
Red Hat Certificate System 7.3

Release Notes

Copyright © 2009 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not
to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,
the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

All other trademarks are the property of their respective owners.

   1801 Varsity Drive
   Raleigh, NC 27606-2072 USA
   Phone: +1 919 754 3700
   Phone: 888 733 4281
   Fax: +1 919 754 3701
   PO Box 13588
   Research Triangle Park, NC 27709 USA

April 10, 2010 (update)

1. New Features in Red Hat Certificate System 7.3 ......................................................................  2

1.1. Registration Authority ...................................................................................................  2
1.2. SCEP ..........................................................................................................  3
1.3. Auto-enrollment Proxy ..................................................................................................  3

2. Platform Support ..................................................................................................................... 4

2.1. Server Support ............................................................................................................. 4
2.2. Client Support ..............................................................................................................  5
2.3. Other Required Software ..............................................................................................  5
2.4. Optional Server Hardware ............................................................................................  5
2.5. Optional Client Hardware .............................................................................................. 6

3. Installation and Deployment Notes ........................................................................................... 6

Summary of Contents for CERTIFICATE 7.3 RELEASE NOTES


Page 2: ...ed Hat Certificate System. 1. New Features in Red Hat Certificate System 7.3. 1.1. Registration Authority. Red Hat Certificate System 7.3 supports a stand-alone Registration Authority (RA), which supports the automatic issue of certificates to devices and servers. The RA subsystem is a front-end subsystem to the Certificate Authority (CA), and it performs local authentication, requestor information gathering, a...

Page 3: ...Certificate Request is pending. SCEP specifies two modes of operation: RA mode and CA mode. In RA mode, the enrollment request is encrypted with the RA signing certificate. In CA mode, the request is encrypted with the CA signing certificate. The current Certificate System RA and CA subsystems are implemented so that SCEP is only supported in CA mode. 1.3. Auto-enrollment Proxy. Red Hat Certificate System 7.3 sup...

Page 4: ...S 4 for AMD64 and Intel EM64T; Sun Solaris 9 for SPARC (64-bit). 2.1.1. Server Requirements. Component / Details: CPU: Intel 2.0 GHz Pentium 4 or faster. RAM: 1 GB required. Hard disk storage space: total is approximately 5 GB; total transient space required during installation, 1 GB; hard disk storage space required for installation (space required to set up, configure, and run the server), approximately 2 GB; addition...

Page 5: ...oft Windows XP Professional (i386); Red Hat Enterprise Linux AS 4 (i386); Red Hat Enterprise Linux ES 4 (i386); Red Hat Enterprise Linux AS 4 for AMD64 and Intel EM64T; Red Hat Enterprise Linux ES 4 for AMD64 and Intel EM64T. 2.3. Other Required Software. Red Hat Directory Server 7.1: the source code and binaries for this component are available at https://rhn.redhat.com through the Red Hat Directory Server 7.1 c...

Page 6: ...e code for Red Hat Directory Server 7.1 is included with the ISO image downloaded for the 32-bit Red Hat Enterprise Linux version. Red Hat Certificate System itself is not yet open source. Red Hat Enterprise Linux systems can upgrade or download Red Hat Certificate System using up2date. 3.2. Installation Notes. Packages are non-relocatable: the Red Hat Certificate System base packages can not be install...

Page 7: ...386.rpm (JRE); java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.i386.rpm (JDK). These packages are recommended for 64-bit Red Hat Enterprise Linux systems: java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4.1.x86_64.rpm (JRE); java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4.1.x86_64.rpm (JDK). WARNING: Both the 32-bit (xSeries/Intel-compatible) and 64-bit (AMD Opteron/EM64T) versions of the IBM J2SE JRE 5.0 RPM packages available through t...

Page 8: ...strictions. Errata RHSA-2010:0130 [2]: Bug 533125, CVE-2009-3555, TLS: MITM attacks via session renegotiation. Table 2. CVEs Fixed in JRE/JDK Errata Updates. 3.3.1.2. Installing the Required JRE and JDK on Red Hat Enterprise Linux 4. 1. Download the java-1.5.0-ibm-1.5.0.11.1-1jpp.3.el4 and java-1.5.0-ibm-devel-1.5.0.11.1-1jpp.3.el4 packages from the latest errata update, Errata RHSA-2010:0130 [3]. 2. Install the pa...

Page 9: ...at Advance notification of Security Updates for Java SE [4] page from Sun Microsystems. Bug / Description: Errata RHSA-2007:0963 [5]: Bug 321951, CVE-2007-5232, Security Vulnerability in Java Runtime Environment With Applet Caching; Bug 321961, CVE-2007-5238, Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache; Bug 321981, CVE-2007-5239, Untrusted Application or Applet May...

Page 10: ...empts to access some protected resource, server-initiated renegotiation asks the client to authenticate with a certificate. However, the TLS/SSL protocols did not use any mechanism to verify that session peers do not change during the session renegotiation. Therefore, a man-in-the-middle attacker could use this flaw to open TLS/SSL connections to the server, send an attacker-chosen request to the server, trigge...

