Release Notes for
Certificate Management System

Version 6.2

Updated June 17th, 2003


These release notes describe the new features and other information available at the time of the version 6.2 release of Certificate Management System.

These release notes contain the following sections:



What's New in This Release

This section of the release notes contains a brief description of the new features in this release of CMS. A complete description of these features and complete details on using each feature can be found in the CMS Administrator's Guide.

This version of Certificate Management System contains the following new features:

High Availability Support

CMS supports a new cloning architecture for high availability. See Chapter 16 of the Netscape Certificate Manager System Administrator's Guide, "Configuring CMS for High Availability," for more information about cloning.

CRL Scheduling

CMS 6.2 provides additional CRL scheduling support. This support and other related advanced features are present within the CRL configuration panels provided through the CMS console.

New CA Profiles

Version 6.2 of the Netscape Certificate Manager System includes three new profile plugins for the Certificate Manager Subsystem:



Software/Hardware Requirements

This section contains the following information:

Supported Platform Requirements

This release of Certificate Management System is supported on the following operating system platforms:




Red Hat Linux Platform Requirements

OS Version: Red Hat Linux Advanced Server 2.1

CPU: 500MHz Pentium III or faster

RAM: 256 MB (required)

Hard disk storage space requirements: Total required is approximately 400 MB, as follows:

  • Total transient space required during installation: 100 MB

  • Hard disk storage space required for installation:

    • Space required for setup, configuration, and running the server: approximately 250 MB

    • Additional space to allow for database growth in pilot deployment: approximately 50 MB

    • Total disk storage space for installation: approximately 300 MB

Other requirements: Unless you are following the detailed Common Criteria setup instructions documented in appendix B of the CMS Administrator's Guide to run the server using the cmssuid program with setuid/setgid privileges, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group.

Note: Although CMS 6.2 may work on Red Hat Linux 7.x platforms, it is only officially certified on the Red Hat Linux Advanced Server 2.1 platform. Additionally, it should be understood that CMS 6.2 does NOT work on the Red Hat 8.x or Red Hat 9.x platforms! 




Sun Solaris Platform Requirements

OS Version: Solaris 8 with relevant Java 2 patches for JDK 1.4.0. For patches, check the http://java.sun.com/j2se/1.4/install-solaris-patches.html site.

CPU: Ultra 10 or faster

RAM: 256 MB (required)

Hard disk storage space requirements: Total required is approximately 400 MB, as follows:

  • Total transient space required during installation: 100 MB

  • Hard disk storage space required for installation:

    • Space required for setup, configuration, and running the server: approximately 250 MB

    • Additional space to allow for database growth in pilot deployment: approximately 50 MB

    • Total disk storage space for installation: approximately 300 MB

Other requirements: Unless you are following the detailed Common Criteria setup instructions documented in appendix B of the CMS Administrator's Guide to run the server using the cmssuid program with setuid/setgid privileges, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group.

Other Required Software



Documentation

The documentation for this release of CMS has been completely reorganized and rewritten. It contains complete information about this release and all the new features included in this release.

All documentation is installed with the product and can be accessed from the help system. Further, the documentation can also be accessed from the installed product in the following directory:

<server_root>/manual/en/

The documentation set for CMS includes the following:

Managing Servers with Netscape Console

Provides background information on basic cryptography concepts and the role of Netscape Console.

CMS Administrator's Guide

Describes how to plan for, install, and administer CMS.

CMS Command-Line Tools Guide

Provides detailed reference information on CMS tools.

CMS Customization Guide

Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces.

CMS Agent's Guide

Provides detailed reference information on CMS agent interfaces. To access this information from the Agent Services pages, click any help button.

CMS End-Entity Guide

Provides detailed reference information on CMS end-entity interfaces. Although this documentation is available from each particular CMS instance, this documentation can also be accessed from the installed product in the <server_root>/bin/cert/forms/ee/manual/ee_guide/ directory.

Netscape Console and Directory Server reference documentation associated with this release of CMS is also included with this product, and can be accessed from the installed product in the <server_root>/manual/en/ directory.



Installation Procedure

Before installing the product, be sure to read these release notes and the installation instructions in the CMS Administrator's Guide.

If you do not have any previous installation of Certificate Management System, follow the instructions for installing the software. If you are installing the software for Common Criteria purposes, follow the detailed Common Criteria setup instructions included in Appendix B of the CMS Administrator's Guide. Otherwise, simply perform the following stages:



Upgrading from a Previous CMS Version

Upgrading from a previous version of CMS can be accomplished by installing CMS 6.2 into a server root which differs from the previous installation's server root, and migrating the data as described in chapter 2 of the CMS Command-Line Tools Guide. Note that although the original installation should not be adversely affected, it is still always advisable to back up the entire original server root before upgrading.



Important Notes and Known Problems


CMS 6.2 is not Common Criteria Certified

While instructions are included to set up CMS 6.2 in this mode, it should be understood that this version of the CMS product is NOT officially Common Criteria certified. To run CMS as an officially certified Common Criteria product, CMS 6.1 (SP 1) must be utilized.


RA-CA Connector Issue (615957)

If the CA is unavailable, the RA queues requests in the svc_pending state. When the CA becomes available, the RA should submit those requests. However, the RA does not submit these requests until the RA is restarted. During RA startup, there is a warning message shown on the command line:

CMS Warning: FAILURE: error in resending request 8 - Invalid attribute HttpConn:

request no good 403 Forbidden|

The reference to request 8 is to the svc_pending request. If your RA has any svc_pending requests, you will see the above warning message. Despite this warning message, the RA is still functioning correctly.


RA and CA cannot share the same hardware token (622376)

If you are using a hardware token to store your CA's signing certificate, make sure you do not use the same token to store other subsystems' certificates.

Please note that this also applies to a subordinate CA.


CRL Distribution Points Profile Issue (616970)

Currently, the Console does not show the PointName in the CRL Distribution Points extension of the profile feature if the character ";" is present.

If the value for the crlDistPointsPointName contains ";", then you need to replace ";" with %3b. For example, if the value is

ldap://myhost.netscape.com:389/cn=mySigningCA,ou=people,o=netscape?certificaterevocationlist;binary

then you should change it to

ldap://myhost.netscape.com:389/cn=mySigningCA,ou=people,o=netscape?certificaterevocationlist%3bbinary
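The substitution described above, applied across a set of profile settings, as an added example that is not part of the original release notes or the product's own code. The key=value layout, the `example.profile.` prefix, the `_0`/`_1` suffixes and the function names are assumptions; only the `crlDistPointsPointName` name and the LDAP URL come from the notes.

```python
from urllib.parse import unquote

# Assumed layout: one key=value setting per line, with the affected setting's
# key containing "crlDistPointsPointName" (the name used in the release note).
KEY_MARKER = "crlDistPointsPointName"


def escape_point_name(value):
    """Replace every literal ';' with %3b, the workaround given for 616970."""
    return value.replace(";", "%3b")


def fix_profile_lines(lines):
    """Return (rewritten_lines, changed_keys); only PointName values are touched."""
    rewritten, changed = [], []
    for line in lines:
        key, sep, value = line.partition("=")  # split on the first '=' only
        is_setting = sep and not key.lstrip().startswith("#")
        if is_setting and KEY_MARKER in key and ";" in value:
            fixed = escape_point_name(value)
            # The escaped form must still decode to the same URI.
            if unquote(fixed) != unquote(value):
                raise ValueError(f"escaping changed the URI for {key}")
            line = f"{key}={fixed}"
            changed.append(key)
        rewritten.append(line)
    return rewritten, changed


# Constructed sample settings; the "example.profile." prefix is hypothetical.
SAMPLE = [
    "example.profile.desc=Pilot CA; CRL published to LDAP",
    "example.profile.crlDistPointsPointName_0=ldap://myhost.netscape.com:389/"
    "cn=mySigningCA,ou=people,o=netscape?certificaterevocationlist;binary",
    "example.profile.crlDistPointsPointName_1=ldap://myhost.netscape.com:389/"
    "cn=mySigningCA,ou=people,o=netscape?certificaterevocationlist%3bbinary",
]

if __name__ == "__main__":
    new_lines, changed_keys = fix_profile_lines(SAMPLE)
    for entry in new_lines:
        print(entry)
    print("rewritten:", ", ".join(changed_keys))
```

Settings other than the PointName keep their ";" characters, and a value that is already escaped is left alone, so the check can be rerun safely.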


OCSP Responder does not respond to OCSP client when the CRL grows too large (622499)

The current CMS implementation stores CRL information in memory. As the CRL grows, memory consumption will increase. The default heap size is set to 512M and can be configured by changing the jvm.maxHeapSize parameter in the <server_root>/cert-<instance>/config/jvm12.conf file.



For More Information

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the Documentation for this release. If you need further assistance or information about Certificate Management System or if you need to report problems with this product, either contact technical support, or email us at cms-feedback@netscape.com.

So that we can best assist you in resolving problems, please be sure to include the following information:

For problems involving the use of directory with other products, include the product name (for example, Netscape 7.0), the release number, and platform information for those products as well.


Use of this product is subject to the License accompanying the product. Copyright © 2001 Sun Microsystems, Inc.
Portions copyright 1999, 2002-2003 Netscape Communications Corporation. All rights reserved.


Last Updated June 23, 2003