Unify published a newsletter regarding access to OpenScape Business systems that use self-signed certificates. The newsletter is reproduced below, but because many people have questions about this topic, we want to clarify it here.
Please read this information carefully and take the necessary precautions to make sure you will still be able to access your customers' OSBiz systems via web-based management after January 1st, 2024!
The original technical newsletter from Unify:
Please note that web browsers and operating systems have introduced stricter security rules in recent months.
In many cases, this will prevent access to systems with outdated insecure certificates from January 1, 2024.
- You are not affected if your system was configured according to the specifications in the security checklist.
- You are not affected if your systems are with SSP and updated to V3R3.
In all other cases you have to update the SSL certificate manually before Jan 1st, 2024.
Some technical background for better understanding:
SSL certificates are essential to ensure private and secure communication between clients and the communication server. SSL certificates must be customer-specific, trustworthy and time-limited in order to meet the security requirements of current client environments (operating systems, web browsers and other communication solutions such as Microsoft Teams).
When you first install OpenScape Business, it generates a temporary self-signed SSL certificate. Such certificates are not considered sufficiently secure by newer client environments and must therefore be replaced by a customer-specific trustworthy certificate, as specified in the security checklist for OpenScape Business.
For many OSBiz systems that were originally installed with older software releases (before V3R2) and were not yet provided with customer-specific certificates, the temporary SSL certificate will expire on January 1st, 2024. Web-based clients in particular, including the Admin Portal, will no longer be usable with newer web browsers and operating systems. It is strongly recommended to exchange such certificates in a timely manner.
The right way to do this is to install a trustworthy SSL certificate, which can be obtained from numerous trustworthy certification authorities (CA = Certification Authority).
Whether an OSBiz is still using an outdated insecure self-signed SSL certificate (with an expiration date of January 1, 2024) can be checked using a web browser to the login page of the admin portal. If this connection is marked as unsafe in the address bar at the top left, you should click on this warning and view the contents of the certificate.
If it is not possible to install a trusted certificate before 01.01.2024, then the self-signed certificate can be renewed as a temporary workaround via Admin Portal. Under Expert Mode - Security - SSL a new self-signed certificate can be generated and activated.
Finally, we would like to remind you again that OSBiz systems which were configured according to the rules of the OpenScape Business Security Checklist are not affected.
What exactly does this mean?
- By default, OpenScape Business uses a self-signed certificate to secure the connection between clients (this can be WBM, but also other web clients) and the system.
- In systems with older software, these self-signed certificates will expire on January 1st, 2024. As a result, you will always get a message that the website is not secure, but after accepting the message you can enter the system.
- New web browsers (or other clients) will refuse access to the system when the certificate is expired. This means that many systems with older software cannot be reached anymore via WBM from January 1st, 2024.
- Unify of course advises using real certificates from a trustworthy certification authority. But for that, the customer needs to buy a valid certificate, and it needs to be renewed every year. For many customers and partners this is not easy.
- To overcome the problem that systems cannot be reached anymore after January 1st, 2024, there are 3 options:
  - Don't use the self-signed certificates but real certificates of a trustworthy CA.
  - Upgrade the system to the latest V3R3. After the upgrade, the self-signed certificate will be valid until January 1st, 2032. Of course, you will still get the message that the website is not secure, because you are using a self-signed certificate.
  - If you cannot upgrade the system to V3R3, you can also create a new self-signed certificate and upload it again to the system. This newly generated certificate will also be valid until January 1st, 2032.
How to check the end date of the self-signed certificate in the system?
If you open the admin portal of the OSBiz via WBM, you will get a message in the address bar of the browser that the site is not secure.
Click on this message and then click on the message “certificate is not valid”. A new window will be opened with the validity date of the certificate.
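When many systems have to be checked, the same validity date can be read without a browser. The following Python code is an added example, not part of the Unify newsletter or of any OpenScape tooling; the function names, the cutoff handling and the constructed, unsigned sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: "expires on January 1st, 2024" means any notAfter before 2024-01-02 UTC.
CUTOFF = datetime(2024, 1, 2, tzinfo=timezone.utc)

def fetch_der(host, port=443, timeout=5):
    """Fetch the server certificate as DER without validating it (inspection only)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # expired or self-signed certificates must still be readable
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_summary(der):
    """Read issuer, subject and notAfter from the tbsCertificate of a DER certificate."""
    _, p, _ = _tlv(der, 0)    # Certificate SEQUENCE
    _, p, end = _tlv(der, p)  # tbsCertificate SEQUENCE
    fields = []
    while p < end:
        tag, s, p = _tlv(der, p)
        fields.append((tag, der[s:p]))
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields.pop(0)
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, s, e = _tlv(validity, _tlv(validity, 0)[2])  # notAfter follows notBefore
    text = validity[s:e].decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 pivots at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    not_after = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {"self_issued": issuer == subject, "not_after": not_after, "needs_renewal": not_after < CUTOFF}

def sample_cert(not_after):
    """Constructed, unsigned certificate skeleton used only as offline sample input."""
    d = lambda tag, body: bytes([tag, len(body)]) + body
    name = d(0x30, d(0x31, d(0x30, bytes.fromhex("0603550403") + d(0x0C, b"osbiz"))))
    validity = d(0x30, d(0x17, b"140101000000Z") + d(0x17, not_after))
    tbs = d(0x30, bytes.fromhex("a003020102020101") + d(0x30, b"") + name + validity + name)
    return d(0x30, tbs + d(0x30, b"") + d(0x03, b"\x00"))
```

For a live system, pass the result of `fetch_der()` for its address to `cert_summary()`. `self_issued` only compares issuer and subject; it does not verify the signature.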
How to extend the date of the self-signed certificate?
Upgrade to V3R3 and the end date of the self-signed certificate will be January 1st, 2032.
If the system cannot be upgraded, then please perform the steps below to generate and upload a new self-signed certificate (you can also see this in the attached video):
- Go to Expert mode – Telephony server – security via WBM.
- Under SSL, go to “certification generation”.
- Enter the following parameters:
  - A name for the new certificate
  - A number for the new certificate (2 or higher)
  - Please check the start and end date of the new certificate. The start date should be the day you generate the certificate. The end date is 10 years later.
  - Organization (e.g. use part of customer’s name)
  - Organization Unit (e.g. use part of customer’s name)
  - Common name (e.g. use part of customer’s name)
- Click on Apply. You will get a message that the certificate was successfully created.
- Under Certificate management – server certificates, you will find the newly generated self-signed certificate. Select this certificate and activate it.
- Take care: Tomcat will restart when you activate the certificate. This means there is no WBM access possible for a short while, and all clients using WSI (myPortal to go, myPortal@work, ...) cannot be used during the restart.
- After the restart, you can check the new end date of the self-signed certificate.