Renewing default certificates for Tivoli Workload Scheduler

Transcription

1 IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload Scheduler Version

2

3 IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload Scheduler Version

4 Note Before using this information and the product it supports, read the information in Notices on page 75.

5 Contents Chapter 1. Scenarios affected by default certificates expiration Scenarios for the distributed enironment Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector Scenario: Connection between the Job Scheduling Console and agent with a distributed connector. 2 Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager Scenario: SSL Communication across the Tioli Workload Scheduler network Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs Scenario: Integration Workbench oer SSL... 4 Scenario: HTTPS for the command-line clients.. 4 Scenarios for distributed components in a z/os enironment Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller Scenario: Connection among dynamic domain managers and the z/os Controller Chapter 2. How to renew the default certificates Downloading the package Installing the package Package contents Scripts to renew the default certificates updtruststorecerts updkeystorecerts updtrustkeystorecerts Procedure to renew the default certificates in a distributed enironment Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector. 18 Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console Procedure to manage the default certificates for dynamic scheduling enironment Procedure to manage the default certificates for fault-tolerant agents and domain managers in the SSL enironment Procedure to manage the default certificates for the connector APIs Procedure to manage the default certificates for the Integration Workbench Procedure to manage the default truststore and keystore for command-line client Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector. 52 Procedure to renew the default certificates for distributed components used in a z/os enironment Procedure to renew the default certificates for z/os connector on a distributed system Procedure to manage the default certificates for Tioli Workload Scheduler for z/os agent (z-centric) Procedure to manage the default certificates for dynamic domain managers connected to the z/os Controller Notices Trademarks Index iii

6 i Renewing default certificates

7 Chapter 1. Scenarios affected by default certificates expiration Tioli Workload Scheduler proides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed with Tioli Workload Scheduler. Tioli Workload Scheduler also proides default certificates to manage the SSL protocol that is based on a priate and public key methodology. The following terminology is used: truststore In security, a storage object, either a file or a hardware cryptographic card, where public keys are stored in the form of trusted certificates, for authentication purposes in web transactions. In some applications, these trusted certificates are moed into the application keystore to be stored with the priate keys. keystore In security, a file or a hardware cryptographic card where identities and priate keys are stored, for authentication and encryption purposes. Some keystores also contain trusted or public keys. If you do not customize SSL communication with your own certificates, Tioli Workload Scheduler uses the default certificates that are stored in the default directories to communicate in SSL mode. The default certificates that were released with Tioli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general aailability expire on February 10, If Tioli Workload Scheduler uses the default certificates for SSL connections, the administrator must renew the default certificates for the following scenarios because they are affected by the expiration date: Scenarios for the distributed enironment. Scenarios for distributed components in a z/os enironment on page 4. Make sure that you update the default certificates in the correct order for these scenarios. For more information about how to do this, see Chapter 2, How to renew the default certificates, on page 7. Scenarios for the distributed enironment The following scenarios for the distributed enironment are affected by the expiration date: Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector on page 2 Scenario: Connection between the Job Scheduling Console and agent with a distributed connector on page 2 Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager on page 2 Scenario: SSL Communication across the Tioli Workload Scheduler network on page 3 1

