A Replacing Certificate Signed Using MD5 Algorithm with Certificate Signed Using SHA-2 Algorithm

Oracle strongly recommends that you refrain from using a certificate signed with Message Digest 5 Algorithm (MD5), because the security of MD5 algorithm has been compromised. Therefore, you must replace the certificate signed using MD5 algorithm with a certificate signed with Secure Hashing Algorithm 2 (SHA-2). By default, certificates signed using MD5 algorithm are no longer supported in Oracle HTTP Server.

• How to Check whether Certificate Signed with MD5 Algorithm is Present in the Wallet?
  You can use the orapki utility to display whether your wallet contains a certificate signed with MD5 algorithm.
• Removing Certificate Signed with MD5 Algorithm from the Wallet
  If the Signature algorithm name is displayed equal to "MD5withRSA", it means that a certificate signed with MD5 algorithm is present in your wallet. You must replace this certificate with certificate signed using SHA2 algorithm.
• Adding Certificate Signed with SHA-2 Algorithm to the Wallet
  If you are using CA-signed user certificate that is signed with MD5 algorithm, contact your certificate authority to a get a new user certificate signed with SHA-2 algorithm and import it in to the wallet.
• Enabling Support for Certificate Signed with MD5 Algorithm in your 12.2.1.2 Oracle HTTP Server Deployment
  By default, support of certificate signed with MD5 algorithm has been removed because the security of MD5 algorithm is severely compromised. If you still want to use certificate signed using MD5 algorithm, you can enable the support for a certificate signed with MD5 algorithm by following the procedure in this section. However, enabling support for certificates signed using MD5 algorithm is not recommended.

A.1 How to Check whether Certificate Signed with MD5 Algorithm is Present in the Wallet?

You can use the orapki utility to display whether your wallet contains a certificate signed with MD5 algorithm.

To check whether MD5 certificate is present in your wallet:

1. Locate orapki and keytool path:
   (orapki) ORACLE_HOME/oracle_common/bin/orapki
   (Keytool) ORACLE_HOME/oracle_common/jdk/jre/bin
2. Set the JAVA_HOME environment variable as follows:
   export JAVA_HOME=ORACLE_HOME/oracle_common/jdk/jre/
3. Display the wallet contents by entering the following command:
   orapki wallet display -wallet wallet_location
   Sample command:
   ORACLE_HOME/oracle_common/bin/orapki wallet display -wallet /scratch/ohs12.2.1.x_install/walletohs2/
   Output:

   Oracle PKI Tool : Version 12.2.0.1.0
   Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
   
   Requested Certificates:
   User Certificates:
   Subject: CN=www.xyx.com,C=IN
   Trusted Certificates:
   Subject: CN=www.xyx.com,C=IN
   

4. Identify the domain name (DN) of the certificate present in the wallet. In this example, Subject of User Certificates is the DN of the certificate present in the wallet; which is "CN=www.xyx.com,C=IN".
5. Export the certificate present in the wallet as shown in the following example:
   orapki wallet export -wallet wallet_Location -dn 'DN_string' -cert certificate_file
   Sample command:
   ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet /scratch/ohs12.2.1.x_install/walletohs2/ -dn  'CN=www.xyx.com,C=IN' -cert wallet.cert
6. Use the keytool to check the signature algorithm used to sign the certificate_file that you exported in the previous step by entering the following command:
   ORACLE_HOME/oracle_common/jdk/jre/bin/keytool -printcert -file certificate_file
   Sample command:
   /scratch/ohs12.2.1.x_install/oracle_common/jdk/jre/bin/keytool -printcert -file wallet.cert
   Output:

   Owner: CN="Self-Signed Certificate for ohs3 ", OU=OAS, O=ORACLE, L=REDWOODSHORES, ST=CA, C=US
   Issuer: CN="Self-Signed Certificate for ohs3 ", OU=OAS, O=ORACLE, L=REDWOODSHORES, ST=CA, C=US
   Serial number: cd7081c47adb9ff867da01e3fe383e0f
   Valid from: Fri Jul 01 04:21:40 PDT 2016 until: Sat Jun 19 04:21:40 PDT 2066
   Certificate fingerprints:
    MD5: 89:4D:C4:B4:28:7E:D4:0A:93:CA:E4:97:0C:F0:CE:86
    SHA1: 53:FB:D6:58:0D:09:85:E9:6D:55:E2:92:E7:87:08:B8:65:92:15:9E
    Signature algorithm name: MD5withRSA
    Version: 1
   

   "Signature algorithm name: MD5withRSA" implies that MD5 algorithm is being used to sign the certificate present in the wallet.

A.2 Removing Certificate Signed with MD5 Algorithm from the Wallet

If the Signature algorithm name is displayed equal to "MD5withRSA", it means that a certificate signed with MD5 algorithm is present in your wallet. You must replace this certificate with certificate signed using SHA2 algorithm.

