Security Services 2.0.5

This document (5006501) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

File             Product                 Status     Patch
ss204_SLAH.tgz   Security Services 2.0   Obsolete   Security Services 2.0.4

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Security patch: No
Priority: Mandatory
Distribution Type: Public

document

Revision: 10
Document ID: 5006501
Creation Date: 2007-10-03 15:21:49
Modified Date: 2008-05-13 22:12:12

abstract

Security Services 2.0.5 patch contains updates for PKI, NICI, NMAS and NTLS. This patch contains bug fixes and enhancements for the above products. Please see the readme for more detailed information on what is resolved in this release.

details

Security Services 2.0.5
About This Readme

This file contains installation instructions and issues related to Security Services 2.0.5 (Novell® Certificate Server™ 3.3.0, NICI 2.7.3, NMAS™ 3.2.0, and NTLS 2.0.2).

1.0 Prerequisites
1.1 Minimal and Custom Install Prerequisites
2.0 Installation Instructions
3.0 Security Services General Issues
4.0 Certificate Server 3.3.0
4.1 Issues Resolved
4.2 Installation Issues
4.3 Administration Issues
5.0 NICI 2.7.3
5.1 Issues Resolved
6.0 NMAS 3.2.0
6.1 Issues Resolved
7.0 NTLS 2.0.2
7.1 Issues Resolved
8.0 NMAS Methods 2.7.5
8.1 Issues Resolved
8.2 Methods and Sequences Issues



1.0 Prerequisites

Security Services 2.0.5 can be installed on eDirectory™ 8.7.3 SP9, eDirectory™ 8.8 SP1, or eDirectory™ 8.8 SP2.

***See note below about eDirectory™ 8.8 SP2.***
***See note below about NetWare® 6.5 SP7.***

This bundle will install on the following platforms:

* NetWare®
  o NetWare® 6.5 SP6
  o NetWare® 6.5 SP7
* Linux*
  o Open Enterprise Server SP2
  o SUSE® Linux Enterprise Server (SLES) 9 and 10
  o Red Hat* Advanced Server 3.0 and 4.0
* Solaris*
  o Solaris 8 (eDirectory™ 8.7.3 SP9 only)
  o Solaris 9
  o Solaris 10 (eDirectory™ 8.8 SP1/SP2 only)
* HP-UX*
  o HP-UX 11i
* AIX*
  o AIX 5.2
* Windows*
  o 2000 Advanced Server SP4
  o 2000 Professional SP4
  o Server 2003
NOTE: eDirectory™ 8.8 SP2, fresh installs of NetWare® 6.5 SP7, and NetWare® 6.5 Support Pack 7 include most of the bug fixes from Security Services 2.0.5. A few bug fixes were not included in eDirectory™ 8.8 SP2 and NetWare® 6.5 SP7.

Issues resolved in Security Services 2.0.5 that were not included in eDirectory™ 8.8 SP2 and NetWare® 6.5 SP7:

* 326676 ndsd core using Encrypted Replication (ntls)
* 329130 cert mutual logins fail with ldap error 81(ntls)

NOTE: If you have installed eDirectory™ 8.8 SP2 and you are not using Encrypted Replication or the CertMutual NMAS login method, there is no need to install Security Services 2.0.5 on top of eDirectory™ 8.8 SP2. However, if you have installed eDirectory™ 8.8 SP2 and are using Encrypted Replication or the CertMutual NMAS login method, we recommend you install Security Services 2.0.5 on the eDirectory™ 8.8 SP2 server.

NOTE: The Security Services 2.0.5 patch copies newer schema files to the server but does not extend the schema by default. Some newer functionality (such as the new Passwords iManager plug-in) will not work until the schema has been extended manually. Please see the eDirectory documentation for instructions on extending schema. Schema needs to be extended once per tree. (The schema files which need to be extended are: nmas.sch, nspm.sch, notf.sch, and nsimpm.sch.)

NOTE: If you are running eDirectory 8.7.3 or eDirectory 8.8/8.8 SP1, ndsd can in certain cases core when it is shut down or when embox is used. If you are NOT using embox/dsbk, you can comment embox out of ndsmodules.conf and restart ndsd. If you are using embox/dsbk, you can create a symbolic link (see below) after installing Security Services 2.0.5.
To resolve this coring issue, recreate the softlink as follows after the install:
ln -s /etc/opt/novell/nici.cfg /etc/nici.cfg

Please see TID# 3154121 and TID# 3950804 for more details.

NOTE: If you are installing the Security Services 2.0.5 patch on a NetWare 6.5 server with eDirectory 8.8 SP1 installed, you MUST apply eDirectory Post 8.8 SP1 FTF1 for NetWare (or greater) prior to applying the Security Services 2.0.5 patch or the install will hang. If you did not apply the eDirectory Post 8.8 SP1 FTF1 (or greater) patch before installing the Security Services 2.0.5 patch and the installation hangs, apply the above patch and rerun the Security Services 2.0.5 install.

NOTE: If you install NetWare 6.5 SP6 and upgrade to eDirectory™ 8.8 or eDirectory™ 8.8 SP1, the eDirectory install will backrev NMAS, PKIS, NICI and NTLS. If this happens, reapply the Security Services 2.0.5 patch.

This bundle has been tested with eDirectory™ 8.7.3 SP9, eDirectory™ 8.8 SP1, and eDirectory™ 8.8 SP2. Novell recommends one of these minimum versions be installed prior to installing Security Services 2.0.5.

The Security Services 2.0.5 patch installs Novell Certificate Server 3.3.0, NICI 2.7.3, NMAS 3.2.0, and NTLS 2.0.2 using one integrated install script.

1.1 Minimal and Custom Install Prerequisites

If you have performed a minimal or custom install of Open Enterprise Server (OES), SUSE Linux Enterprise Server (SLES), or Red Hat Advanced Server, you may be lacking a dependent module needed by this Security Services 2.0.5 patch. The Security Services 2.0.5 patch is dependent on the Compat library being installed on your server. You can identify the installation of this module on your server by running the following command:

rpm -qa |grep compat

For OES or SLES, look for this command to return compat-2004.7.1-1.2 or later.

For Red Hat, look for compat-libstdc++-296-2.96-132.7.2 or later.

If you don't have the Compat module installed, the module can be found on your install CDs.
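The check above, written as a small POSIX shell script so that the result is a pass/fail exit status rather than a line to eyeball. This is an added example, not part of the Novell readme or its install script. It assumes rpm's --qf query format (so NAME and VERSION-RELEASE arrive as separate fields instead of having to be split out of plain rpm -qa output), the package lines are constructed, and the version comparison is a simplified segment-by-segment numeric compare, not rpm's own rpmvercmp; the optional package-name pattern (default compat*) is my addition for the Red Hat case, where the readme names compat-libstdc++-296 specifically.

```shell
#!/bin/sh
# Added example (not from the Novell readme): verify that the "compat"
# dependency from section 1.1 is installed at or above the required version.

# Compare two dotted version strings segment by segment.
# Prints -1, 0 or 1 for a < b, a == b, a > b. Only digits in a segment
# count, so "7a" compares as 7; a missing segment compares as 0.
# Simplified on purpose: this is not rpm's rpmvercmp.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa="${a%%.*}"; sb="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        sa=$(printf '%s' "$sa" | tr -cd '0-9'); sb=$(printf '%s' "$sb" | tr -cd '0-9')
        sa="${sa:-0}"; sb="${sb:-0}"
        if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# compat_at_least MIN-VERSION-RELEASE [NAME-PATTERN]
# Reads "NAME VERSION-RELEASE" lines on stdin (the shape produced by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# ) and returns 0 if any package matching NAME-PATTERN (default compat*)
# is at or above the minimum, 1 otherwise. "-" is folded into "." so the
# release is compared after the version, e.g. 2004.7.1-1.2 -> 2004.7.1.1.2.
compat_at_least() {
    min=$(printf '%s' "$1" | tr '-' '.')
    pat="${2:-compat*}"
    ok=1
    while read -r name verrel; do
        case "$name" in $pat) ;; *) continue ;; esac
        have=$(printf '%s' "$verrel" | tr '-' '.')
        if [ "$(vercmp "$have" "$min")" -ge 0 ]; then ok=0; fi
    done
    return "$ok"
}

# Constructed sample of what the rpm query prints on a SLES 9 server
# (made-up lines for this example, not captured from a real box).
SAMPLE_RPM_LIST='glibc 2.3.3-98.28
compat 2004.7.1-1.2
compat-32bit 2004.7.1-1.2'

if printf '%s\n' "$SAMPLE_RPM_LIST" | compat_at_least '2004.7.1-1.2'; then
    echo "compat dependency satisfied"
else
    echo "compat package missing or too old; install it from the OES/SLES media" >&2
fi
# On a real OES/SLES server replace the sample with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | compat_at_least '2004.7.1-1.2'
# and on Red Hat with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
#     | compat_at_least '2.96-132.7.2' 'compat-libstdc++-296'
```

Running this before install.sh turns the "look for ... or later" instruction into something a change ticket can record: a non-zero exit means stop and install the Compat module from the media first.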

2.0 Installation Instructions

1. Select "Security Services" from the "Product or Technology" dropdown at the Novell Downloads Web site and download the necessary platform-specific download for the Security Services 2.0.5 patch.
   * For NetWare - select ss205_NW.tgz
   * For Linux, Solaris, HP-UX, and AIX - select ss205_SLAH.tgz
   * For Windows - select ss_setup.exe
   * For NMAS Methods updates on all platforms - download nmmthd275.tgz

2. On NetWare, Linux, Solaris, HP-UX, and AIX servers, extract the download to a temporary directory on the server.
   * For NetWare use a decompression utility that supports tgz, such as WinZip.
   * For Linux, Solaris, HP-UX, and AIX servers, use gzip and tar to decompress and extract the tarball to a temporary directory. For example:

     gzip -d -c ss205_SLAH.tgz | tar xvf -

3. Run the installation script.

NOTE: If you are installing the Security Services 2.0.5 patch on a NetWare 6.5 server with eDirectory 8.8 SP1 installed, you MUST apply eDirectory Post 8.8 SP1 FTF1 for NetWare (or greater) prior to applying the Security Services 2.0.5 patch or the install will hang. If you did not apply the eDirectory Post 8.8 SP1 FTF1 (or greater) patch before installing the Security Services 2.0.5 patch and the installation hangs, apply the above patch and rerun the Security Services 2.0.5 install.

On NetWare servers, load NWCONFIG and select Product Options > Install product not listed, then press Enter. Press F3 and enter the path to the extraction directory (for example, sys:temp\ss205_nw\), then follow the installation prompts.

On Windows servers, double-click the ss_setup.exe file.

On Linux, Solaris, HP-UX, and AIX servers, go to the extraction directory (for example, temp\ss205_SLAH\) and run the install.sh script. The script detects if you are on Linux, Solaris, HP-UX, or AIX and installs the corresponding packages.

NOTE: If any component of the directory in the path for the Security Services install script contains a space, the install on Linux fails. Please verify the path for the install script does not contain any spaces.

NOTE: For NMAS Method updates on all platforms, download and install nmmthd275.tgz. To install NMAS methods, extract nmmthd275.tgz to a temporary directory, then use the NMAS iManager plug-in or nmasinst to install/update your methods. (See nmasinst -help for more information on using nmasinst.) To use the NMAS iManager plug-in, select the NMAS Role | NMAS Login Methods | Select the desired NMAS Method and select "Update" | point to the zip file for the selected NMAS Method.

NOTE: Methods are installed once per tree.
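Two of the notes above (the Linux install failing when the extraction path contains a space, and the /etc/nici.cfg softlink fix from the Prerequisites section) can be scripted as pre-flight and post-install checks. The functions below are an added example, not from the Novell readme or its install.sh: install_path_ok rejects any whitespace in the path (slightly broader than the readme's "space"), and ensure_nici_link recreates the symlink the readme prescribes. The ROOT prefix argument, the refusal to overwrite a regular file at /etc/nici.cfg, and the scratch-directory demo are my assumptions; on a real server the root is the empty string, which yields exactly the ln -s command from the readme.

```shell
#!/bin/sh
# Added example (not from the Novell readme): pre-flight and post-install
# checks for the Security Services 2.0.5 install on Linux/UNIX.

# install_path_ok PATH
# The Linux install fails if any component of the extraction directory
# contains a space. Returns 0 when the path is safe, 1 when it contains
# any whitespace (tabs included, which is stricter than the readme's note).
install_path_ok() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# ensure_nici_link ROOT
# Recreate ROOT/etc/nici.cfg as a symlink to ROOT/etc/opt/novell/nici.cfg,
# the fix the readme gives for the ndsd core on shutdown / with embox.
# ROOT is an addition for testing; pass "" on a real server.
# Idempotent: an existing or stale link is replaced; a regular file is NOT
# overwritten, because it may be a live NICI configuration someone placed
# there. Returns 0 when the link is in place, 1 when it refused to act.
ensure_nici_link() {
    root="$1"
    target="$root/etc/opt/novell/nici.cfg"
    link="$root/etc/nici.cfg"
    if [ ! -f "$target" ]; then
        echo "ensure_nici_link: $target not found; is NICI installed?" >&2
        return 1
    fi
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "ensure_nici_link: $link is a regular file, refusing to replace it" >&2
        return 1
    fi
    rm -f "$link"                 # absent, correct, stale or dangling link: recreate
    ln -s "$target" "$link"
    [ -L "$link" ] && [ -f "$link" ]   # link exists and resolves to a file
}

# Demo in a scratch directory (constructed layout; nothing under /etc is touched).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/opt/novell"
echo "# constructed stand-in for nici.cfg" > "$demo_root/etc/opt/novell/nici.cfg"

if install_path_ok "/tmp/ss205_SLAH"; then
    echo "extraction path is safe for install.sh"
fi
if ! install_path_ok "/tmp/Security Services/ss205_SLAH"; then
    echo "extraction path contains whitespace; move it before running install.sh"
fi
if ensure_nici_link "$demo_root"; then
    echo "nici.cfg softlink in place under $demo_root"
fi
rm -rf "$demo_root"
# On a real server, after install.sh:  ensure_nici_link ""
```

Keeping the regular-file case as a hard refusal rather than a forced replacement is deliberate: the readme's fix is about a missing or wrong softlink, and silently replacing a file at that path could discard configuration that NICI is actually reading.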

3.0 Security Services General Issues

This release of Security Services will not update the security components for an eDirectory™ 8.8 or eDirectory™ 8.8 SP1 tarball installation. Please install eDirectory™ 8.8 SP2 to update a tarball installation. You can download eDirectory™ 8.8 SP2 at the Novell Downloads Web site.

4.0 Certificate Server 3.3.0
4.1 Issues Resolved in PKI 3.3.0

* Bug 147367 - Allow import of certificates without Digital Signature key usages
* Bug 184542 - Fix NPKI man pages
* Bug 192270 - Need the ability to create an AIA extension
* Bug 217512 - Remote Post-install of Certificate server fails, post-install aborts.
* Bug 224784 - (Enhancement) Add Server Self-Provisioning and User Self-Provisioning
* Bug 224903 - If the eDirectory CA acts as SubCA, PKI.NLM will export the Intermediate Trusted Root into the RootCert.der instead of the SelfSigned Trusted Root
* Bug 229640 - ndsd crashing after installing ssp 2.03 with crl list (Solaris Only)
* Bug 243930 - Change NPKIT and NPKIAPI to be 64 bit compatible
* Bug 263452 - (OES2 Enhancement) Add capability to Health Check code to export certificates/private keys to file system for local services to use
* Bug 267053 - "Path Length Violation" while running the validation process on a level three root certificate
* Bug 270101 - (Enhancement) Add IP/DNS names to Subject Alt Names during CreateDefaultCertificates
* Bug 272459 - (Enhancement) Add capability to PKI server health check to create default certificates
* Bug 275452 - (OES2 Enhancement) PKI Install should be able to configure export of certificates/private keys to file system
* Bug 275800 - (Enhancement) Allow Health Check "Create Default Certificates" to force certificate creation when CA Changes
* Bug 278873 - (OES2 Enhancement) PKI Health Check should insert the eDir CA's certificate into the System JAVA keystore
* Bug 282136 - OES2 enhancement, PKI Health Check to add servers as SDI Key Servers (W0:SDI Key Server DN list)
* Bug 283951 - Exception in NPKIAPI KMOExportClearAllValues call via npki.jar
* Bug 285673 - NPKIGetServerInfo is not returning SHA2 keys
* Bug 287708 - Fix X.509 Decode to include the extended key usages

4.2 Installation Issues

* If the Security Services 2.0.5 patch is being installed on NetWare 6.5 SP6 with iManager 2.6, it is crucial the NPKIAPI.nlm, NPKIT.nlm and npki.jar files on the server be of the same versions (3.30) to avoid an ABEND. iManager and the Novell Certificate Server plug-in use the npki.jar file in the "sys:\tomcat\4\webapps\nps\WEB-INF\lib" directory.

After installing Security Services 2.0.5 on NetWare 6.5 SP6 with iManager 2.6, do one of the following:

1. Install the latest version of the Novell Certificate Server plug-in. (recommended)
2. Manually copy the npki.jar file found in "sys:\system" to the "sys:\tomcat\4\webapps\nps\WEB-INF\lib" directory.

If you installed NetWare 6.5 SP7 and chose to also install iManager 2.7 and plug-ins, these versions will all match and no further user intervention is required.

4.3 Administration Issues

* Server Self-Provisioning - If you enable server self-provisioning, the PKI Health Check may replace the default certificates every time the PKI Health Check is run (which is each time PKI loads). This will only occur if you have created a CRL configuration object and you have not configured any CRL distribution points. To avoid this, you can do one of the following:
1) Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points using iManager's Configure Certificate Authority task
2) Delete any CRL Configuration objects (ex. CN=One - Configuration.CN=CRL Container.CN=Security)

* iManager Certificate Server plug-in - When you use either the Repair Default Certificates or Create Default Certificates task, the task may force the replacement of the default certificates (even if you did not specify a forced replacement). This will only occur if you have created a CRL configuration object and you have not configured any CRL distribution points. To avoid this, you can do one of the following:
1) Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points using iManager's Configure Certificate Authority task
2) Delete any CRL Configuration objects (ex. CN=One - Configuration.CN=CRL Container.CN=Security)

* In order to use the CRL and sub-CA features, the Certificate Authority (CA) must be hosted on an eDirectory 8.8 or later server. The CRL and sub-CA features are officially supported only on eDirectory 8.8 or later.

* When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for the key pair generation is running eDirectory 8.7.3 or later. If you are attempting to make the keys extractable on an eDirectory version prior to 8.7.3, you will receive a -1222 error.

5.0 NICI 2.7.3
5.1 Issues Resolved

* Bug 249971 - Remove fopen from debug code
* Bug 270704 - Memory leak during initial config processing
* Bug 276425 - Typo in primnici man page

6.0 NMAS 3.2.0
6.1 Issues Resolved

* Bug 169581 - (Enhancement) Increased LDAP Bind performance with NDSD_TRY_NMASLOGIN_FIRST=true
* Bug 198083 - After applying SSP201 scrsaver.nlm will not unlock screensaver with users that have a network address restriction applied equal to the server IP Address
* Bug 207777 - (Enhancement) Intruder detection, allow account to be locked indefinitely
* Bug 222419 - (Enhancement) Allow NMAS to use external Certificates for Novell Audit
* Bug 230950 - Scrsaver.nlm fails to unlock screen if admin user has a default sequence defined
* Bug 233069 - (Enhancement) Fail over to NDS method when default is not possible
* Bug 235403 - (Enhancement) NMAS evaluates X number of characters to support character limited systems
* Bug 235884 - Minimum and Maximum upper and lower case rules confusing.
* Bug 240427 - Remove Password history values if they can't be decrypted on password changes/FFFFFA78 error when trying to change a password
* Bug 258105 - (Enhancement) Limit Universal password access to only admins of a special group
* Bug 253852 - NMAS spmnwcc 'breaks' legacy functionality of addr restrictions
* Bug 254685 - NMAS error -1642 when trying to autoprovision for the first time with NCP.
* Bug 260538 - Unable to get nspm password(2) failed, -1697
* Bug 267496 - 16022 errors in IDM trace when no maximum password length specified or if minimum and maximum password lengths are set to be the same value
* Bug 267748 - Generate Password token gives -6022 NMAS error when nspmMinUniqueCharacters is equal to nspmMaximumLength
* Bug 274573 - 3rd party NMAS method only works one time, next authentication -1662
* Bug 285723 - (Enhancement) Don't set pwd expiration forward when user cancels out of password change
* Bug 291259 - Generate Password noun does not abide by rules with Microsoft Complexity
* Bug 299984 - Minimum password length is changing to 0 when using Microsoft Complexity Policy

7.0 NTLS 2.0.2
7.1 Issues Resolved

* Bug 286166 - ldap refresh causes memory build up in xmgr(NICI)
* Bug 326676 - ndsd core using Encrypted Replication
* Bug 329130 - Certmutual logins fail with ldap error 81

8.0 NMAS Methods 2.7.5
8.1 Issues Resolved

* Bug 222681 - Challenge Response LSM returns successful authentication on unparseable XML challenge set
* Bug 257677 - Typo in Challenge Response method file
* Bug 261059 - Attempting to authenticate using Challenge Response method causes core on SLES 9 server
* Bug 275840 - If NMAS sequence is set to Challenge/Response but user has no challenge set, error FFFFFDA5(603)
* Bug 279684 - DIGEST-MD5 (2.7.4) authentication fails with Invalid credentials (49) or -1632

8.2 Methods and Sequences Issues

* The following NMAS methods have reached end of life and were removed from the Security Services 2.0.4 (and later) release:
  o Advanced X.509 Certificate
  o Enhanced Password
  o Entrust*
  o NDS Change Password
  o Simple X.509 Certificate
  o Universal Smartcard
  o Simple Password Login Client Module (LCM)

Note: The NMAS MethodInstaller has reached end of life and has been replaced by the new iManager NMAS plug-in.
Note: nmasinst does not have an option to remove NMAS methods. This must be done using iManager. See the NMAS Administration Guide for more information.


file contents

Files Included        Size                  Date
nmmthd275.tgz         10.8 MB (11398227)    2007-10-03 14:37:58
ss205_NW.tgz          3.2 MB (3392941)      2007-10-03 14:38:06
ss205_SLAH.tgz        29.6 MB (31044021)    2007-10-03 14:38:15
SS_Setup.exe          5.0 MB (5284273)      2007-10-03 14:37:50
readme_5006501.html   N/A                   2008-05-13 22:12:13

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.