Security Services 2.0.2 Readme

July 31, 2006

About This Readme

This file contains installation instructions and issues related to Security Services 2.0.2 (Novell® Certificate ServerTM 3.2, NICI 2.7, NMASTM 3.1.1, and NTLS 2.0).

1.0 Prerequisites
1.1 Minimal and Custom Install Prerequisites
2.0 Installation Instructions
3.0 Security Services General Issues
3.1 Security Services 2.0.2 Patch on SLES 8
4.0 Certificate Server 3.2
4.1 Issues Resolved
4.2 Administration Issues
5.0 NICI 2.7
6.0 NMAS 3.1.1
6.1 Issues Resolved
6.2 Installation Issues
6.3 Administration Issues
6.4 Universal Password Issues
7.0 NMAS Methods 2.7.3
7.1 Issues Resolved
7.2 Methods and Sequences Issues
8.0 Legal Notices

1.0 Prerequisites

Security Services 2.0.2 can be installed on eDirectoryTM 8.7.3, eDirectory 8.8, or eDirectory 8.8 SP1. This bundle will install on the following platforms:

This bundle has been fully tested with eDirectoryTM 8.7.3 SP8, eDirectory 8.8, and eDirectory 8.8 SP1. Novell recommends one of these minimum versions be installed prior to installing Security Services 2.0.2.

This bundle has been fully tested with Novell iManager 2.6 and partially tested with Novell iManager 2.5.

The Security Services 2.0.2 patch installs Novell Certificate Server 3.2, NICI 2.7, NMAS 3.1.1, and NTLS 2.0 using one integrated install script.

NOTE:  For NMAS Method updates on all platforms, download nmmthd273.tgz. To install NMAS methods, use methodInstaller.exe from a Windows workstation or nmasinst for the other platforms. Methods are installed once per tree.

1.1 Minimal and Custom Install Prerequisites

If you have performed a minimal or custom install of Open Enterprise Server (OES), SUSE Linux Enterprise Server (SLES), or Red Hat Advanced Server, you may be lacking a dependent module needed by this Security Services 2.0.2 patch. The Security Services 2.0.2 patch is dependent on the Compat library being installed on your server. You can identify the installation of this module on your server by running the following command:

rpm -qa |grep compat

For OES or SLES, look for this command to return compat-2004.7.1-1.2 or later.

For Red Hat, look for compat-libstdc++-296-2.96-132.7.2 or later.

If you don't have the Compat module installed, the module can be found on your install CDs.

2.0 Installation Instructions

  1. Search for Security Services at the Novell Downloads Web site and download the necessary platform-specific download for the Security Services 2.0.2 patch.

    • For NetWare - select ss202_nw.tgz
    • For Linux, Solaris, HP-UX, and AIX - select ss202_slah.tgz
    • For Windows - select ss_setup.exe
    • For NMAS Methods updates on all platforms - download nmmthd273.tgz
  2. On NetWare, Linux, Solaris, HP-UX, and AIX servers, extract the download to temporary directory on the server.

    • For NetWare use a decompression utility that supports tgz, such as WinZip.
    • For Linux, Solaris, HP-UX, and AIX servers, use gzip and tar to decompress and extract the tarball to a temporary directory.

      For example, gzip -d -c ss202_SLAH.tgz | tar xv

  3. Run the installation script.

    On NetWare servers, load NWCONFIG and select Product Options > Install product not listed, then press Enter. Press F3 and enter the path to the extraction directory (for example, sys:temp\ss202_nw\), then follow the installation prompts.

    On Linux, Solaris, HP-UX, and AIX servers, go to the extraction directory (for example, temp\ss202_slah\) and run the script. The script detects if you are on Linux, Solaris, HP-UX, or AIX and installs the corresponding packages.

    On Windows servers, double-click the ss_setup.exe file.

3.0 Security Services General Issues

This release of Security Services will not update the security components for an eDirectory 8.8 tarball installation. Please install eDirectory 8.8 SP1 to update a tarball installation. You can download eDirectory 8.8 SP1 at the Novell Downloads Web site.

