JR49893: IBM PROCESS DESIGNER IS INSTALLED WITH A KEYSTORE WITH AN EXPIRED CERTIFICATE

Version 8.5 Refresh Pack 5 for the IBM Business Process Manager products
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products

APAR status

• Closed as program error.

Error description

• In the current default configuration, IBMProcess Designer comes
  with a keystore that has an expired certificate.
  This negatively affects the user's ability to enable two-way
  authentication and customize authentication for a subset of
  users.
  
  PRODUCTS AFFECTED:
  IBM Business Process Manager (BPM) Advanced
  IBM BPM Standard
  IBM BPM Express
  

Local fix

• Users can manually make changes to the installed Process
  Designer client before they customize authentication, as
  follows:
  
  1. Delete the file key.p12 in the <PD Install Root>\etc
  directory.
  2. Remove the #KeyStore Information section that references the
  keystore from the ssl.client.props file in the <PD Install
  Root>\resources directory:
  # KeyStore information
  com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
  com.ibm.ssl.keyStore=etc/key.p12
  com.ibm.ssl.keyStorePassword={xor}CDo9Hgw=
  com.ibm.ssl.keyStoreType=PKCS12
  com.ibm.ssl.keyStoreProvider=IBMJCE
  com.ibm.ssl.keyStoreFileBased=true
  3. Remove the following three lines that reference the keystore
  from the eclipse.ini file in the <PD Install Root> directory:
  -Djavax.net.ssl.keyStoreType=PKCS12
  -Djavax.net.ssl.keyStore=./etc/key.p12
  -Djavax.net.ssl.keyStorePassword=WebAS
  

Problem summary

• This issue affects users of IBM Process Designer who connect to
  Process Center using a proxy with the configuration value
  SSLVerifyClient optional_no_ca. The Process Designer default
  configuration comes with a keystore file that contains an
  expired certificate. Users who want to enable two-way
  authentication are blocked  by the expired certificate in the
  keystore file.
  

Problem conclusion

• A fix is available for IBM BPM 8.5.0.1 that removes the key.p12
  file and removes a section that references the keystore from the
  ssl.client.props and eclipse.ini Process Designer configuration
  files. The product will no longer provide a default keystore
  file in Process Designer.  On Fix Central
  (http://www.ibm.com/support/fixcentral), search for JR49893:
  
      1. Select IBM Business Process Manager with your edition
  from the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.
      2. Select APAR or SPR, enter JR49893, and click Continue.
  
  When you download fix packages, ensure that you also download
  the readme file for each fix. Review each readme file for
  additional installation instructions and information about the
  fix.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM ADVANCED

• Fixed component ID

  5725C9400

Applicable component levels

• R850 PSY

     UP