These Release Notes contain important information available at the time of the Version 4.7 Service Pack 1 (SP1) release of Sun ONE Certificate Server. Fixes, installation notes, known problems, and other late-breaking issues are addressed here. Read this document before you install this Service Pack 1.
This is a living document and subject to ongoing updates. Check the following URL frequently to ensure you have the latest version of Release Notes:
http://docs.sun.com/source/816-6407-10/index.html
For comprehensive product documentation for Certificate Server 4.7, go to:
http://docs.sun.com/db?p=coll/S1_s1CertificateServer_47
An electronic version of the complete product documentation set can be found at the Sun ONE documentation website:
http://docs.sun.com/db?p=coll/S1_s1CertificateServer_47
Check the website prior to installing and setting up your software and then periodically thereafter to view the most up-to-date release notes and manuals.
These release notes contain the following sections:
Certificate Server 4.7 Service Pack 1 includes the following fixes for problem areas found in previous versions of the software:
This Service Pack includes a fix for this problem. However, after installing the Service Pack, you must manually edit some files.
If you have customized DirPinUserEnroll.html and DirUserEnroll.html, then follow these steps:
} else
document.writeln(
'<form name="ReqForm" method="post" action="/enrollment" ' +
'onSubmit="return validate(document.forms[0])">');
}
//-->
</script>
with the following else statement:
If you have not customized DirPinUserEnroll.html and DirUserEnroll.html, then follow these steps:
cp bin/cert/sdk/i18n/ja/DirUserEnroll.html <cms_server_root>/cms_sdk/i18n/ja/cms_sdk_DirUserEnroll.html
cp sdk/i18n/ja/DirUserEnroll.html <cms_server_root>/cms_sdk/i18n/ja/DirUserEnroll.html
cp bin/cert/sdk/i18n/ko/DirUserEnroll.html <cms_server_root>/cms_sdk/i18n/ko/cms_sdk_DirUserEnroll.html
cp bin/cert/sdk/i18n/ko/DirUserEnroll.html <cms_server_root>/cms_sdk/i18n/ko/DirUserEnroll.html
Problems with setting up filters for automatic issuance and renewal notifications have been resolved.
You can now filter certificate issuance notifications (4750621). A new field, Predicate, was added to the Certificate Issued tab. Use this new field to specify a predicate string. For more information, click the Help button in the Certificates Issued tab, illustrated below.
You can now filter certificate renewal notifications (4749893). A new field, baseDN, was added to the Job Instance Editor window.
In order for this new baseDN field to display, you must delete the old certRenewalNotifier instance, and create a new one. Follow these steps:
The following illustration shows a new job instance named NewRenewalNotification, and it is Enabled. The older instance, named certRenewalNotifier, is Disabled.
The following problems have been resolved:
The following issues have been resolved in the migration scripts:
These requirements are based on the requirements for installing and running Certificate Server 4.7.
In addition to the requirements listed below, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install Certificate Server.
This service pack contains only select Java classes and related files that will be copied into the appropriate directories of an existing Certificate Server 4.7 (CMS 4.7) installation. If you have a pre-4.7 version of CMS installed, see the following section "Migration Paths and Related Information."
If you don't have an existing CMS 4.7 installation, follow the instructions in the Certificate Server Installation and Setup Guide for installing the software.
Depending upon which version of Certificate Management System or Certificate System you have currently installed, choose one of the following migration paths:
If CMS 4.2 SP2 is currently installed, follow these steps:
Follow instructions in the CMS 4.7 Release Notes at the following URL:
http://docs.sun.com/source/816-5547-10/relnotes.html#70287
Follow instructions in the section "Upgrading From a Previous Certificate Server or Certificate Management System Installation" of these Release Notes.
If CMS 4.2 is currently installed, follow these steps:
Follow instructions in Chapter 7, "Installing and Uninstalling CMS Instances" of the CMS 4.2 SP2 Installation and Setup Guide at the following URL:
http://docs.sun.com/source/816-5541-10/man_inst.htm#32168.
