
Required upgrade for Symantec VIP Services and VIP Integration for Microsoft AD FS customers


Article ID: 150947


Updated On:

Products

VIP Integrations

Resolution

What is happening?

With various platforms no longer accepting web server certificates that chain to the VeriSign PCA3 G5 root certificate, Symantec will be replacing the SSL certificate on all VIP Authentication service end-points and VIP Web Services API end-points. These new SSL certificates will chain to the DigiCert Global Root CA. This DigiCert root certificate is broadly embedded into the default trust root CA store of all popular web browsers, operating systems, and native programming platforms. 

As a result, organizations using VIP Services API end-points must verify that their application server(s) trust the DigiCert Global Root CA certificate.

When is this happening?

NEW DATE: The targeted date for this change has moved from December 2019 to January 14, 2020, at 2:00 PM PST. Subscribe to status updates here:

Symantec is providing email reminders 90, 60 and 30 days prior to the migration. This article is linked from those emails and contains the latest information. Changes to your environment should be implemented as soon as possible. 

Are my VIP components affected?

► Pinned VIP Services applications: Certificate pinning is the process of associating a host with the expected certificate. Organizations using certificate pinning to the VeriSign PCA3 G5-chained certificates within their application should update the pinning hierarchy to trust the DigiCert Global Root CA.

► VIP Web Services: All application server(s) that connect to VIP Web Services API endpoints must trust the DigiCert Global Root CA certificate. 

► VIP AD FS Integrations: AD FS servers configured to use the VIP integration module for MFA must upgrade to VIP plugin version 9.9 or later. Click here for additional instructions.

► VIP SDK: Refer to this article.

► VIP Enterprise Gateway: No further action is required. Both root CAs are part of the Enterprise Gateway trust store. VIP certificates from VIP Manager are not affected.  

► VIP Integrations: Only the VIP Integration for AD FS servers is affected (Click here for additional instructions). 

► VIP Manager: The VIP Manager portal and VIP certificates through VIP Manager are not affected. Reissuing VIP certificates is not necessary. 

 

What URLs are affected?

VIP Provisioning Service:
   https://services.vip.symantec.com

VIP Authentication Service:
   https://goidservices-auth.vip.symantec.com
   https://services-auth.vip.symantec.com

VIP User Authentication Service:
   https://userservices-auth.vip.symantec.com
   https://messaging.vip.symantec.com

How can I verify the DigiCert Global Root CA?

If the DigiCert Global Root CA is trusted, a TLS connection to the following test URL will succeed. This URL chains to the same DigiCert Global Root CA (and intermediate CA):

https://test.vip.symantec.com
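One way to run this check from an application server, as an added example that is not Symantec's own tooling: the script below performs a verified TLS handshake to the test host with the platform's default trust store and reports which of the two roots named in this article that store holds. The function names are assumptions of this example; the host, common names and serial numbers are copied from this article.

```python
import socket
import ssl

# Common names, serial numbers and test host are copied from this article.
ROOTS = {
    "DigiCert Global Root CA": "08 3b e0 56 90 42 46 b1 a1 75 6a c9 59 91 c7 4a",
    "VeriSign Class 3 Public Primary Certification Authority - G5":
        "18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a",
}
TEST_HOST = "test.vip.symantec.com"


def normalize_serial(serial):
    """Reduce '08 3b e0 ...' or '08:3B:E0:...' to bare uppercase hex, no leading zeros."""
    digits = "".join(c for c in serial if c in "0123456789abcdefABCDEF")
    return digits.upper().lstrip("0")


def common_name(cert):
    """Pull commonName out of the nested subject tuple used by the ssl module."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names[0] if names else None


def roots_present(ca_certs):
    """Map each root above to True if it is in a get_ca_certs()-shaped list."""
    # Match on common name and serial: serials are only unique per issuer.
    seen = {(common_name(c), normalize_serial(c.get("serialNumber", ""))) for c in ca_certs}
    return {cn: (cn, normalize_serial(sn)) in seen for cn, sn in ROOTS.items()}


def check_endpoint(host=TEST_HOST, port=443, timeout=10):
    """Handshake with the default trust store; return (ok, detail, roots_present)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                ok, detail = True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        ok, detail = False, exc.verify_message
    except OSError as exc:
        ok, detail = False, f"connection failed: {exc}"
    # Listed after the handshake: roots kept in an OpenSSL capath directory
    # only appear in get_ca_certs() once they have been used.
    return ok, detail, roots_present(ctx.get_ca_certs())


if __name__ == "__main__":
    print(check_endpoint())
```

The result only describes the trust store this Python build uses; an application with its own store (for example a Java keystore or a pinned certificate set) has to be checked in that store.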

For your reference:

Existing PCA3 G5 root certificate currently used by VIP Services:

  • Common Name: VeriSign Class 3 Public Primary Certification Authority - G5
  • Full Subject name: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
  • Certificate Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a

Updated DigiCert Global Root CA certificate to be used by VIP Services:

  • Common Name: DigiCert Global Root CA
  • Full Subject name: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
  • Certificate Serial Number: 08 3b e0 56 90 42 46 b1 a1 75 6a c9 59 91 c7 4a
  • Certificate (download here):


─►Intermediate DigiCert SHA2 Secure Server CA 

  • Issued from: Common Name: DigiCert SHA2 Secure Server CA
  • Full Subject name: C = US, O = DigiCert Inc, CN = DigiCert Global Root CA
  • Certificate Serial Number: 01 fd a3 eb 6e ca 75 c8 88 43 8b 72 4b cf bc 91
  • This intermediate certificate is sent from the server with the SSL certificate.
  • Certificate:
