Sun™ ONE Certificate Server 4.7

Release Notes

These Release Notes contain important information available at the time of the Version 4.7 release of Sun™ ONE Certificate Server. New features and enhancements, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you begin using Certificate Server.

This is a living document and subject to ongoing updates. Please check the following URL frequently to ensure you have the latest version of Release Notes:

http://docs.sun.com/source/816-5547-10/index.html

You can download the complete documentation set via the following links:

• all_docs.zip (for Windows) - Contains both HTML and PDF versions of all product manuals.

• all_pdf.zip (for Windows) - Contains PDF versions of all product manuals.

• all_docs.tar.gz (for Unix) - Contains both HTML and PDF versions of all product manuals.

• all_pdf.tar.gz (for Unix) - Contains PDF versions of all product manuals.

  
  
  

  ---

  Note

  Sun™ ONE Certificate Server was previously iPlanet™ Certificate Management System. The product was renamed shortly before the launch of this 4.7 release. The late renaming of this product has resulted in a situation where the new product name is not fully integrated into the shipping product. In particular, you will see the product referenced as iPlanet Certificate Management System within the product GUI and within the product documentation. For this release, please consider iPlanet Certificate Management System (CMS) and Sun ONE Certificate Server as interchangeable names for the same product.

  ---

  
  
  

An electronic version of the complete product documentation set can be found at the iPlanet documentation web site:

http://docs.sun.com/db?p=coll/S1_s1CertificateServer_47

Check the web site prior to installing and setting up your software and then periodically thereafter to view the most up-to-date release notes and manuals.

These release notes contain the following sections:

• What's New in This Release

• Software and Hardware Requirements

• Installation Overview

• Upgrading From a Previous Certificate Server Installation

• Known Problems and Limitations

• How to Report Problems

• For More Information

---

What's New in This Release

The 4.7 version of Certificate Server includes a number of new features as well as important updates and enhanced performance. For detailed information, click a link in the following sections:

New Features

• Support for Windows 2000 Login Certificates

• FIPS 140-1 Level 3 Support

• Extended Functionality for Registration Manager

• Challenge Password-based Certificate Renewal

• Support for Identity Server Single Sign-on (SSO)

Important Update

• Upgrading From a Previous Certificate Server Installation

  
  
  

  ---

  Note

  Sun™ ONE Certificate Server was previously iPlanet™ Certificate Management System. The product was renamed shortly before the launch of this 4.7 release. The late renaming of this product has resulted in a situation where the new product name is not fully integrated into the shipping product. In particular, you will see the product referenced as iPlanet Certificate Management System within the product GUI and within the product documentation. For this release, please consider iPlanet Certificate Management System (CMS) and Sun ONE Certificate Server as interchangeable names for the same product.

  ---

  
  
  

---

Software and Hardware Requirements

Operating Systems Supported

• Windows 2000 and Windows NT 4.0 with Service Pack 6

• Solaris 8 (with relevant Java 2 patches)

Other Required Software

• iPlanet Administration Server 5.1 (included)

• iPlanet Directory Server 5.1 (included)

  Check the Directory Server release notes at http://docs.sun.com/db?p=coll/S1_ipDirectoryServer_51 for the latest information about installing this server.

• Administrators and end users use web browsers to perform user management tasks.CMS 4.7 supports the following web browsers:
  • Netscape Communicator 4.79 on the following platforms:
    Solaris 8; Windows versions NT 4.0 SP6a and 98SE.

  • Microsoft Internet Explorer 5.5 SP2 on the following Windows versions:
    2000 Professional, NT 4.0 SP6a, and 98 SE.

  • Microsoft Internet Explorer 6.0 on the following Windows versions:
    2000 Professional, NT 4.0 SP6a.

• Java 1.3.1

Packages Included with Certificate Server

• Network Security Services (NSS)

• Certificate Server SDK and Samples

• Command-line Tools

• Certificate Server Documentation

Platform and Hard Disk Requirements

In addition to the requirements listed below, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install Certificate Server.

