No IBM Rational trial, server, or client access licenses available after installing or upgrading Java and/or listed products - CLM 6.0.5, 6.0.6, 6.0.6.1 only

Content

The License Key Management page on any of the affected products display this error:

CRJAZ1236I A development time license is being used is shown in the description.

The jts.log can show errors that are similar to these errors depending on the licenses that are applied.

2017-08-18 12:49:12,601 [ Default Executor-thread-99] WARN repository.service.internal.license.LicenseService - CRJAZ0942I The license key located at "bundleentry://xxx/inactive/ADI5_User_Trial.jar" could not be processed. For the cause of the problem, see the nested exception.
com.ibm.team.repository.common.TeamRepositoryException: CRJAZ0965I The file was not a valid server or client access license activation key.
at com.ibm.team.repository.service.internal.license.AbstractLicenseService.getPolicy(AbstractLicenseService.java:101)
at com.ibm.team.repository.service.internal.license.AbstractLicenseService.addLicense(AbstractLicenseService.java:108)
at com.ibm.team.repository.service.internal.license.AbstractLicenseService.loadLicenseState(AbstractLicenseService.java:211)
…

This change affects these versions and products:

Collaborative Lifecycle Management versions: 4.0.7, 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4. CLM consists of:

· IBM Rational Team Concert
· IBM Rational Requirements Composer and DOORS Next Generation
· IBM Rational Quality Manager
· IBM Rational Engineering Lifecycle Manager (6.0 and higher)

IBM Rational solution for systems and software engineering versions: 4.0.7, 5.0. 5.0.1, 5.0.2, 6.0
· IBM Rational Team Concert
· IBM Rational Requirements Composer, DOORS Next Generation
· IBM Rational Quality Manager
· IBM Rational Engineering Lifecycle Manager
· IBM Rational Rhapsody Design Manager

IBM IoT Continuous Engineering: 6.0.1, 6.0.2, 6.0.3, 6.0.4.
· IBM Rational Team Concert
· IBM Rational Requirements Composer , DOORS Next Generation
· IBM Rational Quality Manager
· IBM Rational Engineering Lifecycle Manager
· IBM Rational Rhapsody Design Manager

Cause:

As of April 2017 in http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
and in IBM documentation https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_May_2017, both IBM and Oracle Java versions 6, 7, 8 (and beta 9 if supported) published that MD5 signed jar files would be blocked from loading to prevent usage of weak algorithms or keys.

All the licenses, including the internal server and internal trial user licenses such as the QM Data Collector, Data Collection Component Internal, CCM Data Collector, Enterprise Developer trial licenses, and client access licenses generated from the License Key Center use MD5 signatures. Licenses that worked prior to the upgrade are no longer listed. Any license files signed with MD5 will not be loaded by default.

The specific versions of the JVM/JRE/JDK affected are:

• IBM 6.0.16.45 otherwise known as 6.0 SR16 FP45
• IBM 6.1.8.45 otherwise known as 6.1 SR8 FP45
• IBM 7.0.10.5 otherwise known as 7.0 SR4 FP5
• IBM 7.1.4.5 otherwise known as 7.1 SR4 FP5
• IBM 8.0.4.5 otherwise known as 8.0 SR4 FP5
• Oracle 1.6.0_151
• Oracle 1.7.0_141
• Oracle 1.8.0_131

Workarounds and Solutions:

As of CLM 6.0.2 iFix015 (available Dec 14, 2017) and 6.0.3 iFix010 (available January 30, 2018) and 6.0.4 iFix007 (available January 30, 2018), fixes for internal licenses affected by the new MD5 restriction are available. Ifixes for the versions are available on Fix Central and on jazz.net.
There are two steps required if the ifix solution is to be used:

1) Apply the entire iFix and follow the instructions in the readme.txt for the iFix. All internal licenses should function properly after this update.

2) In addition, external license keys need to be renewed on the Rational License Key Center and re-installed.
Go to the Rational License Key Center at https://www-01.ibm.com/software/rational/support/licensing/ and download updated versions of the license keys. Follow these instructions based on the type of license installed on the system:

1. Before upgrading, log in to the Jazz Team Server Admin at https://servername:port/jts/admin and go to Server > License Key Management. Make a note of the licenses installed on the server.
2. Log in to the IBM Rational License Key Center at https://www-01.ibm.com/software/rational/support/licensing/ and under License Management, click Return Keys.
3. Click the specific product link to return the license keys, and then click Return.
4. After the license is returned, click Get Keys.
5. Click the product link to generate the new licenses.
6. When prompted, fill in the required information and click Generate.
7. Download the new file that contains the new licenses.
   Note: For Token licenses, the only requirement is to download the jazztokens.zip file. Because there are no changes in the license.dat file, this file does not need to be downloaded again.
8. In the Jazz Team Server Admin, go to Server > License Key Management and reimport the new license files; click Add to add a license and accept the license agreement and complete the wizard.
   Note: This step can also be performed after the server is upgraded.

For Non-Term (Permanent) Floating and Authorized User licenses:

1. Before the upgrade, log in to Jazz Team Server Admin at https://servername:port/jts/admin and go to Server > License Key Management and make a note of the licenses installed on the server.
2. Log in to the IBM Rational License Key Center at https://www-01.ibm.com/software/rational/support/licensing/ and go to View keys by host or View keys by user.
3. Enter the information about the host or the user.
4. Select the product for which to generate the license.
5. Click View Licenses for Selected Product Lines.
6. Select the license and click View Details.
7. Click Download Keys.
8. In Jazz Team Server Admin, go to Server > License Key Management and reimport the new license files; click Add to add a license and accept the license agreement and complete the wizard.
   Note: This step can be performed after upgrading the server.
9. After installing the updated licenses, the product should be fully functional.

