the ssl problem and how to deploy sha2 certificates
TRANSCRIPT
![Page 1: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/1.jpg)
The SSL Problem & How To Deploy SHA2 Certificates
Mark MyersDirector - LDC [email protected]
Gabriella DavisTechnical Director - The Turtle [email protected]
![Page 2: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/2.jpg)
Who Are We?❖ Adminofallthingsandespecially
quitecomplicatedthingswherethefunis
❖ Workingwithsecurity,healthchecks,singlesignon,designanddeploymentofDomino,ST,Connec>onsandthingsthattheytalkto
❖ Stubbornandrelentlessproblemsolver
❖ LivesinLondonabouthalfofthe>me❖ [email protected]❖ twiDer:gabturtle
![Page 3: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/3.jpg)
Who Are We?❖ MemberoftheLondonDeveloperCo-
op❖ Co-writerofLDCViahDp://
www.ldcvia.com❖ IBMConnec>ons,Domino,Mobile
andWebdevelopment❖ Hireme!❖ Developerfromasupportbackground❖ 14+yearsonDomino,17+yearsinIT❖ Speakerat6xLotuspheres/Connects,
6xUKLUGs,1xILUG,3xBLUG/Engage
![Page 4: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/4.jpg)
Why This Session?• Encrypting and securing information is not just a thing you
add to complete a project, it’s a necessity• Information can be intercepted en route between client
and server or between servers• This can include credentials which can they expose
further information• The speed at which hackers are working around
encryption standards is growing, major attacks and vulnerabilities appear every week
• You need to understand where the vulnerabilities are, how to watch for them and how to protect against them
![Page 5: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/5.jpg)
Encryption and Certificates❖ What is Encryption?
❖ It is a process of making data unrecognizable
❖ Unless you have “key” to unlocking the data.
❖ Without the key, it should be imposable or more commonly unfeasible to read the data in a reasonable timeframe.
❖ What are Certificates?
❖ Digital Certificates are a way of trying to prove that the security “key” they contain actually belong to the person they were issued to.
❖ This is done via a trusted third party that both parties in communication can rely on.
![Page 6: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/6.jpg)
Let’s Talk Acronyms
![Page 7: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/7.jpg)
SSL❖ Stands for Secure Socket Layer
❖ A cryptographic protocol (A set of agreed rules for coding and decoding messages so as to keep those messages secure)
❖ Each version was replaced by another version due to security flaws and now is completely deprecated ( June 2015 by RFC 7568)
❖ Its death knell was the block cipher attack used by Poodle (see later slide) in 2014
❖ Replaced by...
![Page 8: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/8.jpg)
TLS❖ “Transport Layer Security”
❖ Like SSL it is cryptographic protocol (A set of agreed rules for coding and decoding messages so as to keep those messages secure)
❖ The successor to SSL (TLS 1.0 is actually SSL 3.1 but was renamed to mark the change to an open standard rather than Netscape's protocol)
❖ Currently has 3 versions 1.0, 1.1, 1.2 (1.3 in Draft)
❖ Like SSL it is a constantly changing protocol
![Page 9: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/9.jpg)
S/MIME❖ This is another protocol, this time for allowing email in the
MIME format (basically all SMTP mail) to be both signed or/and encrypted
❖ Signed: To ensure to your email recipients that you actually sent the email
❖ Encrypted: To protect the content from being read by other entities than the intended recipients.
❖ Just about the only intersystem security standard that all vendors can agree on.
![Page 10: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/10.jpg)
HTTPS❖ This is the transfer of data using the Hypertext Transfer
Protocol over a link secured be either SSL or TLS
❖ Provides:
❖ Bidirectional encryption of your data in transit
❖ A reasonable guarantee that you are talking to who you think you are.
❖ Defends against "Man in the Middle" and third party snooping attacks.
![Page 11: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/11.jpg)
SHA2❖ An upgrade to the popular hashing algorithm used by the
majority of SSL certificates
❖ Its predecessor SHA1 was found to be more insecure that was previously thought (not broken just not as secure)
❖ Microsoft Google and Mozilla all announced deprecation plans for SHA1
❖ When people talk about "SHA256" they are talking about one of the 6 hash functions with digests that make up the SHA2 family
![Page 12: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/12.jpg)
AES❖ “Advanced Encryption Standard”
❖ Based on 3 members of the Rijndael cipher family (developed by Joan Daemen and Vincent Rijmen) each with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
❖ Used worldwide and a federal government standard
❖ It supersedes DES (Data Encryption Standard) which you can now brute force attack
![Page 13: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/13.jpg)
What Went Wrong … and keeps going wrong
![Page 14: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/14.jpg)
Man in the Middle Attack
❖ An attack where someone intercepts communication between two systems and acts as a proxy between the parties without either of them knowing
![Page 15: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/15.jpg)
Betty knows the internet is scary. She always clicks the link
She likes to shop and bank online
This is Betty
Betty gets emails telling her to click on a link and give her password
![Page 16: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/16.jpg)
Hank knows Betty will click on the link
.. and that it will be his fault if her money goes missing
This is Hank
Hank owns a bank He needs to keep Betty’s money safe.
