On December 11, 2003, Sun Microsystems published a public alert
notification on their web site to inform their Java™ users
that the VeriSign root certificates bundled with Sun's
various SDK and RTE releases expire on January 7, 2004. For more
information and for a list of affected releases, see the
VeriSign root certificate expiration notice page.
If you are using an affected release, you can obtain new VeriSign
Class 2 Primary CA and VeriSign Class 3 Primary CA root certificates
from VeriSign and install them using the detailed
instructions below:
The instructions assume you are updating the Java SDK and use 1.3.1
as an example. You will need to adjust directory path names if you
are updating 1.2.2 or 1.3.0, or if you are updating the RTE.
If you are working with 1.2.2 or 1.3.0, the keytool command that
came with these versions is not able to handle the latest VeriSign
certificates and thus you'll have trouble at step 9 when you try
to include the new certificates. You should follow the instructions
below for installing the JSSE 1.0.3_02 prior to including the new
certificates. Once the JSSE is installed in your 1.2.2 or 1.3.0
kit, the keytool command will be able to include the proper certificates.
The 1.3.1 keytool command will work fine without any modifications.
The default trusted certificates file that comes with SDK is installed
in:
SYS$COMMON:[JAVA$131.JRE.LIB.SECURITY]CACERTS
Inserting new Certificates from VeriSign (OpenVMS Systems)
You will need system privileges to modify the cacerts file.
keytool also asks for the keystore password before it changes anything
in cacerts; the default password for cacerts is "changeit". That password
is only an integrity check on the keystore, not access control: anyone who
can write the file can replace its contents, so keep the file permissions
tight and work from the backup you make in the first step.
- Make a backup copy of the SYS$COMMON:[JAVA$131.JRE.LIB.SECURITY]CACERTS
file.
- To check the expiration date of the currently installed certificate(s),
run the following command:
@ SYS$COMMON:[JAVA$131.COM]JAVA$131_SETUP
@ keytool -list -v -alias verisignclass2ca -keystore -
SYS$COMMON:[JAVA$131.JRE.LIB.SECURITY]CACERTS
This should be the output. Notice that it expires on Jan 07, 2004.
The displayed time information is dependent on your time zone.
Alias name: verisignclass2ca
Creation date: Mon Jun 29 13:06:39 EDT 1998
Entry type: trustedCertEntry
Owner: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: ba5ac94c053b92d6a7b6df4ed053920d
Valid from: Sun Jan 28 19:00:00 EST 1996 until: Wed Jan 07 18:59:59
EST 2004
Certificate fingerprints:
MD5: EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
SHA1: A5:EC:73:D4:8C:34:FC:BE:F1:00:5A:EB:85:84:35:24:BB:FA:B7:27
- Go to the VeriSign website at http://www.verisign.com/support/roots.html
and download the roots.zip file containing the root certificates.
You will be prompted to accept a statement of agreement.
- Unzip the downloaded roots.zip. (The zip/unzip tool is available
at
http://h71000.www7.hp.com/opensource/opensource.html)
@ unzip roots.zip
- Copy the two VeriSign files to a name with .cer as the extension.
@ set def [.VERISIGN_-_THAWTE_COMBINED_ROOTS.VERISIGN_ROOTS]
@ copy PCA2ss_v4.509 PCA2ss_v4_509.cer
@ copy PCA3ss_v4.509 PCA3ss_v4_509.cer
Note that you will need the device and directory to which
these files are copied in step 9.
- Examine the files.
@ keytool -printcert -file PCA2ss_v4_509.cer
Make sure you get the following output.
Owner: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: 2d1bfc4a178da391ebe7fff58b45be0b
Valid from: Sun Jan 28 19:00:00 EST 1996 until: Tue Aug 01 19:59:59
EDT 2028
Certificate fingerprints:
MD5: B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
SHA1: 67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A
@ keytool -printcert -file PCA3ss_v4_509.cer
Make sure you get the following output.
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Sun Jan 28 19:00:00 EST 1996 until: Tue Aug 01 19:59:59
EDT 2028
Certificate fingerprints:
MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
- Verify the Hash (SHA1), Serial Number, and Operational Period
against the following website:
» http://www.verisign.com/repository/root.html#c2pcag2
On the web page, scroll to the sections with the headings:
VeriSign Class 2 Primary CA
VeriSign Class 3 Primary CA
Note: The information in each section is supplied in triplets.
You need to scan each section to match the Serial Number, SHA1
Number and Operational Period.
Because roots.zip is fetched over plain HTTP, this comparison with
VeriSign's repository page is what establishes that the files you are
about to trust are genuine. Do not import a certificate whose serial
number or SHA1 fingerprint differs from the published values.
At this point, you are ready to modify the cacerts file.
- Delete the soon-to-be-expired certificates from cacerts.
@ set def SYS$COMMON:[JAVA$131.JRE.LIB.SECURITY]
@ keytool -delete -alias verisignclass2ca -keystore ./cacerts
@ keytool -delete -alias verisignclass3ca -keystore ./cacerts
- Include the new certificates that you have downloaded.
@ keytool -import -alias verisignclass2ca -file -
dev:[dir]PCA2ss_v4_509.cer -keystore ./cacerts
where "dev:[dir]" is the device and directory
from where you copied the VeriSign files with the .cer extension.
Answer yes to the question about it being a trusted certificate.
@ keytool -import -alias verisignclass3ca -file -
dev:[dir]PCA3ss_v4_509.cer -keystore ./cacerts
where "dev:[dir]" is the device and directory from where
you copied the VeriSign files with the .cer extension.
Answer yes to the question about it being a trusted certificate.
- Examine the cacerts file with the new certificates
@ keytool -list -v -alias verisignclass2ca -keystore ./cacerts
@ keytool -list -v -alias verisignclass3ca -keystore ./cacerts
Make sure the information is same as what you saw earlier
while printing the certificate from certificate file.
Installing the JSSE 1.0.3_02 (OpenVMS Systems)
- Download JSSE 1.0.3_02 from:
» http://java.sun.com/products/jsse/downloads/index.html
Download either the domestic or the global binaries, as appropriate
for your site. The instructions are the same for both.
- Unzip the downloaded file. (The zip/unzip tool is available
at
http://h71000.www7.hp.com/opensource/opensource.html)
Assuming you downloaded the domestic binaries:
@ unzip jsse-1_0_3_02-do.zip
- Copy the 3 jar files from [.jsse1_0_3_02.lib] to
SYS$COMMON:[JAVA$122.JRE.LIB.EXT]
(the JAVA$122 directory shown is for 1.2.2; adjust it for 1.3.0)
@ copy [.jsse1_0_3_02.lib]*.jar SYS$COMMON:[JAVA$122.JRE.LIB.EXT]
- Edit SYS$COMMON:[JAVA$122.JRE.LIB.SECURITY]JAVA.SECURITY to
include security.provider.2=com.sun.net.ssl.internal.ssl.Provider
@ set def SYS$COMMON:[JAVA$122.JRE.LIB.SECURITY]
@ edit java.security
Add the following line
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
After adding it, your entries will look like
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
The provider numbers must be consecutive starting at 1 (Java stops
loading providers at the first gap), so if the file already lists a
security.provider.2, add the JSSE provider at the next unused number
instead of overwriting or duplicating an existing entry.
The instructions assume you are running the J2SDK and use 1.3.1
as an example. You will need to adjust path names if you are running
1.2.2 or 1.3.0 or if you have the RTE installed.
If you are working with 1.2.2 or 1.3.0, the keytool command that
came with these versions is not able to handle the latest VeriSign
certificates and thus you'll have trouble at step 11 when you try
to include the new certificates. You should follow the instructions
below for installing the JSSE 1.0.3_02 prior to including the new
certificates. Once the JSSE is installed in your 1.2.2 or 1.3.0
kit, the keytool command will be able to include the proper certificates.
The 1.3.1 keytool command will work fine without any modifications.
The default trusted certificates file that comes with the J2SDK
is installed in:
/usr/opt/java131/jre/lib/security/cacerts
Inserting new Certificates from VeriSign (Tru64 UNIX Systems)
- Make a backup of the
/usr/opt/java131/jre/lib/security/cacerts
file.
- You must be root to write to cacerts, and keytool asks for the
keystore password before it changes anything in it. The default
password for cacerts is changeit; it is only an integrity check on the
keystore, so file ownership and permissions are what actually protect
it. Log in as superuser. All of the following commands assume that you
are in superuser mode.
- To check the expiration date of the currently installed certificate(s),
run following command:
keytool -list -v -alias verisignclass2ca -keystore \
/usr/opt/java131/jre/lib/security/cacerts
This should be the output. Notice that it expires on Jan 07, 2004.
The displayed time information is dependent on your Time Zone.
Alias name: verisignclass2ca
Creation date: Mon Jun 29 10:06:39 PDT 1998
Entry type: trustedCertEntry
Owner: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: ba5ac94c053b92d6a7b6df4ed053920d
Valid from: Sun Jan 28 16:00:00 PST 1996
until: Wed Jan 07 15:59:59 PST 2004
Certificate fingerprints:
MD5: EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
SHA1: A5:EC:73:D4:8C:34:FC:BE:F1:00:5A:EB:85:84:35:24:BB:FA:B7:27
- Set your PATH to point at Java 1.3 so the keytool command can
be used in later steps.
export PATH=/usr/opt/java131/bin:$PATH
- Go to the VeriSign website at http://www.verisign.com/support/roots.html
and download the roots.zip file containing root certificates.
You will be prompted to accept a statement of agreement.
- Unzip the downloaded roots.zip into
/tmp.
cd /tmp
unzip roots.zip
- Copy the two VeriSign files to a name with .cer as the extension.
cd "VeriSign - Thawte Combined Roots/VeriSign_Roots"
cp PCA2ss_v4.509 /tmp/PCA2ss_v4.509.cer
cp PCA3ss_v4.509 /tmp/PCA3ss_v4.509.cer
- Examine the files.
keytool -printcert -file /tmp/PCA2ss_v4.509.cer
Make sure you get the following output.
Owner: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 2 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: 2d1bfc4a178da391ebe7fff58b45be0b
Valid from: Sun Jan 28 16:00:00 PST 1996
until: Tue Aug 01 16:59:59 PDT 2028
Certificate fingerprints:
MD5: B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
SHA1: 67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A
keytool -printcert -file /tmp/PCA3ss_v4.509.cer
Make sure you get the following output.
Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Serial number: 70bae41d10d92934b638ca7b03ccbabf
Valid from: Sun Jan 28 16:00:00 PST 1996
until: Tue Aug 01 16:59:59 PDT 2028
Certificate fingerprints:
MD5: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
- Verify the Hash (SHA1), Serial Number, and Operational Period
from the following website:
» http://www.verisign.com/repository/root.html#c2pcag2
On the web page, scroll to the sections with the headings:
VeriSign Class 2 Primary CA
VeriSign Class 3 Primary CA
Note: The information in each section is supplied in triplets.
You need to scan each section to match the Serial Number, SHA1
Number and Operational Period.
At this point, you are ready to modify the cacerts file.
- Delete the soon-to-be expired certificates from cacerts.
cd /usr/opt/java131/jre/lib/security/
keytool -delete -alias verisignclass2ca -keystore ./cacerts
keytool -delete -alias verisignclass3ca -keystore ./cacerts
- Include the new certificates that you have downloaded.
keytool -import -alias verisignclass2ca -file \
/tmp/PCA2ss_v4.509.cer -keystore ./cacerts
Answer yes to the question about it being a trusted certificate.
keytool -import -alias verisignclass3ca -file \
/tmp/PCA3ss_v4.509.cer -keystore ./cacerts
Answer yes to the question about it being a trusted certificate.
- Examine the cacerts file with the new certificates.
keytool -list -v -alias verisignclass2ca -keystore ./cacerts
keytool -list -v -alias verisignclass3ca -keystore ./cacerts
Make sure the information is the same as what you saw earlier
while printing the certificate from the certificate file.
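The Tru64 procedure above (and, with DCL syntax, the OpenVMS one) as a single script. This is an added example and is not part of HP's or Sun's notice. It turns the fingerprint check into a hard gate: each downloaded root is imported only if its serial number and SHA1 fingerprint equal the values copied from the notice, the keystore is backed up first, and the new expiry years are printed at the end. keytool on PATH, the default keystore password, and the KEYSTORE, STOREPASS and CERT_DIR locations are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HP notice: replace the two VeriSign roots in
# a Java cacerts keystore only after checking each downloaded certificate
# against the serial number and SHA1 fingerprint pinned from VeriSign's
# repository page. Assumes keytool is on PATH (the notice's PATH step) and
# that the roots were unzipped into CERT_DIR. KEYSTORE, STOREPASS and
# CERT_DIR are assumptions; override them in the environment.

KEYSTORE=${KEYSTORE:-/usr/opt/java131/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}    # default cacerts password from the notice
CERT_DIR=${CERT_DIR:-/tmp}

# Expected values, copied from the keytool -printcert output in the notice.
PCA2_SERIAL=2d1bfc4a178da391ebe7fff58b45be0b
PCA2_SHA1=67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A
PCA3_SERIAL=70bae41d10d92934b638ca7b03ccbabf
PCA3_SHA1=74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

# field_of LABEL: print the value of the first "LABEL: value" line on stdin
# (keytool indents the fingerprint lines, so leading blanks are ignored).
field_of() {
    sed -n "/^[[:space:]]*$1:/{s/^[[:space:]]*$1:[[:space:]]*//p;q;}"
}

# check_printcert TEXT SERIAL SHA1: succeed only if the keytool -printcert
# output in TEXT carries exactly the expected serial number and fingerprint.
check_printcert() {
    got_serial=$(printf '%s\n' "$1" | field_of 'Serial number')
    got_sha1=$(printf '%s\n' "$1" | field_of 'SHA1')
    [ "$got_serial" = "$2" ] && [ "$got_sha1" = "$3" ]
}

# expiry_year TEXT: the four-digit year after "until:" in keytool output,
# whether "until:" shares the "Valid from:" line or starts its own line.
expiry_year() {
    printf '%s\n' "$1" |
        sed -n 's/.*until:.*[[:space:]]\([0-9][0-9][0-9][0-9]\)[[:space:]]*$/\1/p'
}

# replace_root ALIAS CERTFILE SERIAL SHA1: verify the file, then swap the
# keystore entry under ALIAS for it (keytool -delete, then keytool -import).
replace_root() {
    printed=$(keytool -printcert -file "$2") || return 1
    if ! check_printcert "$printed" "$3" "$4"; then
        echo "refusing to import $2: serial number or SHA1 fingerprint mismatch" >&2
        return 1
    fi
    keytool -delete -alias "$1" -keystore "$KEYSTORE" -storepass "$STOREPASS" &&
    keytool -import -noprompt -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# update_cacerts: back up the keystore, replace both roots, and show the
# new expiry years so the January 2004 dates are visibly gone.
update_cacerts() {
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$$" || return 1
    replace_root verisignclass2ca "$CERT_DIR/PCA2ss_v4.509.cer" "$PCA2_SERIAL" "$PCA2_SHA1" || return 1
    replace_root verisignclass3ca "$CERT_DIR/PCA3ss_v4.509.cer" "$PCA3_SERIAL" "$PCA3_SHA1" || return 1
    for a in verisignclass2ca verisignclass3ca; do
        listed=$(keytool -list -v -alias "$a" -keystore "$KEYSTORE" -storepass "$STOREPASS")
        echo "$a now expires in $(expiry_year "$listed")"
    done
}

# Run the update only when invoked as "sh update_roots.sh run", so the
# functions above can be sourced and exercised without touching a keystore.
case "${1-}" in
    run) update_cacerts ;;
esac
```

Run it as `sh update_roots.sh run` after the PATH step; without the argument it only defines the functions. The -storepass and -noprompt options replace the interactive password and "Trust this certificate?" prompts shown in the steps above, so the script can run unattended, which is exactly why the serial and fingerprint comparison has to be enforced by the script rather than left to the operator.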
Installing the JSSE 1.0.3_02 (Tru64 UNIX Systems)
- Download JSSE version 1.0.3_02 from
» http://java.sun.com/products/jsse/downloads/index.html
Download either the domestic or the global binaries, as appropriate
for your site. The instructions are the same for both.
- Unzip the downloaded file in /tmp.
Assuming you downloaded the domestic binaries:
cd /tmp
unzip jsse-1_0_3_02-do.zip
- Copy 3 jar files (jcert.jar, jnet.jar, and jsse.jar) from
jsse1.0.3_02/lib to /usr/opt/java122/jre/lib/ext
cd jsse1.0.3_02/lib
cp *.jar /usr/opt/java122/jre/lib/ext
- Edit /usr/opt/java122/jre/lib/security/java.security to include
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
(the java122 directory shown is for 1.2.2; adjust it for 1.3.0)
cd /usr/opt/java122/jre/lib/security/
chmod +w java.security
vi java.security
=> Add the following line
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
=> After adding it, your entries will look like
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
=> The provider numbers must be consecutive starting at 1 (Java stops
loading providers at the first gap), so if the file already lists a
security.provider.2, add the JSSE provider at the next unused number.
chmod -w java.security
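One way to automate the java.security edit from the last step, added here as an example and not HP's or Sun's code. It computes the next free security.provider index instead of assuming it is 2, because Java stops loading providers at the first gap in the numbering, so a file that already lists a second provider would otherwise end up with a duplicate number or a gap. The path to java.security is passed as an argument, the sample file used in the test is constructed, and the use of `awk -F` with a bracket expression assumes a POSIX awk.

```shell
#!/bin/sh
# Added example, not part of the HP notice: register the JSSE provider in
# java.security at the next unused security.provider.N slot rather than a
# hard-coded ".2". Java reads the providers in order and stops at the first
# gap, so the numbers must stay consecutive. The java.security path is an
# assumption and is passed as the first argument.

JSSE_PROVIDER=com.sun.net.ssl.internal.ssl.Provider

# next_provider_index FILE: one more than the highest security.provider.N
# already present (1 when the file has no provider list at all).
next_provider_index() {
    awk -F'[.=]' '
        /^[[:space:]]*security\.provider\.[0-9]+=/ { if ($3 + 0 > max) max = $3 + 0 }
        END { print max + 1 }' "$1"
}

# add_jsse_provider FILE: insert "security.provider.N=<JSSE>" right after the
# last existing provider line (or at the end if there is none). A second run
# is a no-op, so the function is safe to re-run.
add_jsse_provider() {
    file=$1
    if grep "^[[:space:]]*security\.provider\.[0-9]*=$JSSE_PROVIDER\$" "$file" >/dev/null; then
        return 0                      # already registered
    fi
    n=$(next_provider_index "$file")
    tmp=$file.new.$$
    awk -v entry="security.provider.$n=$JSSE_PROVIDER" '
        /^[[:space:]]*security\.provider\.[0-9]+=/ { last = NR }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == last) print entry
            }
            if (last == 0) print entry
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod u+w "$file"                 # the notice's "chmod +w java.security"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Invoke as "sh add_jsse_provider.sh /usr/opt/java122/jre/lib/security/java.security";
# with no argument the script only defines the functions.
case "${1-}" in
    "") ;;
    *) add_jsse_provider "$1" ;;
esac
```

The file is rewritten in place through `cat > file` rather than `mv`, so its ownership and mode survive; restore the read-only bit afterwards with `chmod -w java.security` as the step above does.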