Home
/
Red Hat
/
CERTIFICATE 7.3 RELEASE NOTES
/
Release Note

Red Hat CERTIFICATE 7.3 RELEASE NOTES, Release Note

Share

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

Page: 15 / 24

Red Hat CERTIFICATE 7.3 RELEASE NOTES Release Note Download Page 15

Manually Adding a New Port to the RA

15

4.2. Manually Adding a New Port to the RA

An SSL port must be added to the RA's

nss.conf

file to allow client authentication. This is is

described in

Bug 229246

8

.

The default RA server has an optional port for performing SSL client authentication. It is expected that
the agent and administration users will select the appropriate certificate to perform SSL authentication
when asked, while users will just cancel out of the certificate selection process, if asked. The problem
with this approach is that if an user cancels out of the certificate selection process, and chooses to
renew a certificate (

Bug 233274

9

), then the certificate selection process is automatically skipped, thus

causing an error during certificate renewal.

This forces an user who wishes to renew a certificate to select the certificate to be renewed the first
time they are asked to authenticate. This is awkward. To avoid this, provide a second port to handle
only end-entity operations.

1. Open the configuration directory:

cd -/var/lib/rhpki-ra/conf

2. Edit the

nss.conf

file:

a. At the top, add another

Listen

line with a different port. For example:

Listen 0.0.0.0:12889

b. Search for an existing

<VirtualHost ...>

</VirtualHost>

container, copy the entire

container and paste it at the end. Change the new container's port number to the new port.
For example:

<VirtualHost _default_:12891>

c.

Go to the original

<VirtualHost ...>

entry, and change the value of

NSSVerifyClient

from

optional

to

require

.

d. Go to the new

<VirtualHost ...>

entry, and change the value of

NSSVerifyClient

from

optional

to

none

.

e. Save and exit.

3. Edit the

CS.cfg

file:

a. Search for

service.securePort

and add the following line below it:

service.secureEePort=12891

b. Save and exit.

4. Open the document root directory:

8

https://bugzilla.redhat.com/show_bug.cgi?id=229246

9

https://bugzilla.redhat.com/show_bug.cgi?id=233274

«
...
13
14
15
16
17
...
»

Summary of Contents for CERTIFICATE 7.3 RELEASE NOTES

Page 1: ...e law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive Raleigh NC 27606 2072 USA Phone ...

Page 2: ...ed Hat Certificate System 1 New Features in Red Hat Certificate System 7 3 1 1 Registration Authority Red Hat Certificate System 7 3 supports a stand alone Registration Authority RA which supports the automatic issue of certificates to devices and servers The RA subsystem is a front end subsystem to the Certificate Authority CA and it performs local authentication requestor information gathering a...

Page 3: ...Certificate Request is pending SCEP specifies two modes of operation RA mode CA mode In RA mode the enrollment request is encrypted with the RA signing certificate In CA mode the request is encrypted with the CA signing certificate The current Certificate System RA adn CA subsystems are implement so that SCEP is only supported in CA mode 1 3 Auto enrollment Proxy Red Hat Certificate System 7 3 sup...

Page 4: ...S 4 for AMD64 and Intel EM64T Sun Solaris 9 for SPARC 64 bit 2 1 1 Server Requirements Component Details CPU Intel 2 0 GHz Pentium 4 or faster RAM 1 GB required Hard disk storage space Total is approximately 5 GB Total transient space required during installation 1 GB Hard disk storage space required for installation Space required to set up configure and run the server approximately 2 GB Addition...

Page 5: ...oft Windows XP Professional i386 Red Hat Enterprise Linux AS 4 i386 Red Hat Enterprise Linux ES 4 i386 Red Hat Enterprise Linux AS 4 for AMD64 and Intel EM64T Red Hat Enterprise Linux ES 4 for AMD64 and Intel EM64T 2 3 Other Required Software Red Hat Directory Server 7 1 The source code and binaries for this component are available at https rhn redhat com through the Red Hat Directory Server 7 1 c...

Page 6: ...e code for Red Hat Directory Server 7 1 is included with the ISO image downloaded for the 32 bit Red Hat Enterprise Linux version Red Hat Certificate System itself is not yet open source Red Hat Enterprise Linux systems can upgrade or download Red Hat Certificate System using up2date 3 2 Installation Notes Packages are non relocatable The Red Hat Certificate System base packages can not be install...

Page 7: ...386 rpm JRE java 1 5 0 ibm devel 1 5 0 11 1 1jpp 3 el4 i386 rpm JDK These packages are recommended for 64 bit Red Hat Enterprise Linux systems java 1 5 0 ibm 1 5 0 11 1 1jpp 3 el4 1 x86_64 rpm JRE java 1 5 0 ibm devel 1 5 0 11 1 1jpp 3 el4 1 x86_64 rpm JDK WARNING Both the 32 bit xSeries Intel compatible and 64 bit AMD Opteron EM64T versions of the IBM J2SE JRE 5 0 RPM packages available through t...

Page 8: ...strictions Errata RHSA 2010 0130 2 Bug 533125 CVE 2009 3555 TLS MITM attacks via session renegotiation Table 2 CVEs Fixed in JRE JDK Errata Updates 3 3 1 2 Installing the Required JRE and JDK on Red Hat Enterprise Linux 4 1 Download the java 1 5 0 ibm 1 5 0 11 1 1jpp 3 el4 and java 1 5 0 ibm devel 1 5 0 11 1 1jpp 3 el4 packages from the latest errata update Errata RHSA 2010 0130 3 2 Install the pa...

