on 06-21-2016 5:01 PM
What are folks doing to move from SHA-1 to SHA-2?
It looks like the IE browser will error with sha-1 certs next year and Chrome will give a warning message.
Higher-ups are asking about the need to move to sha-2 (sha256).
We have implemented NWSSO-2 with the SAP Logon client and Secure Login Server for SAPGUI, Java and ABAP WAS. We're creating our own certs, no CAs.
I can see the local and server certs are all sha-1, except the MS cert (sha256) that is on the client side used with the ADS server.
I'm not seeing any docs on how to generate the sha256 certificate; is this supported by NWSSO-2?
2.04 is where this option appears. We upgraded to 2.06 and it works fine: we can specify SHA-256 on the server and see the new SHA-256 certs being accepted on the client.
Follow-up question: do we need to update the back-end server certs that are signed sha-1?
We can SSO into ABAP and WAS, Java...with the back-ends still using sha-1 now. I'm a bit concerned that the Java and WAS with IE will be an issue in the future.
Hi Chris,
The encryption hash used in SHA-2 is significantly stronger and not subject to the same vulnerabilities as SHA-1.
All certificates that will be used to secure browser-based communications need to be replaced. Certificates used for other types of applications should be reviewed on a case-by-case basis.
The SCN Blog post below will help you better understand how to update the certificates in the AS ABAP system and which PSEs currently support the usage of SHA-2 algorithm:
Cheers,
Filipe Santos
This is a good blog for ABAP and the WAS back-ends. But I can't find details for Java.
I looked in Java configuration --> SSL --> Trusted CAs and see the Root cert from the Secure Login Server. So a simple import of the SHA-256 cert should do the trick?
The question is how do I get the Root from SLS sha256 cert for the Java server? I don't see where SLS can change the root to sha256. It shows as sha-1.
Do we use the certs that we change on the ABAP server, download and upload to Java?
Also, what do we do with the Root cert on the Secure Login Server that's SHA-1? Do we need another with SHA-2 if we're not doing SSO to this server...guess that would answer previous question if yes?
Thanks Marcus: Unfortunately, this will break our SSO to the backend systems; right?
What's the necessity of changing the root CA to sha256 if it never is transmitted over the network?
For that matter, why would the back-end certs need to be changed to sha256 if only the client cert (which is sha256) is being transmitted over the network?
Thanks Marcus.
We also noticed a few things with the back-ends.
The process recommended to recreate the backend cert with SHA-256 did NOT work for us (it kept the SHA-1 signature); we're guessing because we originally created them using Secude.
The browser when connecting to the WAS/Portals checks your client cert (sha256 now) as well as the backend cert.
For the WAS(icm), Chrome issues a warning on SHA-1 and the 2017 expiration date; interestingly, IE gives no warnings or errors.
We created a sub cert to the sha-1 ca on SLS server as type SSL Server and specified sha256 and imported into ABAP SSL- this worked fine: resolved the chrome warnings.
For the portal we have the same warnings with chrome, but it looks like the backend cert has to be a root ca. It appears the Portal just creates a trust: nwa-->configuration-->ssl-->Trusted CA's is where we see the sha-1 CA from the SLS server. So it looks like we need to replace the root ca (to sha256) on SLS just for the Portal?
My understanding is that replacing the SLS root CA (creating it with SHA-256) will break everything unless we give it the same name as the previous SHA-1 one, but we can't do that until everyone is off this SHA-1 root CA. Is this correct?
What's the recommended plan to migrate the DEV/QAS and then PRD systems to sha256 if all these systems use the same SLS? Is there an approach besides a big bang?
Sorry- lots of questions, hope someone can guide us. We do have a ticket in with support as well as we are looking for some guidance.
Thanks,
Chris
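An added example, not from the thread and not SAP's or the Secure Login Server's own tooling: a throwaway private CA built with plain openssl (the subject names, validity periods and scratch directory are assumptions) that shows the mechanics behind the observation in the post above. A certificate's signature algorithm is chosen by the issuer at signing time, so a root CA whose own certificate is self-signed with SHA-1 can still issue SHA-256-signed SSL server certificates, and the self-signature on the trust anchor is not checked during chain validation. The `sig_alg` function is the audit check to run over exported certificates before deciding which ones still need replacing.

```shell
#!/bin/sh
# Added example (not from the thread or from SAP): a throwaway private CA
# built with openssl. Subject names, validity and the scratch directory are
# assumptions made for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption: writable tmp)

# 1. Self-signed root whose own signature is SHA-1, like the legacy SLS root
#    described in the thread.
make_sha1_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 3650 \
        -subj "/CN=Example Legacy Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# 2. An SSL server certificate issued under that SHA-1 root but signed with
#    SHA-256: the digest is selected here, at signing time, by the issuer.
issue_sha256_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=portal.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# Report the signature algorithm recorded in a certificate, for example
# "sha256WithRSAEncryption". Run this over every exported certificate to
# find the ones still signed with SHA-1.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# 3. Path validation: the leaf's SHA-256 signature is verified with the
#    root's public key. The SHA-1 self-signature on the trust anchor itself
#    is not part of the check (openssl only tests it with -check_ss_sig).
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
    make_sha1_root
    issue_sha256_server_cert
    echo "root:   $(sig_alg "$WORK/root.crt")"
    echo "server: $(sig_alg "$WORK/server.crt")"
    verify_chain && echo "chain verifies"
}

main
```

Running it prints `sha1WithRSAEncryption` for the root and `sha256WithRSAEncryption` for the server certificate, and the chain verifies. This is the same effect the post reports for the sub cert created on SLS with SHA-256 under the SHA-1 CA; which SAP PSEs and which SLS release honour the chosen algorithm is a separate question covered by the SAP documentation referenced in the thread, not by this script.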
Hi Chris, I think your detailed question was answered by Filipe.
But I would like to discuss how far deprecation of SHA1 by MS, Google and others will go.
From what I read, the deprecation will only hit certificates of CAs that are rolled out by Microsoft. So this would not hit self-signed certificates and certificates of private CAs. But I don't feel sure about this. I cannot find anybody currently who feels sure about this. What do you think?
Regards,
Lutz
Hey Lutz:
This is the response we got back from Microsoft on May 12 of this year:
https://gallery.technet.microsoft.com/Migrating-SHA-1-to-SHA-2-82ee3a4e
Hi Chris,
Secure Login Server supports the creation of SHA-2 certificates.
You should see a drop down list in User Certificate Configuration > User Certificate Properties > Signature Algorithm, providing SHA-1 and several SHA-2 with RSA.
Refer to the Thread below:
Secure Login Server and SHA256-based certificates | SCN
Cheers,
Filipe Santos