In the ongoing security battle arena, standards of protection are improving. What may have been an acceptable cipher suite last year may be less acceptable today. For many years a RSA certificate was considered the best. Now certificates using Elliptic Curves are considered superior as they require smaller keys for the same level of protection, are harder to break, and use less CPU when they are used.
Google wants to have digital certificates renewed every year rather than the two years it tends to be today. (From what I have read Certificate Authorities certificates can be around for years).
Your security team should be updating the user certificates regularly, so this should not be your problem. You need to review your servers and do regular “housekeeping” to bring them inline with current best practice. It is easy to forget a service which just sits there and runs, and so is a weak entry point to your environment.
The house keeping tasks:
- Ensuring your Certificate Authority certificates use current options: type of certificate, key size etc.
- Ensure the server’s certificate uses current options
- You restrict what certificates can be used to connect to the server. For example do not allow RSA certificate with RSA with a small key size.
In some enterprises you have one certificate which identifies you, and then have controls within each server which manage which users are allowed to connect. In other enterprises you may have a general certificate, plus a certificate for “monitoring” which has been signed by the “monitoring CA”. This makes it easier to control access – if your certificate does not have the “monitoring CA” you do not get into the server.
If you are an enterprise you are likely to have a process which automatically renews individual’s certificates. This is likely to be “go on-site, plug into the ethernet, ( so people cannot intercept your wireless), get a new certificate”. It is harder to renew your server’s certificates.
You will need steps along the lines of
- Strengthen your CA if required
- Generate a new, stronger, CA certificate; for example using Elliptic Curves instead of RSA
- Every machine needs to install the new CA certificate in the trust stores/browsers, alongside the old CA certificate. You need a period when both CA certificates are available to allow for a transition period, as you need to change both ends of the TLS connection.
- You can now deploy new individual certificates with their CA, to your users which go into their key store. Users connecting to a server with the new certificates will be validated with the server’s new CA. Users which have certificates with the old CA will continue to use the old CA.
- You need a new certificate for your web server. If this is using the new CA, then all end users will need to have the new CA in their trust store, so the web server certificate can be validated. If you are not using a new CA, then the existing CA can be used with no change.
- Once all the users have their new certificate, you can remove the old CA from the server and from the user’s trust stores/browsers. If a user tries to use the old certificate, if will fail to verify as the CA is no longer present.
Restricting what certificates and cipher suites can be used.
You can configure java security to restrict the certificates and cipher suites are used. For example enforce no RSA certificate, or RSA certificate with a key sizes < 2048 cannot connect to the web server. You configure java.security. See here.
(Not) Using TLS 1.3
The TLS standards are being improved, for example TLS 1.3 protocol has improved algorithms, which are faster and more secure than in TLS 1.2. The handshake has been improved, and weak algorithms have been dropped. Most browsers already support TLS v1.3.
In theory this is a simple matter of changing the protocol parameter from TLSv1.2 to TLSv1.3 and it will all magically work. This support is in java release 11. Unfortunately the java used by mqweb is not at this level (it it java version 8) so cannot support it. This means you have to make the changes yourself.
Change it, pray, answer the phone, and backout the change.
In an ideal world your server would produce a report of which certificates were used, with the Distinguished Name(the owner), what algorithms are used, and what CAs are used. You make a note of all those which need attention, get the certificates upgraded, and when all the certificates are good – you can enable the stronger functions and it will all work first time.
I have not been able to get this list from my servers.
What I expect will happen as you enable the stronger functions, is that people who are not ready, will stop working, and will report problems. You turn off the stronger functions, fix the machines which had problems and repeat until the phone stops ringing.
Some changes, for example changing java -D…. options in the jvm.options will require a server restart. Other changes within the mqwebuser.xml, may get picked up periodically (and so avoids the need to restart the server), but you may need to restart the server. On my laptop it takes over 10 seconds to stop and restart the server.
This upgrade process is very disruptive and does not provide a highly available server your enterprise needs. Think how many change requests you will need to submit before it all works! The best solution is to start with a very secure web server.