3.1 Security Services 2.0.2 Patch on SLES 8

  • If you are reading this section prior to installing the Security Services 2.0.2 patch on SLES 8, make sure you run the install script with the "--force" option.

    For example: --force

    If you are reading this section and you have gotten the following error on SLES 8:

    The package "ntls" could not be removed. Please remove this package manually. The error output is: error: package ntls is not installed

    You can fix this problem by using the "--force" option and re-running the ./

    For example: --force

    NOTE:  This install issue appears only on SLES 8. It should not happen on SLES 9.

4.0 Certificate Server 3.2

For detailed Certificate Server documentation, see the Certificate Server documentation Web site.

4.1 Issues Resolved

  • 85166 rootcert.der needs to be created during the post-install if it doesn't exist
  • 86009 NPKIT setting umask
  • 115446 Add Private Key to PEM type
  • 160113 Import user cert, error -603
  • 161024 Removed fopen and fclose calls (Solaris)
  • 173703 Timing abend isssue in pki.nlm
  • 174590 Enable Allowable Subject Names matching for User Self-Provisioning
  • 178655 Need a way to use the newest CRL rather than a cached one when validating certificates

4.2 Administration Issues

  • In order to use the CRL and sub-CA features, the Certificate Authority (CA) must be hosted on an eDirectory 8.8 or later server. The CRL and sub-CA features are officially supported only on eDirectory 8.8 or later.
  • When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for the key pair generation is running eDirectory 8.7.3 or later. If you are attempting to make the keys extractable on an eDirectory version prior to 8.7.3, you will receive a -1222 error.
  • Novell Certificate Server automatically creates server certificates for all the IP and DNS addresses configured on the box. You might receive the following error during the installation of Novell Certificate Server if the combination of the server name and the DNS name is 64 characters or more, because the maximum object name length is 64 characters:

    "The PKI install was unable to create the default IP and DNS certificates. Error -613. Do you want to retry?"

    The -613 error is not a fatal error; however, Novell Certificate Server will not be able to create the auto-generated certificates which match the long DNS name.

    To avoid this problem with future servers, make sure that the combined number of characters of the DNS name and the server name is fewer than 64 characters.

    To fix this problem on an existing server, use iManager to manually create a server certificate using the DNS name or the IP address as the certificate subject name, depending on the needs of your applications.

    See the Novell Certificate Server Administration Guide for instructions on how to create server certificates.

    After the server certificate is created, the applications (Apache, Tomcat, etc.) on which you want to use the new server certificate must be configured to use it.

5.0 NICI 2.7

For detailed NICI documentation, see the NICI documentation Web site.

6.0 NMAS 3.1.1

For detailed NMAS documentation, see the NMAS documentation Web site.

6.1 Issues Resolved

  • 143676 NMAS is not clearing "Incorrect login count" when the "Intruder attempt reset interval" had elapsed.
  • 146019 NMAS generates Novell Audit events which in turn auto loads logevent.nlm and fills up the HD,need configuration option to turn NMAS audit off
  • 147631 nmasldap_check_login_policy() does not handle grace logins.
  • 149372 Associating Universal Password Policy on a container expires users passwords if their password doesn't comply with the Policy
  • 150726 Login with iManager for a user which has been moved to a long named OU, shutsdown the NDSD service on SLES 9
  • 151261 NMAS LSC file contains 2 entries with same ID.
  • 156122 LSM audit events should use method name not library name for "component" field in audit events
  • 156123 Update audit event file to support audit's new event groups feature
  • 156294 nmasinst for NetWare requires password in clear text on console.
  • 156949 nmasinst displays debug messages
  • 158260 MAF_DS functions need to be updated
  • 159917 NDS method is created without the sasMethodVersion attribute
  • 161308 ndsconfig add is failing
  • 164568 If the nspmExcludeList is not terminated causes an abend
  • 164929 Password history not enforced if password is expired
  • 165179 Core dump on performing LDAP Search / Add / Modify & Delete operations as different users who are members of different dynamic groups
  • 167505 Unknown error -338 occurred during ndsconfig while configuring NMAS service
  • 169483 Password History is not case sensitive
  • 169490 Password policy does not function properly when Verify password on login and Restrict days before password can be changed are both enabled
  • 173350 In certain cases, Password is expired when incorrect password is attempted.
  • 175412 With the password management property, we are currently able to set the nspmDistributionPassword, but we are not able to read the password.
  • 178722 Not able to set simple password (when treekey is DES, instead of 3DES)
  • 178777 ERROR: -1658 DALCreateLoginSession:GetXKey after uploading users with Passwords
  • 182893 After upgrading to NMAS 3.1, Post Login methods (Secure Workstation) break and give 1660 and 1652 errors
  • 184157 Login fails because Account is Locked, even though Locked By Intruder is False
  • 189684 NDS method set the UP everytime a user logs in, when the advanced UP rules are not enabled
  • 195671 NMAS memory leak in NMAS (eDirectory 8.8 SP1)
  • 197221 Potential for NMAS to cause 100% utilization when users have many authorized clearances assigned to them

