Netscape Certificate Management System 6.01 Release Notes

Netscape Certificate Management System Release Notes

Version: 6.01

Updated on: May 28, 2002

These release notes contain important information available at the time of the version 6.01 release of Netscape Certificate Management System (CMS). Installation requirements, known problems, and other late-breaking issues are addressed here. Read this document before you begin installing and using Certificate Management System.

Check the Red Hat Certificate System site prior to installing and setting up your software and then periodically thereafter to obtain the latest release notes and manuals.

These release notes contain the following sections:

What's New in This Release
Software/Hardware Requirements
CMS Documentation
Installation Procedure
Important Notes and Known Problems
For More Information

What's New in This Release

This release of Certificate Management System contains a few enhancements and includes fixes to some of the problems noticed in earlier releases. This section summarizes the enhancements/changes made in the product.

This release of Certificate Management System

Supports generation of RSA key sizes of upto 4096 bits; the previous release supported RSA key sizes of up to 2048 bits.
Enables two cloned CAs to use the same certificate repository/internal database; see the CA Cloning section.
Provides a command-line utility for upgrading from previous CMS versions. For details, check CMS Command-Line Tools Guide.
Includes some performance and scalability improvements.
Includes some bug fixes; see the table below.
Includes an updated version of CMS Customization Guide, which covers the changes made to the HTTP interface of the product.
Uses Netscape Directory Server 6.02, Netscape Administration Server 6.02, and Network Security Services (NSS) 3.3.2. These products/components include many new and enhanced features and bug fixes. For details about Directory Server and Administration Server, check the corresponding documentation at the http://enterprise.netscape.com/docs/ site. For NSS, check the http://www.mozilla.org/projects/security/pki/nss/ site.

The table below lists problems that have been fixed since the release of Certificate Management System 6.0.

Bug Number	Description
604453	The problem of CMS Installation Wizard prompting for a password for the hardware cryptographic token, with its own keypad for entering PINs, has been fixed. If you use a hardware token for CMS keys and certificates, you no longer get prompted for a password in the last screen of the Installation Wizard, and you are able to complete the installation successfully.
604215	In the CMS Console, changing the default certificate-signing algorithm from MD5RSA to SHA1RSA or MD2RSA resulted in an error. This problem has been fixed.
604212	In the CMS Installation Wizard and Certificate Setup Wizard, you can now set validity periods for certificates up to the year 2037; in the previous version, you could select up to the year 2032 as the validity period. The reason for not being able to select validity periods beyond year 2037 is that POSIX timestamps used in most UNIX systems are 32-bit signed integers. This results in an available period of 2^31 seconds or about 68 years. The epoch is 1970-01-01 00:00:00, so the counter will overflow sometime in January 2038.
603353	The CMS Customization Guide now covers the changes made to the HTTP interface of the product.

Software/Hardware Requirements

This section contains the following information:

Supported Platforms
Other Required Software

Supported Platforms

This release of Certificate Management System is supported on the following operating-system platforms:

RedHat Linux
Sun Solaris


RedHat Linux Platform Requirements
OS Version	Redhat Linux 7.2; Kernel Revision: 2.4.7-10 Redhat Linux Advanced Server; Kernel Revision: 2.4.9-e.3
CPU	350 MHz or higher, Pentium compatible.
RAM	256 MB (required)
Hard disk storage space requirements	Total required is approximately 400 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
Other Requirements	You must install as `root` in order to use well-known port numbers (such as 389) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as `root.` If you plan to run as `root,` you should also install as `root` and specify `nobody` as the default run-as user and group.
Sun Solaris Platform Requirements
OS Version	Solaris 8 with relevant Java 2 patches for JDK 1.3.1_02 For patches, check the http://java.sun.com/j2se/1.3/install-solaris-patches.html site.
CPU	Ultra 10 or faster
RAM	256 MB (required)
Hard disk storage space requirements	Total required is approximately 400 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 250 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 300 MB
Other Requirements	You must install as `root` in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as `root.` If you plan to run as `root` , you should also install as `root` and specify `nobody` as the default run-as user and group.

