Renewing default certificates for Tivoli Workload Scheduler

Transcription

1 IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload Scheduler Version

2

3 IBM Tioli Workload Scheduler Renewing default certificates for Tioli Workload Scheduler Version

4 Note Before using this information and the product it supports, read the information in Notices on page 75.

5 Contents Chapter 1. Scenarios affected by default certificates expiration Scenarios for the distributed enironment Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector Scenario: Connection between the Job Scheduling Console and agent with a distributed connector. 2 Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager Scenario: SSL Communication across the Tioli Workload Scheduler network Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs Scenario: Integration Workbench oer SSL... 4 Scenario: HTTPS for the command-line clients.. 4 Scenarios for distributed components in a z/os enironment Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller Scenario: Connection among dynamic domain managers and the z/os Controller Chapter 2. How to renew the default certificates Downloading the package Installing the package Package contents Scripts to renew the default certificates updtruststorecerts updkeystorecerts updtrustkeystorecerts Procedure to renew the default certificates in a distributed enironment Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector. 18 Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console Procedure to manage the default certificates for dynamic scheduling enironment Procedure to manage the default certificates for fault-tolerant agents and domain managers in the SSL enironment Procedure to manage the default certificates for the connector APIs Procedure to manage the default certificates for the Integration Workbench Procedure to manage the default truststore and keystore for command-line client Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector. 52 Procedure to renew the default certificates for distributed components used in a z/os enironment Procedure to renew the default certificates for z/os connector on a distributed system Procedure to manage the default certificates for Tioli Workload Scheduler for z/os agent (z-centric) Procedure to manage the default certificates for dynamic domain managers connected to the z/os Controller Notices Trademarks Index iii

6 i Renewing default certificates

7 Chapter 1. Scenarios affected by default certificates expiration Tioli Workload Scheduler proides a secure, authenticated, and encrypted connection mechanism for communication based on the Secure Sockets Layer (SSL) protocol, which is automatically installed with Tioli Workload Scheduler. Tioli Workload Scheduler also proides default certificates to manage the SSL protocol that is based on a priate and public key methodology. The following terminology is used: truststore In security, a storage object, either a file or a hardware cryptographic card, where public keys are stored in the form of trusted certificates, for authentication purposes in web transactions. In some applications, these trusted certificates are moed into the application keystore to be stored with the priate keys. keystore In security, a file or a hardware cryptographic card where identities and priate keys are stored, for authentication and encryption purposes. Some keystores also contain trusted or public keys. If you do not customize SSL communication with your own certificates, Tioli Workload Scheduler uses the default certificates that are stored in the default directories to communicate in SSL mode. The default certificates that were released with Tioli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general aailability expire on February 10, If Tioli Workload Scheduler uses the default certificates for SSL connections, the administrator must renew the default certificates for the following scenarios because they are affected by the expiration date: Scenarios for the distributed enironment. Scenarios for distributed components in a z/os enironment on page 4. Make sure that you update the default certificates in the correct order for these scenarios. For more information about how to do this, see Chapter 2, How to renew the default certificates, on page 7. Scenarios for the distributed enironment The following scenarios for the distributed enironment are affected by the expiration date: Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector on page 2 Scenario: Connection between the Job Scheduling Console and agent with a distributed connector on page 2 Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager on page 2 Scenario: SSL Communication across the Tioli Workload Scheduler network on page 3 1

8 Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4 Scenario: Integration Workbench oer SSL on page 4 Scenario: HTTPS for the command-line clients on page 4 Your enironment might include one or more of these scenarios. For more information about how to update the default certificates in the correct order for these scenarios, see Procedure to renew the default certificates in a distributed enironment on page 16. Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector The SSL communication between the Dynamic Workload Console and one of the following types of Tioli Workload Scheduler component is affected by the expiration date of the default certificates: Master domain manager. Backup master domain manager. Agent with distributed connector. If you do not modify the default certificates on the Dynamic Workload Console and on the distributed connector installed on the agent before the expiration date, the communication between the user interface and the connector is broken. In the Tioli Workload Scheduler distributed enironment, you can manage the Tioli Workload Scheduler database objects and plan objects using the composer and conman commands. Scenario: Connection between the Job Scheduling Console and agent with a distributed connector The SSL communication between the Job Scheduling Console and one of the following types of Tioli Workload Scheduler component is affected by the expiration date of the default certificates: Master domain manager. Backup master domain manager. Agent with distributed connector. If you do not modify the default certificates on the Job Scheduling Console and on the distributed connector installed on the agent before the expiration date, the communication between the user interface and the connector is broken. In the Tioli Workload Scheduler distributed enironment, you can manage the Tioli Workload Scheduler database objects and plan objects using the composer and conman commands. Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager The default certificates proided during Tioli Workload Scheduler installation, ensure the secure connection between the following componenets: Master domain manager and dynamic domain manager or backup dynamic domain manager. Master domain manager and dynamic agents. Dynamic domain manager and dynamic agents. 2 Renewing default certificates

9 Dynamic domain manager and backup dynamic domain manager. The SSL communication between the Broker Serer installed on the master domain manager and one of the following components is affected by the expiration date of the default certificates: Dynamic agents. Dynamic domain managers. Backup dynamic domain managers. Agent installed as default in the master domain manager. If you do not modify the default certificates in the Broker serer installed on the dynamic domain manager and on the dynamic agents before the expiration date, the communication between the dynamic domain manager and the dynamic agents is broken. The communication between the ResourceCLI command line installed on the dynamic domain manager and the Broker Serer installed on the master domain manager is also broken. Note: The dynamic domain manager and backup dynamic domain manager components are included in V8.6.0 and later. On Windows, UNIX, and Linux operating systems, the dynamic agent component is included in V8.5.1 and later. On IBM i operating systems, the dynamic agent component is included in V Scenario: SSL Communication across the Tioli Workload Scheduler network You can enable the SSL connection using OpenSSL Toolkit for the following components: Master domain manager and its domain managers Master domain manager and fault-tolerant agents in the master domain Master domain manager and backup master domain manager Domain manager and fault-tolerant agents that belong to that domain The SSL communication among agents V8.4.0, V8.5.0, V8.5.1, or V8.6.0 with related fix packs in the network is affected by the expiration date of the default certificates. If the ersion of the Tioli Workload Scheduler instance is V8.4.0 or an upgrade of V8.4.0 and related fix packs, the default certificates are located in the <INSTALL_DIR>\TWS\ssl\sslDefault directory; in other cases the default certificates are located in the <INSTALL_DIR>\TWS\ssl\OpenSSL directory. All Tioli Workload Scheduler administrators who use the OpenSSL default certificates for SSL communication must modify the certificates to maintain a working SSL enironment. Chapter 1. Scenarios affected by default certificates expiration 3

10 Note: The default GSKit certificates expiration date is not the "February 10, 2014" and administrators are not required to perform any recoery actions. Check periodically the GSKit certificates expiration date to keep the default certificates up-to-date. Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs If you hae an SSL connection that uses default certificates in a custom integration based on Tioli Workload Scheduler Jaa APIs V8.3.0, V8.4.0, V8.5.0, V8.5.1, or V8.6.0 with related fix packs, the communication does not work after the default certificates expiration date. Scenario: Integration Workbench oer SSL Integration Workbench is used to deelop custom plug-ins. If you hae an SSL connection that uses default certificates for the Integration Workbench V8.4.0, V8.5.0, V8.5.1, or V8.6.0 with related fix packs, the communication does not work after the default certificates expiration date. Scenario: HTTPS for the command-line clients You can hae one of the following scenarios: If you hae an SSL connection that uses default certificates between the command-line utilities (composer and conman) on the master domain manager and the connector: The ariable CLISSLSERVERAUTH=no in the master domain manager localopts file The communication continues to work after the default certificates expiration date. The ariable CLISSLSERVERAUTH=yes in the master domain manager localopts file The communication does not work after the default certificates expiration date. If you hae an SSL connection that uses default certificates between the remote command-line client and the master domain manager: The ariable CLISSLSERVERAUTH=no in the remote command-line client localopts file The communication continues to work after the default certificates expiration date. The ariable CLISSLSERVERAUTH=yes in the remote command-line client localopts file The communication does not work after the default certificates expiration date. Scenarios for distributed components in a z/os enironment The following scenarios for distributed components in a z/os enironment are affected by the expiration date: Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system on page 5. Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system on page 5. 4 Renewing default certificates

