
Security Services 2.0.6

This document (5030502) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

File            Product                Status    Patch
ss205_SLAH.tgz  Security Services 2.0  Obsolete  Security Services 2.0.5

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Security patch: No
Priority: Mandatory
Distribution Type: Public

document

Revision: 3
Document ID: 5030502
Creation Date: 2008-07-18 10:26:10
Modified Date: 2010-02-05 05:39:16

abstract

The Security Services 2.0.6 patch contains updates for PKI, NICI, NMAS, and NTLS, including bug fixes and enhancements for those products. See the readme for details on what is resolved in this release.

details

Security Services 2.0.6
About This Readme

This file contains installation instructions and issues related to Security Services 2.0.6 (Novell Certificate Server 3.3.0.1, NMAS 3.2.1, NICI 2.7.3, and NTLS 2.0.2).

1.0 Prerequisites
1.1 Minimal and Custom Install Prerequisites
2.0 Installation Instructions
3.0 Security Services General Issues
4.0 Certificate Server 3.3.0.1
4.1 Issues Resolved
4.2 Installation Issues
4.3 Administration Issues
5.0 NICI 2.7.3
5.1 Issues Resolved
5.2 Administration Issues
6.0 NMAS 3.2.1
6.1 Issues Resolved
7.0 NTLS 2.0.2
7.1 Issues Resolved
8.0 NMAS Methods 2.7.7
8.1 Issues Resolved
8.2 Methods and Sequences Issues


1.0 Prerequisites

Security Services 2.0.6 can be installed on eDirectory 8.7.3 SP10b or eDirectory 8.8 SP2 only!

Do NOT install Security Services 2.0.6 on eDirectory 8.8 SP3!

This bundle will install on the following platforms:

* NetWare®
o NetWare® 6.5 SP6
o NetWare® 6.5 SP7

* Linux*
o SUSE® Linux Enterprise Server (SLES) 9 and 10
o Red Hat* Advanced Server 3.0 and 4.0
o Red Hat* Enterprise Linux 5.0 (eDirectory 8.8 SP2 only)

* Solaris*
o Solaris 8 (eDirectory 8.7.3 SP10b only)
o Solaris 9
o Solaris 10 (eDirectory 8.8 SP2 only)

* HP-UX*
o HP-UX 11i

* AIX*
o AIX 5.2

* Windows*
o 2000 Advanced Server SP4
o 2000 Professional SP4
o Server 2003


NOTE: The Security Services 2.0.6 patch copies newer schema files to the server, but it does not extend the schema by default. Some newer functionality (such as the new Passwords iManager plug-in) will not work until the schema has been extended manually. See the eDirectory documentation for instructions on extending schema. Schema needs to be extended once per tree. (The schema files which need to be extended are: nmas.sch, nspm.sch, notf.sch, and nsimpm.sch.)

NOTE: If you are running eDirectory 8.7.3 or eDirectory 8.8 SP2, in certain cases NDSD can core when ndsd is shut down or when embox is used. If you are NOT using embox/dsbk, you can comment embox out of ndsmodules.conf and restart ndsd. If you are using embox/dsbk, you can create a symbolic link after installing Security Services 2.0.6.
To resolve this coring issue, recreate the softlink as follows after the install:
ln -s /etc/opt/novell/nici.cfg /etc/nici.cfg

Please see TID# 3154121 and TID# 3950804 for more details.
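An added POSIX shell check for the /etc/nici.cfg softlink described in the note above; this is example code, not part of Novell's readme or install script. ROOT is an assumed prefix ("" on a live server, a scratch directory for a dry run), and readlink is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of Novell's readme. ROOT is an assumed prefix
# ("" on a live server, a scratch directory for a dry run).

# Report the state of ROOT/etc/nici.cfg relative to ROOT/etc/opt/novell/nici.cfg.
# Prints one word and always returns 0 so it can be used inside $(...).
nici_link_status() {
    root=$1
    target="$root/etc/opt/novell/nici.cfg"
    link="$root/etc/nici.cfg"
    if [ ! -f "$target" ]; then
        echo "missing-target"      # NICI is not installed under ROOT
    elif [ -L "$link" ]; then
        # readlink is assumed available on the platform
        if [ "$(readlink "$link")" = "$target" ]; then
            echo "ok"
        else
            echo "wrong-target"
        fi
    elif [ -e "$link" ]; then
        echo "regular-file"        # a real file lives there; do not clobber it
    else
        echo "absent"              # the case the note above describes
    fi
}

# Recreate the softlink only when it is absent or points elsewhere.
# Returns 0 when the link is correct afterwards, 1 when it was left alone.
ensure_nici_link() {
    root=$1
    case "$(nici_link_status "$root")" in
        ok) return 0 ;;
        absent|wrong-target)
            rm -f "$root/etc/nici.cfg"
            ln -s "$root/etc/opt/novell/nici.cfg" "$root/etc/nici.cfg"
            [ "$(nici_link_status "$root")" = "ok" ] ;;
        *)  echo "nici.cfg not fixed: $(nici_link_status "$root")" >&2
            return 1 ;;
    esac
}
```

On a live server, run ensure_nici_link "" as root after the Security Services install and before restarting ndsd.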

This bundle has been tested with eDirectory 8.7.3 SP10b and eDirectory 8.8 SP2. Novell recommends that one of these versions be installed prior to installing Security Services 2.0.6.

The Security Services 2.0.6 patch installs Novell Certificate Server 3.3.0.1, NICI 2.7.3, NMAS 3.2.1, and NTLS 2.0.2 using one integrated install script.

1.1 Minimal and Custom Install Prerequisites

If you have performed a minimal or custom install of SUSE Linux Enterprise Server (SLES) or Red Hat Advanced Server, you may be lacking a dependent module needed by the Security Services 2.0.6 patch. The Security Services 2.0.6 patch depends on the Compat library being installed on your server. You can check whether this module is installed on your server by running the following command:

rpm -qa |grep compat

For SLES, look for this command to return compat-2004.7.1-1.2 or later.

For Red Hat, look for compat-libstdc++-296-2.96-132.7.2 or later.

If you don't have the Compat module installed, the module can be found on your install CDs.

2.0 Installation Instructions

1. Select "Security Services" from the "Product or Technology" dropdown at the Novell Downloads Web site and download the necessary platform-specific download for the Security Services 2.0.6 patch.
* For NetWare - select ss206_NW.tgz
* For Linux, Solaris, HP-UX, and AIX - select ss206_SLAH.tgz
* For Windows - select SS_Setup.exe
* For NMAS Methods updates on all platforms - download nmmthd277.tgz

2. On NetWare, Linux, Solaris, HP-UX, and AIX servers, extract the download to a temporary directory on the server.
* For NetWare use a decompression utility that supports tgz, such as WinZip.
* For Linux, Solaris, HP-UX, and AIX servers, use gzip and tar to decompress and extract the tarball to a temporary directory.

For example, tar -zxvf ss206_SLAH.tgz

3. Run the installation script.

On NetWare servers, load NWCONFIG and select Product Options > Install product not listed, then press Enter. Press F3 and enter the path to the extraction directory (for example, sys:temp\ss206_nw\), then follow the installation prompts.

On Windows servers, double-click the SS_Setup.exe file.

On Linux, Solaris, HP-UX, and AIX servers, go to the extraction directory (for example, /tmp/ss206_SLAH/) and run the install.sh script. The script detects whether you are on Linux, Solaris, HP-UX, or AIX and installs the corresponding packages.

NOTE: If any component of the directory in the path for the Security Services install script contains a space, the install on Linux fails. Please verify the path for the install script does not contain any spaces.

NOTE: For NMAS Method updates on all platforms, download and install nmmthd277.tgz. To install NMAS methods, extract nmmthd277.tgz to a temporary directory, then use the NMAS iManager plug-in or nmasinst to install/update your methods. (See nmasinst -help for more information on using nmasinst.) To use the NMAS iManager plug-in, select the NMAS Role | NMAS Login Methods | Select the desired NMAS Method and select "Update" | point to the zip file for the selected NMAS Method.

NOTE: Methods are installed once per tree.
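The two pre-install checks from section 1.1 (Compat library at the stated version or later) and section 2.0 (no spaces in the install path), as an added POSIX shell example that is not Novell's install.sh. The rpm listing is passed in as text so the check can be tried on constructed output, and the version ordering assumes GNU sort -V.

```shell
#!/bin/sh
# Added example, not part of Novell's install script.

# Section 2.0 note: install.sh fails on Linux if any component of the
# install path contains a space. Returns 1 for such a path.
check_install_path() {
    case "$1" in
        *" "*) echo "install path contains a space: $1" >&2; return 1 ;;
    esac
    return 0
}

# Section 1.1: the Compat library must be present at the stated version
# or later. LISTING is the text output of "rpm -qa"; REQUIRED is e.g.
# compat-2004.7.1-1.2 (SLES) or compat-libstdc++-296-2.96-132.7.2 (Red Hat).
# Version ordering uses GNU sort -V, an assumption that holds on SLES and
# Red Hat but not necessarily on Solaris, HP-UX or AIX.
compat_ok() {
    listing=$1
    required=$2
    name=${required%%-[0-9]*}      # package name: up to the first "-<digit>"
    for pkg in $(printf '%s\n' "$listing" | grep "^$name-[0-9]"); do
        lowest=$(printf '%s\n%s\n' "$required" "$pkg" | sort -V | head -n 1)
        # if REQUIRED sorts first (or equal), PKG is at least that version
        [ "$lowest" = "$required" ] && return 0
    done
    echo "no $name package at $required or later found" >&2
    return 1
}

# Typical use on a SLES server before running install.sh (assumed invocation):
#   check_install_path /tmp/ss206_SLAH && compat_ok "$(rpm -qa)" compat-2004.7.1-1.2
```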


3.0 Security Services General Issues

This release of Security Services will not update the security components for an eDirectory 8.8, eDirectory 8.8 SP1, or eDirectory 8.8 SP2 tarball installation.

4.0 Certificate Server 3.3.0.1
4.1 Issues Resolved

* Bug 390486 - Abend when revoking Certificate with DSTrace enabled
* Bug 363063 - Rights issues when creating user certificates

NOTE: Some of the libraries for PKI will be 3.3.0 and some will be 3.3.0.1, this is expected.

4.2 Installation Issues

* If the Security Services 2.0.6 patch is being installed on NetWare 6.5 SP6 with iManager 2.6, it is crucial that the NPKIAPI.nlm, NPKIT.nlm and npki.jar files on the server be version 3.30 or greater to avoid an ABEND. iManager and the Novell Certificate Server plug-in use the npki.jar file in the "sys:\tomcat\4\webapps\nps\WEB-INF\lib" directory. Note: if this step was already done during the Security Services 2.0.5 install, you will not need to copy the jar file or install the latest Novell Certificate Server plug-in.

After installing Security Services 2.0.6 on NetWare 6.5 SP6 with iManager 2.6, do one of the following:

1. Install the latest version of the Novell Certificate Server plug-in. (recommended)
2. Manually copy the npki.jar file found in "sys:\system" to the "sys:\tomcat\4\webapps\nps\WEB-INF\lib" directory.

If you installed NetWare 6.5 SP7 and chose to also install iManager 2.7 and plug-ins, these versions will all match and no further user intervention is required.


4.3 Administration Issues

* Server Self-Provisioning - If you enable server self-provisioning, the PKI Health Check may replace the default certificates every time the PKI Health Check is run (which is each time pki loads). This will only occur if you have created a CRL configuration object and you have not configured any CRL distribution points. To avoid this, you can do one of the following:
1) Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points using iManager's Configure Certificate Authority task
2) Delete any CRL Configuration objects (ex. CN=One - Configuration.CN=CRL Container.CN=Security)

* iManager Certificate Server plug-in - When you use either the Repair Default Certificates or Create Default Certificates task, the task may force the replacement of the default certificates (even if you did not specify a forced replacement). This will only occur if you have created a CRL configuration object and you have not configured any CRL distribution points. To avoid this, you can do one of the following:
1) Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points using iManager's Configure Certificate Authority task
2) Delete any CRL Configuration objects (ex. CN=One - Configuration.CN=CRL Container.CN=Security)

* In order to use the CRL and sub-CA features, the Certificate Authority (CA) must be hosted on an eDirectory 8.8 or later server. The CRL and sub-CA features are officially supported only on eDirectory 8.8 or later.


5.0 NICI 2.7.3
5.1 Issues Resolved

NOTE: No changes since Security Services 2.0.5

* Bug 249971 - Remove fopen from debug code
* Bug 270704 - Memory leak during initial config processing
* Bug 276425 - Typo in primnici man page


5.2 Administration Issues

* A -1497 error can result if a user loses access to his configuration files for any reason. This is sometimes caused by a change of access rights or account identification. On Windows, where the user directory is based on the account name, deleting an account and creating a new one with the same name results in a new SID, which affects user access rights. On Unix/Linux systems, the user directory name is based on the User ID, and changing the UID will affect access to the configuration files.


6.0 NMAS 3.2.1
6.1 Issues Resolved

* Bug 307962 - After migrating a hashed Simple Password to the Universal Password, the diagpwd utility fails with the error -1695 (NMAS_E_INCOMPATIBLE_LOGIN_DATA)
* Bug 326893 - NMAS returns buffer overflow when min and max numeric password values set in advanced password policy
* Bug 334597 - Small memory leak during failed login attempts when intruder detection is enabled
* Bug 338686 - Context leak when a password policy is not assigned to the user object, to the user object's parent container, or the user object's partition root
* Bug 341012 - NMAS login does not treat account expiration time in the same way as eDirectory login
* Bug 344416 - Password policy compliance not being enforced when using ldap
* Bug 353146 - If NDSD_TRY_NMASLOGIN_FIRST is set to true the IDM Role Service Driver will fail to start with a -779 (ERR_CANNOT_GO_REMOTE) error
* Bug 353606 - NMAS cores while setting Universal Password when removing password history values
* Bug 357864 - Random password generation not correctly adhering to maximum consecutive character restrictions
* Bug 372830 - Microsoft Complexity Policy - Don't check if a disallowed attribute value is contained in the password if the attribute value is less than three characters
* Bug 372864 - Resolved several NMAS issues when the eDirectory process has consumed most or all of the memory available to it
* Bug 391388 - Unable to unlock scrsaver on server with no replicas when NMAS auditing is enabled
* Bug 401408 - NMAS cores when XML complexity policy is enabled and "Verify password for compliance during login" option is not enabled.

7.0 NTLS 2.0.2
7.1 Issues Resolved
NOTE: No changes since Security Services 2.0.5

* Bug 286166 - ldap refresh causes memory build up in xmgr(NICI)
* Bug 326676 - ndsd core using Encrypted Replication
* Bug 329130 - Certmutual logins fail with ldap error 81


8.0 NMAS Methods 2.7.7
8.1 Issues Resolved

* Bug 134210 - Enhancement: When answering Challenge Questions allow answers to be masked (See TID#3794808 for more details)
* Bug 340150 - Special characters in the Challenge response causes login failed
* Bug 341202 - Challenge/Response Method fails to install resource DLL
* Bug 341363 - Challenge/Response Security Vulnerability in which clipboard contents can be pasted into input fields
* Bug 379693 - Invoking the forgotten password feature may cause eDirectory to crash
* Bug 331004 - Simple Password always expires the password when it sets the Universal Password


8.2 Methods and Sequences Issues

* The following NMAS methods have reached end of life and were removed from the Security Services 2.0.4 (and later) releases:
o Advanced X.509 Certificate
o Enhanced Password
o Entrust*
o NDS Change Password
o Simple X.509 Certificate
o Universal Smartcard
o Simple Password Login Client Module (LCM)
* The NMAS MethodInstaller has reached end of life and has been replaced by the new iManager NMAS plug-in.
* nmasinst does not have an option to remove NMAS methods. This must be done using iManager. See the NMAS Administration Guide for more information.

change log

Added a statement clarifying that Security Services 2.0.6 should NOT be installed on eDirectory 8.8 SP3. Doing so will back-rev modules.

eDirectory 8.8 SP3 has newer modules than shipped with Security Services 2.0.6.

file contents

Files Included       Size                 Date
ss206_SLAH.tgz       29.7 MB (31143941)   2008-07-15 11:07:18
nmmthd277.tgz        13.5 MB (14246444)   2008-07-15 11:07:00
ss206_NW.tgz         3.2 MB (3394323)     2008-07-15 11:07:08
SS_Setup.exe         5.0 MB (5263221)     2008-07-15 11:06:50
readme_5030502.html  N/A                  2010-02-05 05:39:17

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.