Platform Manager certificate patch release notes
Platform Manager certificates provided by IBM expire on 8 January 2022, so you must update them before that date. If this patch is not applied in time, you will not be able to run ap commands. After the patch is applied successfully, the certificates' expiration date is extended by 100 years.
Normally, the certificates are updated automatically during upgrades. However, if the system has not been upgraded for a long time, the certificates' expiration date might be missed, which causes Platform Manager to stop working. You must run the regenerate_certificates.py script to renew the Platform Manager certificates.
Running the patch is mandatory for any 1.0.x Cloud Pak for Data System. When you run the script, you can choose not to update the certificates and only update the Call Home file, but this is not recommended. The patch covers the following certificates:
- REST certificates, which are used for the externally accessible REST API (for example, ap commands use this API).
- Cluster certificates, which are used for internal platform management communication; no externally accessible endpoint uses them.
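Before and after running the patch, a practitioner will want to confirm what the certificates' validity actually is rather than trust the upgrade history. The following checker is an added example written for this page; it is not IBM's code and not part of the regenerate_certificates.py script. It parses the notAfter line that `openssl x509 -enddate -noout` prints for a PEM certificate and the "Valid from ... until ..." lines that `keytool -list -v` prints for a JKS store such as the Call Home TrustList.jks, then classifies each expiry against a reference date. The sample lines and reference dates are constructed; the page does not give the file locations of the REST or cluster certificates, so the file-based helpers take a path and assume openssl and keytool are on PATH and print time stamps in GMT/UTC.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample lines for this example; they are not output from a real system.
OPENSSL_SAMPLE = "notAfter=Jan  8 00:00:00 2022 GMT"
KEYTOOL_SAMPLE = ("Valid from: Tue Jan 08 00:00:00 UTC 2019 "
                  "until: Sat Jan 08 00:00:00 UTC 2022")

WARN_DAYS = 30  # flag anything that expires within this many days


def parse_openssl_enddate(line):
    """Parse the 'notAfter=<date>' line printed by `openssl x509 -enddate -noout`."""
    m = re.match(r"notAfter=(.+)$", line.strip())
    if not m:
        raise ValueError("not an openssl notAfter line: %r" % line)
    # openssl prints e.g. 'Jan  8 00:00:00 2022 GMT'; the zone is always GMT, so we
    # attach UTC explicitly (strptime's %Z does not set tzinfo).
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_keytool_validity(line):
    """Parse the 'Valid from: ... until: ...' line printed by `keytool -list -v`.

    Assumption: the JVM printed the dates in UTC or GMT (Java's default Date format,
    e.g. 'Sat Jan 08 00:00:00 UTC 2022'); other zone names are rejected by strptime.
    """
    m = re.search(r"Valid from: (.+?) until: (.+)$", line.strip())
    if not m:
        raise ValueError("not a keytool validity line: %r" % line)
    fmt = "%a %b %d %H:%M:%S %Z %Y"
    not_before = datetime.strptime(m.group(1), fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(m.group(2), fmt).replace(tzinfo=timezone.utc)
    return not_before, not_after


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return (days_remaining, status); status is EXPIRED, EXPIRING or OK."""
    days = (not_after - now).days
    if days < 0:
        return days, "EXPIRED"
    if days <= warn_days:
        return days, "EXPIRING"
    return days, "OK"


def check_openssl_line(line, now_iso):
    """Classify an openssl notAfter line against a reference time given in ISO 8601."""
    return classify(parse_openssl_enddate(line), datetime.fromisoformat(now_iso))


def check_keytool_line(line, now_iso):
    """Classify a keytool validity line against a reference time given in ISO 8601."""
    _, not_after = parse_keytool_validity(line)
    return classify(not_after, datetime.fromisoformat(now_iso))


def check_pem_file(path, now=None):
    """Run openssl on a certificate file (needs openssl on PATH) and classify it."""
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", path], text=True)
    return classify(parse_openssl_enddate(out), now or datetime.now(timezone.utc))


def check_jks_file(path, storepass, now=None):
    """List a JKS store (needs keytool on PATH) and classify every entry in it."""
    out = subprocess.check_output(
        ["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass], text=True)
    now = now or datetime.now(timezone.utc)
    results = []
    for line in out.splitlines():
        if line.strip().startswith("Valid from:"):
            _, not_after = parse_keytool_validity(line)
            results.append(classify(not_after, now))
    return results


if __name__ == "__main__":
    # Constructed reference date a few weeks before the 8 January 2022 expiry.
    ref = "2021-12-15T00:00:00+00:00"
    print("openssl sample:", check_openssl_line(OPENSSL_SAMPLE, ref))
    print("keytool sample:", check_keytool_line(KEYTOOL_SAMPLE, ref))
```

Run check_jks_file on the Call Home TrustList.jks after any later 1.0.x upgrade as well: the upgrade overwrites that file, which is why the page has you rerun the script for it, and a quick listing confirms whether the entries it now holds are the renewed ones.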
Before you begin
- The patch is applicable to any 1.0.x Cloud Pak for Data System version.
- The estimated run time is 5-15 minutes, depending on the system size. Platform Manager is stopped, but the applications remain online. The database remains online.
- The patch is applied by running the interactive regenerate_certificates.py script, which guides you through the process.
- If the certificate patch is applied and you later upgrade to any later 1.0.x version, the platform management certificates (both REST and cluster) are retained. However, the Call Home TrustList.jks file is overwritten during the upgrade. You will have to rerun the script after the upgrade to update only the Call Home TrustList.jks file.
- If your system has FIPS enabled, or SELinux is set to enforcing, you must disable FIPS and set SELinux to permissive before applying the patch. The upgrade does not preserve this configuration and fails if it is not disabled; apupgrade verifies this before upgrading. Re-enable the settings after the upgrade. For more information on these settings, see Configuring FIPS on pre-2.0.2 Cloud Pak for Data System and Configuring SELinux on Cloud Pak for Data System.
- If any non-NPS nodes on your system are disabled because they are not reachable, you can still run this script to apply certificates on the other nodes. The script reports all unreachable nodes (along with the NPS nodes) and prompts you to continue. To proceed, type y when prompted (step 5). After the unreachable non-NPS nodes become reachable again, you will have to run the script again to apply certificates on them.
- Run the script as root. Either log in as root directly, or use the command su -. The su root command does not work and causes the process to fail.
Procedure
Applying the patch on a system with expired certificates
If the certificates on your system have already expired, you can still apply the patch. However, some workaround steps are required because Platform Manager is not fully operational in this state. After you apply the procedure described above, the system comes online, but some nodes might be marked disabled and Db2 might be down (if the db2wh service is installed). To recover from this situation, run the following steps:
Procedure
Known issues
- The regenerate_certificates.py script fails with the following error:
UnicodeEncodeError: 'ascii' codec can't encode character u'\u2018' in position 60: ordinal not in range(128)
Workaround:
- In the regenerate_certificates.py script, add the following lines after the import sys line:
reload(sys)
sys.setdefaultencoding('UTF8')
- Rerun the script.