|
|
|
New Features in Reflection PKI Services Manager 1.1 and Release Notes
Technical Note 2486
Last Reviewed 04-Mar-2010
Applies To
Reflection for Secure IT UNIX Client version 7.1 or higher
Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection for Secure IT Windows Server version 7.1 or higher
Summary
Technical Note 2486
Last Reviewed 04-Mar-2010
Applies To
Reflection for Secure IT UNIX Client version 7.1 or higher
Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection for Secure IT Windows Server version 7.1 or higher
Summary
This technical note outlines the new features available in the Reflection PKI Services Manager 1.1 release, a component of Reflection for Secure IT, as well as product release notes and information about how to obtain and install the component.
This note includes the following information:
Reflection PKI Services Manager 1.1 New Features
Release Notes
Obtaining Your Component Upgrade
Supported Platforms
Installing Reflection PKI Services Manager Upgrade
Release Notes
Obtaining Your Component Upgrade
Supported Platforms
Installing Reflection PKI Services Manager Upgrade
Reflection PKI Services Manager 1.1 New Features
- SOCKS proxy support
You can configure PKI Services Manager to connect to remote servers via a SOCKS proxy. When a SOCKS proxy is configured, connections made to remote servers for OCSP queries, or to download intermediate certificates or CRLs, are routed through the SOCKS proxy.
- pki-client command line utility
You can use the pki-client command line utility to query PKI Services Manager for information about whether a certificate is valid, and which servers or user clients are allowed to authenticate using the certificate. You can run pki-client on the PKI Services Manager host, or run it from a remote computer. (Java 1.5 or newer is required.)
- Certificates signed with the MD2 RSA hash are no longer allowed by default
A new setting is available if you need to enable use of intermediate certificates signed using this deprecated hash algorithm. From the console, enable "Allow MD2 signed certificates". Or, in the configuration file, set AllowMD2Certificates = yes.
Note: MD2 hashes in X.509 certificates might allow remote attackers to spoof intermediate CA certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. The scope of this issue is currently limited because the amount of computation required is still large. (This is a related issue to CVE-2009-2409.)
- Support for HSPD-12
PKI Services Manager now supports the bridge certificate architecture mandated by Homeland Security Presidential Directive 12.
- PKCS#7 support
PKI Services Manager can now use certificates that are stored in PKCS#7 files on the local computer or on an LDAP or HTTP server.
- Support for LDAP servers that respond with more than one certificate
When an LDAP server response includes multiple certificates, PKI Services Manager can now determine the correct certificate to use when building a certificate path.
- Console updates to support trust-specific revocation settings
The console now includes options that enable you to use trust-specific revocation settings that override global values. This functionality was previously available only by modifying the configuration file.
Release Notes
The following issues were resolved in this release:
- The presence of unrecognized OIDs in a certificate's SubjectAltName no longer causes an ASN error.
- The PKI Services Manager now displays a warning message when a map file contains multiple default rules (rules that have no defining condition). The warning message helps clarify that only the first default rule will be applied, and subsequent rules will be ignored.
Obtaining Your Component Upgrade
The directions for obtaining the Reflection PKI Services Manager add-on vary depending on the type of customer: maintained or new customers, or evaluating customers.
Note: You can install or upgrade the PKI Services Manager component without upgrading Reflection for Secure IT, as long as you have Reflection for Secure IT version 7.1 or higher installed.
Maintained or New Customers
Maintained customers are eligible to download PKI Services Manager 1.1 from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.
New Volume Purchase Account customers can use link(s) in the e-mail message sent to the order "ship to" contact to download PKI Services Manager files.
The PKI Services Manager file downloads for various platforms are listed in the Download Library under the heading, "Supplemental File – Utility or Add-On," which appears below the "Current Product Release" and "Service Pack or Patch" headings.
You will be prompted to login and accept the Software License Agreement before you can select and download the PKI Services Manager file. For more information on using the Download Library web site, see Technical Note 0200.
Evaluating Customers
PKI Services Manager 1.0 is available to evaluate when you request an evaluation copy of the following Reflection for Secure IT products from the Attachmate web site (http://www.attachmate.com/Evals/rsit/rsit-eval.htm):
Reflection for Secure IT UNIX Client
Reflection for Secure IT UNIX Server
Reflection for Secure IT Windows Server
Reflection for Secure IT UNIX Server
Reflection for Secure IT Windows Server
You will be prompted to fill out a form and then will receive e-mail with instructions about downloading the evaluation software.
The PKI Services Manager file downloads are intermixed in the file listing of Reflection for Secure IT product downloads, both of which are organized by available platforms under the "Description" heading. The PKI Services Manager file downloads include "PKI Add-On" at the end of the platform description.
If you downloaded the Reflection for Secure IT evaluation software, you must navigate back to the file listing page to obtain the PKI Add-On. Alternatively, you can click the link in the original e-mail to return to the file listing page.
Supported Platforms
For information about Reflection PKI Services Manager supported platforms, see Technical Note 2427.
Installing Reflection PKI Services Manager Upgrade
Reflection PKI Services Manager version 1.1 is a full product installation and does not require 1.0 to be installed. Installation instructions vary depending on platform. For detailed installation instructions on a Windows or UNIX platform, see the PKI Services Manager 1.1 User Guide on the documentation page: http://support.attachmate.com/manuals/pki.html.
