IT16953: STORAGE RESOURCE AGENT TO USE CERTIFICATES SHA-256 FROM SHA1

IBM Spectrum Control V5.2.15 (August 2017)
IBM Spectrum Control V5.2.15.2 (November 2017)
IBM Spectrum Control V5.2.16 (March 2018)
IBM Spectrum Control V5.2.17 (May 2018)

APAR status

• Closed as fixed if next.

Error description

• Current methodology with Storage Resource Agent utilizes SHA1
  certification.
  APAR created to Investigate SHA-256 certification with Storage
  Resource Agent deployments.
  
  RECREATE STEPS:
  
  Install Storage Resource Agent and view certificates utilizing
  SHA1 algorithm.
  
  ________________________________________________________________
  
  DB2 Version used for Server: N/A
  The defect is against component: 5608TPC00
  Server/Manager build/release (TPC): 5.2.7
  Agent build/release (TPC):
  Server/Manager (OS):  Windows 2012 SE
  Agent (OS):
  ________________________________________________________________
  
  Problem as described by customer: Storage Resource Agents do not
  use SHA-256 certificates
  Initial customer impact (low/med/high):  med
  

Local fix

• TBD
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * IBM Spectrum Control 5.2.x users with Storage Resource       *
  * Agents deployed                                              *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * Current methodology with Storage Resource Agent (SRA)        *
  * utilizes SHA1 certification.  This APAR is created to        *
  * investigate SHA-256 certification with Storage Resource      *
  * Agent deployments.                                           *
  *                                                              *
  * While upgrading Spectrum Control, the upgrade of the         *
  * certificates will happen automatically and without           *
  * interruption, because the trust is established based on the  *
  * CA certificate which signed the certificates that are used   *
  * by the Data Server & SRA. Since the old as well as the new   *
  * certificates will be signed by the same CA certificate,      *
  * there's no impact. However, this only applies to Spectrum    *
  * Control environments that currently use the default 2048 bit *
  * certificates. Spectrum Control environments that still use   *
  * older default certificates (1024 bit length) or Spectrum     *
  * Control environments that have been configured for custom    *
  * certificates cannot be "upgraded" automatically.  In this    *
  * case, the installer will show an appropriate message at      *
  * upgrade time.                                                *
  *                                                              *
  * Additional information:                                      *
  *                                                              *
  *  - IBM Spectrum Control provides default SSL certificates    *
  * for communication between the Data server and Storage        *
  * Resource agent.                                              *
  *  - IBM Spectrum Control Version 5.2.2 (and higher) uses SSL  *
  * certificates with 2048-bit encryption keys whereas previous  *
  * versions of IBM Spectrum Control used 1024-bit encryption    *
  * keys.                                                        *
  *  - If you upgrade IBM Spectrum Control from a version        *
  * earlier than 5.2.2, your SSL certificates are not updated    *
  * automatically.                                               *
  *  - If you want to use 2048-bit encryption keys with previous *
  * versions of IBM Spectrum Control, you must replace the       *
  * default SSL certificates with custom SSL certificates.       *
  *                                                              *
  * Reference documentation:                                     *
  *                                                              *
  * Preparing for an upgrade                                     *
  * https://www.ibm.com/support/knowledgecenter/SS5R93_5.2.14/co *
  * m.ibm.spectrum.sc.doc/fqz0_t_upgrading_prepare.html          *
  *                                                              *
  * Replacing default SSL certificates with custom certificates  *
  * https://www.ibm.com/support/knowledgecenter/SS5R93_5.2.14/co *
  * m.ibm.spectrum.sc.doc/fqz0_r_create_custom_certificate_ssl.h *
  * tml                                                          *
  ****************************************************************
  * RECOMMENDATION:                                              *
  * Apply fix maintenance when available                         *
  ****************************************************************
  

Problem conclusion

• The fix for this APAR is targeted for the following maintenance
  package:
  
  | refresh pack | 5.2-TIV-TPC-RP0015 - target August 2017
  
  Fixed in IBM Spectrum Control 5.2.15
  
  http://www.ibm.com/support/docview.wss?&uid=swg21320822
  
  The target dates for future refresh packs do not represent a
  formal commitment by IBM. The dates are subject to change
  without notice.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels