Wednesday, October 14, 2015

[TechNote] SHA-2 Support IBM HTTP Server

Original:

Can IHS use SHA-2 (sha224, sha256, sha384, sha512) digest algorithms?

    Runtime issues

    • Any version of IBM HTTP Server with GSKit 7.0.4.14 and later can use and/or validate SHA-2 certificate signatures at runtime.
    • Only IBM HTTP Server 8.0 and later can use SSL ciphers that use a SHA-2 based digest, since such ciphers are valid only in TLSv1.2 which is not supported by GSKit 7 used in prior IHS releases.

    Certificate management issues

    • IHS 6.1 only supports command-line SHA-2 management with gsk7capicmd, under GSKit 7.0.4.28 and later.
      Ikeyman V7 and gsk7cmd used in this release do not support SHA-2, except to 'view' certificates which have been signed with a SHA-2 algorithm.
    • IHS 7.0 supports command-line SHA-2 management with gsk7capicmd under GSKit 7.0.4.28 and later, as well as in Ikeyman/gskcmd (V8) at any maintenance level.
    • IHS 8.0 and later supports SHA-2 certificate management with gskcapicmd and Ikeyman/gskcmd (V8) at any maintenance level.
    • The WebSphere Administration Console certificate management panels can create SHA-2 CSRs and self-signed certificates after PM48805 (7.0.0.23, 8.0.0.3, and 8.5.5.0 and later).
    • Ikeyman versions since 8.0.383 added support for additional elliptic curve signature algorithms: SHA2WithECDSA (i.e. SHA256), SHA3WithECDSA (i.e. SHA384), and SHA5WithECDSA (i.e. SHA512) when creating certificate signing requests or self-signed certificates.
      Earlier versions of Ikeyman can be updated by updating the Java installed with IHS.
      Ikeyman 8.0.383 started shipping with Java versions: IBM Java 7.1 sr1, Java 7.0sr7, Java 6.26sr1fp8, Java 6.0sr15fp2. Applying a WASSDK interim fix that contains Java at these versions or newer as appropriate for your version of IHS (example: PI14303 or PI14305) over your IHS installation will update the Java (and Ikeyman) in IHS.
    • IHS 6.1, 7.0, 8.0 and later support using SHA-2 for certificate signing requests (CSR) and self-signed certificates, with certain restrictions.
      Note that the algorithm used in the CSR does not directly influence the algorithm used in the resulting certificate chain.


Global Security Kit (GSKit) supported versions for releases of IBM HTTP Server


The following are the minimum supported versions of the Global Security Kit (GSKit) for use with each referenced release of IBM HTTP Server. The GSKit can be installed as part of the IBM HTTP Server installation.


  • IBM HTTP Server V6.1 releases (supports Global Security Kit Version 7 only)

    V6.1.0.0: GSKit 7.0.3.20 (or higher)

  • IBM HTTP Server V7.0 releases (supports Global Security Kit Version 7 only)

    V7.0.0.0: GSKit 7.0.4.17 (or higher)

  • IBM HTTP Server V8.0 releases (supports Global Security Kit Version 8 only)

    V8.0.0.0: GSKit 8.0.14.9 (or higher)

  • IBM HTTP Server V8.5 releases (supports Global Security Kit Version 8 only)

    V8.5.0.0: GSKit 8.0.14.9 (or higher)

How to determine the Global Security Kit (GSKit) version installed 

IBM HTTP Server V6.1 
  • Linux - /usr/local/ibm/gsk7/bin/gsk7ver
  • AIX - /usr/opt/ibm/gsk7/bin/gsk7ver
  • Solaris Operating System - /opt/ibm/gsk7/bin/gsk7ver
  • HPUX - /opt/ibm/gsk7/bin/gsk7ver
  • Win32 - \Program Files\IBM\gsk7\bin\gsk7ver.exe

IBM HTTP Server V7.0 
  • Win32 - <IHS Install Root>/bin/gsk7ver.bat
  • Unix - <IHS Install Root>/bin/gsk7ver.sh
Note: GSKit V7 is installed locally within <ihs_inst/gsk7>

IBM HTTP Server V8.0 and V8.5 
  • Win32 - <IHS Install Root>/bin/gskver.bat
  • Unix - <IHS Install Root>/bin/gskver.sh
Note: GSKit V8 is installed locally within <ihs_inst/gsk8>



Example output (Win32): 

C:\Program Files\IBM\gsk7\bin>gsk7ver.exe

The command invokes all the GSKit shared libraries and displays the version information about each library. 

Note: When running the GSKit version command on a Windows platform, you must ensure the GSKit library directory (e.g. c:\program files\ibm\gsk7\lib) is included in the PATH variable under system variables. Otherwise, the output from running the command will not be displayed.
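
The SHA-2 rules and minimum GSKit levels listed above, applied to a single server; this is an added example, not part of the original TechNote. The function names and the key=value output are assumptions of this example, and the versions are passed in by the operator because the output format of gsk7ver/gskver is not shown on this page.

```shell
#!/bin/sh
# Added example: applies the version rules from this note to one server.
# Versions are passed as arguments; gsk7ver/gskver output is not parsed.

# ver_ge A B: succeed when dotted numeric version A >= B (missing fields = 0).
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

yn() { if "$@"; then echo yes; else echo no; fi; }

# sha2_report IHS_RELEASE GSKIT_VERSION: print one key=value line per rule.
sha2_report() {
    ihs=$1; gsk=$2
    case $ihs in
        6.1*) min=7.0.3.20; ikeyman=no ;;    # Ikeyman V7: view only
        7.0*) min=7.0.4.17; ikeyman=yes ;;   # Ikeyman/gskcmd V8
        8.0*|8.5*) min=8.0.14.9; ikeyman=yes ;;
        *) echo "error=unlisted IHS release: $ihs"; return 2 ;;
    esac
    # Supported = GSKit major matches the release and level >= minimum.
    if [ "${gsk%%.*}" = "${min%%.*}" ] && ver_ge "$gsk" "$min"; then
        echo "gskit_supported=yes"
    else
        echo "gskit_supported=no"
    fi
    # SHA-2 certificate signatures at runtime: GSKit 7.0.4.14 and later.
    echo "sha2_cert_signatures=$(yn ver_ge "$gsk" 7.0.4.14)"
    # SHA-2 based cipher suites need TLSv1.2, i.e. IHS 8.0 and later.
    echo "sha2_ciphers=$(yn ver_ge "$ihs" 8.0)"
    # Command-line management: GSKit 7 needs 7.0.4.28; GSKit 8 any level.
    case $ihs in
        6.1*|7.0*) echo "sha2_capicmd=$(yn ver_ge "$gsk" 7.0.4.28)" ;;
        *) echo "sha2_capicmd=yes" ;;
    esac
    echo "sha2_ikeyman_manage=$ikeyman"
}

# Constructed sample: an IHS 7.0 host reporting GSKit 7.0.4.20.
sha2_report 7.0 7.0.4.20
```
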
