Kronos is implementing security changes that affect customers whose Kronos 4500 time clocks and Kronos InTouch terminals use certificates based on the SHA-1 hashing algorithm. On January 1st 2016, the Certificate Authorities will no longer issue trusted public certificates that use the SHA-1 hashing algorithm. The change is mandated by the CA/Browser Forum industry group to improve Internet security, as the SHA-1 hashing algorithm has become more vulnerable over time.
The changes will be implemented starting January first; Kronos 4500 and Kronos InTouch terminals that use SHA-1 certificates will continue to function properly until the certificates expire. Customers using SHA-1 certificates should review their Kronos time clock configurations and plan to replace the certificates before the expiration date. The best practice is to replace the SHA-1 certificates with SHA-2 certificates for the corresponding Kronos devices. Not all Kronos device part numbers can run software or firmware versions that support SHA-2; therefore it is crucial to ensure your Kronos device is compatible.

| Device Type | Part Number | SHA-2 Support | Software/Firmware Required for SHA-2 |
|---|---|---|---|
| Kronos 4500 | 8602000-xxx | No | New Time Clock Needed |
| Kronos 4500 | 8602004-xxx | Yes | 02.03.16 and greater |
| Kronos 4500 | 8602800-0xx through -4xx | Yes | 02.03.16 and greater |
| Kronos 4500 | 8602800-5xx through -9xx | Yes | 03.00.16 and greater |
| Kronos InTouch | ALL | Yes | 01.00.01 and greater |

Solution:
Customers must validate that all terminals support the SHA-2 hashing algorithm by confirming that the firmware version currently installed supports SHA-2 certificates. If a terminal does not meet the firmware requirement and its part number supports the required firmware, load the latest firmware using the chart above as a guideline.
If you use the Workforce Central application in the Kronos Cloud environment, please refer to KB60011 for specific instructions.
If your Workforce Central application is not hosted in the Kronos Cloud environment (on premise or hosted elsewhere), please refer to KB60010 for specific instructions.
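The validation step above can be run across a terminal inventory with a short script. The following is an added example, not Kronos code: it encodes the chart's rows and classifies each terminal, assuming part numbers have the form `NNNNNNN-DXX` with a leading digit in the suffix and that firmware versions are dotted numbers; the inventory rows are constructed sample data.

```python
import re

# Chart rows from the advisory: (device, part base, first suffix digits, minimum firmware).
# A minimum of None means the part cannot run SHA-2 capable firmware.
CHART = [
    ("4500", "8602000", "0123456789", None),
    ("4500", "8602004", "0123456789", "02.03.16"),
    ("4500", "8602800", "01234", "02.03.16"),
    ("4500", "8602800", "56789", "03.00.16"),
]
INTOUCH_MIN = "01.00.01"  # chart: applies to ALL InTouch part numbers


def parse_version(text):
    """Turn '02.03.16' into (2, 3, 16) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def required_firmware(device, part_number):
    """Return (known, minimum); minimum is None when the chart says SHA-2 is unsupported."""
    if device.lower() == "intouch":
        return True, INTOUCH_MIN
    m = re.fullmatch(r"(\d{7})-(\d)\w{2}", part_number.strip())  # assumed part format
    if not m:
        return False, None
    for dev, base, digits, minimum in CHART:
        if dev == device and base == m.group(1) and m.group(2) in digits:
            return True, minimum
    return False, None


def assess(device, part_number, firmware):
    """Classify a terminal: 'ok', 'upgrade firmware', 'replace clock' or 'unknown part'."""
    known, minimum = required_firmware(device, part_number)
    if not known:
        return "unknown part"
    if minimum is None:
        return "replace clock"
    return "ok" if parse_version(firmware) >= parse_version(minimum) else "upgrade firmware"


# Constructed inventory rows (device, part number, installed firmware); not real data.
INVENTORY = [
    ("4500", "8602000-001", "02.03.16"),
    ("4500", "8602800-301", "02.03.09"),
    ("4500", "8602800-701", "02.03.16"),
    ("InTouch", "n/a", "01.00.01"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*row, "->", assess(*row))
```

Note that an 8602800 clock in the -5xx through -9xx range at 02.03.16 is still flagged for upgrade, because the chart requires 03.00.16 for that range.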