APAR status
Closed as new function.
Error description
Customer has installed their own self-signed certificate for use with ITM. Currently, the certificate presented to the TEP client by the TEPS must always be verified and accepted by the end-user (at least once). The customer requires that if the TEP has already determined that the certificate is valid (i.e., the certificate is a valid X.509 formatted certificate with no errors or security-related problems), that the certificate be automatically accepted and stored in the TEP's local certificate datastore. The end-user should not be prompted to accept or reject the certificate under these circumstances. Environment: Linux platform
Local fix
The TEP user can accept the certificate permanently when prompted the first time.
Problem summary
Customer has installed their own self-signed certificate for use with ITM. Currently, the certificate presented to the TEP client by the TEPS must always be verified and accepted by the end-user (at least once). The customer requires that if the TEP has already determined that the certificate is valid (i.e., the certificate is a valid X.509 formatted certificate with no errors or security-related problems), the certificate be automatically accepted and stored in the TEP's local certificate datastore. The end-user will not be prompted to accept or reject the certificate under these circumstances. Prior to this APAR, the certificate presented to the TEP client by the TEPS must always be verified and accepted by the end-user (at least once). A certificate 'Security Alert' verification panel is shown to the TEP user for confirmation, and a response is required before a session can be successfully established between the TEP and TEPS. This verification panel is displayed even when the TEP has already determined that the certificate is valid, and will continue to be displayed whenever the TEP is launched and an attempt is made to establish a session with the TEPS, provided that the TEP end-user has not responded to permanently accept the certificate (which informs the TEP to store the certificate in a local certificate repository on the TEP client machine).
Problem conclusion
An enhancement was made to the TEP client to allow the customer to suppress the display of the certificate verification panel based on the following revised algorithm:

1) The following new TEP system property has been configured with a value of 'true'. Note that the specific TEP deployment script to update with this new property depends on the TEP deployment mode being used (JWS, browser, or desktop); see Install Actions below.
   tep.accept.trusted.certificates=true

2) The 'Not Before' and 'Not After' datetime fields found in the certificate are checked against the current datetime of the TEP client machine. If the current datetime is before the 'Not Before' datetime, or after the 'Not After' datetime, then the security alert will be displayed with the appropriate warning message. The TEP user will then need to decide whether the certificate will be accepted permanently, accepted for only the current login session, or rejected.

3) If the certificate being processed is determined to be the product-provided ITM default self-signed certificate, then the certificate will be considered valid, and the host address check (see step 4 below) will be skipped. (Note: the TEPS host address is not included in the default ITM-provided certificate.)

4) The host address used to fetch the certificate from the TEPS is compared for IP address equivalency to the host address specified in the certificate. The TEPS host address is retrieved from the system property 'cnp.http.url.host' associated with the TEP configuration. For this match to succeed, both host addresses must resolve to the same underlying IP addresses. If either host address is specified using a short hostname or FQDN, then DNS will be consulted to resolve it to an IP address for matching purposes. If the host addresses do not match, then the security alert will be displayed with an appropriate warning message. The TEP user will then need to decide whether the certificate will be accepted permanently, accepted for only the current login session, or rejected.

5) If the certificate validity checks associated with the datetime stamps and host addresses are successful (or the default ITM self-signed certificate is being used), and the new TEP configuration property is enabled (see step 1 above), then the security alert will not be presented, and TEPS login processing will continue.

The fix for this APAR is contained in the following maintenance package:
   service pack | 6.3.0.7-TIV-ITM-SP0001

Install Actions:

For Java Web Start:
1. For each TEPS machine where the provisional patch has been applied, edit the file named $CANDLEHOME/config/tep.jnlpt (Unix/Linux TEPS) or %CANDLE_HOME%\config\tep.jnlpt (Windows).
2. Add the following property statement to the <resources> section between the custom parameter comment markers:
   <!-- Custom parameters -->
   <property name="jnlp.tep.accept.trusted.certificates" value="true"/>
   <!-- /Custom parameters -->
3. Save the changes to the tep.jnlpt file.
4. Reconfigure the browser/JWS client component from the TEPS machine using the following command on Unix/Linux:
   <itm_home>/bin/itmcmd config -A cw
   or using "Manage Tivoli Enterprise Monitoring Services" (kinconfg.exe) on Windows.
5. After this command completes, verify that the new property has been successfully added to the file named $CANDLEHOME/<platform>/cw/tep.jnlp (Unix/Linux) or %CANDLE_HOME%\CNB\tep.jnlp (Windows). Configuration changes to the TEPS machine are now complete.
6. Before TEP client execution, clear the JAR cache on the machine(s) where the TEP JWS client will be launched using the following command:
   <jre_home>\bin\javaws -uninstall
7. If launching the TEP JWS client via the browser, then clear the browser's cache as well to ensure that the most recent copy of the tep.jnlp file will be retrieved from the TEPS. This step is not required if launching the TEP JWS client from the command-line or desktop shortcut.

For Browser Client:
1. Edit the file $CANDLEHOME/ls3266/cw/applet.html (Unix/Linux) or %CANDLE_HOME%\CNB\applet.html (Windows) found on the TEPS machine(s).
2. Add the following property parameter to the end of the parameters array found towards the bottom of the file:
   'tep.accept.trusted.certificates': 'true'
   (Note: don't forget to add a comma at the end of the parameter statement just above this new parameter.)
3. Save the changes to the applet.html file.
4. Before test execution, clear the JAR cache on the machine where the TEP JWS client will be launched using the Java Control Panel. Also clear the browser's cache to ensure that the most current version of the applet.html file is executed.

For Desktop Client:
1. Edit the file %CANDLE_HOME%\CNP\cnp.bat (Windows) or $CANDLEHOME/bin/cnp.sh (Linux) found on the TEP client machine and locate the statement near the bottom that begins with:
   set _CMD= (for Windows)
   ${TEP_JAVA_HOME}/bin/java -Xms$INIT_HEAP_SIZE (for Linux)
2. Add the following property after the %CPATH% symbolic variable (make sure there is at least one space before and after the property being added):
   -Dtep.accept.trusted.certificates=true
3. Save the changes to the cnp.bat/cnp.sh file.
4. Launch the TEP Desktop client using the MTEMS panel, desktop shortcut, or command-line.
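The revised acceptance algorithm (steps 2 to 5 above) as an added, stand-alone Python illustration; this is not code from the TEP client. The certificate is a constructed record of only the fields the algorithm examines rather than a parsed X.509 object, DNS is replaced by a constructed lookup table so the block runs offline, and "same underlying IP addresses" is read here as equality of the resolved address sets (an assumption; an unresolvable name counts as a mismatch).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class TepsCert:
    """Constructed stand-in for the certificate fields the algorithm inspects."""
    not_before: datetime
    not_after: datetime
    host: str                  # host address named in the certificate
    itm_default: bool = False  # product-provided ITM default self-signed cert


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def _addresses(host, resolve):
    """IP literal -> itself; short hostname or FQDN -> what the resolver returns."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return set(resolve(host))


def decide(cert, cnp_http_url_host, now, accept_trusted, resolve):
    """('accept', reason) when the Security Alert is suppressed, else ('prompt', reason)."""
    # Step 2: validity window against the TEP client machine's clock.
    if now < cert.not_before:
        return ("prompt", "certificate is not yet valid")
    if now > cert.not_after:
        return ("prompt", "certificate has expired")
    # Steps 3 and 4: host check, skipped for the ITM default certificate.
    if not cert.itm_default:
        cert_ips = _addresses(cert.host, resolve)
        url_ips = _addresses(cnp_http_url_host, resolve)
        if not cert_ips or cert_ips != url_ips:
            return ("prompt", "host address mismatch")
    # Step 5: the alert is suppressed only when the new property is 'true'.
    if not accept_trusted:
        return ("prompt", "tep.accept.trusted.certificates not set")
    return ("accept", "trusted")


# Constructed DNS table standing in for a real resolver (addresses from RFC 5737 test range).
FAKE_DNS = {"teps.example.test": ["192.0.2.10"], "teps": ["192.0.2.10"],
            "other.example.test": ["192.0.2.99"]}
def fake_resolve(host):
    return FAKE_DNS.get(host, [])

NOW = utc(2019, 6, 1)
CERT = TepsCert(utc(2019, 1, 1), utc(2020, 1, 1), "teps.example.test")

if __name__ == "__main__":
    for url_host in ("teps", "192.0.2.10", "other.example.test"):
        print(url_host, decide(CERT, url_host, NOW, True, fake_resolve))
```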
Temporary fix
Comments
APAR Information
APAR number
IJ03646
Reported component name
TEPS
Reported component ID
5724C04PS
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2018-01-26
Closed date
2019-05-07
Last modified date
2019-05-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEPS
Fixed component ID
5724C04PS
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059); Product: Tivoli Monitoring (SSTFXA); Platform: Platform Independent (PF025); Version: 630; Line of Business: Automation (LOB45)
Document Information
Modified date:
08 March 2023