![Page 17: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/17.jpg)
Jazz is cool
Jazz has to keep corporate data secure whilst keeping access simple & staying ahead of
hackers
Jazz is a system administrator
Jazz doesn’t sleep much
This is Jazz
![Page 18: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/18.jpg)
Harry is a jerk with no morals
He only cares about getting money and causing disruption
This is Harry
![Page 19: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/19.jpg)
Hi Betty ! Hi Betty !
181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWE
OU4
It’s all about the key. How strong is it? How secure is it? Is it even the right key?
Encryption
![Page 20: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/20.jpg)
Man in the middle
Hi Betty ! Bye Betty!
181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKG
ADJKGLD90FD9184053290532AJKGP
AURWEOU4
Bye BettyHi Betty !
![Page 21: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/21.jpg)
With SHA2 & Strong Keys
Hi Betty ! Hi Betty!
181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKGADJKGLD90FD9184053290532AJKGPAURWEOU4181939FJFUETJDAJGDAKSGDAJKL1GDAJKG
ADJKGLD90FD9184053290532AJKGP
AURWEOU4
!
***
![Page 22: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/22.jpg)
POODLE ❖ "Padding Oracle On Downgraded Legacy Encryption“
❖ An exploit that allowed attackers to trick a session to use SSL rather than TLS then during that session use a design flaw in SSL 3.0 to Snoop on the session
❖ What it did
❖ It allowed attackers to perform a man in the middle attack
❖ How it was stopped
❖ We all turned off SSL V3.0 on the servers (and were then grumbled at by people who used old browsers)
![Page 23: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/23.jpg)
ShellShock or Bashdoor❖ An Bug from the original version of Bash* allowed you
to launch child instances of Bash but supply your own variables
❖ What it did
❖ It allowed an attacker to execute bash commands on the target server
❖ How it was stopped
❖ Patched all servers running Bash
*A program that all lot of Unix-based systems use to execute command lines and command scripts
![Page 24: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/24.jpg)
Heartbleed❖ A "buffer over-read" vulnerability in the TLS heartbeat extension of OpenSSL
caused by a missing input validation check (but really by not enough peer review)
❖ What it did?
❖ Allowed an attacker to read up to 64 kilobytes of the servers active memory for each attack, memory that was very likely to contain secure information.
❖ How it was stopped?
❖ We updated all clients/servers to a patched version of OpenSSL
❖ Reissued all certificates where there was any chance they could have been compromised.
![Page 25: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/25.jpg)
Freak - “Factoring RSA Export Keys”❖ A vulnerability cased by the growth of cheap commuting power
❖ A "512-bit export-grade key“ now be broken with a bit of math's called the "Number Field Sieve algorithm"* and about ~ $150 of cloud computing
❖ What it did?
❖ Allowed the attacker to perform a man in the middle attack
❖ How it was stopped?
❖ We disabled "TLS export cipher suites" either by updating browsers, disabling the feature in servers or updating libraries that used them (such as OPENSSL to versions that did not)
*https://en.wikipedia.org/wiki/General_number_field_sieve
![Page 26: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/26.jpg)
Why Is This A Growing Problem?
![Page 27: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/27.jpg)
What’s Next?
❖ Who knows!! the important thing we have all learnt is that just because something has been around for a while is no guarantee of it being bomb proof.
❖ No system is perfect
❖ Open source software is a great concept, but relies on ACTIVE members picking at each others code and performing peer review.
❖ Closed Source relies on the competency of hidden processes and testers not succumbing to pressure to “Ship now”.
❖ Just remember there is always someone cleverer than you.
![Page 28: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/28.jpg)
So We Need The Strongest Certificate That Uses The Best Algorithm & Is Kept Up To Date
How Do We Do That?
![Page 29: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/29.jpg)
Certificate Structures❖ Certificate authorities
❖ Private keys
❖ Trusted roots
❖ Generating a certificate
❖ You’ll need a keyfile
❖ You’ll need a request with all the details of your certificate
❖ You’ll need the trusted roots and intermediate certificates or your CA
❖ You’ll need the final certificate itself
![Page 30: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/30.jpg)
![Page 31: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/31.jpg)
![Page 32: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/32.jpg)
![Page 33: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/33.jpg)
File Extensions For Certificates❖ More Acronyms
❖ Certificate formats
❖ PEM (….. BEGIN CERTIFICATE….)