To remove certificates signed with MD5 algorithm from your wallet:

1. Enter the following command to remove a user certificate signed using MD5 algorithm:
   orapki wallet  remove -wallet wallet_location -dn 'DN_string' -user_cert -auto_login_only
   Sample command:
   /scratch/ohs12.2.1.x_install/oracle_common/bin/orapki wallet remove -wallet /scratch/ohs12.2.1.x_install/walletohs2/ -dn 'CN=www.xyx.com,C=IN' -user_cert -auto_login_only
   Output:

   Oracle PKI Tool : Version 12.2.0.1.0
   Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
   

2. If the user certificate is a self-signed certificate, you need to remove it from the "trusted certificate" and the "requested certificate" list by entering the following commands:
   orapki  wallet  remove  -wallet  wallet_location -dn  'DN_string' -trusted_cert  -auto_login_only
   orapki  wallet  remove  -wallet  wallet_location -dn  'DN_string' -cert_req  -auto_login_only
   Sample command:
   /scratch/ohs12.2.1.x_install/oracle_common/bin/orapki wallet remove -wallet /scratch/ohs12.2.1.x_install/walletohs2/ -dn 'CN=www.xyx.com,C=IN' -trusted_cert -auto_login_only
   Output:

   Oracle PKI Tool : Version 12.2.0.1.0
   Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
   

3. If a wallet has trusted certificate or a certificate request which is signed using MD5 algorithm, remove that certificate by entering the following commands:
   orapki wallet remove -wallet wallet_location -dn 'DN_string' -trusted_cert -auto_login_only remove cert request
   orapki wallet remove -wallet wallet_location -dn 'DN_string' -cert_req -auto_login_only

A.3 Adding Certificate Signed with SHA-2 Algorithm to the Wallet

If you are using CA-signed user certificate that is signed with MD5 algorithm, contact your certificate authority to a get a new user certificate signed with SHA-2 algorithm and import it in to the wallet.

To add self-signed certificate, signed using SHA-2 algorithm:

1. If certificate is self-signed, enter the following command to add self-signed certificate signed using SHA-2 algorithm:
   orapki wallet add -wallet wallet_Location  -dn 'DN_String' -keysize 2048 -sign_alg sha256  -self_signed -validity 9125 -auto_login_only
   Sample command:
   /scratch/ohs12.2.1.x_install/oracle_common/bin/orapki wallet add -wallet /scratch/ohs12.2.1.x_install/walletohs2/ -dn 'CN=www.xyx.com,C=IN' -keysize 2048 -sign_alg sha256  -self_signed -validity 9125 -auto_login_only
2. Add trusted certificate signed using SHA-2 algorithm to wallet by entering the following command:
   orapki -wallet add -wallet wallet_location -trusted_cert -cert certificate_file -auto_login_only
3. Add user certificate signed using SHA-2 algorithm to wallet by entering the following command:
   orapki -wallet add -wallet wallet_location -user_cert -cert certificate_file -auto_login_only

The operation is successful if you see Signature algorithm name equal to "SHA256withRSA" when you print your certificate file. Following is a sample output:

Owner: CN=www.xyx.com, C=IN
Issuer: CN=www.xyx.com, C=IN
Serial number: f689ec6986c70f973138962eb2f0e5f9
Valid from: Wed May 11 04:01:24 PDT 2016 until: Sat Oct 27 04:01:24 PDT 2018
Certificate fingerprints:
   MD5:  D7:0F:CB:00:A7:04:33:DA:2F:8A:AD:C9:2A:9E:DF:26
   SHA1: D4:6C:51:DB:53:B5:F5:C7:60:8D:8B:95:68:E6:B0:5E:E8:00:ED:DF
   SHA256: B1:EF:73:98:EA:6A:1A:60:FF:1F:10:89:8C:B8:16:63:71:03:1B:6E:38:D1:2D:AE:E9:BD:3E:13:BE:AF:A0:76
   Signature algorithm name: SHA256withRSA
   Version: 1

A.4 Enabling Support for Certificate Signed with MD5 Algorithm in your 12.2.1.2 Oracle HTTP Server Deployment

By default, support of certificate signed with MD5 algorithm has been removed because the security of MD5 algorithm is severely compromised. If you still want to use certificate signed using MD5 algorithm, you can enable the support for a certificate signed with MD5 algorithm by following the procedure in this section. However, enabling support for certificates signed using MD5 algorithm is not recommended.

To enable support for a certificate signed with MD5 algorithm:

1. For Standalone Oracle HTTP Server deployment:
   1. Stop the Oracle HTTP Server instance and the Node Manager.
   2. Change to the following staging directory:
      (UNIX) ORACLE_HOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/
      (Windows) ORACLE_HOME\user_projects\domains\base_domain\config\fmwconfig\components\OHS\ohs1\
   3. Open the ohs.plugins.nodemanager.properties file in edit mode and add the following line:
      environment.ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES = 1
   4. Restart the Node Manager and the Oracle HTTP Server instance.
2. For Managed Oracle HTTP Server deployment:
   1. Stop the Oracle HTTP Server instance, Node Manager, and the WebLogic Server.
   2. Change to the following staging directory:
      (UNIX) ORACLE_HOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/
      (Windows) ORACLE_HOME\user_projects\domains\base_domain\config\fmwconfig\components\OHS\ohs1\
   3. Open the ohs.plugins.nodemanager.properties file in edit mode and add the following line:
      environment.ORACLE_SSL_ALLOW_MD5_CERT_SIGNATURES = 1
   4. Restart the WebLogic Server, Node Manager, and the Oracle HTTP Server instance.

You must perform this procedure on each Oracle HTTP Server instance.