Managing the SSL Process

An unusual number of recent news articles spotlighting SSL security flaws, including Heartbleed, POODLE, and FREAK, has forced major security policy changes in communication software and compliance standards. To meet future security challenges and continue doing business, this session highlights how the Rocket MV product family can help you fortify your data communications and meet the compliance requirements of today and tomorrow.

Published in: Software

  1. 1. 1 Managing the SSL Process Nik Kesic Principal Technical Support Engineer
  2. 2. 2 Credits and Acknowledgements Presenters • Nik Kesic, Principal Technical Support Engineer Developers • Nik Kesic, Principal Technical Support Engineer • Jing Cui, Principal Software Engineer • John Jenkins, Senior Technical Support Engineer ©2015 Rocket Software, Inc. All Rights Reserved.
  3. 3. 3 Abstract ▪ An unusual number of recent news articles spotlighting SSL security flaws, including Heartbleed, POODLE, and FREAK, has forced major security policy changes in communication software and compliance standards. To meet future security challenges and continue doing business, this session highlights how the Rocket MV product family can help you fortify your data communications and meet the compliance requirements of today and tomorrow.
  4. 4. 4 Agenda SSL Vulnerabilities Trends/Industry standards U2 products & features Call for action Summary Resources
  5. 5. 5 MV Security Model ADE SSL HADR SSO PKI AUDIT HIPAA PCI
  6. 6. 6 SSL
  7. 7. 7 SSL Agenda Application model Unsecure communication What is SSL? Why do we need SSL? How SSL works How is SSL supported in U2? Certificate generation Digital certificates Security Context Record (SCR) XAdmin: Managing SCR and U2 services
  8. 8. 8 Hypothetical Application Model @ID 104357 FNAME John LNAME Doe ADDRESS 4600 S Ulster St CITY Denver STATE CO ZIP 80237 PHONE 800-426-4357 DOB 12/31/1967 SSN 123-45-6789 Client Application U2 Server Extranet Internet U2 Server Telnet Client Intranet Firewall U2 Web Service
  9. 9. 9 Connect Connection Accepted Login: myuser MyUser01 Password: mypassword You are logged in Customer Data Unirpc/telnet protocol Client / Server: Unsecured Communication
  10. 10. 10 What is SSL? Protocol that provides privacy and reliability between two communicating applications U2 supports SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 • SSL (Secure Sockets Layer) ▪ V2, V3: No longer recommended • TLS (Transport Layer Security) ▪ IETF standard, improvement on SSLv3 ▪ V1.0 no longer recommended ▪ V1.1 recommended ▪ V1.2 recommended
  11. 11. 11 What is SSL? Protocol layer • Higher layer is used to encapsulate various application level protocols • Record layer layered on top of a reliable transport protocol (TCP) [Diagram labels: LDAP, FTP, Telnet, HTTP; SSL/TLS (SSL higher layer, SSL record layer); TCP; IP; other protocol layers]
  12. 12. 12 Why Do We Need SSL? Goals of communication security • Confidentiality ▪ Problem: Anyone can see clear text ▪ Solution: Encrypt the text • Message Integrity ▪ Problem: Someone might alter the data ▪ Solution: Guarantee the message block is original • Endpoint Authentication ▪ Problem: Not sure who you are talking with ▪ Solution: Ensure the communication end point is the intended target
  13. 13. 13 Client / Server: Secure Communication Client Hello Server Hello Key Exchange Cipher Suite Negotiation Get Data Data Transfer Secure Data Transfer SSL Handshake SSL Data Transfer Unirpc svc name Data Transfer Secure credentials
  14. 14. 14 How Is SSL Supported in U2? Server products • Basic engine – BASIC Extensions ▪ Secure Sockets ▪ Secure CallHTTP (HTTPS) ▪ Secure Soap • Telnet server • Unirpc services
  15. 15. 15 How Is SSL Supported in U2? Client products • UOJ, UniJDBC, UniOLEDB, ODBC drivers, UniObjects • SBClient • wIntegrate • U2 Web Services – REST and SOAP • UODOTNET • U2 Web DE: 5.x • U2 Toolkit • U2 DBT resource view • SB/XA
  16. 16. 16 How Is SSL Supported in U2? Underlying technology for U2 SSL • OpenSSL: for engine & telnet/UniObject/UniODBC/SBClient/wIntegrate • JSSE: for UOJ, UniJDBC & U2 Web Services • sslStream: for .NET Clients & SB/XA
  17. 17. 17 Digital Certificates SHA1 now being discontinued SHA2 making its presence known Upgrade is important to meet the SHA2 presence
  18. 18. 18 U2 Certificate Management XAdmin • Two-step process ▪ Generate a Certificate Signing Request (CSR) using XAdmin, BASIC, or Java keytool ▪ Obtain the certificate • Two ways to obtain a certificate ▪ Provide CSR to a third-party Certificate Authority (CA) o Recommended for production environment ▪ Use XAdmin to generate certificate o Suitable for development environment or “closed world” • Four types of certificate stores ▪ OS-level files ▪ Java key store ▪ Windows Certificate Store ▪ U2 Root Certificate Store
  19. 19. 19 Java Certificate Management keytool • Performs similar tasks to XAdmin SSL Configure ▪ Certificate request (certreq) ▪ Import of certificates (import) • Handles both key store and trust store • Used for Java clients & servers ▪ UOJ, UniJDBC ▪ U2 Soap server/Web Services Development tool • Extracting certificates from pkcs12
  20. 20. 20 Security Context Record (SCR) A structure used by U2 servers to store data for an SSL session Holds all U2 SSL related properties Encrypted & stored in U2 SCR store • _SECUCTX_(for UD), &SECUCTX& (for UV) • SCR store must exist locally in each account (not file pointer) ODBC client products do not use SCR • SSL Configuration Editor
  21. 21. 21 XAdmin: Managing SCR and U2 Services Two-step process • Create a Security Context Record (SCR) • Match the service to the SCR Pre-requisites to creating a SCR • Certificate(s) ▪ Server: Requires its own certificate ▪ Clients: Require CA-certificates to verify server • Private key ▪ Servers: Required ▪ Clients: Optional
  22. 22. 22 Summary for U2 SSL ▪ SSL is for data transmission security ▪ U2 supports SSL in (almost) all products ▪ Two must-know things in setting up SSL for U2 • Certificates ▪ CA and certificate hierarchies ▪ 4 types of certificate stores ▪ Use of XAdmin, OpenSSL, Java keytool, SSL Editor • Security Context Record (SCR) ▪ Associates certificates/private key to a server/client ▪ Created by XAdmin, BASIC ▪ Troubleshooting U2 SSL problems • Logging is available on all servers & clients • U2 BASIC: ProtocolLogging()
  23. 23. 23 Vulnerabilities, Trends, and Actions
  24. 24. 24 Vulnerabilities • Heartbleed – patch to OpenSSL 1.0.1m • ShellShock – U2 not affected • Poodle – patch to OpenSSL 1.0.1m • Freak – patch to OpenSSL 1.0.1m • LogJam – patch to OpenSSL 1.0.1m
  25. 25. 25 Trends & Industry Standards – Microsoft Microsoft policy change • Microsoft Root Certificate Program ▪ SHA1 not allowed after January 1, 2016 • Disabled security protocols ▪ SSL 3.0 will be disabled ▪ TLSv1.0 questionable
  26. 26. 26 Trends & Industry Standards - Java Oracle Java policy change • Starting with the January 20, 2015 Critical Patch Update releases • Java Runtime Environment has SSLv3 disabled by default • JDK 8u31 • JDK 7u75 • JDK 6u91 http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
  27. 27. 27 Java 8 Security Protocols
      Protocol | Enabled by default for Client | Enabled by default for Server
      SSLv3 | No | No
      TLSv1 | Yes | Yes
      TLSv1.1 | Yes | Yes
      TLSv1.2 | Yes | Yes
  28. 28. 28 Trends & Industry Standards - PCI “…SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately.”
  29. 29. 29 Trends & Industry Standards - HIPAA Follows NIST 800-52 • SSL v3 must not be used • TLS v1.0 ok for interoperability with non-government • TLS v1.1 & (TLS v1.2 recommended) • Only recommended ciphers to be used http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
  30. 30. 30 U2 Products and Features
  31. 31. 31 UniData Database and Versions
      6.1.x > 7.3.6 • OpenSSL 0.9.7e • SSLv2, SSLv3, TLSv1 • SHA1
      7.3.7 • OpenSSL 1.0.1m • SSLv2, SSLv3, TLSv1 • SHA1 and SHA2
      8.1.x • OpenSSL 1.0.1m • SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 • SHA1 and SHA2 • Enhanced CRL • Windows release can enable or disable non-secure telnet
  32. 32. 32 UniVerse Database and Versions
      11.1.x > 10.1.15 • OpenSSL 0.9.7e • SSLv2, SSLv3, TLSv1 • SHA1
      11.2.0 • OpenSSL 1.0.1c • SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 • SHA1 and SHA2
      11.2.0 > 11.2.4 • OpenSSL 1.0.1m • SSLv2, SSLv3, TLSv1 • SHA1 and SHA2
      11.2.5 • OpenSSL 1.0.1m • SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 • SHA1 and SHA2 • Enhanced CRL
  33. 33. 33 udtconfig / uvconfig
      # Communication and security section
      #
      SSL_PROTOCOLS TLSv1,TLSv1.1,TLSv1.2
      SSL_OPTIONS NO_TLS_FALLBACK_SCSV
  34. 34. 34 uvtelnetd/udtelnetd on UNIX/Linux /etc/inetd.conf
      uvssltelnet stream tcp nowait root /disk1/uv1125/bin/uvtelnetd uvtelnetd -d 3 -P sslv3+tlsv1+tlsv1.1+tlsv1.2
      udssltelnet stream tcp nowait root /disk1/ud81/bin/udtelnetd udtelnetd -d 3 -P sslv3+tlsv1+tlsv1.1+tlsv1.2
  35. 35. 35 uvtelnetd/udtelnetd Registry on Windows
  36. 36. 36 U2 Clients - Programming
      using U2.Data.Client;
      …
      U2ConnectionStringBuilder conn_bldr = new U2ConnectionStringBuilder();
      …
      conn_bldr.SslProtocols = "Tls12";
      // certificate revocation list check: false = revocation is not checked
      conn_bldr.SslCheckCertificateRevocation = false;
      // common name vs. server name check: true = a mismatch is ignored
      conn_bldr.SslIgnoreCertificateNameMismatch = true;
      // root trust store check: true = an incomplete certificate chain is ignored
      conn_bldr.SslIgnoreIncompleteCertificateChain = true;
      …
  37. 37. 37 UODOTNET- Programming
  38. 38. 38 U2 Clients - ODBC U2 ODBC MSI Installer (32-bit/64-bit) New Registry Items • We have added SSL_PROTOCOLS REG_SZ TLSv1.1,TLSv1.2 • We have added SSL_OPTIONS REG_SZ TLS_FALLBACK_SCSV
  39. 39. 39 U2 Clients - ODBC U2 ODBC MSI installer (32-bit/64-bit) New registry items • SSL_PROTOCOLS REG_SZ TLSv1.1,TLSv1.2 • SSL_OPTIONS REG_SZ TLS_FALLBACK_SCSV
  40. 40. 40 U2 Clients - ODBC
  41. 41. 41 XAdmin 4.x.x Manages • Secure Socket Layer (SSL) • Audit • Advanced Data Encryption Menus support all new features in UniData 8.1.0 and UniVerse 11.2.5 Secure “Resource View”
  42. 42. 42 Root Certificate Store • Takes away the mystery and complexity • Secure CallHTTP and SOAP programming is simpler • RCS is based on the Java 1.7 cacerts file • Updating the .u2rcs repository is a regular administration task
  43. 43. 43 Root Certificate Store Manager ▪ The rcsman utility manages the U2 Root Certificate Store ▪ rcsman commands • List • Import • Export • Delete • Change password • help default certificate store file = .u2rcs
  44. 44. 44 Exporting Windows Trusted Root Certificates
  45. 45. 45 Root Certificate Store Import
  46. 46. 46 pkcs#12 / pfx Support ▪ addCertificate(certPath, usedAs, format, algorithm, context, p12pass) ▪ setPrivateKey(key, format, keyLoc, passPhrase, validate, context, p12pass) ▪ analyzeCertificate(cert, format, result, p12pass) ▪ SIGNATURE(algorithm, action, data, dataLoc, key, keyLoc, keyFmt, pass, sigIn, result, p12pass) ▪ SSL property lists ▪ U2 Root Certificate Store ▪ rcsman utility ▪ XAdmin
  47. 47. 47 .unisecurity cat .unisecurity uvtelnetd /disk1/uv1125/HS.SALES mysha1 "password" udtelnetd /disk1/ud81/demo mysha1 "password" # cat .unisecurity N0lIclNYcTNWV2gxaGdVMnNkU2FsdF+7g0V3hwz+IeGxZ7oT/LFLwESiBqQtYZnnkO2OJW8 HzSfe3v7IX1qMRa8Ry0bxiSeOK5CJzsDFRUku8sxKUqQM8U61ZwdrJpnfwdpwsCHxVsTKl+ P59WevZHO0vVHxWe/Scpt0SHVBHSDSCJh7chOmhg8yuzUI3Ho4iA/0me3v/mYRugFXHcze YpUkVqmzLL5jTU68qG2c#
  48. 48. 48 .unisecurity - XAdmin
  49. 49. 49 .unisecurity – secuconf Command secuconf • The secuconf command is used to encrypt, decrypt, or modify the information in the .unisecurity file • secuconf {-encrypt|-decrypt|-retag|-edit|-isencrypted} [-pass password|-newpass new password|-out outfile|-log logfile|-editor editor|-tag] cfgfile
  50. 50. 50 wIntegrate 6.3.7
  51. 51. 51 SBClient 6.3.3
  52. 52. 52 U2 DBTools Resource View
  53. 53. 53 Tips Ciphers • -cipher RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW • HIGH:!aNULL:!MD5:!EXP OpenSSL command line tool • OpenSSL s_server … • OpenSSL s_client …
  54. 54. 54 Certificate Management Tool - CMT These statements represent Rocket Software’s current intentions. Rocket development plans are subject to change or withdrawal without further notice. Any reliance on these statements is at the relying party’s sole risk and will not create any liability or obligation for Rocket
  55. 55. 55 CMT – What It Does • Convert files from PKCS#12 (pfx) <> PKCS#8 (pem) • Test SSL connections as client or server or both • Create Java Key Store (JKS) • Import and export in JKS • View certificates in pfx, pem, jks
  56. 56. 56 CMT • Get from GitHub • Create certificate request • Create self signed certificate • Create JKS • Fire up SSL server using self-signed • Fire up SSL client and communicate to server
  57. 57. 57 Call for Action - Upgrade UniVerse and UniData using OpenSSL 1.0.1m • UniVerse 11.2.4 • UniVerse 11.2.5 Strongly Preferred • UniData 7.3.7 • UniData 8.1.0 Strongly Preferred
  58. 58. 58 Call for Action - Upgrade wIntegrate 6.3.7 SBClient 6.3.3 ODBC 32/64 bit build UCC-3156 U2 Client Toolkit • U2 Data Client • UODOTNET U2 DB TOOLS 4.x
  59. 59. 59 Summary ▪ Data confidentiality, integrity, and availability are under pressure ▪ Advanced Persistent Threat (APT) ▪ Compliance with security auditing is necessary and complex ▪ Upgrading is more urgent than ever to meet compliance ▪ Rocket Software is committed to meeting the technical security challenges and changes
  60. 60. 60 A Look into the Future TLSv1.3 – RFC-5246 • September 2015, TLS 1.3 is a working draft • Based on the earlier TLS 1.2 specification SHA3 (Secure Hash Algorithm 3) • SHA-3 is not meant to replace SHA-2, as no significant attack on SHA-2 • The SHA-3 standard was released by NIST on August 5, 2015
  61. 61. 61 Additional Resources ▪ Find further information • U2 documentation http://www.rocketsoftware.com/resource/u2-technical-documentation ▪ Links • https://www.rocketsoftware.com • https://technet.microsoft.com/ • https://www.oracle.com • https://openssl.org • https://www.hhs.gov • http://www.rocketsoftware.com/training-and-professional-services/rocket-u2 ▪ Contacts • u2askus@rocketsoftware.com • u2support@rocketsoftware.com
  62. 62. 62 Disclaimer THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. IN ADDITION, THIS INFORMATION IS BASED ON ROCKET SOFTWARE’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY ROCKET SOFTWARE WITHOUT NOTICE. ROCKET SOFTWARE SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: • CREATING ANY WARRANTY OR REPRESENTATION FROM ROCKET SOFTWARE (OR ITS AFFILIATES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS); OR • ALTERING THE TERMS AND CONDITIONS OF THE APPLICABLE LICENSE AGREEMENT GOVERNING THE USE OF ROCKET SOFTWARE.
  63. 63. 63 Trademarks and Acknowledgements The trademarks and service marks identified in the following list are the exclusive properties of Rocket Software, Inc. and its subsidiaries (collectively, “Rocket Software”). These marks are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. Not all trademarks owned by Rocket Software are listed. The absence of a mark from this page neither constitutes a waiver of any intellectual property rights that Rocket Software has established in its marks nor means that Rocket Software is not owner of any such marks. Aldon, CorVu, Dynamic Connect, D3, FlashConnect, Pick, mvBase, MvEnterprise, NetCure, Rocket, SystemBuilder, U2, U2 Web Development Environment, UniData, UniVerse, and wIntegrate Other company, product, and service names mentioned herein may be trademarks or service marks of others.
  64. 64. 64
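
The protocol lists printed on slides 33 and 34 can be checked against the recommendations on slide 10 (SSLv2, SSLv3 and TLS 1.0 no longer recommended; TLS 1.1 and 1.2 recommended). The following is an added example, not part of the original deck or of Rocket's tooling; it assumes the two line formats exactly as the slides show them, and the function names and sample text are constructed for illustration.

```python
import re

# Protocol status as stated on slide 10 of this deck.
NOT_RECOMMENDED = {"sslv2", "sslv3", "tlsv1"}
RECOMMENDED = {"tlsv1.1", "tlsv1.2"}
KNOWN = NOT_RECOMMENDED | RECOMMENDED

# udtconfig/uvconfig form (slide 33): SSL_PROTOCOLS TLSv1,TLSv1.1,TLSv1.2
CONFIG_RE = re.compile(r"^\s*SSL_PROTOCOLS\s+(\S+)")
# inetd.conf form (slide 34): ... uvtelnetd -d 3 -P sslv3+tlsv1+tlsv1.1
INETD_RE = re.compile(r"\b(u[vd]telnetd)\b.*?\s-P\s+(\S+)")

def parse_protocols(value):
    """Split a comma- or plus-separated protocol list into lowercase names."""
    return [p.strip().lower() for p in re.split(r"[,+]", value) if p.strip()]

def audit_line(line):
    """Return (source, protocols) if the line sets a protocol list, else None."""
    if line.lstrip().startswith("#"):
        return None  # comment line in either file format
    m = CONFIG_RE.match(line)
    if m:
        return "SSL_PROTOCOLS", parse_protocols(m.group(1))
    m = INETD_RE.search(line)
    if m:
        return m.group(1), parse_protocols(m.group(2))
    return None

def audit(text):
    """Return one finding per protocol-setting line found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = audit_line(line)
        if hit:
            source, protos = hit
            findings.append({
                "line": lineno,
                "source": source,
                "weak": [p for p in protos if p in NOT_RECOMMENDED],
                "unknown": [p for p in protos if p not in KNOWN],
                "ok": bool(protos) and all(p in RECOMMENDED for p in protos),
            })
    return findings

# Constructed sample built from the settings printed on slides 33 and 34.
SAMPLE = """\
# Communication and security section
SSL_PROTOCOLS TLSv1,TLSv1.1,TLSv1.2
uvssltelnet stream tcp nowait root /disk1/uv1125/bin/uvtelnetd uvtelnetd -d 3 -P sslv3+tlsv1+tlsv1.1+tlsv1.2
SSL_PROTOCOLS TLSv1.1,TLSv1.2
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample, both settings copied from the slides are flagged (TLSv1 in the config line; SSLv3 and TLSv1 in the telnet daemon line), and only the last line, restricted to TLSv1.1 and TLSv1.2, passes.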