8 Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4 Scenario: Integration Workbench oer SSL on page 4 Scenario: HTTPS for the command-line clients on page 4 Your enironment might include one or more of these scenarios. For more information about how to update the default certificates in the correct order for these scenarios, see Procedure to renew the default certificates in a distributed enironment on page 16. Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector The SSL communication between the Dynamic Workload Console and one of the following types of Tioli Workload Scheduler component is affected by the expiration date of the default certificates: Master domain manager. Backup master domain manager. Agent with distributed connector. If you do not modify the default certificates on the Dynamic Workload Console and on the distributed connector installed on the agent before the expiration date, the communication between the user interface and the connector is broken. In the Tioli Workload Scheduler distributed enironment, you can manage the Tioli Workload Scheduler database objects and plan objects using the composer and conman commands. Scenario: Connection between the Job Scheduling Console and agent with a distributed connector The SSL communication between the Job Scheduling Console and one of the following types of Tioli Workload Scheduler component is affected by the expiration date of the default certificates: Master domain manager. Backup master domain manager. Agent with distributed connector. If you do not modify the default certificates on the Job Scheduling Console and on the distributed connector installed on the agent before the expiration date, the communication between the user interface and the connector is broken. In the Tioli Workload Scheduler distributed enironment, you can manage the Tioli Workload Scheduler database objects and plan objects using the composer and conman commands. Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager The default certificates proided during Tioli Workload Scheduler installation, ensure the secure connection between the following componenets: Master domain manager and dynamic domain manager or backup dynamic domain manager. Master domain manager and dynamic agents. Dynamic domain manager and dynamic agents. 2 Renewing default certificates

9 Dynamic domain manager and backup dynamic domain manager. The SSL communication between the Broker Serer installed on the master domain manager and one of the following components is affected by the expiration date of the default certificates: Dynamic agents. Dynamic domain managers. Backup dynamic domain managers. Agent installed as default in the master domain manager. If you do not modify the default certificates in the Broker serer installed on the dynamic domain manager and on the dynamic agents before the expiration date, the communication between the dynamic domain manager and the dynamic agents is broken. The communication between the ResourceCLI command line installed on the dynamic domain manager and the Broker Serer installed on the master domain manager is also broken. Note: The dynamic domain manager and backup dynamic domain manager components are included in V8.6.0 and later. On Windows, UNIX, and Linux operating systems, the dynamic agent component is included in V8.5.1 and later. On IBM i operating systems, the dynamic agent component is included in V Scenario: SSL Communication across the Tioli Workload Scheduler network You can enable the SSL connection using OpenSSL Toolkit for the following components: Master domain manager and its domain managers Master domain manager and fault-tolerant agents in the master domain Master domain manager and backup master domain manager Domain manager and fault-tolerant agents that belong to that domain The SSL communication among agents V8.4.0, V8.5.0, V8.5.1, or V8.6.0 with related fix packs in the network is affected by the expiration date of the default certificates. If the ersion of the Tioli Workload Scheduler instance is V8.4.0 or an upgrade of V8.4.0 and related fix packs, the default certificates are located in the <INSTALL_DIR>\TWS\ssl\sslDefault directory; in other cases the default certificates are located in the <INSTALL_DIR>\TWS\ssl\OpenSSL directory. All Tioli Workload Scheduler administrators who use the OpenSSL default certificates for SSL communication must modify the certificates to maintain a working SSL enironment. Chapter 1. Scenarios affected by default certificates expiration 3

10 Note: The default GSKit certificates expiration date is not the "February 10, 2014" and administrators are not required to perform any recoery actions. Check periodically the GSKit certificates expiration date to keep the default certificates up-to-date. Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs If you hae an SSL connection that uses default certificates in a custom integration based on Tioli Workload Scheduler Jaa APIs V8.3.0, V8.4.0, V8.5.0, V8.5.1, or V8.6.0 with related fix packs, the communication does not work after the default certificates expiration date. Scenario: Integration Workbench oer SSL Integration Workbench is used to deelop custom plug-ins. If you hae an SSL connection that uses default certificates for the Integration Workbench V8.4.0, V8.5.0, V8.5.1, or V8.6.0 with related fix packs, the communication does not work after the default certificates expiration date. Scenario: HTTPS for the command-line clients You can hae one of the following scenarios: If you hae an SSL connection that uses default certificates between the command-line utilities (composer and conman) on the master domain manager and the connector: The ariable CLISSLSERVERAUTH=no in the master domain manager localopts file The communication continues to work after the default certificates expiration date. The ariable CLISSLSERVERAUTH=yes in the master domain manager localopts file The communication does not work after the default certificates expiration date. If you hae an SSL connection that uses default certificates between the remote command-line client and the master domain manager: The ariable CLISSLSERVERAUTH=no in the remote command-line client localopts file The communication continues to work after the default certificates expiration date. The ariable CLISSLSERVERAUTH=yes in the remote command-line client localopts file The communication does not work after the default certificates expiration date. Scenarios for distributed components in a z/os enironment The following scenarios for distributed components in a z/os enironment are affected by the expiration date: Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system on page 5. Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system on page 5. 4 Renewing default certificates