11 Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4 Scenario: Integration Workbench oer SSL on page 4 Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller. Scenario: Connection among dynamic domain managers and the z/os Controller on page 6 Note: You might hae one or more of these scenarios preiously described. To update default certificates in the correct order for these scenarios, see Procedure to renew the default certificates for distributed components used in a z/os enironment on page 57. Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system The SSL communication between the Dynamic Workload Console and the z/os connector installed in a distributed system is affected by the expiration date of the default certificates. If you do not modify the default certificates on the Dynamic Workload Console and the z/os connector before the expiration date, the communication between the user interface and the connector is broken. In a Tioli Workload Scheduler z/os enironment, you can manage the database objects and plan objects by using ISPF panels. Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system The SSL communication between the Job Scheduling Console and the z/os connector installed in a distributed system is affected by the expiration date of the default certificates. If you do not modify the default certificates on the Job Scheduling Console and the z/os connector before the expiration date, the communication between the user interface and the connector is broken. In a Tioli Workload Scheduler z/os enironment, you can manage the database objects and plan objects by using ISPF panels. Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller The SSL communication between the z/os Controller and the z-centric agent is affected by the expiration date of the default certificates. If you do not modify the default certificates on the z/os Controller and on the z-centric agent before the expiration date, the communication between the z/os Controller and the z-centric agent is broken. Note: On Windows, UNIX, and Linux operating systems, the z-centric agent component is included in V8.5.1 and later. On IBM i operating systems, the z-centric agent component is included in V Chapter 1. Scenarios affected by default certificates expiration 5

12 Scenario: Connection among dynamic domain managers and the z/os Controller The SSL communication between the z/os Controller and the dynamic domain managers is affected by the expiration date of the default certificates. If you do not modify the default certificates on the z/os Controller and on the dynamic domain managers before the expiration date, the communication between the z/os Controller and the dynamic domain managers is broken. Note: The dynamic domain manager and backup dynamic domain manager components are included in V8.6.0 and later. 6 Renewing default certificates

13 Chapter 2. How to renew the default certificates Downloading the package The default certificates released with the Tioli Workload Scheduler V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 general aailability components expire on February 10, Tioli Workload Scheduler proides a package that contains new default certificates and a set of scripts that you use to modify the old default certificates with the new ones, for each of the following ersions at each leel of fix pack: V8.3.0 V8.4.0 V8.5.0 V8.5.1 V8.6.0 For more information about how to download the package for the ersion you need to install, see Downloading the package. To download the package, perform the following procedure: 1. Go to IBM Fix Central support site. 2. Select Tioli as Product Group. 3. Select Tioli Workload Scheduler as Select from Tioli. 4. Depending on the ersion of the Tioli Workload Scheduler component you need to manage, select the package you want to download: Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES Tioli Workload Scheduler component V TIV-TWA-CERTIFICATES 5. Download the package you selected into the <PACKAGE_INSTALL_DIR> generic directory. The package contains the following.zip file: Package V8.3.0 updcertsscripts_830.zip Package V8.4.0 updcertsscripts_840.zip Package V8.5.0 updcertsscripts_850.zip 7

14 Installing the package Package V8.5.1 updcertsscripts_851.zip Package V8.6.0 updcertsscripts_860.zip After you downloaded the package into the generic <PACKAGE_INSTALL_DIR> directory, as described in Downloading the package on page 7, to install the package, perform the following procedure: 1. Extract the content of the updcertsscripts_<version_number>.zip file into the <PACKAGE_INSTALL_DIR> directory, where <VERSION_NUMBER> is the ersion of the Tioli Workload Scheduler component installed where you need to manage the default certificates. 2. On UNIX operating systems, to gie the correct read and write access to all files in the directory <PACKAGE_INSTALL_DIR>, run the following command: chmod -R 755 <PACKAGE_INSTALL_DIR> For more information about the package contents, see Package contents. Package contents If you installed the package as described in Installing the package, you hae the contents of the.zip file in the following directory: On Windows operating systems <PACKAGE_INSTALL_DIR>\updCertsScripts_<VERSION_NUMBER> On UNIX, Linux, and IBM i operating systems /<PACKAGE_INSTALL_DIR>/updCertsScripts_<VERSION_NUMBER> where <PACKAGE_INSTALL_DIR> is the package installation directory. <VERSION_NUMBER> is the ersion of the Tioli Workload Scheduler installed. The installation directory contains the following files and directories: New directory that contains new defaults certificates Old directory that contains old defaults certificates Scripts to manage new and old certificates: On Windows operating systems updtruststorescerts.bat updkeystorescerts.bat updtrustkeystorescerts.bat On UNIX, Linux, and IBM i operating systems updtruststorescerts.sh updkeystorescerts.sh updtrustkeystorescerts.sh For more information about scripts, see Scripts to renew the default certificates on page 9. 8 Renewing default certificates

15 Scripts to renew the default certificates The package proides a set of scripts that you use to manage and update the Tioli Workload Scheduler truststore and Tioli Workload Scheduler keystore related to the default certificates: updtruststorecerts. updkeystorecerts on page 12. updtrustkeystorecerts on page 15. updtruststorecerts The updtruststorecerts script checks the truststore in the default SSL location for the current instance of Tioli Workload Scheduler. If the default truststore is used, the script updates the contents and the final truststore is the concatenation of the old truststore and the new truststore. After modifying the truststore, if you do not immediately update the keystore for the default certificates, all the communication scenarios described in Chapter 1, Scenarios affected by default certificates expiration, on page 1, continue to work until the expiration date. If you store your own truststore in the SSL default directory, the installation process does not modify the truststore contents. The installation process checks if the checksum of the certificate is the checksum of the default certificate released at general aailability time. The script saes the default truststore old certificates with a.bck extension. Note: Run the script only when no Tioli Workload Scheduler instance processes are running. Run the script as Administrator on Windows operating systems, root on UNIX and Linux operating systems, and QSECOFR user on IBM i operating systems. The script syntax is: updtruststorescerts.bat "<INSTALL_DIR>" where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0 V8.4.0 <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientTrustFile.jks where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. Chapter 2. How to renew the default certificates 9

16 <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\ssl\sslDefault\TWSCertificateChainFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. V8.5.0 <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSTrustCertificates.cer <INSTALL_DIR>\TWS\ssl\sslDefault\ TWSCertificateChainFile.pem V8.5.1 <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientTrustFile.jks <INSTALL_DIR>\TWS\ITA\bin\TWSClientKeyStore.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSTrustCertificates.cer <INSTALL_DIR>\TWS\ssl\sslDefault\ TWSCertificateChainFile.pem V8.6.0 <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSSererTrustFile.jks <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSClientTrustFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientTrustFile.jks <INSTALL_DIR>\TWS\ITA\cpa\ita\cert\TWSClientKey Store.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSTrustCertificates.cer <INSTALL_DIR>\TWS\ssl\sslDefault\ TWSCertificateChainFile.pem (if the Tioli Workload Scheduler is upgraded from ersion and related FixPacks) The script also updates the <INSTALL_DIR>\TDWB\config\ BrokerWorkstation.properties file to include the new Common Name alue in the default truststore certificate that is SererNew. On UNIX operating systems: The script syntax is:./updtruststorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. 10 Renewing default certificates

17 The script installs the following new files: V8.3.0 V8.4.0 V8.5.0 V8.5.1 V8.6.0 <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientTrustFile.jks where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/ssl/sslDefault/TWSCertificateChainFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSTrustCertificates.cer <INSTALL_DIR>/TWS/ssl/sslDefault/ TWSCertificateChainFile.pem <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientTrustFile.jks <INSTALL_DIR>/TWS/ITA/TWSClientKeyStore.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSTrustCertificates.cer <INSTALL_DIR>/TWS/ssl/sslDefault/ TWSCertificateChainFile.pem <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSSererTrustFile.jks <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSClientTrustFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientTrustFile.jks <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/TWSClientKey Store.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSTrustCertificates.cer Chapter 2. How to renew the default certificates 11

18 <INSTALL_DIR>/TWS/ssl/sslDefault/ TWSCertificateChainFile.pem (if the Tioli Workload Scheduler is upgraded from ersion and related fix pack) The script also updates the <INSTALL_DIR>/TDWB/config/ BrokerWorkstation.properties file to include the new Common Name alue in the default truststore certificate which is SererNew. On IBM i operating systems: The script syntax is:./updtruststorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new file: V8.3.0, V8.4.0, V8.5.0, and V8.5.1 Not applicable. V8.6.0 <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_ca_certtws.pem If you installed Tioli Workload Scheduler V8.6.0 in the default directory, you run: updtruststorescerts.bat "C:\Program Files\IBM\TWA" On UNIX, Linux, and IBM i operating systems:./updtruststorescerts.sh /opt/ibm/twa updkeystorecerts The updkeystorecerts script checks the keystore in the default SSL location for the current instance of Tioli Workload Scheduler. If the default keystore is used, the script backs up the old keystore contents and adds the new keystore contents. The script saes the old certificates with a.bck extension. Note: Run the script only when no Tioli Workload Scheduler instance processes are running. Run the script as Administrator on Windows operating systems, root on UNIX and Linux operating systems, and QSECOFR user on IBM i operating systems. The script syntax is: updatekeystorescerts.bat "<INSTALL_DIR>" where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0 <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientKeyFile.jks 12 Renewing default certificates