Table 0-1    Platform and Hard Disk Requirements

Solaris Platform Requirements
OS Version	Solaris 8
Machine	Ultra 1 or faster
RAM	128 MB (256 MB recommended)
Hard disk storage space requirements	Total required is approximately 450 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 300 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 350 MB
Windows Platform Requirements
OS Version	Windows 2000, Windows NT 4.0 SP6a
Machine	Pentium II 400 or faster
File system	NTFS or FAT
RAM	128 MB (256 MB recommended)
Hard disk storage space requirements	Total required is approximately 350 MB, as follows: Total transient space required during installation: 100 MB Hard disk storage space required for installation: Space required for setup, configuration, and running the server: approximately 200 MB Additional space to allow for database growth in pilot deployment: approximately 50 MB Total disk storage space for installation: approximately 250 MB
Other Requirements
On Unix systems, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run as root, you should also install as root and specify nobody as the default run-as user and group. On a Windows NT system, you must install as Administrator or a user with Administrator privileges (that is, the user must be in the Administrators group).

---

Installation Overview

Before installing the product, be sure to read the installation instructions in the Certificate Server Installation and Setup Guide.

If you're using the product CD for installation, this book is available in HTML in the /Docs directory.

If you downloaded the software from the web site, be sure to download the pdf version of the book from this site: http://docs.sun.com/db?p=coll/S1_s1CertificateServer_47

If you're using CMS 4.2-SP2 and want to upgrade to Certificate Server 4.7, follow the upgrade instructions in these Release Notes. If you don't have a previous installation of Certificate Server, follow the instructions in the Certificate Server Installation and Setup Guide for installing the software. It involves the following stages:

• Stage 1: Run the installation script (setup on Unix, setup.exe on Windows NT) to install administration and directory servers as necessary, and perform the initial phase of Certificate Server installation.

• Stage 2: Run the Installation Wizard to set up the initial configuration of the Certificate Server instance. This is where you specify which subsystems are to be part of this instance.

• Stage 3: Use iPlanet Console to further configure the new Certificate Server instance as needed. For example, you must provide it with information about the LDAP publishing and authentication directories.

• Stage 4 (Optional): You can use iPlanet Console to create additional instances of the Certificate Server in the same server root directory, and use the Installation Wizard to configure them.

If you want to install a separate, stand-alone version of iPlanet Console for any reason, you can download it from this site: http://wwws.sun.com/software/download/allproducts.html

---

Upgrading From a Previous Certificate Server Installation

The only direct migration path to Certificate Server 4.7 is from version 4.2, Service Pack 2 (SP2). If you have an existing installation of Certificate Server version 4.2, you must first upgrade to version 4.2SP2. Follow the instructions in the section "Upgrading From a Previous Certificate Server Installation" in the Installation and Setup Guide that comes with the version 4.7 software.

If you already have an existing installation of Certificate Server 4.2 SP2, use the following instructions instead of those in the Installation and Setup Guide.

The Certificate Server Migration Tool

Certificate Server 4.7 provides a utility that migrates certificates, keys, CRLs, and related user information contained in the Internal DB directories. The tool migrates only Certificate Server instances, and only on a single host; it does not span multiple machines. There are two versions of the migration utility, one for Unix and one for Windows. All steps listed in the migration tool documentation are performed.

Log files containing migration details can be found in the following directories:

Solaris:

/47_binaries_location/migration_MM-DD-YYYY-HH_MM_SS.log for   migration detailss

Windows:

\47_binaries_location\migration-MMDDYYYY.log

Known Issues and Workarounds

• If you're upgrading a Windows NT or 2000 installation:
  • If you use a third-party tool such as MKS toolkit, then the PATH should have the MKS toolkit as the last entry. Otherwise, the perl script will fail to execute.

  • During the migration and after Certificate Server 4.2SP2 is uninstalled, if this message displays: "There are files marked for deletion upon next Reboot, Do you wish to Reboot now?" do not reboot; enter "No."

• If you've upgraded from CMS4.2 to CMS4.2sp2, and then use the migration script to upgrade to CMS4.7, the migration script may fail due to a missing file db.instanceName. As a work around, follow these steps:
  1. Manually edit the CertSetup.cfg, adding the following line:
     
     

     db.instanceName=<Name of the Instance Directory>

     
     
     

  2. The OCSP signing certificate entries in the CMS.cfg will not be carried over. Once they have migrated from CMS4.2 to CMS4.2sp2, you must manually add the following lines to CMS.cfg before running the migration script:
     
     

     ca.ocsp_signing.cacertnickname=caSigningCert cert-IS-RootCA ----> your CA Signing cert

     ca.ocsp_signing.defaultSigningAlgorithm=MD5withRSA

     ca.ocsp_signing.tokenname=Internal Key Storage Token

     
     
     

Before You Begin

You should address the following issues before running the migration tool:

• Migration to Certificate Server 4.7 can be performed only on the same machine where Certificate Server 4.2SP2 is installed.

