manualshive.com logo in svg

Red Hat CERTIFICATE 8.0 RELEASE NOTES, Release Note

The Red Hat CERTIFICATE 8.0 RELEASE NOTES provide essential information about the latest updates and features of our certification program. This comprehensive manual is available for free download from manualshive.com, ensuring you have the most up-to-date resources at your fingertips. Stay informed and maximize your Red Hat certification experience with these detailed release notes.

Share
Download
background image

1

Red Hat Certificate

System 8

Red Hat Certificate System 8.0

with Updates for Errata RHBA 2001:0169

Ella Deon Lackey

Copyright 

©

 2009 Red Hat, Inc.

Copyright 

©

 2009 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative
Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation
of CC-BY-SA is available at 

http://creativecommons.org/licenses/by-sa/3.0/

. In

accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you
must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not
to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,
the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.

Linux

®

 is the registered trademark of Linus Torvalds in the United States and other

countries.

All other trademarks are the property of their respective owners.

   1801 Varsity Drive
   Raleigh, NC 27606-2072 USA
   Phone: +1 919 754 3700
   Phone: 888 733 4281
   Fax: +1 919 754 3701
   PO Box 13588
    Research Triangle Park, NC 27709 USA
  

July 22, 2009, updated on February 11, 2010

1. New Features for Red Hat Certificate System 8.0 .....................................................................  2

1.1. Certificate Renewal ......................................................................................................  3
1.2. Improved Subsystem Cloning ........................................................................................ 3
1.3. Stronger SELinux Policies ............................................................................................  3

Summary of Contents for CERTIFICATE 8.0 RELEASE NOTES

Page 1: ... right to enforce and agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All ot...

Page 2: ...Installing through yum 10 4 7 Installing from an ISO 11 5 Documentation for Certificate System 8 0 11 5 1 Documentation Changes in 8 0 11 5 2 Documentation with 8 0 12 6 Bugs Fixed in Certificate System 8 0 13 7 Errata Releases for Certificate System 8 0 16 8 Known Issues 19 8 1 Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS Related Man in the Middle Attack 19 8...

Page 3: ... Improved UTF8 Support The CA OCSP and DRM subsystems fully accept and interpret certificate requests generated using UTF 8 characters both in the console and in the agent services pages This support is for specific fields End users can submit certificate requests with UTF 8 characters in those fields and end users and agents can search for and retrieve certificates and CRLs in the CA and retrieve...

Page 4: ...TPS but cannot edit any entries Additionally the administrator role interface has been enhanced to allow administrators to create and edit users assign profiles and delete users directly 1 10 Added IPv6 Support The Certificate System 8 0 services can accept requests from all supported browsers from other Certificate System subsystems and from the administrative console over IPv6 The server also su...

Page 5: ...uration is to have separate ports Subsystem Standard End Entity SSL Agent SSL Admin SSL Tomcat CA 9180 9444 9443 9445 9701 RA 12888 12890 12889 12889 OCSP 11180 11443 11445 11701 DRM 10180 10443 10445 10701 TKS 13180 13443 13445 13701 TPS 7888 7890 7889 7889 Table 1 New Port Assignments for Certificate System 8 0 2 2 Changes in the Security Domain In previous releases of Certificate System the sec...

Page 6: ...e supported on the following platforms Red Hat Enterprise Linux 5 3 and later for x86 Red Hat Enterprise Linux 5 3 and later for x86_64 3 1 1 Server Requirements Component CPU RAM Hard disk storage space Table 2 Red Hat Enterprise Linux Server Requirements 3 1 2 Red Hat Enterprise Linux Considerations Before installing the Certificate System packages ensure that the proper dependencies are install...

Page 7: ...Red Hat Enterprise Linux 5 3 x86_64 IMPORTANT The Enterprise Security Client was supported on Apple Mac for Red Hat Certificate System 7 x but is not supported on Mac for 8 0 3 3 Supported Web Browsers The services pages for the subsystems require a web browser that supports SSL It is strongly recommended that users such as agents or administrators use Mozilla Firefox to access the agent services ...