Follow instructions in the CMS 4.7 Release Notes at the following URL:
http://docs.sun.com/source/816-5547-10/relnotes.html#70287
Follow instructions in the section "Upgrading From a Previous Certificate Server or Certificate Management System Installation" of these Release Notes.
Follow the instructions in the section "Upgrade From Certificate Management System 4.1" in the CMS 4.2 Release Notes at the following URL:
http://docs.sun.com/source/816-5535-10/index.html#Upgrade From CMS 41x
Follow instructions in Chapter 7, "Installing and Uninstalling CMS Instances" of the CMS 4.2 SP2 Installation and Setup Guide at the following URL:
http://docs.sun.com/source/816-5541-10/man_inst.htm#32168.
Follow instructions in the CMS 4.7 Release Notes at the following URL:
http://docs.sun.com/source/816-5547-10/relnotes.html#70287
Follow instructions in the section "Upgrading From a Previous Certificate Server or Certificate Management System Installation" of these Release Notes.
Before you begin, you must have an existing installation of CMS 4.7. For more information, see "Installing Certificate Server 4.7 Service Pack 1."
Unix: cd <server_root>
./stop-admin
Windows: Click Start, choose Run, and then enter the following:
serverRoot/stop-admin.cmd
Unix: cd <server_root>
./start-admin
Windows: Click Start, choose Run, and then enter the following:
serverRoot/start-admin.cmd
All Java classes and related files are automatically copied into the appropriate directories of your existing Certificate Server 4.7 installation.
The only direct migration path to Certificate Server 4.7SP1 is from version 4.7. If you have an existing installation of Certificate Server or Certificate Management System, please see the Certificate Server 4.7 Release Notes at the following URL:
http://docs.sun.com/db?p=coll/S1_s1CertificateServer_47
Certificate Server 4.7SP1 provides a utility that migrates certificates, keys, CRLs, and related user information contained in the Internal DB directories.
The tool migrates only Certificate Server instances, and only on a single host; it does not span multiple machines. If your iPlanet Certificate Management Server implementation spans multiple machines, then each instance must be migrated separately. For example, if you have set up a Certificate Authority on one host and a Registration Authority on a different host, migrating the Certificate Authority does not automatically migrate the Registration Authority. Each instance must be migrated separately.
There are two versions of the migration utility, one for Unix and one for Windows. All steps listed in the migration tool documentation are performed.
Log files containing migration details can be found in the following directories:
/47_binaries_location/migration_MM-DD-YYYY-HH_MM_SS.log for migration details
\47_binaries_location\migration-MMDDYYYY.log
If you're upgrading a Windows NT or 2000 installation:
If they are missing, you must add them to your system path. (4757146) You can obtain them from the directory where you unpacked the CMS 4.7 binaries. The file smime.dll is contained in the following zip file:
The files nssetup.32.dll, plc4.dll, and plds4.dll are contained in the following zip file:
When the administrator migrates the instance cert-guest2000 to CMS version 4.7, the migration script automatically creates a new instance of cert-<hostname> in addition to an upgraded instance of cert-guest2000.
If you need another instance of Certificate Server, you can configure the new instance cert-<hostname> to suit your needs.
If you do not need another instance of Certificate Server, you can remove the instance from iPlanet Console by following these steps:
You should address the following issues before running the migration tool:
The Unix version is a Bourne shell script and is supported on Solaris.
There are two methods for using the migration tool on Unix. Choose one of the following methods:
Note that the CMS 4.7 binaries contain an older version of the migration script. You can still use the script as is, following the instructions in the section "Upgrading from a Previous Certificate Server Installation" of the CMS 4.7 Release Notes. When you use this older script, you'll be prompted to obtain the latest version of the script from the Sun website.
To Run the Migration Script that Comes with CMS 4.7
Note that the CMS 4.7 Service Pack 1 contains the latest version of the migration script. You can copy this latest MigrationSolaris file directly into the same directory where you unpack the CMS 4.7 binaries.
