More on SHA-1 deprecation:

Transcription

1 Dear PTC Axeda Customer, This message specifies Axeda and IDM Agent upgrade requirements and timelines for transitioning Axeda Enterprise Server, Global Access Server (GAS), Policy Server, and Questra TotalAccess Server from SHA-1 to SHA-2 signed SSL domain certificate deployments. These security certificates are used for agent-to-server communication and are changing from SHA-1 encryption to a stronger encryption algorithm from the SHA-2 family, specifically the SHA-256 algorithm. Adopting SHA-256 requires changes by both PTC Axeda and our customers. Those agents that are configured to validate certificates must upgrade deployed agents to versions using OpenSSL 0.9.8L or later and must add the needed SHA-256 CA certificate chains to their agents certificate containers to successfully connect to servers using SHA-256 SSL domain certificates. Agents not configured to validate SSL certificates will successfully connect to servers using either SHA-1 or SHA-256 certificates. The majority of Axeda-hosted Enterprise Servers and all hosted GAS instances use SHA-1 certificates. Most GAS certificates will be upgraded to SHA-256 on June 1, 2016, as their SHA-1 certs near expiry. If agents are not at the required version with required SHA-256 DigiCert certificate chains, then they will not successfully connect to servers that use SHA-256 signed certificates. Agents not upgraded by June 1, 2016 will still be able to connect to gasbo6.axeda.com until January 1, 2017 at which time SHA-256 certs will be installed. SHA-1 certificates on Enterprise Servers with *.axeda.com URLs will begin expiring as early as June 1, Customers using custom domain certificates are advised to identify cert expiration dates and to contact their CA s immediately to seek extensions if needed. Some CA s will no longer offer SHA-1 certs or extensions as early as June 12, Agents configured to validate certificates must be updated before Enterprise SHA-1 certs expire to avoid loss of connectivity. To ensure stable, secure communications to your remote assets throughout this transition be advised of the recommendations and transition timelines outlined in the sections below. More on SHA-1 deprecation: The transition from SHA-1 to SHA-2 comes in response to recent advances in cryptographic attacks on SHA-1, a cryptographic hash algorithm used by certificate authorities (CAs) to sign SSL domain certificates. These developments have led to industry-wide actions to deprecate SHA-1 in favor of the higher-strength algorithms from the SHA-2 family, for example SHA-256. Google Online Security Blog: Gradually Sun-setting SHA-1 SHA1 Deprecation Policy - Windows PKI blog - Site Home - TechNet Blogs NIST Advisory Statement : More on SSL/TLS protocol and SSL certificates: Transport Layer Security.

2 1. Agent Version and Agent Certificate Container Actions 2. Server Product SHA-2 Transition Axeda Enterprise Server, Questra Server, Questra TotalAccess Server Axeda Policy Server Axeda Global Access Server 1. Agent Version and Agent Certificate Container Actions The following table indicates recommended actions by agent version, depending on SHA-256 MAC support and presence of SHA-256 CA certificate chains within the agent installation package. Details are provided in subsequent sections. Table 1 - Recommended SHA-2 Readiness Actions For Axeda and IDM Agents Agent Version TLS Software Supports SHA-256 MAC IDM Agent prior to Agent Update Required Check OpenSSL Version IDM Agent 5.2 and later OpenSSL 1.0.1g Yes No Axeda Agent Embedded (all versions) Axeda Agent 4.0 Axeda Agent 5.0 Axeda Agent 5.1 Axeda Agent 5.2 Axeda Agent prior to build 287 Axeda Agent build 287 and later Axeda Agent 6.1 prior to build 190 Axeda Agent 6.1 build 190 and later Axeda Agent 6.5.x Axeda Agent 6.6 Axeda Agent Axeda Agent 6.8 Axeda Agent build 958 and later - - OpenSSL 0.9.8k OpenSSL 0.9.8r OpenSSL 0.9.8l OpenSSL 0.9.8r OpenSSL 0.9.8r OpenSSL 1.0.1e OpenSSL 1.0.1g OpenSSL 1.0.1g OpenSSL 1.0.1m No Yes Check OpenSSL Version Yes No Certificate Chain Update Required Yes No

