Red Hat Certificate System 8.0 - Release Notes

Red Hat Certificate System 8.0
Copyright © 2009 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative
Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation
of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In
accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you
must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not
to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,
the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other
countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709 USA
Red Hat Certificate System 8
with Updates for Errata RHBA 2001:0169
Ella Deon Lackey
July 22, 2009, updated on February 11, 2010

1. New Features for Red Hat Certificate System 8.0 ..... 2
1.1. Certificate Renewal ..... 3
1.2. Improved Subsystem Cloning ..... 3
1.3. Stronger SELinux Policies ..... 3

Summary of Contents for Red Hat CERTIFICATE SYSTEM 8.0 - RELEASE NOTES

  • Page 1 Red Hat Certificate System 8 Red Hat Certificate System 8.0 with Updates for Errata RHBA 2001:0169 Ella Deon Lackey Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 2: Table Of Contents

    1.4. Improved UTF8 Support ..... 3
    1.5. Enhanced Support for Third-Party ECC Modules ..... 3
    1.6. Simplified Signed Audit Logging ..... 4
    1.7. New Windows Smart Card Login Profile for Tokens ..... 4
    1.8. Enhanced Security Officer Mode and Enterprise Security Client Configuration ..... 4
    1.9.
  • Page 3: Improved Utf8 Support

    1.1. Certificate Renewal. Certificate renewal for all Certificate System-issued certificates has been reintroduced using the new profile framework. There are a number of new profiles to use for renewal, including encryption and signing certificates for both standard use and on tokens, and server certificate renewal. New inputs have been added to manage certificate renewal, so corresponding renewal profiles can be created for custom enrollment profiles.
  • Page 4: Simplified Signed Audit Logging

    1.6. Simplified Signed Audit Logging. Audit log signing certificates are now created with all of the other default subsystem certificates as soon as a CA, DRM, OCSP, TKS, or TPS subsystem is configured. The log is also already configured and can be very easily enabled.
  • Page 5: Important Configuration Changes

    2. Important Configuration Changes. There have been some significant changes to the structure and configuration of the Certificate System 8.0 installation, which are not directly related to new features in Certificate System 8.0. 2.1. Default Port Separation. Starting in Certificate System 8.0, there are three SSL ports, one for each of the user interfaces (agents, administrators, and end entities).
  • Page 6: Removing Mac Support For Enterprise Security Client

    2.5. Removing Mac Support for Enterprise Security Client. The Enterprise Security Client was previously supported on Apple Mac, but the smart card client is not currently supported on Mac for Certificate System 8.0. 3. Supported Platforms. This section covers the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 8.0.
  • Page 7: Client Support

    • e2fsprogs (package) • firefox (package) On 64-bit Red Hat Enterprise Linux platforms, ensure that the 64-bit (x86_64) compat-libstdc++ libraries are installed, and not only the 32-bit (i386) libraries. To confirm this, run the following command as root:
    rpm -qi compat-libstdc++ --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}.rpm\n' | grep x86_64
    Numerous libraries should be displayed.
  • Page 8: Supported Smart Cards

    Table 3. Supported Web Browsers by Platform (last row): Platform: Mac OS 10.x; Agent Services: agent services are not supported for Mac; End User Pages: Firefox 2.x. 3.4. Supported Smart Cards. The Enterprise Security Client supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.
  • Page 9: Install The Required Jdk

    The Directory Server can be installed on Red Hat Enterprise Linux 5.3 32-bit, Red Hat Enterprise Linux 5.3 64-bit, or Solaris 9 Sparc 64-bit. Check that the Red Hat Directory Server is already installed. For example: yum info redhat-ds Installed Packages Name...
  • Page 10: Installing Mod_Nss

    yum info httpd
    Installed Packages
    Name: httpd
    Arch: x86_64
    Version: 2.2.3
    Release: 1.4.el5
    Size: 2.9 M
    Repo: installed
    Install Apache if it is not already available. For example: yum install httpd 4.5.
  • Page 11: Installing From An Iso

    http://server.example.com:9180/ca/admin/console/config/login?pin=Yc6EuvuY2OeezKeX7REk 4.7. Installing from an ISO. Red Hat Certificate System 8.0 can also be downloaded from Red Hat Network as an ISO image. This ISO image contains an RPMS/ directory which can be used as a local yum repository. Place that RPMS/ directory on a web server and then configure yum to use that location as a repository (Section 4.6, “Installing through yum”).
  • Page 12: Documentation With 8.0