19 V8.4.0 V8.5.0 V8.5.1 V8.6.0 where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\AppSerer\profiles\<PROFILENAME>\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\ssl\sslDefault\TWSPublicKeyFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.key <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.cer <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPublicKeyFile.pem <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\eWAS\profiles\twaprofile\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientKeyFile.jks <INSTALL_DIR>\TWS\ITA\bin\TWSClientKeyStore.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.key <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.cer <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPublicKeyFile.pem <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSSererKeyFile.jks <INSTALL_DIR>\eWAS\profiles\TIPProfile\etc\ TWSClientKeyFile.jks <INSTALL_DIR>\TDWB_CLI\certs\TWSClientKeyFile.jks <INSTALL_DIR>\TWS\ITA\cpa\ita\cert\TWSClientKey Store.kdb <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.key <INSTALL_DIR>\TWS\ssl\OpenSSL\TWSClient.cer <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPriateKeyFile.pem <INSTALL_DIR>\TWS\ssl\sslDefault\TWSPublicKeyFile.pem Chapter 2. How to renew the default certificates 13

20 The script syntax is:./updkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0 V8.4.0 V8.5.0 V8.5.1 <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientKeyFile.jks where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/AppSerer/profiles/<PROFILENAME>/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/ssl/sslDefault/TWSPriateKeyFile.pem <INSTALL_DIR>/ssl/sslDefault/TWSPublicKeyFile.pem where <PROFILENAME> is: twsprofile for master domain manager or backup master domain manager. twsconnprofile for distributed connector. <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.key <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.cer <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPriateKeyFile.pem <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPublicKeyFile.pem <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/eWAS/profiles/twaprofile/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientKeyFile.jks <INSTALL_DIR>/TWS/ITA/TWSClientKeyStore.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.key <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.cer <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPriateKeyFile.pem 14 Renewing default certificates

21 V8.6.0 <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPublicKeyFile.pem <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSSererKeyFile.jks <INSTALL_DIR>/eWAS/profiles/TIPProfile/etc/ TWSClientKeyFile.jks <INSTALL_DIR>/TDWB_CLI/certs/TWSClientKeyFile.jks <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/TWSClientKey Store.kdb <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.key <INSTALL_DIR>/TWS/ssl/OpenSSL/TWSClient.cer <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPriateKeyFile.pem <INSTALL_DIR>/TWS/ssl/sslDefault/TWSPublicKeyFile.pem On IBM i operating systems: The script syntax is:./updkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Scheduler. The script installs the following new files: V8.3.0, V8.4.0, V8.5.0, and V8.5.1 Not applicable. V8.6.0 <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_prtws.pem <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_certtws.pem <INSTALL_DIR>/TWS/ITA/cpa/ita/cert/ita_pubtws.pem If you installed Tioli Workload Scheduler V8.6.0 in the default directory, you run: updatekeystorescerts.bat "C:\Program Files\IBM\TWA" On UNIX, Linux, and IBM i operating systems:./updatekeystorescerts.sh /opt/ibm/twa updtrustkeystorecerts The updtrustkeystorecerts script runs first the updtruststorescerts and then the updkeystorescerts scripts to update the truststore and the keystore. The script saes the old certificates with a.bck extension. Note: Run the script only when no Tioli Workload Scheduler instance processes are running. Run the script as Administrator on Windows operating systems, root on UNIX and Linux operating systems, and QSECOFR user on IBM i operating systems. The script syntax is: updatetrustkeystorescerts.bat "<INSTALL_DIR>" Chapter 2. How to renew the default certificates 15

22 where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Automation. For a list of the files affected by this script, see the list for the updtruststorescerts and the updkeystorescerts scripts. The script syntax is:./updkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Automation. For a list of the files affected by this script, see the list for the updtruststorescerts and the updkeystorescerts scripts. On IBM i operating systems: The script syntax is:./updtrustkeystorescerts.sh <INSTALL_DIR> where <INSTALL_DIR> is the installation directory of the selected instance of Tioli Workload Automation. For a list of the files affected by this script, see the list for the updtruststorescerts and the updkeystorescerts scripts. If you installed Tioli Workload Scheduler V8.6.0 in the default directory, you run: updatetrustkeystorescerts.bat "C:\Program Files\IBM\TWA" On UNIX, Linux, and IBM i operating systems:./updatetrustkeystorescerts.sh /opt/ibm/twa Procedure to renew the default certificates in a distributed enironment To modify the default certificates for the scenarios described in Scenarios for the distributed enironment on page 1, follow the steps listed in Figure 1 on page 17. You do not need to update your Tioli Workload Scheduler enironment with the following procedure steps all at the same time, but you must perform the entire procedure before the certificates expire on February 10, Renewing default certificates

23 BEGIN at least one default certificate used in the MDM? NO YES procedure default truststore for MDM, BKM, agents with dist connector? DWC or JSC with default certificates?? Dynamic enironment with default certificates? NO NO NO? SSL across network with default certificates? YES procedure DWC/JSC YES procedure Dynamic enironment YES procedure SSL network? connector APIs with default certificates? NO? Integration Workbench with default certificates? NO CLIs with default certificates? NO YES YES YES procedure connector APIs procedure sdk procedure CLIs? At least one of the preious procedures performed? NO procedure default keystore for MDM, BKM, agents with dist connector END YES LEGENDA: MDM master domain manager BKM backup master domain manager DWC Dynamic Workload Console JSC Job Scheduling Console CLI command-line client Figure 1. Procedure to renew the default certificates in a distributed enironment Procedure to renew the default certificates in a distributed enironment Chapter 2. How to renew the default certificates 17

24 For each step in the list of procedures, if you hae the described configuration, perform the procedure and then proceed with the successie step: 1. If you use the default certificates in the master domain manager, perform the Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector. 2. If you hae the Dynamic Workload Console or Job Scheduling Console configured oer SSL with the default certificates, perform the Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console on page If you hae the dynamic enironment configured in SSL with the default certificates, perform the Procedure to manage the default certificates for dynamic scheduling enironment on page If you hae the SSL communication enabled in Tioli Workload Scheduler enironment with OpenSSL default certificates, perform the Procedure to manage the default certificates for fault-tolerant agents and domain managers in the SSL enironment on page If you use the connector APIs with the default certificates, perform the Procedure to manage the default certificates for the connector APIs on page If you use the Integration Workbench with the default certificates, perform the Procedure to manage the default certificates for the Integration Workbench on page If you use the command lines with the default certificates, perform the Procedure to manage the default truststore and keystore for command-line client on page If you performed any of the procedures listed in the steps 1 to 7, perform the Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector on page 52. Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector 18 Renewing default certificates

25 BEGIN 1. Modify the MDM truststore? Is BKM installed? NO YES 2. Modify the BKM truststore? Are agents installed with dist connector? NO YES 3. Modify the agents with connector truststore END Legenda: MDM master domain manager BKM backup master domain manager Figure 2. Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector Procedure to manage the default truststore for master domain manager, backup master domain manager, and agents with distributed connector 1. To modify the master domain manager truststore, perform the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the master domain manager is installed. Chapter 2. How to renew the default certificates 19

26 b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the master domain manager by running: If the master domain manager you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "stopappserer" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For the master domain manager V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the master domain manager by running: If the master domain manager you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas.sh If the master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" conman "startappserer" 20 Renewing default certificates

27 For more information about the command syntax, see User's Guide and Reference. 2. If the backup master domain manager is installed, to modify the backup master domain manager truststore, perform the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup master domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup master domain manager by running: If the backup master domain manager you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the backup master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Window, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "stopappserer" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For backup master domain manager V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the backup master domain manager by running: If the backup master domain manager you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas Chapter 2. How to renew the default certificates 21

28 22 Renewing default certificates If the backup master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" conman "startappserer" 3. Modify the truststore for the agents with distributed connector by performing the following steps for each type of workstation with static scheduling and distributed connectors: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the agent is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the agent with distributed connector by running: If the agent with distributed connector you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the agent with distributed connector you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs conman "stop" conman "stopmon" conman "shut; wait" stopwas.bat conman "stop" conman "stopmon" conman "shut; wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For agent with distributed connector V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the agent with distributed connector by running:

29 If the agent with distributed connector you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas If the agent you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs conman "start" conman "startmon" startwas.bat conman "start" conman "startmon" startwas For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console To manage the default certificates for user interfaces, for each step in the list, perform the procedure and then proceed with the successie step: 1. If the Dynamic Workload Console is installed and works with default certificates as described in Scenario: Connection between the Dynamic Workload Console and agent with a distributed connector on page 2, run Procedure to manage the default truststore and keystore for the Dynamic Workload Console. 2. If the Job Scheduling Console is installed and works with default certificates as described in Scenario: Connection between the Job Scheduling Console and agent with a distributed connector on page 2, run Procedure to manage the default truststore and keystore for the Job Scheduling Console on page 27. Procedure to manage the default truststore and keystore for the Dynamic Workload Console Chapter 2. How to renew the default certificates 23

30 BEGIN 1. Download and install the package 2. Stop the DWC 3. Modify the DWC truststore 4. Modify the DWC keystore 5. Start the DWC END Legenda: DWC Dynamic Workload Console Figure 3. Procedure to manage the default truststore and keystore for the Dynamic Workload Console Procedure to manage the default truststore and keystore for the Dynamic Workload Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Dynamic Workload Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the WebSphere Application Serer of the Dynamic Workload Console by running: stopwas.bat stopwas.sh 24 Renewing default certificates

