Posted: 23 Nov 2015 16:17 EST Last activity: 25 Nov 2015 5:33 EST
Sha-1 to Sha-2 Certificate Migration
We currently are using SHA-1 SSL Certificates on the websphere and IHS servers where our Pega applications reside on. Currently we have multiple versions of PRPC in our environment 5.5 , 6.1 and 6.2. Since the Sha-1 will be retired at end of next year we are trying to determine if there are any know issues or incompatibilites with PRPC and Sha-2 SSL certs if they are deployed. I am sure that this issue is being discussed and would like to know whether we can deploy Sha-2 with out issue or are there setps that need to be taken before dploying any Sha-2 certs. Any information would be greatly appreciated.
Thank you very much for the quick response. Our inquiry is based on the fact the Sha-1 ssl certs will not be available after Dec.31, 2016 and Sha-1 SSL can not be purchased after Dec.31, 2015. So we are trying to identify whether there are any known issues, or any other clients have reported issues after moving to Sha-2 SSL certs and Pega PRPC applications in various versions 5.5 , 6.1, 6.2. This is an industry change that will affect all applications that use SSL. so we are trying to get a head and see if Pega has heard anything related to the mandatory conversion. Thanks for you time and help.
Yes we referring to the SSL Cert that reside on the websphere 7.0 IHS servers and also any client side certs that may be configured for a specific application be it in PRPC 5.5, 6.1, or 6.2. I guess the basic questions is does PRPC code have issues with Sha-2 algorithem? Has Pega done any type of testing along those lines. I would assume that must be some type of testing being done at PEGA to determine how the core components work on different platforms.
Posted: 5 years ago
Updated: 5 years ago
Posted: 24 Nov 2015 13:24 EST Updated: 24 Nov 2015 13:26 EST
So I am pretty sure that PRPC isn't even aware of the keypairs/certs used to facilitate SSL connections from a Browser->App/Web Servers: the Container should take care of all that.
When you talk about Client Certificates : do you mean Certificates installed in user's browsers that the App Server uses to Authenticate incoming connections ? If so : I would say the same applies - the Container itself should take care of those.
However: if there are also any 'internal' use of Certificates within the PRPC application itself (so PRPC has 'keystore' rules that can hold Certs/Keys for instance - used by things the SAML implementation) - then in my understanding - it's still a matter of defering this to a combination of the underlying JVM and Third Party libraries.
I quickly checked the release notes for Java: it looks like support for SHA-2 has been in there for a while : since 1.4.2 by the look of it:**
Support for the SHA-256, SHA-384, and SHA-512 hash algorithms was added to the Sun provider. For details see the cryptography architecture reference guide.
I doubt very much that you are running a JVM version older than 1.4.2; so the implementation of the SHA-2 algorithms should all be available at the JVM-level for both the App Server and any other Java Programs (such as PRPC).
I can't answer your questions regarding any testing that Pega may have done around this though: maybe somebody else can chip in here ?
**Actually: this is referring to the Sun JVM only of course; but I would have to hope other JVM Vendors provided similar-spec'd implementations as well (although I haven't checked): or they make use of other Security Jar Providers. (BouncyCastle etc).
Do you have any inbound service calls to your PRPC system ? It depends on the java version the other system uses. We recently upgrade from sha-1 to sha-2 certificates. There are no issues on PRPC system but we had an issue with a spring batch that calls our PRPC using a web service which is throwing ssl exception after the upgrade. The batch is using java6 version. Older java 6 versions don't have the root certificate for the sha-2 certificates. All we did is import the root certificate to java store or this can be fixed with latest java versions as well.
This scenario might not be applicable to you, just sharing my thoughts.
Thanks for the reply, greatly appreciated. You mentioned inbound service calls, can you provide an example of such a call? When you upgraded was the upgrade on Websphere IHS or another platform? I know we make soap service calls through webservices, was your issue with java and the root certificate at the webservice level?
my PRPC is on apache/tomcat where certificates are upgraded from sha-1 to sha-2. We have a spring-batch which makes a web service call to the PRPC. After the sha-2 certs are installed on PRPC server, batch service failed throwing SSLHandShakeException.. reason being that the old versions of java say java 6 (which my service is pointed to) in my case does not have the root certificate for sha-2. So we have explicitly imported the root certificate which resolved the issue. I think the latest versions of java comes with the sha-2 certificate within key store.
Pavan : you reminded me of something else which might be worth noting.
The JVM configuration file: "jre\lib\security\java.security" for later JVMs (I'm looking at a V7 version here) may explicitly disable older (deemed insecure) algorithms with a setting like this for instance:
So be careful if you end up with a mix of older and newer Certificates - and you upgrade a JVM to get newer CAs etc - you might find that the older Certs may start to get rejected, which may or may not be what you want.
Again: this is all outside of PRPC - but I just thought I would mention it in case.