11 Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4 Scenario: Integration Workbench oer SSL on page 4 Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller. Scenario: Connection among dynamic domain managers and the z/os Controller on page 6 Note: You might hae one or more of these scenarios preiously described. To update default certificates in the correct order for these scenarios, see Procedure to renew the default certificates for distributed components used in a z/os enironment on page 57. Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system The SSL communication between the Dynamic Workload Console and the z/os connector installed in a distributed system is affected by the expiration date of the default certificates. If you do not modify the default certificates on the Dynamic Workload Console and the z/os connector before the expiration date, the communication between the user interface and the connector is broken. In a Tioli Workload Scheduler z/os enironment, you can manage the database objects and plan objects by using ISPF panels. Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system The SSL communication between the Job Scheduling Console and the z/os connector installed in a distributed system is affected by the expiration date of the default certificates. If you do not modify the default certificates on the Job Scheduling Console and the z/os connector before the expiration date, the communication between the user interface and the connector is broken. In a Tioli Workload Scheduler z/os enironment, you can manage the database objects and plan objects by using ISPF panels. Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller The SSL communication between the z/os Controller and the z-centric agent is affected by the expiration date of the default certificates. If you do not modify the default certificates on the z/os Controller and on the z-centric agent before the expiration date, the communication between the z/os Controller and the z-centric agent is broken. Note: On Windows, UNIX, and Linux operating systems, the z-centric agent component is included in V8.5.1 and later. On IBM i operating systems, the z-centric agent component is included in V Chapter 1. Scenarios affected by default certificates expiration 5

12 Scenario: Connection among dynamic domain managers and the z/os Controller The SSL communication between the z/os Controller and the dynamic domain managers is affected by the expiration date of the default certificates. If you do not modify the default certificates on the z/os Controller and on the dynamic domain managers before the expiration date, the communication between the z/os Controller and the dynamic domain managers is broken. Note: The dynamic domain manager and backup dynamic domain manager components are included in V8.6.0 and later. 6 Renewing default certificates

13 Chapter 2. How to renew the default certificates Downloading the package The default certificates released with the Tioli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general aailability components expire on February 10, Tioli Workload Scheduler proides a package that contains new default certificates and a set of scripts that you use to modify the old default certificates with the new ones, for each of the following ersions at each leel of fix pack: V8.3.0 V8.4.0 V8.5.0 V8.5.1 V8.6.0 For more information about how to download the package for the ersion you need to install, see Downloading the package. To download the package, perform the following procedure: 1. Go to IBM Fix Central support site. 2. Select Tioli as Product Group. 3. Select Tioli Workload Scheduler as Select from Tioli. 4. Depending on the ersion of the Tioli Workload Scheduler component you need to manage, select the package you want to download: Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES 5. Download the package you selected into the <PACKAGE_INSTALL_DIR> generic directory. The package contains the following.zip file: Package V8.3.0 updcertsscripts_830.zip Package V8.4.0 updcertsscripts_840.zip Package V8.5.0 updcertsscripts_850.zip 7

