
SHA-1 -->SHA-2

0 Kudos

What are folks doing to move from SHA-1 to SHA-2?

It looks like the IE browser will error with sha-1 certs next year and Chrome will give a warning message.

Higher-ups are asking about the need to move to sha-2 (sha256).

We have implemented NWSSO-2 with the saplogon client and secure logon server for SAPGUI, Java and ABAP-WAS.  We're creating our own certs, no CA's.

I can see the local and server certs are all sha-1, except the MS cert (sha256) that is on the client side used with the ADS server.

I'm not seeing any docs on how to generate the sha256 certificate; is this supported by NWSSO-2?

Accepted Solutions (0)

Answers (3)


0 Kudos

2.04 is where this option appears.  We upgraded to 2.06 and it works fine: we can specify sha256 on the server and see the new sha256 certs being accepted on the client.

Follow-up question: do we need to update the back-end server certs that are signed sha-1?

We can SSO into ABAP and WAS, Java...with the back-ends still using sha-1 now.  I'm a bit concerned that the Java and WAS with IE will be an issue in the future.

former_member202592
Participant
0 Kudos

Hi Chris,

The encryption hash used in SHA-2 is significantly stronger and not subject to the same vulnerabilities as SHA-1.

All certificates that will be used to secure browser-based communications need to be replaced. Certificates used for other types of applications should be reviewed on a case-by-case basis.

The SCN Blog post below will help you better understand how to update the certificates in the AS ABAP system and which PSEs currently support the usage of SHA-2 algorithm:

Cheers,

Filipe Santos

0 Kudos

Thanks Filipe.  We're planning to migrate all the back-end certs to sha256 now.

0 Kudos

This is a good blog for ABAP and the WAS back-ends.  But I can't find details for Java. 

I looked in Java configuration --> SSL --> Trusted CA's and see the Root cert from the Secure Login Server.  So a simple import of the sha256 should do the trick?

The question is how do I get the Root from SLS sha256 cert for the Java server?  I don't see where SLS can change the root to sha256.  It shows as sha-1.

Do we use the certs that we change on the ABAP server, download and upload to Java?

Also, what do we do with the Root cert on the Secure Login Server that's SHA-1?  Do we need another with SHA-2 if we're not doing SSO to this server...guess that would answer previous question if yes?

kuhnen
Explorer
0 Kudos

Hi Chris,

if you are on the Certificate Management tab, you cannot simply select the certificate and change the Signature Algorithm. You would need to create a new certificate (button Issue Entry) and choose the sha256 algorithm. Moreover, sha256 is only supported since SP4.

Regards,

Marcus

0 Kudos

Thanks Marcus: Unfortunately, this will break our SSO to the backend systems; right?

What's the necessity of changing the root CA to sha256 if it never is transmitted over the network?

For that matter, why would the back-end certs need to be changed to sha256 if only the client cert (which is sha256) is being transmitted over the network?

Former Member
0 Kudos

Although the certificate generated has a SHA256 Signature algorithm, the thumbprint algorithm remains as a SHA-1.  If you want everything SHA256 or stronger you have to start with a root of SHA256 or stronger.

0 Kudos

Thanks Greg:  Odd, no matter what Root CA I use- sha-1 signature or the one I created as sha256- the fingerprints show sha-1.

Any clues why that is?

kuhnen
Explorer
0 Kudos

Hi Chris,

The important thing is that you see that the Signature algorithm is sha2....

The Certificate Fingerprint is always done with sha-1. They are independent of each other.

Regards,

Marcus
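An added worked example, not part of the original thread and not SAP's or SLAC's tooling, that shows the point Greg and Marcus make above with the openssl CLI: the Signature Algorithm is fixed by the issuer when it signs the certificate, while the fingerprint (thumbprint) is only a hash a viewer computes over the certificate bytes, so a SHA-256-signed certificate still has a SHA-1 fingerprint and a SHA-256 fingerprint of the same certificate is just as available. The chain check at the end is the operation where the signature algorithm actually matters: the verifier checks the issuer's signature on the server certificate, never the fingerprint. The subject names, file names and the choice of sha256/sha384 digests are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not part of the original thread: show with the openssl CLI
# that a certificate's signature algorithm (chosen by the issuer when signing)
# and its fingerprint (a hash the viewing tool computes over the DER bytes)
# are independent. SLAC displays SHA-1 fingerprints; openssl lets you pick.
# Assumes a POSIX shell and openssl 1.1.1 or 3.x. All keys and certificates
# below are throwaway material constructed by this script.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA signed with the given digest.
#   make_root <basename> <sha256|sha384>
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes "-$2" -days 365 \
        -subj "/CN=Test Root CA $2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate issued by <root> and signed with the given digest.
#   make_leaf <root basename> <leaf basename> <sha256|sha384>
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=portal.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial "-$3" -days 365 -out "$WORK/$2.pem" 2>/dev/null
}

# The algorithm the issuer used to sign the certificate,
# e.g. sha256WithRSAEncryption (first occurrence in the text dump).
sig_alg() {
    openssl x509 -in "$WORK/$1.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Fingerprint computed with the requested hash (sha1 or sha256). This is what
# a "thumbprint" column displays and it never depends on sig_alg.
fingerprint() {
    openssl x509 -in "$WORK/$1.pem" -noout -fingerprint "-$2" | cut -d= -f2
}

# Chain validation: checks the issuer's signature on the leaf, which is the
# one place where the signature algorithm really matters.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

demo() {
    make_root root sha256
    make_leaf root leaf256 sha256
    make_leaf root leaf384 sha384
    for c in root leaf256 leaf384; do
        echo "$c: signed with $(sig_alg "$c")"
        echo "    SHA-1 fingerprint:   $(fingerprint "$c" sha1)"
        echo "    SHA-256 fingerprint: $(fingerprint "$c" sha256)"
    done
    verify_chain root leaf256 && echo "leaf256: chain OK"
    verify_chain root leaf384 && echo "leaf384: chain OK"
}

demo
```

Run it with sh. Every certificate prints both a SHA-1 and a SHA-256 fingerprint regardless of how it was signed, which is why a SHA-1 thumbprint column says nothing about the migration state; the last two lines show a SHA-256 and a SHA-384 server certificate both validating under the same SHA-256 root, so the digest of the leaf does not have to match the digest of its issuer.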

0 Kudos

Thanks Marcus.

We also noticed a few things with the back-ends.

The process recommended to recreate the backend cert as sha256 did NOT work for us (it kept the sha-1 signature); we're guessing because we originally created them using Secude.

The browser when connecting to the WAS/Portals checks your client cert (sha256 now) as well as the backend cert. 

For the WAS(icm), Chrome issues a warning on SHA-1 and the 2017 expiration date; interestingly, IE gives no warnings or errors. 

We created a sub cert to the sha-1 ca on SLS server as type SSL Server and specified sha256 and imported into ABAP SSL- this worked fine: resolved the chrome warnings.

For the portal we have the same warnings with chrome, but it looks like the backend cert has to be a root ca.  It appears the Portal just creates a trust: nwa-->configuration-->ssl-->Trusted CA's is where we see the sha-1 CA from the SLS server. So it looks like we need to replace the root ca (to sha256) on SLS just for the Portal?

My understanding is that replacing the SLS root CA (creating it with sha256) will break everything unless we give it the same name as the previous sha-1 one, but we can't do that until everyone is off this sha-1 root CA.  Is this correct?

What's the recommended plan to migrate the DEV/QAS and then PRD systems to sha256 if all these systems use the same SLS?  Is there an approach besides a big bang?

Sorry- lots of questions, hope someone can guide us.  We do have a ticket in with support as well as we are looking for some guidance.

Thanks,

Chris

LutzR
Active Contributor
0 Kudos

Hi Chris, I think your detailed question was answered by Filipe.

But I would like to discuss how far deprecation of SHA1 by MS, Google and others will go.

From what I read, the deprecation will only hit certificates of CAs that are rolled out from Microsoft. So this would not hit self-signed certificates and certificates of private CAs. But I don't feel sure about this. I cannot find anybody currently who feels sure about this. What do you think?

Regards,

Lutz

0 Kudos

https://gallery.technet.microsoft.com/Migrating-SHA-1-to-SHA-2-82ee3a4e

Hey Lutz:

This is the response we got back from Microsoft on May 12 of this year:

former_member202592
Participant
0 Kudos

Hi Chris,


Secure Login Server supports the creation of SHA-2 certificates.


You should see a drop down list in User Certificate Configuration > User Certificate Properties > Signature Algorithm, providing SHA-1 and several SHA-2 with RSA.


Refer to the Thread below:

Secure Login Server and SHA256-based certificates | SCN


Cheers,

Filipe Santos

0 Kudos

Thanks for your response Filipe.

Excuse my ignorance but I don't think I'm looking in the correct place.

I'm in the Secure Login Administration Console (slac) -->Certificate Management.

I'm suspecting that I need to upgrade; I'm on version 2.0, SP 3, patch 0.

Chris