Other Required Software

Netscape Administration Server 6.02 (included)

Netscape Directory Server 6.02 (included)
Check the Directory Server 6.02 release notes available at http://enterprise.netscape.com/docs/directory/index.html for the latest information about this server.

Browser software that supports SSL (not included)
We strongly recommend that users who will interact with Certificate Management System as agents or end entities using Netscape browsers should use Communicator version 4.7x or Netscape 6.2. Earlier versions, such as 4.5x, may not work properly. Netscape 6 and 6.1 has not been fully tested with this release of Certificate Management System.

CMS Documentation

For the latest information about Certificate Management System, including current release notes, technical notes, and deployment information, always check this site:
http://enterprise.netscape.com/docs/cms/index.html

The complete set of CMS documentation for this release includes the following:

CMS Release Notes (this document) -- The release notes contain information on software/hardware requirements for installing the product, important notes and known bugs, last-minute product information, and how to send feedback.

CMS Installation and Setup Guide -- This guide describes how to plan for, install, and configure Certificate Management System. Read this guide first, after you have read these release notes.

CMS Plug-Ins Guide -- This guide contains reference information on CMS plug-in modules, such as the ones provided for authentication, policy, publishing, and so on.

CMS Command-Line Tools Guide -- This guide contains reference information on command-line tools.

CMS Customization Guide -- This guide contains reference information on customizing the HTML-based agent and end-entity interfaces.

CMS Agent's Guide -- This guide provides an overview of the CMS Agent Service interface and explains how to use the interface to perform agent tasks.

CMS End-Entity Help -- This document is the online help provided for the End-Entity Services interfaces; this interface contains HTML-based forms for certificate enrollments, renewals, revocations, and so on.

If you obtained product on a CD, you can find the documentation in the directory named Docs at the top level of the CD. For a list of documentation, open the index.html file.

If you are working with files you have downloaded from the web site, as opposed to the files on the CD, the Docs directory mentioned above will not be present. Instead, you must use either of these options:

Download the CMS documentation from this site: http://enterprise.netscape.com/docs/cms/index.html

Run the setup script as described under Installation Procedure, then check the <server_root>/manual/en/cert/index.htm file for a complete list of documentation installed with the product, where <server_root> is your installation directory. The index file also contains a link to the Netscape Console/Netscape Administration Server documentation that gets installed along with the CMS documentation.

Installation Procedure

Before installing the product, be sure to read these release notes and the installation instructions in CMS Installation and Setup Guide.

If you are using the product CD for installation, this book is available as a PDF file in the Docs directory.
If you downloaded the software from the web site, be sure to download the PDF version of the book.

If you do not have any previous installation of Certificate Management System, follow the instructions for installing the software. It involves the following stages:

Stage 1: Run the installation script ( setup or setup.exe) to install administration and directory servers as necessary, and perform the initial phase of CMS installation.
Stage 2: Run the Installation Wizard to set up the initial configuration of the CMS instance. This is where you specify which subsystems are to be part of this instance.
Stage 3: Use Netscape Console to further configure the new CMS instance as needed. For example, you must provide it with information about the LDAP publishing and authentication directories.
Stage 4: If you wish, use Netscape Console to create additional instances of the Certificate Management System in the same server root directory, and use the Installation Wizard to configure them.

Important Notes and Known Problems

This section lists important notes, bugs, and known issues, and provides workarounds for some of the problems that you may encounter with the product. (The problems are identified by bug numbers to help you refer to them if you need to contact technical support.)