14 Installing the package Package V8.5.1 updcertsscripts_851.zip Package V8.6.0 updcertsscripts_860.zip After you downloaded the package into the generic <PACKAGE_INSTALL_DIR> directory, as described in Downloading the package on page 7, to install the package, perform the following procedure: 1. Extract the content of the updcertsscripts_<version_number>.zip file into the <PACKAGE_INSTALL_DIR> directory, where <VERSION_NUMBER> is the ersion of the Tioli Workload Scheduler component installed where you need to manage the default certificates. 2. On UNIX operating systems, to gie the correct read and write access to all files in the directory <PACKAGE_INSTALL_DIR>, run the following command: chmod -R 755 <PACKAGE_INSTALL_DIR> For more information about the package contents, see Package contents. Package contents If you installed the package as described in Installing the package, you hae the contents of the.zip file in the following directory: On Windows operating systems <PACKAGE_INSTALL_DIR>\updCertsScripts_<VERSION_NUMBER> On UNIX, Linux, and IBM i operating systems /<PACKAGE_INSTALL_DIR>/updCertsScripts_<VERSION_NUMBER> where <PACKAGE_INSTALL_DIR> is the package installation directory. <VERSION_NUMBER> is the ersion of the Tioli Workload Scheduler installed. The installation directory contains the following files and directories: New directory that contains new defaults certificates Old directory that contains old defaults certificates Scripts to manage new and old certificates: On Windows operating systems updtruststorescerts.bat updkeystorescerts.bat updtrustkeystorescerts.bat On UNIX, Linux, and IBM i operating systems updtruststorescerts.sh updkeystorescerts.sh updtrustkeystorescerts.sh For more information about scripts, see Scripts to renew the default certificates on page 9. 8 Renewing default certificates

15 Scripts to renew the default certificates The package proides a set of scripts that you use to manage and update the Tioli Workload Scheduler truststore and Tioli Workload Scheduler keystore related to the default certificates: updtruststorecerts. updkeystorecerts on page 12. updtrustkeystorecerts on page 15. updtruststorecerts The updtruststorecerts script checks the truststore in the default SSL location for the current instance of Tioli Workload Scheduler. If the default truststore is used, the script updates the contents and the final truststore is the concatenation of the old truststore and the new truststore. After modifying the truststore, if you do not immediately update the keystore for the default certificates, all the communication scenarios described in Chapter 1, Scenarios affected by default certificates expiration, on page 1, continue to work until the expiration date. If you store your own truststore in the SSL default directory, the installation process does not modify the truststore contents. The installation process checks if the checksum of the certificate is the checksum of the default certificate released at general aailability time. The script saes the default truststore old certificates with a.bck extension. Note: Run the script only when no Tioli Workload Scheduler instance processes are running. Run the script as Administrator on Windows operating systems, root on UNIX and Linux operating systems, and QSECOFR user on IBM i operating systems. The script syntax is: updtruststorescerts.bat "<INSTALL_DIR>" where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0 V8.4.0 <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientTrustFile.jks where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. Chapter 2. How to renew the default certificates 9

16 <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\ssl\sslDefault\TWSCertificateChainFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. V8.5.0 <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSTrustCertificates.cer <INSTALL_DIR>\TWS\ssl\sslDefault\ TWSCertificateChainFile.pem V8.5.1 <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientTrustFile.jks <INSTALL_DIR>\TWS\ITA\bin\TWSClientKeyStore.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSTrustCertificates.cer <INSTALL_DIR>\TWS\ssl\sslDefault\ TWSCertificateChainFile.pem V8.6.0 <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientTrustFile.jks <INSTALL_DIR>\TWS\ITA\cpa\ita\cert\TWSClientKey Store.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSTrustCertificates.cer <INSTALL_DIR>\TWS\ssl\sslDefault\ TWSCertificateChainFile.pem (if the Tioli Workload Scheduler is upgraded from ersion and related FixPacks) The script also updates the <INSTALL_DIR>\TDWB\config\ BrokerWorkstation.properties file to include the new Common Name alue in the default truststore certificate that is SererNew. On UNIX operating systems: The script syntax is:./updtruststorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. 10 Renewing default certificates

