
Tivoli Workload Scheduler default certificates expire on 10 February 2014


Flash (Alert)


Abstract

Tivoli Workload Scheduler provides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed and enabled with Tivoli Workload Scheduler.

By default, Tivoli Workload Scheduler uses the SSL protocol for some of its communications. It also provides default certificates to manage the SSL protocol. If you do not complete the steps listed in this Alert, these communications will be broken after 10 February 2014.

If you do not customize SSL communication with your own certificates, Tivoli Workload Scheduler uses the default certificates that are stored in the default directories to communicate in SSL mode.

Content

The default certificates that were released with Tivoli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general availability expire on 10 February 2014.

If you did not customize them, they are still in use.

To determine whether your environment uses the default certificates, check the actual expiration date of the installed certificates and see whether it is 10 February 2014. You can perform this check by using the procedure explained at:
http://www-01.ibm.com/support/docview.wss?uid=swg21592682
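
The expiry check described above can be scripted for PEM-encoded certificate files. This is an added example, not IBM's procedure from the linked document; it assumes the `openssl` command is installed, that you pass the certificate file paths yourself, and the function names are illustrative. It handles PEM files only.

```shell
#!/bin/sh
# Added example: flag PEM certificates that carry the default expiry date
# named in this alert (10 February 2014) or the renewed one (9 November 2032).
# Certificate paths are supplied by the operator on the command line.

# classify_enddate "notAfter=Feb 10 12:00:00 2014 GMT"
# Prints default-2014, renewed-2032, custom or unparsed.
classify_enddate() {
    line=${1#notAfter=}
    # Word-split so OpenSSL's space-padded day ("Nov  9") is handled.
    set -- $line
    [ $# -ge 4 ] || { echo unparsed; return 1; }
    case "$1 $2 $4" in
        "Feb 10 2014") echo default-2014 ;;
        "Nov 9 2032")  echo renewed-2032 ;;
        *)             echo custom ;;
    esac
}

# check_cert FILE: print one status line; non-zero status if the file is
# unreadable or still carries the 2014 default expiry date.
check_cert() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || {
        echo "$1: not a readable PEM certificate"; return 2; }
    kind=$(classify_enddate "$end")
    # -checkend 0 succeeds only if the certificate has not yet expired.
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        state=valid
    else
        state=EXPIRED
    fi
    echo "$1: $kind ($state, $end)"
    [ "$kind" != default-2014 ]
}

rc=0
for f in "$@"; do
    check_cert "$f" || rc=1
done
[ "$rc" -eq 0 ]
```

A non-zero exit status means at least one file was unreadable or still has the 10 February 2014 expiry date.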

If you use the default certificates, and do not perform any actions before the expiration date, the connection between some Tivoli Workload Scheduler components is affected:


Distributed environment

· SSL Connection between the Dynamic Workload Console and master domain manager or backup master domain manager or agents installed with distributed connector.

· SSL Connection between the Job Scheduling Console and master domain manager or backup master domain manager or agents installed with distributed connector.

· SSL Connection between dynamic agents and the master domain manager or dynamic domain manager (only for Tivoli Workload Scheduler V8.5.1 or V8.6 with the dynamic features enabled).

· SSL Communication across the Tivoli Workload Scheduler network (only for the OpenSSL sample certificates provided with Tivoli Workload Scheduler V8.4.0, V8.5.0, V8.5.1, or V8.6.0 general availability).

· Custom integration based on Tivoli Workload Scheduler Java APIs (only if you create your own Java client to connect to Tivoli Workload Scheduler master domain manager or backup master domain manager or agents installed with distributed connector).

· Integration Workbench over SSL (only if you create and use applications for Tivoli Workload Scheduler in the Integration Workbench).

· Connection between the Job Brokering Definition Console and the master domain manager.

· HTTPS for the command-line clients (if you configured your remote command-lines (conman, composer) to validate the connection with the Tivoli Workload Scheduler server).



Distributed components in a z/OS environment

· Connection between the Dynamic Workload Console and the Tivoli Workload Scheduler z/OS connector.

· Connection between the Job Scheduling Console and the Tivoli Workload Scheduler z/OS connector.

· Custom integration based on Tivoli Workload Scheduler Java APIs (only if you create your own Java client to connect to the Tivoli Workload Scheduler z/OS connector).

· Communications between Tivoli Workload Scheduler for z/OS controllers and the Tivoli Workload Scheduler master domain manager, only if the remote engine workstations destination is defined by using the HTTPS value.

· Integration Workbench over SSL (only if you create and use applications for Tivoli Workload Scheduler in the Integration Workbench).

· Connection between the controller and the Tivoli Workload Scheduler agents for z/OS (z-centric agents), only if the z-centric agent destination is defined by using the HTTPS value.

· Connection between the Tivoli Workload Scheduler for z/OS controller and the Tivoli Workload Scheduler dynamic domain managers, only if the broker workstation destination is defined by using the HTTPS value.

Note: For more information about management of the expiration of the default certificates in a z/OS environment, see the TechNote 1628601.



Solving the problem

Note: The procedure to renew the default certificates, described below in SOLUTION 1 or SOLUTION 2, is a list of steps.
You do not need to perform all the procedure steps on your Tivoli Workload Scheduler environment at the same time, but you must complete the entire procedure before the certificates expire on 10 February 2014.
None of these steps is disruptive, and you can plan to include them in the scheduled maintenance window of the affected machine.
Ensure that:
· The steps are run in the correct order, as described in the procedure.
· The entire procedure is completed before the certificates' expiration date.

You can solve the problem by using one of the two following solutions:

  • SOLUTION 1:
    Apply the latest fix pack (when available) to the affected components and follow the procedure described in the ReadMe provided with the fix pack:
    If the version of all the Tivoli Workload Scheduler components in your environment is 8.2.0, no scenarios are affected.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.3.0, no fix pack is released until the end of support of the version.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.4.0 and you plan to install the latest fix pack:
    1. Download FixPack 7 from the Fix Central (http://www-933.ibm.com/support/fixcentral).
    2. To renew the default certificates perform the procedure described in 8.4.0-TWS-ReadMe-FP0007.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.5.0 and you plan to install the latest fix pack:
    1. Download FixPack 4 from the Fix Central (http://www-933.ibm.com/support/fixcentral).
    2. To renew the default certificates perform the procedure described in 8.5.0-TWS-ReadMe-FP0004.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.5.1 and you plan to install the latest fix pack that includes the procedure to renew the default certificates, wait for the release of the latest fix pack in 2Q 2013.

    If the version of all the Tivoli Workload Scheduler components in your environment is 8.6.0 and you plan to install the latest fix pack:
    1. Download FixPack 2 from the Fix Central (http://www-933.ibm.com/support/fixcentral).
    2. To renew the default certificates perform the procedure described in 8.6.0-TWS-ReadMe-FP0002.

    Note: No new fix pack for Job Scheduling Console is released.

  • SOLUTION 2:
    If you do not want to apply the latest fix pack for Tivoli Workload Scheduler or there is no planned fix pack for the version you need, then you must run a manual procedure.

    Perform the following steps:
    1. Download the package <TWS_VERSION>-TIV-TWA-CERTIFICATES for the version you need from Fix Central (http://www-933.ibm.com/support/fixcentral).
       Where <TWS_VERSION> is one of the following: 8.3.0, 8.4.0, 8.5.0, 8.5.1 or 8.6.0.
    2. Perform the procedure described in the "Renewing default certificates for Tivoli Workload Scheduler" (awscertsmst.pdf) document provided in the package.

    The new default certificates that are installed with the TWS fix packs, or that you manually install as part of the procedure, will expire on 9 November 2032.
    See the following table for a summary of the affected releases and the available options to address the issue:

    | TWS Version | Option 1 - Fix Pack (1)        | Option 2 - standalone package (2) |
    |-------------|--------------------------------|-----------------------------------|
    | 8.1, 8.2.X  | Not affected                   | Not affected                      |
    | 8.3.0       | Not Available - Use Option 2   | 8.3.0-TIV-TWS-CERTIFICATES        |
    | 8.4.0       | 8.4.0 FP7                      | 8.4.0-TIV-TWS-CERTIFICATES        |
    | 8.5.0       | 8.5.0 FP4                      | 8.5.0-TIV-TWS-CERTIFICATES        |
    | 8.5.1       | 8.5.1 FP5 (3Q 2013)            | 8.5.1-TIV-TWS-CERTIFICATES        |
    | 8.6.0       | 8.6.0 FP2                      | 8.6.0-TIV-TWS-CERTIFICATES        |

    (1) For additional information, you can read the Fix Pack ReadMe.
    (2) For additional information, you can read the ReadMe file shipped with the standalone package.



    See the following table for a summary of affected components:

    | Question | Option 1 - Fix Pack | Option 2 - standalone package |
    |----------|---------------------|-------------------------------|
    | NO QUESTION: Perform always | First install the fix pack on the MDM and BKM and then run the second step of the entire procedure for MDM and BKM (1) | Run stand-alone package procedure for MDM and BKM (2) |
    | TDWC/JSC is installed? | · First install the fix pack on the DWC and then run the second step of the entire procedure for TDWC (1). · Copy certificates from MDM to JSCs | · Run stand-alone package procedure for TDWC (2) · Copy certificates from MDM to JSCs |
    | Dynamic feature is used? | · Install the fix pack on the dynamic agents, DDMs, BDMs and then run the second step of the entire procedure for dynamic agents, DDMs, BDMs (1). · Copy the certificates from MDM to JBDC. | · Run standalone package procedure for dynamic agents, DDMs and BDMs (2). · Copy the certificates from MDM to JBDC. |
    | TWS API integration is used? | · Copy certificates from MDM to the clients. · Install FP on the Integration Workbench. | · Copy certificates from MDM to the clients · Copy certificates from MDM to the Integration Workbench. |
    | SSL on TWS network with sample certificates is used? ("nm SSL port" or "nm SSL full port" different from 0 in localopts) | Install FP on DMs and FTAs and then run the second step of the entire procedure for DMs and FTAs. | Run standalone package procedure for DMs and FTAs (2) |
    | Remote CLI is installed and localopts file contains CLISSLSERVERAUTH=yes? | Copy certificates from MDM to the remote CLI machine | Copy certificates from MDM to the remote CLI machine |

    (1) You do not need to install the fix pack and run the second step of the procedure all at the same time, but you must perform the entire procedure before the certificates expire on February 10, 2014.
    (2) You do not need to run the standalone package procedure on all machines at the same time, but you must perform the entire procedure before the certificates expire on February 10, 2014.


    STE Courses
    A STE course is scheduled for TWS customers on April 10 and 12, 2013. In this course the Tivoli Workload Scheduler IBM support team will hold a technical session to explain the solution to the default certificates expiration problem.

    TWS Customers Courses

    · 04/10, 2 Hours: TWS Certificates expiration procedure how to manage
      Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
      Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.6B75285E581CDE1559DDA731D0C9E6&sid=2012136
      Password: STETWSCert

    · 04/12, 2 Hours: TWS Certificates expiration procedure how to manage
      Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
      Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.433F5BD05A52D09215EDC5134297E2&sid=2012136
      Password: STETWSCert

    · 04/17, 2 Hours: TWS zOS Certificates expiration procedure how to renewal
      Live Event - https://sas.elluminate.com/d.jnlp?sid=2012136
      Playback Recording - https://sas.elluminate.com/dr.jnlp?suid=D.D2E9F45BC3BB5304081A944E146178&sid=2012136
      Password: STETWSzOSCert

    TWS IBM Support Course

    · 04/05, 2 Hours: TWS Certificates expiration procedure how to renewal
      Live Event - https://sesuite.tivlab.austin.ibm.com/sesuite/build?section=coursehighlight&nav=attend&course=20130301093359151


    Copyright and trademark information

    IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


    Document information

    Tivoli Workload Scheduler
    Software version: 8.3, 8.4, 8.5, 8.5.1, 8.6
    Operating system(s): Platform Independent
    Reference #: 1628636
    Modified date: 2013-05-02
