Dear PTC Axeda Customer,

This message specifies Axeda and IDM Agent upgrade requirements and timelines for transitioning Axeda Enterprise Server, Global Access Server (GAS), Policy Server, and Questra TotalAccess Server from SHA-1 to SHA-2 signed SSL domain certificate deployments. These security certificates are used for agent-to-server communication and are changing from SHA-1 signatures to a stronger signature hash algorithm from the SHA-2 family, specifically SHA-256.

Adopting SHA-256 requires changes by both PTC Axeda and our customers. Customers whose agents are configured to validate certificates must upgrade the deployed agents to versions using OpenSSL 0.9.8L or later and must add the needed SHA-256 CA certificate chains to the agents' certificate containers in order to connect to servers using SHA-256 SSL domain certificates. Agents not configured to validate SSL certificates will connect to servers using either SHA-1 or SHA-256 certificates.

The majority of Axeda-hosted Enterprise Servers and all hosted GAS instances use SHA-1 certificates. Most GAS certificates will be upgraded to SHA-256 on June 1, 2016, as their SHA-1 certs near expiry. If agents are not at the required version with the required SHA-256 DigiCert certificate chains, they will not connect to servers that use SHA-256 signed certificates. Agents not upgraded by June 1, 2016 will still be able to connect to gas-bo6.axeda.com until January 1, 2017, at which time SHA-256 certs will be installed.

SHA-1 certificates on Enterprise Servers with *.axeda.com URLs will begin expiring as early as June 1, 2016. Customers using custom domain certificates are advised to identify cert expiration dates and to contact their CAs immediately to seek extensions if needed. Some CAs will no longer offer SHA-1 certs or extensions as early as June 12, 2015.
Agents configured to validate certificates must be updated before Enterprise SHA-1 certs expire to avoid loss of connectivity. To ensure stable, secure communications to your remote assets throughout this transition, be advised of the recommendations and transition timelines outlined in the sections below.

More on SHA-1 deprecation:

The transition from SHA-1 to SHA-2 comes in response to recent advances in cryptographic attacks on SHA-1, a cryptographic hash algorithm used by certificate authorities (CAs) to sign SSL domain certificates. These developments have led to industry-wide actions to deprecate SHA-1 in favor of the higher-strength algorithms from the SHA-2 family, for example SHA-256.

Google Online Security Blog: Gradually Sunsetting SHA-1
SHA1 Deprecation Policy - Windows PKI blog - TechNet Blogs
NIST Advisory Statement: http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf

More on SSL/TLS protocol and SSL certificates:

Transport Layer Security

Contents

1. Agent Version and Agent Certificate Container Actions
2. Server Product SHA-2 Transition
   Axeda Enterprise Server, Questra Server, Questra TotalAccess Server
   Axeda Policy Server
   Axeda Global Access Server

1. Agent Version and Agent Certificate Container Actions

The following table indicates recommended actions by agent version, depending on SHA-256 MAC support and the presence of SHA-256 CA certificate chains within the agent installation package. Details are provided in subsequent sections.

Table 1 - Recommended SHA-2 Readiness Actions For Axeda and IDM Agents

Agent Version                          TLS Software     Supports SHA-256 MAC   Agent Update Required   Certificate Chain Update Required
IDM Agent prior to 5.2                 -                -                      Check OpenSSL Version
IDM Agent 5.2 and later                OpenSSL 1.0.1g   Yes                    No
Axeda Agent Embedded (all versions)    -                No                     Check OpenSSL Version   Yes
Axeda Agent 4.0                        -                No                     Check OpenSSL Version   Yes
Axeda Agent 5.0                        OpenSSL 0.9.8k   No                     Yes                     Yes
Axeda Agent 5.1                        OpenSSL 0.9.8k   No                     Yes                     Yes
Axeda Agent 5.2                        OpenSSL 0.9.8k   No                     Yes                     Yes
Axeda Agent 5.3.4 prior to build 287   OpenSSL 0.9.8k   No                     Yes                     Yes
Axeda Agent 5.3.4 build 287 and later  OpenSSL 0.9.8r   Yes                    No                      Yes
Axeda Agent 6.1 prior to build 190     OpenSSL 0.9.8l   Yes                    No                      Yes
Axeda Agent 6.1 build 190 and later    OpenSSL 0.9.8r   Yes                    No                      Yes
Axeda Agent 6.5.x                      OpenSSL 0.9.8r   Yes                    No                      Yes
Axeda Agent 6.6                        OpenSSL 1.0.1e   Yes                    No                      Yes
Axeda Agent 6.6.3                      OpenSSL 1.0.1g   Yes                    No                      Yes
Axeda Agent 6.8                        OpenSSL 1.0.1g   Yes                    No                      Yes
Axeda Agent 6.8.1 build 958 and later  OpenSSL 1.0.1m   Yes                    No                      No

Agent Update Required

The agent's security component must be at least OpenSSL version 0.9.8L in order to validate SHA-256 signed certificates. Agent 5.3.4 build 287 is the earliest that meets this dependency. Earlier versions of the agent must be upgraded. Your agent's OpenSSL version can be determined using the OpenSSL version command as shown below.

    ~\Axeda\Gateway>openssl
    OpenSSL> version
    OpenSSL 1.0.1m-fips 19 Mar 2015

PTC Axeda recommends updating to the latest version of the Axeda and IDM Agent and the latest version of the Axeda Enterprise Server for long-term supportability and to take advantage of bug fixes and security patches. Agent 6.8.1 build 958 is the first agent version to include all SHA-256 CA certificate chains needed to validate CA signed *.axeda.com SSL domain certificates. Agent 6.8.1 build 958 or later provides out-of-the-box capability to validate either SHA-1 or SHA-256 certs, depending on which is presented by the server. Refer to the Axeda 6.8.x Connectivity Product support matrix for guidance on supported combinations of Axeda Agent and Enterprise Server versions.

Agent Update Not Required

Deployments using Axeda Agent 5.3.4 build 287 and later are capable of SHA-256 MAC and so do not need a version upgrade before SHA-256 certs are installed on the Enterprise Server, GAS or Policy Server.

CA Certificate Chain Update Required

In addition to SHA-256 MAC support, agents must have the right SHA-256 CA cert chains within the agent's cert container to validate SHA-256 CA signed certificates. A reference set of SHA-1 and SHA-2 certificate chains may be obtained from the Axeda Gateway Agent 6.8.1 installation packages available for download from either the Axeda FTP download site or the PTC customer portal. To obtain .pem-encoded SHA-2 certificate chains for custom domains, contact your Certificate Authority.
The openssl s_client command line tool may be used to confirm SHA-256 support and the presence of the SHA-256 cert chains required to validate certs on a particular SSL domain.

    ~\Axeda\Gateway> openssl s_client -connect pentest.axeda.com:443 -verify 3 -CAfile [~\Axeda\Gateway ]\SSLCACert.pem

Interpret the "Verify return code" line in the output as follows:

    Verify return code: 0 (ok)
        OpenSSL is SHA-256 compatible and correct cert chains are present.

    Verify return code: 7 (certificate signature failure)
        OpenSSL is not SHA-256 compatible.

    Verify return code: 27 (certificate not trusted)
        OpenSSL is SHA-256 compatible, but correct cert chains not present.
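An added readiness check (example code written for this notice, not part of the notice or of any Axeda product) that applies the two checks above offline: it compares an `openssl version` banner against the 0.9.8L minimum using the pre-1.1 letter patch scheme, and maps the s_client "Verify return code" line onto the three outcomes listed. The sample banner and s_client output in the block are constructed.

```python
import re
# Minimum OpenSSL release the notice names for validating SHA-256 signed certificates.
MIN_OPENSSL = (0, 9, 8, "l")

def parse_openssl_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 1.0.1m-fips 19 Mar 2015'
    into (major, minor, fix, patch_letter). Pre-1.1 releases used a trailing
    letter as the patch level, so tuple comparison gives 0.9.8k < 0.9.8l < 0.9.8r."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([A-Za-z]*)", banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter.lower())

def supports_sha256_validation(banner):
    """Table 1 'Supports SHA-256 MAC': true when OpenSSL is 0.9.8L or later."""
    return parse_openssl_version(banner) >= MIN_OPENSSL

# The three outcomes the notice lists for `openssl s_client -verify 3 -CAfile ...`.
VERIFY_DIAGNOSIS = {
    0: "OpenSSL is SHA-256 compatible and correct cert chains are present",
    7: "OpenSSL is not SHA-256 compatible",
    27: "OpenSSL is SHA-256 compatible, but correct cert chains not present",
}

def classify_s_client_output(output):
    """Find the 'Verify return code: N (text)' line and return (N, diagnosis)."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", output)
    if not m:
        raise ValueError("no 'Verify return code' line found")
    code = int(m.group(1))
    return code, VERIFY_DIAGNOSIS.get(code, "unexpected verify result: " + m.group(2))

def agent_readiness(version_banner, s_client_output):
    """Map the two checks onto the action columns of Table 1."""
    if not supports_sha256_validation(version_banner):
        return "Agent Update Required"
    code, _ = classify_s_client_output(s_client_output)
    if code == 27:
        return "Certificate Chain Update Required"
    if code == 0:
        return "No update required"
    return "Investigate verify return code %d" % code

if __name__ == "__main__":
    # Constructed sample inputs; not captured from a real agent or server.
    banner = "OpenSSL 1.0.1m-fips 19 Mar 2015"
    s_client = "CONNECTED(00000003)\n---\nVerify return code: 27 (certificate not trusted)\n---\n"
    print(parse_openssl_version(banner), agent_readiness(banner, s_client))
```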

CA Certificate Chain Update Not Required

Axeda Agent 6.8.1 and later include both SHA-1 and SHA-2 CA certificate chains for a reference set of trusted certificate authorities for the *.axeda.com SSL domain certificates used on Axeda Enterprise and Global Access Servers hosted by PTC Axeda.

2. Server Products SHA-2 Transition

GeoTrust, PTC Axeda's source of SHA-1 signed *.axeda.com domain certificates, and other certificate authorities have announced that SHA-1 signed certificates will not be offered after June 12, 2015. Before then, GeoTrust will extend SHA-1 certificate validity by up to an additional year. After June 12, 2015, expired SHA-1 certificates must be replaced with SHA-2 certificates. To provide PTC Axeda customers as much time as possible for transition planning, all SHA-1 *.axeda.com domain certs have been extended through at least June 1, 2016. Customers deploying custom domain certificates should immediately contact their certificate authorities to extend expiration dates within this window of availability.

To check the expiration date of your domain certificates, use your web browser to navigate to your Axeda Enterprise login page and view the certificate information. For example, Chrome users may click on the lock symbol next to the URL and then click 'certificate information' to view the certificate chain and domain certificate expiration date, as shown in the images below.

Figure 1: Use a web browser to determine certificate expiration date.

Axeda Enterprise Server, Questra Server, Questra TotalAccess Servers

Before installing SHA-256 certs on an Enterprise Server or TotalAccess Server, those agents configured to validate certificates must be at the required version and must have the correct SHA-256 CA certificate chains within the agent's certificate repository. Once the deployed agents meet these criteria, SHA-256 SSL domain certificates may be installed on your servers.

Axeda Policy Server

Once agent upgrade actions are completed on all assets within a given end-user network, the end user may replace expired SHA-1 CA signed certificates with SHA-256 certs, and the Axeda Agent will be ready to validate them. Policy Server installations using self-signed certs require no changes.

Axeda Global Access Server

Global Access Servers within PTC Axeda's hosted network use GeoTrust SHA-1 signed domain certificates. GAS SHA-1 certificates on existing hosts will be replaced by SHA-256 DigiCert signed certificates on the schedule described in Table 2. Most GAS hosts will receive SHA-256 certificates on June 1, 2016. To provide extended GAS support for non-updated agents beyond June 2016, the transition of gas-bo6.axeda.com will be delayed to January 1, 2017. To avoid failed connections between SHA-2 GAS instances and non-updated agents, customers may disable SHA-256 GAS on their Enterprise Servers. To enable agent and platform testing prior to June 1, 2016, new GAS 6.8 instances with SHA-256 certs will be deployed in August 2015 within the regions specified in Table 2.

Questions

Please address questions about SHA-1 retirement to PTC Axeda customer support via email at support@axeda.com or by phone at 866-462-9332.

Table 2 - GAS Network SHA-2 Transition Schedule

GAS Host                                                          SHA-2 Deployment Date
New GAS 6.8 Hosts: Australia, Germany, Hong Kong, Japan,          August 2015
  Western US, Eastern US, UK
gas-aus.axeda.com, gas-sj4.axeda.com*, ghuk1.axeda.com,           June 1, 2016
  ghsj1.axeda.com, ghjap1.axeda.com, ghjap2.axeda.com,
  gas-hk3.axeda.com*, ghbos1-1.axeda.com, ghsom1.axeda.com,
  gas-bo3.axeda.com, gas-bo4.axeda.com*, gas-bo5.axeda.com*,
  gas-de1.axeda.com*, gas-de3.axeda.com
gas-bo6.axeda.com, gas-de2.axeda.com*                             January 1, 2017

* Restricted Access Hosts