Document Version   Release Date   Details
3                  01/06/2017     Updated document with additional details
2                  12/06/2016     Updated document with additional details
1                  10/24/2016     Original document release

HPE Integrity Superdome 2 complex firmware version 4.1.8 or earlier uses SHA-1 for the OA self-signed certificate. SHA-1 certificates may no longer be accepted by the latest versions of Firefox (FF) and Internet Explorer (IE) starting from January 1, 2017 (for some browsers, it may be later). Although most browsers will offer a user-override process that allows a SHA-1 certificate to be used after displaying a warning, the following can be expected if the system remains on these older firmware versions and a newer browser version is used:

- Users may not be able to securely access the OA Web GUI or iLO vMedia using some of the newer browser versions after January 1, 2017 (or later).
- SSH to OA and iLO will not be affected by this issue. IRS is also unaffected.

Note: January 1, 2017 is the earliest date on which access may become restricted. Some browsers may continue to allow access for a longer period of time, depending on the vendor strategy.

Based on the announcements available from the different browser vendors, the impact could be as follows. Note that this may be subject to change by the browser vendors.

Browser              SHA-1 certificate impact on OA GUI
IE8                  Not affected
IE10 (with update)   Security warning; access allowed by bypassing this warning
IE11 (with update)   Security warning; access allowed by bypassing this warning
Firefox 39           Security warning; access allowed by bypassing this warning
Firefox 43+          Untrusted connection (unclear if access will be blocked)

From the information available at various web sources, the impact of using SHA-1 certificates after January 1, 2017 is as follows:

- Most browsers will display a major security warning, but still allow the user to bypass the warning and use the service. Users may not be blocked from using the web service.
- Some browsers will not change behavior until later, in February 2017.
- Older browser versions will not be impacted in any way (see the table above).
- For accurate and up-to-date information on browser behavior, refer to the websites of the respective browsers.

Identifying which type of certificate is installed (SHA-1 or SHA-2 signature): view the certificate details in the browser connected to the OA. The signature algorithm shown in the certificate details indicates the type used: SHA256, SHA384 or SHA512 indicates that SHA-2 was used.
Any HP Integrity Superdome 2 servers with Firmware Version 4.1.8 (or earlier).
The following options are available:

- Upgrade to HPE Integrity Superdome 2 firmware version 4.1.34 (or later).
- Import a SHA-2 certificate so that any browser works securely (if running a firmware version that supports it; refer to the information below).
- Use older browser versions that continue to allow access, possibly after bypassing security warnings (see the table in the Description section above).

Upgrade to HPE Integrity Superdome 2 server Firmware Version 4.1.34 (or later).

If a firmware upgrade to version 4.1.34 (or later) is not possible and the Superdome 2 server is running firmware version 2.53.0, the following procedures can be used to generate a SHA-256 OA certificate so that the latest versions of Internet Explorer (IE) and Firefox (FF) will function properly with the OA Web GUI.

NOTE: Due to a known issue in Superdome 2 firmware versions after 2.53.0 that causes the Onboard Administrator not to accept CA certificates, this procedure applies only to version 2.53.0 and not to later versions.

NOTE: Even with this workaround, IE and FF may not provide secure access to vMedia, because the iLO certificate uses SHA-1 and a SHA-2 certificate cannot be generated for it without upgrading the firmware to version 4.1.34.

NOTE: The instructions are written for the OA Command Line Interface (CLI) because the GUI may not function beginning on January 1, 2017 with firmware version 2.53.0 and the latest browser versions.

1. Log into the OA CLI and execute the command "generate certificate request". Fill out the required fields. See the "Certificate Administration" section of the OA user guide for the description of each field and recommendations.
2. Copy the generated text, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines, into a file and save it. This file is called a CSR. Name it <oa#-name>.CSR, where # is the OA bay number.
3. Repeat steps 1 and 2 for each OA in the complex.
   Note: If enclosure IP mode is used, use the same common name (CN) for both OA 1 and OA 2. This ensures that the CN exactly matches the fully qualified domain name (FQDN) used in the web browser. See "Certificate Administration" in the OA user guide for more information.
4. Gather the CSR files and submit them to the Certificate Authority (CA) to generate SHA-256 certificates. Name them <oa#-name>.CRT, where # is the OA bay number.
   Note: Only generate a SHA-256 certificate. Do not use any other algorithm for this workaround.
5. Put the generated SHA-256 certificates on an FTP or HTTP server.
6. On the active OA of the enclosure, execute:
       DOWNLOAD OA CERTIFICATE # <URL>
   where # is the OA number and <URL> is the FTP/HTTP path to the corresponding <oa#-name>.CRT.
7. When the OA returns from its reboot, log into the OA CLI, run SHOW OA CERTIFICATE, and verify that the information matches that of the <oa#-name>.CRT generated by the CA.
8. Test the GUI connection to the OA using both IE and FF.

NOTE: HPE recommends using a trusted Certificate Authority (CA) to generate new OA SHA-256 certificates. However, a CA can be set up manually by using OpenSSL. The instructions assume OpenSSL is already installed on a Linux or Windows workstation. The following instructions use Linux and OpenSSL version 1.0.1f. The commands should be the same for Windows/HP-UX and for different versions of OpenSSL.

1. Open a shell on Linux.
2. Create a directory to store all certificates. Name it Custom_CA:
       mkdir Custom_CA
3. Change directory to Custom_CA:
       cd Custom_CA
4. Create a new directory under Custom_CA. Name it new_certs:
       mkdir new_certs
5. Create an index.txt file:
       touch index.txt
6. Create a serial.txt file and put 01 into it:
       echo 01 > serial.txt
7. Use an editor to create a custom OpenSSL config file. Name it openssl.conf. Put the following text in the openssl.conf file and save it:
       [ ca ]
       default_ca = ca_default

       [ ca_default ]
       dir = ./
       certs = $dir
       new_certs_dir = $dir/new_certs
       database = $dir/index.txt
       serial = $dir/serial.txt
       #RANDFILE = $dir/ca.db.rand
       certificate = $dir/CA.crt
       private_key = $dir/CA.key
       default_days = 3650
       default_crl_days = 30
       default_md = sha256
       preserve = no
       policy = generic_policy

       [ generic_policy ]
       countryName = optional
       stateOrProvinceName = optional
       localityName = optional
       organizationName = optional
       organizationalUnitName = optional
       commonName = supplied
       emailAddress = optional

       [ req ]
       default_bits = 2048
8. Generate a new CA key:
       openssl genrsa -out CA.key 2048
9. Generate a new CA certificate:
       openssl req -new -x509 -days 3650 -key CA.key -out CA.crt -sha256
10. Generate an OA certificate using the OA CSR:
       openssl ca -config ./openssl.conf -in <oa#-name>.csr -out <oa#-name>.crt
11. Verify the new OA certificate. Make sure the signature algorithm shows sha256WithRSAEncryption and that the CN matches the OA FQDN:
       openssl x509 -in <oa#-name>.crt -noout -text
12. Upload the certificate (.CRT) file from step 10 to the OA.
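The following script is an added example, not part of the HPE advisory, that automates the two checks the advisory describes: identifying whether an installed OA certificate carries a SHA-1 or SHA-2 signature, and the step 11 verification that the new certificate is sha256-signed and that its CN equals the FQDN typed into the browser. It assumes an openssl binary in PATH; the hostname oa1.example.internal, the file names and the self-signed sample certificate are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the HPE advisory). Reads the signature algorithm and CN of an
# OA certificate with openssl and applies the advisory's SHA-1 / SHA-2 classification.
# Assumes: `openssl` in PATH; oa1.example.internal is a constructed stand-in FQDN.
set -eu

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Classify as the advisory does: SHA256/384/512 => SHA2, SHA1 => SHA1 (must be replaced).
# Also matches ECDSA-style names (ecdsa-with-SHA256), which the advisory does not cover.
cert_family() {
  case "$(sig_alg "$1")" in
    sha256*|sha384*|sha512*|*SHA256*|*SHA384*|*SHA512*) echo SHA2 ;;
    sha1*|*SHA1*)                                      echo SHA1 ;;
    *)                                                 echo UNKNOWN ;;
  esac
}

# Step 11 check: SHA-2 signature and CN equal to the FQDN used in the browser ($2).
# Returns 0 when both hold, 1 otherwise.
verify_oa_cert() {
  [ "$(cert_family "$1")" = SHA2 ] && [ "$(cert_cn "$1")" = "$2" ]
}

# Fetch the certificate an OA web GUI presents on port 443 (the browser-side
# "view certificate details" check, done from a shell instead). Not run in the test.
fetch_oa_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Constructed sample: self-signed SHA-256 certificate standing in for an OA certificate.
# $1 = output PEM path, $2 = CN to embed.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

Against a live OA, `fetch_oa_cert oa1.example.internal > oa1.crt` followed by `cert_family oa1.crt` reports SHA1 or SHA2 for the certificate the GUI is actually serving.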