    • Some information on audit log signing has been added to the logs section of the Administrator's Guide. • The procedure for loading third-party ECC modules to provide ECC support has been added to the Installation Guide.
  • Page 13: Bugs Fixed In Certificate System 8.0

    Certificate System to Red Hat Certificate System 8.0. This manual is intended for Certificate System administrators. All of the latest information about Red Hat Certificate System and both current and archived documentation is available at https://www.redhat.com/docs/manuals/cert-system. 6. Bugs Fixed in Certificate System 8.0. Along with the many new features and enhancements in Red Hat Certificate System 8.0, this release...
  • Page 14

    Bug Number: Description
    250188: During subsystem configuration, the Authority Key Identifier extension was not be genera
    251226: Opening the CA console threw a null pointer exception referencing the CMSAdmin class b
    251569: The search time limit for end-entities pages set in the web.xml file was being inconsisten
    482935: process (ns-slapd) to reach 100% CPU.
  • Page 15

    Bugs Fixed in Certificate System 8.0
    Bug Number: Description
    478909: In some situations, the internal LDAP database for a CA could run out of connecti operations to get and set serial numbers.
    480143: SELinux errors at the time an instance was created could potentially prevent the c TKS, or RA.
  • Page 16: Errata Releases For Certificate System 8.0

    Enterprise Security Client which allows administrators to set up a shared security database with common certificates that can be used when there are multiple Enterprise Security Client users on a single machine. This release also included fixes for these bugs: https://rhn.redhat.com/errata/rhel-certificate-system-8-errata.html...
  • Page 17

    Errata Releases for Certificate System 8.0 (Advisory, Description, Release Date)
    • Bugzilla 530633. The Enterprise Security Client on Windows didn't recognize when a Gemalto token was inserted.
    • Bugzilla 530482. With a poor network connection, a blank screen would sometimes pop-up instead of the token enrollment window.
  • Page 18

    was not included in the TPS responses.
    • Bugzilla 533510. If signed audit logging was enabled for the TPS, then it was not possible to start the TPS instance.
    RHBA-2009:1602 (November 25, 2009). This release added functionality to select signature digest algorithms (like SHA256 and...
  • Page 19: Known Issues

    • Web browsers, which are used by users to connect to the CA's end-entities pages Updating the system NSS packages on any system that hosts a Certificate System subsystem will take care of all subsystem communication. When the NSS packages are updated, the CA-RA and CA- https://rhn.redhat.com/errata/RHBA-2010-0169.html https://rhn.redhat.com/errata/RHBA-2010-0165.html...
  • Page 20

    Secure EE Port = https://server.example.com:9444/ca/ee/ca
    Secure Admin Port = https://server.example.com:9445/ca/services
    EE Client Auth Port = https://server.example.com:9446/ca/eeca/ca
    PKI Console Port = pkiconsole https://server.example.com:9445/ca
    Tomcat Port = 9802 (for shutdown)
    -->
    <!-- DO NOT REMOVE -- End PKI Status Definitions -->
    https://rhn.redhat.com/errata/RHBA-2010-0165.html...
  • Page 21

    Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack. 2. Add a section for the new port. Make sure that the clientAuth value is set to true. (The port number and serverCertNickFile and passwordFile directives should all match your instance information.)
    <!-- Port Separation: EE Secure Client Auth Port Connector -->...
  • Page 22