Agent and End-Entity_Interface	Documentation
Authentication/Enrollment	Installation
CA Cloning	Renewal of Certificates
Certificate Revocation List (CRL)	Revocation of Certificates
CMS Console	Policy
Command-Line Tools	Publishing of Certificates

Agent and End-Entity Interface

The Registration Manager Agent interface includes an enrollment form for face-to-face or in-person certificate enrollment. This feature enables end users to enroll for certificates in person by going to an agent. The enrollment form works in conjunction with an authentication plug-in, named HashAuth, provided for the Registration Manager. That is, the enrollment form works only if an instance of the HashAuth authentication plug-in is enabled in the Registration Manager's configuration, giving administrators control in deciding whether agents should be allowed to perform certificate enrollment for end users. For details about this enrollment method, check the CMS Installation and Setup Guide. Note that this feature is not fully documented; for example, the CMS Plug-Ins Guide does not cover the HashAuth plug-in. (603215)

Some of the Help buttons in the Data Recovery Manager's agent interface may not work. (524107)
If you run into this problem, check the Agent's Guide for instructions on using this interface.

Authentication/Enrollment

As a part of configuring an authentication plug-in, you are required to provide the base DN of the authentication directory. If your authentication directory is based on Netscape Directory Server 6.x, be sure to enter the value in the domain-component format (for example, dc=domain, dc=com).

The certificate-based enrollment/authentication method does not work. (602205)

The CEP enrollment method (provided for routers) does not work.

During the bulk-issuance process, you may get an error indicating that the bulkissurance.template is not found. To workaround the problem, rename the <server_root>/cert-<instance_id>/web-apps/agent/ca/bulkissuance.template file to bulkissurance.template. (605105)

See also Agent and End-Entity Interface.

CA Cloning

For scalability purposes, you can configure two cloned Certficate Managers (CAs) to share the same certificate repository/internal database. For example, if you have installed two cloned Certificate Managers, each clone would have its own certificate repository. If one were to search for a certificate, the scope of the search would be limited to the certificates contained in a repository.

A new parameter defined in the CMS configuration file enables you to connect two certificate repositories by manually editing the value assigned to the parameter. To join two certificate repositories:

Stop the cloned Certificate Managers.
In the second cloned CA, open the <server_root>/cert-<instance_id>/config/CMS.cfg file in a text editor.
Locate this parameter: internaldb.basedn
Copy the value assigned to the parameter (for example, o=NetscapeCertificateServer ), and close the file.
In the first cloned CA, open the <server_root>/cert-<instance_id>/config/CMS.cfg file in a text editor.
Locate this entry: ca.CertificateRepositoryDN
Set the entry's value to the distinguished name (DN) of the second cloned CA's internal database. You can construct the DN by prefixing ou=certificaterepository,ou=ca, to the internaldb.basedn parameter value you copied. The edited entry should look similar to this:
ca.CertificateRepositoryDN = ou=certificaterepository,ou=ca,o=NetscapeCertificateServer
Save your changes and close the file.
Restart the servers.

You now have two cloned CAs, each with its own request queue, but sharing a common certificate repository.

Certificate Revocation List (CRL)

The default limitation on the size of CRL is 2M. (603303)
Certificate Management System uses Netscape Directory Server as its internal database and uses the same to store all data, including the CRL. By default, the Directory Server is configured to handle attributes up to a size of 2M. The size is determined by the value assigned to the Maximum Message Size (nsslapd-maxbersize) parameter. (Check the Directory Server documentation at the http://enterprise.netscape.com/docs/directory/602/cli/config.htm#14685 site.) If the size of your CRL reaches the 2M limit, adjust the value of the nsslapd-maxbersize parameter accordingly.

CMS Console

You cannot delete public root CA certificates from the CMS Console. (603125)
For example, if you add public root CA certificates to the CMS database and then try to delete one of those certificates from the Certificate Database Management window (CMS Console > Configuration > Encryption > Manage Certificates), the operation fails with no error.

In the Users and Groups section of the CMS Console, deleting a certificate which has its serial number as a hex value results in an error, Java.lang.Number format exception. To workaround the problem, do not delete the certificate from the Manage User Certificate window. Instead, delete the user entry, create the user entry again, and import the necessary certificates. (605128)

Command-Line Tools

Many of the command-line tools (for example, cmsutil , certutil, setpin, and ssltap) that get installed in the <server_root>/bin/cert/tools directory require LD_LIBRARY_PATH set to point to the <server_root>/bin/cert/lib directory. If LD_LIBRARY_PATH is not set correctly, you will not be able to run these tools. (601377)

Documentation

The documentation contains references to files in the CMS SDK and samples area (the <server_root>/cms_sdk/... directory). Some of these files are no longer bundled with the product. Instead, they will be made available on a future date. Javadocs for CMS interfaces and plug-ins do get installed with the product in a new location, the <server_root>/bin/cert/javadocs directory.