31 For more information about the command syntax, see Tioli Workload Scheduler: Administration Guide > Administratie tasks > Application Serer tasks. 3. Modify the truststore by running: updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page Modify the keystore by running: updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page Start the Dynamic Workload Console by running: startwas.bat startwas.sh For more information about the command syntax, see Tioli Workload Scheduler: Administration Guide > Administratie tasks > Application Serer tasks. Note for Dynamic Workload Console V8.6 or later users: Note: For Dynamic Workload Console V8.6 or later, after you run the procedure, when you stop the WebSphere Application Serer for the first time, you are asked to accept the new client truststore for the Dynamic Workload Console. Follow the procedure Accepting the new Dynamic Workload Console truststore when you stop the WebSphere Application Serer for the first time. Accepting the new Dynamic Workload Console truststore when you stop the WebSphere Application Serer for the first time: After you run the Procedure to manage the default truststore and keystore for the Dynamic Workload Console on page 23, when you stop the WebSphere Application Serer for the first time, you are asked to accept the new client truststore for the Dynamic Workload Console. To accept the new truststore during the running of stopwas.bat on Windows operating systems and stopwas.sh on UNIX and Linux operating systems, reply "y" to the prompt Add signer to the trust store now? (y/n). On UNIX and LINUX operating systems: If you stop the WebSphere Application Serer for the first time on UNIX and Linux operating systems, by running the stopwas.sh script, you hae the following output: #./stopwas.sh -direct -user twsuser -password twsuser ADMU0116I: Tool information is being logged in file /opt/ibm/twatdwc/ewas/profiles/tipprofile/logs/serer1/stopserer.log Chapter 2. How to renew the default certificates 25

32 ADMU0128I: Starting tool with the TIPProfile profile ADMU3100I: Reading configuration for serer: serer1 *** SSL SIGNER EXCHANGE PROMPT *** SSL signer from target host is not found in trust store /opt/ibm/twatdwc/ewas/profiles/tipprofile/etc/twsclienttrustfile.jks. Here is the signer information (erify the digest alue matches what is displayed at the serer): Subject DN: CN=SererNew, OU=TWS, O=IBM, C=US Issuer DN: CN=SererNew, OU=TWS, O=IBM, C=US Serial number: Expires: Tue No 09 09:48:19 CET 2032 SHA-1 Digest: 5D:16:5D:17:3B:5F:BF:B7:EA:19:92:22:2D:36:53:1A:2F:9D:1B:26 MD5 Digest: DB:BA:A2:6D:0D:B6:A2:53:35:6D:32:6A:40:20:D5:36 Add signer to the trust store now? (y/n)y A retry of the request may need to occur if the socket times out while waiting for a prompt response. If the retry is required, note that the prompt will not be redisplayed if is entered, which indicates the signer has already been added to the trust store. ADMU3201I: Serer stop request issued. Waiting for stop status. ADMU4000I: Serer serer1 stop completed. If you stop the WebSphere Application Serer for the first time on Windows operating systems, by running the stopwas.bat script from the wastools directory, you hae the following output: C:\TWA2\wastools>stopWas.bat The serice is running. Serice failed to stop. stopserer return code -10 Run the stopwas.bat from the embedded WebSphere Application Serer binary directory and you hae the following output: C:\TWA2\eWAS\bin>stopSerer.bat serer1 ADMU0116I: Tool information is being logged in file C:\TWA2\eWAS\profiles\TIPProfile\logs\serer1\stopSerer.log ADMU0128I: Starting tool with the TIPProfile profile ADMU3100I: Reading configuration for serer: serer1 *** SSL SIGNER EXCHANGE PROMPT *** SSL signer from target host is not found in trust store C:/TWA2/eWAS/profiles/TIPProfile/etc/TWSClientTrustFile.jks. Here is the signer information (erify the digest alue matches what is displayed at the serer): Subject DN: CN=SererNew, OU=TWS, O=IBM, C=US Issuer DN: CN=SererNew, OU=TWS, O=IBM, C=US Serial number: Expires: Mon No 08 20:48:19 GMT-12: SHA-1 Digest: 5D:16:5D:17:3B:5F:BF:B7:EA:19:92:22:2D:36:53:1A:2F:9D:1B:26 MD5 Digest: DB:BA:A2:6D:0D:B6:A2:53:35:6D:32:6A:40:20:D5:36 Add signer to the trust store now? (y/n)y A retry of the request may need to occur if the socket times out while waiting for a prompt response. If the retry is required, note that the prompt will not be redisplayed if is entered, which indicates the signer has already been add ed to the trust store. ADMU3201I: Serer stop request issued. Waiting for stop status. ADMU4000I: Serer serer1 stop completed. 26 Renewing default certificates

33 Procedure to manage the default truststore and keystore for the Job Scheduling Console BEGIN 1. Download and install the package 2. Stop the JSC 3. Modify the JSC truststore 4. Modify the JSC keystore 5. Start the JSC END Legenda: JSC Job Scheduling Console Figure 4. Procedure to manage the default truststore and keystore for the Job Scheduling Console Procedure to manage the default truststore and keystore for the Job Scheduling Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Job Scheduling Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the Job Scheduling Console by closing the wizard. 3. Modify the truststore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\public\jsc\jscdefaulttrustfile.jks file to the directory <JSC_INSTALL_DIR>\keys where the <PACKAGE_INSTALL_DIR> is the directory Chapter 2. How to renew the default certificates 27

34 where you installed the certificates package and the <JSC_INSTALL_DIR> is the directory where you installed the Job Scheduling Console. 4. Modify the keystore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\private\jsc\jscdefaultkeyfile.jks file to the directory <JSC_INSTALL_DIR>\keys where <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package and <JSC_INSTALL_DIR> is the directory where you installed the Job Scheduling Console. 5. Start the Job Scheduling Console wizard. Procedure to manage the default certificates for dynamic scheduling enironment To manage the default certificates for the dynamic enironment, for each step in the list, perform the procedure and then proceed with the successie step: 1. Run Procedure to manage the default truststore for dynamic agents. 2. Run Procedure to manage the default keystore for dynamic agents on page If the Job Brokering Definition Console V8.5.1 is installed and works with default certificates, run Procedure to manage the default truststore and keystore for the Job Brokering Definition Console on page 36. Note: This procedure addresses the scenario described in Scenario: Connection among dynamic agents and the master domain manager or dynamic domain manager on page 2. Procedure to manage the default truststore for dynamic agents 28 Renewing default certificates

35 BEGIN? Is DDM installed? NO YES 1. Modify the DDM truststore? Is BDDM installed?? YES NO 2. Modify the BDDM truststore Is DA installed? NO YES 3. Modify the dynamic agent truststore END Legenda: DDM dynamic domain manager BDDM backup dynamic domain manager DA dynamic agent Figure 5. Procedure to manage the default truststore for dynamic agents Procedure to manage the default truststore for dynamic agents 1. If the dynamic domain managers are installed, to modify the dynamic domain managers truststore, perform the following steps for each dynamic domain manager: Chapter 2. How to renew the default certificates 29

36 a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the dynamic domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the dynamic domain manager by running: For dynamic domain manager V8.6.0 with related fix packs conman "stop" ShutdownLwa.bat conman "shut;wait" stopwas.bat conman "stop" ShutdownLwa conman "shut;wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For dynamic domain manager V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the dynamic domain manager by running: For dynamic domain manager V8.6.0 with related fix packs conman "start" StartUpLwa.bat startwas.bat conman "start" StartUpLwa startwas For more information about the command syntax, see User's Guide and Reference. For more information about the command, see User's Guide and Reference. 2. If backup dynamic domain managers are installed, to modify the backup dynamic domain managers truststore, perform the following steps for each backup dynamic domain manager: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup dynamic domain manager is installed. 30 Renewing default certificates

37 b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup dynamic domain manager by running: For backup dynamic domain manager V8.6.0 with related fix packs conman "stop" ShutdownLwa.bat conman "shut;wait" stopwas.bat conman "stop" ShutdownLwa conman "shut;wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For backup dynamic domain manager V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the backup dynamic domain manager by running: For backup dynamic domain manager V8.6.0 with related fix packs conman "start" StartUpLwa.bat startwas.bat conman "start" StartUpLwa startwas For more information about the command syntax, see User's Guide and Reference. 3. If dynamic agents are installed, to modify the dynamic agents truststore, perform the following steps for each dynamic agent: a. Log on as Administrator on Windows operating systems, or root on UNIX and Linux operating systems, or as QSECOFR user on IBM i operating systems, on the machine where the dynamic agent is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the dynamic agent by running: For dynamic agent V8.5.1 with related fix packs Chapter 2. How to renew the default certificates 31

