The OneClick java jre certificate for CA Spectrum is set to expire on March 8, 2019

Document ID : KB000127181
Last Modified Date : 15/03/2019
Show Technical Document Details
Introduction:
The CA Spectrum OneClick java certificate is going to expire on Friday, March 8 2019.  What fixes are available to update the java certificate if a corporate policy does not allow applications to run with an expired certificate?

 
Environment:
This applies to all supported CA Spectrum platform (Linux, Solaris and Windows)
Instructions:
**The updated certificate has been included in 10.3.1 out of the box.

The CA Spectrum OneClick java certificate has been updated in the following patches:

10.2.0 - Spectrum_10.02.00.PTF_10.2.072
10.2.1 - Spectrum_10.02.01.PTF_10.2.1108
10.2.2 - Spectrum_10.02.02.PTF_10.2.242
10.2.3 - Spectrum_10.02.03.PTF_10.2.371
10.3.0 - Spectrum_10.03.00.PTF_10.3.016
10.3.1 - The certificate was updated in the release so no patch is needed at this time.

The hotfix patches are available here:

ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/

username:  anonymous
password:  your email address

The updated certificate will expire in April of 2020 (due to licensing restrictions).  You can either upgrade to 10.3.1 or install the patch for the version of Spectrum you are running. If you do not install one of these patches you can still use the OneClick client without any configuration changes.  Starting with CA Spectrum release 10.1, the tomcat jar files have been timestamped in accordance with the certificate. The certificate has expired, it has not been revoked so in a typical java deployment we do not expect any interruptions as the certificate is valid.  You will be able to launch the OneClick console without needing to install the patches.  The patch is only needed if your company has a policy that does not allow you to run java applications with an expired certificate.

In addition to this, the Device Certification packs need to be considered:

Device Certification Packs:

The certification packs have been rebuilt for those that have already installed the java certificate patch for 10.2.3 and 10.3.0.  If you are running a version between 10.1.0 and 10.2.2, or you are running 10.3.1, this does not apply to you.  Here is what you need to do dependent upon your situation if you are running 10.2.3 or 10.3.0.  
1.    You do not need to install the jre certificate patch and have not installed the Device Certification Pack but need to:
          a.    Only install the original device certification pack for the release you are on:

10.02.03.Cert_Pack_004
10.3.0.Cert_Pack_001*

*do not install this Device Certification pack on 10.3.1.

2.  You do not need to install the jre certificate patch and have already installed the Device Certification Pack:
          a.    Do not install any patches.  You do not need the updated jre or device certification patch.

3.    You do need to install the jre certificate patch and also need to install the Device Certification Pack:
          a.    Install the jre certificate patch, then install the updated Device Certification pack noted below.

4.    You do need to install the jre certificate patch and have already installed the original Device Certification Pack:
          a.    Install the jre certificate patch, then install the updated Device Certification pack noted below.

5.    You have already installed the jre certificate patch and had to remove jar files to allow the OneClick client to launch:
          a.    Install the updated Device Certification pack noted below.

The updated Device Certification pack based on the Spectrum versions are:

10.2.3 - Spectrum_10.02.03.Cert_Pack_005
10.3.0 - 10.3.0.Cert_Pack_002*

*do not install this Device Certification pack on 10.3.1.

The updated device certification packs are available on the ca ftp server in their respective folders:

ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/

NOTE: In CA Spectrum 10.2.1, if the Spectrum_10.02.01.Cert_Pack_002 is installed, the Spectrum_10.02.01.PTF_10.2.1108 patch cannot be installed, because it does not include the new jar files added in Device Certification Pack (Spectrum_10.02.01.Cert_Pack_002). You have to upgrade to 10.2.3, then install Spectrum_10.02.03.BMP_10.2.302, then install Spectrum_10.02.03.PTF_10.2.371, and then install Spectrum_10.02.03.Cert_Pack_005.

 

Additional Information:
Please take note that most of the patches listed above do have an additional requirement of a bi monthly patch. The bi monthly patches are also available at the same ftp.ca.com site:

ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/

The bi monthly patches must be installed on all OneClick and SpectroSERVER machines.  The patches listed above for the java jre update are OneClick only patches, and only need to be installed on the OneClick servers.

If you are running a Spectrum release prior to 10.1, then you will need to either upgrade to 10.3.0 and apply the 10.3.1 patch, or configure your java security settings to not check for validity as noted in the bottom of this technical document:

https://comm.support.ca.com/kb/the-oneclick-java-certificate-for-ca-spectrum-is-set-to-expire-on-october-16-2016/kb000040586
 
 
IMPORTANT NOTE: Once the PTF is applied then ensure that all workstation Java caches are cleared once (or using Java option without temporarily caching the application) to ensure fresh Java library download to update the workstation.