17 The script installs the following new files: V8.3.0 V8.4.0 V8.5.0 V8.5.1 V8.6.0 <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientTrustFile.jks where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/ssl/sslDefault/TWSCertificateChainFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSTrustCertificates.cer <INSTALL_DIR>/TWS/ssl/sslDefault/ TWSCertificateChainFile.pem <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientTrustFile.jks <INSTALL_DIR>/TWS/ITA/TWSClientKeyStore.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSTrustCertificates.cer <INSTALL_DIR>/TWS/ssl/sslDefault/ TWSCertificateChainFile.pem <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientTrustFile.jks <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/TWSClientKey Store.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSTrustCertificates.cer Chapter 2. How to renew the default certificates 11

18 <INSTALL_DIR>/TWS/ssl/sslDefault/ TWSCertificateChainFile.pem (if the Tioli Workload Scheduler is upgraded from ersion and related fix pack) The script also updates the <INSTALL_DIR>/TDWB/config/ BrokerWorkstation.properties file to include the new Common Name alue in the default truststore certificate which is SererNew. On IBM i operating systems: The script syntax is:./updtruststorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new file: V8.3.0, V8.4.0, V8.5.0, and V8.5.1 Not applicable. V8.6.0 <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_ca_certtws.pem If you installed Tioli Workload Scheduler V8.6.0 in the default directory, you run: updtruststorescerts.bat "C:\Program Files\IBM\TWA" On UNIX, Linux, and IBM i operating systems:./updtruststorescerts.sh /opt/ibm/twa updkeystorecerts The updkeystorecerts script checks the keystore in the default SSL location for the current instance of Tioli Workload Scheduler. If the default keystore is used, the script backs up the old keystore contents and adds the new keystore contents. The script saes the old certificates with a.bck extension. Note: Run the script only when no Tioli Workload Scheduler instance processes are running. Run the script as Administrator on Windows operating systems, root on UNIX and Linux operating systems, and QSECOFR user on IBM i operating systems. The script syntax is: updatekeystorescerts.bat "<INSTALL_DIR>" where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0 <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientKeyFile.jks 12 Renewing default certificates

19 V8.4.0 V8.5.0 V8.5.1 V8.6.0 where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\ssl\sslDefault\TWSPublicKeyFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.key <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.cer <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPublicKeyFile.pem <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientKeyFile.jks <INSTALL_DIR>\TWS\ITA\bin\TWSClientKeyStore.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.key <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.cer <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPublicKeyFile.pem <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientKeyFile.jks <INSTALL_DIR>\TWS\ITA\cpa\ita\cert\TWSClientKey Store.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.key <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.cer <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPublicKeyFile.pem Chapter 2. How to renew the default certificates 13

20 The script syntax is:./updkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0 V8.4.0 V8.5.0 V8.5.1 <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientKeyFile.jks where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/ssl/sslDefault/TWSPriateKeyFile.pem <INSTALL_DIR>/ssl/sslDefault/TWSPublicKeyFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.key <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.cer <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPriateKeyFile.pem <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPublicKeyFile.pem <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientKeyFile.jks <INSTALL_DIR>/TWS/ITA/TWSClientKeyStore.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.key <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.cer <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPriateKeyFile.pem 14 Renewing default certificates

21 V8.6.0 <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPublicKeyFile.pem <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientKeyFile.jks <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/TWSClientKey Store.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.key <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.cer <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPriateKeyFile.pem <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPublicKeyFile.pem On IBM i operating systems: The script syntax is:./updkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0, V8.4.0, V8.5.0, and V8.5.1 Not applicable. V8.6.0 <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_prtws.pem <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_certtws.pem <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_pubtws.pem If you installed Tioli Workload Scheduler V8.6.0 in the default directory, you run: updatekeystorescerts.bat "C:\Program Files\IBM\TWA" On UNIX, Linux, and IBM i operating systems:./updatekeystorescerts.sh /opt/ibm/twa updtrustkeystorecerts The updtrustkeystorecerts script runs first the updtruststorescerts and then the updkeystorescerts scripts to update the truststore and the keystore. The script saes the old certificates with a.bck extension. Note: Run the script only when no Tioli Workload Scheduler instance processes are running. Run the script as Administrator on Windows operating systems, root on UNIX and Linux operating systems, and QSECOFR user on IBM i operating systems. The script syntax is: updatetrustkeystorescerts.bat "<INSTALL_DIR>" Chapter 2. How to renew the default certificates 15

