search cancel

Secure CORBA setup with custom certificates created with OpenSSL doesn't work on RHEL 8.x


Article ID: 239409


Updated On:


CA Spectrum DX NetOps


Trying to setup Secure CORBA with custom certificates according to the documentation:

Follow the steps and use the OpenSSL tool to generate the certificates, but the generated certificates doesn't work.

While Secure CORBA set up with the default self-signed certificates shipped with the product works fine.


OpenSSL on RHEL8 (OpenSSL 1.1.1k  FIPS 25 Mar 2021) is not supported.


Release : 21.2

Component : Spectrum OneClick

OS : Linux RHEL 8.x 


There is a known limitation with OpenSSL on RHEL 8.x (OpenSSL 1.1.1k  FIPS) due to Java compatibility.

Use OpenSSL tool from RHEL 7.x (OpenSSL 1.0.2k-fips) to create the keystore - this will work fine.

These are the currently tested and working environments for certificates generation with OpenSSL:

-RHEL 7.x with OpenSSL version 1.0.2k-fips.
-Windows Cygwin bash (shipped by Spectrum) with OpenSSL version: 1.0.2n

So for now, until the issue is resolved by Oracle/OpenSSL, customer can
Use Spectrum on Windows platform to generate certs.
Or keep an RHEL 7.x system available (in shutdown state) and use it to generate certificates when needed.


Additional Information

There is a ticket opened with Micro Focus for the component Visibroker. This problem is due to the compatibility issues introduced in OpenSSL 1.1.1x with Java8. OpenSSL 1.1.1x uses PKCS5 Version 2 algorithms and Java is unable to handle this version. So, they recommend to generate the certificates with an older version of OpenSSL until Oracle/OpenSSL address the issue.