Impact of SSL certificate verification changes in Python 2.7.9

Secure Sockets Layer (SSL) certificate verification changes in Python 2.7.9 or later can impact IBM® Z Operations Analytics dashboards and the IBM zAware data gatherer. Python Enhancement Proposal (PEP) 476 changes the default behavior for HTTPS certificate verification in Python clients.

Symptom

For Python clients where PEP 476 is applied, the verification of self-signed certificates is usually unsuccessful, which prevents search results from showing in the web browser. The following message is shown:

CTGLA0630E : Application execution failed due to unknown 
error. An error occurred while executing GET /CSRFToken.

Before the application of PEP 476, Python clients that were using HTTPS did not present errors if the verification of self-signed certificates was unsuccessful.

For more information, see the following sources:

From the Python Software Foundation: PEP 476 -- Enabling certificate verification by default for stdlib http clients
For Red Hat® Enterprise Linux®: Certificate verification in Python standard library HTTP clients

Solution for use of the IBM zAware data gatherer

The IBM zAware data gatherer establishes HTTPS sessions with both the IBM zAware and IBM Operations Analytics - Log Analysis servers. By default, the data gatherer does not present an error if the verification of self-signed certificates is unsuccessful.

The environment variable PYTHONHTTPSVERIFY controls certificate verification. Before you run the zAwareDataGatherer.py script to enable certificate verification in the IBM zAware data gatherer, complete the following steps:

Set the value of PYTHONHTTPSVERIFY to 1, which specifies that, if certificate verification is unsuccessful, an error message is recorded in the log file, and the zAwareDataGatherer.py script ends.
If the value of PYTHONHTTPSVERIFY is not set, or is set to 0 (the default value), certificate verification is disabled for both the IBM zAware and IBM Operations Analytics - Log Analysis servers.
Add the IBM zAware and IBM Operations Analytics - Log Analysis certificates to the Python certificate store.

Solution for use of the IBM Z Operations Analytics dashboards

To simplify the base configuration of IBM Z Operations Analytics, SSL certificate verification is disabled.

If you want to enable SSL certificate verification for the IBM Z Operations Analytics dashboards, you can purchase an SSL certificate from a certificate authority (CA), and deploy it to the IBM Operations Analytics - Log Analysis keystore.

To enable certificate verification for the dashboards, complete the following steps:

In the IBM Operations Analytics - Log Analysis keystore, install the SSL certificate that you purchased from the CA.
For more information, see Configuring CA certificates for SSL in the Log Analysis documentation.
In the Python script CommonAppMod.py that is in each of the following four directories, set the value of the environment variable PYTHONHTTPSVERIFY to 1.
- LA_INSTALL_DIR/AppFramework/Apps/WASforzOSInsightPack_v3.2.0.0/CommonAppMod.py
- LA_INSTALL_DIR/AppFramework/Apps/zOSNetworkInsightPack_v3.2.0.0/CommonAppMod.py
- LA_INSTALL_DIR/AppFramework/Apps/SMFforzOSInsightPack_v3.2.0.0/CommonAppMod.py
- LA_INSTALL_DIR/AppFramework/Apps/SYSLOGforzOSInsightPack_v3.2.0.0/CommonAppMod.py
This example shows how this value must be set:
```
os.environ["PYTHONHTTPSVERIFY"] = "1"
```