KB Article #182197

Odette will update the TSL to use the SHA-2 algorithm for its signature starting July 1st

Problem

Odette announced that on the 1st of July the TSL will be updated to start using the SHA-2 algorithm for its signature.

The certificates will still be downloaded from http://www.odette.org/tsl/TSL_OFTP2.xml ; this link will not change.



Impact

If your system calls the UPDATE_TSL_STORE workflow or uses “jtood updateTSLstore” to update the Odette TSL certificates, this might no longer work after Odette makes the algorithm change.

An error will be returned when connecting to this URL, and any pending TSL certificate updates will not be imported into TSIM.

There is no impact on the runtime environment!



Solutions

This change from Odette has been addressed in TSIM: a TSL signed with the SHA-2 algorithm is supported starting with SP23 P3, SP24 P4 and SP25 P1 (already available on the support portal) and support will also be included in upcoming Service Packs.


If you are unable to update to one of the above versions, there is also the option to manually configure “jtood updateTSLstore” to download the TSL certificates from a different URL, one pointing to the TSL certificates signed with SHA-1.

The steps to follow are listed below:

  1. Locate the “params” file corresponding to the IS instance you are running OFTP from. (ex. param/is/n0is0/oftp/params)
  2. Change the parameter tsl_url from tsl_url=http://www.odette.org/tsl/TSL_OFTP2.xml to tsl_url=<new_url>
  3. Activate the OFTP2-Serv. from the corresponding slave.
  4. Run “jtood updateTSLstore” again if necessary. To force a reimport of the certificates, delete the file $ACTISEDI/param/tslLastUpdate.upd. TSIM checks http://www.odette.org/TSL/TSL_OFTP2.UPD for a timestamp of the latest update and compares this file to it to see if a reimport is necessary.


Odette has announced that it will keep a URL containing the TSL certificates signed with SHA-1 (the previous algorithm) and has provided the URL below as a backup; this is the URL to use for the <new_url> parameter in the above sequence:

https://www.odette.org/TSL/TSL_OFTP2_SHA1.XML
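As an added example (not part of the original article and not TSIM's own tooling), the POSIX shell functions below carry out steps 1, 2 and 4 of the sequence above against a params file and additionally report which signature algorithm a downloaded TSL declares, so you can confirm whether the file you are pointing at is the SHA-1 backup or the SHA-2 list. Step 3 (activating the OFTP2 service from the slave) is not scripted. Assumptions: the params file holds one key=value per line as shown in step 2, the install root passed to force_tsl_reimport is $ACTISEDI from step 4, and the TSL is an XMLDSig-signed document whose SignatureMethod element names the algorithm (rsa-sha1 for the SHA-1 backup, rsa-sha256 for SHA-2). The demo function runs against a constructed params file in a temporary directory; the params path and both URLs are taken from this article.

```shell
#!/bin/sh
# Added example, not TSIM's own tooling: switch tsl_url in an OFTP params file,
# force a TSL reimport, and inspect which algorithm a downloaded TSL is signed with.
# Layout assumptions: one key=value per line in params; $ACTISEDI is the install root.
set -eu

SHA1_BACKUP_URL="https://www.odette.org/TSL/TSL_OFTP2_SHA1.XML"   # from the article
DEFAULT_TSL_URL="http://www.odette.org/tsl/TSL_OFTP2.xml"          # from the article

# Print the current tsl_url value of a params file.
get_tsl_url() {
    sed -n 's/^tsl_url=//p' "$1"
}

# Step 2: rewrite tsl_url in params file $1 to URL $2, keeping a .bak copy.
set_tsl_url() {
    params="$1"
    new_url="$2"
    [ -f "$params" ] || { echo "params file not found: $params" >&2; return 1; }
    grep -q '^tsl_url=' "$params" || { echo "no tsl_url in $params" >&2; return 1; }
    cp "$params" "$params.bak"
    # '|' as the sed delimiter because the URL contains '/'
    sed "s|^tsl_url=.*|tsl_url=$new_url|" "$params.bak" > "$params"
}

# Step 4: delete the last-update marker under install root $1 so the next
# "jtood updateTSLstore" reimports regardless of the TSL_OFTP2.UPD timestamp.
force_tsl_reimport() {
    marker="$1/param/tslLastUpdate.upd"
    if [ -f "$marker" ]; then
        rm -f "$marker"
        echo "removed $marker; next updateTSLstore will reimport"
    else
        echo "no marker at $marker; nothing to do"
    fi
}

# Print the XMLDSig SignatureMethod algorithm URI of TSL file $1 (assumption: the
# TSL carries an XMLDSig Signature; rsa-sha1 marks the SHA-1 backup, rsa-sha256 SHA-2).
tsl_signature_method() {
    { tr -d '\n' < "$1"; echo; } \
      | sed -n 's/.*<[A-Za-z0-9]*:\{0,1\}SignatureMethod[^>]*Algorithm="\([^"]*\)".*/\1/p'
}

# Demo on a constructed params file in a temporary directory (no real TSIM install needed).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/param/is/n0is0/oftp"
    printf 'tsl_url=%s\n' "$DEFAULT_TSL_URL" > "$root/param/is/n0is0/oftp/params"
    set_tsl_url "$root/param/is/n0is0/oftp/params" "$SHA1_BACKUP_URL"
    echo "tsl_url is now: $(get_tsl_url "$root/param/is/n0is0/oftp/params")"
    touch "$root/param/tslLastUpdate.upd"
    force_tsl_reimport "$root"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run the file with the single argument demo to see the constructed walk-through; on a real system call set_tsl_url with the actual params path (for example $ACTISEDI/param/is/n0is0/oftp/params) and force_tsl_reimport with $ACTISEDI, then proceed with step 3 and step 4 as described. Keeping the .bak copy matters because, as the article notes, the change must be reverted by hand after upgrading to one of the referenced SPs/Patches.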


Please note that there is no information on how long this backup URL (for the TSL certificates signed with SHA-1) will exist, so it is highly recommended to consider upgrading your system to one of the referenced SPs/Patches.


Also please be advised that the above SPs/Patches do not make any configuration changes: if you implement the above manual change and then upgrade to one of the referenced SPs/Patches, the configuration change will need to be reverted manually (set tsl_url=http://www.odette.org/tsl/TSL_OFTP2.xml again).