Red Hat CERTIFICATE 7.3 RELEASE NOTES Скачать руководство пользователя | Manualshive

Страница: 13 / 24

background image

Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack

13

2. First, in the CA, edit the

CS.cfg

file to contain the connector information with the agent's SSL

port. For example:

vim -/var/lib/rhpki-ca/conf/CS.cfg

ca.connector.KRA.port=10443

3. Then, for the DRM, open the

server.xml

file.

vim -/var/lib/rhpki-kra/conf/server.xml

4. Change the

clientAuth

directive in the agent connector to true. For example:

<Connector name="Agent" port="10443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"

clientAuth="true"

sslProtocol="SSL"

5. Restart the subsystem. For example:

/etc/init.d/rhpki-kra restart

Procedure 3. For the OCSP and TKS

1. Update the NSS packages by installing the system

nss

packages.

up2date nss

2. Open the

server.xml

file.

vim -/var/lib/

instance_name

/conf/server.xml

3. Change the

clientAuth

directive in the agent connector to

true

. For example:

<Connector name="Agent" port="11443" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"

clientAuth="true"

sslProtocol="SSL"

4. Restart the subsystem. For example:

/etc/init.d/rhpki-ocsp restart

Procedure 4. For the TPS

1. Update the NSS packages by installing the system

nss

packages and install the new TPS

packages.

up2date nss pki-tps

«
...
11
12
13
14
15
...
»

Содержание CERTIFICATE 7.3 RELEASE NOTES

Страница 1: ...e law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive Raleigh NC 27606 2072 USA Phone ...

Страница 2: ...ed Hat Certificate System 1 New Features in Red Hat Certificate System 7 3 1 1 Registration Authority Red Hat Certificate System 7 3 supports a stand alone Registration Authority RA which supports the automatic issue of certificates to devices and servers The RA subsystem is a front end subsystem to the Certificate Authority CA and it performs local authentication requestor information gathering a...

Страница 3: ...Certificate Request is pending SCEP specifies two modes of operation RA mode CA mode In RA mode the enrollment request is encrypted with the RA signing certificate In CA mode the request is encrypted with the CA signing certificate The current Certificate System RA adn CA subsystems are implement so that SCEP is only supported in CA mode 1 3 Auto enrollment Proxy Red Hat Certificate System 7 3 sup...

Страница 4: ...S 4 for AMD64 and Intel EM64T Sun Solaris 9 for SPARC 64 bit 2 1 1 Server Requirements Component Details CPU Intel 2 0 GHz Pentium 4 or faster RAM 1 GB required Hard disk storage space Total is approximately 5 GB Total transient space required during installation 1 GB Hard disk storage space required for installation Space required to set up configure and run the server approximately 2 GB Addition...

Страница 5: ...oft Windows XP Professional i386 Red Hat Enterprise Linux AS 4 i386 Red Hat Enterprise Linux ES 4 i386 Red Hat Enterprise Linux AS 4 for AMD64 and Intel EM64T Red Hat Enterprise Linux ES 4 for AMD64 and Intel EM64T 2 3 Other Required Software Red Hat Directory Server 7 1 The source code and binaries for this component are available at https rhn redhat com through the Red Hat Directory Server 7 1 c...

Страница 6: ...e code for Red Hat Directory Server 7 1 is included with the ISO image downloaded for the 32 bit Red Hat Enterprise Linux version Red Hat Certificate System itself is not yet open source Red Hat Enterprise Linux systems can upgrade or download Red Hat Certificate System using up2date 3 2 Installation Notes Packages are non relocatable The Red Hat Certificate System base packages can not be install...

Страница 7: ...386 rpm JRE java 1 5 0 ibm devel 1 5 0 11 1 1jpp 3 el4 i386 rpm JDK These packages are recommended for 64 bit Red Hat Enterprise Linux systems java 1 5 0 ibm 1 5 0 11 1 1jpp 3 el4 1 x86_64 rpm JRE java 1 5 0 ibm devel 1 5 0 11 1 1jpp 3 el4 1 x86_64 rpm JDK WARNING Both the 32 bit xSeries Intel compatible and 64 bit AMD Opteron EM64T versions of the IBM J2SE JRE 5 0 RPM packages available through t...

Страница 8: ...strictions Errata RHSA 2010 0130 2 Bug 533125 CVE 2009 3555 TLS MITM attacks via session renegotiation Table 2 CVEs Fixed in JRE JDK Errata Updates 3 3 1 2 Installing the Required JRE and JDK on Red Hat Enterprise Linux 4 1 Download the java 1 5 0 ibm 1 5 0 11 1 1jpp 3 el4 and java 1 5 0 ibm devel 1 5 0 11 1 1jpp 3 el4 packages from the latest errata update Errata RHSA 2010 0130 3 2 Install the pa...

Страница 9: ...at Advance notification of Security Updates for Java SE 4 page from Sun Microsystems Bug Description Errata RHSA 2007 0963 5 Bug 321951 CVE 2007 5232 Security Vulnerability in Java Runtime Environment With Applet Caching Bug 321961 CVE 2007 5238 Vulnerabilities in Java Web Start allow to determine the location of the Java Web Start cache Bug 321981 CVE 2007 5239 Untrusted Application or Applet May...

Страница 10: ...empts to access some protected resource server initiated renegotiation asks client to authenticate with a certificate However the TLS SSL protocols did not use any mechanism to verify that session peers do not change during the session renegotiation Therefore a man in the middle attacker could use this flaw to open TLS SSL connections to the server send attacker chosen request to the server trigge...

