OS/400 Alert: SSL Certificates
February 11, 2004 Shannon O'Donnell
If your shop is one of the thousands using digital certificates to enable secure transactions between your iSeries and users’ browsers, you may have recently experienced a problem with disabled certificate authorities. If not, chances are you will soon. Read on for more details. Also included in this issue is a list of a few of IBM’s recommended fixes for OS/400 licensed programs.
VERISIGN EXPIRES CERTIFICATE AUTHORITIES
On January 7, Verisign, a major worldwide provider of digital certificates, experienced a sudden surge in demand for verification of its clients’ certificate authorities. This check is performed by connecting to Verisign’s certificate revocation list (CRL) Web site, at crl.verisign.com. The CRL is a file that confirms a certificate authority’s status, identifying whether a particular certificate authority is valid. When the client HTTP servers were unable to connect to the CRL Web site, the certificate authority on the client system was flagged as expired. When the client system was finally able to connect to the site, several hours later, the certificate authority was also marked as expired since January 7.
Not all servers were affected immediately. That’s because, at least for OS/400 HTTP servers, the certificate authority is not generally validated unless the HTTP server itself is restarted, via an IPL or through a specific command to do so. And since many OS/400 shops don’t IPL except for scheduled maintenance, they have not yet experienced the failing of their certificate authority.
If your shop uses the Verisign Class 3 certificate authority to process SSL digital certificates, and you have not IPL’d or otherwise restarted your HTTP server since before January 7, you should be aware that at some point you will need to take corrective action. This will entail deleting the current Verisign Class 3 certificate authority and an intermediate certificate authority you have installed on your OS/400 Server, and then downloading and installing the updated certificate authority and intermediate certificate authority from Verisign. For complete details, and for the location of the new, valid certificate authority from Verisign, go to the company’s Web site.
IBM’S RECOMMENDED FIX OF THE WEEK
IBM’s recommended fix for V5R2 TCP/IP can be found on the Recommended Fixes Web site.
Recommended fixes are available for the V5R2 Telnet server.
Recommended fixes are available for Client Access.
Recommended fixes are available for AS/400 NetServer.
Recommended fixes are available for WebSphere Express 5.0.
THIS WEEK’S NASTY WINDOWS WORRIES
W32.HLLW.Deadhat is an interesting worm. It appears to be helping you by uninstalling the MyDoom virus, but then it actually installs a new virus and spreads that to all other computers on your network. Nasty.
Backdoor.OptixPro.13.C is a Trojan horse that gives a remote hacker full access to your computer over port 4001.
W32.Mimail.T@mm is another mass-mailing worm. Like most worms of this type, it attempts to mail itself to anyone found in your Outlook address book.
W32.HLLW.Gaobot.JB is a virus that attempts to spread itself to any network shares you may have mapped on your PC. Once again, a warning: Although it can’t be directly affected by viruses like these, the AS/400 Integrated File System can act as a repository for them.
VBS.Shania is another backdoor Trojan horse virus that allows access to your computer via port 2414.
PTF’S AND FIXES FOR OS/400 AND RELATED PROGRAMS
IBM’s latest cumulative package for V5R2 customers came out January 21.
The latest HIPER package was released January 20, so you’ll want to grab this one if you’re not current.
The Database Group PTF was updated January 26.