
Bug Number    Description

bad. SHA-256 can be used as the signing algorithm instead.

57514

If a TKS master key is generated on a SafeNet LunaSA HSM, server-side key generation fails with the following error in the TKS debug log:

"can't generate key encryption key"

A similar message also appears in the debug log if server-side key generation is turned on:

"TokenServlet: key encryption key generation failed for CUID"

where CUID is the card unique ID.

57526

If a server certificate contains the Authority Information Access extension, the certificate cannot be imported on an nCipher netHSM hardware token. The default caServerCert profile has this extension enabled by default. For example, when installing a subsystem such as the Token Key Service (TKS), the SSL server certificate fails to import if the certificate is processed through the default caServerCert profile because the caServerCert profile adds the Authority Information Access extension to the SSL server certificate automatically. If a CA server is already installed on the nCipher netHSM token, then the CA signing certificate is overwritten, as well. To import the server certificate properly, first remove the Authority Information Access extension from the caServerCert profile, then install the subsystem.

57677

If the DRM response to the TPS exceeds the timeout period, the server can return the incorrect response message, 200 HTTP/1.1 OK, signaling that the operation completed successfully instead of timing out.

57640

If a DRM version 6.1 SP4 is migrated to version 7.2, then the archived keys that were
migrated cannot be recovered because the key splitting schemes are different. To be
able to recover these keys, first obtain a migration patch from Red Hat services. This
patch will recover the PIN needed to access the storage token where the DRM private
key resides, then recover the keys and export them to a PKCS #12 file. However, this
package can potentially expose security issues in the version 6.1 SP 4 DRM, so it
should be used only as necessary.

For information on using these migration scripts, see the README available with the
migration package.

57683

If there are multiple enrollment operations using the tpsclient tool when server-side key generation is enabled in the TPS, then the DRM connection can time out before the TPS can generate the keys. The tool will then return the error "Failed to generate key on server. Please check DRM."

To correct this, edit the TPS CS.cfg configuration file and add a line increasing the timeout period for the connection to the DRM:

conn.drm1.timeout=25
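The CS.cfg edit above is a plain key=value change, and on a live TPS it is easy to end up with two conn.drm1.timeout lines or a typo that the server silently ignores. The following shell snippet is an added example, not part of the release notes or of Certificate System itself: it sets or updates a key in a CS.cfg-style file without duplicating it and reads the value back so the change can be verified. The file path and its contents are constructed for the demonstration; on a real system you would point it at the TPS instance's CS.cfg and restart the subsystem afterwards.

```shell
#!/bin/sh
# Added example (not from the release notes): safely set a key=value line in a
# CS.cfg-style configuration file and read it back. Sample file is constructed.

# set_cfg_key FILE KEY VALUE
# Rewrites an existing "KEY=..." line in place, or appends one if the key is
# absent, so the file never ends up with two definitions of the same key.
set_cfg_key() {
    file=$1; key=$2; value=$3
    if awk -F= -v k="$key" '$1==k {found=1} END {exit !found}' "$file"; then
        # Key present: replace that line via a temp file (portable, no sed -i)
        awk -F= -v k="$key" -v v="$value" \
            '$1==k {print k "=" v; next} {print}' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg_key FILE KEY
# Prints the value of KEY (everything after the first '='), or nothing if absent.
get_cfg_key() {
    awk -F= -v k="$2" '$1==k {sub(/^[^=]*=/, ""); print; exit}' "$1"
}

# --- demonstration on a constructed CS.cfg excerpt (path is an assumption) ---
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# constructed TPS CS.cfg excerpt for the example
conn.drm1.hostport=drm.example.com:10443
conn.drm1.timeout=5
EOF

# Apply the workaround from the release notes: raise the DRM connection timeout.
set_cfg_key "$CFG" conn.drm1.timeout 25

# Verify: exactly one timeout line, and it now reads 25.
printf 'conn.drm1.timeout is now: %s\n' "$(get_cfg_key "$CFG" conn.drm1.timeout)"
printf 'definitions of the key: %s\n' "$(grep -c '^conn\.drm1\.timeout=' "$CFG")"
rm -f "$CFG"
```

The awk-based lookup compares the whole key before the first '=' rather than using a regular expression, so a key such as conn.drm1.timeout cannot accidentally match conn.drm1.timeoutX or a commented-out copy of the line.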

Release Notes

12