3 Agent Update Required The agent s security component must be at least OpenSSL version 0.9.8L in order to successfully validate SHA-256 signed certificates. Agent build 287 is the earliest that meets this dependency. Earlier versions of the agent must be upgraded. Your agent s OpenSSL version can be determined using the OpenSSL version command as shown below. ~\Axeda\Gateway>openssl OpenSSL> version OpenSSL 1.0.1m-fips 19 Mar 2015 PTC Axeda recommends updating to the latest version of the Axeda and IDM Agent and the latest version of the Axeda Enterprise Server for long-term supportability and to take advantage of bug fixes and security patches. Agent build 958 is the first agent version to include all SHA-256 CA certificate chains needed to validate CA signed *.axeda.com SSL domain certificates. Agent build 958 or later versions provide out-of-the box capability to validate either SHA-1 or SHA-256 certs depending on which is presented by the server. Refer to the Axeda 6.8.x Connectivity Product support matrix for guidance on supported combinations of Axeda Agent and Enterprise Server version. Agent Update Not Required Deployments using Axeda Agent build 287 and later are capable of SHA-256 MAC and so do not need version upgrade before installing of SHA-256 certs on Enterprise Server, GAS or Policy Server. CA Certificate Chain Update Required In addition to SHA-256 MAC support, agents must have the right SHA-256 CA cert chains within the agent s cert container to successfully validate SHA-256 CA signed certificates. A reference set of SHA-1 and SHA-2 certificate chains may be obtained from the Axeda Gateway Agent installation packages available for download from either the Axeda FTP download site or PTC customer portal. To obtain.pem-encoded SHA-2 certificate chains for custom domains, contact your Certificate Authority. The openssl s_client command line tool may be used to confirm SHA-256 support and presence of SHA-256 cert chains as required to validate certs on a particular SSL domain. ~\Axeda\Gateway> openssl s_client -connect pentest.axeda.com:443 -verify 3 -CAfile [~\Axeda\Gateway ]\SSLCACert.pem --- Verify return code: 0 (ok) --- OpenSSL is SHA-256 compatible and correct cert chains are present. --- Verify return code: 7 (certificate signature failure) --- OpenSSL is not SHA-256 compatible. --- Verify return code: 27 (certificate not trusted) --- OpenSSL is SHA-256 compatible, but correct cert chains not present.

4 CA Certificate Chain Update Not Required Axeda Agent and later include both SHA-1 and SHA-2 CA certificate chains for a reference set of trusted certificate authorities for *.axeda.com SSL domain certificates used on Axeda Enterprise and Global Access Servers hosted by PTC Axeda. 2. Server Products SHA-2 Transition GeoTrust, PTC Axeda's source of SHA-1 signed *.axeda.com domain certificates, and other certificate authorities have announced that SHA-1 signed certificates will not be offered after June 12, Before then, GeoTrust will extend SHA-1 certificate validity up to an additional year. After June 12, 2015, expired SHA-1 certificates must be replaced with SHA-2 certificates. To provide PTC Axeda customers as much time as possible for transition planning, all SHA-1 *.axeda.com domain certs have been extended through at least June 1, Customers deploying custom domain certificates should immediately contact their certificate authorities to extend expiration dates within this window of availability. To check the expiration date of your domain certificates, use your web browser to navigate to your Axeda Enterprise login page to check certificate information. For example, Chrome users may click on the lock symbol next to the URL and then click 'certificate information' to view the certificate chain and domain certificate expiration date as shown in the images below. Figure 1 Use a web browser to determine certificate expiration date.

5 Axeda Enterprise Server, Questra Server, Questra TotalAccess Servers Before installing SHA-256 certs on an Enterprise Server or TotalAccess Server, those agents configured to validate certificates must be at the required version and must have the correct SHA-256 CA certificate chains within the agent's certificate repository. Once the deployed agents meet these criteria, SHA-256 SSL domain certificates may be installed on your servers. Axeda Policy Server Once agent upgrade actions are completed on all assets within a given end-user network, the end user may replace expired SHA-1 CA signed certificates with SHA-256 certs and the Axeda Agent will be ready to validate them. Policy Server installations using self-signed certs require no changes. Axeda Global Access Server Global Access Servers within PTC Axeda's hosted network use GeoTrust SHA-1 signed domain certificates. GAS SHA-1 certificates on existing hosts will be replaced by SHA-256 DigiCert signed certificates on the schedule described in Table 2. Most GAS hosts will receive SHA-256 certificates on June 1, To provide extended GAS support for nonupdated beyond June 2016, transition of gas-bo6.axeda.com will be delayed to January 1, To avoid failed connections between SHA-2 GAS instances and non-updated agents, customers may disable SHA-256 GAS on their Enterprise Servers. To enable agent and platform testing prior to June 1, 2016, new GAS 6.8 instances with SHA- 256 certs will be deployed in August 2015 within regions as specified in Table 2. Questions Please address questions about SHA-1 retirement to PTC Axeda customer support via at support@axeda.com or by phone at

6 Table 2 - GAS Network SHA-2 Transition Schedule GAS Host New GAS 6.8 Hosts: Australia Germany Hong Kong Japan Western US Eastern US UK gas-aus.axeda.com gas-sj4.axeda.com* ghuk1.axeda.com ghsj1.axeda.com ghjap1.axeda.com ghjap2.axeda.com gas-hk3.axeda.com* ghbos1-1.axeda.com ghsom1.axeda.com gas-bo3.axeda.com gas-bo4.axeda.com* gas-bo5.axeda.com* gas-de1.axeda.com* gas-de3.axeda.com gas-bo6.axeda.com gas-de2.axeda.com* * Restricted Access Hosts SHA-2 Deployment Date August 2015 June 1, 2016 January 1, 2017