❖ CRT
❖ CER
❖ KEY
❖ DER binary
❖ PFX or P12
❖ ….CSR (certificate signing request)
❖ OpenSSL can convert most certificate forms to most others
![Page 34: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/34.jpg)
OpenSSL❖ An open source library of SSL and TLS cryptography
❖ Available for most platforms
❖ Developed and managed by https://www.openssl.org
❖ repository for downloads on https://github.com/openssl/openssl
❖ Create certificates
❖ Convert certificates
❖ Extract certificates
![Page 35: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/35.jpg)
HERE BE TIGERS
![Page 36: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/36.jpg)
Installing OpenSSL - For the brave❖ https://www.openssl.org/source/
❖ ftp://ftp.openssl.org/source/ previous version
❖ ftp://ftp.openssl.org/source/old older versions
❖ Download the compressed file and extract
❖ Read the ReadME for instructions e.g run
❖ INSTALL Linux, Unix, etc.
❖ INSTALL.W32 Windows (32bit)
❖ INSTALL.W64 Windows (64bit)
❖ https://wiki.openssl.org/index.php/Compilation_and_Installation
![Page 37: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/37.jpg)
Installing OpenSSL Under Windows❖ I found the easiest solution (as an Admin)
is to install the pre built Windows executable from Shining Light - there are other’s out there
❖ https://slproweb.com/products/Win32OpenSSL.html
❖ Download the most recent “lite” version
❖ Currently 1.0.2h (Win32OpenSSL_Light-1_0_2h)
![Page 38: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/38.jpg)
![Page 39: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/39.jpg)
![Page 40: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/40.jpg)
Installing OpenSSL For Linux
❖ For Linux many distros come with a pre compiled version of OpenSSL
❖ yum install openssl
❖ each OS may have its own method for configuration
![Page 41: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/41.jpg)
Let’s Create Some Certificates
![Page 42: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/42.jpg)
Domino – Creating A SHA2 Certificate❖ Domino no longer uses the Secure Server Certificate
database to generate keyfiles or merge certificates
❖ We use a combination of OpenSSL and an IBM utility for Domino called kyrtool
❖ download kyrtool from IBM Fixcentral http://ibm.co/1SAYX5E
❖ copy it to your Notes or Domino program directory
❖ The program files must be 9.0.1 FP3 or higher
![Page 43: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/43.jpg)
Domino – Creating A SHA2 Certificate❖ We need to decide the size of the key pair we want to create
❖ the larger the key pair the harder it is to decrypt
❖ not all software systems support the largest key pairs
❖ If using Windows set the environment variable for OpenSSL first
❖ Set OpenSSL_Conf=c:\openssl\bin\openssl.cfg
❖ verify openssl.cfg actually exists in that directory
❖ To create a 4096 key pair
❖ c:\openssl\bin\openssl genrsa -out mynewserver.key 4096
![Page 44: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/44.jpg)
Create a Certificate Signing Request ❖ When buying a new certificate this sends to your CA
❖ openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
❖ note that we are requesting a SHA2 certificate
❖ the CSR will be verified by the CA when you submit it so you can check that it’s right
❖ if not you can recreate it by running the command again
![Page 45: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/45.jpg)
![Page 46: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/46.jpg)
MyNewServer.CSR❖ -----BEGIN CERTIFICATE REQUEST-----
❖ MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG
❖ A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw
❖ JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG
❖ SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+
❖ CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp
❖ R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/
❖ JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj
❖ GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN
❖ GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe
❖ nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC
❖ o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n
❖ IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E
❖ Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1
❖ 5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE
❖ H4btBohD7B6fiqdozsOsvN1s
❖ -----END CERTIFICATE REQUEST-----
![Page 47: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/47.jpg)
Now Comes The Domino Bit❖ We have to create a keyring file in a format Domino will be able to read
❖ For that we use the kyrtool we downloaded from FixCentral
❖ From your Notes program directory
❖ kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
❖ this will create two files
❖ mynewserver.kyr
❖ mynewserver.sth (this is the stashed password that unlocks the keyring)
![Page 48: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/48.jpg)
Nearly There…❖ We have our keyring file
❖ We have sent our request for a certificate, generated off our new key pair to our CA
❖ When the CA sends the certificate back we can merge the new certificate into our keyring file
❖ we need to merge ALL the certificates, root, intermediate and server into a single “key” file
❖ c:\openssl\bin\type mynewserver.key server.crt intermediate.crt root.crt >mynewserver.txt
![Page 49: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/49.jpg)
Last Step
❖ We now add our new txt file with all the certificates in it into our new Domino keyring
❖ c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
❖ That’s it. We now have a shiny keyring pair to use with our Domino server
![Page 50: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/50.jpg)
Installing A SHA2 Certificate Under Domino
❖ Install Using Internet Site Documents
❖ The first keyring file in the Internet Site docs view that matches the server configuration “wins”.
