Release Notes for
Certificate Management System
Version 7.0
Updated November 30, 2004
These release notes summarize late-breaking information about version 7.0 of Certificate Management System.
IMPORTANT: Before attempting to install this release, download and install JRE 1.4.2_06 as described below under Important Notes and Known Problems.
What's New in This Release
This section of the release notes
summarizes the
new features in this release of CMS. More information about these
features can be found in the
CMS Administrator's Guide and the standalone document Setting Up a Token Key Infrastructure.
Support for Visa Open Platform Compliant Smart Cards
CMS now supports Visa
Open Platform compliant smart cards, greatly
simplifying all aspects of key management.
The Visa Open Platform standard permits
direct communication between a Registration Authority and individual
Open Platform smart cards, facilitating a more rapid and transparent
user experience for key management tasks such as enrollment, key
archival, PIN reset, and key recovery. In addition, Open Platform
makes it possible to update the Java applet on the token, permitting
rapid deployment of new functionality with minimum user involvement.
Enterprise Security Client
The Enterprise Security Client included with
this release is a desktop application that communicates with the back
end of CMS and with the token available to the
user's computer. This application provides a simple UI to support
desktop key management tasks such as PIN reset.
The Enterprise Security Client is fully
customizable; for example, it can be set up to require involvement by
a human agent (for example, over the phone), or it can be fully
automated to support initial enrollment using information such as
mother's maiden name or whatever other user data a particular
deployment requires.
In this release, the Enterprise Security
Client is available for Windows desktops only.
Software/Hardware Requirements
Supported Platform Requirements
This release of Certificate Management System
is supported on the following operating system platforms:
Red Hat Linux Platform Requirements

  OS Version: Red Hat Linux Advanced Server 2.1
  CPU: 500MHz Pentium III or faster
  RAM: 256 MB (required)
  Hard disk storage space requirements: Total required is approximately 400 MB, as follows:
    - Total transient space required during installation: 100 MB
    - Hard disk storage space required for installation:
      - Space required for setup, configuration, and running the server: approximately 250 MB
      - Additional space to allow for database growth in pilot deployment: approximately 50 MB
      - Total disk storage space for installation: approximately 300 MB
  Other requirements: Unless you are following the detailed Common Criteria setup instructions documented in appendix B of the CMS Administrator's Guide to run the server using the cmssuid program with setuid/setgid privileges, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group.

  Note: Although CMS 7.0 may work on Red Hat Linux 7.x platforms, it is only officially certified on the Red Hat Linux Advanced Server 2.1 platform. CMS 7.0 does NOT work on the Red Hat 8.x or Red Hat 9.x platforms.

Sun Solaris Platform Requirements

  OS Version: Solaris 8 with relevant Java 2 patches for JDK 1.4.0. For patches, check the http://java.sun.com/j2se/1.4/install-solaris-patches.html site.
  CPU: Ultra 10 or faster
  RAM: 256 MB (required)
  Hard disk storage space requirements: Total required is approximately 400 MB, as follows:
    - Total transient space required during installation: 100 MB
    - Hard disk storage space required for installation:
      - Space required for setup, configuration, and running the server: approximately 250 MB
      - Additional space to allow for database growth in pilot deployment: approximately 50 MB
      - Total disk storage space for installation: approximately 300 MB
  Other requirements: Unless you are following the detailed Common Criteria setup instructions documented in appendix B of the CMS Administrator's Guide to run the server using the cmssuid program with setuid/setgid privileges, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group.
Other Required Software
- Netscape Administration Server 6.1 SP4 (included)
- Netscape Directory Server 6.21 (included)
- Browser software that supports SSL (not included)

We strongly recommend that users who will interact with Certificate Management System as agents or end entities using Netscape browsers should use Communicator version 4.7x or Netscape 7.0x. Earlier versions, such as 4.5x, may not work properly. Netscape 6.x versions have not been fully tested with this release of Certificate Management System.
Documentation
The documentation for this release of CMS has
been completely reorganized and rewritten. It contains complete
information about this release and all the new features included in
this release.
All documentation is installed with the product and can be accessed
from the help system. Further, the documentation can also be accessed
from the installed product in the following directory:
<server_root>/manual/en/
The documentation set for CMS includes the following:
Managing Servers with Netscape Console
Provides background information on basic cryptography concepts and the
role of Netscape Console.
CMS Administrator's Guide
Describes how to plan for, install, and administer CMS.
CMS Command-Line Tools Guide
Provides detailed reference information on CMS tools.
CMS Customization Guide
Provides detailed reference information on customizing the HTML-based
agent and end-entity interfaces.
CMS Agent's Guide
Provides detailed reference information on
CMS
agent interfaces. To access this information from the Agent Services
pages, click any help button.
CMS End-Entity Guide
Provides detailed reference information on
CMS
end-entity interfaces. Although this documentation is available from
each particular CMS instance, this documentation can also be accessed
from the installed product in the <server_root>/bin/cert/forms/ee/manual/ee_guide/
directory.
Netscape Console and Directory Server reference documentation
associated with this release of CMS is also included with this product,
and can be accessed from the installed product in the <server_root>/manual/en/
directory.
Setting Up a Token Key Infrastructure
Standalone document that provides instructions for setting up the new Token Key System and related subsystems.
How to Install and Run the Enterprise Security Client
Standalone "readme" that provides user instructions for using the Enterprise Security Client.
Installation Procedure
Be sure to read these release notes, the JRE instructions that follow, and the installation instructions in the CMS Administrator's Guide before installing the product.
IMPORTANT: Before you
attempt to install this release, you must download and extract
JRE 1.4.2_06. Follow these steps:
- Go to http://java.sun.com.
- Locate JRE 1.4.2_06 (location may vary over time).
NOTE: CMS 7.0 has been tested with JRE 1.4.2_06. Later versions may work, but have not yet been tested. Earlier versions will probably not work correctly.
- Download JRE 1.4.2_06 into a new directory.
- Take appropriate action for the type of JRE file you downloaded.
For example, for Linux you can download the JRE as either an RPM file
or as a self-extracting binary.
For an RPM file, you would need to run a command like this:
rpm -i <JRE RPM filename>
For a self-extracting binary, you would need to run the script file itself, like this:
./j2re-1_4_2-linux-i586.bin
Here are some examples.
For a JRE RPM file:
./j2re-1_4_2-linux-i586.bin
...
Do you agree to the above
license terms? [yes or no] Yes
Unpacking...
Checksumming...
...
...
Extracting...
UnZipFX 5.40 of 28 November 1998, by Info-ZIP (Zip-Bugs@Lists.wku.edu).
inflating: j2re-1_4_2_06-linux-i586.rpm
Done.
rpm -i j2re-1_4_2_06-linux-i586.rpm
For a self-extracting binary:
./j2re-1_4_2-linux-i586.bin
...
Do you agree to the above license terms? [yes or no] Yes
Unpacking...
Checksumming...
...
...
Creating j2re1.4.2/lib/rt.jar
Creating j2re1.4.2/lib/jsse.jar
Creating j2re1.4.2/lib/charsets.jar
Creating j2re1.4.2/lib/ext/localedata.jar
Creating j2re1.4.2/lib/plugin.jar
Creating j2re1.4.2/javaws/javaws.jar
Done.
Note the location where the JRE has been extracted, then
run the setup script for CMS 7.0:
./setup
To run setup, you need to have version 1.4.2 of Sun's 32-bit Linux Java runtime environment on your system.
Enter the path to the unpackaged JRE: /export/download/cms70/jre/j2re1.4.2
Verifying JRE... Found JRE "1.4.2"
Creating Console JRE package...
Done
Cleaning up... Done
Creating CMS JRE package... Done
Cleaning up... Done
Note: The setup script bundles the JRE into the CMS package and then proceeds with the normal installation.
If you do not have any previous installation of
Certificate Management System, follow the instructions above for
installing
the software. If you are installing the software for Common Criteria
purposes, follow the detailed Common Criteria setup instructions
included in Appendix B of the CMS Administrator's Guide.
Otherwise, simply perform the following stages:
- Stage 1: Run the installation
script (setup) to install
administration and directory servers as necessary, and perform the
initial phase of CMS installation.
- Stage 2: Run the Installation Wizard to set up the initial
configuration of the CMS instance. This is where you specify which
subsystems are to be part of this instance.
- Stage 3: Use Netscape Console to further configure the new
CMS
instance as needed. For example, you must provide it with information
about the LDAP publishing and authentication directories.
- Stage 4: If you wish, use Netscape Console to create
additional
instances of the Certificate Management System in the same server root
directory, and use the Installation Wizard to configure them.
For information on installing and setting up a token key
infrastructure, see the standalone document Setting
Up a Token Key Infrastructure.
For end-user instructions for setting up the Enterprise Security
Client, see the standalone document How to Install and Run the Enterprise
Security Client.
Upgrading from a Previous CMS Version
Upgrading from a previous version of CMS can be
accomplished by installing CMS 6.2 into a server root which differs
from the previous installation's server root, and migrating the data as
described in chapter 2 of the CMS Command-Line Tools Guide.
Note that although the original installation should not be adversely affected, it is still always advisable to back up the entire original server root before upgrading.
Important Notes and Known Problems
To specify an out-of-band shared secret for use with CMC, you must modify and recompile the source.
For CMC, an out-of-band shared secret is involved in some of the control attributes. There is an interface called SharedSecret.class in the com.netscape.cms.authentication package. The administrator may modify the source code in SharedSecret.java, compile it, and install it in the <serverRoot>/bin/cert/classes/com/netscape/cms/authentication directory. The instructions on how to compile the code are described in the CMS SDK authentication tutorial.
The source code for SharedSecret.java looks like this:
    /* CMS_SDK_LICENSE_TEXT */
    package com.netscape.cms.authentication;

    import java.math.BigInteger;
    import org.mozilla.jss.pkix.cmc.PKIData;
    import com.netscape.certsrv.authentication.ISharedToken;

    public class SharedSecret implements ISharedToken {
        public SharedSecret() {
        }

        // Implement this method to return the shared secret on the server side
        // for the given CMC request data.
        public String getSharedToken(PKIData cmcdata) {
            return "testing";
        }

        // Implement this method to return the shared secret on the server side
        // for the certificate with the given serial number.
        public String getSharedToken(BigInteger serial) {
            return "testing";
        }
    }
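As an added example (not from the release notes or the CMS source), the same class rewritten so the secret is loaded from a properties file readable only by the CMS run-as user instead of being hard-coded in the binary. The file path, the cms.sharedsecret.file system property, the enroll.secret and serial.<n> keys, and the expectation that a null return makes the CMC request fail its identity proof are all assumptions; the code avoids post-1.4 language features so it compiles under the JRE 1.4.2 the notes require.

```java
/* Added example, not CMS product source. */
package com.netscape.cms.authentication;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.util.Properties;
import org.mozilla.jss.pkix.cmc.PKIData;
import com.netscape.certsrv.authentication.ISharedToken;

public class SharedSecret implements ISharedToken {
    // Hypothetical location; the file must be owned by and readable only
    // by the CMS run-as user, and must live outside any served directory.
    private static final String SECRET_FILE = System.getProperty(
        "cms.sharedsecret.file", "/etc/cms/shared-secret.properties");

    private final Properties secrets = new Properties();

    public SharedSecret() {
        InputStream in = null;
        try {
            in = new FileInputStream(SECRET_FILE);
            secrets.load(in);
        } catch (IOException e) {
            // No file means no secrets: every lookup below returns null,
            // so no request can pass a shared-secret check by default.
            secrets.clear();
        } finally {
            if (in != null) {
                try { in.close(); } catch (IOException ignored) { }
            }
        }
    }

    // Enrollment-time secret agreed out of band with the requestor.
    // Assumed layout: a single "enroll.secret" property.
    public String getSharedToken(PKIData cmcdata) {
        return lookup("enroll.secret");
    }

    // Per-certificate secret for later requests such as revocation.
    // Assumed layout: "serial.<decimal serial number>".
    public String getSharedToken(BigInteger serial) {
        return lookup("serial." + serial.toString());
    }

    // Returns null for a missing or blank entry rather than a default value.
    private String lookup(String key) {
        String value = secrets.getProperty(key);
        if (value == null || value.trim().length() == 0) {
            return null;
        }
        return value.trim();
    }
}
```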
To purchase token hardware, go to Axalto's online store at http://www.scmegastore.com. Navigate to the pages for buying "Cyberflex e-gate 32K with plug" and "e-gate Token Connector".
CMS 7.0 is not Common Criteria certified
While instructions are included to set up
CMS 7.0 in this mode, it
should be understood that this version of the CMS product is NOT
officially Common Criteria certified. To run CMS as an officially
certified Common Criteria product, use CMS 6.1 (SP 1).
Ignore references to the NISAuth
plug-in in the Netscape Console documentation.
The Netscape Console documentation includes some references to the
NISAuth plug-in. This plug-in has been removed from this release.
Please ignore all references to it.
CMS creates a local database even if
the user specified a remote one (34174)
Follow these steps to work around this problem:
- Install a CMS server as usual, specifying the use of a remote configuration directory. Unfortunately, the setupSDK will still prompt for a "local configuration directory" port number. This number must be different from the real configuration directory server's port if it exists on the same machine.
- Launch Netscape Console and select the configuration directory
generated by the previous setup installation.
- Right click the configuration directory, choose Remove Server, and answer Yes to the confirmation
question. Click OK when
success is reported.
- Select the CMS instance generated by the previous setup
installation, and configure this instance as usual.
NOTE: Use Netscape Console to remove the superfluous
configuration directory instance, but do NOT use the command line uninstall utility to select
removal of the Directory Server component, as this will remove the
Directory Server binaries required for CMS configuration as well as the
superfluous directory server instance.
OCSP may fail when CRL is large (46209)
If you are using OCSP with large CRLs, you may encounter this error:
CRLIssuingPoint MasterCRL - Failed to sign CRL java.lang.OutOfMemoryError
If you do see this error, adding more memory may solve the problem.
Unified CMS Directory Server database
user/group replication causes Directory Server to fail (53602)
This situation will lead to a Directory Server failure:
- Two directory servers are set up. The first CA is configured, and the second CA is cloned and replicated from the first.
- With TKS installed, Directory Server fails when you attempt to create users and groups.
TKS fails to generate keys if
specified key is not
present (55855)
The CMS.cfg file includes a parameter that looks similar to this:
op.enroll.deviceKey.update.symmetrickeys.requiredversion=100
If the symmetric keys of the specified version do not exist within TKS, TKS will fail to generate keys for that session.
Searching for serial numbers on the
Revoke Certificates page causes the browser to hang (56391)
This situation will cause the browser to hang:
Logging a shutdown leads to an error
(57222)
You may sometimes see an error like this when you start up the CA or
TKS:
Thread-4: Failed to log event "AUDIT_LOG_SHUTDOWN", error: Attempt to log message
To work around this problem, restart the Directory Server and then
restart the CA or TKS.
Token management for nCipher tokens is
not supported in this release (57241)
The only hardware token supported by the new Token Key System (TKS) in
this release is Chrysalis-ITS lunaSA hardware (version 2.3 or 3.0) for
Solaris 8 and Linux 2.1. This initial release of TKS does not support
token management with nCipher on Solaris 8.
TPS crashes when enrollment operation
is canceled (57285)
If you start a devicekey enrollment, then cancel it when it's about
10-15 percent complete, and wait about two minutes for the client and
server to time out, TPS will fail.
Signing and encryption certificates
issued at the same time may have different validity dates (57312)
Signing and encryption certificates issued at the same time may end up
with slightly different "not valid after" dates.
If a request email is not
specified, "$request.requestor_email$" appears in the
certificate's SubjectAltName extension (57313)
This problem prevents the browser from importing the certificate. To
work around the problem, remove the SubjectAltName extension from the
profile policies and save the configuration settings for the profile.
When you then issue the CMC request, the issued certificate will be
successfully imported to the certificate database.
Missing # in the configuration file
for CMCRequest (57315)
If you type CMCRequest on the command line in the bin/cert/tools directory, you'll see the usage (what the configuration file looks like) on the screen. You can then copy the content from the screen and paste it into a new file called CMCRequest.cfg to use as the configuration file, and modify the parameter values as needed.
When you run the command CMCRequest
CMCRequest.cfg, you will get the following error:
Error in configuration file:
certificate.
You should edit the configuration file and search for the line starting with certificate, then put the # in front of the word certificate. When you run the command again, it should work correctly.
RA-CA connector issue (615957)
If the CA is unavailable, the RA queues
requests
in the svc_pending state. When the CA becomes available, the RA should
submit those requests. However, the RA does not submit these requests
until the RA is restarted. During RA startup, there is a warning
message shown on the command line:
CMS Warning: FAILURE: error in resending request 8 - Invalid attribute HttpConn: request no good 403 Forbidden
The reference to request 8 refers to the svc_pending request. If your RA has any svc_pending requests, you will see the above warning message. Despite this warning message, the RA is still functioning correctly.
RA and CA cannot share the same hardware token (622376)
If you are using a hardware token to store your CA's signing certificate, make sure you do not use the same token to store other subsystems' certificates.
Please note that this also applies to a subordinate CA.
Use of this product is subject to the License
accompanying the product. Copyright © 2001 Sun Microsystems, Inc.
Portions copyright 1999, 2002-2004 Netscape Communications Corporation.
All rights reserved.
Last Updated November 30, 2004