IBM Support

PK42863; 6.1.0.5: (correction) need prenotification on expiring certificate

Download


Abstract

The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration.

Download Description

PK42863 resolves the following problem:

ERROR DESCRIPTION:
The Interim fix install for PK34093 contains a couple of packaging errors:

1. PK34093 fails to install if the APAR is packaged to a CIP. When this condition happens, the following error is logged:

(Apr 2, 2007 2:02:02 PM), Process, com.ibm.ws.install.ni.ismp.installtoolkitbridge.ISMPInstallToolkitBridge ForNIFramework, wrn, Config action failed:

10FupdateSecurityConfig -
/usr/local/WebSphere/AppServer/properties/version/nif/config/update/6.1.0.5-WS-WAS-IFPK34093/install/10FupdateSecurityConfig.ant
----------------------------------------------------------------

2. PK34093 cannot be installed on the OS/400 platform. When this condition happens, the following error is logged:

(Mar 30, 2007 8:51:52 PM), Install, com.ibm.ws.install.ni.ismp.actions.SetExitCodeAction, msg1,
CWUPI0000I: EXITCODE=2
----------------------------------------------------------------

LOCAL FIX:
None

PROBLEM SUMMARY

USERS AFFECTED:
All users of servers installed with IBM® WebSphere® Application Server version 6.1.

PROBLEM DESCRIPTION:
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default, every 28 days the server checks and reports the status of certificate expiration. By default, the certificate is replaced automatically 60 days before it expires (the threshold period).

Administrative clients handle the certificate replacement without intervention by retrieving the new signer certificate, but other services such as a WebServer do not. For a WebServer, extracting the signer certificate is a manual step, so the automatic replacement of its certificate can cause an outage of the service.

RECOMMENDATION:
None

A server's self-signed certificate is replaced 60 days before it expires, which is about 10 months after the certificate is created. This causes an outage on services such as WebServer, where managing the client signer certificate is a manual step. This change therefore extends the life span of the default self-signed certificate to 15 years and provides additional warning time before certificates are automatically replaced.

PROBLEM CONCLUSION:
With this fix, a couple of things are being done to prevent service outages:
1. A prenotification message will start appearing 90 days before the threshold period, warning the user that certificates will be replaced once they are within the expiration threshold.

2. The default self-signed certificate life span is extended to 15 years.
Note: this is only applicable for a profile which will be created after applying this APAR fix.
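
The timing described above can be worked through with a short simulation. This is an added example, not IBM code: the function names are hypothetical, and it assumes the first expiration check runs on the day the certificate is created and that a year is 365 days.

```python
from datetime import date, timedelta

CHECK_INTERVAL = timedelta(days=28)  # page: expiration check runs every 28 days
THRESHOLD = timedelta(days=60)       # page: replaced 60 days before expiry

def classify(today, not_after, prenotify_days):
    """State a monitor run would report for one certificate on a given day."""
    if today >= not_after:
        return "expired"
    if today >= not_after - THRESHOLD:
        return "replace"
    if today >= not_after - THRESHOLD - timedelta(days=prenotify_days):
        return "prenotify"
    return "ok"

def timeline(created, lifetime_days, prenotify_days=90):
    """Simulate monitor runs until the certificate would be replaced.

    prenotify_days=90 models the fixed behaviour; 0 models the behaviour
    before the fix (no warning ahead of the threshold period).
    Returns (dates_a_warning_was_logged, date_of_replacement).
    """
    not_after = created + timedelta(days=lifetime_days)
    run = created  # assumption: first check happens at creation
    warnings = []
    while True:
        state = classify(run, not_after, prenotify_days)
        if state in ("replace", "expired"):
            return warnings, run
        if state == "prenotify":
            warnings.append(run)
        run += CHECK_INTERVAL

if __name__ == "__main__":
    created = date(2007, 1, 1)  # constructed sample creation date
    for label, life, pre in (("1 year, before fix", 365, 0),
                             ("1 year, with prenotification", 365, 90),
                             ("15 years, with prenotification", 15 * 365, 90)):
        warns, replaced = timeline(created, life, pre)
        print(f"{label}: {len(warns)} warning run(s), first "
              f"{warns[0] if warns else 'none'}, replaced {replaced} "
              f"(day {(replaced - created).days})")
```

Because checks run only every 28 days, the replacement lands on the first check inside the 60-day threshold, not on the threshold date itself; that is the deadline by which a manually managed signer certificate on a WebServer has to be re-extracted.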


PK34093 Interim Fix is superseded by this APAR fix.

Note: This fix is not required if the PK34093 fix was already applied. This fixes an Interim Fix packaging problem only.

Fixpack 6.1.0.7 has included the equivalent fix of this APAR under PK34093.

Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 8176): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK42863/readme.txt

Download packages (release date 05-11-2007, US English, platform AIX):

6.1.0.1-WS-WAS-IFPK42863 (size 55481): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK42863/6.1.0.1-WS-WAS-IFPK42863.pak
6.1.0.3-WS-WAS-IFPK42863 (size 62197): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK42863/6.1.0.3-WS-WAS-IFPK42863.pak
6.1.0.5-WS-WAS-IFPK42863 (size 62316): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK42863/6.1.0.5-WS-WAS-IFPK42863.pak

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Component: Security
Platform: AIX, HP-UX, Linux, Solaris, Windows, IBM i
Version: 6.1.0.1; 6.1.0.2; 6.1.0.3; 6.1.0.5
Edition: Express; Network Deployment
Business Unit: Cloud & Data Platform
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24015797