Red Hat Certificate System 7.3 Release Notes

Copyright © 2009 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative
Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation
of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In
accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you
must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not
to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,
the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other
countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709 USA
1. New Features in Red Hat Certificate System 7.3 (page 2)
   1.1. Registration Authority (page 2)
   1.2. SCEP (page 3)
   1.3. Auto-enrollment Proxy (page 3)
2. Platform Support (page 4)
   2.1. Server Support (page 4)
   2.2. Client Support (page 5)
   2.3. Other Required Software (page 5)
   2.4. Optional Server Hardware (page 5)
   2.5. Optional Client Hardware (page 6)
3. Installation and Deployment Notes (page 6)
April 10, 2010 (update)

Summary of Contents for Red Hat Certificate System 7.3 Release Notes

  • Page 1: Table of Contents

    Red Hat Certificate System 7.3 Release Notes. Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/.
  • Page 2: New Features in Red Hat Certificate System 7.3

    3.1. Obtaining Packages (page 6)
    3.2. Installation Notes (page 6)
    3.3. Required JRE and JDK (page 7)
    3.4. TPS Subsystem Considerations (page 9)
    3.5. Directory Server Information (page 10)
    3.6. Source RPMs (page 10)
    4. Known Issues (page 10)
    4.1. ...
  • Page 3: SCEP

    • Email notification on certificate request creation and approval

    1.1.2. RA Roles

    The RA supports the following roles:
    • End Users - people who submit enrollment requests
    • RA Agents - privileged RA users who are responsible for daily operation such as request approval
    • ...
  • Page 4: Platform Support

    • When the CA issues a certificate, it is automatically installed into the requesting application.

    AEP can issue certificates for domain controllers (including backup controllers), web servers, computers, and users. For more information about this feature, see http://directory.fedoraproject.org/wiki/Auto_Enroll_Documentation.
  • Page 5: Client Support

    • Red Hat Enterprise Linux ES 4 for AMD64 and Intel EM64T

    2.3. Other Required Software

    • Red Hat Directory Server 7.1. The source code and binaries for this component are available from Red Hat Network (https://rhn.redhat.com), through the Red Hat Directory Server 7.1 channel.
    • A web browser that supports SSL.
  • Page 6: Optional Client Hardware

    3.1. Obtaining Packages

    Red Hat Network (http://rhn.redhat.com) is the software distribution mechanism for most Red Hat customers. Account login information for Red Hat Network, including entitlements for the Red Hat Certificate System 7.3 release, is required to download this software from Red Hat Network. After logging into Red Hat Network, go to the appropriate Red Hat Certificate System 7.3 channel to ...
  • Page 7: Required JRE and JDK

    ... Tomcat, among other applications for the Certificate System. Likewise, the IBM JDK must be present on Red Hat Enterprise Linux systems. See http://kbase.redhat.com/faq/FAQ_54_4667.shtm for more information. These packages are recommended for 32-bit Red Hat Enterprise Linux systems:
    • ...
  • Page 8

    Errata RHSA-2007-0829:
    • Bug #239660, CVE-2007-2435: javaws vulnerabilities
    • Bug #250725, CVE-2007-2788: Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit
    • Bug #250729, CVE-2007-2789: BMP image parser vulnerability
    • Bug #242595, CVE-2007-3004: Integer overflow in IBM JDK's ICC profile parser
    • Bug #250733, CVE-2007-3005: Unspecified vulnerability in Sun ...
  • Page 9: TPS Subsystem Considerations

    There are 2 programs which provide 'javac'.

      Selection    Command
    -----------------------------------------------
       1           /usr/lib/jvm/java-1.5.0-bea/bin/javac
    *+ 2           /usr/lib/jvm/java-1.5.0-ibm/bin/javac

    3.3.2. Required JRE and JDK for Sun Solaris

    The recommended version is Sun JDK and JRE 5.0 Update 24. This is available from http://java.com/en/download/manual.jsp#sol.
  • Page 10: Directory Server Information

    3.5. Directory Server Information

    All subsystems require access to Red Hat Directory Server 7.1 on either the local machine (if it is also a 32-bit Red Hat Enterprise Linux platform) or a remote machine (acceptable platforms are 32-bit Red Hat Enterprise Linux 4, 32-bit Solaris 9 for SPARC, or 64-bit Solaris 9 for SPARC).
  • Page 11

    Procedure

    1. For the CA

    Update the NSS packages by installing the system nss packages:

        up2date nss

    Before making any edits to the CA configuration, back up the following files: ...

    Related errata:
    https://rhn.redhat.com/errata/RHBA-2010-0170.html
    https://rhn.redhat.com/errata/RHBA-2010-0165.html
  • Page 12

    • /var/lib/instance_name/conf/server.xml
    • /var/lib/instance_name/web-apps.ee/ca/ee/ca/ProfileSelect.template

    Open the server.xml file:

        vim /var/lib/instance_name/conf/server.xml

    In the server.xml file, change the clientAuth directive in the agent connector to true, so that the agent port requires a client certificate:

        <Connector name="Agent" port="9443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="true" sslProtocol="SSL"

    Open the profile selection template.
  • Page 13: Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack

    First, in the CA, edit the CS.cfg file to contain the connector information with the agent's SSL port. For example:

        vim /var/lib/rhpki-ca/conf/CS.cfg

        ca.connector.KRA.port=10443

    Then, for the DRM, open the server.xml file:

        vim /var/lib/rhpki-kra/conf/server.xml

    Change the clientAuth directive in the agent connector to true.
  • Page 14

    On Linux systems only. For an existing subsystem, edit the init script to preload the system NSS library rather than dirsec-nss:

        vim /etc/init.d/instance_name

    Remove the line:

        LD_PRELOAD="/usr/lib64/dirsec/libssl3.so ${LD_PRELOAD}"

    Replace it with the following:

        LD_PRELOAD="/usr/lib64/libssl3.so ${LD_PRELOAD}"

    On 32-bit systems, the path is /usr/lib/. Restart the subsystem.
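    The edits in the procedure above (clientAuth on the agent connector in server.xml, the KRA connector port in CS.cfg, and the LD_PRELOAD line in the init script) as a script that applies them with sed to copies of the files and reads the results back so they can be checked before the subsystem is restarted. This is an added example, not part of the release notes or of Certificate System itself. The file contents, the kra.example.com host, the old port value and the connector layout (one Connector element closed by "/>" on a later line) are constructed to mirror the excerpts; it assumes a POSIX sed and keeps a .bak copy of each file before editing, as the notes ask. Only the named connector is changed, so the EE connector keeps its setting.

```shell
#!/bin/sh
# Added example, not from the Red Hat release notes: apply the procedure's
# edits (agent connector clientAuth, CS.cfg connector port, init-script
# LD_PRELOAD) to constructed copies of the files and read the results back.
# Paths and file layouts are assumptions modelled on the excerpts above.

WORK=$(mktemp -d)

# Constructed server.xml: the Agent connector still has clientAuth="false".
cat > "$WORK/server.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector name="Agent" port="9443" maxHttpHeaderSize="8192"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL" />
    <Connector name="EE" port="9444" maxHttpHeaderSize="8192"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL" />
  </Service>
</Server>
EOF

# Constructed CS.cfg fragment with the KRA connector still on the old port.
cat > "$WORK/CS.cfg" <<'EOF'
ca.connector.KRA.enable=true
ca.connector.KRA.host=kra.example.com
ca.connector.KRA.port=9443
EOF

# Constructed init script still preloading the dirsec copy of NSS.
cat > "$WORK/rhpki-ca" <<'EOF'
#!/bin/sh
LD_PRELOAD="/usr/lib64/dirsec/libssl3.so ${LD_PRELOAD}"
export LD_PRELOAD
EOF

# In-place edit that keeps a backup, since the notes say to back up first.
edit_file() {               # $1 = file, $2 = sed expression
    cp "$1" "$1.bak" && sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the clientAuth value of one named connector (empty if absent).
connector_client_auth() {   # $1 = server.xml, $2 = connector name
    sed -n "/<Connector name=\"$2\"/,/\/>/p" "$1" |
        sed -n 's/.*clientAuth="\([^"]*\)".*/\1/p'
}

# Force clientAuth="true" on one connector only; the others are left alone.
set_client_auth_true() {    # $1 = server.xml, $2 = connector name
    edit_file "$1" "/<Connector name=\"$2\"/,/\/>/ s/clientAuth=\"[^\"]*\"/clientAuth=\"true\"/"
}

# Read or set key=value in a CS.cfg-style file (dots in the key act as
# regex wildcards, which is close enough for these connector keys).
get_cfg_value() {           # $1 = CS.cfg, $2 = key
    sed -n "s/^$2=//p" "$1"
}
set_cfg_value() {           # $1 = CS.cfg, $2 = key, $3 = value
    if grep -q "^$2=" "$1"; then
        edit_file "$1" "s#^$2=.*#$2=$3#"
    else
        echo "$2=$3" >> "$1"
    fi
}

# Print the library the init script preloads.
preload_path() {            # $1 = init script
    sed -n 's/^LD_PRELOAD="\([^ "]*\).*/\1/p' "$1"
}

# Switch the preload from $2/dirsec/libssl3.so to the system $2/libssl3.so
# ($2 is /usr/lib64 on 64-bit systems and /usr/lib on 32-bit systems).
use_system_nss() {          # $1 = init script, $2 = library directory
    edit_file "$1" "s#^LD_PRELOAD=\"$2/dirsec/libssl3.so #LD_PRELOAD=\"$2/libssl3.so #"
}

set_client_auth_true "$WORK/server.xml" Agent
set_cfg_value "$WORK/CS.cfg" ca.connector.KRA.port 10443
use_system_nss "$WORK/rhpki-ca" /usr/lib64

echo "Agent clientAuth: $(connector_client_auth "$WORK/server.xml" Agent)"
echo "EE clientAuth:    $(connector_client_auth "$WORK/server.xml" EE)"
echo "KRA port:         $(get_cfg_value "$WORK/CS.cfg" ca.connector.KRA.port)"
echo "LD_PRELOAD:       $(preload_path "$WORK/rhpki-ca")"
```

    Against a real instance, point the functions at /var/lib/instance_name/conf/server.xml, /var/lib/rhpki-ca/conf/CS.cfg and /etc/init.d/instance_name, run the read-back functions before and after the edit, and only then restart the subsystem; the .bak files let the change be reverted if the agent interface stops accepting the agent certificate.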
  • Page 15: Manually Adding a New Port to the RA

    Go to the new <VirtualHost ...> entry, and change the value of NSSVerifyClient from optional to none. Save and exit.

    Edit the CS.cfg file. Search for service.securePort and add the following line below it:

        service.secureEePort=12891

    Save and exit. Open the document root directory: ...

    https://bugzilla.redhat.com/show_bug.cgi?id=229246
    https://bugzilla.redhat.com/show_bug.cgi?id=233274
    ...
  • Page 16: Viewing Enterprise Security Client Diagnostics Logs

    ... $BASE_DIR/xulrunner &

    Go to /Applications/ESC.app/Contents/MacOS and run ./esc.sh. View the logs in the Enterprise Security Client or in the user's profile directory.

    On Windows: open the C:\Program Files\RedHat\ESC directory and create an esc.bat file, as follows:

        @echo off
        SET NSPR_LOG_MODULES=tray:2,coolKeyLib:2,coolKey:2,coolKeyNSS:2,coolKeySmart:2,coolKeyHandler:2
        set NSPR_LOG_FILE=%USERPROFILE%\Application Data\RedHat\ESC\esc.log
        esc.exe ...
  • Page 17: Other Known Issues

    4.4. Other Known Issues

    These are other known issues in Red Hat Certificate System 7.3, with workarounds when appropriate.

    Bug Number / Description / Workaround

    224612: During installation, there are RA SQLite dependency errors on 64-bit systems. This bug is caused by a configuration issue on the machine that the 64-bit RA was being installed on. ...
  • Page 18

    ... again, the correct serial number will be shown. This will be fixed in the next release.

    237042: The TPS may refuse to enroll a new token if there are multiple token entries for the same user. Workaround: In the TPS agent page, delete ...
  • Page 19: Documentation

    5. Documentation

    The Red Hat Certificate System 7.3 documentation includes the following manuals:
    • Certificate System Administrator's Guide explains all administrative functions for the Certificate System, such as adding users, creating and renewing certificates, managing smart cards, publishing CRLs, and modifying subsystem settings like port numbers.
    • ...
  • Page 20

    Red Hat Certificate System requires a complete Red Hat Directory Server 7.1 binary, and the open source portion of Certificate System is available at the following URL: https://rhn.redhat.com

    Copyrights and third-party acknowledgments for portions of Red Hat Certificate System 7.3 clients ...
  • Page 21: Copyright and Third-Party Acknowledgments

    Red Hat Enterprise Security Client also uses the Netscape Portable Runtime (NSPR) libraries from the Mozilla Project. If any problems are found in these specific libraries, the source code and build instructions for the latest version of these libraries and, potentially, binary images for newer versions are available at the following URL: http://www.mozilla.org/projects/nspr/index.html

    Red Hat Enterprise Security Client also uses the Network Security Services (NSS) libraries from ...
  • Page 22

    Schlumberger shall, upon Customer's written request for termination of this Agreement, refund to Customer all sums paid to Schlumberger for the licensing of the Software hereunder. These are Customer's sole and exclusive remedies for any breach of warranty. WARRANTY DISCLAIMER. ...
  • Page 23: Document History

    ... OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    7. Document History

    Revision 7.3.4, April 10, 2010, Ella Deon Lackey (dlackey@redhat.com): Revising JRE/JDK section to recommend version from the latest errata updates.
    Revision 7.3.3, March 25, 2010, Ella Deon Lackey (dlackey@redhat.com): Adding information on applying Errata 2010:0170 and reconfiguring subsystems.
