Notification
Risk classification
HIPER (High Impact and/or Pervasive)
Risk categories
Severe Performance Impact
Affected Domain
LTO and 3592 Tape Drives
Abstract
IBM Tape Drive SHA1 CA certificates (ibmrootca and realsubcacert) stored in the Guardium Key Lifecycle Manager truststore are expiring on 30 June 2026. Failure to renew these certificates before expiration will result in immediate communication failure between Guardium Key Lifecycle Manager and LTO/3592 tape drives using certificates signed by these CAs for SSL/TLS authentication.
Description
Impact of certificate expiration
CRITICAL: Once the certificates expire on 30 June 2026:
- Tape drives currently communicating with Guardium Key Lifecycle Manager over SSL/TLS and using certificates signed by the SHA1-based expiring CA certificates ibmrootca and realsubcacert will immediately stop communicating upon certificate expiration.
- SSL/TLS handshake authentication will fail, preventing secure communication.
- Tape drive operations requiring key management will be disrupted.
- Disruption happens automatically at expiration (no restart or external trigger is required for the disruption to occur).
No disruption will occur if you are:
- Using storage and non-storage devices that are NOT LTO or 3592 tape libraries.
- NOT communicating with LTO and 3592 tape drives over an SSL/TLS channel.
- Using your own custom certificates for LTO and 3592 tape drives (not IBM Tape Drive CA signed certificates).
- Using Tape Drive certificates that are not signed by the SHA1-based expiring truststore CA certificates ibmrootca and realsubcacert for communication.
Note:
- If you fall into any of the above categories, you may still want to complete the following steps:
- For Guardium Key Lifecycle Manager version 4.0.0, 4.1.0, 4.1.1: Steps 3 and 4 to remove the expiring/expired certificates.
- For Guardium Key Lifecycle Manager version 4.2.0, 4.2.1, and 5.x: Steps 3, 4, and 5 to remove the expiring/expired certificates and reset notification settings to reduce certificate expiry alerts.
Recommended Action
Complete the following procedure as per the installed Guardium Key Lifecycle Manager version.
Prerequisites
- Administrative access to Guardium Key Lifecycle Manager UI.
Procedure for Guardium Key Lifecycle Manager version 4.0.0, 4.1.0, and 4.1.1
- Download the renewed certificates.
- Download ibmTapeDrive2048.zip.
Extract the archive to access:
- ibmrootca.pem (renewed root CA certificate)
- realsubcacert.pem (renewed subordinate CA certificate)
- Import the renewed certificates.
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Configuration > Truststore > Add.
Configure the import.
- Certificate Alias: Enter the certificate name.
- Click Browse to upload the certificates downloaded in .pem format in step 1.
- Certificate type: Select DER.
Click Add certificate.
Remove the old certificates (After 1 July 2026).
Note: Complete this step in the first week of July 2026 (after the old certificates expire).
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Configuration > Truststore.
Select the following expired certificates.
- ibmrootca
- realsubcacert
- Click Delete.
- Restart the Liberty server to save all the changes. For more information, see Starting, stopping, restarting WebSphere Liberty.
Procedure for Guardium Key Lifecycle Manager version 4.2.0 and 4.2.1
- Download the renewed certificates.
- Download ibmTapeDrive2048.zip.
Extract the archive to access:
- ibmrootca.pem (renewed root CA certificate)
- realsubcacert.pem (renewed subordinate CA certificate)
- Import the renewed certificates.
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Advanced Configuration > Client Device Certificates > Show preinstalled certificates > Import.
Configure the import.
- Certificate name: Enter the certificate name for ibmrootca.pem or realsubcacert.pem. For example, ibmrootca2048.
- Upload certificate downloaded in .pem format in step 1.
- Device Group: Select the device group which was using certificates signed by the expiring truststore CA certificates. Do not leave this field blank.
- Check: Allow the server to trust this certificate with the associated client device.
Click Import.
Adjust the notification settings (optional but recommended)
Complete the following steps to reduce frequent notifications and emails about expiring certificates:
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Advanced Configuration > Notification configuration > Notification.
Set Certificate expiry service frequency to 168 (hours).
Note: This setting will affect notification frequency for all the expiring or expired certificates in Guardium Key Lifecycle Manager and not just tape drive certificates.
Remove the old certificates (After 1 July 2026).
Note: Complete this step in the first week of July 2026 (after the old certificates expire).
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Advanced Configuration > Client Device Certificates > Show preinstalled certificates.
Select the following expired certificates.
- ibmrootca
- realsubcacert
- Click Delete.
Reset the notification settings changed in step 3 back to the original value (recommended 24 hours).
Restart the Liberty server to save all the changes. For more information, see Starting, stopping, restarting WebSphere Liberty.
Procedure for Guardium Key Lifecycle Manager version 5.x
Download the renewed certificates.
- Download ibmTapeDrive2048.zip.
Extract the archive to access:
- ibmrootca.pem (renewed root CA certificate)
- realsubcacert.pem (renewed subordinate CA certificate)
- Import the renewed certificates.
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Configuration > Encryption endpoint certificates > Show preinstalled certificates > Import certificates.
Configure the import.
- Certificate name: Enter the certificate name for ibmrootca.pem or realsubcacert.pem. For example, ibmrootca2048.
- Upload certificate downloaded in .pem format in step 1.
- Select Endpoint: Select the endpoint which was using certificates signed by the expiring truststore CA certificates. Do not leave this field blank.
- Check: Allow the server to trust this certificate with the associated endpoint.
Click Import.
Adjust the notification settings (optional but recommended).
Complete the following steps to reduce frequent notifications and emails about expiring certificates:
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Configuration > Notification settings > Notification.
Set Certificate expiry service frequency to 168 (hours).
Note: This setting will affect notification frequency for all the expiring or expired certificates in Guardium Key Lifecycle Manager and not just tape drive certificates.
Remove the old certificates (After 1 July 2026)
Note: Complete this step in the first week of July 2026 (after the old certificates expire).
- Log in to the Guardium Key Lifecycle Manager UI.
- Go to Configuration > Encryption endpoint certificates > Show preinstalled certificates.
- On the row of the expiring certificate, click the 3 dots for Options > Delete.
Delete the following expired certificates.
- ibmrootca
- realsubcacert
Reset the notification settings changed in step 3 back to the original value (recommended 24 hours).
Restart the Liberty server to save all the changes. For more information, see Starting, stopping, restarting WebSphere Liberty.
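Added example, not part of IBM's notice or tooling: a pre-import check for the files extracted in step 1 of any of the procedures above, so that a copy of the expiring CA is not imported by mistake and the values seen are on record. It assumes OpenSSL is installed on the workstation; the helper name check_ca, the script name and the UTC cutoff time are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not IBM tooling): pre-import check of the extracted CA files.
# Usage: sh check_ca.sh ibmrootca.pem realsubcacert.pem

# End of 30 June 2026, the expiry date in the notice (UTC is an assumption).
CUTOFF_DEFAULT=1782864000   # 2026-07-01 00:00:00 UTC as a Unix timestamp

# check_ca FILE [CUTOFF_EPOCH]  (hypothetical helper name)
# Prints a short report; returns 0 only if FILE parses as an X.509
# certificate that is still valid at the cutoff.
check_ca() {
    ca_file=$1
    ca_cutoff=${2:-$CUTOFF_DEFAULT}

    # Reject anything openssl cannot load as a certificate.
    if ! openssl x509 -in "$ca_file" -noout >/dev/null 2>&1; then
        echo "FAIL $ca_file: not a readable X.509 certificate"
        return 1
    fi

    # Values worth recording in the change ticket before the import.
    ca_sig=$(openssl x509 -in "$ca_file" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }')
    ca_end=$(openssl x509 -in "$ca_file" -noout -enddate | cut -d= -f2)
    ca_fp=$(openssl x509 -in "$ca_file" -noout -fingerprint -sha256 | cut -d= -f2)
    echo "$ca_file: sig=$ca_sig notAfter=$ca_end sha256=$ca_fp"

    # -checkend N fails if the certificate expires within N seconds of now.
    # N is the time left until the cutoff, or 0 once the cutoff has passed.
    ca_left=$(( ca_cutoff - $(date +%s) ))
    if [ "$ca_left" -lt 0 ]; then ca_left=0; fi
    if ! openssl x509 -in "$ca_file" -noout -checkend "$ca_left" >/dev/null; then
        echo "FAIL $ca_file: expires on or before the cutoff (old CA file?)"
        return 1
    fi
    echo "OK   $ca_file"
}

# Check every file named on the command line; exit non-zero on any failure.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do check_ca "$f" || rc=1; done
    exit "$rc"
fi
```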
Date first published
18 June 2026
Document Information
Modified date:
18 June 2026
UID
ibm17276562