When good certificates go bad
Brian Kealy
zAware is a helpful tool from IBM's System Technology Group that can let you know when applications in your z/OS environment are doing unusual things. It monitors your system log for messages that are, for your environment, statistically unusual. zAware's browser session can show you when unusual message traffic is brewing by presenting what it calls its "anomaly score". To find out about it, though, you have to either log on to zAware's browser interface and keep your eyes peeled or, better yet, let OMEGAMON XE on z/OS monitor zAware and alert you through situations that can sound an alarm or send a text message.
zAware uses the HTTPS secure logon process. z/OS-based applications like the agents running in the ITM Tivoli Enterprise Monitoring Server (TEMS) have to log on to zAware using the secure protocol, just as someone opening a browser window does. z/OS Communication Manager provides a feature called Application Transparent Transport Layer Security, or AT-TLS, which when properly configured supports applications like the ITM TEMS in negotiating the secure logon sequence. A critical component of this logon sequence is the verification of product certificates. The web server in zAware maintains a trust certificate that it exchanges with whatever tries to log on to it. This certificate typically has an expiration date after which it should be considered invalid. Usually these certificates set their expiration date a year or more into the future. The z/OS platform must store the trust certificate for use every time an application wants to log on to zAware. On the z/OS side the certificate is configured into RACF for AT-TLS usage. This is explained in the OMEGAMON XE on z/OS Planning and Configuration Guide for Version 5 Release 1.1, chapter 6, in the topic named "Configuration for connection to an IBM zAware server". It is easy, however, to forget about the expiration date after the initial effort to configure AT-TLS and RACF. If the support personnel for zAware update its certificate without a matching change in each z/OS LPAR's RACF settings, applications like OMEGAMON XE on z/OS will fail to log on to zAware.
What to look for
When you look at the zAware workspace in the Enhanced 3270 User Interface, the zAware Server Status will say AT-TLS Configuration Error, like this:
While this is not the only cause of that status, the first and easiest thing to check is that the certificate stored in RACF matches the certificate provided by zAware. You can use an ordinary browser session to obtain a copy of the zAware appliance's trust certificate and see whether it still matches what was stored in RACF. You will need to know the Uniform Resource Locator, or URL, of your zAware appliance. In the screen shown above that is the value in the zAware Location field (rp5
What to do
Armed with this URL value, you can type it into your browser address field: http
If you do this from a Windows 7 or later workstation, start the browser session in Administrator mode so that you can save the certificate you find. Detailed steps for finding and saving the zAware appliance's trust certificate are in the OMEGAMON XE on z/OS Planning and Configuration Guide for Version 5 Release 1.1, chapter 6, in the topic named "Configuration for connection to an IBM zAware server". After following these steps you should end up with a certificate that, when viewed in Notepad, looks like this:
This zAware appliance's certificate should match exactly what you configured into RACF when you installed OMEGAMON XE on z/OS version 5.1.1. If it does not match, it is likely that your zAware administrator updated the appliance's certificate, and this is why your OMEGAMON application is not logging on successfully. Update RACF with the appliance's new certificate. After refreshing your RACF settings, your zAware workspace should be back in business.
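The comparison described above can be automated rather than done by eye in Notepad. The following Python script (standard library only) is an added example and is not part of the original post or of any IBM product: it fingerprints the PEM copy you keep for RACF (assumed to be a base64 export of the RACF certificate, for instance from RACDCERT EXPORT with FORMAT(CERTB64)) and the certificate the appliance serves, and reads the certificate's notAfter date so an expired appliance certificate is reported directly. `sample_pem` builds a constructed, unsigned stand-in certificate so the check can be run offline; on a real appliance, `ssl.get_server_certificate((host, 443))` supplies `server_pem`.

```python
import hashlib, ssl
from datetime import datetime, timezone

def _tlv(buf, i=0):
    """Decode one DER TLV at offset i -> (tag, value, offset after it)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def _enc(tag, value):
    """Encode one DER TLV; short-form length only, which is all the constructed sample needs."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def _asn1_time(tag, raw):                          # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of an X.509 DER certificate as UTC datetimes."""
    _, cert, _ = _tlv(der)                         # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                         # tbsCertificate ::= SEQUENCE
    fields, i = [], 0
    while i < len(tbs):
        tag, val, i = _tlv(tbs, i)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version
        fields = fields[1:]
    vseq = fields[3][1]                            # serial, signature, issuer, validity
    t1, nb, j = _tlv(vseq)
    t2, na, _ = _tlv(vseq, j)
    return _asn1_time(t1, nb), _asn1_time(t2, na)

def fingerprint(pem):                              # SHA-256 over the DER body
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def check(racf_pem, server_pem, now=None):
    """Compare the RACF copy with what the appliance serves and flag mismatch or expiry."""
    now = now or datetime.now(timezone.utc)
    nb, na = validity(ssl.PEM_cert_to_DER_cert(server_pem))
    return {"match": fingerprint(racf_pem) == fingerprint(server_pem),
            "expired": now > na, "not_yet_valid": now < nb, "not_after": na}

def sample_pem(not_before, not_after):
    """Constructed, unsigned stand-in certificate (UTCTime strings such as '240101000000Z'); not a real cert."""
    utc = lambda s: _enc(0x17, s.encode())
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _enc(0x30, b"") + _enc(0x30, utc(not_before) + utc(not_after)))
    return ssl.DER_cert_to_PEM_cert(_enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00")))
```

A `match` of False with an unexpired server certificate is exactly the "administrator replaced the appliance certificate" case the text describes; an `expired` result means the RACF copy may still match but the handshake will fail anyway.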