Page 11: ...t for information on what needs to be done for those clients. It is unclear when browser clients will have updates available and applied to use the new session renegotiation protocol. If these clients aren't updated but the server is, then the connections to the subsystem server may fail. NOTE: These changes are not required if all clients accessing Certificate System are upgraded to support RFC 57...

Page 12: ...e in the uri line with the URL to the agent port. The original line is: uri profileSubmitSSLClient. The updated line will look like the following: uri https://server.example.com:9444/ca/ee/ca/profileSubmitSSLClient. 7. Create a new end-entities web services directory to contain the files for the new URL referenced in the ProfileSelect template file: mkdir -p /var/lib/instance_name/webapps/ca/ee/ca; cp /var/lib...

Page 13: ...nt="100" scheme="https" secure="true" clientAuth="true" sslProtocol="SSL". 5. Restart the subsystem. For example: /etc/init.d/rhpki-kra restart. Procedure 3. For the OCSP and TKS. 1. Update the NSS packages by installing the system nss packages: up2date nss. 2. Open the server.xml file: vim /var/lib/instance_name/conf/server.xml. 3. Change the clientAuth directive in the agent connector to true. For example: Connector name="A...

Page 14: ...For example: /etc/init.d/rhpki-tps restart. Procedure 5. For the RA. 1. Update the NSS packages by installing the system nss packages, and install the new RA packages: up2date nss pki-ra. 2. On Linux systems only: for an existing subsystem, edit the init script to preload the system NSS library rather than dirsec-nss: vim /etc/init.d/instance_name. 3. Remove the line LD_PRELOAD=/usr/lib64/dirsec/libssl3.so; LD_PREL...

Page 15: ...certificate to be renewed the first time they are asked to authenticate. This is awkward. To avoid this, provide a second port to handle only end-entity operations. 1. Open the configuration directory: cd /var/lib/rhpki-ra/conf. 2. Edit the nss.conf file. a. At the top, add another Listen line with a different port. For example: Listen 0.0.0.0:12889. b. Search for an existing VirtualHost (<VirtualHost>) container co...

Page 16: ...ure the logs manually so that they can be viewed in the diagnostics window or with a text editor. On Mac: 1. Go to /Applications/ESC.app/Contents/MacOS. 2. Create an esc.sh file as follows: #!/bin/sh; NSPR_LOG_FILE=Library/Application Support/ESC/Profiles/esc.log; NSPR_LOG_MODULES=tray:2,coolKeyLib:2,coolKey:2,coolKeyNSS:2,coolKeySmart:2,coolKeyHandler:2; BASE_DIR=`dirname $0`; $BASE_DIR/xulrunner. 3. Go to /Applicatio...

Page 17: ...ing the AEP proxy on Windows child domains where the local administrator does not have permission to modify the cn=configuration tree in Active Directory. The simplest workaround is to use the Run as option to authenticate as the primary domain controller administrator and to then try to modify cn=configuration. This relates to the Populate AD option in AEP. 234884: The Phone Home UI pops up for b...

Page 18: ...sage similar to the following: 1706.http-9080-Processor24 - [20/Apr/2007:05:47:23 PDT] [20] [3] CEP Enrollment: Enrollment failed: user used duplicate transaction ID. To avoid this situation, ensure that the Cisco router generates fresh sets of keys for SCEP enrollments. 237353: If the user clicks a link in the agent interface too fast and too many times, the server may return Broken pipe: core_output_filter: writi...

Page 19: ...d as part of the operating system, with its corresponding license located in /usr/share/doc/httpd-version/LICENSE; the latest version of this server is available at the following URL: http://httpd.apache.org. Red Hat Certificate System CA, DRM, OCSP, and TKS subsystems use a locally installed Tomcat 5.5 web server. Although an appropriate server is installed when any of these subsystems are installed, the lat...

Page 20: ...hino (JavaScript for Java). If any problems are found in this specific distribution, the source code and build instructions for the latest version, and potentially a binary image, are available at the following URL: http://www.mozilla.org/rhino/index.html. 16. Red Hat. Red Hat Certificate System requires a complete Red Hat Directory Server 7.1 binary, and the open source portion of Certificate System is availa...

Page 21: ...opyright 2002 by Olaf Kirch. See license terms below for rights on both parts. Some header files are from the pcsclite distribution, Copyright 1999 David Corcoran. MUSCLE smart card middleware and applets: Copyright 1999-2002 David Corcoran; Copyright 2002 Schlumberger Network Solution. All rights reserved. The following license terms govern the identified modules and libraries: e-gate Smart Card Drivers f...

Page 22: ...r for Mac OS X. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclai...

Page 23: ...OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 7. Document History. Revision 7.3-4, April 10, 2010, Ella Deon Lackey (dlackey@redhat.com): Revising JRE/JDK section ...