22 where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Automation. For a list of the files affected by this script, see the list for the updtruststorescerts and the updkeystorescerts scripts. The script syntax is:./updkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Automation. For a list of the files affected by this script, see the list for the updtruststorescerts and the updkeystorescerts scripts. On IBM i operating systems: The script syntax is:./updtrustkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Automation. For a list of the files affected by this script, see the list for the updtruststorescerts and the updkeystorescerts scripts. If you installed Tioli Workload Scheduler V8.6.0 in the default directory, you run: updatetrustkeystorescerts.bat "C:\Program Files\IBM\TWA" On UNIX, Linux, and IBM i operating systems:./updatetrustkeystorescerts.sh /opt/ibm/twa Procedure to renew the default certificates in a distributed enironment To modify the default certificates for the scenarios described in Scenarios for the distributed enironment on page 1, follow the steps listed in Figure 1 on page 17. You do not need to update your Tioli Workload Scheduler enironment with the following procedure steps all at the same time, but you must perform the entire procedure before the certificates expire on February 10, Renewing default certificates

23 BEGIN at least one default certificate used in the MDM? NO YES procedure default truststore for MDM, BKM, agents with dist connector? DWC or JSC with default certificates?? Dynamic enironment with default certificates? NO NO NO? SSL across network with default certificates? YES procedure DWC/JSC YES procedure Dynamic enironment YES procedure SSL network? connector APIs with default certificates? NO? Integration Workbench with default certificates? NO CLIs with default certificates? NO YES YES YES procedure connector APIs procedure sdk procedure CLIs? At least one of the preious procedures performed? NO procedure default keystore for MDM, BKM, agents with dist connector END YES LEGENDA: MDM master domain manager BKM backup master domain manager DWC Dynamic Workload Console JSC Job Scheduling Console CLI command-line client Figure 1. Procedure to renew the default certificates in a distributed enironment Procedure to renew the default certificates in a distributed enironment Chapter 2. How to renew the default certificates 17

24 For each step in the list of procedures, if you hae the described configuration, perform the procedure and then proceed with the successie step: 1. If you use the default certificates in the master domain manager, perform the Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector. 2. If you hae the Dynamic Workload Console or Job Scheduling Console configured oer SSL with the default certificates, perform the Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console on page If you hae the dynamic enironment configured in SSL with the default certificates, perform the Procedure to manage the default certificates for dynamic scheduling enironment on page If you hae the SSL communication enabled in Tioli Workload Scheduler enironment with OpenSSL default certificates, perform the Procedure to manage the default certificates for fault-tolerant agents and domain managers in the SSL enironment on page If you use the connector APIs with the default certificates, perform the Procedure to manage the default certificates for the connector APIs on page If you use the Integration Workbench with the default certificates, perform the Procedure to manage the default certificates for the Integration Workbench on page If you use the command lines with the default certificates, perform the Procedure to manage the default truststore and keystore for command-line client on page If you performed any of the procedures listed in the steps 1 to 7, perform the Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector on page 52. Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector 18 Renewing default certificates

25 BEGIN 1. Modify the MDM truststore? Is BKM installed? NO YES 2. Modify the BKM truststore? Are agents installed with dist connector? NO YES 3. Modify the agents with connector truststore END Legenda: MDM master domain manager BKM backup master domain manager Figure 2. Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector 1. To modify the master domain manager truststore, perform the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the master domain manager is installed. Chapter 2. How to renew the default certificates 19