Page 8: ...ed in Table 4 Tested HSM Versions for Red Hat Certificate System 8 0 Other HSMs can be added by loading their libraries in the local machine and configuring the default configuration files after the Certificate System packages are installed but before configuring the instances this is described in the Administrator s Guide HSM Firmware Appliance Software Client Software Safenet Chrysalis ITS LunaS...

Page 9: ...ertificate System 4 3 Verifying Red Hat Directory Server All subsystems require access to Red Hat Directory Server 8 1 on the local machine or a remote machine The Directory Server can be installed on Red Hat Enterprise Linux 5 3 32 bit Red Hat Enterprise Linux 5 3 64 bit or Solaris 9 Sparc 64 bit Check that the Red Hat Directory Server is already installed For example yum info redhat ds Installed...

Page 10: ...rough yum To install the subsystems on Red Hat Enterprise Linux 5 32 bit run a command like the following for each subsystem yum install pki subsystem subsystem can be any of the Certificate System subsystems ca for the Certificate Manager ra for the Registration Authority drm for the Data Recovery Manager ocsp for the Online Certificate Status Protocol Responder tks for the Token Key System tps f...

Page 11: ...ritten to cover PKI concepts and deployment planning A new end entities guide Using End User Services has been created to have a small handy guide for the end user services for the CA and RA which are available through Certificate System All of the new features implemented in Certificate System 8 0 are covered in the documentation New information on port separation has been added in all of the gui...

Page 12: ...ystems This manual is intended for Certificate System administrators Certificate System Administrator s Guide 3 explains all administrative functions for the Certificate System Administrators maintain the subsystems themselves so this manual details backend configuration for certificate profiles publishing and issuing certificates and CRLs It also covers managing subsystem settings like port numbe...

Page 13: ...rosoft Windows Vista after the m have to be started manually 223309 When a CA was cloned certain attributes that are required for the clone were not proper the CA certificates This meant that the cloned CA could not function 223367 224902 When a subsystem configuration failed or if a subsystem were uninstalled and then a ne was created then the configuration would fail at the internal database con...

Page 14: ...s pages the enrollment form al option and claimed to archive the new keys successfully even though the profile was not config keys were archived 439027 Certificates could not be imported into a subsystem instance s certificate database using the adm 441896 442387 443657 480804 A number of different actions in the CA console would make the console freeze and hang includ Deleting certificates from t...

Page 15: ...atch the one in the TPS configuration However chang configuration prevented new tokens with the default master key from being enrolled New configuration parameters have been added to allow the TPS configuration to set bo indexed key version 491000 Trying to format or re enroll a formatted security officer token caused the Enterprise Sec window because the command to revoke the existing certificate...

Page 16: ...of man in the middle attack This errata and related configuration changes make all Certificate System subsystems compliant with RFC 5746 March 25 2010 RHBA 2010 0097 This update addresses a problem Bugzilla 557346 in marking the Name Constraints Extension as critical When the criticality was marked true in the enrollment profile or if the agent marked the criticality as true when approving the req...

Page 17: ...9 1665 These packages included an enhancement which allows a subsystem to be configured to prompt for subsystem passwords rather than reading them out of the plaintext password conf file New instances can have the password conf file removed and prompt for all necessary passwords immediately existing and fully updated instances can be configured to prompt for passwords once the password conf file i...

Page 18: ...a 529945 Bugzilla 351162 November 25 2009 RHBA 2009 1596 This update addresses Bug 505682 Allow configuration of NSS OCSP cache settings New parameters are enabled to allow user defined cache sizes OCSP check times and timeout periods for OCSP responses November 19 2009 RHBA 2009 1443 This release had enhancements for ECC support including extending support on Firefox for ECC enrollments and addin...

