Announcement
In December 2016, open eir communicated to industry that the Unified Gateway (UG) needed to undergo a security model upgrade. That security model upgrade is now ready to go-live in production. All the backward-compatibility issues reported by Wholesale customers have now been addressed. We need all UG Web Services Operators to confirm that they are ready for the UG security change by the 13th of April, 2018. Once we have the confirmation from all the parties that they are ready we will announce the actual deployment date on UG.
Note1: By the nature of the change it must happen at the same time for all UG Web GUI and Web Services users. The change cannot be selectively applied. It must be applied to all users simultaneously.
Note2: Please note that the CA certificates that were circulated in December, 2016 are NOT the certificates that will be deployed on UG. The new CA certificates are attached to this communication pack. If you have already installed the certificates that were circulated in December, 2016 to your systems there is no need to remove them. You simply need to add newly circulated certificates to your certificate storage in addition to what you already have (please see further details below).
Note3: As it was advised previously all UG Web Services customers need to have UG CA authority certificates added to their software Trusted Root Certification Authorities storage ahead of the change. If this is not done then the customer software will stop working after UG security upgrade (please also see the section “What technologies does a UG Web Services client need to support the new UG security model?” for more details).
What will change on the night of the deployment?
UG Web GUI (at and UG Web Services (at will change as follows:
- UG servers will now support the latest security protocols: TLS 1.1 and TLS 1.2. UG will continue to support TLS 1.0 security protocol until further notice.
- New UG server certificates will be installed on the Web GUI and Web Services servers with the following characteristics:
- New UG server certificates will be signed by the new eircom CA certificate. The new CA certificates for UG OAO Test environment and Production environment are included with this communication pack and are NOTthe same as those circulated in December 2016.
- The new UG CA certificate will contain a 4096 bytes key and will be signed with the SHA-256 algorithm.
- The new server certificate will contain a 4096 bytes key, will be certified by new UG CA certificate and will be signed with the SHA-256 algorithm.
- Both UG GUI and UG Web Services will continue to support old client certificates that were issued prior to the UG security change, until their expiry date.
- After security change all newly issued client certificates for UG Web GUI and UG Web Services will be certified by the new UG CA certificate, will contain a 2048 bytes key, and will be signed by SHA-256 algorithm.
UG Web Services.
What does the change mean?
The upcoming UG security change is backwards compatible in so faras the technology permits. If your existing code supports both the existing UG security model and new UG security model then the only thing you need to do is to add the newly issued UG certificate to your Trusted Root Certification Authorities storage on your server, ahead of the UG security change. If this is done the UG security change should have no impact on your operation.
What technologies does a UG Web Services client need to support the new UG security model?
In order to ensure seamless transition the Web Services client needs to:
- Support 4096 key size certificates.
- Support latest security protocols, either TLS 1.2 (recommended) or TLS 1.1. If you do not support TLS 1.2 or TLS 1.1, you can continue using current TLS 1.0 for a limited time only.
- Have new UG CA certificated installed into you client Trusted Root Certification Authorities storage.
Note: UG CA certificates are different for each UG environment (OAO Test and Production). You need to have appropriate CA certificate installed according to the UG environment you are connected to. You can also have both CA certificates installed to all of you environments, which would guarantee connectivity to either of them.
If you are unsure if your client code supports new UG security model. How can you check?
As it was communicated in December 2016, the UG OAO Test environment ( has been configured for the new UG security model. If you are unsure about the compatibility of your code then you would need to test your code against the OAO test environment (using new URL, Web Services account credentials, and client certificate).
Note: if you have already tested your code against UG OAO Test environment since December 2016 there is no need to test it again. The only change that has been done to the OAO Test environment since December, 2016 was the change of the UG server and CA certificates that was done on the 12 of March, 2018. These new certificates are also included as part of this communication pack.
If you have different Web Services software for the old and new UG security model. What do you need to do?
In this case customers will need to align the deployment of their new Web Services client software with the change on UG. Please ensure that your new software is properly tested against the UG OAO Test environment ahead of the deployment.
UG Web GUI
How will the change impact UG Web GUI users?
The UG Web GUI security model is backwards compatible with the old UG security model as far as technology allows. All the latest versions of web browsers support the new UG security model and the old UG Web GUI client certificates will continue to work with the new UG security model.
Customers have an option of installing new UG CA certificate to the Trusted Root Certification Authority storage on all the browsers that are used to access UG Web GUI ahead of the UG security change. If this is done then the UG security change will be transparent to/unnoticed by the UG Web GUI User.
If you decide not to install UG CA certificate on the client PC’s ahead of the UG security change then each user will have to do it themselves after the UG security model is changed. The detailed instructions on how to do this using the most popular web browsers are included into the “How To…” document included as part of this communication pack.