Tivoli Workload Scheduler default certificates need to be renewed!

Flash (Alert)


Abstract

Tivoli Workload Scheduler provides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed and enabled with Tivoli Workload Scheduler.

The expiration date for TWS default certificates is February 10th 2014.

Tivoli Workload Scheduler uses the SSL protocol by default in some of its communications, and provides default certificates for it. Complete the steps listed in this Alert as soon as you can to avoid broken communications, which can occur at random even before February 10th 2014.

If you do not customize SSL communication with your own certificates, Tivoli Workload Scheduler uses the default certificates that are stored in the default directories to communicate in SSL mode.

Content

The default certificates that were released with Tivoli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general availability expire on February 10 2014. However, you must renew them as soon as you can, because the embedded WebSphere Application Server automatic renewal mechanism generates new random certificates for use two months before the expiration date. The eWAS embedded in TWS 8.3 does not renew them automatically, so on that version the procedure can be done at any time before February 10th 2014.

Consequently, you must complete the procedure (described in the section "Solving the problem") as soon as you can.

To find out whether your environment is using the default certificates, check the actual expiration date of the installed certificates: if it is February 10 2014, they are the default ones. This check can be done using the procedure explained at:
http://www-01.ibm.com/support/docview.wss?uid=swg21592682
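As an added example (not part of this TechNote), the script below parses the output of the JDK keytool (keytool -list -v -keystore <path>, assumed to be how the keystore is inspected) and flags every entry whose expiry is February 10 2014, that is, a TWS default certificate, as well as entries already expired or inside the 60-day eWAS auto-replace window. The listing is a constructed sample; the keystore path is the one quoted in the log excerpts in the Troubleshooting section.

```python
import re
from datetime import datetime, timedelta

# Expiry shared by the TWS-shipped default certificates (date from this TechNote).
DEFAULT_CERT_EXPIRY = datetime(2014, 2, 10).date()

# Constructed sample of what
#   keytool -list -v -keystore /opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerKeyFile.jks
# prints; real output has more fields, only "Alias name" and "until" matter here.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: IBMJCE

Your keystore contains 2 entries

Alias name: server
Entry type: keyEntry
Owner: CN=Server, O=IBM, C=US
Issuer: CN=Server, O=IBM, C=US
Valid from: Tue Feb 12 14:33:24 EST 2008 until: Mon Feb 10 14:33:24 EST 2014

Alias name: mycorp
Entry type: keyEntry
Owner: CN=tws-mdm.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Valid from: Mon Jan 07 09:00:00 EST 2013 until: Thu Jan 07 09:00:00 EST 2016
"""

# One keystore entry: its alias, then (non-greedily) the "until:" timestamp.
_ENTRY = re.compile(
    r"Alias name: (?P<alias>\S+).*?"
    r"until: (?P<until>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \w+ (?P<year>\d{4})",
    re.S,
)


def parse_keytool_listing(text):
    """Map alias -> expiry datetime. The zone token (EST/EDT/...) is dropped
    because strptime's %Z only accepts UTC/GMT and the local zone name."""
    entries = {}
    for m in _ENTRY.finditer(text):
        stamp = "%s %s" % (m.group("until"), m.group("year"))
        entries[m.group("alias")] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return entries


def check_listing(text, today_iso, warn_days=60):
    """Classify each entry as 'default' (still the TWS-shipped certificate,
    checked first because the fix is the same whether or not it has expired),
    'expired', 'expiring' (inside warn_days, the eWAS auto-replace window)
    or 'ok', relative to today_iso (YYYY-MM-DD)."""
    today = datetime.fromisoformat(today_iso)
    verdict = {}
    for alias, expiry in parse_keytool_listing(text).items():
        if expiry.date() == DEFAULT_CERT_EXPIRY:
            verdict[alias] = "default"
        elif expiry < today:
            verdict[alias] = "expired"
        elif expiry - today <= timedelta(days=warn_days):
            verdict[alias] = "expiring"
        else:
            verdict[alias] = "ok"
    return verdict
```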

If you use the default certificates, and do not perform any actions, the connection between some Tivoli Workload Scheduler components is affected.


Distributed environment

· SSL Connection between the Dynamic Workload Console and master domain manager or backup master domain manager or agents installed with distributed connector.

· SSL Connection between the Job Scheduling Console and master domain manager or backup master domain manager or agents installed with distributed connector.

· SSL Connection between dynamic agents and the master domain manager or dynamic domain manager (only for Tivoli Workload Scheduler V8.5.1 or V8.6 with the dynamic features enabled).

· SSL Communication across the Tivoli Workload Scheduler network (only for the OpenSSL samples certificates provided with Tivoli Workload Scheduler V8.4.0, V8.5.0, V8.5.1, or 8.6.0 general availability).

· SSL Communication for the Event Driven Workload Automation feature (only for the OpenSSL samples certificates provided with Tivoli Workload Scheduler V8.4.0, V8.5.0, V8.5.1, or 8.6.0 general availability).

· Custom integration based on Tivoli Workload Scheduler Java APIs (only if you create your own Java client to connect to Tivoli Workload Scheduler master domain manager or backup master domain manager or agents installed with distributed connector).

· Integration Workbench over SSL (only if you create and use applications for Tivoli Workload Scheduler in the Integration Workbench).

· Connection between the Job Brokering Definition Console and the master domain manager.

· HTTPS for the command-line clients, if you configured your remote command lines (conman, composer, optman, sendevent) to validate the connection with the Tivoli Workload Scheduler server. These command-line clients also include the ones embedded in the FTA.



Distributed components in a z/OS environment

· Connection between the Dynamic Workload Console and the Tivoli Workload Scheduler z/OS connector.

· Connection between the Job Scheduling Console and the Tivoli Workload Scheduler z/OS connector.

· Custom integration based on Tivoli Workload Scheduler Java APIs (only if you create your own Java client to connect to the Tivoli Workload Scheduler z/OS connector).

· Communications between Tivoli Workload Scheduler for z/OS controllers and the Tivoli Workload Scheduler master domain manager, only if the remote engine workstations destination is defined by using the HTTPS value.

· Integration Workbench over SSL (only if you create and use applications for Tivoli Workload Scheduler in the Integration Workbench).

· Connection between the controller and the Tivoli Workload Scheduler agents for z/OS (z-centric agents), only if the z-centric agent destination is defined by using the HTTPS value.

· Connection between the Tivoli Workload Scheduler for z/OS controller and the Tivoli Workload Scheduler dynamic domain managers, only if the broker workstation destination is defined by using the HTTPS value.

Note: For more information about management of the expiration of the default certificates in a z/OS environment, see the TechNote 1628601.



Solving the problem

Note: The procedure to renew the default certificates described below in SOLUTION 1 or SOLUTION 2 is a list of steps.
You do not need to update your Tivoli Workload Scheduler environment with all the procedure steps at the same time.
None of these steps is disruptive, and you can plan to include them in the scheduled maintenance window of the affected machine.
Ensure that the:
· Steps are run in the correct order as described in the procedure.
· Entire procedure is completed before the certificates expiration date.

You can solve the problem by using one of the two following solutions:

  • SOLUTION 1:
    Apply the latest fix pack (when available) to the affected components and follow the procedure described in the ReadMe provided with the fix pack. Note that this procedure also includes manual steps that must be completed after installing the fix pack.
    If the version of all the Tivoli Workload Scheduler components in your environment is 8.2.0, no scenarios are affected.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.3.0, no fix pack is released until the end of support of the version.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.4.0 and you plan to install the latest fix pack:
    1. Download Fix Pack 7 from Fix Central (http://www-933.ibm.com/support/fixcentral) for Tivoli Workload Scheduler. Note: it is not available for Tivoli Dynamic Workload Console.
    2. To renew the default certificates, perform the procedure described in 8.4.0-TWS-ReadMe-FP0007.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.5.0 and you plan to install the latest fix pack:
    1. Download Fix Pack 4 from Fix Central (http://www-933.ibm.com/support/fixcentral) for Tivoli Workload Scheduler and (if affected) Tivoli Dynamic Workload Console. Note: it is not available for Tivoli Workload Scheduler for z/OS Connector.
    2. To renew the default certificates, perform the procedure described in 8.5.0-TWS-ReadMe-FP0004.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.5.1 and you plan to install the latest fix pack:
    1. Download Fix Pack 5 from Fix Central (http://www-933.ibm.com/support/fixcentral) for Tivoli Workload Scheduler and (if affected) Tivoli Dynamic Workload Console. Note: it is not available for Tivoli Workload Scheduler for z/OS Connector.
    2. To renew the default certificates, perform the procedure described in 8.5.1-TWS-ReadMe-FP0005.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.6.0 and you plan to install the latest fix pack:
    1. Download Fix Pack 2 from Fix Central (http://www-933.ibm.com/support/fixcentral) for the affected components (Tivoli Workload Scheduler, Tivoli Dynamic Workload Console and Tivoli Workload Scheduler for z/OS Connector).
    2. To renew the default certificates, perform the procedure described in 8.6.0-TWS-ReadMe-FP0002.

    Note 1: TWS, TDWC and TWS for z/OS Connector 8.6 FP3 install the new certificates. Note that components at this fix pack level communicate with all the other involved components on which the first part of the procedure has been done.
    Note 2: No new fix pack for Job Scheduling Console is released.
  • SOLUTION 2:
    If you do not want to apply the latest fix pack for Tivoli Workload Scheduler, or there is no planned fix pack for the version you need, you must run a manual procedure.

    Perform the following steps:
    1. Download the package <TWS_VERSION>-TIV-TWA-CERTIFICATES for the version you need from Fix Central (http://www-933.ibm.com/support/fixcentral).
       Where:
       <TWS_VERSION> is one of the following: 8.3.0, 8.4.0, 8.5.0, 8.5.1 or 8.6.0.
    2. Perform the procedure described in the "Renewing default certificates for Tivoli Workload Scheduler" (awscertsmst.pdf) document provided in the package.

    The new default certificates installed with TWS fix packs, or that you install manually as part of the procedure, expire on November 9th 2032.
    See the following table for a summary of the affected releases and the available options to address the issue:

    TWS Version   Option 1 - Fix Pack (1)          Option 2 - standalone package (2)
    8.1, 8.2.X    Not affected                     Not affected
    8.3.0         Not available - use Option 2     8.3.0-TIV-TWS-CERTIFICATES
    8.4.0         8.4.0 FP7                        8.4.0-TIV-TWS-CERTIFICATES
    8.5.0         8.5.0 FP4                        8.5.0-TIV-TWS-CERTIFICATES
    8.5.1         8.5.1 FP5                        8.5.1-TIV-TWS-CERTIFICATES
    8.6.0         8.6.0 FP2 (3)                    8.6.0-TIV-TWS-CERTIFICATES

    (1) For additional information, you can read the Fix Pack ReadMe.
    (2) For additional information, you can read the ReadMe file shipped with the standalone package.
    (3) 8.6 FP3 also runs the second step of the procedure automatically. If you choose 8.6 FP3 as the solution, all the other components in the network affected by the TWS default certificates expiration must be at a fix pack level listed in the table above (second column) before you install it; alternatively, they must have run the first script of the standalone package (third column). For details see the 8.6 FP3 ReadMe.



    See the following table for a summary of the affected components. For each question, the row gives the actions for Option 1 (fix pack) and Option 2 (standalone package):

    Perform always (no question)
      Option 1 - Fix Pack: First install the fix pack on the MDM and BKM, then run the second step of the entire procedure for MDM and BKM (1).
      Option 2 - standalone package: Run the stand-alone package procedure for MDM and BKM (2).

    TDWC/JSC is installed?
      Option 1 - Fix Pack:
      · First install the fix pack on the DWC, then run the second step of the entire procedure for TDWC (1).
      · Copy certificates from MDM to JSCs.
      Option 2 - standalone package:
      · Run the stand-alone package procedure for TDWC (2).
      · Copy certificates from MDM to JSCs.

    Dynamic feature is used?
      Option 1 - Fix Pack:
      · Install the fix pack on the dynamic agents, DDMs and BDMs, then run the second step of the entire procedure for dynamic agents, DDMs and BDMs (1).
      · Copy the certificates from MDM to JBDC.
      Option 2 - standalone package:
      · Run the standalone package procedure for dynamic agents, DDMs and BDMs (2).
      · Copy the certificates from MDM to JBDC.

    TWS API integration is used?
      Option 1 - Fix Pack:
      · Copy certificates from MDM to the clients.
      · Install FP on the Integration Workbench.
      Option 2 - standalone package:
      · Copy certificates from MDM to the clients.
      · Copy certificates from MDM to the Integration Workbench.

    SSL used for EDWA? (Verify by checking that, in the output of optman ls, the value of eventProcessorEIFSSLPort is not zero.)
      Option 1 - Fix Pack: Install FP on DMs and FTAs, then run the second step of the entire procedure for DMs and FTAs.
      Option 2 - standalone package: Run the standalone package procedure for DMs and FTAs (2).

    SSL on TWS network with sample certificates is used? (Verify whether the TWS CPU definition contains the keyword "securitylevel" set to any value.)
      Option 1 - Fix Pack: Install FP on DMs and FTAs, then run the second step of the entire procedure for DMs and FTAs.
      Option 2 - standalone package: Run the standalone package procedure for DMs and FTAs (2).

    Remote CLI is installed and the localopts file contains CLISSLSERVERAUTH=yes? (3)
      Option 1 - Fix Pack: Copy certificates from MDM to the remote CLI machine.
      Option 2 - standalone package: Copy certificates from MDM to the remote CLI machine.

    (1) You do not need to install the fix pack and run the second step of the procedure at the same time, but you must complete the entire procedure before the certificates expire on February 10, 2014.
    (2) You do not need to run the standalone package procedure on all machines at the same time, but you must complete the entire procedure before the certificates expire on February 10, 2014.
    (3) The command lines in this table are conman, composer, sendevent and optman, and also include the ones embedded in the FTA that are used for submission or for sending events to the MDM.

    Note: If you run the procedure on your machines and then apply the Tivoli Workload Scheduler fix packs, the new certificates are kept on the machine, with the exception of the certificates used for SSL communication across the TWS network when the cpu definition of the workstation contains the keyword "securitylevel" set to any value.
    Consequently, if you are using SSL communication across the TWS network and you apply one of the following fix packs, you must re-run the procedure.
    Affected fix packs:
    - 8.3: no fix pack affected
    - 8.4: all the delivered fix packs (1-7)
    - 8.5: all the delivered fix packs (1-4)
    - 8.5.1: all the delivered fix packs except the last one (1-4; FP5 does not have the issue)
    - 8.6: all the delivered fix packs except the last one (1-2; FP3 does not have the issue)

    Note: If, for any reason, you apply the procedure after the certificate expiration date (February 10), the only available option is Option 2 (the standalone package), because Option 1 (which includes the fix pack installation) could fail.

    Disabling the eWAS automatic renewal mechanism for versions 8.4, 8.5.0, 8.5.1, 8.6
    If you have Tivoli Workload Scheduler V8.3, no action is required.
    For the other versions, if you are not ready to perform the procedure described in the section "Solving the problem" before February 10th 2014, you can disable the embedded WebSphere Application Server automatic renewal mechanism of the certificates. In this way you can continue to work until the expiration date of the Tivoli Workload Scheduler certificates (February 10th 2014).
    To disable it, perform the following steps on each machine that contains a Tivoli Workload Scheduler component embedding a WebSphere Application Server (TDWC, MDM, BKM, agent with d/Connector, DDM, BDM, z/Connector):

    • Stop the WebSphere Application Server.
    • Create a backup copy of the security.xml file, located at:
      v. 8.4: <INST_DIR>/appserver/profiles/<PROFILENAME>/config/cells/<CELLNAME>
      v. 8.5.0, 8.5.1, 8.6: <INST_DIR>/eWAS/profiles/<PROFILENAME>/config/cells/<CELLNAME>
    • Edit security.xml and search for a line like the following:
      <wsCertificateExpirationMonitor ......... name="Certificate Expiration Monitor" autoReplace="true" deleteOld="true" ...... "/>
      and delete the part of the line shown in strike-through.
    • Restart the WebSphere Application Server.
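The edit above can be scripted so that it is repeatable across every eWAS profile. The example below is added here and is not from the TechNote; it assumes that the struck-through part of the line is the two attributes autoReplace="true" and deleteOld="true", edits security.xml as text (so nothing else in the file is re-serialised), and works on a constructed sample of the file.

```python
import re
import shutil

# Constructed sample of the security.xml fragment quoted in the TechNote.
# Attribute set, order and values are assumptions; a real file is far larger.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <wsCertificateExpirationMonitor xmi:id="WSCertificateExpirationMonitor_1" name="Certificate Expiration Monitor" daysBeforeNotification="60" isEnabled="true" autoReplace="true" deleteOld="true" wsNotification="WSNotification_1"/>
</security:Security>
"""

# Assumption: these two attributes are the struck-through part of the line
# shown in the TechNote (the strike-through does not survive as plain text).
AUTO_RENEW_ATTRS = ("autoReplace", "deleteOld")

_MONITOR_TAG = re.compile(r"<wsCertificateExpirationMonitor\b[^>]*>")


def disable_auto_replace(xml_text):
    """Return (new_text, removed): strip AUTO_RENEW_ATTRS from the
    wsCertificateExpirationMonitor element only. The file is edited as text
    rather than re-serialised as XML so that namespace prefixes, xmi:ids and
    formatting elsewhere in security.xml stay byte-for-byte identical."""
    removed = 0

    def _edit(match):
        nonlocal removed
        tag = match.group(0)
        for attr in AUTO_RENEW_ATTRS:
            tag, n = re.subn(r'\s+%s="[^"]*"' % attr, "", tag)
            removed += n
        return tag

    return _MONITOR_TAG.sub(_edit, xml_text, count=1), removed


def patch_security_xml(path):
    """Back up security.xml beside itself, then rewrite it in place.
    Only do this while the WebSphere Application Server is stopped."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, removed = disable_auto_replace(original)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return removed
```

Run patch_security_xml() once per profile against the security.xml path for your version, then restart the server and confirm the attributes are gone before relying on it.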


    Troubleshooting
    Before the expiration of the certificates (but close to it), if the procedure has not been completed, you can find the following warning messages on all the WebSphere-based servers (MDM, BKM, TDWC, DDM, BDM, z/Connector and d/Connector):
    [2/05/14 14:07:31:326 EDT] 0000001e KeyStoreManag W CWWSS5189W: The certificate, which is owned by CN=Server, O=IBM, C=US, uses the server alias, and is located in the /opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerKeyFile.jks keystore, expires in 5 days.

    After the expiration of the certificates, the communication among these WebSphere servers (TDWC-MDM communication, or TDWC-z/Connector communication) or between one of them and its clients (MDM-JSC communication or MDM-d/agents communication) is interrupted, and on the WebSphere-based server you can find:
    [2/14/14 18:48:24:092 EDT] 4a7a6588 KeyStoreKeyLo E WSEC5181E: The certificate ("CN=Server, O=IBM, C=US") with alias "server" from keystore "opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerKeyFile.jks" has expired: java.security.cert.CertificateExpiredException: NotAfter: Mon Feb 10 14:33:24 EDT 2014 at com.ibm.security.x509.CertificateValidity.valid(Unknown Source)

    If the procedure has not been run properly, you can find messages like the following on the WebSphere-based servers:
    [8/30/11 15:42:24:198 EDT] 4a7a6688 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE : A signer with SubjectDN "CN=Client, O=IBM, C=US" was sent from target host:port "unknown:0". The signer may need to be added to local trust store "/opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerTrustFile.jks" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found"

    On the dynamic agents, either because the certificate has expired or because the procedure has not been run properly, you can find messages like the following:
    2013-05-27 16:12:18.373+02:00|10824|5704|IBM-IT675678|AWSITA081E The agent can not send the resource information to "IBM-IT675678:31116/JobManagerRESTWeb/JobScheduler/resource" (IBM-IT675678:31116/JobManagerRESTWeb/JobScheduler/resource%27). The error is: "CURL error 35"
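The four message ids above are enough to triage a log without reading it by hand. The detection routine below is an added example, not part of the TechNote: it scans SystemOut.log and agent log lines for those ids, pulls out the keystore path and the days-to-expiry where the message carries them, and reduces the findings to the next action the TechNote prescribes. The log is a constructed sample built from the lines quoted above plus one unrelated line.

```python
import re

# Message ids quoted in this TechNote, mapped to what each one means for the
# certificate-renewal procedure.
SIGNATURES = {
    "CWWSS5189W": "expiring",          # eWAS: keystore certificate expires in N days
    "WSEC5181E": "expired",            # eWAS: certificate has expired
    "CWPKI0022E": "untrusted_signer",  # eWAS: peer's signer missing from the trust store
    "AWSITA081E": "agent_ssl_failure", # dynamic agent: CURL error 35 towards JobManagerREST
}

_DAYS = re.compile(r"expires in (\d+) days")
_KEYSTORE = re.compile(r'(?:located in the |from keystore "|local trust store ")([^\s"]+\.jks)')

# Constructed sample: the four lines quoted in the TechNote plus one unrelated
# informational line, as they might appear in SystemOut.log and the agent log.
SAMPLE_LOG = """\
[2/05/14 14:07:31:326 EDT] 0000001e KeyStoreManag W CWWSS5189W: The certificate, which is owned by CN=Server, O=IBM, C=US, uses the server alias, and is located in the /opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerKeyFile.jks keystore, expires in 5 days.
[2/05/14 14:07:32:001 EDT] 0000001e WsServerImpl  A   WSVR0001I: Server server1 open for e-business
[2/14/14 18:48:24:092 EDT] 4a7a6588 KeyStoreKeyLo E WSEC5181E: The certificate ("CN=Server, O=IBM, C=US") with alias "server" from keystore "opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerKeyFile.jks" has expired: java.security.cert.CertificateExpiredException: NotAfter: Mon Feb 10 14:33:24 EDT 2014 at com.ibm.security.x509.CertificateValidity.valid(Unknown Source)
[8/30/11 15:42:24:198 EDT] 4a7a6688 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE : A signer with SubjectDN "CN=Client, O=IBM, C=US" was sent from target host:port "unknown:0". The signer may need to be added to local trust store "/opt/IBM/TWA/eWAS/profiles/twaprofile/etc/TWSServerTrustFile.jks" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found"
2013-05-27 16:12:18.373+02:00|10824|5704|IBM-IT675678|AWSITA081E The agent can not send the resource information to "IBM-IT675678:31116/JobManagerRESTWeb/JobScheduler/resource" (IBM-IT675678:31116/JobManagerRESTWeb/JobScheduler/resource%27). The error is: "CURL error 35"
"""


def triage(log_text):
    """Return one finding per line carrying a known message id:
    {line_no, id, kind, days (CWWSS5189W only), keystore (if the message names one)}."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for msg_id, kind in SIGNATURES.items():
            if msg_id not in line:
                continue
            days = _DAYS.search(line)
            keystore = _KEYSTORE.search(line)
            findings.append({
                "line_no": line_no,
                "id": msg_id,
                "kind": kind,
                "days": int(days.group(1)) if days else None,
                "keystore": keystore.group(1) if keystore else None,
            })
            break
    return findings


def overall_status(findings):
    """Collapse findings into the single next action the TechNote implies."""
    kinds = {f["kind"] for f in findings}
    if "expired" in kinds:
        return "expired: only Option 2 (standalone package) remains"
    if "untrusted_signer" in kinds:
        return "procedure incomplete: a peer's signer is not in the trust store"
    if "agent_ssl_failure" in kinds:
        return "agent SSL failure: check expiry and the procedure on agent and manager"
    if "expiring" in kinds:
        return "expiring: complete the procedure before the expiry date"
    return "no certificate findings"
```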


    IBM Support training sessions:

    STE Courses
    All sessions already held have been recorded.
    See the table below for further details.

    TWS Customers Courses

    09/18 2 Hours TWS default certificates expire on Feb 14 2014: Procedure on how to renew them
    A new Support Technical Exchange course is being offered on Sept. 18, 2013. If you cannot attend the live event, the playback recording will be available after the live event has taken place.

    Sept. 18th 10 AM Live event link: http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg27038693
    Playback link (available approximately 1-2 hours after the 9/18 event concludes): https://sas.elluminate.com/dr.jnlp?suid=D.7BDE1758280DA52FF1095F7148CE88&sid=2012136
    Password: STETWSExpire
    04/10 2 Hours TWS Certificates expiration procedure how to manage
    Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
    Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.6B75285E581CDE1559DDA731D0C9E6&sid=2012136
    Password: STETWSCert
    04/12 2 Hours TWS Certificates expiration procedure how to manage
    Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
    Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.433F5BD05A52D09215EDC5134297E2&sid=2012136
    Password: STETWSCert
    04/17 2 Hours TWS zOS Certificates expiration procedure how to renew
    Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
    Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.D2E9F45BC3BB5304081A944E146178&sid=2012136
    Password: STETWSzOSCert


    Document information

    More support for: Tivoli Workload Scheduler
    Software version: 8.3, 8.4, 8.5, 8.5.1, 8.6
    Operating system(s): Platform Independent
    Reference #: 1628636
    Modified date: 2014-05-23