38 ShutdownLwa.bat ShutdownLwa For dynamic agent V8.6.0 with related fix packs ShutdownLwa.bat On UNIX, Linux and IBM i operating systems: ShutdownLwa For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For dynamic agent V8.5.1 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. For dynamic agent V8.6.0 with related fix packs updtruststorescerts.bat On UNIX, Linux, and IBM i operating systems: updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the dynamic agent by running: For dynamic agent V8.5.1 with related fix packs StartUpLwa.bat StartUpLwa For dynamic agent V8.6.0 with related fix packs StartUpLwa.bat On UNIX, Linux, and IBM i operating systems: StartUpLwa For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default keystore for dynamic agents 32 Renewing default certificates

39 BEGIN? Is DA installed? NO YES 1. Modify the DA keystore? Is BDDM installed?? YES NO 2. Modify the BDDM keystore? Is DDM installed?? YES NO 3. Modify the DDM keystore END Legenda: DDM dynamic domain manager BDDM backup dynamic domain manager DA dynamic agent Figure 6. Procedure to manage the default keystore for dynamic agents Procedure to manage the default keystore for dynamic agents 1. If dynamic agents are installed, to modify the dynamic agents keystore, perform the following steps for each dynamic agent: Chapter 2. How to renew the default certificates 33

40 a. Log on as Administrator on Windows operating systems, as root on UNIX and Linux operating systems, or as QSECOFR user on IBM i operating systems, on the machine where the dynamic agent is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the dynamic agent by running: For dynamic agent V8.5.1 with related fix packs ShutdownLwa.bat ShutdownLwa For dynamic agent V8.6.0 with related fix packs ShutdownLwa.bat On UNIX, Linux, and IBM i operating systems: ShutdownLwa For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: For dynamic agent V8.5.1 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For dynamic agent V8.6.0 with related fix packs updkeystorescerts.bat On UNIX, Linux and IBM i operating systems: updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the dynamic agent by running: For dynamic agent V8.5.1 with related fix packs StartUpLwa.bat StartUpLwa For dynamic agent V8.6.0 with related fix packs StartUpLwa.bat On UNIX, Linux, and IBM i operating systems: StartUpLwa 34 Renewing default certificates

41 For more information about the command syntax, see User's Guide and Reference. 2. If backup dynamic domain managers are installed, to modify the backup dynamic domain managers keystore, perform the following steps for each backup dynamic domain manager: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup dynamic domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup dynamic domain manager by running: For backup dynamic domain manager V8.6.0 with related fix packs conman "stop" ShutdownLwa.bat conman "shut;wait" stopwas.bat conman "stop" ShutdownLwa conman "shut;wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: For backup dynamic domain manager V8.6.0 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the backup dynamic domain manager, by running: For backup dynamic domain manager V8.6.0 with related fix packs conman "start" StartUpLwa.bat startwas.bat conman "start" StartUpLwa startwas For more information about the command syntax, see User's Guide and Reference. 3. If dynamic domain managers are installed, to modify the dynamic domain managers keystore, perform the following steps for each dynamic domain manager: Chapter 2. How to renew the default certificates 35

42 a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems on the machine where the dynamic domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the dynamic domain manager by running: For dynamic domain manager V8.6.0 with related fix packs conman "stop" ShutdownLwa.bat conman "shut;wait" stopwas.bat conman "stop" ShutdownLwa conman "shut;wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: For dynamic domain manager V8.6.0 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the dynamic domain manager by running: For dynamic domain manager V8.6.0 with related fix packs conman "start" StartUpLwa.bat startwas.bat conman "start" StartUpLwa startwas For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default truststore and keystore for the Job Brokering Definition Console 36 Renewing default certificates

43 BEGIN 1. Download and install the package 2. Stop the JBDC 3. Modify the JBDC truststore 4. Modify the JBDC keystore 5. Start the JBDC END Legenda: JBDC Job Brokering Definition Console Figure 7. Procedure to manage the default truststore and keystore for the Job Brokering Definition Console Procedure to manage the default truststore and keystore for the Job Brokering Definition Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Job Brokering Definition Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the Job Brokering Definition Console by closing the Job Brokering Definition Console wizard. 3. Modify the truststore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\public\jsc\jscdefaulttrustfile.jks file to the directory <JBDC_INSTALL_DIR>\Certs, where the <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package and the <JBDC_INSTALL_DIR> is the directory where you installed the Job Brokering Definition Console. Chapter 2. How to renew the default certificates 37

44 4. Modify the keystore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\private\was\twsclientkeyfile.jks file file (priate key) to the directory <JBDC_INSTALL_DIR>\Certs, where <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package and <JBDC_INSTALL_DIR> is the directory where you installed the Job Brokering Definition Console. 5. Start the Job Brokering Definition Console wizard. Procedure to manage the default certificates for fault-tolerant agents and domain managers in the SSL enironment To manage the default certificates for SSL enironment, for each step in the list, perform the procedure and then proceed with the successie step: 1. Run Procedure to manage the default truststore for fault-tolerant agents and domain managers. 2. Run Procedure to manage the default keystore for fault-tolerant agents and domain managers on page 42. Note: This procedure addresses the scenario described in Scenario: SSL Communication across the Tioli Workload Scheduler network on page 3. Procedure to manage the default truststore for fault-tolerant agents and domain managers 38 Renewing default certificates

45 BEGIN? Is DM installed? NO YES 1. Modify the DM truststore? Is BDM installed?? YES NO 2. Modify the BDM truststore Is FTA installed? NO YES 3. Modify the FTA truststore END Legenda: DM domain manager BDM backup domain manager FTA fault-tolerant agent Figure 8. Procedure to manage the default truststore for fault-tolerant agents and domain managers Procedure to manage the default truststore for fault-tolerant agents and domain managers 1. If domain managers are installed, to modify the domain managers truststore, perform the following steps for each domain manager: Chapter 2. How to renew the default certificates 39

46 40 Renewing default certificates a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the domain manager by running: For domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX and Linux operating systems: conman "stop" conman "stopmon" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the dynamic domain manager by running: For domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" For more information about the command syntax, see User's Guide and Reference. 2. If a backup domain manager is installed, to modify the backup domain managers truststore, perform the following steps for each backup domain manager: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup domain manager by running: For backup domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "shut; wait"

47 For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For backup domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the backup domain manager by running: For backup domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" For more information about the command syntax, see User's Guide and Reference. 3. If fault-tolerant agents are installed, to modify the fault-tolerant agents truststore, perform the following steps for each fault-tolerant agent: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the fault-tolerant agent by running: For fault-tolerant agent V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the truststore by running: For fault-tolerant agent V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page 9. f. Start the fault-tolerant agent by running: Chapter 2. How to renew the default certificates 41

48 For fault-tolerant agent V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default keystore for fault-tolerant agents and domain managers 42 Renewing default certificates

49 BEGIN? Is FTA installed? NO YES 1. Modify the FTA keystore? Is BDM installed?? YES NO 2. Modify the BDM keystore? Is DM installed?? YES NO 3. Modify the DM keystore END Legenda: DM Domain Manager BDM Backup Domain Manager FTA fault-tolerant agent Figure 9. Procedure to manage the default keystore for fault-tolerant agents and domain managers Procedure to manage the default keystore for fault-tolerant agents and domain managers 1. If fault-tolerant agents are installed, to modify the fault-tolerant agents keystore, perform the following steps for each fault-tolerant agent: Chapter 2. How to renew the default certificates 43

50 44 Renewing default certificates a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the fault-tolerant agent by running: For fault-tolerant agent V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: For fault-tolerant agent V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the fault-tolerant agent by running: For fault-tolerant agent V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" For more information about the command syntax, see User's Guide and Reference. 2. If a backup domain manager is installed, to modify the backup domain managers keystore, perform the following steps for each backup domain manager: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup domain manager by running: For backup domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "shut; wait"

51 For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: For backup domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the backup dynamic domain manager by running: For backup domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" For more information about the command syntax, see User's Guide and Reference. 3. If domain managers are installed, to modify the domain managers keystore, perform the following steps for each domain manager: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the domain manager by running: For domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: For domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the dynamic domain manager by running: Chapter 2. How to renew the default certificates 45

52 For domain manager V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs: On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" For more information about the command syntax, see User's Guide and Reference. 46 Renewing default certificates

53 Procedure to manage the default certificates for the connector APIs BEGIN 1. Download and install the package 2. Find the path of the old certificates 3. Stop the client 4. Re-place the truststore and keystore 5. Start the client END Legenda: API connector APIs Figure 10. Procedure to manage the default certificates for the connector APIs Procedure to manage the default certificates for the connector APIs 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the client for theconnector APIs is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. Chapter 2. How to renew the default certificates 47

