SSL breaks on Nov 24 (TM1 SSL Certificates Expire on 24 November)

[David Usherwood]

Quite surprised to be the first poster to get this out....
http://www.infocat.co.uk/blog/2016/8/31 ... n-required

[lotsaram]

Quite surprised to be the first poster to get this out....
http://www.infocat.co.uk/blog/2016/8/31 ... n-required

Yes this is real. We have been working on, working with IBM for weeks to months now to try and speed up the process and get out new certificates and an info pack to customers on the steps required to install the new certificates. At least it looks like the process will be simple, but we need to remember that IBM isn't the only large corporate with slow internal process and approvals. The more time we have to get customers across this the better.

[moby91]

Quite surprised to be the first poster to get this out....
http://www.infocat.co.uk/blog/2016/8/31 ... n-required

Ahem. A year ago he informed us. He warned us. It seems no one paid attention.


http://www.tm1forum.com/viewtopic.php?t=11929#p57111

Part 11 - The SSL Certificate

Of course, what happens when this rapidly approaching date (10 years after the certificate start date, which is why I said "2006" above) ticks over is something I do not want to think about:

[David Usherwood]

I believe Alan is off the grid at the moment on a well-deserved break - so his opportunity to say (mainly to IBM) 'I told you so' will have to wait.

[kangkc]

UseSSL=F

Worse scenario ?

[BrianL]

IBM has been shipping updated SSL certificates for a while. They're just not the default. The 'v2' certificates expire in 2022 and contain a 2048 bit key instead of the default 1024 bits.

Using these certificates is a much better option than disabling SSL, and is one you can already start testing/deploying today if you don't want to wait for official patches.

http://www-01.ibm.com/support/docview.w ... wg21697266

[stephen waters]

Ahem. A year ago he informed us. He warned us. It seems no one paid attention.

Mmmm... A valid warning from Alan but it was buried in a very long technical doc!

We have emailed all our customers warning them very explicitly that, if they do nothing, their TM1 install will stop working. And we used that bold colour to help them notice!

[declanr]

We have emailed all our customers warning them very explicitly that, if they do nothing, their TM1 install will stop working. And we used that bold colour to help them notice!

Come on Stephen - no one reads emails anymore; I am waiting for the 24th/25th November being TM1forum's highest post count day in history!

[lotsaram]

UseSSL=F

Worse scenario ?

Actually not so much.
As the keys for the IBM default certs are publicly available anyone who really wanted to could decrypt communication sent with them. Using the IBM default certs is really no better than not using SSL.

[tomok]

UseSSL=F

Worse scenario ?

Actually not so much.
As the keys for the IBM default certs are publicly available anyone who really wanted to could decrypt communication sent with them. Using the IBM default certs is really no better than not using SSL.

If you are running your TM1 behind a firewall then why the need to encrypt traffic? Even if you aren't, how's anyone going to make sense out of a TM1 driven packet anyway? It would just be a packet of numbers/data, with no context.

[George Regateiro]

Come on Stephen - no one reads emails anymore; I am waiting for the 24th/25th November being TM1forum's highest post count day in history!

Funny since this similar thing happened to Applix a ways back, except it caught them by surprise. That incident is how I found the old Applix forum to begin with.

[stephen waters]

Come on Stephen - no one reads emails anymore; I am waiting for the 24th/25th November being TM1forum's highest post count day in history!

Declan,
We will be sending repeat emails With bigger and louder fonts UNTIL THEY NOTICE

[lotsaram]

If you are running your TM1 behind a firewall then why the need to encrypt traffic? Even if you aren't, how's anyone going to make sense out of a TM1 driven packet anyway? It would just be a packet of numbers/data, with no context.

I don't just tend to agree i absolutely agree.
My issue is with knucklehead IT types who insist on using SSL as "our corporate IT policy insists all server client communication must use SSL" but who then don't change the certs. As this is really just window dressing and doesn't actually add any security.

[kangkc]

On second thought UseSSL=F may not work as Admin server may not able to function due to expired cert.

[David Usherwood]

Looks like you can set the Admin server to work with non SSL connections:
https://www.ibm.com/support/knowledgece ... SL_N12010F

[kangkc]

You can only set to use ONLY SSL client (False) or both Non-SSL and SSL (True).
Doesn't seems to have a way to disable SSL totally.

At the moment installing V2 certs seems to be the only way before a new 1024 certs are made available via fix.

[u970700]

Hi all,

We are currently still on version 9.5.2 FP3, and not planning to move to 10.x until 2017. I have a few burning questions hopefully someone can answer...

I imagine that there'd be a few of us haven't jumped to the version 10.x bandwagon yet, and since 9.5.2 is not supported by IBM anymore, has anyone actually installed the new v2 certs in 9.5.2 environment (assuming the new certs is still compatible)?

Our current tm1admsrv.ini:

Code: Select all

[TM1]
SupportNonSSLClients=True

Our current tm1s.cfg:

Code: Select all

UseSSL=F

Based on the above, is it just a matter of importing the v2 cert in MMC, without the need to update the configuration file of tm1admsrv.ini and tm1s.cfg? Are there any gotchas to watch out for?

I just want to get some thoughts and feedback before diving in with the testing the above.

Cheers.

Ray

[Steve Vincent]

You can only set to use ONLY SSL client (False) or both Non-SSL and SSL (True).
Doesn't seems to have a way to disable SSL totally.

At the moment installing V2 certs seems to be the only way before a new 1024 certs are made available via fix.

As luck would have it I've only just installed a new TM1 server to replace an existing one, so i had an area to test this without getting in the way of normal operations.

My testing backs up your statement, even if i told the server to not use SSL it refused to show it to a client until they, the admin server and the tm1 server itself had all been changed to the 2048 certificates. Server updates are easy enough, but here any automated changes to the client are a nightmare to arrange. We'll be left with having to communicate what the clients need to do and hoping they can follow those instructions. Assuming they read them at all...

[BrianL]

At the moment installing V2 certs seems to be the only way before a new 1024 certs are made available via fix.

Not entirely true. You could always take the more secure path and use your own certificates. Not that IBM makes this easy either, but when done right is more secure than using the same shared keys as thousands of other customers.

[paulsimon]

Hi

I have clients using 9.5 and 10.1.

Unless anyone has a work around for 9.5 that is a problem that I will need to try out myself. Fortunately I think that there is a test server that I can use.

On 10.1 the original installation notes only refer to dh512.pem and dh1024.pem. The dh2048.pem that is present in 10.2.2 is not there for 10.1.1. Presumably this means that 10.1.1 did not support the 2048 bit encryption required for the new certificate and that a fix pack is needed.

I searched the IBM support site but I haven't been able to find a fix pack for 10.1.1 where the release notes say that it can use the v2 certificates. Has anyone else managed to find the fix pack? IBM have tried to improve the Support Site recently but it clearly needs more work, and I think for something like this they should be going out to customers more proactively.

Regards

Paul Simon