Download
Abstract
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration.
Download Description
PK42863 resolves the following problem:
ERROR DESCRIPTION:
The Interim fix install for PK34093 contains a couple of packaging errors:
1. PK34093 fails to install if the APAR is packaged to a CIP. When this condition happens, the following error is logged:
(Apr 2, 2007 2:02:02 PM), Process, com.ibm.ws.install.ni.ismp.installtoolkitbridge.ISMPInstallToolkitBridge ForNIFramework, wrn, Config action failed:
10FupdateSecurityConfig -
/usr/local/WebSphere/AppServer/properties/version/nif/config/update/6.1.0.5-WS-WAS-IFPK34093/install/10FupdateSecurityConfig.ant
----------------------------------------------------------------
2. PK34093 won't be installable to OS/400 platform. When this condition happens, the following error is logged:
(Mar 30, 2007 8:51:52 PM), Install, com.ibm.ws.install.ni.ismp.actions.SetExitCodeAction, msg1,
CWUPI0000I: EXITCODE=2
----------------------------------------------------------------
LOCAL FIX:
None
PROBLEM SUMMARY
USERS AFFECTED:
All users of servers installed with IBM® WebSphere® Application Server version 6.1.
PROBLEM DESCRIPTION:
The default self-signed certificate on version 6.1 servers has a life span of 1 year. By default every 28 days the server checks and reports the status of certificate expiration. By default 60 days before a self-signed certificate expires, the threshold period, the certificate will get replaced automatically.
While administrative clients will handle the certificate replacement by retrieving the new signer certificate fine, other services like WebServer will not. In the case of a WebServer the extracting of the signer certificate is manual. So the automatic replacement of it's certificate can cause an outage of the service.
RECOMMENDATION:
None
Servers self-signed certificate will get replaced 60 days before they expire. That means about 10 months after the self-signed certificate gets created. This will cause a server outage on services like WebServer where the managing of the client signer certificate is a manual step. So this change will extend the life span of the default self-signed certificate to 15 years and provide addition warning time before certificates are automatically replaced.
PROBLEM CONCLUSION:
With this fix, a couple of things are being done to prevent service outages:
1. A prenotification message will start appearing 90 days before the threshold period. Warning user that certificates will get replaced when in the expiration threshold.
2. The default self-signed certificate life span is extended to 15 years.
Note: this is only applicable for a profile which will be created after applying this APAR fix.
PK34093 Interim Fix is superseded by this APAR fix.
Note: This fix is not required if PK34093 fix was already applied. This fixes an Interim Fix packaging problem only
Fixpack 6.1.0.7 has included the equivalent fix of this APAR under PK34093.
Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV(U.S. only).
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg24015797