
Secure CORBA setup with custom certificates created with OpenSSL doesn't work on RHEL 8.x


Article ID: 239409


Products

CA Spectrum DX NetOps

Issue/Introduction

Secure CORBA is being set up with custom certificates according to the documentation:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/21-2/administrating/oneclick-administration/oneclick-administration-pages.html

After following the steps and using the OpenSSL tool to generate the certificates, the generated certificates do not work.

Secure CORBA set up with the default self-signed certificates shipped with the product works fine.

Cause

OpenSSL on RHEL8 (OpenSSL 1.1.1k  FIPS 25 Mar 2021) is not supported.

Environment

Release : 21.2

Component : Spectrum OneClick

OS : Linux RHEL 8.x 

Resolution

There is a known limitation with OpenSSL on RHEL 8.x (OpenSSL 1.1.1k  FIPS) due to Java compatibility.

Use the OpenSSL tool from RHEL 7.x (OpenSSL 1.0.2k-fips) to create the keystore. This works fine.


These are the currently tested and working environments for certificate generation with OpenSSL:

- RHEL 7.x with OpenSSL version 1.0.2k-fips
- Windows Cygwin bash (shipped by Spectrum) with OpenSSL version 1.0.2n

So for now, until the issue is resolved by Oracle/OpenSSL, customers can do one of the following:

- Use Spectrum on the Windows platform to generate the certificates.
- Keep a RHEL 7.x system available (in shutdown state) and use it to generate certificates when needed.

 

Additional Information

There is a ticket open with Micro Focus for the VisiBroker component. The problem is caused by compatibility issues between OpenSSL 1.1.1x and Java 8: OpenSSL 1.1.1x uses PKCS5 Version 2 algorithms, and Java is unable to handle this version. They therefore recommend generating the certificates with an older version of OpenSSL until Oracle/OpenSSL address the issue.
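The cause described above can be checked on a key file before it is deployed. The following is an added example, not code from this article or the product documentation: it reads the encryption-scheme OID from a PEM PKCS #8 `ENCRYPTED PRIVATE KEY` and shows whether the key uses PBES2, the PKCS #5 v2 scheme. It assumes the key is in that format; the function names are hypothetical and the two samples are constructed header stubs, not real keys.

```python
import base64
import re

PBES2 = "1.2.840.113549.1.5.13"  # PKCS #5 v2 encryption scheme
SCHEMES = {
    PBES2: "PBES2 (PKCS #5 v2)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS #5 v1.5)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS #12)",
}
PEM_RE = re.compile(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.+?)-----END", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def pbe_scheme(pem_text):
    """Return (oid, name) of the scheme protecting a PEM PKCS #8 encrypted key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no ENCRYPTED PRIVATE KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    t1, p, _ = _tlv(der, 0)                # EncryptedPrivateKeyInfo SEQUENCE
    t2, p, _ = _tlv(der, p)                # encryptionAlgorithm SEQUENCE
    t3, p, end = _tlv(der, p)              # algorithm OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("not a PKCS #8 EncryptedPrivateKeyInfo")
    oid = _oid(der[p:end])
    return oid, SCHEMES.get(oid, "unknown scheme")

# Constructed samples (header stubs, not real keys): PBES2 and pbeWithMD5AndDES-CBC.
ARMOR = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_V2 = ARMOR % "MBUwDQYJKoZIhvcNAQUNMAAEBAAAAAA="
SAMPLE_V1 = ARMOR % "MBUwDQYJKoZIhvcNAQUDMAAEBAAAAAA="
```

A result whose OID equals `PBES2` marks a key encrypted with the PKCS #5 v2 algorithms that this article identifies as the incompatibility with Java 8.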