• Back up the your CMS 4.2SP2 installation in case you need to recover your data.

• Gather information about the servers running on the system. For example, you should know the server names, ports, and plug-ins being used, and so on.

• Know the passwords for the iPlanet Console administrator, the Certificate Server administrator, the LDAP data bases, the single sign on for each instance.

• Close the 4.2SP2 Certificate Server window, and close any instances of iPlanet servers before starting the migration process.

• Process all 4.2SP2 pending certificate requests.

• Close all sessions to Certificate Server 4.2SP2. Do not access Certificate Server until after the migration process is completed.

• On Unix, you should run the migration tool as the same user who installed CMS 4.2SP2.

• Know the location of the unzipped Certificate Server 4.7 binaries.

• If a Certificate Server instance has been deleted from the installation, then delete its corresponding internal database instance.

• The migration tool needs ample space to backup the Certificate Server instances. Be sure that there is sufficient disk space in /var/tmp and the new 4.7 installation directory for Unix/Solaris, or in the default system drive for Windows NT/2000.

• On Windows only:
  • Prior to running the migration tool, you should install PERL on a directory other than the one that contains the PERL that comes with Certificate Server 4.2SP2. If the PATH to PERL is set to the PERL that comes with Certificate Server 4.2SP2, the PATH will be invalid after uninstallation.

  • If possible, take a system image of your machine for recovery purposes.

  • You should run the migration tool as Administrator.

Running the Migration Tool on Unix

The Unix version is a bourne shell script and is supported on Solaris.

1. Identify the Certificate Server 4.2SP2 instance that you want to upgrade and note the corresponding server root and instance ID.

2. Extract files from the Certificate Server archive; you can get the archive from the product CD or from the iPlanet download site (at http://wwws.sun.com/software/download/).

3. In the list of extracted files, locate this file: /dist/MigrationSolaris.

4. Run the following command:

   cd <extracted_root>/dist

5. Run the migration tool:

   . /MigrationSolaris

6. Provide the following information when prompted:

7. The script prompts you to provide the following information:
   1. Installed location of CMS 4.2 SP2:

   2. Do you want the Migration script to run the cmsbackup tool for each CMS instance?

   3. Install location for CMS 4.7:

   4. Location of extracted CMS 4.7 distribution:

   5. Please make sure that at least <X> space is available in the respective partitions. Continue?

   6. Please verify the Admin password for the Administration Server:

   7. Please enter the password for the configuration Directory Manager:

   8. Please enter the Single Sign-On password:

8. Verify that the new installation works and that your data has been successfully migrated.

9. Manually uninstall Certificate Server 4.2 SP2.

Running the Migration Tool on Windows

This is PERL script using PERL 5.005 or higher.

1. Identify the Certificate Server 4.2SP2 instance that you want to upgrade and note the corresponding server root and instance ID.

2. Extract files from the Certificate Server archive; you can get the archive from the product CD or from the iPlanet download site (at http://wwws.sun.com/software/download/).

3. In the list of extracted files, locate this file: MigrationNt.pl

4. Run the migration tool:

   MigrationNt.pl

   You can invoke the script with the -v option to see debug messages.

5. Provide the following information when prompted:

6. The script will prompt you to provide the following information:
   1. The absolute pathname of the 4.2 SP2 Certificate Server Root Directory:

   2. The absolute pathname for the new 4.7 Certificate Server Root Directory:

   3. The absolute pathname of the CMS 4.7 binaries:

   4. Please verity the Admin password for the Administration Server:

   5. What is the Directory Manager Password?

   6. Do you want to delete the temporary backup files?

7. After the script has completed, reboot the computer system.

8. Verify that the new installation works and that your data has been successfully migrated.

   The migration tool for Windows automatically uninstalls the 4.2SP2 installation. It is a good practice to check the old installation directory and to delete any remaining files.

---

Support for Windows 2000 Login Certificates

Certificate Server can now generate certificates that can be used for Smart Card login in a Windows 2000 environment. This feature requires two types of certificates, one for the SmartCard and the other for the domain controller server. Each certificate includes some extensions specifically required by the Windows environment.

For detailed information about this feature, see the document "Configuring Support for Windows 2000 Login Certificates."

