SHA2 certificates should not be overwritten after running the OMi Configuration Wizard with old SHA1

There is a CORRECT procedure for doing this migration:

https://softwaresupport.softwaregrp.com/doc/KM03187187

OBM Certificate Migration, SHA-1 to SHA-2/SHA-3


In order to migrate OMi certificates from SHA1 to SHA2, you need to follow the steps below provided by CPE:

· Enable smart card authentication using config-server-wizard (if you are not using smart card authentication).
· Check that everything is working fine.
· Follow the steps below to migrate SHA1-signed certificates to SHA2-signed certificates:


1. Create a new SHA2-signed CA certificate on OMi
· Move to a stronger RSA key size on the OMi server as well as on managed nodes by setting ASYMMETRIC_KEY_LENGTH under the sec.cm namespace:
# ovconfchg -ns sec.cm -set ASYMMETRIC_KEY_LENGTH 4096
· Set HASH_ALGO under the sec.core namespace to the desired and supported hash algorithm on the OMi server:
# ovconfchg -ns sec.core -set HASH_ALGO eSHA512
(Is it eSHA512 or SHA512?)
· A tool called MigrateAsymKey is shipped with OvSecCs 11.10.035 that takes two parameters, "-createCAcert" and "-createNodecert". (Where can I find this tool?)
· Run the MigrateAsymKey tool with the "-createCAcert" option; this creates a new CA certificate with a 3072-bit RSA key, signed using the configured hash algorithm:
# /opt/OV/lbin/seccs/install/MigrateAsymKey.sh -createCAcert


2. Update trusted certificates on all OMi agents
· Update trusted certificates using the "ovcert -updatetrusted" command:
# ovcert -updatetrusted


3. Issue a new server node certificate on OMi
· Create a new node certificate for the local agent and other keystores using the MigrateAsymKey tool with the "-createNodecert" option:
# /opt/OV/lbin/seccs/install/MigrateAsymKey.sh -createNodecert


4. Migrate all OMi agents to new certificates and redeploy all policies afterwards (per node). (Why is policy redeployment required?)
· To have the nodes with only SHA512 certificates, follow the steps below:
· Remove all existing certificates on the node using the "ovcert -remove" command.
· Ensure HASH_ALGO and ASYMMETRIC_KEY_LENGTH are the same as on the OMi server:
# ovconfchg -ns sec.core -set HASH_ALGO eSHA512
# ovconfchg -ns sec.cm -set ASYMMETRIC_KEY_LENGTH 4096
· Request a new certificate using the "ovcert -certreq" command and grant it from the OMi server:
# ovcert -certreq
· Grant the certificate request from the OMi server.
After the nodes have new certificates, the OMi setup will not be fully operational until all the policies have been redeployed. (What would happen if I forget to redeploy policies on the nodes?)
Redeployment is required to override the policies with the new certificates.


5. After all the agents are migrated, remove the old CA certificate from the server trust stores and run "ovcert -updatetrusted" on all agents.

However, in case you run the Configuration Wizard, the changes will be overwritten:
Note: Please don't run config-server-wizard after migrating from SHA1 to SHA2. This will override the new SHA2 certificates with the old SHA1 certificates, and that is where services setup takes more time.
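The node-side part of the procedure (step 4, plus the trust refresh from step 5) as an added shell example. This is not code from the post or from the Micro Focus KB article; it wraps the ovconfchg/ovcert commands the post lists and adds the two checks a practitioner wants before and after: that HASH_ALGO and ASYMMETRIC_KEY_LENGTH on the agent already match the server values before "ovcert -certreq" is issued (otherwise the new certificate is requested with the old parameters), and that the trusted CA certificate on the node is no longer SHA-1 signed once the request has been granted. Assumptions are marked in the comments: the paths under OV_BIN, the KEY=VALUE shape of "ovconfget" output, the boxed layout of "ovcert -list" that cert_aliases parses, that "ovcert -exporttrusted" writes PEM that openssl can read, and that the grant on the server is done by an operator with "ovcm -grant". DRY_RUN defaults to 1 so the commands are printed rather than executed.

```shell
#!/usr/bin/env bash
# Added example for the node side of the SHA1 -> SHA2 migration. Not from the
# post or the Micro Focus KB. Assumed: tool paths under $OV_BIN, KEY=VALUE output
# from ovconfget, the `ovcert -list` layout parsed below, PEM output from
# `ovcert -exporttrusted`, and an operator granting the request with `ovcm -grant`.
set -eu

OV_BIN=${OV_BIN:-/opt/OV/bin}
EXPECTED_HASH=${EXPECTED_HASH:-eSHA512}     # value set on the OMi server (sec.core)
EXPECTED_KEYLEN=${EXPECTED_KEYLEN:-4096}    # value set on the OMi server (sec.cm)
DRY_RUN=${DRY_RUN:-1}                       # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi; }

# Print the value of KEY from KEY=VALUE text (the shape `ovconfget -ns <ns>` prints);
# exit 1 if the key is absent.
conf_value() { # $1 = config text, $2 = key
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; f = 1 } END { exit !f }'
}

# Return 0 when the agent's sec.core/sec.cm settings equal the server's, 1 otherwise.
settings_match() { # $1 = sec.core text, $2 = sec.cm text
    local h l
    h=$(conf_value "$1" HASH_ALGO) || return 1
    l=$(conf_value "$2" ASYMMETRIC_KEY_LENGTH) || return 1
    [ "$h" = "$EXPECTED_HASH" ] && [ "$l" = "$EXPECTED_KEYLEN" ]
}

# Print the node certificate aliases from `ovcert -list` output. Assumed layout: a
# "Certificates:" block inside a box of '|' and '+' characters, one indented alias
# per line, ending where the "Trusted Certificates:" block begins.
cert_aliases() { # $1 = ovcert -list text
    printf '%s\n' "$1" | awk '
        /^[|] *Certificates:/         { in_certs = 1; next }
        /^[|] *Trusted Certificates:/ { in_certs = 0 }
        in_certs && /^[|] +[A-Za-z0-9_-]+/ { print $2 }'
}

# Return 0 when an `openssl x509 -noout -text` dump shows a SHA-2 family signature.
sig_is_sha2() { # $1 = openssl text output
    printf '%s\n' "$1" | grep -Eqi 'Signature Algorithm: *(sha256|sha384|sha512)'
}

migrate_node() {
    local core cm alias
    core=$("$OV_BIN/ovconfget" -ns sec.core)
    cm=$("$OV_BIN/ovconfget" -ns sec.cm)
    if ! settings_match "$core" "$cm"; then
        # Align with the server first; a request sent before this is signed with the old parameters.
        run "$OV_BIN/ovconfchg" -ns sec.core -set HASH_ALGO "$EXPECTED_HASH"
        run "$OV_BIN/ovconfchg" -ns sec.cm -set ASYMMETRIC_KEY_LENGTH "$EXPECTED_KEYLEN"
    fi
    # Drop the SHA-1 node certificate(s) so only the newly issued one remains.
    for alias in $(cert_aliases "$("$OV_BIN/ovcert" -list)"); do
        run "$OV_BIN/ovcert" -remove "$alias"
    done
    run "$OV_BIN/ovcert" -certreq
    echo "Grant the pending request on the OMi server (ovcm -grant <request-id>), then run: $0 verify"
}

verify_node() {
    local tmp="${TMPDIR:-/tmp}/omi-trusted.$$.pem"
    "$OV_BIN/ovcert" -check
    # Export the trusted CA certificate and confirm it is not SHA-1 signed (assumes PEM output).
    "$OV_BIN/ovcert" -exporttrusted -file "$tmp"
    if ! sig_is_sha2 "$(openssl x509 -noout -text -in "$tmp")"; then
        echo "trusted CA certificate is still SHA-1 signed" >&2
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    # Step 5 of the procedure: pick up the server trust store once the old CA was removed there.
    run "$OV_BIN/ovcert" -updatetrusted
}

case "${1:-}" in
    migrate) migrate_node ;;
    verify)  verify_node ;;
esac
```

Usage: "DRY_RUN=1 ./migrate-node.sh migrate" on the agent to see what would be run, "DRY_RUN=0 ./migrate-node.sh migrate" to do it, then grant the request on the server and run "./migrate-node.sh verify". Policy redeployment after the new certificate is granted is still a server-side step and is not covered here.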


7 Comments

Micro Focus Expert: Status changed to: Waiting for Votes

sanitin (Frequent Contributor):
A vulnerability exists in X.509 certificates which, when signed via MD5, may allow for phishing attacks. Similar vulnerabilities now affect SHA-1 certificates as well.
Hope MF is going to release a patch to address this security vulnerability.

KAKA_2 (Acclaimed Contributor):

However, in case you run the Configuration Wizard, the changes will be overwritten:

>>>>> We faced the same issue 2 days ago, so please avoid running the config wizard if one has migrated certificates from SHA1 to SHA2.

This seems to be a defect and not an idea, I believe.

sanitin (Frequent Contributor):

KAKA,

Yes, it is a defect and MF suggested putting in an idea for this, but in my view this has to be a fix incorporated in a future release or in some patch, as it does not make sense to implement this again and again in case the configuration wizard is run.

KAKA_2 (Acclaimed Contributor):

Same issue is faced when we upgraded OMi from 10.62 to latest release 2018.11 (10.71). -KAKA-

KAKA_2 (Acclaimed Contributor):

It seems that the document has one crucial step missing. The certificates which we see on OMi servers using "ovcert -list" are stored in the OMi database as well, so when one runs the config wizard, it reads the information from the DB (which is still the old SHA1 cert) and this will overwrite the SHA2 certificates.

To avoid this, upon completion of all the steps and communication testing you must run "\HPBSM\opr\bin\opr-configure-certificates.bat -il".

HTH
-KAKA-

Micro Focus Expert: Status changed to: Delivered

This is a CORRECT procedure for doing this migration:

https://softwaresupport.softwaregrp.com/doc/KM03187187

OBM Certificate Migration, SHA-1 to SHA-2/SHA-3
