SDN replacement?


Loyall, David

Mar 26, 2019, 10:49:43 AM
to phi...@googlegroups.com
Hello, everyone!

Sorry, I've been inactive on this mailing list for some time. What's new?

Our state uses an SDN certificate stored in LDAP for payload encryption.

It's going to expire in August. Does anyone have any news about a replacement?

We'd be okay with creating our own certificate, but distribution via a major third-party LDAP directory, which various PHINMS clients are already configured to contact, is a major feature of SDN. I don't know if Verisign will accept an upload of a certificate from us.

What are our options?

Cheers, thanks,

--David Loyall
Nebraska DOH

Schneider, Edward (MNIT)

Mar 26, 2019, 10:59:33 AM
to phi...@googlegroups.com
I don't know about August, but CDC did notify me (via DigiCert) of the forthcoming expiration of my prior PKI certificate in February, and processed a renewal, good for one year, that was to be stored in the DigiCert DBA Symantec (DBA Verisign?) LDAP query responder. I think that the renewal is in place there as of the end of last week... Otherwise I distributed copies of the public version of the cert for our exchange partners using that method instead of the LDAP query result for message encryption in their PHINMS folder-polling configurations.


Edward A. Schneider
Information Technology Specialist/Middleware Administration | Application Data Services Unit
Minnesota IT Services | Partnering with Minnesota Department of Health
625 North Robert St.
St. Paul, Minnesota 55164-0975
O: 651/201-4047
Information Technology for Minnesota Government | mn.gov/mnit

Schneider, Edward (MNIT)

Mar 26, 2019, 11:39:26 AM
to phi...@googlegroups.com
Supplementary note as to the LDAP query responder: Some of our exchange partners had to delete their senderldapCache\cache files and restart PHINMS to get the current (new) certificate for message encryption in place on the date my old certificate expired.

Also, for those not knowing the trick: PHINMS doesn't independently check the message encryption certificate expiration date. So if you state the expiration date for an expiring certificate is later than it expires in fact, in the PHINMS console's secondary certificate entry, PHINMS will continue to decrypt incoming messages using the old cert (as a secondary key) until its PHINMS-recorded expiry. This furnishes some leeway to laggard exchange partners in substituting the new message encryption cert for an expired one. (A practical consideration, rather than the ideal state of affairs: better to fudge the expiration and get the data, than have the data delayed and manually re-sent.)

This also alleviated a prior problem with LDAP query responses on the changeover date, where Symantec left the old, technically expired cert in place as primary for that day and put the new one as secondary, meaning that LDAP-sourced message encryption came in with the old encryption instead of the new that day. If PHINMS "expired" the secondary cert as of its actual expiration date and time, those changeover-day, old-cert messages would not decrypt.


Edward A. Schneider
Information Technology Specialist/Middleware Administration | Application Data Services Unit
Minnesota IT Services | Partnering with Minnesota Department of Health
625 North Robert St.
St. Paul, Minnesota 55164-0975
O: 651/201-4047
Information Technology for Minnesota Government | mn.gov/mnit





-----Original Message-----
From: phi...@googlegroups.com <phi...@googlegroups.com> On Behalf Of Loyall, David
Sent: Tuesday, March 26, 2019 9:50 AM
To: phi...@googlegroups.com
Subject: SDN replacement?

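The changeover behaviour Edward describes above (PHINMS honouring the console-recorded expiry rather than the certificate's own notAfter, and the LDAP responder serving an expired cert as primary for a day) is easy to lose track of during a rotation. The following is an added example, not PHINMS code or anything from CDC/DigiCert: it models each key as a record with both its real expiry and its console-recorded expiry, reports which keys a receiver would still try at a given moment, and flags the conditions a receiving site should review on changeover day. `CertRecord`, `decryptable_with`, `audit`, and the dates in `SAMPLE_RECORDS` are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertRecord:
    """One message-encryption certificate as a receiving site sees it (constructed model)."""
    label: str
    slot: str                  # "primary" or "secondary", as served by the LDAP responder
    not_after: datetime        # real notAfter taken from the certificate itself
    recorded_expiry: datetime  # expiry typed into the PHINMS console for this key


def decryptable_with(records, at):
    """Labels of the keys the receiver would still try at time `at`.

    As described in the thread, the console-recorded expiry is what counts,
    not the certificate's own notAfter, so a deliberately late recorded
    date keeps the old key in play for senders who have not switched yet.
    """
    return [r.label for r in records if r.recorded_expiry > at]


def audit(records, at, warn_days=30):
    """Findings worth reviewing around a certificate changeover.

    EXPIRED_PRIMARY:     the responder still serves an expired cert as
                         primary, so LDAP-sourced senders encrypt to a
                         dead key that day.
    EXPIRES_SOON:        renewal and distribution should be in motion.
    RECORDED_AFTER_REAL: the console expiry is later than the real one
                         (the leeway trick); track it so the old key is
                         removed once partners have caught up.
    """
    findings = []
    for r in records:
        if r.slot == "primary" and r.not_after <= at:
            findings.append((r.label, "EXPIRED_PRIMARY"))
        elif at < r.not_after <= at + timedelta(days=warn_days):
            findings.append((r.label, "EXPIRES_SOON"))
        if r.recorded_expiry > r.not_after:
            findings.append((r.label, "RECORDED_AFTER_REAL"))
    return findings


# Constructed changeover-day scenario; these are not dates from any real responder.
REAL_EXPIRY = datetime(2019, 2, 28, 23, 59, 59, tzinfo=timezone.utc)
CHANGEOVER = REAL_EXPIRY + timedelta(hours=8)   # the morning after the old cert expired

SAMPLE_RECORDS = [
    # Old cert: really expired, still served as primary, console expiry fudged 14 days later.
    CertRecord("old-2018", "primary", REAL_EXPIRY, REAL_EXPIRY + timedelta(days=14)),
    # New cert: one-year renewal, served as secondary on changeover day.
    CertRecord("new-2019", "secondary",
               REAL_EXPIRY + timedelta(days=365), REAL_EXPIRY + timedelta(days=365)),
]


def main():
    for label in decryptable_with(SAMPLE_RECORDS, CHANGEOVER):
        print("receiver will still try key:", label)
    for label, code in audit(SAMPLE_RECORDS, CHANGEOVER):
        print(f"{code:20s} {label}")


if __name__ == "__main__":
    main()
```

Running `main()` on the constructed scenario shows both keys still usable on changeover morning (so the old-cert messages from that day still decrypt), with the old cert flagged as an expired primary and as having a recorded expiry past its real one. Running `audit` again a few weeks later is the reminder to clear the fudged entry once the old key has dropped out of `decryptable_with`.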