54 2. Open the soap.client.props or ssl.client.props file to find the path of the TWSClientTrustFile.jks and TWSClientKeyFile.jks files. 3. Stop the client. 4. Modify the certificates, if the TWSClientTrustFile.jks and TWSClientKeyFile.jks files hae not been modified, by replacing them with the <PACKAGE_INSTALL_DIR>\TWS\updCertsScripts\New\TWSClientTrustFile.jks file and <PACKAGE_INSTALL_DIR>\TWS\DIR>\TWS\updCertsScripts\ New\TWSClientKeyFile.jks, where the <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package. 5. Start the client. Note: This procedure addresses the scenario described in Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4. Procedure to manage the default certificates for the Integration Workbench BEGIN 1. Download and install the package 2. Modify the SDK truststore 3. Modify the SDK keystore END Legenda: SDK Integration Workbench Figure 11. Procedure to manage the default certificates for the Integration Workbench Procedure to manage the default certificates for the Integration Workbench 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Integration Workbench is installed. 48 Renewing default certificates

55 b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Modify truststore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\public\was\twsclienttrust.jks file to the directory <SDK_INSTALL_DIR>\keys, where the <SDK_INSTALL_DIR> is the directory where you installed the Integration Workbench. 3. Modify keystore by copying the <PACKAGE_INSTALL_DIR>\TWS\updCertsScripts\ New\PRIVATE\WAS\TWSClientKeyfile.jks file to the directory <SDK_INSTALL_DIR>\keys, where the <SDK_INSTALL_DIR> is the directory where you installed the Integration Workbench. Note: This procedure addresses the scenario described in Scenario: Integration Workbench oer SSL on page 4. Procedure to manage the default truststore and keystore for command-line client Perform the following steps: 1. To modify the default certificates for the master domain manager command lines, composer and conman, perform the Procedure to manage the default truststore and keystore for master domain manager command-line client. 2. To modify the default certificates for the remote command-lines clients, perform the Procedure to manage the default truststore and keystore for remote command-line client on page 51. Procedure to manage the default truststore and keystore for master domain manager command-line client Chapter 2. How to renew the default certificates 49

56 BEGIN? CLISSLSERVERAUTH=yes in localopts? NO YES 1. Download and install the package 2. Find the old MDM CLIs certificates directory 3. Copy the new certificates from the package END Legenda: MDM CLIs comman-lines client in the master domain manager Figure 12. Procedure to manage the default truststore and keystore for the master domain manager command-line client In the master domain manager instance, you hae the following local command-lines: composer conman Procedure to manage the default truststore and keystore for the master domain manager command-line client If the ariable CLISSLSERVERAUTH=no in the localopts file of the master domain manager You do not perform any actions because the SSL connection continues to work. 50 Renewing default certificates

57 If the ariable CLISSLSERVERAUTH=yes in the localopts file of the master domain manager 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the master domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page In the localopts file of the master domain manager, note the alue of the ariable CLISSLSERVERCERTIFICATE where you store the certificate for the master domain manager: CLISSLSERVERCERTIFICATE=<RC_CERTS_DIR>\serer.crt 3. Copy the <PACKAGE_INSTALL_DIR>\TWS\updCertsScripts\New\PUBLIC\ WAS\sererPublic.arm file to the directory <RC_CERTS_DIR>, where the <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package and the <RC_CERTS_DIR> is the directory where you store the certificate for the master domain manager. Procedure to manage the default truststore and keystore for remote command-line client BEGIN 1. Download and install the package 2. Find the old CLI certificates directory 3. Copy the new CLI certificates from the package END Legenda: CLI remote comman-line client Figure 13. Procedure to manage the default truststore and keystore for the remote command-line client Chapter 2. How to renew the default certificates 51

58 Procedure to manage the default truststore and keystore for the remote command-line client If you hae remote command-lines installed for V8.3.0, V8.4.0, V8.5.0, V , and V8.6.0, for each command-line, perform the following steps: 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the remote command-line client is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page In the localopts file of the remote command-line client, note the alue of the ariable CLISSLSERVERCERTIFICATE where you store the certificate for the remote command-line client: CLISSLSERVERCERTIFICATE=<RC_CERTS_DIR>\serer.crt 3. Copy the <PACKAGE_INSTALL_DIR>\TWS\updCertsScripts\New\PUBLIC\WAS\ sererpublic.arm file to the directory <RC_CERTS_DIR>, where the <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package and the <RC_CERTS_DIR> is the directory where you store the certificate for remote command-line client. Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector 52 Renewing default certificates

59 BEGIN? Is BKM installed? NO YES 1. Modify the BKM keystore? Are agents installed with dist connector? NO YES 2. Modify the agents with connector keystore 3. Modify the MDM keystore END Legenda: MDM master domain manager BKM backup master domain manager Figure 14. Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector Procedure to manage the default keystore for master domain manager, backup master domain manager, and agents with distributed connector 1. If a backup master domain manager is installed, to modify the keystore on the backup master domain manager, perform the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the backup master domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the backup master domain manager by running: Chapter 2. How to renew the default certificates 53

60 If the backup master domain manager you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the backup master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "stopappserer" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: If the backup master domain manager you installed is V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the backup master domain manager by running: If the backup master domain manager you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas If the backup master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "start" conman "startmon" conman "startappserer" For more information about the command syntax, see User's Guide and Reference. 2. Modify the keystore on the agents with distributed connector, by performing the following steps for each type of workstation with static scheduling and distributed connectors: 54 Renewing default certificates

61 a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the agent is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the agent with distributed connector by running: If the agent with distributed connector you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the agent with distributed connector you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs conman "stop" conman "stopmon" conman "shut; wait" stopwas.bat conman "stop" conman "stopmon" conman "shut; wait" stopwas For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: If the agent with distributed connector you installed is V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page 12. f. Start the agent with distributed connector by running: If the agent with distributed connector you installed is V8.3.0 with related fix packs on Windows operating systems: conman "start" startwas.cmd on UNIX and Linux operating systems: conman "start" startwas Chapter 2. How to renew the default certificates 55

62 If the agent you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs conman "start" conman "startmon" startwas.bat conman "start" conman "startmon" startwas For more information about the command syntax, see User's Guide and Reference. 3. Modify the keystore in the master domain manager by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the master domain manager is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page 8. d. Stop the master domain manager by running: If the master domain manager you installed is V8.3.0 with related fix packs conman "stop" conman "shut; wait" stopwas.cmd conman "stop" conman "shut; wait" stopwas If the master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX, and Linux operating systems: conman "stop" conman "stopmon" conman "stopappserer" conman "shut; wait" For more information about the command syntax, see User's Guide and Reference. e. Modify the keystore by running: If the master domain manager you installed is V8.3.0, V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page Renewing default certificates

63 f. Start the master domain manager by running: If the master domain manager you installed is V8.3.0 with related fix packs conman "start" startwas.cmd conman "start" startwas.sh If the master domain manager you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs On Windows, UNIX and Linux operating systems: conman "start" conman "startmon" conman "startappserer" For more information about the command syntax, see User's Guide and Reference. Procedure to renew the default certificates for distributed components used in a z/os enironment If you use the default certificates in the z/os connector for the following scenarios perform the Procedure to renew the default certificates for z/os connector on a distributed system : Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system on page 5. Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system on page 5. Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4. Scenario: Integration Workbench oer SSL on page 4. If you use the default certificates for the Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller on page 5, perform the Procedure to manage the default certificates for Tioli Workload Scheduler for z/os agent (z-centric) on page 69. If you use the default certificates for the Scenario: Connection among dynamic domain managers and the z/os Controller on page 6, perform the Procedure to manage the default certificates for dynamic domain managers connected to the z/os Controller on page 73. Procedure to renew the default certificates for z/os connector on a distributed system To modify the default certificates for scenarios described in Scenarios for distributed components in a z/os enironment on page 4, follow the steps listed in Figure 15 on page 58. You do not need to update your Tioli Workload Scheduler enironment with the following procedure steps all at the same time, but you must perform the entire procedure before the certificates expire on February 10, Chapter 2. How to renew the default certificates 57

64 BEGIN? At least one default certificates used in the z/os connector? NO YES procedure default truststore for z/os connector? DWC or JSC with default certificates?? NO NO NO connector APIs with default certificates?? Integration Workbench with default certificates? YES procedure DWC/JSC YES procedure connector APIs YES procedure SDK? At least one of the preious procedures performed? NO YES procedure default keystore for z/os connector END LEGENDA: DWC Dynamic Workload Console JSC Job Scheduling Console SDK Integration Workbench Figure 15. Procedure to renew the default certificates for z/os connector on a distributed system Procedure to renew the default certificates for z/os connector on a distributed system 58 Renewing default certificates

65 For each step in the list of procedures, if you hae the described configuration, perform the procedure and then proceed with the successie step: 1. If you use the default certificates in the z/os connector, perform the Procedure to manage the default truststore for the z/os connector. 2. If you use default certificates for Scenario: Connection between the Dynamic Workload Console and the z/os connector in a distributed system on page 5 or Scenario: Connection between the Job Scheduling Console and the z/os connector on a distributed system on page 5 or both, perform Procedure to manage the default truststore and keystore for the Dynamic Workload Console and Job Scheduling Console on page If you use the z/os connector APIs with the default certificates, perform the Procedure to manage the default certificates for the connector APIs on page If you use the Integration Workbench with the default certificates, perform the Procedure to manage the default certificates for the Integration Workbench on page If you performed any of the procedures listed in the steps 1 to 4, perform the Procedure to manage the default keystore for the z/os connector on page 68. Procedure to manage the default truststore for the z/os connector BEGIN 1. Download and install the package 2. Stop the z/os connector 3. Modify the z/os connector truststore 4. Start the z/os connector END Figure 16. Procedure to manage the default truststore for the z/os connector Perform the following steps: 1. Download and install the package by performing the following actions: Chapter 2. How to renew the default certificates 59