26 b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the master domain manager by running: If the master domain manager you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "stopappserer" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For the master domain manager V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the master domain manager by running: If the master domain manager you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas.sh If the master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" conman "startappserer" 20 Renewing default certificates

27 For more information about the command syntax, see User's Guide and Reference. 2. If the backup master domain manager is installed, to modify the backup master domain manager truststore, perform the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup master domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup master domain manager by running: If the backup master domain manager you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the backup master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Window, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "stopappserer" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For backup master domain manager V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the backup master domain manager by running: If the backup master domain manager you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas Chapter 2. How to renew the default certificates 21

28 22 Renewing default certificates If the backup master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" conman "startappserer" 3. Modify the truststore for the agents with distributed connector by performing the following steps for each type of workstation with static scheduling and distributed connectors: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the agent is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the agent with distributed connector by running: If the agent with distributed connector you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the agent with distributed connector you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs conman "stop" conman "stopmon" conman "shut; wait" stopwas.bat conman "stop" conman "stopmon" conman "shut; wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For agent with distributed connector V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the agent with distributed connector by running:

29 If the agent with distributed connector you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas If the agent you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs conman "start" conman "startmon" startwas.bat conman "start" conman "startmon" startwas For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console To manage the default certificates for user interfaces, for each step in the list, perform the procedure and then proceed with the successie step: 1. If the Dynamic Workload Console is installed and works with default certificates as described in Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector on page 2, run Procedure to manage the default truststore and keystore for the Dynamic Workload Console. 2. If the Job Scheduling Console is installed and works with default certificates as described in Scenario: Connection between the Job Scheduling Console and agent with a distributed connector on page 2, run Procedure to manage the default truststore and keystore for the Job Scheduling Console on page 27. Procedure to manage the default truststore and keystore for the Dynamic Workload Console Chapter 2. How to renew the default certificates 23

30 BEGIN 1. Download and install the package 2. Stop the DWC 3. Modify the DWC truststore 4. Modify the DWC keystore 5. Start the DWC END Legenda: DWC Dynamic Workload Console Figure 3. Procedure to manage the default truststore and keystore for the Dynamic Workload Console Procedure to manage the default truststore and keystore for the Dynamic Workload Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Dynamic Workload Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the WebSphere Application Serer of the Dynamic Workload Console by running: stopwas.bat stopwas.sh 24 Renewing default certificates

31 For more information about the command syntax, see Tioli Workload Scheduler: Administration Guide > Administratie tasks > Application Serer tasks. 3. Modify the truststore by running: updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page Modify the keystore by running: updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page Start the Dynamic Workload Console by running: startwas.bat startwas.sh For more information about the command syntax, see Tioli Workload Scheduler: Administration Guide > Administratie tasks > Application Serer tasks. Note for Dynamic Workload Console V8.6 or later users: Note: For Dynamic Workload Console V8.6 or later, after you run the procedure, when you stop the WebSphere Application Serer for the first time, you are asked to accept the new client truststore for the Dynamic Workload Console. Follow the procedure Accepting the new Dynamic Workload Console truststore when you stop the WebSphere Application Serer for the first time. Accepting the new Dynamic Workload Console truststore when you stop the WebSphere Application Serer for the first time: After you run the Procedure to manage the default truststore and keystore for the Dynamic Workload Console on page 23, when you stop the WebSphere Application Serer for the first time, you are asked to accept the new client truststore for the Dynamic Workload Console. To accept the new truststore during the running of stopwas.bat on Windows operating systems and stopwas.sh on UNIX and Linux operating systems, reply "y" to the prompt Add signer to the trust store now? (y/n). On UNIX and LINUX operating systems: If you stop the WebSphere Application Serer for the first time on UNIX and Linux operating systems, by running the stopwas.sh script, you hae the following output: #./stopwas.sh -direct -user twsuser -password twsuser ADMU0116I: Tool information is being logged in file /opt/ibm/twatdwc/ewas/profiles/tipprofile/logs/serer1/stopserer.log Chapter 2. How to renew the default certificates 25