---

Extended Functionality for Registration Manager

Registration Authority (RA) Agents can now list and revoke certificates they have previously approved. In earlier versions of the product, only a Certificate Authority (CA) Agent could revoke certificates. This extended functionality is made possible by using the CA's agent port for RA-to-CA communication. The CA now supports new servlets which are accessed through a new agent group named Remote Revocation Agents. If an individual Remote Revocation Agent has a certificate properly imported into the CA, then he or she will have access to the new servlets that list and revoke certificates.

For detailed information on enabling this feature, see the document "Configuring the List Certificates Page."

---

FIPS 140-1 Level 3 Support

Previous versions of Certificate Server supported FIPS 140-1 Level 2 Security requirements. Version 4.7 now supports Level 3 Security requirements on root key management hardware such as the Chrysalis Luna CA 3. Both the Certificate Manager and Data Recovery Manager (DRM) can now store keys in certified tokens.

You can enable FIPS 140-1 Level 3 Support during installation. When this option is enabled, the DRM will not set the password on a hardware token device.

For More Information

• For detailed information on configuring Certificate Server to work with the Chyrsalis LunaCA3, see "Configuring Certificate Server for FIPS 140-1 Level 3 Support."

• For detailed information about other manufacturers' hardware tokens, see the manufacturer's website or token documentation.

• For detailed information about FIPS 140-1 levels of support, see http://csrc.nist.gov/publications/fips/.

---

Support for Identity Server Single Sign-on (SSO)

Certificate Server provides a Single Sign-On (SSO) authentication module for user authentication. The Sun ONE Identity Server 6.0 will be integrated with the Certificate Server SSO authentication mechanism. This integration will make it possible for an Identity Server user to authenticate himself to the Certificate Server by providing his Single Sign-On token instead of userID and password. The user can also apply for a general-purpose user certificate with a single click of a button, eliminating the need to manually import or install the certificate. The user clicks the GetMyCert button in the Identity Server user profile page to automatically generate the user certificate.

For a brief description of how one would configure Certificate Server to work with Identity Server 6.0, see the document "Single Sign-On Authentication Module and Identity Server 6.0."

---

Challenge Password-based Certificate Renewal

Previous versions of Certificate Server provided certificate-based renewal but only for signing certificates, and only when a user had direct access to the certificate. Before a user could renew a certificate, he would have to first present the certificate to Certificate Server in order to authenticate himself.

The new renewal feature allows the user to identify and renew any type of certificate by providing the certificate's serial number and the challenge password associated with it. A user enters the Challenge Phrase Password field when he uses a certificate enrollment form

.

The challenge phrase is a password that he can use to revoke his certificate at any time. In order to revoke the certificate, the user must either present the certificate to the server (a web browser will do this automatically if the certificate is installed in it), or he must know this secret challenge phrase (in case the certificate is not accessible when he needs to revoke it). The challenge Phrase Password can be any combination of letters, numbers, and symbols (for example, !,@,#,%,^). Anyone who knows it can revoke the certificate.

---

Known Problems and Limitations

The following issues remain unresolved in Certificate Server 4.7 at this time. Check back fortunately for more information on these issues.

Installation

If the operating system does not contain the patches necessary to support Java 1.3.1 or Directory Server 5.1, when running the Setup program to install Certificate Server, you may see the following error message:

Setting up Administration Server Instance... Configuring Administration Tasks in Directory Server... Configuring Global Parameters in Directory Server... Can't start Admin server [/usr/iplanet/server47/start-admin > /var/tmp/aaaA5aGlb 2>&1] (error: No such file or directory) Press Return to continue...

To resolve this problem:

1. Go to the following URL:

   http://sunsolve.Sun.COM/

2. Click "Recommended & Security Patches,"and then download and install the patches.

3. Reboot the computer system.

   Note that installation takes about 1.5 hours on Solaris Ultra 10. Installation time may vary depending on your machine's configuration.

Updated Tools

• The tools in <server-root>/bin/cert/tools have been updated to correspond with the version of NSS used in the core product (4678054). In order to use the tools, the LD_LIBRARY_PATH has to be set and exported on Solaris:

    LD_LIBRARY_PATH=<server-root>/bin/cert/lib

    export LD_LIBRARY_PATH=

• The tools will no longer work on Solaris with LD_LIBRARY_PATH=/usr/iplanet/servers/lib

• Keyutil and sslstrength are no longer available. Keyutil functionality has been migrated into certutil.

Certificate Server Fails to Start

If the CA is the configured to work with the DSA algorithm, Certificate Server fails to start (4684417). You might see the error message "Error: CMS failed to start. Certificate object not found."

