Release Notes for Certificate Management System
Version 6.1 (SP 1)
Updated March 12, 2003
These release notes contain information about the new features and other information available at the time of the version 6.1 (SP 1) release of Certificate Management System.
What's New in This Release
This section of the release notes contains a brief description of the new features in this release of CMS. A complete description of these features and complete details on using each feature can be found in the CMS Administrator's Guide.
This version of Certificate Management System contains the following new features:
Common Criteria Certification
This version of Netscape Certificate Management System is Common Criteria certified.
VPL Identification: Netscape Certificate Management System 6.1 Service Pack 1
Information on how to verify that the software you have received is the intended certified Target of Evaluation can be found on the download site for CMS. Information on the certified Target of Evaluation for this product, and on how to set it up, can be found in Appendix B of the CMS Administrator's Guide.
Authorization
CMS provides a new authorization framework that allows you to create groups and assign access control to those groups. You can also change the default access control for prebuilt groups, and assign access control to individual users and IP addresses. Access points for authorization have been created for the major portions of the system, allowing you to set access control rules for each of them. You can also create additional access points and additional access control lists using the CMS SDK. For complete details, see the chapter "Authorization" in the CMS Administrator's Guide.
Cross Certificate Pairs
The Federal Bridge Certification Authority (FBCA) model is a PKI setup in which trust is established between two or more Certificate Authorities (CAs). In an FBCA setup, CA1 creates and signs a certificate for CA2, and CA2 creates and signs a certificate for CA1. These certificates are called cross-signed certificates, or cross-certificates. End entities with certificates from CA1 can present their certificates to entities in CA2. Entities in CA2, which trust only CA2, validate the chain of trust through the cross-certificate for CA1 signed by CA2: end-entity certificate, then CA2's cross-certificate for CA1, then CA2's own certificate.
This version of CMS adds FBCA features that allow the generation of cross-signed certificates between CAs, the import of cross-signed certificates, and the publishing of cross-signed certificate pairs.
For complete details, see the chapter "Certificate Manager" in the CMS Administrator's Guide.
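The following is an added example, not CMS code, of the path discovery a relying party performs when the only trust anchor it holds is CA2 and the certificate it is shown was issued by CA1. Certificates are modelled as plain records carrying just the fields path building uses (subject, issuer, subjectKeyIdentifier, authorityKeyIdentifier); the CA names, key identifiers and the end entity "alice" are constructed sample data, and signature verification, validity periods and name constraints are left out and noted where a real validator would apply them.

```python
"""Constructed example of building a certification path through a cross-certificate."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: str  # subjectKeyIdentifier: names the public key in this certificate
    akid: str  # authorityKeyIdentifier: names the key that signed it

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.skid == self.akid


def build_path(target: Cert, pool: List[Cert], anchors: List[Cert],
               max_len: int = 8) -> Optional[List[Cert]]:
    """Return [target, ..., anchor] or None if no path reaches a trust anchor.

    Walks from the end entity toward a trust anchor, following issuer name and
    authorityKeyIdentifier. A cross-certificate is simply a CA certificate in
    the pool whose subject and key belong to CA1 but whose issuer is CA2, so a
    relying party trusting CA2 reaches CA1-issued certificates through it.
    """
    def step(chain: List[Cert], seen: Set[str]) -> Optional[List[Cert]]:
        cur = chain[-1]
        for a in anchors:
            if a.subject == cur.issuer and a.skid == cur.akid:
                return chain + [a]
        if len(chain) >= max_len:
            return None
        for c in pool:
            # self-signed certs add nothing to a path; a key already in the
            # chain means the mutual cross-certificates would loop
            if c.self_signed or c.skid in seen:
                continue
            if c.subject == cur.issuer and c.skid == cur.akid:
                # a real validator verifies cur's signature with c's key here,
                # and checks validity period, basicConstraints and name constraints
                found = step(chain + [c], seen | {c.skid})
                if found:
                    return found
        return None

    return step([target], {target.skid})


# constructed sample PKI: two CAs that have cross-certified each other
CA1 = Cert("CN=CA1", "CN=CA1", "k1", "k1")
CA2 = Cert("CN=CA2", "CN=CA2", "k2", "k2")
CA1_BY_CA2 = Cert("CN=CA1", "CN=CA2", "k1", "k2")  # CA2's cross-certificate for CA1
CA2_BY_CA1 = Cert("CN=CA2", "CN=CA1", "k2", "k1")  # CA1's cross-certificate for CA2
ALICE = Cert("CN=alice", "CN=CA1", "ka", "k1")     # end entity enrolled under CA1
POOL = [CA1, CA2, CA1_BY_CA2, CA2_BY_CA1]


def path_for(anchor_name: str) -> Optional[List[str]]:
    """Path to alice's certificate for a relying party that trusts only anchor_name."""
    anchors = [c for c in POOL if c.self_signed and c.subject == anchor_name]
    path = build_path(ALICE, POOL, anchors)
    return None if path is None else [f"{c.subject} by {c.issuer}" for c in path]


if __name__ == "__main__":
    for trusted in ("CN=CA2", "CN=CA1", "CN=CA3"):
        print(trusted, "->", path_for(trusted))
```

A relying party in CA2's domain ends up with the three-certificate path described above, one in CA1's domain needs no cross-certificate at all, and a relying party trusting an unrelated CA gets no path even though the two cross-certificates form a cycle.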
Signed Audit Log
CMS can be configured to produce signed audit logs that record auditable events from the subsystem. The audit log feature is configurable, allowing you to specify the events that are logged. An auditor user is assigned who is the only user who can view the audit logs.
See the section "Signed Audit Log" in the "Administrative Basics" chapter of the CMS Administrator's Guide.
UNICODE Support for Subject Name and Issuer Name
CMS now supports UTF-8 (Unicode) encoding of the subject name and issuer name in the certificates it issues. The encoding is enabled separately for two classes of certificates:
-
UTF-8 encoding can be enabled for the certificates that CMS issues to its own subsystems, giving UTF-8 encoding of their subject name and issuer name. When UTF-8 is used for these certificates, the end-entity certificates created by those subsystems also carry UTF-8 encoding in the issuer name field, because the issuer name of an issued certificate is taken from the subject name of the subsystem's own certificate.
-
UTF-8 encoding can be enabled for the certificates that CMS issues to end entities. When UTF-8 is enabled for these certificates, the subject name field is encoded using UTF-8.
To Enable UNICODE for Subsystem Certificates
Use the following procedure to change the default character set used in the subject name of certificates that CMS generates for its own subsystems to UTF-8. You must make this change before any subsystem certificates are issued. (You need to perform this procedure for any instance that will contain a Certificate Manager.)
-
Open the file <server_root>/<cms-instance>/config/CertSetup.cfg
-
Add the following line to the file, on a line of its own:
dnUTF8Encoding=true
-
Save the file.
To Enable UNICODE for End Entity Certificates
Use the following procedure to change the default character set used in the subject name of certificates that CMS generates for end entities to UTF-8. (You need to perform this procedure for any instance that will contain a Certificate Manager.)
-
Stop the CMS server instance.
-
Open the file <server_root>/<cms-instance>/config/CMS.cfg
-
Add the following line to the file, on a line of its own:
ca.connector.dnUTF8Encoding=true
-
Save the file.
-
Start the CMS server instance.
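What these settings change inside the issued certificate is the ASN.1 string type used for each attribute value in the Name: PrintableString (DER tag 0x13, ASCII letters, digits and a few punctuation characters only) when UTF-8 encoding is off, UTF8String (tag 0x0C) when it is on. The following is an added example, not CMS code, that encodes a single commonName relative distinguished name both ways and decodes the string type back out of the DER bytes, which is the check to run against the subject of a certificate the server has actually issued. A full X.501 Name is a SEQUENCE of such RDNs; this handles one RDN, and the sample values are constructed.

```python
"""Constructed example: PrintableString versus UTF8String encoding of a DN attribute."""
from typing import Tuple

PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
TAG_PRINTABLE, TAG_UTF8, TAG_OID, TAG_SEQ, TAG_SET = 0x13, 0x0C, 0x06, 0x30, 0x31


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with the shortest definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, offset just past this TLV)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        n, off = first, off + 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(buf[off + 2:off + 2 + k], "big"), off + 2 + k
    return tag, buf[off:off + n], off + n


def encode_cn_rdn(value: str, utf8: bool) -> bytes:
    """DER for the RDN {commonName = value}: SET { SEQUENCE { OID, string } }.

    With utf8=False (the pre-SP1 behaviour) a value outside the PrintableString
    repertoire cannot be encoded at all, which is the case dnUTF8Encoding fixes.
    """
    if utf8:
        string = _tlv(TAG_UTF8, value.encode("utf-8"))
    else:
        if not set(value) <= PRINTABLE_CHARS:
            raise ValueError(
                "value is not representable as PrintableString; enable UTF-8 encoding")
        string = _tlv(TAG_PRINTABLE, value.encode("ascii"))
    return _tlv(TAG_SET, _tlv(TAG_SEQ, _tlv(TAG_OID, OID_COMMON_NAME) + string))


def cn_string_type(rdn: bytes) -> str:
    """Report which ASN.1 string type an encoded commonName RDN uses."""
    tag, set_body, _ = _read_tlv(rdn, 0)
    if tag != TAG_SET:
        raise ValueError("expected SET")
    tag, seq_body, _ = _read_tlv(set_body, 0)
    if tag != TAG_SEQ:
        raise ValueError("expected SEQUENCE")
    tag, oid, off = _read_tlv(seq_body, 0)
    if tag != TAG_OID or oid != OID_COMMON_NAME:
        raise ValueError("expected commonName OID")
    tag, _value, _ = _read_tlv(seq_body, off)
    return {TAG_PRINTABLE: "PrintableString", TAG_UTF8: "UTF8String"}.get(
        tag, f"tag 0x{tag:02x}")


if __name__ == "__main__":
    for name, utf8 in (("Alice", False), ("Alice", True), ("Müller", True)):
        der = encode_cn_rdn(name, utf8)
        print(name, utf8, der.hex(), cn_string_type(der))
```

Note that the two encodings of "Alice" differ only in the one tag byte; relying software that compares issuer and subject names byte for byte will treat them as different names, which is why the subsystem-certificate setting must be made before any subsystem certificates are issued.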
CMC Enroll and CMC Revoke
CMC Enroll is a new feature of CMS that provides agent request signing capabilities. A new tool allows an agent to sign a certificate request using the agent certificate issued to them by the CA. A new plug-in in CMS sets rules requiring agent-signed requests and also authenticates the signed request. An authenticated signed request is considered an approved request and is processed immediately. Because the agent's signature alone causes issuance, the private keys of agent certificates must be protected accordingly.
CMS also supports CMC Revocation. When the CMCAuth plug-in is enabled, CMC enrollment and CMC revocation are both enabled. CMC Revocation allows you to send signed revocation requests that are processed automatically.
For complete details about CMC Enroll, see the chapter "Authentication" in the CMS Administrator's Guide. For information about the CMC Revocation tool, see the chapter "Revocation and CRLs" in the CMS Administrator's Guide.
Proof of Possession
CMS can now detect and validate the proof-of-possession (POP) field contained in a certificate request for a signing certificate. This is supported for requests in the CRMF format; because a CMC message can carry a CRMF request, the CRMF POP functionality should also work in a properly encoded CMC request. The proof-of-possession field is defined in RFC 2511.
The server detects this field and validates its value. If validation of the proof-of-possession field fails, an error is returned to the requestor of the certificate.
Allowing Empty Certificate Subject Name
CMS now allows the creation of a certificate without a subject name. If the subject name is absent, relying clients must use the value of the subjectAltName extension as the identity in the certificate; the X.509 profile in RFC 3280 requires a certificate with an empty subject to carry a subjectAltName extension marked critical. Previously, CMS would not allow you to create a certificate without a subject name.
Certificate Profiles
CMS has a new feature called certificate profiles. A certificate profile is associated with the issuance of one particular type of certificate and configures the content of the certificate, the constraints put on the issuance of that certificate, the enrollment method used, and the input and output forms associated with that enrollment.
A set of certificate profiles is included for the most common certificate types. You can use these certificate profiles and configure their settings to suit your needs. Certificate profiles are configured by an administrator and then sent to the Agent Services interface for agent approval. Once a certificate profile is approved, it is enabled for use. A dynamically generated HTML form for the certificate profile is used in the end-entity interface for the enrollment that triggers that profile. The server verifies that the defaults and constraints set in the certificate profile are met before acting on the request, and uses the certificate profile to determine the content of the issued certificate. You can create additional certificate profile plug-in modules using the CMS SDK.
For complete details, see the chapter "Certificate Profiles" in the CMS Administrator's Guide.
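The following is an added example, not CMS code, of the default-then-constraint evaluation the paragraph above describes: each profile policy supplies a default that fills in content the request left unset and a constraint that rejects the request if the resulting content is outside policy. The profile name, its field names, the organisation pattern and the validity limits are assumptions chosen for illustration; the point of the last case is that a request asking for a CA key usage through a user profile is refused rather than issued.

```python
"""Constructed example: evaluating a request against a certificate profile."""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Set

Request = Dict[str, Any]


class ProfileViolation(Exception):
    """Raised with the list of constraint failures; nothing is issued."""


@dataclass
class Policy:
    name: str
    default: Callable[[Request], Any]                # fills a field the request left unset
    constraint: Callable[[Request], Optional[str]]   # error text, or None if satisfied


def validity_default(days: int):
    return lambda r: r.setdefault("validity_days", days)


def validity_range(max_days: int):
    def check(r: Request) -> Optional[str]:
        d = r.get("validity_days")
        if not isinstance(d, int) or not 1 <= d <= max_days:
            return f"validity {d!r} outside 1..{max_days} days"
        return None
    return check


def subject_pattern(regex: str):
    pat = re.compile(regex)

    def check(r: Request) -> Optional[str]:
        subject = str(r.get("subject", ""))
        return None if pat.fullmatch(subject) else f"subject {subject!r} does not match {regex}"
    return check


def key_usage_default(bits: Set[str]):
    return lambda r: r.setdefault("key_usage", set(bits))


def key_usage_allowed(allowed: Set[str]):
    def check(r: Request) -> Optional[str]:
        extra = set(r.get("key_usage", ())) - allowed
        return f"key usage {sorted(extra)} not permitted by profile" if extra else None
    return check


# Hypothetical "user signing" profile: an end entity may get a signing
# certificate for at most two years, under one organisation, and never a
# CA key usage, whatever the request asks for.
USER_SIGNING_PROFILE: List[Policy] = [
    Policy("validity", validity_default(365), validity_range(730)),
    Policy("subject", lambda r: None, subject_pattern(r"CN=[^,]+,O=Example Corp")),
    Policy("keyUsage", key_usage_default({"digitalSignature", "nonRepudiation"}),
           key_usage_allowed({"digitalSignature", "nonRepudiation"})),
]


def evaluate(profile: List[Policy], request: Request) -> Request:
    """Apply every default, then every constraint; return the content to issue."""
    content = dict(request)
    for p in profile:
        p.default(content)
    errors = [f"{p.name}: {msg}" for p in profile if (msg := p.constraint(content))]
    if errors:
        raise ProfileViolation(errors)
    return content


if __name__ == "__main__":
    print(evaluate(USER_SIGNING_PROFILE, {"subject": "CN=alice,O=Example Corp"}))
    for bad in ({"subject": "CN=alice,O=Example Corp", "validity_days": 5000},
                {"subject": "CN=mallory,O=Example Corp",
                 "key_usage": {"digitalSignature", "keyCertSign"}}):
        try:
            evaluate(USER_SIGNING_PROFILE, bad)
        except ProfileViolation as e:
            print("rejected:", e.args[0])
```

Defaults run before constraints so that a constraint also covers values the profile filled in itself; constraints are all evaluated, so the requester sees every violation at once rather than one per round trip.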
Console Certificate Authentication
To allow stronger authentication of the communication between the Administration Console and the CMS server, the Administration Console now supports SSL client authentication. When it is configured, CMS administrators must present their certificate when configuring CMS using the Administration Console.
For complete details, see the chapter "Administrative Basics" in the CMS Administrator's Guide.
Self Tests
CMS provides a framework for self-tests of the system that are run automatically at startup and can be run on demand. It ships with a set of self-tests that are configurable, and allows you to create additional self-tests using the CMS SDK.
For complete details, see the chapter "Administrative Basics" in the CMS Administrator's Guide.
Certificate Search Improvements
New search options have been added to the End Entity and Agent certificate search user interface pages. These parameters were added to improve search speed and to provide finer control of searches. The fields added are:
-
Maximum Results. Specify the maximum number of search results.
-
Time Limit. Specify the maximum amount of time, in seconds, that the server should spend searching. If this is less than the time the full search needs, only the results obtained within the specified time are returned.
Authority Revocation List
You can now create revocation lists containing only those certificates that were issued to Certificate Authorities.
For complete details, see the chapter "Revocation and CRLs" in the CMS Administrator's Guide.
CRL Issuing Points
CMS can now create more than one type of CRL at the same time from defined issuing points. You define the issuing points when you set up CRLs.
For complete details, see the chapter "Revocation and CRLs" in the CMS Administrator's Guide.
Clean Shutdown
With this version, CMS is enabled for a clean shutdown. During the shutdown process, the subsystem processes any requests already posted to any of its interfaces to completion, but accepts no new requests.
You can set a timeout value by changing the shutdownTimeout parameter in the CMS.cfg file. The setting is the amount of time, in seconds, allowed between issuing the shutdown command and the actual shutdown. If this time is reached before all in-progress requests are complete, the server shuts down without completing them. For a clean shutdown, the value of shutdownTimeout in CMS.cfg must be shorter than the value (max_count * sleep2) in the stop_cert script, so that the script keeps waiting for at least as long as the server may take to drain. The default timeout setting is 30 seconds.
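An added check, not part of CMS, that reads the two values and confirms the relationship stated above before a change to either file is deployed. It reads shutdownTimeout as a bare key=value line in CMS.cfg, as the page presents it, and assumes that max_count and sleep2 appear in stop_cert as plain shell assignments (max_count=10, sleep2=5) with sleep2 in seconds; both file contents below are constructed samples.

```python
"""Constructed example: check shutdownTimeout against the stop_cert wait budget."""
import re
from typing import Dict, Iterable, Tuple


def _int_values(text: str, keys: Iterable[str]) -> Dict[str, int]:
    """Pull `key=<integer>` lines (optional spaces around '=') out of a file body."""
    found: Dict[str, int] = {}
    for key in keys:
        m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\d+)\s*$", text, re.MULTILINE)
        if m is None:
            raise KeyError(f"{key} not found")
        found[key] = int(m.group(1))
    return found


def shutdown_budget(cms_cfg: str, stop_cert: str) -> Tuple[int, int, bool]:
    """Return (shutdownTimeout, max_count * sleep2, ok).

    ok is True only when the server's drain timeout is strictly shorter than the
    time the stop script is willing to wait; otherwise the script may give up
    (and, depending on how it is written, kill the process) while requests
    are still being completed.
    """
    timeout = _int_values(cms_cfg, ["shutdownTimeout"])["shutdownTimeout"]
    script = _int_values(stop_cert, ["max_count", "sleep2"])
    budget = script["max_count"] * script["sleep2"]  # sleep2 assumed to be seconds
    return timeout, budget, timeout < budget


# constructed sample file contents
CMS_CFG = "ca.crl.MasterCRL.enable=true\nshutdownTimeout=30\n"
STOP_CERT = "#!/bin/sh\n# constructed fragment of stop_cert\nmax_count=10\nsleep2=5\n"

if __name__ == "__main__":
    timeout, budget, ok = shutdown_budget(CMS_CFG, STOP_CERT)
    print(f"shutdownTimeout={timeout}s, stop_cert waits up to {budget}s: "
          f"{'ok' if ok else 'raise max_count*sleep2 or lower shutdownTimeout'}")
```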
Software/Hardware Requirements
Supported Platforms
This release of Certificate Management System is supported on the following operating system platforms:
Sun Solaris Platform Requirements
-
OS version: Solaris 8 with the relevant Java 2 patches for JDK 1.4.0. For the patches, check http://java.sun.com/j2se/1.4/install-solaris-patches.html
-
CPU: Ultra 10 or faster
-
RAM: 256 MB (required)
-
Hard disk storage space: approximately 400 MB in total, as follows:
-
Transient space required during installation: 100 MB
-
Space required for setup, configuration, and running the server: approximately 250 MB
-
Additional space to allow for database growth in a pilot deployment: approximately 50 MB
-
Total disk storage space for installation: approximately 300 MB
-
Other requirements: Unless you are following the detailed Common Criteria setup instructions in Appendix B of the CMS Administrator's Guide, which run the server through the cmssuid program with setuid/setgid privileges, you must install as root in order to use well-known port numbers below 1024 (such as 443). If you do not plan to use port numbers below 1024, you do not need to install as root. If you do install as root, specify nobody as the default run-as user and group so that the server itself does not run with root privileges.
Other Required Software
-
Netscape Administration Server 6.11 (included)
-
Browser software that supports SSL (not included)
We strongly recommend that users who will interact with Certificate Management System as agents or end entities using Netscape browsers use Communicator version 4.7x or Netscape 7.0x. Earlier versions, such as 4.5x, may not work properly. Netscape 6.x versions have not been fully tested with this release of Certificate Management System.
CMS Documentation
The documentation for this release of CMS has been completely reorganized and rewritten. It contains complete information about this release and all the new features included in it.
All documentation is installed with the product, and most of it can be accessed from the help system.
The documentation set for CMS includes the following:
-
CMS Administrator's Guide
Describes
how to plan for, install, and administer CMS. Further, this documentation
can also be accessed from the installed product in the <server_root>/manual/en/
directory.
-
CMS Command-Line Tools Guide
Provides
detailed reference information on CMS tools. Further, this documentation
can also be accessed from the installed product in the <server_root>/manual/en/
directory.
-
CMS Customization Guide
Provides
detailed reference information on customizing the HTML-based agent and
end-entity interfaces. Further, this documentation can also be accessed
from the installed product in the <server_root>/manual/en/
directory.
-
CMS Agent's Guide
Provides
detailed reference information on CMS agent interfaces. To access this
information from the Agent Services pages, click any help button. Further,
although this documentation is available from each particular CMS instance,
this documentation can also be accessed from the installed product in the
<server_root>/bin/cert/forms/agent/manual/agent_guide/
directory.
-
CMS End-Entity Guide
Provides
detailed reference information on CMS end-entity interfaces. Although this
documentation is available from each particular CMS instance, this documentation
can also be accessed from the installed product in the <server_root>/bin/cert/forms/ee/manual/ee_guide/
directory.
Netscape
Console and Directory Server reference documentation associated with this
release of CMS is also included with this product, and can be accessed
from the installed product in the <server_root>/manual/en/
directory. This includes the following reference documents:
-
Managing Servers with Netscape
Console
Provides
background information on basic cryptography concepts and the role of Netscape
Console.
-
Netscape Directory Server
Deployment Guide
Provides information on
deploying the Netscape Directory Server.
-
Netscape Directory Server
Installation Guide
Provides information on
installing the Netscape Directory Server.
-
Netscape Directory Server
Administrator's Guide
Describes how to plan
for, install, and administer Netscape Directory Server.
-
Netscape Directory Server
Configuration, Command, and File Reference
Provides information on
configuring Netscape Directory Server.
-
Netscape Directory Server
Schema Reference
Provides information on
managing Netscape Directory Server schema.
-
Netscape Directory Server
Plug-In Programmer's Guide
Provides information on
developing plug-ins for Netscape Directory Server.
Installation Procedure
Before installing the product, be sure to read these release notes and the installation instructions in the CMS Administrator's Guide.
-
If you are using the product CD for installation, this book is available as a PDF file in the Docs directory. The PDF includes everything except the information on setting up the Common Criteria Certified Target of Evaluation for this product; that setup procedure can be found in Appendix B of the HTML version of the CMS Administrator's Guide, located on the website at http://enterprise.netscape.com/docs/cms/index.html and also included within the product software on the CD.
-
If you downloaded the software from the website, be sure to download the PDF version of the book. The HTML version of the Common Criteria Certified Target of Evaluation documentation is included within the downloaded software, or on the website mentioned previously.
If you do not have any previous installation of Certificate Management System, follow the instructions for installing the software. If you are installing the software for Common Criteria purposes, follow the detailed Common Criteria setup instructions in Appendix B of the CMS Administrator's Guide. Otherwise, simply perform the following stages:
-
Stage 1: Run the
installation script (setup) to install administration and directory
servers as necessary, and perform the initial phase of CMS installation.
-
Stage 2: Run the
Installation Wizard to set up the initial configuration of the CMS instance.
This is where you specify which subsystems are to be part of this instance.
-
Stage 3: Use Netscape
Console to further configure the new CMS instance as needed. For example,
you must provide it with information about the LDAP publishing and authentication
directories.
-
Stage 4: If you
wish, use Netscape Console to create additional instances of the Certificate
Management System in the same server root directory, and use the Installation
Wizard to configure them.
Upgrading from a Previous CMS Version
Upgrading from a previous version of CMS is done by installing CMS 6.1 (SP 1) into a server root that differs from the previous installation's server root, and migrating the data as described in chapter 2 of the CMS Command-Line Tools Guide. Although the original installation should not be adversely affected, it is still always advisable to back up the entire original server root before upgrading.
Important Notes and Known Problems
Incorrect LD_LIBRARY_PATH Variable Leads to Installation Failure (608176)
The CMS 6.1 (SP 1) Solaris installer fails if the user has the LD_LIBRARY_PATH variable set to include a JDK library, because the installer downloads its own version of the JDK. Unset LD_LIBRARY_PATH before beginning the installation.
Installer Fails Without Correct Solaris Patches (608182)
The CMS 6.1 (SP 1) Solaris installer fails if the Solaris 8 system does not have the correct patches applied for JDK 1.4.0. Ideally the installer would check whether the required patches are installed and, if they are not, report this to the user and stop the installation; in this release it does not, so apply the required patches before running the installer. The required patches are listed at http://java.sun.com/j2se/1.4/install-solaris-patches.html
Cannot Publish Delta CRLs to an OCSP Responder (615685)
Delta CRLs cannot be published to the OCSP responder. If delta CRLs are published to the OCSP responder, the OCSP responder confuses the CRL numbers and does not accept new full CRLs.
Empty Subject Alternative Name Extension (615932)
A certificate with an empty subject alternative name extension cannot be used to authenticate against CMS.
Null Subject Name (604865)
Certificates with empty subject names may crash the Netscape browser when they are imported into the browser. They do work when imported into Internet Explorer.
Old Enrollment Pages
The Certificate Profile enrollment forms are now the default forms in the end-entity interface. The old forms associated with the Policy feature are still in the product, but extra steps are required to use them.
To restore the old enrollment forms:
-
Go to the following directory:
-
Copy the old files to the correct folder:
To switch back to profile-based enrollment:
-
Go to the following directory:
<serverRoot>/cert-<instanceid>/web-apps/ee/<subsystem-id>/profileEnrollment
where subsystem-id is either ca or ra
-
Copy the files to the correct folder:
Signing Certificate Not Issued in RA (616142)
The signing certificate is not issued if the enrollment request is submitted to the "Manual User Signing & Encryption Certificates Enrollment" certificate profile enrollment in a Registration Manager, although the encryption certificate is issued. The OCSP Manager signing certificate is not issued if the enrollment request is submitted via "Manual OCSP Signing Certificate Enrollment" certificate profile enrollment in a Registration Manager.
Automated Certificate Enrollment Requests Not Saved by RA (616148)
When using one of the authentication plug-ins to automate certificate enrollment, the request generated by the enrollment is not properly saved by a Registration Manager and does not appear in the request queue when a query is made for it.
Using CMS with an nCipher nShield HSM Device
Using CMS with an nCipher nShield HSM device is supported only when using the correct versions of the nCipher PKCS#11 library and firmware. The supported versions of the nCipher PKCS#11 library are 1.18.25 and higher. The supported versions of the nCipher firmware are 1.79.12 and higher. Please contact nCipher support at support@ncipher.com for information on obtaining copies of the appropriate software.
CMC Enroll (613150)
Certificate issuance fails if the CMC enrollment request contains a "dc" (domainComponent) component in its subject name. The request should contain only the following components: CN, L, ST, O, OU, C.
Creating a New Instance Does Not Change File Permissions (602987)
When creating an instance, the ownership of the files is not changed (Solaris only). If you create multiple CMS instances based on a CMS instance that was installed with root privileges, be sure to manually adjust the file ownership and permissions on the new instances.
DSA for Policy-based Enrollments (600140)
You need to modify the JavaScript in the policy-based enrollment pages in order to generate DSA requests. Note: Certificate Profile-based enrollments are not capable of generating DSA requests. The ManUserEnroll.html and DirUserEnroll.html certificate enrollment forms have been modified so that they mainly use the JavaScript call crypto.generateCRMFRequest() to generate requests. However, the absence of the KEYGEN tag makes it difficult to edit the enrollment forms to obtain DSA certificates, as the user is not allowed to specify PQG parameters. Therefore, here is an example of how crypto.generateCRMFRequest() should be called:

    // Netscape/Mozilla window.crypto API as used by the policy-based forms.
    // "subject" and "certNickname" are the form's fields; setCRMFRequest()
    // is the form's own callback that submits the generated request.
    var keyTransportCert = null;            // no key archival for a signing key
    var keyGenAlg = "dsa-nonrepudiation";   // request a DSA key instead of RSA
    certNickname.value = subject.value;
    crmfObject = crypto.generateCRMFRequest(
        subject.value,                      // requested subject DN
        "regToken", "authenticator",
        keyTransportCert,
        "setCRMFRequest();",                // run when key generation completes
        512, null, keyGenAlg);              // key size, key params (none), algorithm
Password Stored in CertSetup.cfg (617631)
The CertSetup.cfg file in <server_root>/cert-<instance-id>/config must be removed after the CMS configuration is done, because it contains sensitive information such as the token password.
SHA1withRSA Is Not a Default Signing Algorithm Option (616365)
The default list of signing algorithms in profiles does not include SHA1withRSA. You can add the option manually via the CMS console or by modifying the profile configuration.
For More Information
Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the documentation for this release. If you need further assistance or information about Certificate Management System, or if you need to report problems with this product, either contact technical support or email us at cms-feedback@netscape.com.
So that we can best assist
you in resolving problems, please be sure to include the following information:
-
Description of the problem, including
the situation where the problem occurs and its impact on your operation
-
Machine type, operating system
version, and product version, including any patches and other software
that might be affecting the problem
-
Detailed steps on the methods
you have used to reproduce the problem
-
Any error logs or core dumps
For problems involving the use of the directory server with other products, include the product name (for example, Netscape 7.0), the release number, and platform information for those products as well.
Use
of this product is subject to the License accompanying the product. Copyright
© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2003 Netscape
Communications Corporation. All rights reserved.