Note: After following the steps specified above, the license file that is generated and downloaded will have the same name as the original license you generated. The content was updated Nov 15, 2017 for all 5.0 and 6.0 licenses.
These licenses are compatible with all versions of Java -- those that now block MD5-signed files and the earlier versions that do not block MD5 content. Upgrading multiple servers that have different versions of 6.0.x and ifixes and use the same updated floating licenses should not cause a conflict.
------------------------------------------------------------------------------------------------------------------------------------------------------------

If the server and all affected applications can be upgraded to 6.0.5 and new licenses applied, the reported problem should not occur.

------------------------------------------------------------------------------------------------------------------------------------------------------------

Note: If some applications such as CCM, QM, or RDNG cannot be upgraded and run at a level that does not include the updated internal licenses, the primary JTS must use the workaround listed below until 6.0.5 or an iFix that corrects the license issue is applied to the lower level applications.
For example, if upgrading from 6.0.4 to 6.0.5 and only JTS is upgraded, any additional servers that run other applications such as CCM, QM, or RDNG that are still at the 6.0.4 level will still have an MD5 signature. These applications will not load. The primary JTS server must use the workaround listed below until 6.0.4 ifix007 (or 6.0.5) can be applied to the other applications. The primary JTS server loads the licenses and is responsible for checking authorization of the other applications.

------------------------------------------------------------------------------------------------------------------------------------------------------------

If unable to upgrade to an iFix where this is resolved or 6.0.5, a temporary workaround by either editing the product or editing Java is provided. Please note that the recommendation is to upgrade the product with new licenses and the new RTC build. The workaround is provided when an upgrade or change in java level is not currently possible.

1. Log in to the application server that was upgraded. Stop the application server and the applications.
2. Go to the jre/lib/security directory.
3. Edit the java.security file.
4. Search the file for jdk.jar.disabledAlgorithms.
5. Remove the MD5 entry such as jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
6. Save the file.
7. Restart the application server.
8. Repeat steps 1-7 on each server where applications are installed.
9. Log back into the JTS Administration page as an administrator and check the JTS License Key Management page.
   1. If the installation is in WebSphere Application Server, go to <WAS_Install_Dir>/AppServer/java_<version>/jre/lib/security where java_<version> is similar to java_1.8.64
   2. If the installation is using a Liberty or Tomcat installation, go to <CLM_Install_Dir>/server/jre/lib/security. The entry to review is jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024. All licenses should be shown and users should be able to connect with no license errors.

Temporary workaround for Rational server running on z/os:

On z/OS, there are several options for a workaround to resolve the issue based on whether or not Liberty or WebSphere Application Server is being used.

If Liberty is being used, edit the java.security file directly in the java installation directory referenced by the Liberty server.
It is therefore possible to :

• perform a similar edit as in #1 in the java directory imbedded in the WAS install or
• add this edited property to WAS_HOME/properties/java.security. Note that this java.security file is by default a symbolic link to the WAS install directory.

It is possible to make a local file copy in the WAS profile to replace the symbolic link and then just make edits in the local copy.

1. Stop the application server and the RTC applications.
2. Go to the …java/lib/security/java.security file in the common install directory, such as /usr/lpp/java/J7.1_64/lib/security/java.security
3. Edit the java.security file.
4. Search the file for jdk.jar.disabledAlgorithms.
   The entry to review is jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
5. Remove the MD5 entry such as jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
6. Save the file.
7. Restart the application server.

With Liberty, if option one is not feasible, create a copy of java.security and point java.options to the edited file.

1. Make a copy of java.security and save the file somewhere on the system, for example etc/jazz603.
2. Ensure the User Id under which the server runs has read and execute permissions to this file.
3. Edit the file as described above in #1.
4. Save java.security.
5. If your system is using Liberty, edit the jvm.options file in the /u/jazz603/wlpuser/servers/clmserver directory (or the appropriate directory for your Liberty server and work directory structure).
6. Add an entry such as -Djava.security.properties=file:///etc/jazz603/java.security that points to the updated java.security file.
7. Restart the server.

With WebSphere Application Server, the java.security file in the WebSphere java directory is supplemented by a java.security file in the application server profile itself.
 

Temporary workaround for Rational server running on IBM i:

To resolve as a temporary workaround through Java whether being used by the application server or as standalone JVM for the product installed on IBM i:

1.  Log in to the application server that was upgraded. Stop the application server and the applications.
2.  Identify the specific JVM being used by the server by opening JTS Administration page as Jazz Admin and go to Server/Server Status/Server VM and note the version and bit type of the JVM used.
3.  Go to the WAS Admin and open WebSphere application servers/[RTC_AppServerName]/Java SDKs.  Note the one that is set to true.
Copy the path under the active JVM.
On IBM i, this will be /QOpenSys/QIBM/ProdData/JavaVM/[jdk version]/[32 or 64bit]/jre/lib



4.  Connect to the IBM i and navigate to /QOpenSys/QIBM/ProdData/JavaVM/[jdk version]/[32 or 64bit]/jre/lib/security/java.security
5. With wrklnk edit the java.security file.
6. Search the file for jdk.tls.disabledAlgorithms
    jdk.tls.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
7. Remove the MD5 entry such as
    jdk.tls.disabledAlgorithms=MD2, RSA keySize < 1024
8. Save the file.
9. Repeat steps 1-8 on each server where applications are installed.
10. Restart the application server.
11. Log back into the JTS Administration page as an administrator and check the JTS Administration License Key Management page. All licenses should be shown and users should be able to connect with no license errors.