
Our SSL certificate (located on an F5 load balancer) used when accessing our LDAP 
directories is about to expire.  The directory is Oracle (ne Sun) and the certificate
is Verisign 1024 bits.  The F5 does SSL termination.  There are several hundred 
hosts that bind to the directory on a given day, many representing major systems.

While arranging for testing, we are also trying to gauge the client system (wide variety)
impact of updating to 

(a) a Verisign 2048 bit cert
or
(b) an InCommon 2048 bit cert

While InCommon would be our preference, our highest priority is to minimize the number of
client systems/applications that need manual certificate updates.

Anyone have recent experience (or sage advice) with such a maneuver?

Thanks - Gary

Comments

While not recent (this is a few years ago now), when we switched our LDAP SSL cert from Thawte to InCommon, we had several Java apps blow up because older Sun JVM packages did not trust the AddTrust External CA Root by default. I would expect this to be less of a problem now, unless you still have Java apps calling your server and using now really old (and unsupported) JVMs.

On 4/26/2013 9:12 AM, Gary Chapman wrote:

--
Christopher A. Bongaarts
cab@umn.edu
OIT - Identity Management
http://umn.edu/~cab
University of Minnesota
+1 (612) 625-1809
Message from atlunde@panix.com

On 4/26/2013 9:12 AM, Gary Chapman wrote:
> While arranging for testing, we are also trying to gauge the client
> system (wide variety) impact of updating to

There have been enough updates to Verisign's CAs over time that I think it is a wash; you should expect to need to update your trusted CAs in the client systems in either case.

--
Albert Lunde
albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)

I can echo Christopher's experiences with switching a directory server to InCommon. The majority of the blowups we had were Java-based. Do you have a sense of how many of the clients are using a Java cacerts file?

-Mike

We had several more problems changing between Verisign roots (2-3 years ago) than moving to InCommon (recently). I think that the improved experiences were:

- Partially due to all the Java-vulnerability press coverage and subsequent client-side updates that probably updated their cacerts bundle
- Mostly due to increased understanding by customers that they really need to test against the new SSL config that we put up before we turn off the old SSL config. Some of them missed testing opportunities for the Verisign changes because they assumed the best and got burned.

Bert Bee-Lindgren, Identity Management & Middleware
IT/EIS :: Georgia Tech :: 811 Marietta, Across from Richard Tanner (Cube 230 on Fridays)
W: 877-237-8251 :: SMS: 402-237-8251 :: AIM: BertBeeLindgren
https://mail.gatech.edu/home/bl17?fmt=freebusy (my availability)

----- Original Message -----
> From: "Mike Osterman"
> To: IDM@LISTSERV.EDUCAUSE.EDU
> Sent: Friday, April 26, 2013 11:51:15 AM
> Subject: Re: [IDM] LDAP - SSL certificate expiration
>  how many of the clients are using a java cacerts file?

Truly not known.  No doubt many of the applications in use are Java-based, but they are
under highly distributed management, so our IdM group knows nothing about app details in
the vast majority of cases.

Thanks to everybody who replied, by the way!

- Gary Chapman / NYU
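A pre-cutover check in the spirit of Bert's "test against the new config before the old one is turned off" and Mike's cacerts question, as an added example that is not from the thread: it verifies the chain served by the new LDAPS endpoint with openssl and checks whether a client's Java cacerts store already carries the AddTrust External CA Root. The endpoint, CA bundle and cacerts paths are placeholder assumptions, and the sample transcripts are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Run on a client host while BOTH the old and
# the new LDAPS configs are up, so a trust failure is caught before the cutover.
NEW_LDAPS="${NEW_LDAPS:-ldap-new.example.edu:636}"          # assumed test endpoint
CAFILE="${CAFILE:-/etc/ssl/certs/ca-certificates.crt}"      # assumed OS CA bundle
CACERTS="${CACERTS:-$JAVA_HOME/jre/lib/security/cacerts}"   # typical JRE 6/7 location
ROOT_CN="AddTrust External CA Root"    # root the 2013-era InCommon chain ended at

# True when an `openssl s_client` transcript ($1) shows the chain was verified.
chain_verified() {
  printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'
}

# True when a `keytool -list -v` dump ($1) holds a trusted cert whose subject CN is $2.
root_in_store() {
  printf '%s\n' "$1" | grep -q "^Owner: CN=$2,"
}

# Live check 1: does this host's CA bundle verify the chain on the new endpoint?
check_openssl() {
  out=$(echo | openssl s_client -connect "$NEW_LDAPS" -CAfile "$CAFILE" 2>&1)
  if chain_verified "$out"; then echo "OK   openssl verifies $NEW_LDAPS"
  else echo "FAIL openssl cannot verify $NEW_LDAPS:"; printf '%s\n' "$out" | grep -i 'verify'; fi
}

# Live check 2: does the JVM's cacerts already trust the new root? (changeit is the stock password)
check_java_store() {
  out=$(keytool -list -v -keystore "$CACERTS" -storepass changeit 2>&1)
  if root_in_store "$out" "$ROOT_CN"; then echo "OK   $ROOT_CN is in $CACERTS"
  else echo "FAIL $ROOT_CN is missing from $CACERTS; this JVM needs a manual import"; fi
}

# Constructed sample transcripts, used to exercise the parsers without network or a JVM.
SAMPLE_OK='depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
Verify return code: 0 (ok)'
SAMPLE_BAD='depth=0 CN = ldap.example.edu
verify error:num=21:unable to verify the first certificate
Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_KEYTOOL='Alias name: addtrustexternalca
Entry type: trustedCertEntry
Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE'

# Only touch the network and the keystore when invoked as: sh check_ldaps.sh run
if [ "${1:-}" = "run" ]; then check_openssl; check_java_store; fi
```

A client whose openssl check passes but whose cacerts check fails is exactly the Java case Christopher and Mike describe: the OS trusts the new root, the JVM does not.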
