Read on for fixes and remedies
These changes have two areas of impact on Teamcenter:
1. Code signing in the Java Applets (SSO, OTW and thin client) and Microsoft Office Add-ins
2. Runtime https/ssl communications
Note: Teamcenter binaries such as C++ or Java executables and C++ shared libraries and DLLs are not affected by this announcement. For example, the Teamcenter server process and Teamcenter FMS cache processes (FSC/FCC) are not affected.
References:
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
https://technet.microsoft.com/en-us/library/security/2880823.aspx
https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1
Oracle has finally commented on this (November 16):
https://blogs.oracle.com/java-platform-group/entry/strengthening_signatures_part_2
REMEDY:
PART 1: Code signing (Java applets and .NET Microsoft integrations):
• Tc11.2.x
o Java Applets changed to use only SHA-256 certificates at Tc11.2.0
o Microsoft Office Add-ins changed to use SHA-256 certificates at Tc11.2.0. Note: Word and PowerPoint downgrade these to SHA-1 due to our support of MS Office 2010 and .NET 4.0. Microsoft currently says this is working as expected, since Microsoft Office is currently not validating certificates.
• Tc10.1.x
o We will add a time stamp to our SHA-1 certificates for all .NET Microsoft Office Add-ins.
Note: Currently, Microsoft has told us they have no plan for Microsoft Office to validate add-in certificates, but this could change at any time.
To cover the possibility that Microsoft Office will validate add-in certificates, a future patch will be made available with SHA-256 certificates for all .NET Microsoft Office Add-ins.
o Java Applets are signed with SHA-256 certificates in all service packs and patches built after July 2013.
Note: From the Oracle link provided above, Oracle Java will continue to accept SHA-1 signed applets at least through early 2016. Our testing indicates it is the JVM used by the browser that will do the certificate validation of the Java Applets rather than the underlying Microsoft OS and/or browser.
o The following Tc10.1.x patches are the first patches to contain updated certificates for Microsoft Office Add-ins. The Java Applets with SHA-256 certificates are in these patches, but also in any other patches after July 2013:
Tc10.1.1.2_a01_9
Tc10.1.2.1_a01_7
Tc10.1.2.2_a01_6
Tc10.1.2.3_a01_7
Tc10.1.3_a01_4
Tc10.1.3.1_a01_4
Tc10.1.3.2_a01_5
Tc10.1.4_a01_4
Tc10.1.4.1_a01_2
Tc10.1.4.2_a01_1
• Tc9.1.x
o We will add a time stamp to SHA-1 certificates for our .NET Microsoft integrations only.
Note: Currently, Microsoft has told us they have no plan for Microsoft Office to validate add-in certificates, but this could change at any time.
Due to Visual Studio limitations, we have no plans to provide SHA-256 certificates for the versions of MS Office supported by Teamcenter 9.1.x.
o Java Applets will be signed with SHA-256 certificates for all patches built after July 2013.
Note: From the Oracle link provided above, Oracle Java will continue to accept SHA-1 signed applets at least through early 2016. Our testing indicates it is the JVM used by the browser that will do the certificate validation of the Java Applets rather than the underlying Microsoft OS and/or browser.
o The following Tc9.1.x patches are the first patches to contain updated certificates for Microsoft Office Add-ins. The Java Applets with SHA-256 certificates are in these patches, but also in any other patches after July 2013:
Tc9.1.2.6_a01_7
Tc9.1.2.7_a01_7
Tc9.1.2.8_a01_8
Tc9.1.2.10_a01_6
Tc9.1.3.3_a01_3
Tc9.1.3.4_a01_3
• Older releases
o As these releases are out of standard support, there are no plans to provide patches to anything older than those releases listed above. But as noted above, Microsoft Office and Java will continue to support the older SHA-1 certificates through at least early 2016 and possibly to the end of 2017.
PART 2: HTTPS/SSL communications:
All Teamcenter COTS and customized clients plus Third Party integrations work well with SHA-256 certificates. There is one known issue with customized integrations which use the gSOAP library embedded in the Teamcenter server.
• We plan to upgrade the gSOAP third party library to a version that supports SHA-256 certificates
o These upgrades are targeted for Tc10.1.6 and Tc11.2.2 together with an upgrade of the TcCrypto library
[Update 2017] The upgrade of gSOAP only went into Tc11.2.2.1 and is fully functional in Tc11.2.3. We recommend customers upgrade to Tc11.2.3 or later if using Global Services or have customizations using gSOAP or WSDL or AI Web Services.
o There are no plans for these upgrades for any older versions than mentioned above
For reference: The Java applets which will get new certificates are:
• Teamcenter Security Services (SSO)
o teamcenter_sso_applib.jar
o teamcenter_sso_common.jar
o teamcenter_sso_loginapplets_applet.jar
• FMS Upload/Download
o fscproxy.jar
o UploadApplet.jar
• Document Management AppLauncher
o applauncher.jar
o applauncher.js
o AppLauncherApplet.jar
• OTW Installer
o otw_installer.jar
• Visualization
o MultiViewer.jar
o ViewerAppletLauncher.jar
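
Added example (not vendor code): a coarse Python triage for the JARs listed above that reports which signature-algorithm OIDs appear in each JAR's META-INF signature block and whether an RFC 3161 timestamp attribute is present. It byte-scans the block, so certificates in the chain and in the timestamp token are counted too; the sample JARs and the helper sample_jar are constructed for illustration, and jarsigner -verify -verbose -certs remains the authoritative check.

```python
import io
import zipfile

# DER-encoded OIDs (tag 0x06, length, value) searched for in the signature block.
SIG_OIDS = {
    bytes.fromhex("06092a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("06092a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("06072a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("06082a8648ce3d040302"): "ecdsa-with-SHA256",
    bytes.fromhex("06072a8648ce380403"): "dsa-with-sha1",
}
# id-aa-timeStampToken (1.2.840.113549.1.9.16.2.14), the RFC 3161 attribute.
TIMESTAMP_OID = bytes.fromhex("060b2a864886f70d010910020e")
BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def audit_jar(jar):
    """Return signing facts for one JAR (path or binary file-like object)."""
    algs, stamped, signed = set(), False, False
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not (upper.startswith("META-INF/") and upper.endswith(BLOCK_SUFFIXES)):
                continue
            signed = True
            block = zf.read(name)
            algs.update(label for oid, label in SIG_OIDS.items() if oid in block)
            stamped = stamped or TIMESTAMP_OID in block
    return {"signed": signed, "algorithms": sorted(algs),
            "sha1_present": any("sha1" in a.lower() for a in algs),
            "timestamped": stamped}


def sample_jar(block_bytes):
    """Constructed in-memory JAR; block_bytes is NOT a real PKCS#7 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if block_bytes is not None:
            zf.writestr("META-INF/SIGNER.RSA", block_bytes)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sha1_oid, sha256_oid = list(SIG_OIDS)[:2]
    print("sha1+tsa:", audit_jar(sample_jar(b"\x30\x82" + sha1_oid + TIMESTAMP_OID)))
    print("sha256  :", audit_jar(sample_jar(b"\x30\x82" + sha256_oid)))
    print("unsigned:", audit_jar(sample_jar(None)))
```

To audit a real installation, pass the path of each JAR (for example fscproxy.jar) to audit_jar instead of a constructed sample.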