❖ Avoid too many wildcard or duplicate Internet Site Documents
❖ What can you use it for
❖ HTTPS (Traveler, Websites)
❖ S/MIME (encrypted mail)
❖ TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3)
❖ DIIOP as of 9.0.1 FP5
![Page 51: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/51.jpg)
More Domino SSL
❖ Remove weak ciphers from the site documents
❖ Add Disable_SSLV3=1 to the notes.ini on the server
❖ Domino support TLS 1.2 now
❖ SSL_DISABLE_TLS_10
❖ https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
![Page 52: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/52.jpg)
Working With WebSphere Certificates❖ WebSphere installs with its own keystores for each cell
and node you add
❖ The keystores are created and owned by IBM and have the hostname of the server you’re installing onto by default
❖ The cell keystores are found in
❖ /profiles/Dmgr01/config/cells/{cellname}/trust.p12
❖ /profiles/Dmgr01/config/cells/{cellname}/key.p12
![Page 53: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/53.jpg)
Accessing The SSL Configuration❖ Login to the WebSphere ISC
❖ Security - SSL Certificate and Key Management
![Page 54: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/54.jpg)
![Page 55: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/55.jpg)
Adding A New Certificate To WebSphere❖ Go to the CellDefaultTrustStore if the certificate existing on another server
already you can “Retrieve from port”
❖ Add your root and intermediate certificates here
![Page 56: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/56.jpg)
Personal Certificate Request❖ The simplest way to generate a
WAS certificate
❖ create a CSR in WAS
❖ “receive” it into WAS when sent from the CA
❖ you can’t “receive” a certificate you didn’t request
![Page 57: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/57.jpg)
WebSphere and 4096 Key Length Certificates
❖ A 4096 certificate can generate an error when attempting to add to WebSphere
❖ “RSA premaster secret”
❖ You need to add the unrestricted policy files to WebSphere for the 4096 certificates to be imported
![Page 58: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/58.jpg)
The Unrestricted Policy Files
❖ ibm.co/1JZGs3z
![Page 59: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/59.jpg)
Exporting A Certificate From WebSphere
❖ Export a WAS certificate so that it can be imported onto other systems
❖ Such as a keyfile database generated by ikeyman and used by IBM HTTP Server
![Page 60: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/60.jpg)
Working With Ikeyman❖ There are different versions of ikeyman that create
keyfile databases recognised by different products
❖ Look in the program directory for your installed product to find the right one
❖ For IBM HTTP Server the file is in /IBM/HTTPServer/bin
❖ On Linux you’ll need to configure X11 forwarding if you don’t have a graphical interface
![Page 61: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/61.jpg)
Working With IKeyMan - Signer Certificates
❖ Import the WebSphere certificate we extracted earlier
❖ Add root and intermediate certificates
![Page 62: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/62.jpg)
Working With IKeyman - Personal Certificates
![Page 63: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/63.jpg)
Editing httpd.conf to add SSL configuration❖ Example content
❖ LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
❖ Listen 0.0.0.0:443
❖ <VirtualHost *:443>
❖ SSLEnable
❖ SSLProtocolDisable SSLv2
❖ </VirtualHost>
❖ KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
❖ SSLDisable
❖ Restart IHS - use netstat to see if 443 is active and listening
❖ Check IHS logs for SSL errors
❖ If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the WebSphere certificate or they don’t share a trusted root, they won’t be able to communicate
![Page 64: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/64.jpg)
SSL and Development
❖ Despite the initial pain see if you can get a proper production SSL certificate to use on your development environment.
❖ If you can not (for cost reasons) ensure you create a self cert that is EXACTLY the same type as your production environment
❖ Identify ALL your third party libraries to your Admins as well as any changes in versions in a proper release document. particularly if you are overriding an existing library on the server
![Page 65: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/65.jpg)
Testing SSL On Your Site❖ https://www.ssllabs.com/ssltest/
![Page 66: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/66.jpg)
❖ You can’t stay ahead of the hackers but you must be vigilant and keep up
❖ Have a plan for monitoring
❖ Have a plan for lock down at the first appearance of exposure
❖ Have a plan to fix the vulnerability
❖ Have a plan to identify what information may be compromised
❖ Have a plan to make that information of as little value as possible
What Else?
![Page 67: The SSL Problem and How to Deploy SHA2 Certificates](https://reader033.vdocument.in/reader033/viewer/2022061307/58adc2c11a28ab56468b58e3/html5/thumbnails/67.jpg)
Resources
❖ Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
❖ Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
❖ Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373