Страница 11: ...t for information on what needs to be done for those clients It is unclear on when browser clients will have updates available and applied to use the new session renegotiation protocol If these clients aren t updated but the server is then the connections to the subsystem server may fail NOTE These changes are not required if all clients accessing Certificate Systems are upgraded to support RFC 57...

Страница 12: ...e in the uri line with the URL to the agent port The original line is uri profileSubmitSSLClient The updated line will look like the following uri https server example com 9444 ca ee ca profileSubmitSSLClient 7 Create a new end entities web services directory to contain the files for the new URL referenced in the ProfileSelect template file mkdir p var lib instance_name webapps ca ee ca cp var lib...

Страница 13: ...nt 100 scheme https secure true clientAuth true sslProtocol SSL 5 Restart the subsystem For example etc init d rhpki kra restart Procedure 3 For the OCSP and TKS 1 Update the NSS packages by installing the system nss packages up2date nss 2 Open the server xml file vim var lib instance_name conf server xml 3 Change the clientAuth directive in the agent connector to true For example Connector name A...

Страница 14: ...For example etc init d rhpki tps restart Procedure 5 For the RA 1 Update the NSS packages by installing the system nss packages and install the new RA packages up2date nss pki ra 2 On Linux systems only For an existing subsystem edit the init script to preload the system NSS library rather than dirsec nss vim etc init d instance_name 3 Remove the line LD_PRELOAD usr lib64 dirsec libssl3 so LD_PREL...

Страница 15: ... certificate to be renewed the first time they are asked to authenticate This is awkward To avoid this provide a second port to handle only end entity operations 1 Open the configuration directory cd var lib rhpki ra conf 2 Edit the nss conf file a At the top add another Listen line with a different port For example Listen 0 0 0 0 12889 b Search for an existing VirtualHost VirtualHost container co...

Страница 16: ...ure the logs manually so tha they can be viewed in the diagnostics window or with a text editor On Mac 1 Go to Applications ESC app Contents MacOS 2 Create an esc sh file as follows bin sh NSPR_LOG_FILE Library Application Support ESC Profiles esc log NSPR_LOG_MODULES tray 2 coolKeyLib 2 coolKey 2 coolKeyNSS 2 coolKeySmart 2 coolKeyHandler 2 BASE_DIR dirname 0 BASE_DIR xulrunner 3 Go to Applicatio...

Страница 17: ...ing the AEP proxy on Windows child domains where the local administrator does not have permission to modify the cn configuration tree in Active Directory The simplest workaround is to use the Run as option to authenticate as the primary domain controller administrator and to then try to modify the cn configuration This relates to the Populate AD option in AEP 234884 The Phone Home UI pops up for b...

Страница 18: ...sage similar to the following 1706 http 9080 Processor24 20 Apr 2007 05 47 23 PDT 20 3 CEP Enrollment Enrollment failed user used duplicate transaction ID To avoid this situation ensure that the Cisco router generates fresh sets of keys for SCEP enrollments 237353 If the user clicks a link in the agent interface too fast and too many times the server may return Broken pipe core_output_filter writi...

Страница 19: ...d as part of the operating system with its corresponding license located in usr share doc httpd version LICENSE the latest version of this server is available at the following URL http httpd apache org Red Hat Certificate System CA DRM OCSP and TKS subsystems use a locally installed Tomcat 5 5 web server Although an appropriate server is installed when any of these subsystems are installed the lat...

Страница 20: ...hino JavaScript for Java If any problems are found in this specific distribution the source code and build instructions for the latest version and potentially a binary image are available at the following URL http www mozilla org rhino index html 16 Red Hat Red Hat Certificate System requires a complete Red Hat Directory Server 7 1 binary and the open source portion of Certificate System is availa...

Страница 21: ...opyright 2002 by Olaf Kirch See license terms below for rights on both parts Some header files are from the pcsclite distribution Copyright 1999 David Corcoran MUSCLE smart card middleware and applets Copyright 1999 2002 David Corcoran Copyright 2002 Schlumberger Network Solution All rights reserved The following license terms govern the identified modules and libraries e gate Smart Card Drivers f...

Страница 22: ...r for Mac OS X Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclai...

Страница 23: ...OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 7 Document History Revision 7 3 4 April 10 2010 Ella Deon Lackey dlackey redhat com Revising JRE JDK section ...

Страница 24: ...24 ...

Отзывы:

Нет отзывов

Похожие инструкции для CERTIFICATE 7.3 RELEASE NOTES

CONTRIBUTE-USING CONTRIBUTE

Бренд: MACROMEDIA Страницы: 214

SmartOffice SmartOffice Mobile

Бренд: Palm Страницы: 29

DRAGON NATURALLYSPEAKING ESSENTIALS

Бренд: Dragon Systems Страницы: 26

Бренд: McAfee Страницы: 2

WISE MOBILE DEVICE PACKAGE EDITOR 7.0 SP2

Бренд: Symantec Страницы: 22

CLUSTER SUITE FOR ENTERPRISE LINUX 4.7

Бренд: Red Hat Страницы: 78

Бренд: Ulead Страницы: 60

DuraStor 6220SS

Бренд: Adaptec Страницы: 133

Бренд: Adaptec Страницы: 174

Бренд: Hasselblad Страницы: 6

RegistryBooster 2010

Бренд: UNIBLUE Страницы: 11

Бренд: MINOLTA-QMS Страницы: 42

Gateway Routing Manager

Бренд: Bay Networks Страницы: 20

Бренд: Bay Networks Страницы: 58

Бренд: Autodesk Страницы: 4

Бренд: Bay Networks Страницы: 88

SAMREPORT-LITE 2006

Бренд: Macrovision Corporation Страницы: 36

ADMINISTRATION KIT 6.0

Бренд: KAPERSKY Страницы: 229

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды