Updated Cryptographic Modules in Host Access Management and Security Server

  • 7021635
  • 28-Mar-2017
  • 02-Mar-2018

Environment

Host Access Management and Security Server version 12.4 Update 1 or higher

Situation

Beginning in version 12.4 Update 1 (12.4.1), Host Access Management and Security Server uses the Bouncy Castle provider for keystore operations. This technical note describes the changes.

In this note:

Why were the cryptographic modules changed?
What changed in Management and Security Server?
What do I need to do?

Resolution

Why were the cryptographic modules changed?

Management and Security Server uses both internal and third-party FIPS-certified cryptographic libraries to perform various keystore and TLS operations.

In anticipation of the RSA BSAFE cryptography library reaching End of Primary Support (EOPS) in January 2017, Management and Security Server was re-configured to use the Bouncy Castle provider for keystore operations.

We also want to allow all customers to more easily use TLS 1.2 without requiring PKI Manager. The cryptographic changes support that ability.

What changed in Management and Security Server?

Here is an overview of what changed.

File extensions

Beginning in version 12.4 Update 1 (12.4.1), Management and Security Server generates keystores with the .bcfks (Bouncy Castle FIPS keystore) extension. The BCFKS store type was developed by Bouncy Castle to be FIPS-compliant. MSS can still import PKCS#12 keystores, including files with these extensions:

  • .p12 files, processed by the RSA BSAFE JCE provider (JsafeJCE)
  • .pfx files, maintained by the Baltimore/ASCJ provider (ASCJ)
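The keystore change is visible to anyone who handles MSS keystores outside the product, for example when moving a legacy PKCS#12 store into the BCFKS format that 12.4.1 and later generate. The following is an added example, not code from Management and Security Server or from Bouncy Castle; it shows how the standard Java KeyStore API reads a PKCS#12 file through the JDK provider and writes its entries into a BCFKS store through the Bouncy Castle FIPS provider. It assumes the bc-fips jar is on the classpath; the class name, the file names legacy-server.p12 and server.bcfks, and the fallback password are placeholders.

```java
// Added example (not Management and Security Server code): copy the entries of a
// legacy PKCS#12 keystore into a BCFKS keystore via the Bouncy Castle FIPS provider.
// Assumptions: bc-fips is on the classpath; file names and passwords are placeholders.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class Pkcs12ToBcfks {

    /** Register the FIPS provider once and require approved algorithms on this thread. */
    static void installFipsProvider() {
        if (Security.getProvider("BCFIPS") == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
        // Approved-only mode is thread-local in bc-fips: a non-approved operation on this
        // thread fails with FipsUnapprovedOperationError instead of silently succeeding.
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
    }

    /** Load a keystore of the given type; PKCS12 comes from the JDK, BCFKS from BCFIPS. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = "BCFKS".equals(type)
                ? KeyStore.getInstance("BCFKS", "BCFIPS")
                : KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Copy every private-key and trusted-certificate entry from src into a new BCFKS store. */
    static KeyStore toBcfks(KeyStore src, char[] keyPassword) throws Exception {
        KeyStore dest = KeyStore.getInstance("BCFKS", "BCFIPS");
        dest.load(null, null); // initialise an empty in-memory store
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, keyPassword);
                Certificate[] chain = src.getCertificateChain(alias);
                dest.setKeyEntry(alias, key, keyPassword, chain);
            } else if (src.isCertificateEntry(alias)) {
                dest.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        return dest;
    }

    public static void main(String[] args) throws Exception {
        installFipsProvider();
        char[] password = System.console() != null
                ? System.console().readPassword("Keystore password: ")
                : "changeit".toCharArray(); // placeholder for non-interactive runs
        KeyStore p12 = load("legacy-server.p12", "PKCS12", password);  // assumed file name
        KeyStore bcfks = toBcfks(p12, password);
        try (OutputStream out = new FileOutputStream("server.bcfks")) { // assumed file name
            bcfks.store(out, password);
        }
        // Read the result back through the FIPS provider to confirm it parses as BCFKS.
        KeyStore check = load("server.bcfks", "BCFKS", password);
        System.out.println("BCFKS entries written: " + check.size());
    }
}
```

The PKCS#12 side is deliberately read with the JDK's own provider, because a legacy .p12 or .pfx may be protected with algorithms the FIPS provider will not accept in approved-only mode; only the destination store is required to be FIPS-compliant. Use the same password for the store and for the key entries, as the JDK PKCS12 implementation expects.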

Certificate Signing Request

The Administrative WebStation no longer provides the capability to generate a Certificate Signing Request (CSR). Instead, generate the CSR with the HTTPS Certificate Utility and submit it to the CA yourself. See Generating a Certificate Signing Request (CSR), below.

Security Proxy Server

An upgrade of the Security Proxy Server to version 12.4 Update 1 (12.4.1) may automatically select a certificate for use with the existing ciphers defined for a port.

Note: The ciphers previously configured for a given port will still be configured. Only the certificate will be auto-selected and associated with that port.

What do I need to do?

If either of these situations applies to you, follow the steps below. If not, no further action is required.

Using the Security Proxy Server

When you upgrade from Management and Security Server 12.4 to a later version, including an update, you need to synchronize the Security Proxy as follows:

  1. Open the Security Proxy Wizard.
  2. On the Proxies tab, review the cipher suites and the auto-selected certificates for each security proxy server port.
  3. Click Save and then Export.

This action synchronizes the Security Proxy with the MSS administrative server.

Generating a Certificate Signing Request (CSR)

To request a signed TLS/SSL certificate from a Certificate Authority (CA), use the HTTPS Certificate Utility, which is installed with Management and Security Server:

On the "Select a certificate action" screen, select Generate a new private key and Certificate Signing Request and proceed through the screens. Click Help for assistance.

After you receive the CA-signed certificate, return to this utility to import the certificate together with the private key that was generated by the utility.

For more details, see the product Help: in the Administrative WebStation, click Security Setup > Certificates tab. On the Help page, scroll to and click How to Generate a Certificate Signing Request (CSR).

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2900.