Picking up on this old thread.
The SHA1 expiration deadline is right around the corner, 06/30/17.
I've successfully imported the new SHA 256 wild card cert to Production LPAR, updated cert assignment for one app from SHA1 to SHA256, working ok.
I also had to import a new intermediate CA, SHA256.
Old root CA remained the same.
What is interesting is that the root CA for SHA256 cert is still SHA1.
Our network/security folks will be obtaining a new SHA256 cert in early 2017, since this cert also expires 06/30/17.
So I'll be repeating all these processes, again, for all LPARs, 1st quarter 2017.
I do have some questions and issues.
1) Within DCM, is there a method to see if a cert is SHA1 or SHA256?
I'm not seeing the sha details anywhere.
2) I need a tool or method to determine which cert is being used by a non HTTP SSL job/process.
HTTP SSL can be determined by viewing the security info presented by the browser.
The SSL trace only shows the SSL version and cipher used, not the cert info.
I asked IBM if the cert info could be added to the trace, answer was no, WAD.
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020594
3) The SSL trace is only valid for non-Java.
Also need a tool or method to determine SSL version, cipher, cert for Java SSL jobs/process.
4) How does one test each of the DCM applications that have a cert assigned to them?
Central Server, Database server, Data Queue Server, etc.
5) Within DCM, I'd like to delete old certs and CA, but have no idea which are used and where.
Because there is no tool for this, I've been told to just leave it, too many unknowns and possibility of production SSL failures.
Paul
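The first three questions above (is a cert SHA1 or SHA256, and which protocol, cipher and cert a non-HTTP SSL job actually presents) can all be answered from the client side of the connection, independent of DCM or the SSL trace. The script below is an added example, not part of this thread or of any IBM tool: it connects to a host and port (for instance a Telnet or Central Server port on the LPAR), records the negotiated protocol version and cipher, and reads the signature algorithm OID out of the presented certificate's DER with a small hand-written parser, so it needs nothing beyond the Python standard library. The `build_sample_cert` helper constructs a cert-shaped DER blob purely so the parser can be exercised offline; it is not a real certificate. Host and port values are assumptions to be replaced with your own.

```python
import socket
import ssl

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758. The outer
# signatureAlgorithm of a certificate is what tells you SHA1 vs SHA256.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode an OBJECT IDENTIFIER value into dotted form."""
    first = raw[0]
    parts = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last byte of this sub-identifier
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der_cert):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _, pos = _read_tlv(cert_body, 0)           # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert_body, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)            # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(oid)


def signature_algorithm_name(der_cert):
    """Human-readable name for the cert's signature algorithm (OID if unknown)."""
    oid = signature_algorithm(der_cert)
    return SIG_ALG_OIDS.get(oid, oid)


def inspect_endpoint(host, port, timeout=5):
    """Handshake with host:port and report protocol, cipher and cert signature algorithm.
    Verification is disabled on purpose: this is an inventory check of our own
    servers and must still report a cert whose chain the client cannot build."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "signature_algorithm": signature_algorithm_name(der),
            }


# --- constructed sample data so the parser can be exercised offline ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(chunk)
    return bytes(out)


def build_sample_cert(sig_oid):
    """Constructed, cert-shaped DER (NOT a real certificate): a dummy
    tbsCertificate, the given signature AlgorithmIdentifier, and a dummy
    signature BIT STRING. Only the outer structure matters for the check above."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 8)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", signature_algorithm_name(build_sample_cert(oid)))
    # Live use (assumed host/port, replace with your own), e.g.:
    # print(inspect_endpoint("lpar.example.internal", 992))
```

Run `inspect_endpoint` against each port a DCM application listens on to see which certificate that application is really presenting after a recycle; this works for Java and non-Java servers alike because it observes the wire, not the job. On the root-CA observation above: a root is self-signed and browsers never validate that signature, so a SHA1-signed root does not trip the SHA1 sunset; the leaf and any intermediates are what must be SHA256.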
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Friday, January 23, 2015 2:16 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: DCM SSL sha1 / sha256 cert issues
1) There was an issue in getting the needed root and int CA from the iSeries to the PC. What normally should be a simple process would not work.
Repeated CWBC01050 - The IBM i server application is not trusted.
It took quite an effort to export the root and int CA, then import into the PC keystore. Is there a good knowledge base doc for this?
Once the necessary CA were imported to the PC, I tested a SHA1 cert with iSeries Access SSL. Working.
Then I upgraded DCM certificate assignment Application ID: QIBM_QTV_TELNET_SERVER to the new SHA256 cert, Working.
SHA256 cert installed, tested, working with 1 app.
2) I'd like to identify unneeded roots, int, CA and delete from the iSeries key store.
Any tips.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Steinmetz, Paul
Sent: Thursday, January 22, 2015 6:27 PM
To: 'Midrange Systems Technical Discussion'
Subject: RE: DCM SSL sha1 / sha256 cert issues
I applied SI55542 to a different playground LPAR.
I retested the .pfx import using CA authority, which originally resulted in a blank label.
With SI 55542 applied, the CA authority import now results with a valid label.
Paul
-----Original Message-----
From: Steinmetz, Paul
Sent: Thursday, January 22, 2015 11:57 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: DCM SSL sha1 / sha256 cert issues
Pete,
Understood.
My question at this point, I don't have the new sha256 wc cert assigned to any apps in DCM.
So even though it is in the system store, nothing will use it till I assign it to an app.
What app would be the easiest and fastest to test?
Per IBM support, I believe the app has to be recycled in order to use the new cert.
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Thursday, January 22, 2015 11:47 AM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues
Dang...that only applies if the cert expires after 2016.....but you can look at the cert in Chrome (or any other browser) and it should tell you the cipher suite used.
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
On 1/22/2015 10:39 AM, Steinmetz, Paul wrote:
1) I restored the system store, DEFAULT.*DB, from backup.
2) I reimported the new wild card .pfx, selecting server certificate, this was successful.
Now I need to test the new wild card sha256 cert.
What is the easiest and fastest test for this?
Paul
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of AHoerle@xxxxxxxxxxxxx
Sent: Thursday, January 22, 2015 9:16 AM
To: Midrange Systems Technical Discussion
Subject: Re: DCM SSL sha1 / sha256 cert issues
Paul,
We just updated to SHA2 certificates last month. We didn't run into any problems, but they were standard (not wildcard) certificates.
Good luck!
Amy Hoerle
System Administrator
Think Mutual Bank
5200 Members Pkwy NW, Box 5949
Rochester, MN 55901
507-536-5815 or
800-288-3425 Ext 5815
ahoerle@xxxxxxxxxxxxx
From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 01/21/2015 07:55 PM
Subject: DCM SSL sha1 / sha256 cert issues
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
I recently received a request from our security folks that we need to update/reissue our wildcard cert from sha1 to sha256 due to new browser requirements.
http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
I was given the new wildcard cert, (Int CA, cert, private key), but they failed to import to DCM.
I opened a PMR with IBM; to make a long story short, because DCM did not have the DCR, the cert will not import.
Per IBM support, you need to import the new certificate into the store which generated the DCR.
Once this is completed, export the certificate from the certificate store and then I will be able to import into a different store.
Our security folks sent me this link along with a new .pfx file
http://www-01.ibm.com/support/docview.wss?uid=nas8N1019818
I was reluctant to import using this method.
I normally import either .pem or .cer individually, never from a .pfx file.
The import was successful, new intermediate CA ok, however, the new sha256 cert had no label.
Because the new imported cert has no label, it is not useable, cannot delete, no fix available from IBM.
Problem is IBM doc above, N1019818, had you import the pfx into a CA.
When you import into a CA, there is no prompt for a label.
Instead, you should import into Server/Client, which will prompt to enter a label.
Cannot re-import, duplicate.
Current workaround from IBM.
Restore the DCM system store from backup. These would be the steps:
1. WRKLNK '/qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB' and take option 7 to rename. Call it DEFAULT.KDB.OLD
2. WRKLNK '/qibm/UserData/ICSS/Cert/Server/DEFAULT.RDB' and take option 7 to rename. Call it DEFAULT.RDB.OLD
3. Restore the /qibm/UserData/ICSS/Cert/Server/DEFAULT.RDB and /qibm/UserData/ICSS/Cert/Server/DEFAULT.KDB files from backup
There is a recent PTF, SI55542, which addresses the blank label issue.
I don't work with DCM and certs all that often, it is never fun.
Anyone else experiencing/dealing with the sha1 to sha256 cert, SSL, DCM issues?
Thank You
_____
Paul Steinmetz
IBM i Systems Administrator
Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071
610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home
psteinmetz@xxxxxxxxxx
http://www.pencor.com/
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.