IBM Support

IJ03646: CUSTOMER REQUIRES THAT TEP AUTOMATICALLY ACCEPT VALID TEPS CERTIFICATE DURING LOGON PROCESSING


APAR status

  • Closed as new function.

Error description

  • Customer has installed their own self-signed certificate for
    use with ITM.  Currently, the certificate presented to the TEP
    client by the TEPS must always be verified and accepted by the
    end-user (at least once).  The customer requires that if the TEP
    has already determined that the certificate is valid (i.e., the
    certificate is a valid X.509 formatted certificate with no
    errors or security-related problems), that the certificate be
    automatically accepted and stored in the TEP's local certificate
    datastore.  The end-user should not be prompted to accept or
    reject the certificate under these circumstances.
    
    Environment:  Linux platform
    

Local fix

  • The TEP user can accept the certificate permanently when
    prompted the first time.
    

Problem summary

  • Customer has installed their own self-signed certificate for use
    with ITM.  Currently, the certificate presented to the TEP
    client by the TEPS must always be verified and accepted by the
    end-user (at least once).  The customer requires that if the TEP
    has already determined that the certificate is valid (i.e., the
    certificate is a valid X.509 formatted certificate with no
    errors or security-related problems), that the certificate be
    automatically accepted and stored in the TEP's local certificate
    datastore.  The end-user will not be prompted to accept or
    reject the certificate under these circumstances.
    
    Prior to this APAR the certificate presented to the TEP client
    by the TEPS must always be verified and accepted by the end-user
    (at least once).  A certificate 'Security Alert' verification
    panel is shown to the TEP user for confirmation, and a response
    is required before a session can be successfully established
    between the TEP and TEPS.  This verification panel is displayed
    even when the TEP has already determined that the certificate is
    valid, and will continue to be displayed whenever the TEP is
    launched and an attempt is made to establish a session with the
    TEPS, provided that the TEP end-user has not responded to
    permanently accept the certificate (which informs the TEP to
    store the certificate in a local certificate repository on the
    TEP client machine).
    

Problem conclusion

  • An enhancement was made to the TEP client to allow the customer
    to suppress the display of the certificate verification panel
    based on the following revised algorithm:
    
    1) The following new TEP system property has been configured
    with a value of 'true'.
    
    Note that the specific TEP deployment script to update with this
    new property is dependent on the TEP deployment mode being used
    (JWS, Browser, or desktop) (See Install Actions below)
    
    tep.accept.trusted.certificates=true
    
    2) The 'Not Before' and 'Not After' datetime fields found in the
    certificate are checked against the current datetime associated
    with the TEP client machine. If the current datetime is before
    the 'Not Before' datetime, or after the 'Not After' datetime,
    then the security alert will be displayed with the appropriate
    warning message. The TEP user will then need to decide whether
    the certificate will be accepted permanently, accepted for only
    the current login session, or rejected.
    
    3) If the certificate being processed is determined to be the
    product-provided ITM default self-signed certificate, then the
    certificate will be considered valid, and the host address check
    (see step 4 below) will be skipped (Note: the TEPS host address
    is not included in the default ITM-provided certificate).
    
    4) The host address used to fetch the certificate from the TEPS
    is compared for IP address equivalency to the host address
    specified in the certificate.  The TEPS host address is
    retrieved from the system property 'cnp.http.url.host'
    associated with the TEP configuration.  For this match to
    succeed, both host addresses must resolve to the same underlying
    IP addresses.  If either host address is specified using a short
    hostname or FQDN, then the DNS will be consulted to resolve to
    an IP address for matching purposes.  If the host addresses do
    not match, then the security alert will be displayed with an
    appropriate warning message.  The TEP user will then need to
    decide whether the certificate will be accepted permanently,
    accepted for only the current login session, or rejected.
    
    5) If the certificate validity checks associated with the
    datetime stamps and host addresses are successful (or, the
    default ITM self-signed certificate is being used), and the new
    TEP configuration property is enabled (see step 1 above), then
    the security alert will not be presented, and TEPS login
    processing will continue.
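    The five steps above, worked through as an added Python example
    written for this page (illustration code, not the TEP client's
    implementation). The CertInfo and Decision types, the constructed
    DNS table and the host names teps01 / teps02.example.internal are
    assumptions. Two host addresses are treated as equivalent when they
    share at least one resolved IP address, which is one reading of
    "resolve to the same underlying IP addresses"; a failed lookup is
    treated as a mismatch so that the alert is shown rather than
    suppressed. Dates are compared against the client clock in UTC.

```python
"""Worked illustration of the revised certificate-acceptance decision
described in this APAR (steps 1-5). Added example; NOT the TEP client's
code. The certificate record, the DNS table and the host names are
constructed for the example."""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

Resolver = Callable[[str], set[str]]  # host name or literal IP -> set of IPs


@dataclass(frozen=True)
class CertInfo:
    """Only the certificate fields the algorithm inspects (assumed names)."""
    not_before: datetime
    not_after: datetime
    hosts: tuple[str, ...]        # host addresses named in the certificate
    is_itm_default: bool = False  # product-provided ITM default self-signed cert


@dataclass(frozen=True)
class Decision:
    auto_accept: bool  # True: no Security Alert panel, certificate stored
    reason: str


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def resolve_with_dns(host: str) -> set[str]:
    """Resolver for real use: a literal IP resolves to itself, anything
    else (short name or FQDN) is looked up in DNS."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}


def hosts_match(cert_host: str, config_host: str, resolve: Resolver) -> bool:
    """Step 4: both addresses must resolve to the same underlying IP.
    Assumption: sharing at least one resolved address counts as a match;
    a failed lookup counts as a mismatch (alert shown, never suppressed)."""
    try:
        return bool(resolve(cert_host) & resolve(config_host))
    except OSError:
        return False


def decide(cert: CertInfo, config_host: str, now: datetime,
           accept_trusted: bool, resolve: Resolver = resolve_with_dns) -> Decision:
    """config_host is the value of cnp.http.url.host; accept_trusted is the
    value of tep.accept.trusted.certificates."""
    # Step 1: property not set -> behaviour before the APAR (always prompt).
    if not accept_trusted:
        return Decision(False, "property not enabled: Security Alert shown as before")
    # Step 2: validity window versus the client machine's clock.
    if now < cert.not_before:
        return Decision(False, "certificate not yet valid (Not Before in the future)")
    if now > cert.not_after:
        return Decision(False, "certificate expired (Not After in the past)")
    # Step 3: the default ITM certificate carries no host address; skip step 4.
    if cert.is_itm_default:
        return Decision(True, "ITM default certificate: host check skipped")
    # Step 4: host address equivalence by resolved IP.
    if not any(hosts_match(h, config_host, resolve) for h in cert.hosts):
        return Decision(False, f"host mismatch: {cert.hosts} vs {config_host!r}")
    # Step 5: all checks passed -> accept and store without a prompt.
    return Decision(True, "dates and host match: accepted and stored without prompt")


# --- constructed sample data (not real infrastructure) ----------------------
FAKE_DNS = {
    "teps01": {"192.0.2.10"},
    "teps01.example.internal": {"192.0.2.10"},
    "teps02.example.internal": {"192.0.2.20"},
}


def fake_resolve(host: str) -> set[str]:
    """Offline stand-in for resolve_with_dns backed by FAKE_DNS."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return FAKE_DNS[host]


CUSTOMER_CERT = CertInfo(utc(2019, 1, 1), utc(2020, 1, 1), ("teps01.example.internal",))
DEFAULT_CERT = CertInfo(utc(2019, 1, 1), utc(2020, 1, 1), (), is_itm_default=True)

if __name__ == "__main__":
    for label, cert, host, when in [
        ("FQDN vs short name", CUSTOMER_CERT, "teps01", utc(2019, 6, 1)),
        ("literal IP in config", CUSTOMER_CERT, "192.0.2.10", utc(2019, 6, 1)),
        ("other TEPS host", CUSTOMER_CERT, "teps02.example.internal", utc(2019, 6, 1)),
        ("expired", CUSTOMER_CERT, "teps01", utc(2021, 1, 1)),
        ("default cert", DEFAULT_CERT, "anything.example.internal", utc(2019, 6, 1)),
    ]:
        d = decide(cert, host, when, True, fake_resolve)
        print(f"{label:22} auto_accept={d.auto_accept}  {d.reason}")
```

    Run the file directly to see the decision for each scenario. Note
    what the steps above do not include: no comparison of the presented
    certificate against one already held in the TEP's local datastore
    or against a configured trust anchor. With the property set to
    'true', any certificate with valid dates that is presented by the
    host cnp.http.url.host resolves to is stored without the end-user
    seeing it, so after enabling the property it is worth confirming
    what landed in the local certificate datastore on the first logon.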
    
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
       service pack: 6.3.0.7-TIV-ITM-SP0001
    
    Install Actions:
    
    For Java Webstart:
    
    1. For each TEPS machine where the provisional patch has been
       applied, edit the file named $CANDLEHOME/config/tep.jnlpt for
       Unix/Linux TEPS or %CANDLE_HOME%\config\tep.jnlpt for
       Windows.
    2. Add the following property statement to the <resources>
       section between the custom parameter comment markers:
    
       <!-- Custom parameters -->
       <property name="jnlp.tep.accept.trusted.certificates"
       value="true"/>
       <!-- /Custom parameters -->
    
    3. Save the changes to the tep.jnlpt file.
    4. Reconfigure the browser/JWS client component from the TEPS
       machine using the following command on Unix/Linux:
    
       <itm_home>/bin/itmcmd config -A cw
    
       or using "Manage Tivoli Enterprise Monitoring Services"
       (kinconfg.exe) on Windows.
    
    5. After this command completes, verify that the new property
       has been successfully added to the
       file named $CANDLEHOME/<platform>/cw/tep.jnlp (Unix/Linux) or
       %CANDLE_HOME%\CNB\tep.jnlp (Windows)
    
       Configuration changes to the TEPS machine are now complete.
    6. Before TEP client execution, clear the JAR cache on the
       machine(s) where the TEP JWS client will be launched using
       the following command: <jre_home>\bin\javaws -uninstall
    
    7. If launching the TEP JWS client via the browser, then clear
       the browser's cache as well to ensure that the most recent
       copy of the tep.jnlp file will be retrieved from the TEPS.
       This step is not required if launching the TEP JWS client
       from the command-line or desktop shortcut.
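    Steps 2 and 5 of the Java Web Start procedure, as an added Python
    helper (example code written for this page, not an IBM tool): it
    inserts the property line between the custom parameter markers of
    tep.jnlpt only if it is not already there, refuses to edit a file
    without the markers, and checks whether a generated tep.jnlp carries
    the property. SAMPLE_TEMPLATE is a constructed, minimal stand-in for
    tep.jnlpt; the file paths given on the command line are whatever
    your deployment uses.

```python
"""Added helper for the Java Web Start install actions (steps 2 and 5).
Example code, not an IBM tool. SAMPLE_TEMPLATE is a constructed, minimal
stand-in for tep.jnlpt; a real template carries many more elements."""
import re
import sys
from pathlib import Path

PROPERTY_LINE = '<property name="jnlp.tep.accept.trusted.certificates" value="true"/>'
START_MARK = "<!-- Custom parameters -->"
END_MARK = "<!-- /Custom parameters -->"


def ensure_property(template: str, prop: str = PROPERTY_LINE) -> str:
    """Return the template with prop inside the custom parameter markers.
    Idempotent: unchanged if prop is already present. Raises ValueError
    when the markers are missing rather than appending somewhere else."""
    if prop in template:
        return template
    start = template.find(START_MARK)
    end = template.find(END_MARK, start + len(START_MARK)) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("custom parameter markers not found; is this tep.jnlpt?")
    # Reuse the indentation of the closing marker's line for the new line.
    line_start = template.rfind("\n", 0, end) + 1
    indent = re.match(r"[ \t]*", template[line_start:end]).group(0)
    return template[:end] + prop + "\n" + indent + template[end:]


def has_property(jnlp_text: str,
                 name: str = "jnlp.tep.accept.trusted.certificates",
                 value: str = "true") -> bool:
    """Step 5 check: does the generated tep.jnlp carry the property?"""
    pattern = re.compile(
        r'<property\s+name="%s"\s+value="%s"\s*/>' % (re.escape(name), re.escape(value)))
    return pattern.search(jnlp_text) is not None


SAMPLE_TEMPLATE = """<jnlp spec="1.0+" codebase="http://teps01.example.internal/">
  <resources>
    <j2se version="1.8+"/>
    <!-- Custom parameters -->
    <!-- /Custom parameters -->
  </resources>
</jnlp>
"""


def main(argv: list[str]) -> int:
    """usage: jnlp_prop.py edit <tep.jnlpt> | check <tep.jnlp>"""
    if len(argv) != 3 or argv[1] not in ("edit", "check"):
        print(main.__doc__, file=sys.stderr)
        return 2
    path = Path(argv[2])
    text = path.read_text(encoding="utf-8")
    if argv[1] == "edit":
        path.write_text(ensure_property(text), encoding="utf-8")
        print(f"property present in {path}")
        return 0
    ok = has_property(text)
    print(f"{path}: {'OK' if ok else 'MISSING'} {PROPERTY_LINE}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Typical use: "edit" against $CANDLEHOME/config/tep.jnlpt before the
    reconfigure step, then "check" against the generated tep.jnlp after
    it; a non-zero exit from "check" means the reconfigure did not pick
    the property up and the client will still prompt.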
    
    For Browser Client:
    
    1. Edit file $CANDLEHOME/ls3266/cw/applet.html (Unix/Linux) or
       %CANDLE_HOME%\CNB\applet.html (Windows) found on the TEPS
       machine(s).
    2. Add the following property parameter to the end of the
       parameters array found towards the bottom of the file:
    
     'tep.accept.trusted.certificates': 'true'
    
      (Note: Don't forget to add a comma at the end of the parameter
             statement just above this new parameter).
    
    3. Save the changes to the applet.html file.
    
    4. Before launching the client, clear the JAR cache on the machine
       where the TEP browser client will be launched using the Java
       Control Panel, and clear the browser's cache as well to ensure
       that the most current version of the applet.html file is
       executed.
    
    
    
    For Desktop Client:
    
    1. Edit file %CANDLE_HOME%\CNP\cnp.bat (Windows) or
       $CANDLEHOME/bin/cnp.sh (Linux) found on the TEP client
       machine and locate the statement near the bottom that begins
       with:
    
      set _CMD=                                      (For windows)
      ${TEP_JAVA_HOME}/bin/java -Xms$INIT_HEAP_SIZE  (For Linux)
    
    2. Add the following property after the %CPATH% symbolic
       variable (make sure there is at least one space before and
       after the property being added):
    
       -Dtep.accept.trusted.certificates=true
    
    3. Save the changes to the cnp.bat/cnp.sh file.
    4. Launch the TEP Desktop client using the MTEMS panel, desktop
       shortcut, or command-line.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ03646

  • Reported component name

    TEPS

  • Reported component ID

    5724C04PS

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-01-26

  • Closed date

    2019-05-07

  • Last modified date

    2019-05-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TEPS

  • Fixed component ID

    5724C04PS

Applicable component levels


Document Information

Modified date:
08 March 2023