To Run the Migration Script Obtained from CMS 4.7 Service Pack 1
Choose Typical if you want to automatically migrate CMS 4.2SP2 to CMS 4.7 using default values and without stopping between each step of the migration. When you choose Typical, the script automatically migrates the 4.2SP2 instance(s) to 4.7 using default values. When the script is finished, skip to Step 7 of this document.
Choose Custom if you want to be able to pause between each step of the migration. This is useful if you want to view the logs or view directories in the CMS installation to verify the changes being made. When you choose Custom, the following menu is displayed.
The migration process is complete. You can now install the CMS 4.7 Service Pack 1 following the instructions in the section "Installing Certificate Server 4.7 Service Pack 1" of this document.
The migration tool for Windows is a Perl script using Perl 5.005 or higher.
There are two methods for using the migration tool on Windows. Choose one of the following methods:
Note that the CMS 4.7 binaries contain an older version of the script named migration.pl. You can still use the script as is, following the instructions in the section "Upgrading From a Previous Certificate Server Installation" of the CMS 4.7 Release Notes. When you use this older script, you'll be prompted to obtain the latest version of the script from the Sun website.
To Run the Migration Script that Comes with CMS 4.7
Note that the CMS 4.7 Service Pack 1 contains the latest version of the migration script. You can copy this latest migrationNT.pl file directly into the same directory where you unpack the CMS 4.7 binaries.
To Run the Migration Script Obtained from CMS 4.7 Service Pack 1
Choose Typical if you want to automatically migrate CMS 4.2SP2 to CMS 4.7 using default values and without stopping between each step of the migration. When you choose Typical, the script automatically migrates the 4.2SP2 instance(s) to 4.7 using default values. When the script is finished, skip to Step 7 of this document.
Choose Custom if you want to be able to pause between each step of the migration. This is useful if you want to view the logs or view directories in the CMS installation to verify the changes being made. When you choose Custom, the following menu is displayed.
Note that in order to migrate your data successfully, each of these steps must be performed in this exact sequence. Each time you complete a step, the same menu is displayed so that you can choose the next step in the sequence.
Choose Exit when you want to stop the script after the completion of any step in the migration sequence.
The migration process is complete. You can now install the CMS 4.7 Service Pack 1 following the instructions in the section "Installing Certificate Server 4.7 Service Pack 1" of this document.
Microsoft's Crypto APIs contain bugs which could allow identity spoofing or the deletion of digital certificates. Microsoft has released patch Q323172 to eliminate these security vulnerabilities. For detailed information about the nature of these bugs and how the Microsoft patch addresses them, go to the following URLs:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-050.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-048.asp
If you have not installed the Microsoft security patch Q323172, and you attempt to do one of the following:
then the following dialog box is displayed (540435):
Click Yes to install it, and the certificate gets generated as expected. To prevent this dialog from being displayed in the future, follow these steps:
The setpin tool has been fixed so that it now supports SSL connections over LDAP. An example usage is:
There are a few things to be aware of when running the setpin tool.
certutil -d . -A -n caSigningCert -t C -a -i inputfile
The following issues remain unresolved in Certificate Server 4.7SP1 at this time. Check back frequently for more information on these issues.
There is a problem with Cisco routers that prevents a router, when connecting to a Registration Manager (RA), from successfully generating a PKCS10 request. This problem is being investigated by Cisco at this time. A temporary workaround is available through Sun Technical Support at the following URL:
Descriptions of the following attributes should be included in the online Help for an SSOBasedAthentication instance:
com.iplanet.am.notification.url: Type the Certificate Server URL (without 'enrollment') used by Identity Server in the Identity Server Security Service Configuration. It uses the form:
http://<cms_server_hostname>:<non-ssl end entity port number> or
https://<cms_server_hostname>:<ssl end entity port number>
com.iplanet.am.notification.servletclass: Type the notification servlet class used by Identity Server. The default value is: com.iplanet.services.comm.client.PLLNotificationServlet.
This information will be added to online Help in the next release of the product (4766746).
Useful Sun ONE information can be found at the following Internet locations:
Last Updated November 07, 2002