66 a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the z/os connector is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the z/os connector. 3. Modify the truststore by running: If the Dynamic Workload Console you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page Start the z/os connector. Procedure to manage the default truststore and keystore for the Dynamic Workload Console 60 Renewing default certificates

67 BEGIN 1. Download and install the package 2. Stop the DWC 3. Modify the DWC truststore 4. Modify the DWC keystore 5. Start the DWC END Legenda: DWC Dynamic Workload Console Figure 17. Procedure to manage the default truststore and keystore for the Dynamic Workload Console Procedure to manage the default truststore and keystore for the Dynamic Workload Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Dynamic Workload Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the WebSphere Application Serer of the Dynamic Workload Console by running: stopwas.bat stopwas.sh Chapter 2. How to renew the default certificates 61

68 For more information about the command syntax, see Tioli Workload Scheduler: Administration Guide > Administratie tasks > Application Serer tasks. 3. Modify the truststore by running: updtruststorescerts.bat updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page Modify the keystore by running: updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page Start the Dynamic Workload Console by running: startwas.bat startwas.sh For more information about the command syntax, see Tioli Workload Scheduler: Administration Guide > Administratie tasks > Application Serer tasks. Note for Dynamic Workload Console V8.6 or later users: Note: For Dynamic Workload Console V8.6 or later, after you run the procedure, when you stop the WebSphere Application Serer for the first time, you are asked to accept the new client truststore for the Dynamic Workload Console. Follow the procedure Accepting the new Dynamic Workload Console truststore when you stop the WebSphere Application Serer for the first time on page 25. Accepting the new Dynamic Workload Console truststore when you stop the WebSphere Application Serer for the first time: After you run the Procedure to manage the default truststore and keystore for the Dynamic Workload Console on page 23, when you stop the WebSphere Application Serer for the first time, you are asked to accept the new client truststore for the Dynamic Workload Console. To accept the new truststore during the running of stopwas.bat on Windows operating systems and stopwas.sh on UNIX and Linux operating systems, reply "y" to the prompt Add signer to the trust store now? (y/n). On UNIX and LINUX operating systems: If you stop the WebSphere Application Serer for the first time on UNIX and Linux operating systems, by running the stopwas.sh script, you hae the following output: #./stopwas.sh -direct -user twsuser -password twsuser ADMU0116I: Tool information is being logged in file /opt/ibm/twatdwc/ewas/profiles/tipprofile/logs/serer1/stopserer.log 62 Renewing default certificates

69 ADMU0128I: Starting tool with the TIPProfile profile ADMU3100I: Reading configuration for serer: serer1 *** SSL SIGNER EXCHANGE PROMPT *** SSL signer from target host is not found in trust store /opt/ibm/twatdwc/ewas/profiles/tipprofile/etc/twsclienttrustfile.jks. Here is the signer information (erify the digest alue matches what is displayed at the serer): Subject DN: CN=SererNew, OU=TWS, O=IBM, C=US Issuer DN: CN=SererNew, OU=TWS, O=IBM, C=US Serial number: Expires: Tue No 09 09:48:19 CET 2032 SHA-1 Digest: 5D:16:5D:17:3B:5F:BF:B7:EA:19:92:22:2D:36:53:1A:2F:9D:1B:26 MD5 Digest: DB:BA:A2:6D:0D:B6:A2:53:35:6D:32:6A:40:20:D5:36 Add signer to the trust store now? (y/n)y A retry of the request may need to occur if the socket times out while waiting for a prompt response. If the retry is required, note that the prompt will not be redisplayed if is entered, which indicates the signer has already been added to the trust store. ADMU3201I: Serer stop request issued. Waiting for stop status. ADMU4000I: Serer serer1 stop completed. If you stop the WebSphere Application Serer for the first time on Windows operating systems, by running the stopwas.bat script from the wastools directory, you hae the following output: C:\TWA2\wastools>stopWas.bat The serice is running. Serice failed to stop. stopserer return code -10 Run the stopwas.bat from the embedded WebSphere Application Serer binary directory and you hae the following output: C:\TWA2\eWAS\bin>stopSerer.bat serer1 ADMU0116I: Tool information is being logged in file C:\TWA2\eWAS\profiles\TIPProfile\logs\serer1\stopSerer.log ADMU0128I: Starting tool with the TIPProfile profile ADMU3100I: Reading configuration for serer: serer1 *** SSL SIGNER EXCHANGE PROMPT *** SSL signer from target host is not found in trust store C:/TWA2/eWAS/profiles/TIPProfile/etc/TWSClientTrustFile.jks. Here is the signer information (erify the digest alue matches what is displayed at the serer): Subject DN: CN=SererNew, OU=TWS, O=IBM, C=US Issuer DN: CN=SererNew, OU=TWS, O=IBM, C=US Serial number: Expires: Mon No 08 20:48:19 GMT-12: SHA-1 Digest: 5D:16:5D:17:3B:5F:BF:B7:EA:19:92:22:2D:36:53:1A:2F:9D:1B:26 MD5 Digest: DB:BA:A2:6D:0D:B6:A2:53:35:6D:32:6A:40:20:D5:36 Add signer to the trust store now? (y/n)y A retry of the request may need to occur if the socket times out while waiting for a prompt response. If the retry is required, note that the prompt will not be redisplayed if is entered, which indicates the signer has already been add ed to the trust store. ADMU3201I: Serer stop request issued. Waiting for stop status. ADMU4000I: Serer serer1 stop completed. Chapter 2. How to renew the default certificates 63

70 Procedure to manage the default truststore and keystore for the Job Scheduling Console BEGIN 1. Download and install the package 2. Stop the JSC 3. Modify the JSC truststore 4. Modify the JSC keystore 5. Start the JSC END Legenda: JSC Job Scheduling Console Figure 18. Procedure to manage the default truststore and keystore for the Job Scheduling Console Procedure to manage the default truststore and keystore for the Job Scheduling Console 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Job Scheduling Console is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the Job Scheduling Console by closing the wizard. 3. Modify the truststore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\public\jsc\jscdefaulttrustfile.jks file to the directory <JSC_INSTALL_DIR>\keys where the <PACKAGE_INSTALL_DIR> is the directory 64 Renewing default certificates

71 where you installed the certificates package and the <JSC_INSTALL_DIR> is the directory where you installed the Job Scheduling Console. 4. Modify the keystore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\private\jsc\jscdefaultkeyfile.jks file to the directory <JSC_INSTALL_DIR>\keys where <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package and <JSC_INSTALL_DIR> is the directory where you installed the Job Scheduling Console. 5. Start the Job Scheduling Console wizard. Chapter 2. How to renew the default certificates 65

72 Procedure to manage the default certificates for the connector APIs BEGIN 1. Download and install the package 2. Find the path of the old certificates 3. Stop the client 4. Re-place the truststore and keystore 5. Start the client END Legenda: API connector APIs Figure 19. Procedure to manage the default certificates for the connector APIs Procedure to manage the default certificates for the connector APIs 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the client for theconnector APIs is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Renewing default certificates

73 2. Open the soap.client.props or ssl.client.props file to find the path of the TWSClientTrustFile.jks and TWSClientKeyFile.jks files. 3. Stop the client. 4. Modify the certificates, if the TWSClientTrustFile.jks and TWSClientKeyFile.jks files hae not been modified, by replacing them with the <PACKAGE_INSTALL_DIR>\TWS\updCertsScripts\New\TWSClientTrustFile.jks file and <PACKAGE_INSTALL_DIR>\TWS\DIR>\TWS\updCertsScripts\ New\TWSClientKeyFile.jks, where the <PACKAGE_INSTALL_DIR> is the directory where you installed the certificates package. 5. Start the client. Note: This procedure addresses the scenario described in Scenario: Custom integration based on Tioli Workload Scheduler Jaa APIs on page 4. Procedure to manage the default certificates for the Integration Workbench BEGIN 1. Download and install the package 2. Modify the SDK truststore 3. Modify the SDK keystore END Legenda: SDK Integration Workbench Figure 20. Procedure to manage the default certificates for the Integration Workbench Procedure to manage the default certificates for the Integration Workbench 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Integration Workbench is installed. Chapter 2. How to renew the default certificates 67

