Product Support Notice
PSN # PSN005275u Avaya Proprietary – Use pursuant to the terms of your signed agreement or company policy.
Original publication date: 16-July-2019. Severity/risk level: High. Urgency: Immediately.
Name of problem: Changing the validity of the Certificates issued by the System Manager Certificate Authority (CA)
Products affected
Avaya Aura® System Manager: Release 6.3.x, 7.x, 8.0.x and 8.1.x
Problem description
Overview:
There are new certificate requirements in the Android Q and iOS 13 operating systems that affect Avaya Equinox® for Android and iOS.
Android Q
In the new release of Android Q, which is currently in beta, Google is dropping support for the SHA1 and SHA-2 CBC signature
algorithms. If any servers used by the Avaya Equinox client have identity certificates signed using these signature algorithms, the
client will not be able to connect to those servers.
iOS13 and macOS 10.15
Apple announced new requirements for trusted certificates in iOS 13 and macOS 10.15, both of which are currently in beta:
• TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA
key sizes smaller than 2048 bits are no longer trusted for TLS.
• TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed
certificates are no longer trusted for TLS.
• TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS
names in the Common Name of a certificate are no longer trusted.
See https://support.apple.com/en-us/HT210176 for complete details including requirements for new server certificates.
Additionally, for the new iOS and macOS operating systems, Identity Certificates generated after July 1st, 2019 must not have a
lifespan longer than 825 days. If you are using an Identity Certificate that has a lifespan of more than 825 days and it was issued
before July 1st, 2019, you are not affected by this problem. However, any new Identity Certificate that you generate after July 1st, 2019
must have a validity of no more than 825 days.
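The following script is an added example and is not part of this PSN or of any Avaya tool. It checks a PEM identity certificate against the four requirements listed above (SHA-2 signature, RSA key of at least 2048 bits, DNS name in the Subject Alternative Name, and no more than 825 days of validity for certificates issued on or after July 1st, 2019) using the openssl command line. It assumes openssl 1.1.1 or later and GNU date are available; the two test certificates it creates, and the host name smgr.example.com, are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example, not part of the Avaya PSN: check a PEM identity certificate
# against the four requirements listed above using the openssl CLI.
# Assumptions: openssl 1.1.1 or later and GNU date are on PATH; the test
# certificates and the name smgr.example.com below are constructed here.

# check_cert FILE.pem
# Prints one "FAIL ..." line per requirement the certificate violates.
# Returns 0 when compliant, 1 when at least one requirement is violated,
# 2 when the file cannot be parsed.
check_cert() {
  pem="$1"
  rc=0
  text=$(openssl x509 -in "$pem" -noout -text) || return 2

  # Requirement 1: the signature hash must be from the SHA-2 family (SHA-1 is rejected).
  sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
  case "$sigalg" in
    *[sS][hH][aA]256*|*[sS][hH][aA]384*|*[sS][hH][aA]512*) ;;
    *) echo "FAIL signature algorithm '$sigalg' is not SHA-2"; rc=1 ;;
  esac

  # Requirement 2: RSA keys must be at least 2048 bits.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
    echo "FAIL RSA key size $bits bits is below 2048"; rc=1
  fi

  # Requirement 3: the server's DNS name must be in subjectAltName; CN alone is not trusted.
  if ! printf '%s\n' "$text" | grep -q 'DNS:'; then
    echo "FAIL no DNS name in subjectAltName extension"; rc=1
  fi

  # Requirement 4: certificates issued on or after 1 July 2019 may not be valid longer than 825 days.
  nb=$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
  nb_s=$(date -u -d "$nb" +%s)
  na_s=$(date -u -d "$na" +%s)
  cutoff_s=$(date -u -d "2019-07-01 00:00:00 UTC" +%s)
  days=$(( (na_s - nb_s) / 86400 ))
  if [ "$nb_s" -ge "$cutoff_s" ] && [ "$days" -gt 825 ]; then
    echo "FAIL validity of $days days exceeds 825 days"; rc=1
  fi

  return "$rc"
}

# make_test_cert OUT.pem DAYS [SAN]
# Constructs a self-signed SHA-256 / RSA-2048 certificate for the constructed
# name smgr.example.com, optionally with a subjectAltName extension.
make_test_cert() {
  out="$1"; days="$2"; san="$3"
  set -- -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
         -subj "/CN=smgr.example.com" -keyout "${out%.pem}.key" -out "$out"
  if [ -n "$san" ]; then
    set -- "$@" -addext "subjectAltName=DNS:$san"
  fi
  openssl req "$@" >/dev/null 2>&1
}

# Demonstration: a certificate with the 1186-day validity that System Manager
# 7.1.x / 8.x issues by default, and no SAN, fails; a 730-day certificate with a SAN passes.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/default.pem" 1186
make_test_cert "$demo_dir/fixed.pem" 730 smgr.example.com
for f in default fixed; do
  echo "== $f.pem"
  check_cert "$demo_dir/$f.pem" && echo "compliant"
done
rm -rf "$demo_dir"
```

To check a certificate exported from System Manager or from a SIP entity, call check_cert with the path to the PEM file; a certificate whose notBefore date is before July 1st, 2019 is deliberately not flagged for validity length, matching the ageing-out behaviour described above. The key-size check is skipped for non-RSA keys, since the requirement quoted above applies to RSA keys only.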
How is System Manager affected?
As described above, there are two problems. The first problem is related to having a CA or identity certificate that uses the SHA1
signing algorithm. The second problem is related to the certificate validity length. Both issues are described below, and the
resolutions for the two issues are different. You may be affected by this problem if you are using the System Manager Certificate
Authority (CA) to generate Identity Certificates that are used by your SIP entities (for example Session Manager) and/or endpoints
such as Avaya Equinox® for Android and iOS. If you are using a 3rd party Certificate Authority or your own Certificate Authority on
all your devices, then you need not remediate System Manager; however, you need to confirm that the certificates in use comply with
the new requirements stated above. Please refer to PSN005407u for more details.
If you are affected by the SHA1 CA issue, then you must remediate it first before remediating the validity problem.
SHA1 Certificates: How to confirm if your CA is SHA1
If your System Manager is on Release 6.3.x or if it was upgraded to 7.0.x / 7.1.x / 8.0.x or 8.1.x from an older 6.x release, then the CA
that you have in System Manager will most likely be a SHA1 CA.
Important Note: only compare the highlighted values shown in the screenshots. All screenshots are for illustration purposes only and
were taken from an Avaya internal lab system, so some values will not be the same as what you may have.
1. Login to System Manager with the “admin” user or a user with the System Administrator role
2. Navigate to Home / Services / Security / Certificates
3. Click on Authority
a. If you are on System Manager Release 6.x, as soon as you click on the “Authority” link you will see a page like the one
shown in the screenshot below (Screenshot 1). On this page click on the “View Certificate” link.
Screenshot 1
After clicking on the “View Certificate” link you will see a pop-up as shown below, which shows you the details of the CA
certificate that you have. In the certificate look for the “Public Key” and “Signature Algorithm” values.
If one or both of these values are the same as what is shown in the screenshot below (Screenshot 2), then you need to replace/update
your CA.
Screenshot 2
© 2019 Avaya Inc. All Rights Reserved. Page 2
b. If you are on System Manager release 7.x or later, after clicking on the “Authority” link you need to click on the “CA
Structure & CRLs” link on the left-hand side to get to the page. A sample screenshot is shown below (Screenshot 3).
Once you are on the “CA Structure & CRLs” page, click on the “View Certificate” link, which pops up a page
that shows you the details of the CA certificate. In the certificate look for the “Public Key” and “Signature
Algorithm” values. If one or both of these values are the same as what is shown in the screenshot above (Screenshot 2), then
you need to replace/update your CA.
Screenshot 3
In some cases, if your CA is set up as a subordinate CA, you will see more than one entry on the page. In such cases please check all
the certificates.
If you have a SHA1 CA, and you are impacted by this problem because you have Avaya Equinox® for Android and iOS, and you
need to update / replace the CA, then see the Resolution section on how to update your CA.
Certificate Validity Problem
If you are using the System Manager Certificate Authority (CA) to generate Identity Certificates that are used by your SIP entities
(for example Session Manager) and/or endpoints such as Avaya Equinox® for Android and iOS, then any Identity Certificate issued by
the System Manager CA after July 1st, 2019 with a validity of more than 825 days will not work with applications running on Android
Q or iOS 13. Please note that existing Identity Certificates that were issued before July 1st, 2019 that have a validity of more than 825
days will be allowed to age out. They are not affected.
System Manager Releases 7.1.x, 8.0.x and 8.1.x by default issue certificates with a validity of 1186 days.
System Manager 6.3.x and 7.0.x releases are not affected by this issue, since in these releases of System Manager the System
Manager CA by default issues identity certificates with a validity of 730 days, which is well within the range. If you are on System
Manager 6.3.x or 7.0.x and you have not changed these default settings, there is no need for further action. If you upgrade such a
System Manager VM to release 7.1.x, 8.0.x or 8.1.x at a future point in time, then you need to follow the instructions mentioned below
to remediate the system at that point in time.
If you are using System Manager Releases 7.1.x, 8.0.x or 8.1.x, see the Resolution section below on how to remediate this situation.
If you are using Avaya Equinox® for Android and iOS, you must take action before July 1st 2019 so that any auto/manual renewal of
certificates does not cause any service interruption.
Resolution
Note: Avaya does not recommend using Certificates that are generated using weak signing algorithms such as SHA1 or using
certificates that are valid for a duration more than what is recommended by the latest Security guidelines prevalent in the Industry.
How to update your CA to SHA2 / 2048
Follow the instructions in the Administering System Manager Guide (https://downloads.avaya.com/css/P8/documents/101058238) to
change your CA to the SHA2 signing algorithm / 2048 key size. Look for the section with the title “Overview of System Manager root
certificate authority created using SHA256withRSA signing algorithm and 2048 key size” (page 1174; page number subject to change).
Make sure you read through the complete instructions before starting. Even though this document corresponds to release 8.1, the
section also describes what needs to be done for release 6.3.x.
We recommend running the utility referenced in the Administering System Manager Guide in a phased manner. Running the utility in
a phased manner allows you to obtain the new root CA certificate after the first phase (option 1) and distribute the certificate to all the
TLS-connected elements before selecting option 2. Note that the ability to run the utility in a phased manner is only available starting
with release 7.0.1.3 of System Manager, so make sure you are on the latest service pack of 7.0.x, 7.1.x or 8.x before you start.
If you have any questions, please reach out to Avaya Support.
How to change the validity length of the Identity Certificates issued by the System Manager CA
As mentioned earlier, if you have a SHA1 CA then you need to first change the CA to a SHA2 certificate before changing the validity.
1. Login to the System Manager Web console with a user having administrative privileges. It is recommended that the “admin”
user be used for this activity.
2. Take a System Manager backup. If possible also take a snapshot of the System Manager Virtual Machine.
3. Go to Home / Services / Security / Certificates.
4. Click on Authority.
5. Click on Certificate Profiles.
6. Click on the Edit button associated with the profile "ID_CLIENT".
7. Change the value associated with the field "Validity(*y *mo *d) or end date of the certificate" to 730d.
8. Click on the Save button.
9. Perform the same steps (5 to 7) for the ID_CLIENT_SERVER and ID_SERVER profiles.
Note1 – Do not change any other parameter other than what is mentioned in the instructions above.
Note2 – After making this change, any identity certificate issued or renewed (auto or manual) by the System Manager CA will be valid
for 730 days (2 years).
Note3 – If you upgrade your 6.x or 7.0.x System Manager to release 7.1.x, 8.0.x or 8.1.x at a future point in time, then you need to
follow the instructions mentioned above to remediate the system at that point in time.
To renew a System Manager CA issued certificate, please refer to the section "Renewing identity certificates" in the System Manager admin guide.
7.1.x release - https://downloads.avaya.com/css/P8/documents/101038510 (page#1173)
8.0.x release: https://downloads.avaya.com/css/P8/documents/101050409 (page#1162)
8.1.x release: https://downloads.avaya.com/css/P8/documents/101058238 (page#1162)
Workaround or alternative remediation
N/A
Remarks
Avaya does not recommend using Certificates that are generated using weak signing algorithms such as SHA1 or using certificates
that are valid for a duration more than what is recommended by the latest Security guidelines prevalent in the Industry.
The default validity length for System Manager issued Identity Certificates will change in a future release of System Manager.
Also refer PSN005407u.
Patch Notes
The information in this section concerns the patch, if any, recommended in the Resolution above.
Backup before applying the patch
N/A
Download
N/A
Patch install instructions
N/A
Service-interrupting?
N/A
Verification
N/A
Failure
Contact Avaya Support.
Patch rollback instructions
N/A
Security Notes
The information in this section concerns the security risk, if any, represented by the topic of this PSN.
Security risks
N/A
Avaya Security Vulnerability Classification
Not Susceptible
Mitigation
N/A
If you require further information or assistance, please contact your Authorized Service Provider or visit
support.avaya.com. There you can access more product information, chat with an Agent, or open an online
Service Request. Support is provided per your warranty or service contract terms unless otherwise specified in
the Avaya support Terms of Use.
Disclaimer:
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED “AS IS”.
AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY
REFERRED TO AS “AVAYA”), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE,
AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE
SECURITY OR VIRUS THREATS TO CUSTOMERS’ SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY
DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED
ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA
PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS
WITH AVAYA.
All trademarks identified by ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are
the property of their respective owners.