV-TWS-CERTIFICATES
8.6.0       | 8.6.0 FP2                     | 8.6.0-TIV-TWS-CERTIFICATES

(1) For additional information, you can read the Fix Pack ReadMe.
(2) For additional information, you can read the ReadMe file shipped with the standalone package.
(3) 8.6 FP3 automatically runs also the second step of the procedure. If you choose to use the 86 FP3 as solution, all the other components in the network affected by the TWS default certificates expiration must be at a fix pack level listed in the above table (second column) before installing it. Another option is that they have run the first script of the standalone package (listed in the third column). For details, see the 86 FP3 ReadMe.

Tivoli Workload Scheduler for z/OS provides the following PTFs for the Tivoli
Workload Scheduler for z/OS controllers to activate the new default
certificates for the scenarios that are affected by the default certificates
expiration date:
  • UK91556 for Tivoli Workload Scheduler for z/OS V8.5.1.
  • UK90065 for Tivoli Workload Scheduler for z/OS V8.6.0.
  • UK83976 for the Tivoli Workload Scheduler agent for z/OS
For more information about the procedures that activate the new default
certificates, see the documentation provided with the PTFs:
  • PTF UK91556 includes a PDF document that describes the procedure to install and
    activate the new default certificates.
  • PTF UK90065 includes tracking comment data that lists the Tivoli Workload
    Scheduler for z/OS manuals that are updated to include the procedure that
    installs and activates the new default certificates.
  • PTF UK83976 includes tracking comment data that lists the Tivoli Workload
    Scheduler manuals that are updated to include the procedure that
    installs and activates the new default certificates.
The "NewDefaultCertificates_zConn_zWAS_860_Flash.pdf" document describes the
procedure to install and activate the new default certificates in the z/OS
connector for WebSphere Application Server for System z component. The new
default certificates provided for z/OS connector for WebSphere Application
Server for System z never expire. You can find the
"NewDefaultCertificates_zConn_zWAS_860_Flash.pdf" document in the Fix Central
repository (http://www-933.ibm.com/support/fixcentral/).

Disabling eWAS automatic renewing mechanism
Starting after December 10 2013, if you are not ready to perform the procedure described in the section "Solving the problem", you can disable the embedded WebSphere Application Server automatic renewing mechanism of the certificates. In this way you can continue to work until the expiration date of the Tivoli Workload Scheduler certificates (February 10 2014).
To disable it, perform the following steps on each machine that contains a Tivoli Workload Scheduler component embedding an eWAS (TDWC, MDM, BKM, agent with d/Connector, DDM, BDM, z/Connector):
- Stop the WebSphere Application Server
- Create a backup copy of the security.xml file, located at:
<INST_DIR>/eWAS/profiles/<PROFILENAME>/config/cells/<CELLNAME>
- Edit the security.xml and search for a line like the following:
<wsCertificateExpirationMonitor ......... name="Certificate Expiration Monitor" autoReplace="true" deleteOld="true" ...... "/>
and delete the part of the line in strike-through.
- Restart the WebSphere Application Server
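
A check to run alongside the steps above, added here as an example (not IBM's code): it makes the backup copy of security.xml without modifying the original and reports the autoReplace and deleteOld values of each wsCertificateExpirationMonitor element, so the current setting can be confirmed on each machine. The sample XML, its placeholder namespace URIs, and the function names are constructed for illustration.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: a real security.xml holds many more elements and
# attributes, and these namespace URIs are placeholders.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmlns:xmi="urn:example:xmi" xmlns:security="urn:example:security">
  <wsCertificateExpirationMonitor xmi:id="Monitor_1"
      name="Certificate Expiration Monitor" autoReplace="true" deleteOld="true"/>
</security:Security>
"""


def find_expiration_monitors(xml_text):
    """Return the settings of every wsCertificateExpirationMonitor element."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        # Compare the local name only, so a namespace does not hide the element.
        if elem.tag.rsplit("}", 1)[-1] == "wsCertificateExpirationMonitor":
            found.append({
                "name": elem.get("name"),
                "autoReplace": elem.get("autoReplace"),
                "deleteOld": elem.get("deleteOld"),
            })
    return found


def backup_and_inspect(security_xml):
    """Copy security.xml to a .bak file beside it, then report the settings."""
    path = Path(security_xml)
    backup = path.with_name(path.name + ".bak")
    if backup.exists():
        # Never overwrite an earlier backup taken before any edit.
        raise FileExistsError(f"refusing to overwrite existing backup {backup}")
    shutil.copy2(path, backup)
    return backup, find_expiration_monitors(path.read_text(encoding="utf-8"))


def demo():
    """Run the check against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "security.xml"
        target.write_text(SAMPLE_SECURITY_XML, encoding="utf-8")
        backup, monitors = backup_and_inspect(target)
        return backup.name, monitors


if __name__ == "__main__":
    print(demo())
```

Run it with the WebSphere Application Server stopped, as the procedure requires, passing the path to security.xml under the profile's cell directory to `backup_and_inspect`.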



NEW STE Course:

An STE course is scheduled for TWS zOS customers on 18 Sept. In this course the Tivoli
Workload Scheduler IBM support team will hold a technical session to explain
the solution to the default certificates expiration problem.


TWS Certificates Expiration Procedure - How to Renewal

A new Support Technical Exchange course is being offered on Sept. 18, 2013. If you cannot attend the live event, the playback recording will be available after the live event has taken place.

Sept. 18th 10 AM Live event link: http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg27038693
Playback link (available approximately 1-2 hours after the 9/18 event concludes): https://sas.elluminate.com/dr.jnlp?suid=D.7BDE1758280DA52FF1095F7148CE88&sid=2012136

Password: STETWSExpire 

Already Held courses:
Tivoli Technical Enablement Support Technical Exchange (STE) Offerings
April 10, 2013 to April 17, 2013. The 04/10 and 04/12 sessions are for TWS Distributed customers. The 04/17 session is for TWS zOS customers.



TWS Certificates Expiration Procedure - How to Renewal
Start Date | Duration | Title

04/10 | 2 Hours | TWS Certificates expiration procedure how to manage
  Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
  Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.6B75285E581CDE1559DDA731D0C9E6&sid=2012136
  Password: STETWSCert

04/12 | 2 Hours | TWS Certificates expiration procedure how to manage
  Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
  Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.433F5BD05A52D09215EDC5134297E2&sid=2012136
  Password: STETWSCert

04/17 | 2 Hours | TWS zOS Certificates expiration procedure how to renewal
  Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
  Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.D2E9F45BC3BB5304081A944E146178&sid=2012136
  Password: STETWSzOSCert












Document information


More support for:

Tivoli Workload Scheduler for z/OS

Software version:

8.5.1, 8.6.0

Operating system(s):

z/OS

Reference #:

1628601

Modified date:

2014-04-15
