Starting with DX UIM 23.4.7 (CU7), tunnel certificates which were created with a hub prior to 23.4.0 will no longer be valid for UIM hub SSL tunnels.

This article describes how to validate the signature algorithm the certificates prior to upgrading to CU7 to ensure that your upgrade goes smoothly.

• DX UIM 23.4.6 or prior - preparing to upgrade to CU7
• SSL Tunnels in use

Certificates created prior to hub 23.4.0 were signed with the SHA1 algorithm whereas those created with 23.4.0+ use SHA384.  Starting with hub 23.4.7, the older SHA1 certificates will no longer be accepted.

There are a number of certificates which need to be validated, and the exact filenames will vary depending on the specific version of DX UIM that was installed when the certificates were created.

Each hub that is a tunnel server or client will have one or more .pem files located in the ($UIM_HOME)/hub/certs/ folder.   

Examples:

server.pem
ca.pem
cert##.pem
server.ca.ec.cert.pem
server.ec.key.pem

each of the files in this folder (including any .pem files not listed above) should be checked to ensure the signature algorithm shows SHA384.

Additionally, if you are running Secure Bus, there will be .pem files located in the ($UIM_HOME)/robot/certs/ folder which should also be validated.

Windows

For Windows hubs, open a command prompt to the appropriate certs/ folder and execute the following command:

certutil -dump filename.pem | findstr "Algorithm"

Look for the string sha384ECDSA in the output. 

If you see the string sha1RSA in the output it means the certificates are not valid for CU7 and must be replaced.

Linux

For Linux hubs, navigate in the shell/terminal to the appropriate certs/ folder and execute the following command:

openssl x509 -in filename.pem -text -noout | grep "Algorithm"

Look for "sha384" in the output.  The exact output may be something like "sha384WithECEncryption".

If you see "sha1" in the output, such as "sha1WithRSAEncryption" the certificates are not valid for CU7 and must be replaced.

Replacing invalid certificates

In order to replace the certificates, you must re-create the Tunnel Server CA and re-issue client certificates.  This will invalidate all existing client connections and they must be rebuilt.

The process for renewing the Tunnel Server CA is described here.

Additional information about the automation of the certificate distribution is available here.

The following is a Lua script which can be run inside the NAS GUI on the Primary Hub which may help to identify the certificates which are in need of replacement.

It may time out in a larger environment since it tries to query every hub, but in a small to medium environment this script should be helpful in identifying whether your certificates need replacement.

**this script is provided AS IS and is not supported, we are providing it here for convenience**

-- This script attempts to determine if there are tunnel client certificates in the hub/certs/ folder which
-- are not SHA-384 compliant.
-- No guarantees can be made that it does a perfect job, this script should not be taken as the final word
-- and all outputs should be verified.  It is intended only to be helpful in identifying the certificates which
-- need replacement but it is possible that it may miss some certificates.

-- if any hub is down this will be reported in the final output.

-- it does this by crawling each hub and performing the "tunnel_read_certificate" to check for certificates
-- with filenames of cert01.pem through cert10.pem and validates whether they are SHA384 or not.
-- most tunnel client certificates are cert02.pem or cert03.pem but in some cases it may be something like client1.pem or cert01.pem in which case the script will miss them, it is only able to catch the "cert##.pem" files

-- if such a certificate is found you must renew the Tunnel CA Certificate on the tunnel server which
-- issued that certificate, and re-issue and deploy all client certificates which were previously
-- issued by that server.  

-- see   https://knowledge.broadcom.com/external/article/265416/uim-how-to-renew-a-ca-server-certificat.html

-- script below--

-- Base64 decoder to convert PEM to Binary
local function b64decode(data)
    local b = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    data = string.gsub(data, '[^'..b..'=]', '')
    return (data:gsub('.', function(x)
        if (x == '=') then return '' end
        local r, f = '', (b:find(x) - 1)
        for i = 6, 1, -1 do r = r .. (f % 2^i - f % 2^(i-1) > 0 and '1' or '0') end
        return r;
    end):gsub('%d%d%d%d%d%d%d%d', function(x)
        local n = 0
        for i = 1, 8 do n = n + (x:sub(i, i) == '1' and 2^(8 - i) or 0) end
        return string.char(n)
    end))
end

-- function for binary SHA384 detection
function is_it_sha384(cert_pem)
    if not cert_pem or cert_pem == "" then return false end

    -- 1. Clean the PEM string to get just the Base64 data
    local clean_b64 = cert_pem:gsub(" %-%-%-%-%-BEGIN CERTIFICATE%-%-%-%-%-", "")
                               :gsub("%-%-%-%-%-END CERTIFICATE%-%-%-%-%-", "")
                               :gsub("%s", "")
    
    -- 2. Convert to binary bytes
    local binary_cert = b64decode(clean_b64)

    -- 3. Define the SHA384 OID byte sequences
    local ecdsa_sha384 = "\006\008\042\134\072\206\061\004\003\003"
    local rsa_sha384   = "\006\009\042\134\072\134\247\013\001\001\012"

    -- 4. Check if either sequence exists in the binary data
    if string.find(binary_cert, ecdsa_sha384, 1, true) or 
       string.find(binary_cert, rsa_sha384, 1, true) then
        return true
    end

    return false
end

-- 1. Get the list of hubs
local hubs = nimbus.request("hub", "gethubs")

if hubs then
    for key, value in pairs(hubs.hublist) do
        local addr = value.addr

        -- VERIFY HUB IS ALIVE FIRST
        local hub_up = nimbus.request(addr, "get_info")

        if hub_up then
            local hub_printed = false 

            -- Hub is up, now loop through the 10 potential certificates
            for certnum = 1, 10 do
                local args = pds.create()
                pds.putInt(args, "serial", certnum)

                local cert_status = nimbus.request(addr, "tunnel_read_certificate", args)

                if cert_status and cert_status.certificate then 
                    
                    if not hub_printed then
                        print(addr .. ":")
                        hub_printed = true
                    end

                    local certstatus = ""
                    local cert_str = cert_status.certificate
                    
                    -- Use our new binary detection logic
                    if is_it_sha384(cert_str) then
                        certstatus = "OK SHA-384"
                    else
                        certstatus = "NOT OK!"
                    end

                    if certnum < 10 then
                        print("  cert0" .. certnum .. ".pem: " .. certstatus)
                    else
                        print("  cert" .. certnum .. ".pem: " .. certstatus)
                    end
                end
            end -- end cert loop
        else
            print(addr .. ":")
            print("  ERROR: Hub is down or unreachable")
        end
    end -- end hub loop
end