Page 19: ... request being performed by the server as if authenticated using victim s credentials or using data from victim s request After the renegotiation attacker can no longer decrypt communication between the client and the victim so this attack is also referred to as a blind prefix injection attack Eric Rescorla s blog post Understanding the TLS Renegotiation Attack provides additional details about th...

Page 20: ... instances will automatically have these changes applied Procedure 1 For Existing CAs 1 Before making any edits to the CA configuration back up the following files var lib instance_name webapps ca WEB INF web xml var lib instance_name web apps ee ca ee ca ProfileSelect template var lib instance_name conf server xml etc init d instance_name 2 Since database changes are also required back up the dat...

Page 21: ..._CBC_SHA tls3Ciphers SSL3_FORTEZZA_DMS_WITH_NULL_SHA SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA SSL3_RSA_WITH_RC4_128_SHA SSL3_RSA_EXPORT_WITH_RC4_40_MD5 SSL3_RSA_WITH_3DES_EDE_CBC_SHA SSL3_RSA_WITH_DES_CBC_SHA SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA SSL_RSA_FIPS_WITH_DES_CBC_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL3_RSA_WITH_NULL_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SH...

Page 22: ...ing servlet name caGetCertFromRequest servlet name url pattern eeca ca getCertFromRequest url pattern servlet mapping 7 Edit the profile selection template to use the URL for the new secure end entities client authentication services port For example assuming the default end entities client authentication SSL port of 9446 vim var lib instance_name webapps ca ee ca ProfileSelect template original u...

Page 23: ...m usr lib mozldap ldapmodify p db_port h db_host D cn Directory Manager w db_password dn cn hostname admin_port cn CAList ou Security Domain dc basedn changetype modify add SecureEEClientAuthPort SecureEEClientAuthPort new_port_number C 8 2 List of Known Issues in Red Hat Certificate System 8 0 These are known issues in the 8 0 release of Red Hat Certificate System When available workarounds are i...

Page 24: ...onfiguration This relates to the Populat AD option in AEP 234884 The Phone Home UI pops up for both enrolled and uninitializ tokens on RHEL4 and MAC OS X even though the tokens contain Phone Home URLs 235150 The TKS sub system start and stop scripts currently do not c that the package is installed before attempting to execute 236795 In the Enterprise Security Client the security officer mode do no...

Page 25: ...ion file in var lib rhpki tps conf C 456701 The default signing algorithm used by the CA cannot successfully changed in the CA configuration or when the CA The default is hard coded to MD5withRSA 453051 483359 When trying to renew a subsystem certificate using th certificate wizard tool in the Java console pkiconso the certificate renewal fails and the console throws a exception such as UNKNOWNEXC...

Page 26: ...tool in the Java console pkiconsole the certificate renewal fails and the DRM crashes The console relied on the old policy framework to renew certificates but the policy framework was replaced by a new profile framework in Certificate System 7 2 Therefore the renewal feature in the console is broken This is related to bug 453501 499052 If the configured OCSP responder in the RA or TPS nss co file ...

Page 27: ...etting for Certificate Sys modutil the tool which is used to load ECC module requests text relocation permissions for Certicom s lib libsbgse2 so library This is not allowed by S enforcing mode 504013 Because of potential security risks SCEP enrollment through the RA for Certificate System 8 0 and the co enrollment forms have been removed 504088 The CRMFPopClient tool is used to submit a CRMF a CA...

Page 28: ...the CA was unavailable 512029 If the same HSM partition is used to multiple Certificate Syste subsystem instances than the instance names cannot be us more than once even if the instances are on different hosts a user tries to configure a new instance with the same name including the default options as an existing instance then configuration will stall at key generation with an error that the cert...

Page 29: ...ing into the Security Client using LDAP authentication can fail if t is stored using the SSHA hash and has the exclamat or dollar sign characters Table 7 Known Issues 9 Copyright and Third Party Acknowledgments Red Hat Certificate System recognizes third party contributions to portions of its servers and clients ...

