IBM Support

Certificates will need to be converted to use SHA256withRSA in WebSphere Application Server

Flashes (Alerts)


Abstract

Certificates will need to be converted to use the new minimum strength.

Content

Converting certificates to use SHA256withRSA in WebSphere Application Server

WebSphere Application Server default certificates are created with the SHAwithRSA signature algorithm. SHA256withRSA is becoming the minimum strength accepted for certificates. Scanning tools are starting to flag SHAwithRSA certificates as insecure, and browsers will start warning when they are used. Browser vendors are reporting that some time in 2016 or 2017 they will issue patches that completely block any server using SHA1 digital certificates. This advance notice is provided so that you can plan any action you may need to take.

The new minimum strength generally accepted for personal certificates is a 2048-bit key with a signature algorithm of SHA256withRSA. This is the minimum strength required by SP800-131a. WebSphere Application Server intends to provide tooling to convert certificates to ones created with SHA256withRSA.

In the meantime, for Version 7.0 and above, tooling already exists to convert certificates to the SP800-131a specification; this tooling can be used to convert certificates without requiring users to configure the server to use SP800-131a. To convert these certificates with the Administrative Console, click Security > SSL certificate and key management > Manage FIPS. Then click Convert Certificates under Related Items on the right-hand side. Select a Signature Algorithm and click Apply/Save to have the server certificates converted. For more information, see Transitioning to SP800-131 security standard in the Knowledge Center. You can also use the convertCertForSecurityStandard AdminTask command, as noted in the Knowledge Center, to convert the certificates.
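Before and after running the conversion, it helps to verify what a certificate actually carries rather than trusting the console label. The following Go program is an added example, not IBM's tooling or anything from this flash: it parses DER-encoded certificates and reports those whose signature algorithm is below SHA256withRSA or whose RSA key is shorter than 2048 bits, the two thresholds the flash describes. It assumes the certificates are available as DER bytes (for instance, exported from a WAS keystore with keytool -exportcert); because this example must run offline, it constructs two self-signed certificates in memory, one deliberately built with SHA1WithRSA over a 1024-bit key and one meeting the floor. The certificate generation is only for the demonstration; the checking function is what you would run over real exports.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding records why one certificate falls short of the floor described in
// the flash: a SHA256withRSA signature over a 2048-bit RSA key.
type Finding struct {
	Subject string
	Reasons []string // empty when the certificate passes
}

// weakSigAlgs lists signature algorithms that scanners flag. SHA1WithRSA is
// the one that WebSphere's default "SHAwithRSA" certificates correspond to.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA:    true,
	x509.MD5WithRSA:    true,
	x509.SHA1WithRSA:   true,
	x509.DSAWithSHA1:   true,
	x509.ECDSAWithSHA1: true,
}

// CheckCertificate parses a DER-encoded certificate and reports every reason
// it does not meet the minimum. It only parses; no chain verification is done.
func CheckCertificate(der []byte) (Finding, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Subject: cert.Subject.String()}
	if weakSigAlgs[cert.SignatureAlgorithm] {
		f.Reasons = append(f.Reasons,
			fmt.Sprintf("signature algorithm %s is below SHA256withRSA", cert.SignatureAlgorithm))
	}
	// Non-RSA keys are not covered by the 2048-bit rule, so only check RSA.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if bits := pub.N.BitLen(); bits < 2048 {
			f.Reasons = append(f.Reasons, fmt.Sprintf("RSA key is %d bits, minimum is 2048", bits))
		}
	}
	return f, nil
}

// selfSigned builds a constructed self-signed certificate for this demonstration.
// It stands in for a certificate exported from a WAS keystore and is not part
// of any real conversion workflow.
func selfSigned(cn string, bits int, alg x509.SignatureAlgorithm) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(365 * 24 * time.Hour),
		SignatureAlgorithm: alg,
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	cases := []struct {
		cn   string
		bits int
		alg  x509.SignatureAlgorithm
	}{
		{"weak.example", 1024, x509.SHA1WithRSA},     // constructed: below the floor on both counts
		{"strong.example", 2048, x509.SHA256WithRSA}, // constructed: meets SP800-131a
	}
	for _, c := range cases {
		der, err := selfSigned(c.cn, c.bits, c.alg)
		if err != nil {
			panic(err)
		}
		f, err := CheckCertificate(der)
		if err != nil {
			panic(err)
		}
		if len(f.Reasons) == 0 {
			fmt.Printf("%s: OK\n", f.Subject)
			continue
		}
		for _, r := range f.Reasons {
			fmt.Printf("%s: %s\n", f.Subject, r)
		}
	}
}
```

The check deliberately stops at parsing: a certificate that fails here needs converting regardless of whether its chain validates, and parsing avoids the verification-time SHA-1 rejection that newer runtimes apply. Feed CheckCertificate the DER from each personal certificate and signer in every keystore the cell uses, since the CMSKeyStore note below shows that signer entries are part of the conversion as well.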

Please note: If you are converting a certificate to be signed with a new signature algorithm and there are keystores called "CMSKeyStore" in the configuration, this error may be encountered:

A signer certificate with alias: CN=localhost, OU=Root Certificate, OU=localhostCell01, OU=localhostCellManager01, O=IBM, C=US already exists but it contains a different public key

This happens because the provider is unable to write out the supporting chain of the new certificate. To work around this, discard the changes, then go to the "CMSKeyStore" keystore and, under its signer certificates, remove the certificate with the alias shown in the message above. Once the certificate is removed, the conversion can be attempted again.



The following video explains how to update your personal certificates using the wsadmin command:


If you are having issues with fullscreen mode on the above video please go directly to YouTube and watch the video in fullscreen mode. https://www.youtube.com/watch?v=e5esp4jpbco

The following video explains how to update your personal certificates using the Administration Console:


If you are having issues with fullscreen mode on the above video please go directly to YouTube and watch the video in fullscreen mode. https://www.youtube.com/watch?v=MkG6nuzJNWM

Customers using WebSphere Application Server (WAS) Version 6.0 and earlier are using Java 1.4.2, which does not support SHA256withRSA-signed digital certificates. Customers will no longer be able to connect to the Application Server directly using a browser. Customers will need to front-end the Application Server with a web server such as IBM HTTP Server configured with the WAS HTTP plug-in. IBM highly recommends that customers using WAS 6.1 or earlier releases move to current releases (WAS 8.5 and above), as these releases support strong encryption to improve safety and security.

Refer to this link for additional information on potential security concerns with WebSphere Application Server Versions 6.0 and 6.1: http://www-01.ibm.com/support/docview.wss?uid=swg21966229

Refer to this link for additional information concerning IBM HTTP Server and SHA-2 certificates: http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#sha2


Change History:
11 June 2015: Original document published
15 June 2015: Included link to Knowledge Center
20 August 2015: Added link to YouTube video
21 September 2015: Added information about CMSKeyStore
16 December 2015: Added reference to APAR PI48460
05 May 2016: Added direct link to YouTube
21 September 2016: Added link to YouTube video for Administrative Console
05 October 2016: Added link to IBM HTTP Server

Reference:
PI48460: FAILURE TO CONVERT CERTIFICATES WHEN CMS KEYSTORE IS PRESENT
http://www-01.ibm.com/support/docview.wss?uid=swg1PI48460


Document Information

Modified date:
25 September 2022

UID

swg21959568