Security Services 2.0.3 Readme

October 25, 2006


About This Readme

This file contains installation instructions and issues related to Security Services 2.0.3 (Novell® Certificate Server™ 3.2, NICI 2.7.0.2, NMAS™ 3.1.2, and NTLS 2.0).

1.0 Prerequisites
1.1 Minimal and Custom Install Prerequisites
2.0 Installation Instructions
3.0 Security Services General Issues
4.0 Certificate Server 3.2
4.1 Issues Resolved
4.2 Administration Issues
5.0 NICI 2.7.0.2
5.1 Issues Resolved
5.2 Administration Issues
6.0 NMAS 3.1.2
6.1 Issues Resolved
6.2 Installation Issues
6.3 Administration Issues
6.4 Universal Password Issues
7.0 NMAS Methods 2.7.3
7.1 Issues Resolved
7.2 Methods and Sequences Issues
8.0 Fixes in Previous Security Services Patches
8.1 Security Services 202
8.2 Security Services 201
9.0 Legal Notices


1.0 Prerequisites

Security Services 2.0.3 can be installed on eDirectory™ 8.7.3 SP8, eDirectory™ 8.7.3 SP9, or eDirectory™ 8.8 SP1. This bundle will install on the following platforms:

NOTE: If you are installing the Security Services 2.0.3 patch on a NetWare 6.5 server with eDirectory 8.8 SP1 installed, you MUST apply TID# 2974592 eDirectory Post 8.8 SP1 FTF1 for NetWare prior to applying the Security Services 2.0.3 patch or the install will hang. If you did not apply the eDirectory 8.8 SP1 FTF1 patch before installing the Security Services 2.0.3 patch and the installation hangs, apply the above patch and rerun the Security Services 2.0.3 install.

NOTE: The files included in this patch (Security Services 2.0.3) are the same files that ship with NetWare 6.5 SP6. If you have already installed NetWare 6.5 SP6, you do NOT need to install this patch. However, if you install NetWare 6.5 SP6 and then upgrade to eDirectory™ 8.8 or eDirectory™ 8.8 SP1, the eDirectory install will backrev NMAS, PKIS and NICI. If this happens, reapplying this patch is appropriate.

This bundle has been fully tested with Novell iManager 2.6 and partially tested with Novell iManager 2.5.

This bundle has been fully tested with eDirectory™ 8.7.3 SP8, eDirectory™ 8.7.3 SP9 and eDirectory™ 8.8 SP1. Novell recommends one of these minimum versions be installed prior to installing Security Services 2.0.3.

The Security Services 2.0.3 patch installs Novell Certificate Server 3.2, NICI 2.7.0.2, NMAS 3.1.2, and NTLS 2.0 using one integrated install script.

NOTE: For NMAS Method updates on all platforms, download nmmthd273.tgz. To install NMAS methods, use methodInstaller.exe from a Windows workstation or nmasinst for the other platforms. Methods are installed once per tree.


1.1 Minimal and Custom Install Prerequisites

If you have performed a minimal or custom install of Open Enterprise Server (OES), SUSE Linux Enterprise Server (SLES), or Red Hat Advanced Server, you may be lacking a dependent module needed by this Security Services 2.0.3 patch. The Security Services 2.0.3 patch is dependent on the Compat library being installed on your server. You can identify the installation of this module on your server by running the following command:

rpm -qa | grep compat

For OES or SLES, look for this command to return compat-2004.7.1-1.2 or later.

For Red Hat, look for compat-libstdc++-296-2.96-132.7.2 or later.

If you don't have the Compat module installed, the module can be found on your install CDs.


2.0 Installation Instructions

  1. Search for "Security Services" at the Novell Downloads Web site and download the necessary platform-specific download for the Security Services 2.0.3 patch.

    • For NetWare - select ss203_NW.tgz
    • For Linux, Solaris, HP-UX, and AIX - select ss203_SLAH.tgz
    • For Windows - select ss_setup.exe
    • For NMAS Methods updates on all platforms - download nmmthd273.tgz
  2. On NetWare, Linux, Solaris, HP-UX, and AIX servers, extract the download to a temporary directory on the server.

    • For NetWare use a decompression utility that supports tgz, such as WinZip.
    • For Linux, Solaris, HP-UX, and AIX servers, use gzip and tar to decompress and extract the tarball to a temporary directory.

      For example, gzip -d -c ss203_SLAH.tgz | tar xvf -

  3. Run the installation script.

    NOTE: If you are installing the Security Services 2.0.3 patch on a NetWare 6.5 server with eDirectory 8.8 SP1 installed, you MUST apply TID# 2974592 eDirectory Post 8.8 SP1 FTF1 for NetWare prior to applying the Security Services 2.0.3 patch or the install will hang. If you did not apply the eDirectory 8.8 SP1 FTF1 patch before installing the Security Services 2.0.3 patch and the installation hangs, apply the above patch and rerun the Security Services 2.0.3 install.

    On NetWare servers, load NWCONFIG and select Product Options > Install product not listed, then press Enter. Press F3 and enter the path to the extraction directory (for example, sys:temp\ss203_nw\), then follow the installation prompts.

    On Windows servers, double-click the ss_setup.exe file.

    On Linux, Solaris, HP-UX, and AIX servers, go to the extraction directory (for example, temp/ss203_SLAH/) and run the install.sh script. The script detects whether you are on Linux, Solaris, HP-UX, or AIX and installs the corresponding packages. NOTE: On Linux, the install fails if any component of the path to the install script contains a space. Verify that the path does not contain any spaces.
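
The two Linux prerequisites above (a minimum Compat package and an install path without spaces) can be checked before install.sh is run. The following is an added example, not part of the Novell bundle; the function names and the sample package list are assumptions made for illustration, and the version comparison is a simplified numeric one rather than rpm's own algorithm.

```shell
# Added example (not from the bundle): preflight checks for the Linux install.

# Constructed sample of `rpm -qa` output (name-version-release, one per line).
SAMPLE_SLES='glibc-2.3.3-98.28
compat-2004.7.1-1.2
openssl-0.9.7d-15.10'

# version_ge A B: succeed if A >= B, comparing numeric fields split on "." and "-".
# Simplified: assumes all-numeric fields; this is not rpm's comparison routine.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }' < /dev/null
}

# compat_ok PKGLIST: succeed if the list holds a Compat package at or above
# the minimum this readme gives for OES/SLES or for Red Hat.
compat_ok() {
    while IFS= read -r pkg; do
        case "$pkg" in
            compat-libstdc++-296-*)
                if version_ge "${pkg#compat-libstdc++-296-}" "2.96-132.7.2"; then return 0; fi ;;
            compat-[0-9]*)
                if version_ge "${pkg#compat-}" "2004.7.1-1.2"; then return 0; fi ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# path_ok DIR: fail if any component of the path contains a space.
path_ok() {
    case "$1" in *" "*) return 1 ;; *) return 0 ;; esac
}

# preflight PKGLIST DIR: report every failed check; non-zero if any failed.
preflight() {
    rc=0
    compat_ok "$1" || { echo "Compat library missing or older than required" >&2; rc=1; }
    path_ok "$2" || { echo "install path contains a space: $2" >&2; rc=1; }
    return "$rc"
}
```

From the extraction directory, `preflight "$(rpm -qa)" "$(pwd)" && ./install.sh` starts the installer only when both checks pass.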


3.0 Security Services General Issues

This release of Security Services will not update the security components for an eDirectory™ 8.8 tarball installation. Please install eDirectory 8.8 SP1 to update a tarball installation. You can download eDirectory 8.8 SP1 at the Novell Downloads Web site.


4.0 Certificate Server 3.2

For detailed Certificate Server documentation, see the Certificate Server documentation Web site.


4.1 Issues Resolved in NPKIAPI 3.21


4.2 Administration Issues


5.0 NICI 2.7.0.2

For detailed NICI documentation, see the NICI documentation Web site.


5.1 Issues Resolved


5.2 Administration Issues


6.0 NMAS 3.2

For detailed NMAS documentation, see the NMAS documentation Web site.


6.1 Issues Resolved

  • 156294 nmasinst for NetWare requires password in clear text on console.
  • 163512 Expiring a user's password with grace logins resets after one login without changing the password.
  • 164979 NMAS - remove fopen, fclose, etc. calls
  • 178618 Require a password not being honored correctly
  • 189988 Failed login delay not reset to default after Login Policy attribute deleted
  • 195516 Security Vulnerability - NMAS BerDecodeLoginDataRequest DoS Vulnerability
  • 196276 Null character on Simple Password is dropped when UP writes to simple
  • 201321 User unable to do NMAS authentication via IPX after applying NMAS 3.1.1
  • 201688 Mapping a volume via CIFS abends server in NMAS.NLM (Owned by CIFSPROX.NLM)
  • 201975 Maximum password length not enforced for password change or set
  • 201991 nmasldap_check_login_policy can cause NetWare to ABEND
  • 202028 Invalid parameters to nmasldap_set_address_policy can cause server to ABEND
  • 204330 Challenge Response questions\answers being written to multiple servers
  • 204358 Memory leak in MAF_MemMalloc
  • 205436 NMAS abending when logging in with NCP client
  • 206878 659 in nmas trace while doing ldapbinds, even when time is in sync
  • 207307 Network address restriction is not being enforced with SSP 202
  • 209313 Abend when auditing enabled
  • 209857 SPMNWCC.NLM causes FTP logins to go through NMAS and experience long delays on exref server
  • 210217 NMAS Simple Password Binds are Failing in AIX 5.2 with eDirectory 8739


6.2 Installation Issues

No installation issues for this release.


6.3 Administration Issues

  • When a user attempts to change his or her password from the Novell Client™, it calls the NMAS Client to read the Universal Password policy. In eDirectory 8.8, a new feature was added to cache the needed information from the Security Container on an eDirectory 8.8 external reference server. However, if users are using Forgotten Password or are changing their password, the NMAS Client will walk to the real object instead of looking at the cached attributes. This has been reported to Novell engineering.


6.4 Universal Password Issues

  • If you are using a Simple Password method version that shipped prior to eDirectory 8.7.3, you may run into an issue with Simple Password when users authenticate through LDAP. You might find that the Universal Password did not synchronize with the Simple Password. To remedy this problem, update the Simple Password method to the version included in this release. The Simple Password method can be updated by using nmasinst, methodinstaller.exe, or ConsoleOne. The Simple Password method is found in the nmmthd273.tgz download. Once extracted, the Simple Password Method is found in the nmmthd273\novell\simplepassword directory.
  • The NDS® password is migrated to the Universal Password when doing an LDAP bind if eDirectory 8.8.x is installed and configured to use NMAS login for LDAP binds. Information on configuring eDirectory to use NMAS login for LDAP binds can be found at the eDirectory Documentation Web site.


7.0 NMAS Methods 2.7.3


7.1 Issues Resolved

  • 155575 Challenge Response Client truncates Challenge question if longer than 77 characters.
  • 161037 Random ASCII characters displayed in place of é in the French challenge questions when displayed from the Novell Client.


7.2 Methods and Sequences Issues

  • The following NMAS methods are in the end of life phase and will be removed from the next release (Security Services 2.0.4) of the NMAS methods:
    • Advanced X.509 Certificate
    • Enhanced Password
    • Entrust*
    • NDS Change Password
    • Simple X.509 Certificate
    • Universal Smartcard
    • Simple Password Login Client Module (LCM)
  • The NMAS Method Installer is in the end of life phase and will be removed in the next release. You can now use iManager NMAS plug-ins to install login methods.
  • The readme.pdf files for the Universal Smart Card, Entrust, and Advanced X.509 methods were not updated in the build. The updated readme.pdf files are available on the NMAS documentation Web site.
  • nmasinst does not have an option to remove NMAS methods. This must be done using iManager. See the NMAS Administration Guide for more information.


8.0 Fixes in Previous Security Services Patches


8.1 Security Services 202 Issues Resolved


Certificate Server 3.2


NICI 2.7


NMAS 3.1.1


NTLS 2.0


8.2 Security Services 201 Issues Resolved


Certificate Server 3.1.1


NICI 2.7


NMAS 3.1


NTLS 2.0


9.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell and NetWare are registered trademarks of Novell, Inc. in the United States and other countries.

eDirectory, Novell Client, Novell Certificate Server, and NMAS are trademarks of Novell, Inc.

All third-party trademarks are the property of their respective owners.