Are You Migrating Database Certificates from SHA-1 to SHA-2?

DBAs will already have received, or will soon receive, notification from their security groups about the decommissioning of SHA-1 certificates deployed on database and client servers. The good news is that most commonly used operating systems, browsers, mail clients and mobile devices already support SHA-2. We have put together a compatibility list of known SHA-2 support, because some older platforms, such as Windows XP SP2, do not support it. In the database world the hardware and software involved is generally compatible with a SHA-2 migration; Oracle Database 11.2.0.3 and above support SHA-2 certificates. Oracle's support portal has a detailed document describing the certificate migration, and it is straightforward to follow. Before starting, the DBA must make sure the paperwork (change approvals) and the dependencies (every client, listener, wallet and middleware tier that trusts the certificate) have been worked out properly.
The following list gives an overview of operating systems/browsers that currently support SHA-2:
Apple iOS 3.0+
Android 2.3+
Blackberry 5+
Internet Explorer 6+ (with Win XP SP3+)
Safari with Mac OS X 10.5+
Firefox 1.5+
Netscape 7.1+
Mozilla 1.4+
Opera 9.0+
Konqueror 3.5.6+
Mozilla-based browsers since 3.8+
OpenSSL 0.9.8o+
Java 1.4.2+ based products
Chrome 26+
Windows Phone 7+
The following list gives an overview of servers that currently support SHA-2:
4D Server 14.01+
Apache server 2.0.63+ with OpenSSL 0.9.8o+
Barracuda Network Access Client 3.5+
Cisco ASA 5500 8.2.3.9+ for AnyConnect VPN Sessions; 8.4(2)+ for other functionalities
CrushFTP 7.1.0+
F5 BIG-IP 10.1.0+
IBM Domino Server 9.0+ (bundled with IBM HTTP Server 8.5+)
IBM HTTP Server 8.5+ (bundled with Domino 9+)
IBM z/OS v1r10+
Java based servers using Java 1.4.2+
Mac OS X Server 10.5+
OpenSSL based servers using OpenSSL 0.9.8o+
Oracle Wallet Manager 11.2.0.3+
Oracle Weblogic 10.3.1+
SonicOS (SonicWALL) 5.9.0.0+
WebSphere MQ 7.0.1.4+
Windows Server 2008
Windows Server 2012
Windows Server 2003 SP2 +patch 938397
Implementation Plan – High Level
1. Check Environment for SHA-2 Certificate Support
The first step is to ensure that the environment, including both software and hardware, supports SHA-2 certificates. Refer to the SHA-2 compatibility lists above for supported hardware and software, and include every client that connects to the database, not only the database host itself.
2. Find All SHA-1 Certificates
Find all of the SHA-1 certificates in the network, regardless of issuer, using scanning tools. Include the certificates held in Oracle wallets (database, listener and client), in middleware keystores and on any load balancer in front of the database, since scanners that only look at web servers will miss them.
3. Generate New CSRs for Each SHA-1 Certificate
Generate a new Certificate Signing Request (CSR) for each certificate still using SHA-1, on the server where it is installed, and request that the CA sign it with SHA-2 (SHA-256 is the usual choice).
4. Install New SHA-2 Certificates
Once the new certificates are received, install them on the server, database or middleware together with any intermediate certificates they require. Check that the intermediate chain is itself SHA-2: a SHA-2 leaf certificate issued under a SHA-1 intermediate will still be flagged by clients (only the root's self-signature is exempt).
5. Test Certificate Installation
Validate connectivity from each type of client against the new certificate, confirm that the presented chain is SHA-2 end to end, and then sign off the implementation.
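To make step 2 concrete, here is an added example (not from the original post or from Oracle's migration document) that scans certificate files and reports which are still signed with SHA-1. It reads only the outer signatureAlgorithm of each DER or PEM certificate with a minimal standard-library ASN.1 walker, so it runs on hosts without openssl; certificates held in Oracle wallets must be exported to PEM files first. The sample certificates it builds are constructed stand-ins whose only valid part is the AlgorithmIdentifier, and the file-name patterns and directory layout in scan() are assumptions.

```python
"""Report certificates still signed with SHA-1 (added example, stdlib only).
Reads just enough DER to reach the outer signatureAlgorithm of an X.509
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
"""
import base64
import glob
import os
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 5754).
SHA1_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Dotted OID of the certificate's outer signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)                      # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)                  # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])

def pem_to_der(pem):
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(b"".join(m.group(1).split()))

def classify(cert):
    """Map a PEM or DER certificate to ('SHA-1' | 'SHA-2' | 'unknown', name)."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = pem_to_der(cert)
    oid = signature_algorithm(cert)
    if oid in SHA1_OIDS:
        return "SHA-1", SHA1_OIDS[oid]
    if oid in SHA2_OIDS:
        return "SHA-2", SHA2_OIDS[oid]
    return "unknown", oid  # e.g. md5WithRSA: also needs replacing, never ignore it

def scan(directory, patterns=("*.pem", "*.crt", "*.cer", "*.der")):
    """[(path, family, name)] for each certificate file under directory (assumed names)."""
    found = []
    for pattern in patterns:
        for path in glob.glob(os.path.join(directory, "**", pattern), recursive=True):
            with open(path, "rb") as fh:
                found.append((path,) + classify(fh.read()))
    return found

# --- constructed samples: only the outer Certificate shape is valid ---------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
            arc >>= 7
        out += chunk
    return out

def constructed_cert(sig_oid):
    """Dummy certificate: placeholder tbsCertificate, real AlgorithmIdentifier."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 8))

def to_pem(der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify(to_pem(constructed_cert(oid))))
```

Where openssl is available, `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'` gives the same answer for a single file. For step 3, `openssl req -new -sha256 -key server.key -out server.csr` produces a SHA-256-signed CSR, but the hash on the issued certificate is chosen by the CA, so the check above has to be repeated on the certificate that comes back, not on the CSR.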
