The text of and illustrations in this document are licensed by Red Hat under a Creative
Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation
of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In
accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you
must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not
to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora,
the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United
States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other
countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park, NC 27709 USA
July 22, 2009, updated on February 11, 2010
1. New Features for Red Hat Certificate System 8.0 ..................................................................... 2
4.6. Installing through yum ................................................................................................ 10
4.7. Installing from an ISO ................................................................................................. 11
5. Documentation for Certificate System 8.0 ............................................................................... 11
5.1. Documentation Changes in 8.0 ................................................................................... 11
5.2. Documentation with 8.0 .............................................................................................. 12
6. Bugs Fixed in Certificate System 8.0 ...................................................................................... 13
7. Errata Releases for Certificate System 8.0 ............................................................................. 16
8. Known Issues ....................................................................................................................... 19
8.1. Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack ........ 19
8.2. List of Known Issues in Red Hat Certificate System 8.0 ................................................ 23
9. Copyright and Third-Party Acknowledgments ......................................................................... 29
9.1. Copyrights for Portions of the Server ........................................................................... 30
9.2. Copyrights for Certificate System Clients ..................................................................... 31
These release notes contain important information related to Red Hat Certificate System 8.0 that may
not be currently available in the Product Manuals. New features, system requirements, installation
notes, known problems, resources, and other current issues are addressed here. You should read
these Release Notes in their entirety before deploying Red Hat Certificate System 8.0.
1. New Features for Red Hat Certificate System 8.0
Red Hat Certificate System 8.0 is a major release of Certificate System, and many new, contemporary
features have been added and existing features have been made more robust and flexible.
1.1. Certificate Renewal
Certificate renewal for all Certificate System-issued certificates has been reintroduced using the new
profile framework. There are a number of new profiles to use for renewal, including encryption and
signing certificates for both standard use and on tokens, and server certificate renewal. New inputs
have been added to manage certificate renewal, so corresponding renewal profiles can be created for
custom enrollment profiles.
1.2. Improved Subsystem Cloning
Cloning has been enhanced with distributed numeric assignments logic so that cloned CAs can
efficiently divide and use serial numbers for certificates without becoming blocked because of
inadequate serial number ranges.
1.3. Stronger SELinux Policies
SELinux policies are now required for every subsystem and run in enforcing mode by default,
providing much more protection for Certificate System processes.
1.4. Improved UTF8 Support
The CA, OCSP, and DRM subsystems fully accept and interpret certificate requests generated using
UTF-8 characters, both in the console and in the agent services pages. This support is for specific
fields.
End users can submit certificate requests with UTF-8 characters in those fields and end users and
agents can search for and retrieve certificates and CRLs in the CA and retrieve keys in the DRM when
using those field values as the search parameters.
Four fields fully support UTF-8 characters:
• Common name (used in the subject name of the certificate)
• Organizational unit (used in the subject name of the certificate)
• Requester name
• Additional notes (comments appended by the agent to the certificate)
NOTE
This support does not include supporting internationalized domain names, like in email
addresses.
1.5. Enhanced Support for Third-Party ECC Modules
Certificate System 8.0, although it does not ship with an ECC module, does support loading and using
third-party ECC PKCS#11 modules with the CA. The console can handle ECC-based SSL sessions,
and the server generates and supports ECC certificates.
1.6. Simplified Signed Audit Logging
Audit log signing certificates are now created with all of the other default subsystem certificates as
soon as a CA, DRM, OCSP, TKS, or TPS subsystem is configured. The log is also already configured
and can be very easily enabled. Signed audit logs can be verified by auditors using the included
AuditVerify script.
1.7. New Windows Smart Card Login Profile for Tokens
A new example profile is included with the regular CA profiles list, which enables the CA and TPS to
issue certificates and enroll tokens that can be used to log into Windows systems.
1.8. Enhanced Security Officer Mode and Enterprise Security Client
Configuration
Setting up and using a security officer workstation has been improved, and additional parameters have
been added to the esc-pref.js configuration file to make configuring the Enterprise Security Client
security officer settings easier and more flexible.
1.9. Expanded TPS Roles
A new role, the operator role, has been added to the TPS subsystem. This role can view and search
all tokens, certificates, and activities within the Token Processing System (TPS) but cannot edit any
entries.
Additionally, the administrator role interface has been enhanced to allow administrators to create and
edit users, assign profiles, and delete users directly.
1.10. Added IPv6 Support
The Certificate System 8.0 services can accept requests from all supported browsers, from other
Certificate System subsystems, and from the administrative console over IPv6. The server also
supports using IPv6 addresses in the Subject Alt Names of certificates, with certificate extensions, and
with Certificate System scripts and tools.
1.11. Using HTTP1.1 for Publishing CRLs
HTTP 1.1 has been added as a supported protocol to use to publish CRLs, in addition to publishing
to file and to LDAP. This makes publishing CRLs safer and more efficient, since "chunks" of CRLs
can be published rather than the entire CRL. If CRL publishing is ever interrupted, the process can resume
smoothly.
1.12. Enhanced Installation Scripts
Certificate System creates and configures additional instances using the pkicreate script. An
additional script, pkisilent, can be used to create and configure multiple subsystem instances
quickly and without unnecessary user interaction. Both of these scripts have been enhanced and
strengthened for changes to port separation, security domain configuration, and other updates to the
structure of Certificate System subsystems.
2. Important Configuration Changes
There have been some significant changes to the structure and configuration of the Certificate System
8.0 installation, which are not directly related to new features in Certificate System 8.0.
2.1. Default Port Separation
Starting in Certificate System 8.0, there are three SSL ports, one for each of the user interfaces
(agents, administrators, and end entities). The web application folders are also separated, so each
web service is independent and secure. The pkicreate script has been updated to permit both
separated and non-separated port configurations.
The original RA and TPS standard and SSL ports remain the same, but new SSL ports have been
added for end entities.
NOTE
Port separation was originally introduced in an update to Certificate System 7.3, but the
default for this errata was still to use a single SSL port at installation. In Certificate System
8.0, the default configuration is to have separate ports.
Subsystem   Standard   End-Entity SSL   Agent SSL   Admin SSL   Tomcat
CA          9180       9444             9443        9445        9701
RA          12888      12890            12889       12889
OCSP        11180                       11443       11445       11701
DRM         10180                       10443       10445       10701
TKS         13180                       13443       13445       13701
TPS         7888       7890             7889        7889
Table 1. New Port Assignments for Certificate System 8.0
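To make the port-separation change concrete, here is an added example (not part of the release notes and not Red Hat's tooling) that models the assignments from Table 1, reports which subsystems have every SSL interface on its own port, flags port clashes when several instances share a host, maps an observed listening port back to the interface behind it, and derives iptables rules from the assignments. The exposure policy it encodes (standard and end-entity ports reachable by end users, agent and admin SSL ports limited to an administrative network, Tomcat server port not reachable off-host) and the admin network 192.0.2.0/24 are assumptions of the example, not statements from the notes.

```python
"""Port-separation check for the Certificate System 8.0 ports in Table 1.

Added example, not part of the release notes or of Red Hat's tooling.
Port numbers are the Table 1 values. The exposure policy is an
assumption of this example: standard and end-entity ports face end
users, agent and admin SSL ports are limited to an admin network, and
the Tomcat server port is never reachable off-host. 192.0.2.0/24 is a
placeholder admin network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ports:
    standard: int
    ee_ssl: Optional[int]    # None: no end-entity interface (OCSP, DRM, TKS)
    agent_ssl: int
    admin_ssl: int
    tomcat: Optional[int]    # None: Apache-based subsystem (RA, TPS)


TABLE_1: Dict[str, Ports] = {
    "CA":   Ports(9180, 9444, 9443, 9445, 9701),
    "RA":   Ports(12888, 12890, 12889, 12889, None),
    "OCSP": Ports(11180, None, 11443, 11445, 11701),
    "DRM":  Ports(10180, None, 10443, 10445, 10701),
    "TKS":  Ports(13180, None, 13443, 13445, 13701),
    "TPS":  Ports(7888, 7890, 7889, 7889, None),
}


def interfaces(p: Ports) -> Dict[str, int]:
    """Every listening interface of a subsystem, by role (absent ports dropped)."""
    roles = {"standard": p.standard, "ee_ssl": p.ee_ssl, "agent_ssl": p.agent_ssl,
             "admin_ssl": p.admin_ssl, "tomcat": p.tomcat}
    return {role: port for role, port in roles.items() if port is not None}


def fully_separated(p: Ports) -> bool:
    """True when each SSL interface has its own port (the 8.0 default for the
    Tomcat subsystems). RA and TPS keep one shared agent/admin SSL port."""
    ssl = [port for role, port in interfaces(p).items() if role.endswith("_ssl")]
    return len(ssl) == len(set(ssl))


def ee_isolated(p: Ports) -> bool:
    """The end-entity port must never coincide with the agent or admin port."""
    return p.ee_ssl is None or p.ee_ssl not in (p.agent_ssl, p.admin_ssl)


def port_collisions(table: Dict[str, Ports]) -> Dict[int, List[str]]:
    """Ports claimed by more than one subsystem, for hosts running several
    instances side by side. Empty for the Table 1 defaults."""
    owners: Dict[int, List[str]] = {}
    for name, p in table.items():
        for port in set(interfaces(p).values()):
            owners.setdefault(port, []).append(name)
    return {port: names for port, names in owners.items() if len(names) > 1}


def interface_for_port(port: int, table: Dict[str, Ports] = TABLE_1) -> Optional[Tuple[str, str]]:
    """Name the (subsystem, role) behind a port seen listening, e.g. in `ss -ltn`,
    so an audit can say which interface is exposed."""
    for name, p in table.items():
        for role, value in interfaces(p).items():
            if value == port:
                return name, role
    return None


def firewall_rules(name: str, table: Dict[str, Ports] = TABLE_1,
                   admin_net: str = "192.0.2.0/24") -> List[str]:
    """iptables INPUT rules that implement the exposure policy described above."""
    p = table[name]
    rules = [f"-A INPUT -p tcp --dport {p.standard} -j ACCEPT"]
    if p.ee_ssl is not None:
        rules.append(f"-A INPUT -p tcp --dport {p.ee_ssl} -j ACCEPT")
    for port in sorted({p.agent_ssl, p.admin_ssl}):   # one entry when shared
        rules.append(f"-A INPUT -p tcp -s {admin_net} --dport {port} -j ACCEPT")
        rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    if p.tomcat is not None:
        rules.append(f"-A INPUT -p tcp ! -i lo --dport {p.tomcat} -j DROP")
    return rules


if __name__ == "__main__":
    for name, p in TABLE_1.items():
        print(f"{name}: separated={fully_separated(p)} ee_isolated={ee_isolated(p)}")
    print("collisions:", port_collisions(TABLE_1))
    print("\n".join(firewall_rules("CA")))
```

Running the block shows that the Tomcat subsystems (CA, OCSP, DRM, TKS) are fully separated while RA and TPS still share one SSL port between the agent and admin interfaces, exactly as the text above says; the end-entity port is distinct everywhere. The generated rules restrict whichever ports are agent or admin, so on RA and TPS the shared port is restricted as a whole.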
2.2. Changes in the Security Domain
In previous releases of Certificate System, the security domain was maintained in an XML file for the
CA, domain.xml. In Certificate System 8.0, the security domain configuration has been moved to
LDAP entries within the CA's LDAP entry.
2.3. Renamed Directory Paths
In previous releases of Red Hat Certificate System, the subsystem directories had the term rhpki
in the name, such as /etc/rhpki-tps/CS.cfg and /usr/lib/rhpki/native-tools. All
directories have been renamed pki, such as /etc/pki-tps/CS.cfg.
2.4. Replacing Policy Framework with Profile Framework
The old policy framework for managing certificates was deprecated in Certificate System 7.1 and
was removed entirely for Certificate System 7.2, 7.3, and 8.0. Any certificate enrollments or other
operations must be performed using the new profile framework.
2.5. Removing Mac Support for Enterprise Security Client
The Enterprise Security Client was previously supported on Apple Mac, but the smart card client is not
currently supported on Mac for Certificate System 8.0.
3. Supported Platforms
This section covers the different server platforms, hardware, tokens, and software supported by Red
Hat Certificate System 8.0.
3.1. Server Support
The Certificate System subsystems are supported on the following platforms:
• Red Hat Enterprise Linux 5.3 and later for x86
• Red Hat Enterprise Linux 5.3 and later for x86_64
3.1.1. Server Requirements
Component                 Details
CPU                       Intel — 2.0 GHz Pentium 4 or faster
RAM                       1 GB (required)
Hard disk storage space   Total is approximately 5 GB
Table 2. Red Hat Enterprise Linux Server Requirements
3.1.2. Red Hat Enterprise Linux Considerations
Before installing the Certificate System packages, ensure that the proper dependencies are installed
on the Red Hat Enterprise Linux system.
The following package groups and packages must be installed on all Red Hat Enterprise Linux
systems:
• gnome-desktop (package group)
• compat-arch-support (package group)
• web-server (package group)
• kernel-smp (package)
• e2fsprogs (package)
• firefox (package)
On 64-bit Red Hat Enterprise Linux platforms, ensure that the 64-bit (x86_64) compat-libstdc++
libraries are installed, and not only the 32-bit (i386) libraries. To confirm this, run the following
command as root:
3.2. Client Support
The Enterprise Security Client is supported on the following platforms:
• Microsoft Windows Vista 32-bit
• Microsoft Windows Vista 64-bit
• Microsoft Windows XP 32-bit
• Microsoft Windows XP 64-bit
• Red Hat Enterprise Linux 5.3 x86
• Red Hat Enterprise Linux 5.3 x86_64
IMPORTANT
The Enterprise Security Client was supported on Apple Mac for Red Hat Certificate
System 7.x, but is not supported on Mac for 8.0.
3.3. Supported Web Browsers
The services pages for the subsystems require a web browser that supports SSL. It is strongly
recommended that users such as agents or administrators use Mozilla Firefox to access the agent
services pages. Regular users should use Mozilla Firefox or Microsoft Internet Explorer.
NOTE
The only browser that is fully supported for the HTML-based instance configuration wizard
is Mozilla Firefox.
Platform                   Agent Services                              End User Pages
Red Hat Enterprise Linux   Firefox 3.x                                 Firefox 3.x
Windows Vista              Firefox 2.x                                 Firefox 2.x
                                                                       Internet Explorer 7 and higher
Windows XP                 Firefox 2.x                                 Firefox 2.x
                                                                       Internet Explorer 6 and higher
Mac OS 10.x                Agent services are not supported for Mac    Firefox 2.x
Table 3. Supported Web Browsers by Platform
3.4. Supported Smart Cards
The Enterprise Security Client supports Global Platform 2.01-compliant smart cards and JavaCard 2.1
or higher.
The Certificate System subsystems have been tested using the following tokens:
• Gemalto TOP IM FIPS CY2 64K token, both as a smart card and GemPCKey USB form factor key
• Gemalto Cyberflex e-gate 32K token (Red Hat Enterprise Linux only)
• Safenet 330J Java smart card
Smart card testing was conducted using the SCM SCR331 CCID reader.
The only card manager applet supported with Certificate System is the CoolKey applet which ships
with Red Hat Enterprise Linux 5.3.
3.5. Supported HSM
Red Hat Certificate System supports the Safenet Chrysalis-IT LunaSA and nCipher netHSM 2000
hardware security modules (HSM) by default. The tested and supported versions are listed in Table 4,
“Tested HSM Versions for Red Hat Certificate System 8.0”. Other HSMs can be added by loading their
libraries in the local machine and configuring the default configuration files after the Certificate System
packages are installed, but before configuring the instances; this is described in the Administrator's Guide.
HSM                            Firmware   Appliance Software   Client Software
Safenet Chrysalis-ITS LunaSA   4.5.2      3.2.4                3.2.4
nCipher netHSM 2000            2.33.60    11.10
Table 4. Tested HSM Versions for Red Hat Certificate System 8.0
4. Installing Red Hat Certificate System Subsystems
The following sections contain information on the prerequisites and procedures for installing Certificate
System subsystems, including basic information that you need to begin installing the packages.
Installing and configuring Certificate System 8.0 subsystems is described in more detail in the
Installation Guide.
4.1. Installation Notes
• Packages are non-relocatable. The Red Hat Certificate System base packages cannot be installed
to a user-designated location.
• Remove any installed libsqlite RPM files before installing the RA. The sqlite RPM files that
ship with RA cause conflicts with those files.
4.2. Install the Required JDK
Certificate System requires Sun JDK 1.6.0. This JDK must be installed separately.
The OpenJDK can be installed by using yum or by downloading the packages directly from http://openjdk.java.net/install/. For example:
yum install java-1.6.0-openjdk
After installing the JDK, run /usr/sbin/alternatives as root to ensure that the proper JDK is
available:
See http://kbase.redhat.com/faq/FAQ_54_4667.shtm for more information on using the JDK for Red
Hat Certificate System.
4.3. Verifying Red Hat Directory Server
All subsystems require access to Red Hat Directory Server 8.1 on the local machine or a remote
machine. The Directory Server can be installed on Red Hat Enterprise Linux 5.3 32-bit, Red Hat
Enterprise Linux 5.3 64-bit, or Solaris 9 Sparc 64-bit.
Check that the Red Hat Directory Server is already installed. For example:
yum info redhat-ds
Installed Packages
Name       : redhat-ds
Arch       : x86_64
Version    : 8.1.0
Release    : 1.4.el5dsrv
Size       : 136M
Repo       : installed
...
Install Red Hat Directory Server 8.1, if a directory service is not already available. For example:
yum install redhat-ds
Installing Red Hat Directory Server is described in more detail in the Red Hat Directory Server
Installation Guide.
4.4. Verifying Apache
Apache 2.x must be installed on Red Hat Enterprise Linux systems in order to install the TPS
subsystem. Check that the appropriate version of Apache is installed.
yum info httpd
Installed Packages
Name       : httpd
Arch       : x86_64
Version    : 2.2.3
Release    : 1.4.el5
Size       : 2.9 M
Repo       : installed
...
Install Apache if it is not already available. For example:
yum install httpd
4.5. Installing mod_nss
Before installing the subsystem packages on Red Hat Enterprise Linux, first install or upgrade
mod_nss. mod_nss is required for all Red Hat Certificate System packages, but is not included in the
Red Hat Certificate System repositories, so make sure that the appropriate Red Hat Network channels
are configured.
yum install mod_nss
4.6. Installing through yum
To install the subsystems on Red Hat Enterprise Linux 5 (32-bit), run a command like the following for
each subsystem:
yum install pki-subsystem
subsystem can be any of the Certificate System subsystems:
• ca for the Certificate Manager.
• ra for the Registration Authority.
• drm for the Data Recovery Manager.
• ocsp for the Online Certificate Status Protocol Responder.
• tks for the Token Key System.
• tps for the Token Processing System.
• console for the Java console.
When the installation process is complete, a URL to access this instance is printed to the screen. It
gives the subsystem instance's hostname, port, and a login PIN to access the configuration wizard:
Configuration Wizard listening on http://hostname.domainname:unsecure-port/subsystem_type/admin/console/config/login?pin=pin
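The prerequisite checks in Sections 4.1 through 4.6 can be scripted before running yum install pki-subsystem. The following is an added example (not part of the release notes and not Red Hat's tooling) that parses yum info output in the layout shown in Sections 4.3 and 4.4, verifies the Directory Server 8.1, mod_nss and JDK 1.6.0 requirements for every subsystem plus Apache 2.x for the TPS, and applies the libsqlite warning from Section 4.1 when the target is the RA. The sample yum info text at the bottom is constructed for offline use (the mod_nss and libsqlite version numbers in it are invented); the yum_info helper runs the real command on a live system.

```python
"""Pre-installation check for Certificate System 8.0 subsystems.

Added example, not part of the release notes or of Red Hat's tooling.
It reads `yum info` output in the layout shown in Sections 4.3 and 4.4
and checks the prerequisites from Sections 4.1 to 4.6. Minimum versions
come from the notes; the sample output at the bottom is constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Package -> minimum version (None means any installed version is fine).
COMMON: Dict[str, Optional[str]] = {
    "redhat-ds": "8.1",             # Section 4.3: Directory Server 8.1
    "mod_nss": None,                # Section 4.5: required for all packages
    "java-1.6.0-openjdk": "1.6.0",  # Section 4.2: JDK 1.6.0
}
# Extra prerequisites the notes tie to one subsystem.
EXTRA: Dict[str, Dict[str, Optional[str]]] = {
    "tps": {"httpd": "2.2"},        # Section 4.4: Apache 2.x for the TPS
}


def parse_yum_info(text: str) -> Dict[str, str]:
    """Return the fields of the first 'Installed Packages' block of
    `yum info` output, or {} if the package is not installed."""
    fields: Dict[str, str] = {}
    in_installed = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Installed Packages":
            in_installed = True
            continue
        if not in_installed:
            continue
        if not stripped or stripped == "Available Packages":
            if fields:
                break            # first installed block is complete
            continue
        if line.startswith(" "):
            continue             # continuation line of a multi-line field
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """'8.1.0' -> (8, 1, 0). Only the numeric components are compared."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def meets_minimum(installed: str, minimum: Optional[str]) -> bool:
    """Compare only as many components as the requirement states, so
    '2.2.3' satisfies '2.2' while '8.0.4' does not satisfy '8.1'."""
    if minimum is None:
        return True
    have, need = version_tuple(installed), version_tuple(minimum)
    return have[: len(need)] >= need


def preflight(yum_output: Dict[str, str], subsystem: str) -> List[str]:
    """Check the prerequisites for `yum install pki-<subsystem>`.
    yum_output maps package name -> text of `yum info <package>`.
    Returns the list of problems; an empty list means ready to install."""
    problems: List[str] = []
    required = dict(COMMON, **EXTRA.get(subsystem, {}))
    for pkg, minimum in required.items():
        info = parse_yum_info(yum_output.get(pkg, ""))
        if not info:
            problems.append(f"{pkg} is not installed")
        elif not meets_minimum(info.get("Version", "0"), minimum):
            problems.append(f"{pkg} {info['Version']} is older than {minimum}")
    # Section 4.1: the sqlite RPMs shipped with the RA conflict with libsqlite.
    if subsystem == "ra" and parse_yum_info(yum_output.get("libsqlite", "")):
        problems.append("libsqlite is installed; remove it before installing pki-ra")
    return problems


def yum_info(package: str) -> str:
    """Fetch `yum info <package>` from the live system ('' if yum is missing)."""
    try:
        proc = subprocess.run(["yum", "info", package], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


# Constructed sample output, in the layout the notes show for yum info.
SAMPLE_OUTPUT: Dict[str, str] = {
    "redhat-ds": "Installed Packages\nName       : redhat-ds\nArch       : x86_64\n"
                 "Version    : 8.1.0\nRelease    : 1.4.el5dsrv\nRepo       : installed\n",
    "httpd": "Installed Packages\nName       : httpd\nVersion    : 2.2.3\nRelease    : 1.4.el5\n",
    "mod_nss": "Installed Packages\nName       : mod_nss\nVersion    : 1.0.8\n",   # version invented
    "java-1.6.0-openjdk": "Installed Packages\nName       : java-1.6.0-openjdk\nVersion    : 1.6.0\n",
    "libsqlite": "Available Packages\nName       : libsqlite\nVersion    : 3.3.6\n",  # not installed
}

if __name__ == "__main__":
    live = {pkg: yum_info(pkg) for pkg in list(COMMON) + ["httpd", "libsqlite"]}
    for target in ("ca", "ra", "tps"):
        print(target, preflight(live, target) or "ready")
```

Against the constructed sample every target is ready; lowering the Directory Server version to 8.0.x produces an "older than 8.1" finding, and marking libsqlite as installed produces the RA-only removal warning. The version comparison deliberately checks only the components the requirement names, which is how "8.1" and "2.x" are stated in the notes.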
4.7. Installing from an ISO
Red Hat Certificate System 8.0 can also be downloaded from Red Hat Network as an ISO image. This
ISO image contains an RPMS/ directory which can be used as a local yum repository.
Place that RPMS/ directory on a web server and then configure yum to use that location as a
repository. After that, install Certificate System as described in Section 4.6, “Installing through yum”.
5. Documentation for Certificate System 8.0
The Red Hat Certificate System 8.0 documentation includes a complete set of usage and
management documentation for both regular users and administrators. Along with the existing
documentation set, there are important changes and enhancements to the 8.0 documentation:
5.1. Documentation Changes in 8.0
• The Administrator's Guide has been reorganized and partially rewritten to have a better structure
and flow to the content. The intent of rewriting the Administrator's Guide is to make information
easier and more intuitive to find.
• A new Installation Guide has been added to the doc set. This is based on the installation sections
from the Administrator's Guide.
• A new Certificate System Deployment Guide has been written to cover PKI concepts and
deployment planning.
• A new end-entities guide, Using End User Services, has been created to have a small, handy guide
for the end-user services for the CA and RA which are available through Certificate System.
All of the new features implemented in Certificate System 8.0 are covered in the documentation:
• New information on port separation has been added in all of the guides and all examples and
screenshots have been updated with the new port settings.
• The renewal sections in the Administrator's Guide have been rewritten and updated for the new
profile framework. This includes adding information on new CA profiles for renewal and new
procedures to renew user and server SSL certificates. The enrollment pages list in the Agent's Guide has also been updated.
• The existing auto enrollment proxy information has been added to the Administrator's Guide.
• A new method for publishing CRLs over HTTP has been added, and the corresponding sections of
the publishing chapter in the Administrator's Guide have been updated.
• The new TPS operator role has been added to the TPS chapter of the Agent's Guide, and the
information for the agent and admin roles has been updated.
• The cloning sections have been updated to cover enhancements for managing and assigning serial
numbers and for changes in the configuration procedure.
• There is enhanced UTF-8 support for subject alt names in certificates. This has been noted in the
Administrator's Guide.