Red Hat Certificate System 8.0 Release Notes with Updates for Errata RHSA-2010:0838 Edition 8.0.7 Landmann rlandmann@redhat.
Legal Notice Copyright © 2009 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Table of Contents
1. New Features for Red Hat Certificate System 8.0
1.1. Certificate Renewal
1.2. Improved Subsystem Cloning
1.3. Stronger SELinux Policies
1.4. Improved UTF8 Support
1.5. Enhanced Support for Third-Party ECC Modules
1.6. Simplified Signed Audit Logging
1.7.
Red Hat Certificate System 8.0 Red Hat Certificate System 8.0 9.1.1. Apache Software Foundation 9.1.2. Mozilla Foundation 9.1.3. Red Hat 9.2. Copyrights for Certificate System Clients 9.2.1. Mozilla Foundation 9.2.2. e-gate Smart Card Drivers, Libraries, and Modules 9.2.3.
1. New Features for Red Hat Certificate System 8.0 These release notes contain important information related to Red Hat Certificate System 8.0 that may not be currently available in the Product Manuals. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. You should read these Release Notes in their entirety before deploying Red Hat Certificate System 8.0. 1. New Features for Red Hat Certificate System 8.
Certificate System 8.0, although it does not ship with an ECC module, does support loading and using third-party ECC PKCS#11 modules with the CA. The console can handle ECC-based SSL sessions, and the server generates and supports ECC certificates. 1.6.
2. Important Configuration Changes 2.1. Default Port Separation Starting in Certificate System 8.0, there are three SSL ports, one for each of the user interfaces (agents, administrators, and end entities). The web application folders are also separated, so each web service is independent and secure. The pkicreate script has been updated to permit both separated and non-separated port configurations.
pki_load, can be obtained from Red Hat support to send the certificate requests to httpclient. 3. Supported Platforms This section covers the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 8.0. 3.1. Server Support The Certificate System subsystems are supported on the following platforms: Red Hat Enterprise Linux 5.3 and later for x86 Red Hat Enterprise Linux 5.3 and later for x86_64 3.1.1.
rpm -q compat-libstdc++ --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}.rpm\n' | grep x86_64
Numerous libraries should be displayed. 3.2. Client Support The Enterprise Security Client is supported on the following platforms: Apple Macintosh OS X 10.5.8 and higher (Leopard) (Power PC, Intel) Microsoft Windows Vista 32-bit Microsoft Windows Vista 64-bit Microsoft Windows XP 32-bit Microsoft Windows XP 64-bit Red Hat Enterprise Linux 5.3 x86 Red Hat Enterprise Linux 5.
The Certificate System subsystems have been tested using the following tokens: Gemalto TOP IM FIPS CY2 64K token, both as a smart card and GemPCKey USB form factor key Gemalto Cyberflex e-gate 32K token (Red Hat Enterprise Linux and Mac systems) Safenet 330J Java smart card Smart card testing was conducted using the SCM SCR331 CCID reader.
4. Installing Red Hat Certificate System Subsystems After installing the JDK, run /usr/sbin/alternatives as root to ensure that the proper JDK is available:
/usr/sbin/alternatives --config java
There are 3 programs which provide 'java'.
  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
+  2           /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
*  3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java
4.3.
yum install httpd
4.5. Installing mod_nss Before installing the subsystem packages on Red Hat Enterprise Linux, first install or upgrade mod_nss. mod_nss is required for all Red Hat Certificate System packages, but is not included in the Red Hat Certificate System repositories, so make sure that the appropriate Red Hat Network channels are configured.
yum install mod_nss
4.6.
5. Documentation for Certificate System 8.0 There are important changes and enhancements to the 8.0 documentation: 5.1. Documentation Changes in 8.0 The Administrator's Guide has been reorganized and partially rewritten to have a better structure and flow to the content. The intent of rewriting the Administrator's Guide is to make information easier and more intuitive to find. A new Installation Guide has been added to the doc set.
Certificate System Installation Guide covers the installation process for all Certificate System subsystems. This manual is intended for Certificate System administrators. Certificate System Administrator's Guide explains all administrative functions for the Certificate System. Administrators maintain the subsystems themselves, so this manual details backend configuration for certificate profiles, publishing, and issuing certificates and CRLs.
6. Bugs Fixed in Certificate System 8.0 Table 5. Fixed Bugs Bug Number Description 209213 There was a random error in the Enterprise Security Client: when an enrolled card was inserted and removed, the Reset Password window would not allow users to type in a new password. 211053 The Enterprise Security Client would not restart on Microsoft Windows Vista after the machine was rebooted, so the client would have to be started manually.
482935 process (ns-slapd) to reach 100% CPU. 253323 When using the Certicom PKCS #11 module with the OCSP, the OCSP failed to start because the OCSP signing certificate nickname was missing in the database token configuration. 253657 When attempting to enroll 64K smart cards in the TPS, key generation failed, causing the enrollment process to fail. This is resolved with the newest CoolKey applet.
445436 Searching for certificates through the Revoke Certificates page in the CA's agent services reported a bad search filter. The schema used for search filter generation has been updated to enhance the filtering options. 458499 The Unique Subject Name Constraint rejected requests with duplicate subject names even if the existing certificate was revoked or expired (when the duplicate name should have been allowed).
indexed key version. 491000 Trying to format or re-enroll a formatted security officer token caused the Enterprise Security Client to throw error 28 on the format window because the command to revoke the existing certificates failed. 491185 All of the schema and elements implemented according to RFC 2256 have been updated to RFC 5280.
7. Errata Releases for Certificate System 8.0 Table 6. Errata Releases Advisory Description Release Date RHSA-2010-0837 This erratum introduces bug fixes and enhancements for SCEP operations. November 12, 2010 CVE-2010-3868 — The certificate authority allowed unauthenticated users to request the one-time PIN in an SCEP request to be decrypted.
encryption and hash algorithms. RHBA-2010-0701 This erratum introduces enhancements for certificate and token policy settings. September 17, 2010 Bugzilla #609331. It was possible to change the status of a token marked as permanently lost or destroyed using the TPS administrative user interface.
special security officer mode of esc did not function on Mac. Security officer mode allows designated users to perform in-person token enrollments, as added security. Bugzilla #239891.
cryptographic functions expected of smart cards were not possible. For instance, an encrypted email could not be sent with 2048-bit keys. RHBA-2010:0169 This update supplies a fix to a vulnerability in the TLS/SSL protocols that could allow a specific type of man-in-the-middle attack. This erratum (and related configuration changes) makes all Certificate System subsystems compliant with RFC 5746.
helpful error message has been added to the client. Bugzilla 523568. Smart cards could not be enrolled using LDAP authentication when the passwords were stored using the password storage scheme. RHBA-2009:1665 These packages included an enhancement which allows a subsystem to be configured to prompt for subsystem passwords rather than reading them out of the plaintext password.conf file. New instances can have the password.
Bugzilla 351162 RHBA-2009:1596 This update addresses Bug 505682 - Allow configuration of NSS OCSP cache settings. New parameters are enabled to allow user-defined cache sizes, OCSP check times, and timeout periods for OCSP responses. November 19, 2009 RHBA-2009:1443 This release had enhancements for ECC support, including extending support on Firefox for ECC enrollments and adding support for ECC POP.
8. Known Issues TLS Renegotiation Attack" provides additional details about this flaw. In Certificate System, this kind of session renegotiation occurs if a user connects to an end-entity port that doesn't require client authentication, but then attempts to submit a certificate enrollment form for an enrollment profile that requires client authentication. The Certificate System server requests and then parses a client certificate for the user.
a. At the top of the file, replace the PKI status definitions with the following section, with the correct hostname and ports. Replace all the lines with the exact excerpt because there are important spacing differences in the definitions.
4. Modify the /etc/init.d/instance_name initialization script to read the new status definitions. a. At line 242, replace the following lines. Replace all the lines with the exact excerpt below because there are important differences in whitespace in the quoted strings.
7. Edit the profile selection template to use the URL for the new secure end-entities client authentication services port. For example, assuming the default end-entities client authentication SSL port of 9446:
vim /var/lib/instance_name/webapps/ca/ee/ca/ProfileSelect.template
... original ...
uri = 'profileSubmitSSLClient';
... update ...
uri = 'https://server.example.com:9446/ca/eeca/ca/profileSubmitSSLClient';
8.
8. Known Issues These are known issues in the 8.0 release of Red Hat Certificate System. When available, workarounds are included.
Table 7. Known Issues Bug Number Description Workaround 223299 If a TKS master key is generated on a SafeNet LunaSA HSM, server-side key generation fails with the following error in the TKS debug log: Do not use LunaSA HSMs to generate keys for the TKS subsystem.
though the tokens contain Phone Home URLs. 235150 The TKS sub-system start and stop scripts currently do not check that the package is installed before attempting to execute. 236857 In the RA agent page, the RA attempts to retrieve revocation information for a certificate that the agent does not have the rights to see. This is not an issue at present and can be ignored. 237050 There can be numerous File does not exist errors in the RA error logs.
456701 453051 483359 The default signing algorithm used by the CA cannot be successfully changed in the CA configuration or when setting up the CA. The default is hard-coded to MD5withRSA. When trying to renew a subsystem certificate using the certificate wizard tool in the Java console (pkiconsole), the certificate renewal fails and the console throws a Java exception, such as UNKNOWNEXCEPTION-java.util.
499014 When trying to renew a DRM certificate using the certificate wizard tool in the Java console (pkiconsole), the certificate renewal fails and the DRM crashes. The console relied on the old policy framework to renew certificates, but the policy framework was replaced by a new profile framework in Certificate System 7.2. Therefore, the renewal feature in the console is broken.
chcon -t textrel_shlib_t '/usr/lib/libsbgse2.so'
2. Then change the default file context files on the system so that the updated context is preserved even if the system is fully relabeled.
semanage fcontext -a -t textrel_shlib_t '/usr/lib/libsbgse2.so'
3. Reload the ECC module; this should be successful.
modutil -dbdir /var/lib/pkica/alias/ -nocertdb -add certicom -libfile /usr/certicom/lib/libsbcpgse.
Misc { NetscapeCustomize=1023 ; } Additionally, these two lines must be removed: AppIdMajor=2; AppIdMinor=4; 511327 Trying to set up a TPS using a Safenet Chrysalis-IT LunaSA HSM fails with an error indicating that the password to access the HSM was incorrect or that the CA was unavailable. Safenet Chrysalis-IT LunaSA HSM tokens cannot be used to set up the TPS.
2. Open the CS.cfg file and change the authType value to the client authentication setting.
vim /var/lib/pkica/conf/CS.cfg
authType=sslclientauth
3. Open the server.xml file and change the clientAuth value to true for the admin port, in the admin connector entry.
vim /var/lib/pkica/conf/server.xml
....
a. Open the user's console directory.
/userdirectory/.redhat-idmconsole
b. Create new security databases.
certutil -N -d .
c. Export the administrator user certificate from your browser and save it to a .p12 file, such as /tmp/admin.p12.
d. Copy the administrator user certificate .p12 file to the console directory, and use pk12util to import it into the security databases.
cp -p /tmp/admin.p12 /userdirectory/.redhat-idmconsole
# pk12util -i ./admin.p12 -d /userdirectory/.
certificate from the base-64 blob associated with the admin user cert.
certutil -A -d . -n ca -t CT,C,C -i ./ca.crt
6. The next time you run pkiconsole, it prompts you to supply the security database password and admin certificate to allow client authentication.
pkiconsole https://server.example.com:9445/ca
513450 The CA is missing the configuration to support the Authority Information Access extension for CRLs.
vim /var/lib/pkica/conf/CS.cfg
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=http://hostname:9180/ca/ocsp
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=ocsp
ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
ca.crl.
Administrator's Guide. 523568 On Windows XP and Vista systems, logging into the Enterprise Security Client using LDAP authentication can fail if the password is stored using the SSHA hash and has the exclamation point (!) or dollar sign ($) characters. The exclamation point (!) and dollar sign ($) characters must be properly escaped for a user to bind successfully to the Enterprise Security Client.
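Two of the known-issue workarounds above are manual edits to CS.cfg: the AuthorityInformationAccess block for CRLs under bug 513450, and the authType=sslclientauth setting for console client authentication. The following added example (not code from the release notes or from Certificate System itself) is a small checker an administrator can run over a CS.cfg file after making those edits. It parses the key=value format, verifies that the CRL AIA block is complete and internally consistent (class, critical flag, and a matching accessMethodN / accessLocationTypeN / accessLocationN triple for each index), flags the literal "hostname" placeholder from the documented excerpt if it was left unreplaced, and reports whether authType is set to sslclientauth. The two CS.cfg excerpts embedded below are constructed for the example; acceptance of "caIssuers" as a second access method value is an assumption based on RFC 5280, not something the release notes state.

```python
# Added example: sanity-check the CS.cfg edits described in the known issues.
# Not code from the Red Hat Certificate System release notes or product.
import re
from urllib.parse import urlparse

AIA_PREFIX = "ca.crl.MasterCRL.extension.AuthorityInformationAccess."
# "ocsp" is the value shown in the release notes; "caIssuers" is assumed
# from RFC 5280's second AIA access method.
ALLOWED_METHODS = ("ocsp", "caIssuers")

# Constructed CS.cfg excerpts (not taken from a real deployment).
SAMPLE_GOOD = """\
# constructed excerpt: AIA block complete, console client auth enabled
authType=sslclientauth
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=http://ca.example.com:9180/ca/ocsp
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=ocsp
ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
"""

SAMPLE_BAD = """\
# constructed excerpt: placeholder hostname left in, type line missing, critical wrong
authType=pwd
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=http://hostname:9180/ca/ocsp
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=ocsp
ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=true
"""


def parse_cs_cfg(text):
    """Parse CS.cfg-style key=value lines into a dict; blanks and # comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_crl_aia(cfg):
    """Return a list of human-readable findings for the CRL AIA extension block."""
    findings = []
    required = {
        "class": "com.netscape.cms.crl.CMSAuthInfoAccessExtension",
        "critical": "false",
    }
    for suffix, expected in required.items():
        actual = cfg.get(AIA_PREFIX + suffix)
        if actual != expected:
            findings.append(f"{AIA_PREFIX}{suffix} should be {expected!r}, got {actual!r}")

    # Each accessMethodN must be paired with accessLocationTypeN and accessLocationN.
    method_re = re.compile(re.escape(AIA_PREFIX) + r"accessMethod(\d+)$")
    indices = sorted(m.group(1) for k in cfg if (m := method_re.match(k)))
    if not indices:
        findings.append("no accessMethodN entries: the AIA extension would carry no access descriptions")
    for n in indices:
        method = cfg.get(f"{AIA_PREFIX}accessMethod{n}")
        loc_type = cfg.get(f"{AIA_PREFIX}accessLocationType{n}")
        location = cfg.get(f"{AIA_PREFIX}accessLocation{n}", "")
        if method not in ALLOWED_METHODS:
            findings.append(f"accessMethod{n}={method!r} is not one of {ALLOWED_METHODS}")
        if loc_type != "URI":
            findings.append(f"accessLocationType{n} should be 'URI', got {loc_type!r}")
        parsed = urlparse(location)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"accessLocation{n}={location!r} is not an http(s) URL")
        elif parsed.hostname == "hostname":
            # The documented excerpt uses "hostname" as a placeholder to be replaced.
            findings.append(f"accessLocation{n} still contains the 'hostname' placeholder")
    return findings


def uses_client_auth(cfg):
    """True when the console authType is the client-certificate setting."""
    return cfg.get("authType") == "sslclientauth"


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        cfg = parse_cs_cfg(text)
        print(f"[{label}] client auth: {uses_client_auth(cfg)}")
        for finding in check_crl_aia(cfg) or ["AIA block OK"]:
            print(f"[{label}] {finding}")
```

Run against a real file with `check_crl_aia(parse_cs_cfg(open("/var/lib/pkica/conf/CS.cfg").read()))`; an empty list means the CRL AIA block matches the documented excerpt with the placeholder hostname replaced.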
9. Copyright and Third-Party Acknowledgments http://jakarta.apache.org/tomcat/index.html. 9.1.2. Mozilla Foundation Red Hat Certificate System uses version 4.2 of the Java™ Security Services (JSS) libraries from the Mozilla Project. If any problems are found in these specific libraries, the source code and build instructions for the latest version of these libraries and, potentially, the binary images for newer versions are available at http://www.mozilla.org/projects/security/pki/jss/index.html.
Mozilla Project. If any problems are found in these specific libraries, the source code and build instructions for the latest version of these libraries and, potentially, binary images for newer versions are available at http://www.mozilla.org/projects/nspr/index.html. Red Hat Enterprise Security Client also uses the Network Security Services (NSS) libraries from the Mozilla Project.
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.