32 ADMU0128I: Starting tool with the TIPProfile profile ADMU3100I: Reading configuration for serer: serer1 *** SSL SIGNER EXCHANGE PROMPT *** SSL signer from target host is not found in trust store /opt/ibm/twatdwc/ewas/profiles/tipprofile/etc/twsclienttrustfile.jks. Here is the signer information (erify the digest alue matches what is displayed at the serer): Subject DN: CN=SererNew, OU=TWS, O=IBM, C=US Issuer DN: CN=SererNew, OU=TWS, O=IBM, C=US Serial number: Expires: Tue No 09 09:48:19 CET 2032 SHA-1 Digest: 5D:16:5D:17:3B:5F:BF:B7:EA:19:92:22:2D:36:53:1A:2F:9D:1B:26 MD5 Digest: DB:BA:A2:6D:0D:B6:A2:53:35:6D:32:6A:40:20:D5:36 Add signer to the trust store now? (y/n)y A retry of the request may need to occur if the socket times out while waiting for a prompt response. If the retry is required, note that the prompt will not be redisplayed if is entered, which indicates the signer has already been added to the trust store. ADMU3201I: Serer stop request issued. Waiting for stop status. ADMU4000I: Serer serer1 stop completed. If you stop the WebSphere Application Serer for the first time on Windows operating systems, by running the stopwas.bat script from the wastools directory, you hae the following output: C:\TWA2\wastools>stopWas.bat The serice is running. Serice failed to stop. stopserer return code -10 Run the stopwas.bat from the embedded WebSphere Application Serer binary directory and you hae the following output: C:\TWA2\eWAS\bin>stopSerer.bat serer1 ADMU0116I: Tool information is being logged in file C:\TWA2\eWAS\profiles\TIPProfile\logs\serer1\stopSerer.log ADMU0128I: Starting tool with the TIPProfile profile ADMU3100I: Reading configuration for serer: serer1 *** SSL SIGNER EXCHANGE PROMPT *** SSL signer from target host is not found in trust store C:/TWA2/eWAS/profiles/TIPProfile/etc/TWSClientTrustFile.jks. Here is the signer information (erify the digest alue matches what is displayed at the serer): Subject DN: CN=SererNew, OU=TWS, O=IBM, C=US Issuer DN: CN=SererNew, OU=TWS, O=IBM, C=US Serial number: Expires: Mon No 08 20:48:19 GMT-12: SHA-1 Digest: 5D:16:5D:17:3B:5F:BF:B7:EA:19:92:22:2D:36:53:1A:2F:9D:1B:26 MD5 Digest: DB:BA:A2:6D:0D:B6:A2:53:35:6D:32:6A:40:20:D5:36 Add signer to the trust store now? (y/n)y A retry of the request may need to occur if the socket times out while waiting for a prompt response. If the retry is required, note that the prompt will not be redisplayed if is entered, which indicates the signer has already been add ed to the trust store. ADMU3201I: Serer stop request issued. Waiting for stop status. ADMU4000I: Serer serer1 stop completed. 26 Renewing default certificates

33 Procedure to manage the default truststore and keystore for the Job Scheduling Console BEGIN 1. Download and install the package 2. Stop the JSC 3. Modify the JSC truststore 4. Modify the JSC keystore 5. Start the JSC END Legenda: JSC Job Scheduling Console Figure 4. Procedure to manage the default truststore and keystore for the Job Scheduling Console Procedure to manage the default truststore and keystore for the Job Scheduling Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Job Scheduling Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the Job Scheduling Console by closing the wizard. 3. Modify the truststore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\public\jsc\jscdefaulttrustfile.jks file to the directory <JSC_INSTALL_DIR>\keys where the <PACKAGE_INSTALL_DIR> is the directory Chapter 2. How to renew the default certificates 27