Showing posts with label Tomcat. Show all posts

Wednesday, November 25, 2015

SSL certificate hash transition from SHA1 to SHA2. ORA-28857

Abstract

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005. As part of their SHA-2 migration plan, Google, Microsoft and Mozilla have announced that they will stop trusting SHA-1 SSL certificates. Google will begin phasing out trust in SHA-1 certificates by the end of 2014, while Microsoft and Mozilla will begin phasing out trust for SHA-1 certificates in 2016.

Problem(s)

If you are using Google Chrome, some HTTPS websites or services using SHA-1 will not open and you will likely get the error displayed in the article image. Another situation you may bump into is Oracle Wallet. It looks like Oracle up to 11.2.0.2 doesn't support SHA-2 based certificates. If you have a 10.x wallet and the website changed its certificate to SHA-2, you will not be able to import it; you will get the error "some trusted certificates could not be installed". See the image attached.
Also, when connecting to such a site using UTL_HTTP.REQUEST you will end up with an ORA error: "Request Failed: ORA-28857: Unknown SSL error".

Suggestions

Upgrade Java, Tomcat and Oracle.

Dates to remember

November 2014 - SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome 39.
December 2014 - SHA-1 SSL Certificates expiring after May 31, 2016 will show a warning in Chrome 40.
January 2015 - SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome 41.
January 1, 2016 - Microsoft ceases to trust Code Signing Certificates that use SHA-1.
January 1, 2017 - Mozilla Firefox and Microsoft cease to trust SSL Certificates that use SHA-1.

Services currently supporting SHA2

Apache server 2.0.63+ with OpenSSL 0.9.8o+
Java based servers using Java 1.4.2+
OpenSSL based servers using OpenSSL 0.9.8o+
Oracle Wallet Manager 11.2.0.1+
Oracle Weblogic 10.3.1+
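A check to run against your own servers before the dates above arrive, added here as an example and not part of the original post: it classifies a certificate from the text dump that "openssl x509 -noout -text" produces, applying the schedule listed above (a SHA-1 certificate expiring in 2016 or later draws the Chrome 41 warning, and Firefox and Microsoft stop trusting SHA-1 on January 1, 2017). The function name sha1_cert_status and the two sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: classify a certificate by the
# signature algorithm and expiry found in the text dump that
#   openssl x509 -in cert.pem -noout -text
# produces, against the browser dates listed in the post. On a live server:
#   openssl s_client -connect host:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | sha1_cert_status

# Reads the dump on stdin and prints exactly one of:
#   OK             signature is not SHA-1 (SHA-2 family or other)
#   SHA1-WARN      SHA-1 signed and expiring in 2016 or later: Chrome 41 warns,
#                  Firefox and Microsoft stop trusting it on January 1, 2017
#   SHA1-LEGACY    SHA-1 signed but expires before 2016: tolerated by the
#                  schedule above, still worth replacing early
#   UNKNOWN-EXPIRY SHA-1 signed, "Not After" line missing or not parseable
sha1_cert_status() {
    dump=$(cat)
    # The algorithm is printed twice (inside tbsCertificate and for the outer
    # signature); both carry the same value, so the first occurrence is enough.
    sigalg=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # "Not After : Mar  1 12:00:00 2017 GMT" -> the four-digit year
    year=$(printf '%s\n' "$dump" | sed -n 's/^ *Not After *: *//p' | head -n 1 \
           | sed -n 's/.*\([0-9][0-9][0-9][0-9]\) GMT.*/\1/p')
    case "$sigalg" in
        *[sS][hH][aA]1*) ;;      # sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1
        *) echo OK; return 0 ;;
    esac
    if [ -z "$year" ]; then
        echo UNKNOWN-EXPIRY
    elif [ "$year" -ge 2016 ]; then
        echo SHA1-WARN
    else
        echo SHA1-LEGACY
    fi
}

# Constructed sample dumps, trimmed to the two lines the function reads.
SAMPLE_SHA1='        Signature Algorithm: sha1WithRSAEncryption
            Not After : Mar  1 12:00:00 2017 GMT'
SAMPLE_SHA256='        Signature Algorithm: sha256WithRSAEncryption
            Not After : Mar  1 12:00:00 2017 GMT'

printf '%s\n' "$SAMPLE_SHA1"   | sha1_cert_status   # SHA1-WARN
printf '%s\n' "$SAMPLE_SHA256" | sha1_cert_status   # OK
```

The check looks only at the end-entity certificate; intermediates in the chain need the same check, since a SHA-1 signed intermediate draws the same browser treatment.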


Thursday, July 2, 2015

Leap second bug 2015. Linux/Centos, 100% CPU: Java, Oracle, OPMN, Tomcat


Oh dear, it looks like some services are having serious issues with the leap second added last night. Read more about Leap Second 2015 in Wiki. The fix is simple:

# service ntpd stop; date -s "`date`";service ntpd start;

or

# /etc/init.d/ntpd stop; date -s "`date`"; /etc/init.d/ntpd start;

The problem occurred on an older web server running Java/Oracle. All CPUs went to 100%. All services that had anything to do with the JVM went bonkers: Tomcat, OPMN, Oracle, WebCache.

At first I disabled services that were failing and were not so important, but then all the others jumped to 100% CPU. It took some minutes before the situation was clear: all stuck services had one thing in common, Java. Once they went down, CPU went to idle. Those who were prepared for this day did that 3 years ago. Happy restarting, all the lazy admins.

Monday, October 6, 2014

Standalone Tomcat7 re-deployment for Oxalis

It's already the third time I have had to re-deploy Tomcat due to application, environment or even Tomcat issues.

Current system/situation:
- CentOS 6.5
- Running Tomcat6 and Tomcat7 (7.0.37), integrated
- Difi Oxalis can't run in the same 'house' as the Difi XML validator
- Difi Oxalis AS2 has MIME issues running on Tomcat 7.0.37-7.0.40
- Java available: 1.6, 1.7 (both JDKs and JREs). Ref "update-alternatives --config java"

Quick cheat-sheet on how to re-deploy Tomcat7 (7.0.55) with Oxalis config:

# cd /opt/
# wget http://apache.mirror.vu.lt/apache/tomcat/tomcat-7/v7.0.55/bin/apache-tomcat-7.0.55.tar.gz
# tar -xvf apache-tomcat-7.0.55.tar.gz
# mv apache-tomcat-7.0.55 tomcat7
# cd tomcat7
# export TOMCAT_HOME=/opt/tomcat7
# export CATALINA_HOME=/opt/tomcat7
# ant -Dtomcat.home=$TOMCAT_HOME -f /root/metro/metro-on-tomcat.xml install
# nano /opt/tomcat7/tomcat-users.xml

   <user username="manager" password="******" roles="manager"/>

# nano /opt/tomcat7/web.xml
    -- comment out all the welcome lines. cocoon needs this
    <welcome-file-list>
     <!--
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
     -->
    </welcome-file-list>

# cp /var/lib/tomcat7/webapps/*.war /opt/tomcat7/webapps/
# nano /opt/tomcat7/server.xml

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello"
             keystoreFile=".keystore" keyAlias="tomcat" keystorePass="******" />

# cp /usr/share/tomcat7/ssl_tomcat /opt/tomcat7/ -R
# cp /usr/share/tomcat7/.keystore /opt/tomcat7/
# sh bin/startup.sh

--- edit or create tomcat startup script

# nano /etc/init.d/tomcat7

  #!/bin/bash
  # description: Tomcat Start Stop Restart
  # processname: tomcat
  # chkconfig: 234 20 80
  # JAVA_HOME is expected from the environment; PATH is extended so the
  # catalina scripts can find java.
  PATH=$JAVA_HOME/bin:$PATH
  export PATH
  CATALINA_HOME=/opt/tomcat7
  # Service name, used for the pid file and status messages
  NAME=tomcat7
  RETVAL=0

  # Define the tomcat username (used to find the JVM process in "status";
  # start/stop run the catalina scripts as the invoking user)
  TOMCAT_USER="${TOMCAT_USER:-tomcat}"

  case $1 in
  start)
    sh $CATALINA_HOME/bin/startup.sh
  ;;
  stop)
    sh $CATALINA_HOME/bin/shutdown.sh
  ;;
  restart)
    sh $CATALINA_HOME/bin/shutdown.sh
    sh $CATALINA_HOME/bin/startup.sh
  ;;
  status)
    if [ -f "/var/run/${NAME}.pid" ]; then
      # status ${NAME}
      # RETVAL="$?"
      read kpid < /var/run/${NAME}.pid
      if [ -d "/proc/${kpid}" ]; then
        echo "${NAME} (pid ${kpid}) is running..."
        RETVAL="0"
      else
        echo "${NAME} is dead but pid file exists"
        RETVAL="1"
      fi
    else
      pid="$(/usr/bin/pgrep -d , -u ${TOMCAT_USER} -G ${TOMCAT_USER} java)"
      if [ -z "$pid" ]; then
        # status ${NAME}
        # RETVAL="$?"
        echo "${NAME} is stopped"
        RETVAL="3"
      else
        echo "${NAME} (pid $pid) is running..."
        RETVAL="0"
      fi
    fi
  ;;
  version)
    sh $CATALINA_HOME/bin/version.sh
  ;;
  *)
    echo "Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status|version}"
    RETVAL="2"
  esac
  # Return the LSB status code instead of always 0
  exit $RETVAL

# chmod 755 /etc/init.d/tomcat7
# chkconfig --add tomcat7
# chkconfig --level 234 tomcat7 on
# chkconfig --list tomcat7
# /etc/init.d/tomcat7 restart

Some explanations of the cheat-sheet:
- Tomcat7 was deployed as the current stable CentOS-compatible version (7.0.37)
- wget url - download using your preferred mirror
- Metro requirement - refer to the Oxalis installation description; it's just one .jar file stored in the endorsed dir, and it might as well be copied from your old Tomcat installation
- passwords in '*******' - don't forget to replace them with your own passwords
- cocoon installation is optional
- please note that Tomcat 7.0.55 can't locate your .keystore and you have to define its path manually using the attributes "keystoreFile" and "keyAlias", which were not needed before
- sslEnabledProtocols is another fix related to SSLv2 being disabled in Java 7 and OpenSSL 1.0.0+
- ssl_tomcat folder is optional
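The sslEnabledProtocols value in the cheat-sheet's connector keeps SSLv3 and SSLv2Hello enabled, which is easy to carry over unnoticed from one re-deployment to the next. The following audit, added here as an example and not part of the original post or of Tomcat, reads a server.xml, flags the obsolete entries (SSLv2, SSLv2Hello and SSLv3, the last deprecated by RFC 7568) and prints the TLS-only value to put back. The function names, the one-line attribute assumption and the sample connector are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sslEnabledProtocols
# attribute of the HTTPS <Connector> in server.xml and print the TLS-only
# value to put back. Reads server.xml on stdin; assumes the attribute is
# written on a single line as sslEnabledProtocols="...". Usage:
#   audit_connector < /opt/tomcat7/conf/server.xml

# Prints the comma-separated protocol list, or nothing if the attribute is absent.
ssl_enabled_protocols() {
    sed -n 's/.*sslEnabledProtocols="\([^"]*\)".*/\1/p' | head -n 1
}

# Splits a comma list into one trimmed entry per line.
split_list() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | sed '/^$/d'
}

# Prints the entries of $1 that should not be offered: SSLv2, SSLv2Hello and
# SSLv3 (deprecated by RFC 7568). Output is a comma list, empty if none.
weak_protocols() {
    split_list "$1" | grep -E '^(SSLv2|SSLv2Hello|SSLv3)$' | paste -sd, -
}

# Prints $1 with the weak entries removed. Falls back to TLSv1 when nothing
# is left, because Java 6 (used in the post's environment) supports nothing
# newer; on Java 7+ prefer TLSv1.2.
tls_only() {
    kept=$(split_list "$1" | grep -vE '^(SSLv2|SSLv2Hello|SSLv3)$' | paste -sd, -)
    [ -n "$kept" ] || kept="TLSv1"
    printf '%s\n' "$kept"
}

# Reads server.xml on stdin and prints one verdict line.
audit_connector() {
    protos=$(ssl_enabled_protocols)
    if [ -z "$protos" ]; then
        echo "NONE: no sslEnabledProtocols attribute (JVM default applies)"
        return 0
    fi
    weak=$(weak_protocols "$protos")
    if [ -n "$weak" ]; then
        echo "WEAK: $weak enabled; use sslEnabledProtocols=\"$(tls_only "$protos")\""
    else
        echo "OK: $protos"
    fi
}

# Constructed sample: the connector from the cheat-sheet above.
SAMPLE_SERVER_XML='<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,SSLv3,SSLv2Hello"
           keystoreFile=".keystore" keyAlias="tomcat" keystorePass="******" />'

printf '%s\n' "$SAMPLE_SERVER_XML" | audit_connector
# WEAK: SSLv3,SSLv2Hello enabled; use sslEnabledProtocols="TLSv1"
```

Running the audit as part of the re-deployment steps (right after the server.xml edit) turns the protocol list into something that is checked rather than remembered.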

Monday, March 24, 2014

Tomcat7 startup. This account is currently not available.

There are a couple of possible causes and solutions online. The main problem is pretty obvious: the tomcat user account.
One of the solutions says:

Using a standard Tomcat installation and a tomcat user with no login shell, attempts to start Tomcat failed with a "This account is currently not available." message. However, the tomcat user shouldn't have a shell available as it's not a login account. Updating the tomcat6 command in /etc/init.d/tomcat6 to specify the shell when invoking Tomcat fixes this.

Some other solutions say that the account should be reset, the password changed and the shell set from nologin to bash. In all these cases you are opening a security hole; the tomcat account should stay disabled in all cases. My suggestion would be to check whether you had a tomcat user defined before, for example when deploying tomcat6. Then check if TOMCAT_HOME matches the tomcat user's home. If the TOMCAT_HOME value is set to /usr/share/tomcat6 and you are starting tomcat7, you will get the same error as with a locked account.
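A diagnostic for the two causes discussed in this post, added here as an example and not part of the original post: it reads the tomcat account's passwd entry and the TOMCAT_HOME the init script uses, reports a login shell (the account should stay disabled) and a home/TOMCAT_HOME mismatch (the tomcat6 vs tomcat7 case above), and prints the start command that specifies the shell explicitly so the nologin shell can be kept. The function names and the sample passwd line are constructed for this example; "su -s" is the GNU su option for choosing the shell.

```shell
#!/bin/sh
# Added example, not from the original post: diagnose "This account is
# currently not available." from the tomcat account's passwd entry and the
# TOMCAT_HOME the init script uses, without touching the account itself.
# Usage: check_tomcat_account "$(getent passwd tomcat)" /opt/tomcat7

# passwd fields: name:passwd:uid:gid:gecos:home:shell
passwd_field() {  # $1 = passwd line, $2 = field number (1-7)
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# The start command that works with a nologin shell: give su the shell
# explicitly instead of relying on the account's own, so the account can
# stay disabled for logins.
start_command() {  # $1 = user, $2 = TOMCAT_HOME
    printf 'su -s /bin/sh -c "%s/bin/startup.sh" %s\n' "$2" "$1"
}

# Prints one finding per line, or "OK" when there is none:
#   LOGIN-SHELL    the service account has an interactive shell; set it back to nologin
#   HOME-MISMATCH  TOMCAT_HOME differs from the account's home directory
check_tomcat_account() {  # $1 = passwd line, $2 = TOMCAT_HOME
    name=$(passwd_field "$1" 1)
    home=$(passwd_field "$1" 6)
    shell=$(passwd_field "$1" 7)
    findings=""
    case "$shell" in
        */nologin|*/false) ;;   # correct for a service account
        *) findings="LOGIN-SHELL: $name has shell $shell; use /sbin/nologin and start with: $(start_command "$name" "$2")
" ;;
    esac
    if [ "$home" != "$2" ]; then
        findings="${findings}HOME-MISMATCH: $name home is $home, TOMCAT_HOME is $2
"
    fi
    if [ -n "$findings" ]; then
        printf '%s' "$findings"
    else
        echo OK
    fi
}

# Constructed sample: a tomcat6-era account reused for a tomcat7 install.
SAMPLE_PASSWD='tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat6:/sbin/nologin'
check_tomcat_account "$SAMPLE_PASSWD" /opt/tomcat7
# HOME-MISMATCH: tomcat home is /usr/share/tomcat6, TOMCAT_HOME is /opt/tomcat7
start_command tomcat /opt/tomcat7
# su -s /bin/sh -c "/opt/tomcat7/bin/startup.sh" tomcat
```

The printed start command is what belongs in the init script's start branch when Tomcat is to run as the tomcat user; the account keeps /sbin/nologin and no password is ever set on it.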