IBM Support

Signer's certificate used to sign the Host On-Demand applet V11.0.11 and earlier has expired

Question & Answer


Question

What happens when the certificate used to sign the IBM Rational Host On-Demand applet expires?

Cause

Clients are concerned that Host On-Demand client will no longer work properly if the signer certificate expires.

Answer

The certificate used to sign the IBM Rational Host On-Demand V11 applet will expire during the life cycle of the product. This has no affect on the functionality of the Host On-Demand clients, but with some levels of JRE the applet may not launch. Different browser (Internet Explorer and FireFox) and JRE combinations are producing different results. In some instances, the user is presented with the option to 'Allow' them to continue. Other instances are not allowing the applet to continue launching.

If at some point the certificate is stored in the Publishers list in the Java key store, you can view the certificate by opening the Java control panel, click on the Security tab. Then click on Certificates. The label for the most current certificate is:

IBM Canada Limited


In addition to the jars being signed, they are also time stamped. Applying a timestamp when you sign a JAR is strongly recommended, as it allows you to prove that IBM signed the JARs during the time interval that the code signing certificate was still valid. This allows your JARs to be validated after the certificate expires thereby prolonging the lifetime of your application.

The signer's certificate has to be valid only when the code is signed.


The purpose of this certificate is to sign the applet and has no bearing on the functionality or security functions of the product if the applet will launch. According to Java's security policy, only signed jar files or applets can be downloaded and executed using a browser. Signing the jar files for an applet provides the signer's information so the end user can choose to trust that applet or not. For further information about the signer's certificate, refer to Oracle's blog Signing code for the long-haul.

A new certificate has been used to sign the jar files for Host On-Demand 11.0.12 and higher which is now available on Fix Central to download. This certificate is valid from June 6, 2014 through September 5, 2017. If you are having difficulties launching the Host On-Demand client because of the expired signer's certificate, the recommendation is to upgrade to HOD 11.0.12 or higher.

[{"Product":{"code":"SSS9FA","label":"IBM Host On-Demand"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Documentation","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF020","label":"NetWare"},{"code":"PF025","label":"Platform Independent"},{"code":"PF012","label":"IBM i"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"11.0","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Document Information

Modified date:
02 August 2018

UID

swg21197292