Redhat Certificate User Manual

Red Hat Certificate System 8

Red Hat Certificate System 8.0

with Updates for Errata RHBA 2001:0169
Ella Deon Lackey
Copyright © 2009 Red Hat, Inc.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
All other trademarks are the property of their respective owners.
1801 Varsity Drive Raleigh, NC 27606-2072 USA Phone: +1 919 754 3700 Phone: 888 733 4281 Fax: +1 919 754 3701 PO Box 13588 Research Triangle Park, NC 27709 USA
July 22, 2009, updated on February 11, 2010
1. New Features for Red Hat Certificate System 8.0
1.1. Certificate Renewal
1.2. Improved Subsystem Cloning
1.3. Stronger SELinux Policies
1.4. Improved UTF8 Support
1.5. Enhanced Support for Third-Party ECC Modules
1.6. Simplified Signed Audit Logging
1.7. New Windows Smart Card Login Profile for Tokens
1.8. Enhanced Security Officer Mode and Enterprise Security Client Configuration
1.9. Expanded TPS Roles
1.10. Added IPv6 Support
1.11. Using HTTP1.1 for Publishing CRLs
1.12. Enhanced Installation Scripts
2. Important Configuration Changes
2.1. Default Port Separation
2.2. Changes in the Security Domain
2.3. Renamed Directory Paths
2.4. Replacing Policy Framework with Profile Framework
2.5. Removing Mac Support for Enterprise Security Client
3. Supported Platforms
3.1. Server Support
3.2. Client Support
3.3. Supported Web Browsers
3.4. Supported Smart Cards
3.5. Supported HSM
4. Installing Red Hat Certificate System Subsystems
4.1. Installation Notes
4.2. Install the Required JDK
4.3. Verifying Red Hat Directory Server
4.4. Verifying Apache
4.5. Installing mod_nss
4.6. Installing through yum
4.7. Installing from an ISO
5. Documentation for Certificate System 8.0
5.1. Documentation Changes in 8.0
5.2. Documentation with 8.0
6. Bugs Fixed in Certificate System 8.0
7. Errata Releases for Certificate System 8.0
8. Known Issues
8.1. Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack
8.2. List of Known Issues in Red Hat Certificate System 8.0
9. Copyright and Third-Party Acknowledgments
9.1. Copyrights for Portions of the Server
9.2. Copyrights for Certificate System Clients
These release notes contain important information related to Red Hat Certificate System 8.0 that may not be currently available in the Product Manuals. New features, system requirements, installation notes, known problems, resources, and other current issues are addressed here. You should read these Release Notes in their entirety before deploying Red Hat Certificate System 8.0.

1. New Features for Red Hat Certificate System 8.0

Red Hat Certificate System 8.0 is a major release of Certificate System, and many new, contemporary features have been added and existing features have been made more robust and flexible.

1.1. Certificate Renewal

Certificate renewal for all Certificate System-issued certificates has been reintroduced using the new profile framework. There are a number of new profiles to use for renewal, including encryption and signing certificates for both standard use and on tokens, and server certificate renewal. New inputs have been added to manage certificate renewal, so corresponding renewal profiles can be created for custom enrollment profiles.

1.2. Improved Subsystem Cloning

Cloning has been enhanced with distributed numeric assignments logic so that cloned CAs can efficiently divide and use serial numbers for certificates without becoming blocked because of inadequate serial number ranges.

1.3. Stronger SELinux Policies

SELinux policies are now required for every subsystem and run in enforcing mode by default, providing much more protection for Certificate System processes.

1.4. Improved UTF8 Support

The CA, OCSP, and DRM subsystems fully accept and interpret certificate requests generated using UTF-8 characters, both in the console and in the agent services pages. This support is for specific fields.
End users can submit certificate requests with UTF-8 characters in those fields and end users and agents can search for and retrieve certificates and CRLs in the CA and retrieve keys in the DRM when using those field values as the search parameters.
Four fields fully support UTF-8 characters:
• Common name (used in the subject name of the certificate)
• Organizational unit (used in the subject name of the certificate)
• Requester name
• Additional notes (comments appended by the agent to the certificate)
NOTE
This support does not include supporting internationalized domain names, like in email addresses.

1.5. Enhanced Support for Third-Party ECC Modules

Certificate System 8.0, although it does not ship with an ECC module, does support loading and using third-party ECC PKCS#11 modules with the CA. The console can handle ECC-based SSL sessions, and the server generates and supports ECC certificates.

1.6. Simplified Signed Audit Logging

Audit log signing certificates are now created with all of the other default subsystem certificates as soon as a CA, DRM, OCSP, TKS, or TPS subsystem is configured. The log is also already configured and can be very easily enabled. Signed audit logs can be verified by auditors using the included AuditVerify script.

1.7. New Windows Smart Card Login Profile for Tokens

A new example profile is included with the regular CA profiles list which enables the CA and TPS to issue certificates and enroll tokens that can be used to log into Windows systems.

1.8. Enhanced Security Officer Mode and Enterprise Security Client Configuration

Setting up and using a security officer workstation has been improved, and additional parameters have been added to the esc-pref.js configuration file to make configuring the Enterprise Security Client security officer settings easier and more flexible.

1.9. Expanded TPS Roles

A new role, the operator role, has been added to the TPS subsystem. This role can view and search all tokens, certificates, and activities within the Token Processing System (TPS) but cannot edit any entries.
Additionally, the administrator role interface has been enhanced to allow administrators to create and edit users, assign profiles, and delete users directly.

1.10. Added IPv6 Support

The Certificate System 8.0 services can accept requests from all supported browsers, from other Certificate System subsystems, and from the administrative console over IPv6. The server also supports using IPv6 addresses in the Subject Alt Names of certificates, with certificate extensions, and with Certificate System scripts and tools.

1.11. Using HTTP1.1 for Publishing CRLs

HTTP 1.1 has been added as a supported protocol to use to publish CRLs, in addition to publishing to file and to LDAP. This makes publishing CRLs safer and more efficient, since "chunks" of CRLs can be published rather than the entire CRL. If CRL publishing is ever interrupted, the process can resume smoothly.

1.12. Enhanced Installation Scripts

Certificate System creates and configures additional instances using the pkicreate script. An additional script, pkisilent, can be used to create and configure multiple subsystem instances quickly and without unnecessary user interaction. Both of these scripts have been enhanced and strengthened for changes to port separation, security domain configuration, and other updates to the structure of Certificate System subsystems.

2. Important Configuration Changes

There have been some significant changes to the structure and configuration of the Certificate System 8.0 installation, which are not directly related to new features in Certificate System 8.0.

2.1. Default Port Separation

Starting in Certificate System 8.0, there are three SSL ports, one for each of the user interfaces (agents, administrators, and end entities). The web application folders are also separated, so each web service is independent and secure. The pkicreate script has been updated to permit both separated and non-separated port configurations.
The original RA and TPS standard and SSL ports remain the same, but new SSL ports have been added for end entities.
NOTE
Port separation was originally introduced in an update to Certificate System 7.3, but the default for this errata was still to use a single SSL port at installation. In Certificate System 8.0, the default configuration is to have separate ports.
Subsystem   Standard   End-Entity SSL   Agent SSL   Admin SSL   Tomcat
CA          9180       9444             9443        9445        9701
RA          12888      12890            12889       12889       -
OCSP        11180      -                11443       11445       11701
DRM         10180      -                10443       10445       10701
TKS         13180      -                13443       13445       13701
TPS         7888       7890             7889        7889        -
Table 1. New Port Assignments for Certificate System 8.0

2.2. Changes in the Security Domain

In previous releases of Certificate System, the security domain was maintained in an XML file for the CA, domain.xml. In Certificate System 8.0, the security domain configuration has been moved to LDAP entries within the CA's LDAP entry.

2.3. Renamed Directory Paths

In previous releases of Red Hat Certificate System, the subsystem directories had the term rhpki in the name, such as /etc/rhpki-tps/CS.cfg and /usr/lib/rhpki/native-tools. All directories have been renamed pki, such as /etc/pki-tps/CS.cfg.

2.4. Replacing Policy Framework with Profile Framework

The old policy framework for managing certificates was deprecated in Certificate System 7.1 and was removed entirely for Certificate System 7.2, 7.3, and 8.0. Any certificate enrollments or other operations must be performed using the new profile framework.

2.5. Removing Mac Support for Enterprise Security Client

The Enterprise Security Client was previously supported on Apple Mac, but the smart card client is not currently supported on Mac for Certificate System 8.0.

3. Supported Platforms

This section covers the different server platforms, hardware, tokens, and software supported by Red Hat Certificate System 8.0.

3.1. Server Support

The Certificate System subsystems are supported on the following platforms:
• Red Hat Enterprise Linux 5.3 and later for x86
• Red Hat Enterprise Linux 5.3 and later for x86_64

3.1.1. Server Requirements

Component                 Details
CPU                       Intel 2.0 GHz Pentium 4 or faster
RAM                       1 GB (required)
Hard disk storage space   Total is approximately 5 GB
Table 2. Red Hat Enterprise Linux Server Requirements

3.1.2. Red Hat Enterprise Linux Considerations

Before installing the Certificate System packages, ensure that the proper dependencies are installed on the Red Hat Enterprise Linux system.
The following package groups and packages must be installed on all Red Hat Enterprise Linux systems:
• gnome-desktop (package group)
• compat-arch-support (package group)
• web-server (package group)
• kernel-smp (package)
• e2fsprogs (package)
• firefox (package)
On 64-bit Red Hat Enterprise Linux platforms, ensure that the 64-bit (x86_64) compat-libstdc++ libraries are installed, and not only the 32-bit (i386) libraries. To confirm this, run the following command as root:
rpm -q compat-libstdc++ --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}.rpm\n' | grep x86_64
Numerous libraries should be displayed.

3.2. Client Support

The Enterprise Security Client is supported on the following platforms:
• Microsoft Windows Vista 32-bit
• Microsoft Windows Vista 64-bit
• Microsoft Windows XP 32-bit
• Microsoft Windows XP 64-bit
• Red Hat Enterprise Linux 5.3 x86
• Red Hat Enterprise Linux 5.3 x86_64
IMPORTANT
The Enterprise Security Client was supported on Apple Mac for Red Hat Certificate System 7.x, but is not supported on Mac for 8.0.

3.3. Supported Web Browsers

The services pages for the subsystems require a web browser that supports SSL. It is strongly recommended that users such as agents or administrators use Mozilla Firefox to access the agent services pages. Regular users should use Mozilla Firefox or Microsoft Internet Explorer.
NOTE
The only browser that is fully supported for the HTML-based instance configuration wizard is Mozilla Firefox.
Platform                   Agent Services                             End User Pages
Red Hat Enterprise Linux   Firefox 3.x                                Firefox 3.x
Windows Vista              Firefox 2.x                                Firefox 2.x
                                                                      Internet Explorer 7 and higher
Windows XP                 Firefox 2.x                                Firefox 2.x
                                                                      Internet Explorer 6 and higher
Mac OS 10.x                Agent services are not supported for Mac   Firefox 2.x
Table 3. Supported Web Browsers by Platform

3.4. Supported Smart Cards

The Enterprise Security Client supports Global Platform 2.01-compliant smart cards and JavaCard 2.1 or higher.
The Certificate System subsystems have been tested using the following tokens:
• Gemalto TOP IM FIPS CY2 64K token, both as a smart card and GemPCKey USB form factor key
• Gemalto Cyberflex e-gate 32K token (Red Hat Enterprise Linux only)
• Safenet 330J Java smart card
Smart card testing was conducted using the SCM SCR331 CCID reader.
The only card manager applet supported with Certificate System is the CoolKey applet which ships with Red Hat Enterprise Linux 5.3.

3.5. Supported HSM

Red Hat Certificate System supports the Safenet Chrysalis-IT LunaSA and nCipher netHSM 2000 hardware security modules (HSM) by default. The tested and supported versions are listed in Table 4, "Tested HSM Versions for Red Hat Certificate System 8.0". Other HSMs can be added by loading their libraries in the local machine and configuring the default configuration files after the Certificate System packages are installed, but before configuring the instances; this is described in the Administrator's Guide.
HSM                            Firmware   Appliance Software   Client Software
Safenet Chrysalis-ITS LunaSA   4.5.2      3.2.4                3.2.4
nCipher netHSM 2000            2.33.60    11.10
Table 4. Tested HSM Versions for Red Hat Certificate System 8.0

4. Installing Red Hat Certificate System Subsystems

The following sections contain information on the prerequisites and procedures for installing Certificate System subsystems, including basic information that you need to begin installing the packages.
Installing and configuring Certificate System 8.0 subsystems is described in more detail in the Installation Guide.

4.1. Installation Notes

• Packages are non-relocatable. The Red Hat Certificate System base packages cannot be installed to a user-designated location.
• Remove any installed libsqlite RPM files before installing the RA. The sqlite RPM files that ship with RA cause conflicts with those files.

4.2. Install the Required JDK

Certificate System requires Sun JDK 1.6.0. This JDK must be installed separately.
The OpenJDK can be installed by using yum or by downloading the packages directly from http://openjdk.java.net/install/. For example:
yum install java-1.6.0-openjdk
After installing the JDK, run /usr/sbin/alternatives as root to ensure that the proper JDK is available:
/usr/sbin/alternatives --config java

There are 3 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   2           /usr/lib/jvm/jre-1.6.0-openjdk/bin/java
*+ 3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java
See http://kbase.redhat.com/faq/FAQ_54_4667.shtm for more information on using the JDK for Red Hat Certificate System.

4.3. Verifying Red Hat Directory Server

All subsystems require access to Red Hat Directory Server 8.1 on the local machine or a remote machine. The Directory Server can be installed on Red Hat Enterprise Linux 5.3 32-bit, Red Hat Enterprise Linux 5.3 64-bit, or Solaris 9 Sparc 64-bit.
Check that the Red Hat Directory Server is already installed. For example:
yum info redhat-ds

Installed Packages
Name       : redhat-ds
Arch       : x86_64
Version    : 8.1.0
Release    : 1.4.el5dsrv
Size       : 136M
Repo       : installed
...
Install Red Hat Directory Server 8.1, if a directory service is not already available. For example:
yum install redhat-ds
Installing Red Hat Directory Server is described in more detail in the Red Hat Directory Server Installation Guide.

4.4. Verifying Apache

Apache 2.x must be installed on Red Hat Enterprise Linux systems in order to install the TPS subsystem. Check that the appropriate version of Apache is installed.
yum info httpd

Installed Packages
Name       : httpd
Arch       : x86_64
Version    : 2.2.3
Release    : 1.4.el5
Size       : 2.9 M
Repo       : installed
...
Install Apache if it is not already available. For example:
yum install httpd

4.5. Installing mod_nss

Before installing the subsystem packages on Red Hat Enterprise Linux, first install or upgrade mod_nss. mod_nss is required for all Red Hat Certificate System packages, but is not included in the Red Hat Certificate System repositories, so make sure that the appropriate Red Hat Network channels are configured.
yum install mod_nss

4.6. Installing through yum

To install the subsystems on Red Hat Enterprise Linux 5 (32-bit), run a command like the following for each subsystem:
yum install pki-subsystem
subsystem can be any of the Certificate System subsystems:
ca for the Certificate Manager.
ra for the Registration Authority.
drm for the Data Recovery Manager.
ocsp for the Online Certificate Status Protocol Responder.
tks for the Token Key System.
tps for the Token Processing System.
console for the Java console.
When the installation process is complete, a URL to access this instance is printed to the screen, which gives the subsystem instance's hostname, port, and a login PIN to access the configuration wizard.
Configuration Wizard listening on http://hostname.domainname:unsecure-port/subsystem_type/admin/console/config/login?pin=pin
For example:
http://server.example.com:9180/ca/admin/console/config/login?pin=Yc6EuvuY2OeezKeX7REk

4.7. Installing from an ISO

Red Hat Certificate System 8.0 can also be downloaded from Red Hat Network as an ISO image. This ISO image contains an RPMS/ directory which can be used as a local yum repository.
Place that RPMS/ directory on a web server and then configure yum to use that location as a repository. After that, install Certificate System as described in Section 4.6, “Installing through yum”.
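The prerequisite checks from Sections 3.1.2 and 4.2 through 4.5 and the local repository setup from Section 4.7, collected into one pre-flight script. This is an added example, not a script that ships with Certificate System; the repository id rhcs80-local, the .repo path, and the RPMS/ URL passed as the argument are assumptions.

```shell
#!/bin/sh
# Added example, not part of Certificate System 8.0: pre-flight checks for a
# subsystem installation on RHEL 5 (Sections 3.1.2, 4.2 to 4.5) plus the yum
# repository definition for an ISO RPMS/ copy (Section 4.7).
# Assumed names: repo id rhcs80-local, the .repo path, and the RPMS/ URL in $1.
set -u

# Section 4.7: define the hosted RPMS/ directory as a yum repository. GPG
# checking stays on so packages are verified against the Red Hat release key
# (the RPMS/ directory must carry repodata/; run createrepo on it if it does not).
# $1 = base URL of the RPMS/ directory, $2 = .repo file to write
write_rhcs_repo() {
  cat > "$2" <<EOF
[rhcs80-local]
name=Red Hat Certificate System 8.0 (local ISO copy)
baseurl=$1
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# Sections 3.1.2 and 4.3 to 4.5: packages that must be present before pki-*.
# (The package groups listed in 3.1.2 are checked with yum grouplist, not here.)
REQUIRED_PKGS="kernel-smp e2fsprogs firefox redhat-ds httpd mod_nss"

missing_packages() {            # prints each required package that rpm cannot find
  for p in $REQUIRED_PKGS; do
    rpm -q "$p" >/dev/null 2>&1 || printf '%s\n' "$p"
  done
}

# Section 3.1.2: with the queryformat output of "rpm -q compat-libstdc++ ..." on
# stdin, succeed only if a 64-bit (x86_64) build is among the installed copies.
has_x86_64_compat() {
  grep -q '\.x86_64\.rpm$'
}

# Section 4.2: with the output of "/usr/sbin/alternatives --display java" on stdin,
# print the JDK the java link currently points to and succeed only for a 1.6.0 JDK.
java_is_16() {
  path=$(sed -n 's/^ *link currently points to //p' | head -n 1)
  printf '%s\n' "$path"
  case $path in
    */jre-1.6.0-*|*/java-1.6.0-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run every check; $1 = URL of the RPMS/ directory. Returns non-zero on any failure.
preflight() {
  rc=0
  write_rhcs_repo "$1" /etc/yum.repos.d/rhcs80-local.repo
  missing=$(missing_packages)
  if [ -n "$missing" ]; then
    echo "missing packages: $missing"; rc=1
  fi
  if [ "$(uname -m)" = x86_64 ]; then
    rpm -q compat-libstdc++ --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}.rpm\n' \
      | has_x86_64_compat || { echo "64-bit compat-libstdc++ is not installed"; rc=1; }
  fi
  /usr/sbin/alternatives --display java | java_is_16 >/dev/null \
    || { echo "java is not a 1.6.0 JDK; fix with: /usr/sbin/alternatives --config java"; rc=1; }
  return $rc
}

if [ $# -eq 1 ]; then
  preflight "$1"
fi
```

Run it as root with the URL of the hosted RPMS/ directory; it writes the repository file and exits non-zero if any prerequisite from the sections above is missing.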

5. Documentation for Certificate System 8.0

The Red Hat Certificate System 8.0 documentation includes a complete set of usage and management documentation for both regular users and administrators. Along with the existing documentation set, there are important changes and enhancements to the 8.0 documentation:

5.1. Documentation Changes in 8.0

• The Administrator's Guide has been reorganized and partially rewritten to have a better structure and flow to the content. The intent of rewriting the Administrator's Guide is to make information easier and more intuitive to find.
• A new Installation Guide has been added to the doc set. This is based on the installation sections from the Administrator's Guide.
• A new Certificate System Deployment Guide has been written to cover PKI concepts and deployment planning.
• A new end-entities guide, Using End User Services, has been created to have a small, handy guide for the end-user services for the CA and RA which are available through Certificate System.
All of the new features implemented in Certificate System 8.0 are covered in the documentation:
• New information on port separation has been added in all of the guides and all examples and screenshots have been updated with the new port settings.
• The renewal sections in the Administrator's Guide have been rewritten and updated for the new profile framework. This includes adding information on new CA profiles for renewal and new procedures to renew user and server SSL certificates. The enrollment pages list in the Agent's Guide has also been updated.
• The existing auto enrollment proxy information has been added to the Administrator's Guide.
• A new method for publishing CRLs over HTTP has been added, and the corresponding sections of the publishing chapter in the Administrator's Guide have been updated.
• The new TPS operator role has been added to the TPS chapter of the Agent's Guide, and the information for the agent and admin roles has been updated.
• The cloning sections have been updated to cover enhancements for managing and assigning serial numbers and for changes in the configuration procedure.
• There is enhanced UTF-8 support for subject alt names in certificates. This has been noted in the Administrator's Guide.