    [ "$head" == "$secure_ee_client_auth_port_statement" ] ||
    [ "$head" == "$secure_admin_port_statement" ] ||
    [ "$head" == "$pki_console_port_statement" ] ||
    [ "$head" == "$tomcat_port_statement" ] ; then
        echo " $line"
        total_ports=`expr ${total_ports} + 1`
    done
    if [ ${total_ports} -eq 7 ] ; then
        return 0
    Open the web.xml file.
  • Page 23: List Of Known Issues In Red Hat Certificate System 8.0

    attributeTypes: ( SecureEEClientAuthPort-oid NAME 'SecureEEClientAuthPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
    dn: cn=schema
    changetype: modify
    delete: objectClasses
    objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
  • Page 24

    Bug Number: Description
    Certificate System group has not already been added member.
    223391: If there are multiple enrollment operations using the tp when server-side key generation is enabled in the TPS DRM connection can time out before the TPS can gen keys.
  • Page 25

    List of Known Issues in Red Hat Certificate System 8.0
    Bug Number: Description
    currently only provided in the CA. It will be add next release.
    237305: The CA subsystem in Certificate System does requests that have been previously submitted. an error message similar to the following: 1706.http-9080-Processor24 -- [20/Apr/2007: [20] [3] CEP Enrollment: Enrollment failed: duplicate transaction ID.
  • Page 26

    Bug Number: Description
    running Red Hat Certificate System upgrade their loca Server to Red Hat Directory Server 8.0 on the same m
    491438: If the TPS server is unavailable, then the Enterprise Se Client opens a blank screen in security officer mode ra returning an error message that the server is unreacha
    498299: The tokendb.allowedTransitions parameter in t...
  • Page 27

    List of Known Issues in Red Hat Certificate System 8.0
    Bug Number: Description
    unindexed searches returned for Certificate Sy operations are improperly labeled index search really indexed VLV searches (related to Red H bug 507460). The remainder of the unindexed very low etimes for the searches and should no affect Certificate System performance.
  • Page 28

    Bug Number: Description
    java.io.FileNotFoundException when submitting the CR request to a CA.
    509804: Installing or migrating instances on a Safenet Chrysali LunaSA HSM could fail. SSL connections from the sub begin failing after a short period of time and the conne not be re-established.
  • Page 29: Copyright And Third-Party Acknowledgments

    Bug Number: Description
    523568: On Windows XP and Vista systems, logging in Security Client using LDAP authentication can is stored using the SSHA hash and has the exc or dollar sign ($) characters.
    Table 7. Known Issues
    9. Copyright and Third-Party Acknowledgments
  • Page 30: Copyrights For Portions Of The Server

    9.1. Copyrights for Portions of the Server. 9.1.1. Apache Software Foundation. Red Hat Certificate System TPS subsystems require a locally-installed Apache 2.0.x HTTP server. Although a local copy of this server is generally installed as part of the operating system (with its corresponding license located in /usr/share/doc/httpd-version/LICENSE), the latest version of this server is available at http://httpd.apache.org.
  • Page 31: Copyrights For Certificate System Clients

    https://rhn.redhat.com 9.2. Copyrights for Certificate System Clients. These are the copyrights and third-party acknowledgments for portions of Red Hat Certificate System 8.0 clients. 9.2.1. Mozilla Foundation. USE AND AVAILABILITY OF OPEN SOURCE CODE. Portions of the Product were created using source code governed by the Mozilla Public License (MPL).
  • Page 32

    Software errors will be corrected. Schlumberger's sole obligation and liability under this limited warranty shall be, at Schlumberger's option, to remedy any substantial non-performance of the Software to the functional descriptions set forth in its applicable documentation. If Schlumberger is unable to satisfy the foregoing limited warranty obligations during the Warranty Term, then Schlumberger shall, upon Customer's written request for termination of this Agreement, refund to Customer all sums paid to Schlumberger for the licensing of the Software hereunder.
  • Page 33 Copyrights for Certificate System Clients 9.2.3. MUSCLE Drivers, Libraries, and Modules • MUSCLE smart card middleware and applets Copyright 1999-2002 David Corcoran. Copyright 2002 Schlumberger Network Solution. All rights reserved. • MUSCLE smart card middleware and applets: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