74 b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Modify truststore by copying the <PACKAGE_INSTALL_DIR>\TWS\ updcertsscripts\new\public\was\twsclienttrust.jks file to the directory <SDK_INSTALL_DIR>\keys, where the <SDK_INSTALL_DIR> is the directory where you installed the Integration Workbench. 3. Modify keystore by copying the <PACKAGE_INSTALL_DIR>\TWS\updCertsScripts\ New\PRIVATE\WAS\TWSClientKeyfile.jks file to the directory <SDK_INSTALL_DIR>\keys, where the <SDK_INSTALL_DIR> is the directory where you installed the Integration Workbench. Note: This procedure addresses the scenario described in Scenario: Integration Workbench oer SSL on page 4. Procedure to manage the default keystore for the z/os connector BEGIN 1. Download and install the package 2. Stop the z/os connector 3. Modify the z/os connector keystore 4. Start the z/os connector END Figure 21. Procedure to manage the default keystore for the z/os connector Procedure to manage the default keystore for the z/os connector 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the z/os connector is installed. 68 Renewing default certificates

75 b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the z/os connector. 3. Modify the keystore by running: If the Dynamic Workload Console you installed is V8.4.0, V8.5.0, V8.5.1, and V8.6.0 with related fix packs updkeystorescerts.bat updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page Start the z/os connector. Procedure to manage the default certificates for Tioli Workload Scheduler for z/os agent (z-centric) To manage the default certificates for Tioli Workload Scheduler for z/os agent (z-centric), for each step in the list of procedures, perform the procedure and then proceed with the successie step: 1. Run Procedure to manage the default truststore for Tioli Workload Scheduler for z/os agent (z-centric). 2. Run Procedure to manage the default keystore for Tioli Workload Scheduler for z/os agent (z-centric) on page If the Job Brokering Definition Console V8.5.1 exists and works with default certificates, run Procedure to manage the default truststore and keystore for the Job Brokering Definition Console on page 36. Note: This procedure addresses the scenario described in Scenario: Connection between Tioli Workload Scheduler for z/os agent (z-centric agent) and z/os Controller on page 5 only for the Tioli Workload Scheduler for z/os agent (z-centric). For the z/os Controller, see the z/os Controller documentation. Procedure to manage the default truststore for Tioli Workload Scheduler for z/os agent (z-centric) Chapter 2. How to renew the default certificates 69

76 BEGIN 1. Download and install the package 2. Stop the z-centric 3. Modify the z-centric truststore 4. Start the z-centric END Figure 22. Procedure to manage the default truststore for the Tioli Workload Scheduler for z/os agent (z-centric) 70 Renewing default certificates Procedure to manage the default truststore for the Tioli Workload Scheduler for z/os agent (z-centric) 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Tioli Workload Scheduler for z/os agent (z-centric) is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the Tioli Workload Scheduler for z/os agent (z-centric) by running: If the Tioli Workload Scheduler for z/os agent (z-centric) you installed is V8.5.1 and V8.6.0 with related fix packs ShutdownLwa.bat On UNIX, Linux, and IBM i operating systems: ShutdownLwa For more information about the command syntax, see User's Guide and Reference. 3. Modify the truststore by running:

77 If the Tioli Workload Scheduler for z/os agent (z-centric) you installed is V8.5.1 and V8.6.0 with related fix packs updtruststorescerts.bat On UNIX, Linux and IBM i operating systems: updtruststorescerts.sh For more information about the command syntax, see updtruststorecerts on page Start the Tioli Workload Scheduler for z/os agent (z-centric) by running: If the Tioli Workload Scheduler for z/os agent (z-centric) you installed is V8.5.1 and V8.6.0 with related fix packs StartUpLwa.bat On UNIX, Linux, and IBM i operating systems: StartUpLwa For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default keystore for Tioli Workload Scheduler for z/os agent (z-centric) Chapter 2. How to renew the default certificates 71

78 BEGIN 1. Download and install the package 2. Stop the z-centric 3. Modify the z-centric keystore 4. Start the z-centric END Figure 23. Procedure to manage the default keystore for the Tioli Workload Scheduler for z/os agent (z-centric) Procedure to manage the default keystore for the Tioli Workload Scheduler for z/os agent (z-centric) 1. Download and install the package by performing the following actions: a. Log on as Administrator on Windows operating systems, or as root on UNIX and Linux operating systems, on the machine where the Tioli Workload Scheduler for z/os agent (z-centric) is installed. b. Download the ersion of the package that you need, as described in Downloading the package on page 7. c. Install the package, as described in Installing the package on page Stop the Tioli Workload Scheduler for z/os agent (z-centric) by running: If the Tioli Workload Scheduler for z/os agent (z-centric) you installed is V8.5.1 and V8.6.0 with related fix packs ShutdownLwa.bat On UNIX, Linux, and IBM i operating systems: ShutdownLwa For more information about the command syntax, see User's Guide and Reference. 3. Modify the keystore, by running: 72 Renewing default certificates

79 If the Tioli Workload Scheduler for z/os agent (z-centric) you installed is V8.5.1 and V8.6.0 with related fix packs updkeystorescerts.bat On UNIX, Linux, and IBM i operating systems: updkeystorescerts.sh For more information about the command syntax, see updkeystorecerts on page Start the Tioli Workload Scheduler for z/os agent (z-centric) by running: If the Tioli Workload Scheduler for z/os agent (z-centric) you installed is V8.5.1 and V8.6.0 with related fix packs StartUpLwa.bat On UNIX, Linux, and IBM i operating systems: StartUpLwa For more information about the command syntax, see User's Guide and Reference. Procedure to manage the default certificates for dynamic domain managers connected to the z/os Controller To manage the default certificates for dynamic domain managers connected to the z/os Controller, follow the procedure described in Procedure to manage the default certificates for dynamic scheduling enironment on page 28. Note: This procedure addresses the scenario described in Scenario: Connection among dynamic domain managers and the z/os Controller on page 6. For the z/os Controller, see the z/os Controller documentation. Chapter 2. How to renew the default certificates 73

80 74 Renewing default certificates

81 Notices This information was deeloped for products and serices offered in the U.S.A. IBM may not offer the products, serices, or features discussed in this document in other countries. Consult your local IBM representatie for information on the products and serices currently aailable in your area. Any reference to an IBM product, program, or serice is not intended to state or imply that only that IBM product, program, or serice may be used. Any functionally equialent product, program, or serice that does not infringe any IBM intellectual property right may be used instead. Howeer, it is the user's responsibility to ealuate and erify the operation of any non-ibm product, program, or serice. IBM may hae patents or pending patent applications coering subject matter described in this document. The furnishing of this document does not gie you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drie Armonk, NY U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan, Ltd , Nihonbashi-Hakozakicho, Chuo-ku Tokyo , Japan The following paragraph does not apply to the United Kingdom or any other country where such proisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm websites are proided for conenience only and do not in any manner sere as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. 75

82 IBM may use or distribute any of the information you supply in any way it beliees appropriate without incurring any obligation to you. Licensees of this program who wish to hae information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/ Burnet Road Austin, TX U.S.A. Such information may be aailable, subject to appropriate terms and conditions, including in some cases payment of a fee. The licensed program described in this document and all licensed material aailable for it are proided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equialent agreement between us. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of indiiduals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is aailable on the Web at "Copyright and trademark information" at copytrade.shtml. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Goernment Commerce. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Toralds in the United States, other countries, or both. 76 Renewing default certificates

83 Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of The Minister for the Cabinet Office, and is registered in the U.S. Patent and Trademark Office UNIX is a registered trademark of The Open Group in the United States and other countries. Jaa and all Jaa-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. Notices 77

84 78 Renewing default certificates

85 Index A APIs certificates 47, 66 C certificates APIs 47, 66 command-line client 49 dynamic workload console 23, 60 Integration Workbench 48, 67 Job Brokering Definition Console 36 Job Scheduling Console 27, 64 remote command-line client 51 zosconn 59 command-line client certificates 49 contents Package 8 D default certificates dynamic enironment 28 procedure 16, 57 scripts 9 SSL enironment 38 Tioli Workload Scheduler for z/os agent 69 default keystore dynamic enironment 32 Tioli Workload Scheduler for z/os agent (z-centric) 71 distributed connector keystore 52 truststore 18 Downloading package 7 dynamic enironment default certificates 28 default keystore 32 Tioli Workload Scheduler for z/os agent (z-centric) 69 truststore 28 dynamic workload console certificates 23, 60 I Installing package 8 Integration Workbench certificates 48, 67 J Job Brokering Definition Console certificates 36 Job Scheduling Console certificates 27, 64 K keystore distributed connector 52 SSL enironment 42 zosconn 68 P package download 7 installing 8 Package contents 8 procedure default certificates 16, 57 R remote command-line client certificates 51 S Scripts to renew default certificates 9 SSL enironment default certificates 38 keystore 42 TrustStore 38 T Tioli Workload Scheduler for z/os agent default certificates 69 Tioli Workload Scheduler for z/os agent (z-centric) default keystore 71 truststore distributed connector 18 dynamic enironment 28 Tioli Workload Scheduler for z/os agent (z-centric) 69 TrustStore SSL enironment 38 U updkeystorecerts 12 updtrustkeystorecerts 15 updtruststorecerts 9 Z zosconn certificates 59 keystore 68 79

86 80 Renewing default certificates

87

88 Product Number: 5698-WSH Printed in USA