Page 30: ...ape Portable Runtime NSPR libraries from the Mozilla Project If any problems are found in these specific libraries the source code and build instructions for the latest version of these libraries and potentially the binary images for newer versions are available at http www mozilla org projects nspr index html Additionally Red Hat Certificate System uses version 3 11 of the Network Security Servic...

Page 31: ...ndex html Red Hat Enterprise Security Client also uses the Network Security Services NSS libraries from the Mozilla Project If any problems are found in these specific libraries the source code and build instructions for the latest version of these libraries and potentially binary images for newer versions are available at http www mozilla org projects security pki nss index html 9 2 2 e gate Smar...

Page 32: ...re in this case the cost of the single e gate Smart Card In no event shall Schlumberger or any Supplier be liable for any indirect incidental special consequential or exemplary damages of any character including without limitation damages for lost profits goodwill work stoppage computer failure and all other commercial damages e gate Smart Card Driver for Mac OS X Redistribution and use in source ...

Page 33: ...ntation and or other materials provided with the distribution 3 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE D...

Page 34: ...34 ...

Reviews:

No comments

Related manuals for CERTIFICATE 8.0 RELEASE NOTES

RTS RTS ISDN 2002 Operator'S Manual preview
RTS ISDN 2002
Brand: RTS Pages: 51
COMPRO COMPRODVD2 User Manual preview
COMPRODVD2
Brand: COMPRO Pages: 18
AVG 8.5 EMAIL SERVER EDITION - V 85.4 User Manual preview
8.5 EMAIL SERVER EDITION - V 85.4
Brand: AVG Pages: 52
F-SECURE MOBILE SECURITY FOR WINDOWS MOBILE - User Manual preview
MOBILE SECURITY FOR WINDOWS MOBILE -
Brand: F-SECURE Pages: 35
FARONICS INSIGHT - Manual preview
INSIGHT -
Brand: FARONICS Pages: 43
Philips SA2SONGBRD/00 User Manual preview
SA2SONGBRD/00
Brand: Philips Pages: 18
Paradyne 8922 Installation And User Manual preview
8922
Brand: Paradyne Pages: 24
MMSOFT Design Pulseway User Manual preview
Pulseway
Brand: MMSOFT Design Pages: 85
Casio ADD-IN INSTALLER User Manual preview
ADD-IN INSTALLER
Brand: Casio Pages: 18
DeLorme Earthmate GPS BT-20 Quick Start Manual preview
Earthmate GPS BT-20
Brand: DeLorme Pages: 9
Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE Agents Manual preview
CERTIFICATE SYSTEM 8 - AGENTS GUIDE
Brand: Red Hat Pages: 146
ZyXEL Communications VANTAGE CNM 2.0 - User Manual preview
VANTAGE CNM 2.0 -
Brand: ZyXEL Communications Pages: 346
AVG ANTI-VIRUS 2011 - REV 2011.11 User Manual preview
ANTI-VIRUS 2011 - REV 2011.11
Brand: AVG Pages: 209
Oce XMPie User Manual preview
XMPie
Brand: Oce Pages: 22
Xerox 6100BD - Phaser Color Laser Printer User Manual preview
6100BD - Phaser Color Laser Printer
Brand: Xerox Pages: 56
KAPERSKY ANTI-VIRUS 5.5 - FOR CHECK POINT FIREWALL-1 Administrator'S Manual preview
ANTI-VIRUS 5.5 - FOR CHECK POINT FIREWALL-1
Brand: KAPERSKY Pages: 141
Panasonic Lumix VQT0R46 ( ) Operating Instructions Manual preview
Lumix VQT0R46 ( )
Brand: Panasonic Pages: 32
JVC S100U Instructions Manual preview
S100U
Brand: JVC Pages: 32

Brands by name

Popular brands

Load more brands