Micro Focus Expert

(SM) Support Tip: "SHA2 hashing algorithm should be used instead of SHA1 for SSL"

SHA is the hashing algorithm family used by the majority of SSL certificates. As computing power has increased, so has the ability to attack SHA-1, and for this reason the industry has been transitioning from SHA-1 to SHA-2. Given these security concerns about SHA-1 signatures and the deprecation of SHA-1, Hewlett-Packard Enterprise recommends that TLS/SSL certificates created for use with Service Manager and its associated products be signed with the SHA-2 algorithm.

It is important to note that, beginning with an upcoming Service Manager minor release, the out-of-the-box keystore located at <SM SERVER>\Server\RUN\srv.keystore will be removed from the installer and will no longer be present. This does not affect the overall operation of the Service Manager product and should not cause concern, because srv.keystore is not used for Trusted Sign-On with SSL (SSL/TSO). Customers who do not use the out-of-the-box srv.keystore are not affected.

To help Service Manager administrators determine which algorithm (SHA-1 or SHA-2) the currently deployed SSL/TSO certificates are signed with, the following command can be run against the keystore:

Command: keytool -list -v -keystore <name of keystore>
Example: keytool -list -v -keystore smsrv.keystore

Output from the above command will look similar to the sample below. The lines to check are the ones reading "Signature algorithm name" (bolded in the original post); in this sample they show SHA1withRSA, which means the certificates are signed with SHA-1.

Creation date: Jun 15, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=SM7SERVER, OU=SM Server, O=HP, L=SD, ST=CA, C=US
Issuer: CN=HP ServiceManager Private CA, OU=BTO SM Software, O=Hewlett-Packard Co., L=San Diego, ST=CA, C=US
Serial number: d5e0999f9e542c3e
Valid from: Tue Jun 15 14:46:04 PDT 2010 until: Mon Jun 15 14:46:04 PDT 2015
Certificate fingerprints:
MD5: 33:59:E7:29:02:16:92:13:C6:FC:EE:E5:01:2E:7C:D0
SHA1: 8D:AD:FB:6E:22:20:B7:DF:8C:26:39:4E:60:0D:36:C7:6E:C9:A0:74
SHA256: AF:D8:B6:30:E0:32:71:2C:01:99:9C:38:9E:A5:81:59:0A:25:B5:CC:92:95:70:49:73:07:26:79:0C:1B:51:76
Signature algorithm name: SHA1withRSA
Version: 1

Certificate[2]:
Owner: CN=HP ServiceManager Private CA, OU=BTO SM Software, O=Hewlett-Packard Co., L=San Diego, ST=CA, C=US
Issuer: CN=HP ServiceManager Private CA, OU=BTO SM Software, O=Hewlett-Packard Co., L=San Diego, ST=CA, C=US
Serial number: 85eab4ced53794ad
Valid from: Tue Jun 15 14:45:35 PDT 2010 until: Mon Jun 15 14:45:35 PDT 2015
Certificate fingerprints:
MD5: BB:2B:FB:9A:23:5A:36:79:34:23:1C:71:2F:5D:E8:8E
SHA1: C8:E2:48:F2:87:2A:A8:5C:EB:8A:F9:B9:49:CD:94:5D:32:0A:52:54
SHA256: 2A:36:73:99:01:2D:03:A4:34:29:10:6C:26:AC:7D:B4:D3:F1:D1:A0:9F:98:CF:2C:4C:D7:5A:AB:73:65:39:42
Signature algorithm name: SHA1withRSA
Version: 3
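As an added example (not part of this support tip), the following Python script automates the check above: it parses the text that keytool -list -v prints, groups the fields per certificate and lists every certificate whose "Signature algorithm name" is SHA-1 (or MD5) based. The alias names, the third SHA256withRSA entry in the sample and the keystore path/password arguments are constructed assumptions, not Service Manager defaults.

```python
"""Flag SHA-1 signed certificates in `keytool -list -v` output.

Added example, not part of the support tip. It parses the text keytool prints,
collects the "Key: value" lines of each certificate and reports every
certificate whose "Signature algorithm name" is based on SHA-1 (or the even
weaker MD5/MD2). Alias names and the SHA-2 entry below are constructed.
"""
import re
import subprocess
import sys

# Signature algorithm names that rely on SHA-1 or MD5/MD2 (e.g. SHA1withRSA).
WEAK_SIGALG = re.compile(r"^(SHA1|MD5|MD2)with", re.IGNORECASE)

# Constructed sample: the two SHA-1 certificates shown in the tip's keytool
# output, plus a hypothetical SHA-2 signed entry that the scanner should pass.
SAMPLE_OUTPUT = """\
Alias name: smserver
Creation date: Jun 15, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=SM7SERVER, OU=SM Server, O=HP, L=SD, ST=CA, C=US
Issuer: CN=HP ServiceManager Private CA, OU=BTO SM Software, O=Hewlett-Packard Co., L=San Diego, ST=CA, C=US
Serial number: d5e0999f9e542c3e
Valid from: Tue Jun 15 14:46:04 PDT 2010 until: Mon Jun 15 14:46:04 PDT 2015
Certificate fingerprints:
     MD5: 33:59:E7:29:02:16:92:13:C6:FC:EE:E5:01:2E:7C:D0
     SHA1: 8D:AD:FB:6E:22:20:B7:DF:8C:26:39:4E:60:0D:36:C7:6E:C9:A0:74
Signature algorithm name: SHA1withRSA
Version: 1

Certificate[2]:
Owner: CN=HP ServiceManager Private CA, OU=BTO SM Software, O=Hewlett-Packard Co., L=San Diego, ST=CA, C=US
Issuer: CN=HP ServiceManager Private CA, OU=BTO SM Software, O=Hewlett-Packard Co., L=San Diego, ST=CA, C=US
Serial number: 85eab4ced53794ad
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************

Alias name: smserver-sha2
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=SM7SERVER, OU=SM Server, O=HP, L=SD, ST=CA, C=US
Issuer: CN=Example Internal CA, O=Example, C=US
Serial number: 0123456789abcdef
Signature algorithm name: SHA256withRSA
Version: 3
"""


def parse_keytool_output(text):
    """Split keytool -list -v output into one dict of fields per certificate.

    A certificate record starts at its "Owner:" line; the most recent
    "Alias name:" line is attached so a finding can name the keystore entry.
    Lines without a colon (separators) and "Certificate[n]:" headers are skipped.
    """
    certs = []
    alias = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line or line.startswith("Certificate["):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Alias name":
            alias = value
            current = None
        elif key == "Owner":
            current = {"alias": alias, "Owner": value}
            certs.append(current)
        elif current is not None:
            current.setdefault(key, value)
    return certs


def find_weak_signatures(text):
    """Return (alias, owner, sigalg) for each certificate signed with SHA-1/MD5."""
    findings = []
    for cert in parse_keytool_output(text):
        sigalg = cert.get("Signature algorithm name", "")
        if WEAK_SIGALG.match(sigalg):
            findings.append((cert["alias"], cert["Owner"], sigalg))
    return findings


def scan_keystore(keystore, storepass):
    """Run the tip's keytool command against a real keystore and return findings."""
    result = subprocess.run(
        ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", storepass],
        capture_output=True, text=True, check=True,
    )
    return find_weak_signatures(result.stdout)


if __name__ == "__main__":
    # With a keystore path and password on the command line, scan that file;
    # otherwise demonstrate on the constructed sample output above.
    if len(sys.argv) == 3:
        findings = scan_keystore(sys.argv[1], sys.argv[2])
    else:
        findings = find_weak_signatures(SAMPLE_OUTPUT)
    for alias, owner, sigalg in findings:
        print(f"[SHA-1] alias={alias} sigalg={sigalg} owner={owner}")
    print(f"{len(findings)} certificate(s) still signed with SHA-1/MD5")
```

Run it with a keystore path and password to have it execute keytool itself, or without arguments to see it flag the two SHA1withRSA certificates from the sample while passing the SHA256withRSA entry. It checks only the signature algorithm, which is the field this tip is about; the keytool fingerprint lines labelled SHA1 and SHA256 are fingerprints of the certificate, not its signature, and are deliberately ignored.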

Creating self-signed certificates is not the focus of this knowledge document. Hewlett-Packard Enterprise recommends consulting your Security or PKI organization for details on proper certificate creation. For a primer on creating certificates, many websites cover the generation of these files; here are some examples:

‘The Most Common Java Keystore Commands’: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
‘OpenSSL Essentials: Working with SSL certificates, private keys, and CSRs’: https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

Note: For further information on SHA1 deprecation please see: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.