Open Enterprise Server and SHA2 signed certificates.

  • 7017122
  • 04-Jan-2016
  • 15-May-2016

Environment

Micro Focus Open Enterprise Server 11 (OES 11) Linux
Micro Focus Open Enterprise Server 2015 (OES 2015) Linux

Situation

Major web browser manufacturers are taking steps to phase out SHA1 signed certificates. Today, many web browsers already reject new SHA1 signed certificates that are valid beyond January 2017 (the final cut-off date for SHA1 support).

For example, the Google Chrome browser is already showing this warning.

Resolution

The January 2016 eDirectory Hot patches for Open Enterprise Server 11 SP2 [1] and for Open Enterprise Server 2015 [2] will allow the servers to follow a CA signing algorithm using SHA2.

Once the CA of the tree has been manually recreated with the SHA2 signing algorithm, all other servers with this fix will follow that (SHA2) signing algorithm and thus create eDirectory server certificates using SHA2.

After the installation of the patch, and when required, the expectation is to recreate the current certificates using SHA2.
The eDirectory fix mentioned above will enable the default creation of SHA2 certificates.

[1] January 2016 OES11 SP2 eDirectory 8.8 SP8 Patch 6 Hot Patch 1 - 10860
[2] January 2016 eDirectory 8.8 SP8 Patch 6 Hot Patch 1 Update - OES 2015

Cause

End of life web browser support for SHA1 signed certificates requires SHA2 support in Open Enterprise Server.

Additional Information

Detailed steps involved:

A) For the CA server which has this eDirectory patch installed:
1) Apply eDirectory patch <patch_name> on the OES servers.
2) Restart the eDirectory service.
3) Manually delete the existing CA in the tree and create a new CA with SHA2 as the signing algorithm.
   Follow step #1 to step #9 as detailed in the "Detailed steps" section of TID 7016877.
4) Restart the eDirectory service.
   Run the command 'rcndsd restart' from the command line.
   This will recreate the eDirectory server certificates with the SHA2 algorithm, because the CA has now been recreated with the SHA2 signing algorithm.
5) Reboot the server.
Note 1: A server reboot is required so that any other patches that were applied on the server are also in effect after the restart.
Note 2: Multiple OES services consume eDirectory certificates, and these services need to be restarted to start using the newer eDirectory certificates.

B) For any other servers which have this eDirectory patch:
1) Apply the eDirectory patch.
2) Restart the eDirectory service.
   Run the command 'rcndsd restart' from the command line.
   This will recreate the eDirectory server certificates with the SHA2 algorithm, following the CA that was recreated using SHA2 in part A.
3) Reboot the server.
Note 1: A server reboot is required so that any other patches that were applied on the server are also in effect after the restart.
Note 2: Multiple OES services consume eDirectory certificates, and these services need to be restarted to start using the newer eDirectory certificates.

How to verify that the server certificates are using SHA2?

Run the following command against the LDAP server to verify that the certificate now being used is using the SHA-2 signature:
openssl s_client -connect 192.168.211.21:636 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"

When the output returned is 'Signature Algorithm: sha256WithRSAEncryption', the certificate carries an RSA signature over a SHA-256 (SHA-2) digest. The line appears twice in the output of 'openssl x509 -text' (once for the algorithm identifier inside the certificate body and once for the signature itself); both should show the same value.

The certificate file laid down on the filesystem can be verified with the following command:
"openssl x509 -in /etc/opt/novell/certs/SSCert.der -inform der -text -noout"
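The two checks above, wrapped into reusable functions as an added example (not part of the TID): one classifies a certificate file on disk (PEM, or DER such as the SSCert.der path mentioned above), one fetches the certificate from a TLS port the way the s_client command does. It assumes the openssl CLI is installed; the host, port and file paths are placeholders, and the test certificates are generated locally.

```shell
#!/bin/sh
# Added example, not from the TID: report whether a certificate is signed with
# an RSA signature over a SHA-2 digest. Assumes the openssl CLI is available.

# Print the signature algorithm name of a certificate file.
# $1 = certificate path, $2 = format (PEM or DER), default PEM.
cert_sig_alg() {
    fmt="${2:-PEM}"
    openssl x509 -in "$1" -inform "$fmt" -noout -text \
        | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# Return 0 when the algorithm name is an RSA signature over a SHA-2 digest,
# 1 for anything else (sha1WithRSAEncryption, ECDSA variants, unknown).
is_sha2_rsa() {
    case "$1" in
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the signature algorithm of the certificate served on a TLS port,
# e.g. server_sig_alg 192.168.211.21 636 (placeholder address; needs network).
server_sig_alg() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | grep 'Signature Algorithm' | head -n 1 | awk '{print $3}'
}

# Generate a throwaway self-signed certificate with the given digest
# (constructed test data only). $1 = output path, $2 = digest (sha256|sha512).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=sha2-check-example" -days 1 "-$2" >/dev/null 2>&1
}

# When a file is passed on the command line, classify it and report.
if [ -n "${1:-}" ]; then
    alg=$(cert_sig_alg "$1" "${2:-PEM}")
    if is_sha2_rsa "$alg"; then
        echo "$1: $alg (SHA-2 RSA signature, OK)"
    else
        echo "$1: $alg (not a SHA-2 RSA signature)"
    fi
fi
```

Run it as 'sh check.sh /etc/opt/novell/certs/SSCert.der DER' for the on-disk certificate, or call server_sig_alg for the LDAPS port.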

Please note: the rcndsd restart and the reboot of the server cannot be combined into one step due to timing issues (bug 956687).

Known Issues #1:
Servers running certificates signed using SHA-1 and SHA-2 co-exist well together.

During in-house testing of implementing SHA-2 signed certificates, we tested mixed NetWare 6.5 SP8 & OES2 SP3 servers running a SHA-1 signed server certificate in combination with OES11 SP2 & OES 2015 servers running a SHA-2 signed certificate, with the tree CA being SHA-2 signed.

When there are older OES servers (OES 11 SP1 or older) in a tree, it is recommended to delete the server certificates of those older servers and create new certificates with the SHA-2 signing algorithm, as was done for the CA.

Known Issues #2:
After installing this eDirectory patch and recreating the eDirectory certificates with SHA2 on a server that is running iFolder, the iFolder component will no longer work. Therefore, do not recreate certificates signed using SHA2 where iFolder functionality is required.

The root cause of this problem is limitations in the Mono code; engineering is currently investigating different options to resolve this issue.