Page 9: ...at Advance notification of Security Updates for Java SE 4 page from Sun Microsystems Bug Description Errata RHSA 2007 0963 5 Bug 321951 CVE 2007 5232 Security Vulnerability in Java Runtime Environment With Applet Caching Bug 321961 CVE 2007 5238 Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache Bug 321981 CVE 2007 5239 Untrusted Application or Applet May...

Page 10: ...empts to access some protected resource server initiated renegotiation asks client to authenticate with a certificate However the TLS SSL protocols did not use any mechanism to verify that session peers do not change during the session renegotiation Therefore a man in the middle attacker could use this flaw to open TLS SSL connections to the server send attacker chosen request to the server trigge...

Page 11: ...t for information on what needs to be done for those clients It is unclear on when browser clients will have updates available and applied to use the new session renegotiation protocol If these clients aren t updated but the server is then the connections to the subsystem server may fail NOTE These changes are not required if all clients accessing Certificate Systems are upgraded to support RFC 57...

Page 12: ...e in the uri line with the URL to the agent port The original line is uri profileSubmitSSLClient The updated line will look like the following uri https server example com 9444 ca ee ca profileSubmitSSLClient 7 Create a new end entities web services directory to contain the files for the new URL referenced in the ProfileSelect template file mkdir p var lib instance_name webapps ca ee ca cp var lib...

Page 13: ...nt 100 scheme https secure true clientAuth true sslProtocol SSL 5 Restart the subsystem For example etc init d rhpki kra restart Procedure 3 For the OCSP and TKS 1 Update the NSS packages by installing the system nss packages up2date nss 2 Open the server xml file vim var lib instance_name conf server xml 3 Change the clientAuth directive in the agent connector to true For example Connector name A...

Page 14: ...For example etc init d rhpki tps restart Procedure 5 For the RA 1 Update the NSS packages by installing the system nss packages and install the new RA packages up2date nss pki ra 2 On Linux systems only For an existing subsystem edit the init script to preload the system NSS library rather than dirsec nss vim etc init d instance_name 3 Remove the line LD_PRELOAD usr lib64 dirsec libssl3 so LD_PREL...

Page 15: ... certificate to be renewed the first time they are asked to authenticate This is awkward To avoid this provide a second port to handle only end entity operations 1 Open the configuration directory cd var lib rhpki ra conf 2 Edit the nss conf file a At the top add another Listen line with a different port For example Listen 0 0 0 0 12889 b Search for an existing VirtualHost VirtualHost container co...

Page 16: ...ure the logs manually so tha they can be viewed in the diagnostics window or with a text editor On Mac 1 Go to Applications ESC app Contents MacOS 2 Create an esc sh file as follows bin sh NSPR_LOG_FILE Library Application Support ESC Profiles esc log NSPR_LOG_MODULES tray 2 coolKeyLib 2 coolKey 2 coolKeyNSS 2 coolKeySmart 2 coolKeyHandler 2 BASE_DIR dirname 0 BASE_DIR xulrunner 3 Go to Applicatio...

Page 17: ...ing the AEP proxy on Windows child domains where the local administrator does not have permission to modify the cn configuration tree in Active Directory The simplest workaround is to use the Run as option to authenticate as the primary domain controller administrator and to then try to modify the cn configuration This relates to the Populate AD option in AEP 234884 The Phone Home UI pops up for b...

Page 18: ...sage similar to the following 1706 http 9080 Processor24 20 Apr 2007 05 47 23 PDT 20 3 CEP Enrollment Enrollment failed user used duplicate transaction ID To avoid this situation ensure that the Cisco router generates fresh sets of keys for SCEP enrollments 237353 If the user clicks a link in the agent interface too fast and too many times the server may return Broken pipe core_output_filter writi...

Page 19: ...d as part of the operating system with its corresponding license located in usr share doc httpd version LICENSE the latest version of this server is available at the following URL http httpd apache org Red Hat Certificate System CA DRM OCSP and TKS subsystems use a locally installed Tomcat 5 5 web server Although an appropriate server is installed when any of these subsystems are installed the lat...

Page 20: ...hino JavaScript for Java If any problems are found in this specific distribution the source code and build instructions for the latest version and potentially a binary image are available at the following URL http www mozilla org rhino index html 16 Red Hat Red Hat Certificate System requires a complete Red Hat Directory Server 7 1 binary and the open source portion of Certificate System is availa...

Page 21: ...opyright 2002 by Olaf Kirch See license terms below for rights on both parts Some header files are from the pcsclite distribution Copyright 1999 David Corcoran MUSCLE smart card middleware and applets Copyright 1999 2002 David Corcoran Copyright 2002 Schlumberger Network Solution All rights reserved The following license terms govern the identified modules and libraries e gate Smart Card Drivers f...

Page 22: ...r for Mac OS X Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclai...

Page 23: ...OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 7 Document History Revision 7 3 4 April 10 2010 Ella Deon Lackey dlackey redhat com Revising JRE JDK section ...

Page 24: ...24 ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands