Red Hat CERTIFICATE 8.0 RELEASE NOTES Installation Guide

Table of Contents

Page 1 - Release Notes

Landmann Red Hat Certificate System 8.0 Release Notes with Updates for Errata RHSA-2010:0838 Edition 8.0.7

Page 2 - Edition 8.0.7

rpm -qi compat-libstdc++ --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}.rpm \n' | grep x86_64 Numerous libraries should be displayed. 3.

Page 3

The Certificate System subsystems have been tested using the following tokens: Gemalto TOP IM FIPS CY2 64K token, both as a smart card and GemPCKey US

Page 4 - Table of Contents

After installing the JDK, run /usr/sbin/alternatives as root to ensure that the proper JDK is available: /usr/sbin/alternatives --config java There are 3

Page 5

yum install httpd 4.5. Installing mod_nss Before installing the subsystem packages on Red Hat Enterprise Linux, first install or upgrade mod_nss. mod_ns

Page 6

there are important changes and enhancements to the 8.0 documentation: 5.1. Documentation Changes in 8.0 The Administrator's Guide has been reorgan

Page 7

Certificate System Installation Guide covers the installation process for all Certificate System subsystems. This manual is intended for Certificate Sys

Page 8

Table 5. Fixed Bugs Bug Number Description 209213 There was a random error in the Enterprise Security Client that when an enrolled card was inserted and

Page 9 - 3. Supported Platforms

482935 process (ns-slapd) to reach 100% CPU. 253323 When using the Certicom PKCS #11 module with the OCSP, the OCSP failed to start because the OCSP sign

Page 10 - 3.4. Supported Smart Cards

445436 Searching for certificates through the Revoke Certificates page in the CA's agent services reported a bad search filter. The schema used for

Page 11 - 4.2. Install the Required JDK

indexed key version. 491000 Trying to format or re-enroll a formatted security officer token caused the Enterprise Security Client to throw error 28 on

Page 12 - 4.4. Verifying Apache

Red Hat Certificate System 8.0 Release Notes with Updates for Errata RHSA-2010:0838 Edition [email protected] m

Page 13 - 4.5. Installing mod_nss

Table 6. Errata Releases Advisory Description Release Date RHSA-2010-0837 This erratum introduces bugfixes and enhancements for SCEP operations. CVE-2010-

Page 14 - 5.2. Documentation with 8.0

encryption and hash algorithms. RHBA-2010-0701 This erratum introduces enhancements for certificate and token policy settings. Bugzilla #609331. It was pos

Page 15

special security officer mode of esc did not function on Mac. Security officer mode allows designated users to perform in-person token enrollments, as adde

Page 16

cryptographic functions expected of smart cards were not possible. For instance, an encrypted email could not be sent with 2048-bit keys. RHBA-2010:0169 Th

Page 17

helpful error message has been added to the client. Bugzilla 523568. Smart cards could not be enrolled using LDAP authentication when the passwords were st

Page 18

Bugzilla 351162 RHBA-2009:1596 This update addresses Bug 505682 - Allow configuration of NSS OCSP cache settings. New parameters are enabled to allow user-

Page 19

TLS Renegotiation Attack" provides additional details about this flaw. In Certificate System, this kind of session renegotiation occurs if a user

Page 20

a. At the top of the file, replace the PKI status definitions with the following section, with the correct hostname and ports. Replace all the lines w

Page 21

4. Modify the /etc/init.d/instance_name initialization script to read the new status definitions. a. At line 242, replace the following lines. Replac

Page 22

7. Edit the profile selection template to use the URL for the new secure end-entities client authentication services port. For example, assuming the d

Page 23

Legal Notice Copyright © 2009 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License

Page 24

These are known issues in the 8.0 release of Red Hat Certificate System. When available, workarounds are included. 8. Known Issues

Page 25 - 8. Known Issues

Table 7. Known Issues Bug Number Description Workaround 223299 If a TKS master key is generated on a SafeNet LunaSA HSM, server-side key generation fails w

Page 26

though the tokens contain Phone Home URLs. 235150 The TKS sub-system start and stop scripts currently do not check that the package is installed before a

Page 27

456701 The default signing algorithm used by the CA cannot be successfully changed in the CA configuration or when setting up the CA. The default is ha

Page 28

499014 When trying to renew a DRM certificate using the certificate wizard tool in the Java console (pkiconsole), the certificate renewal fails and the D

Page 29

chcon -t textrel_shlib_t '/usr/lib/libsbgse2.so' 2. Then change the default file context files on the system so that the updated context is pre

Page 30

Misc { NetscapeCustomize=1023; } Additionally, these two lines must be removed: AppIdMajor=2; AppIdMinor=4; 511327 Trying to set up a TPS using a Safenet

Page 31

2. Open the CS.cfg file and change the authType value to the client authentication setting. vim /var/lib/pki-ca/conf/CS.cfg authType=sslclientauth 3. Open

Page 32 - 1706.http-9080-Processor24

a. Open the user's console directory. /user-directory/.redhat-idm-console b. Create new security databases. certutil -N -d . c. Export the administrat

Page 33

certificate from the base 64-blob associated with the admin user cert. certutil -A -d . -n ca -t CT,C,C -i ./ca.crt 6. The next time you run pkiconsole, i

Page 35

vim /var/lib/pki-ca/conf/CS.cfg ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=http://hostname:9180/ca/ocsp ca.crl.MasterCRL.ext

Page 36 - IMPORTANT

Administrator's Guide. 523568 On Windows XP and Vista systems, logging into the Enterprise Security Client using LDAP authentication can fail if the

Page 37

http://jakarta.apache.org/tomcat/index.html. 9.1.2. Mozilla Foundation Red Hat Certificate System uses version 4.2 of the Java™ Security Services (JSS)

Page 38

Mozilla Project. If any problems are found in these specific libraries, the source code and build instructions for the latest version of these librarie

Page 39

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary f

Page 40

9.1.1. Apache Software Foundation 9.1.2. Mozilla Foundation 9.1.3. Red Hat 9.2. Copyrights for Certificate System Clients 9.2.1. Mozilla Foundation 9.2.2.

Page 41

These release notes contain important information related to Red Hat Certificate System 8.0 that may not be currently available in the Product Manuals.

Page 42

Certificate System 8.0, although it does not ship with an ECC module, does support loading and using third-party ECC PKCS#11 modules with the CA. The c

Page 43

2.1. Default Port Separation Starting in Certificate System 8.0, there are three SSL ports, one each for each of the user interfaces (agents, administra

Page 44

pki_load, can be obtained from Red Hat support to send the certificate requests to httpclient. 3. Supported Platforms This section covers the different