6.2 Installation Issues

No installation issues for this release.

6.3 Administration Issues

  • When a user attempts to change his or her password from the Novell ClientTM, it calls the NMAS Client to read the Universal Password policy. In eDirectory 8.8, a new feature was added to cache the needed information from the Security Container on eDirectory 8.8 external references servers (eDirectory 8.8 servers that don't hold a real copy of the Security Container). NMAS Clients older than NMAS Client 3.2 must walk to the real object and if the Security Container is not available, the password change may fail.

    This issue has been resolved in the NMAS Client 3.2 by allowing the NMAS Client to resolve to an eDirectory 8.8 external reference server to read the Universal Password policy. To install NMAS Client 3.2, download and install Novell Client 32 4.91 SP2. NMAS Client 3.2 is included in the Novell Client 32 4.91 SP2 download and install.

6.4 Universal Password Issues

  • If you are using a Simple Password method version that shipped previous to eDirectory 8.7.3, you may run into an issue with Simple Password when users authenticate through LDAP. You might find that the Universal Password did not synchronize with the Simple Password. To remedy this problem, update the Simple Password method to the version included in this release. The Simple Password method can be updated by using nmasinst, methodinstaller.exe, or ConsoleOne. The Simple Password method is found in the ssp202\nmmthd272\novell\simplepassword directory.
  • The NDS® password is migrated to the Universal Password when doing an LDAP bind if eDirectory 8.8.x is installed and configured to use NMAS login for LDAP binds. Information on configuring eDirectory to use NMAS login for LDAP binds can be found at the eDirectory Documentation Web site.

7.0 NMAS Methods 2.7.3

7.1 Issues Resolved

  • 155575 Challenge ResponseClient truncates Challenge question if longer than 77 characters.
  • 161037 Random ASCII characters displayed in place of in the French challenge questions when displayed from the Novell Client.

7.2 Methods and Sequences Issues

  • The following NMAS methods are in the end of life phase and will be removed from a future release of the NMAS methods:
    • Advanced X.509 Certificate
    • Enhanced Password
    • Entrust*
    • NDS Change Password
    • Simple X.509 Certificate
    • Universal Smartcard
    • Simple Password Login Client Module (LCM)
  • The NMAS Method Installer is in the end of life phase and will be removed from a future release. You can now use iManager to install login methods.
  • The readme.pdf files for the Universal Smart Card, Entrust, and Advanced X.509 methods were not updated in the build. The updated readme.pdf files are available on the NMAS documentation Web site.
  • nmasinst does not have an option to remove NMAS methods. This must be done using iManager. See the NMAS Administration Guide for more information.

8.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell and NetWare are registered trademark of Novell, Inc. in the United States and other countries.

eDirectory, Novell Client, Novell Certificate Server, and NMAS are trademarks of Novell, Inc.

All third-party trademarks are the property of their respective owners.