Certificate Enrollment Protocol (CEP) and Automated Enrollment

The Perl script that comes with CMS 4.7 for automating Certificate Enrollment Process (CEP) enrollment will stop in mid-process and not continue. The script attempts to access Directory Server 4.13, and does not access Directory Server 5.1 as it should (540168).

Do not use the script cepconfig.pl that is installed with CMS 4.7. Instead, follow these steps:

1. Obtain the new Perl script named cepconfig.pl from the CMS 4.7 Service Pack 1 or as a stand-alone download from the Sun Microsystems website.

   See http://wwws.sun.com/software/download/download/5264.html.

2. Copy the new script cepconfig.pl into the following CMS 4.7 directory:

   <server_root>/bin/cert/tools

3. In the server root directory, run the script by typing the following:

   perl bin/cert/tools/cepconfig.pl

For detailed information about using the cepconfig.pl to set up automated enrollment, see Chapter 25, "Setting Up CEP Enrollment" in the CMS Installation and Setup Guide.

PortalEnrollment Authentication Plug-in Does Not Work

The PortalEnrollment Authentication plug-in does not work as designed in this version 4.7 release (4679762).

Windows 2000

• Setting Up a CA

  When you set a CA for a Windows 2000 computer system, an exception is thrown (org.mozilla.jss.crypto.TokenException) when a certificate is installed (4658964).

• End-Entity Enrollment Page

  When accessing the End Entity Enrollment page on Windows 2000, the enrollment page may display very slowly when all of these are true (4666778):

  1. Windows 2000 is installed.

  2. Communicator 4.7x is installed.

  3. Communicator's Personal Security Manager (PSM) is NOT installed

Processing Pending 4.2SP2 Requests

Processing pending (4.2SP2) requests in Certificate Server 4.7 produces errors (4686580). Part of the migration process is to migrate pending requests from a CMS 4.2SP2 to a CMS4.7, but this doesn't work as designed at this time. The pending requests are migrated to the CMS 4.7 pending requests queue without a problem. However, processing the request on the CMS 4.7 fails. The following error message displays:

"Cannot process request from a previous version of CMS (version 4.2). Expected version is 4.7."

Configuring Automatic Renewal Notices

The CMS Plug-Ins Guide erroneously states the following:

"Using the Jobs Scheduler, you can configure a Certificate Manager or Registration Manager to automatically send email-based renewal notices to users whose certificates are about to expire or have expired."

In fact, you cannot configure a Registration Manager to automatically send such email-based renewal notices. This section of the documentation will be fixed in the next version of the product (464982).

Public and Private Storage Keys

The CMS Installation and Setup Guide erroneously states the following:

"Public storage key: used to encrypt an end entity's private encryption key for long-term storage.

"Private storage key: used to decrypt an end entity's stored private encryption key after m of n recovery agents have authorized the recovery operation."

In fact, the opposite is true. The documentation should read:

"Public storage key: used to decrypt an end entity's stored private encryption key after m of n recovery agents have authorized the recovery operation.used to encrypt an end entity's private encryption key for long-term storage.

"Private storage key: used to encrypt an end entity's private encryption key for long-term storage."

This section of the documentation will be fixed in the next version of the product (4727931).

---

How to Report Problems

Your feedback is welcome and extremely helpful for improving the product. Before contacting us to request assistance, please check the latest documentation for this release at this site: http://docs.sun.com/db?p=coll/S1_s1CertificateServer_47

If you need further assistance or information about Certificate Server, contact Technical Support:

http://www.sun.com/supportraining/

So that we can best assist you in resolving problems, please be sure to include the following information:

• Description of the problem, including the situation where the problem occurs and its impact on your operation

• Machine type, operating system version, and product version, including any patches and other software that might be affecting the problem

• Detailed steps on the methods you have used to reproduce the problem

• Any error logs or core dumps

For problems involving the use of certificates issued by Certificate Server in other products, include the product name (for example, Netscape Communicator), the release number, and platform information for those products as well.

---

For More Information

Useful iPlanet information can be found at the following Internet locations:

• iPlanet release notes and other documentation --- http://docs.sun.com/db/prod/sunone

• iPlanet product status --- http://www.sun.com/products/

• iPlanet Professional Services information --- http://www.sun.com/service/support/

• iPlanet developer information --- http://www.sun.com/developers/support/

Last Updated September 30, 2003