Because CMS 6.x versions use newer versions of NSS, from CMS 6.01 onwards, details pertaining to older versions of NSS tools have been removed from the CMS Command-Line Tools Guide. Now, the book only contains details about CMS-specific command-line tools. The documentation for NSS tools is available at the http://www.mozilla.org/projects/security/pki/nss/ site.

This version of Certificate Management System is not supported on the Windows platform. However, the documentation may contain references to performing certain administrative tasks and running commands on the Windows platform.

Installation

During the first phase of CMS installation, you are given the opportunity to specify whether to use an existing/remote configuration directory or create a new instance Directory Server for use as the configuration directory. If you opt to use an existing configuration directory, it is used for storing the configuration information. However, a new instance of Directory Server is created on the machine in which Certificate Management System is being installed. After installation, you can remove the extra configuration Directory Server colocated with the CMS instance. (604733)

The CMS Installation Wizard sometimes fails to start at the first attempt, especially when you run the wizard on a slow machine. (602048)

During the installation of a Certificate Manager, in one of the wizard screens, you are asked to enable or disable the internal OCSP feature of the Certificate Manager. Be noted that irrespective of the choice you make, the Certificate Manager is installed with this feature. The status of the Enable checkbox has no effect on installation. (603323)

You cannot install a Certificate Manager with a DSA key of size 1024 bits for the CA Signing Certificate and an RSA key of size 1024 bits for the SSL Server Certificate. To workaround the problem, install the Certificate Manager with a DSA key of size 512 bits for the CA Signing Certificate and an RSA key of size 1024 bits for SSL Server Certificate and, post installation, renew the CA Signing Certificate with a key of size 1024 bits. (603274)

Solaris only. If you create multiple CMS instances based on a CMS instance that has been installed with root privileges, be sure to manually adjust the file permission on the new instances. (602987)

Renewal of Certificates

You cannot renew CMS certificates using the Certificate Setup Wizard, which is built into the CMS Console; the wizard will fail while importing a renewed certificate. To renew these certificates, use the certutil command-line tool instead. (604543)

Revocation of Certificates

The secure (HTTPS) end-entity port requires users to present the certificate multiple times during revocation of a certificate. (603025)

Policy

The IssuerConstraints policy plug-in, which checks for certificates that have been issued by a particular CA, does not work. (602205)
To workaround the problem, edit the default value assigned to the predicate parameter as indicate below:
Default value: HTTP_PARAMS.certType==client AND certauthEnroll==on
Correct value: HTTP_PARAMS.certType==client AND HTTP_PARAMS. certauthEnroll==on

Publishing of Certificates

If Cerificate Management System is enabled for publishing certificates and if more than 10 clients concurrently submit requests to the server, some of the certificates may not get published. (603337)

For More Information

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Certificate Management System or if you need to report problems with this product, contact technical support. You may also contact us through our newsgroup for support, questions, answers, and the latest information:

snews://secnews.netscape.com/netscape.dev.certificate

You might also find it useful to subscribe to the following newsgroups, where topics related to security, certificate, and directory are discussed:

snews://secnews.netscape.com/netscape.dev.ssl
snews://secnews.netscape.com/netscape.dev.security
snews://secnews.netscape.com/netscape.dev.directory

So that we can best assist you in resolving problems, please be sure to include the following information:

Description of the problem, including the situation where the problem occurs and its impact on your operation
Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem
Detailed steps on the methods you have used to reproduce the problem
Any error logs or core dumps

For problems involving the use of directory with other products, include the product name (for example, Netscape 6.2), the release number, and platform information for those products as well.