At OpenText, the security and privacy of our customers' information is our top priority.
With recent advances in cryptographic attacks, network security experts have warned that using SHA-1 certificates could allow an attacker to spoof content, perform phishing attacks, or perform "man-in-the-middle" attacks.
Although this potential vulnerability is not with OpenText™ Trading Grid™, OpenText Information Exchange, OpenText EasyLink GMS or OpenText EasyLink ICC.Net, we are issuing this advisory as part of our ongoing effort to help maintain the highest levels of data integrity and security for our customers.
Frequently Asked Questions
What is SHA-2?
SHA-2 is a cryptographic hash algorithm that was first published by the U.S. National Security Agency in 2001. SHA stands for Secure Hash Algorithm. SHA hash functions are used in security applications and protocols such as TLS and SSL, and in conjunction with public-key algorithms for both encryption and digital signatures.
Why is OpenText transitioning from SHA-1 to SHA-2 certificates?
With recent advances in cryptographic attacks, network security experts have warned that using SHA-1 certificates could allow an attacker to spoof content, perform phishing attacks, or perform “man-in-the-middle” attacks. Although this potential vulnerability is not with the OpenText™ Trading Grid™, OpenText Information Exchange, OpenText EasyLink GMS or OpenText EasyLink ICC.Net, we are moving to SHA-2 certificates as part of our ongoing effort to help maintain the highest levels of data integrity and security for our customers.
The hash function used in SHA-2 certificates is significantly stronger and not subject to the same vulnerabilities as SHA-1.
To find out if your internal systems support SHA-2, please visit: https://www.digicert.com/sha-2-compatibility.htm
What is OpenText doing to move to SHA-2?
OpenText will start renewing all certificates as SHA-2 when the current certificate expires. We plan to completely transition from SHA-1 to SHA-2 certificates by January 1, 2017, the date by which Microsoft® has announced they will cease their support for SHA-1 certificates. SHA-2 certificates will be issued by our current certificate authority, Comodo.
Note: We reserve the right to upgrade pre-production environment certificates before they expire to allow customers time to test with their trading partners.
How does this affect me?
If you or your trading partner uses FTPS, AS2, RosettaNet, OFTP, MQ, AS3 or another protocol to establish a digitally signed or encrypted message exchange connection with the Trading Grid™, Information Exchange, EasyLink GMS, or EasyLink ICC.Net, OpenText recommends that you begin preparing to replace your SHA-1 certificates with SHA-2 certificates to enhance security protections.
What do I need to do?
To prepare for this change and help ensure a smooth certificate renewal process:
- Check with your service or software provider to ensure that your communications software supports SHA-2 certificates issued by Comodo.
  - If yes, you will be ready to coordinate your transition to the more secure SHA-2 certificate when your current OpenText public key certificate expires.
  - If no, and your current communications software provider is unable to assist you, please contact your OpenText Customer Manager to discuss the options available to you.
- Contact your trading partners and have them perform the same verification with their communications software providers to ensure that their communications software supports SHA-2 certificates issued by Comodo, our current certificate authority vendor.
Will the certificate renewal process change?
There will be no change to the certificate renewal processes. However, OpenText may renew certificates as SHA-2 prior to their expiration date to ensure compliance before the January 1, 2017 deadline.
What services are affected by this change?
This change affects all SSL browser certificates and certain communications protocols. If you connect to OpenText using a modern web browser, you will not be affected by the certificate upgrade.
Note: this does not currently affect SSH, PGP, or GPG encryption keys.
What protocols are affected by this change?
The following protocols are affected by the transition to SHA-2 certificates:
- SSL-FTP (FTPS)
- Sterling/IBM – Connect:Direct Secure Plus
My communications software cannot support SHA-2 certificates. What do I do?
Although OpenText recommends transitioning to SHA-2 certificates as the most effective way to help maintain data integrity and security, we understand that not all customers can support SHA-2 certificates.
If your software does not support SHA-2 or self-signed certificates, the Certificates Exchange Team will work with you to provide an alternative for up to one year. After December 31, 2015, OpenText will no longer provide alternative certificate issuance options. Beginning in 2016, the Certificates Exchange Team will disable all SHA-1 certificate issuance options, requiring customers to move to a SHA-2 or self-signed certificate. If you are still unable to support SHA-2 certificates at that time, the Certificates Exchange Team will work with you to implement a self-signed SHA-1 certificate.
Certificates Exchange Team
Telephone: 1-800-334-2255 x2378 (CERT)