Security Services 2.0.6 Readme

June 10, 2008

This file contains installation instructions and issues related to Security Services 2.0.6 (Novell® Certificate Server™, NMAS™ 3.2.1, NICI 2.7.3, and NTLS 2.0.2):

9.3.4 NTLS 2.0
9.4.2 NICI 2.7
9.4.4 NTLS 2.0
9.5.2 NICI 2.7
9.5.3 NMAS 3.1
9.5.4 NTLS 2.0
10.2 NMAS
10.3 NICI

1.0 System Requirements For Security Services 2.0.6

This bundle will install on the following platforms:

  • NetWare®

    • NetWare 6.5 SP6

    • NetWare 6.5 SP7

  • Linux*

    • SUSE® Linux Enterprise Server (SLES) 9 and 10

    • Red Hat* Advanced Server 3.0 and 4.0

    • Red Hat Enterprise Linux 5.0 (eDirectory™ 8.8 SP2 only)

  • Solaris*

    • Solaris 8 (eDirectory 8.7.3 SP9 only)

    • Solaris 9

    • Solaris 10 (eDirectory 8.8 SP2 only)

  • HP-UX*

    • HP-UX 11i

  • AIX*

    • AIX 5.2

  • Windows*

    • 2000 Advanced Server SP4

    • 2000 Professional SP4

    • Server 2003

1.1 Extending the Schema

The Security Services 2.0.6 patch copies newer schema files to the server; however, they are not extended by default. Some newer functionality (such as the new Passwords iManager plug-in) does not work until the schema has been extended manually. If you have previously extended the schema manually with the Security Services 2.0.5 patch, you do not need to re-extend the schema. For instructions on extending the schema, see the eDirectory Administration Guide.

The schema needs to be extended once per tree. The schema files that need to be extended are nmas.sch, nspm.sch, notf.sch, and nsimpm.sch.

If you are running eDirectory 8.7.3, NDSD can sometimes dump the core when shutting down NDSD or when using eMBox. If you are not using embox/dsbk, you can comment embox out of the ndsmodules.conf and restart NDSD. If you are using embox/dsbk, you can create a symbolic link (see below) after installing Security Services 2.0.6. To resolve this coring issue, recreate the softlink as follows after the install: ln -s/etc/opt/novell/nici.cfg /etc/nici.cfg. Please see TID #3154121 and TID #3950804.

This bundle has been tested with eDirectory 8.7.3 SP10a and eDirectory 8.8 SP2. Novell recommends one of these minimum versions be installed prior to installing Security Services 2.0.6.

The Security Services 2.0.6 patch installs Novell Certificate Server, NICI 2.7.3, NMAS 3.2.1, and NTLS 2.0.2 by using one integrated install script.

1.2 Minimal and Custom Install Prerequisites

If you have performed a minimal or custom install of SUSE Linux Enterprise Server (SLES) or Red Hat Advanced Server, you might lack a dependent module needed by this Security Services 2.0.6 patch. The Security Services 2.0.6 patch is dependent on the Compat library being installed on your server. You can identify whether this module is installed on your server by running the command rpm -qa |grep compat. For Open Enterprise Server (OES) or SLES, this command returns compat-2004.7.1-1.2 or later. For Red Hat, it returns compat-libstdc++-296-2.96-132.7.2 or later.

If you don’t have the Compat module installed, the module is found on your install CDs.

2.0 Installation Instructions

This section contains installation instructions in the following sections:

2.1 Downloading Security Services 2.0.6 Software

  1. Go to the Novell Download Web site.

  2. In the Product or Technology drop-down list, select Security Services.

  3. Download the necessary platform-specific files for the Security Services 2.0.6 patch:

    • For NetWare: ss206_NW.tgz

    • For Linux, Solaris, HP-UX, and AIX: ss206_SLAH.tgz

    • For Windows: SS_Setup.exe

    • For NMAS Methods updates on all platforms: nmmthd277.tgz

  4. On NetWare, Linux, Solaris, HP-UX, and AIX servers, extract the download to a temporary directory on the server.

    For NetWare, use a decompression utility that supports tgz, such as WinZip.

    For Linux, Solaris, HP-UX, and AIX servers, use gzip and tar to decompress and extract the tarball to a temporary directory. For example, tar -zxvf ss206_SLAH.tgz.

  5. Run the installation script. For information on running the installation script, see Section 2.2, Running the Installation Script.

2.2 Running the Installation Script

The following procedures describe how to run the installation script on NetWare, Windows, Linux, Solaris, HP-UX, and AIX servers.

To run the installation script on a NetWare server:

  1. Load NWCONFIG and select Product Options > Install product not listed, then press Enter.

  2. Press F3 and enter the path to the extraction directory (for example, sys:temp\ss206_nw\).

  3. Follow the installation prompts.

To run the installation script on a Windows server:

  1. Double-click the SS_Setup.exe file.

To run the installation script on a Linux, Solaris, HP-UX, or AIX server:

  1. Navigate to the extraction directory (for example, tmp\ss206_SLAH\).

  2. Run the script.

    The script detects if you are on a Linux, Solaris, HP-UX, or AIX server, and installs the corresponding packages.

    If any component of the directory in the path for the Security Services install script contains a space, the install on Linux fails. Please verify that the path for the install script does not contain any spaces.

To install NMAS methods:

  1. Extract nmmthd277.tgz to a temporary directory, then use the NMAS iManager plug-in or nmasinst to install or update your methods.

    See nmasinst -help for more information on using nmasinst.

To use the NMAS iManager plug-in:

  1. Select NMAS Role > NMAS Login Methods.

    IMPORTANT:Methods are installed once per tree.

3.0 Security Services General Issues

This release of eDirectory does not update the security components for an eDirectory 8.8, eDirectory 8.8 SP1, or an eDirectory 8.8 SP2 tarball installation.

4.0 Certificate Server

This section contains the following sections regarding Certificate Server

For detailed Certificate Server documentation, see the Certificate Server Documentation Web site.

4.1 Issues Resolved

  • Abend when revoking Certificate with DSTrace enabled.

  • Rights issues when creating user certificates.

NOTE:Some of the libraries for PKI are 3.3.0 and some are

4.2 Installation Issues

Server abends if NPKIAPI.nlm, NPKIT.nlm, and NPKI.jar files on the server are not version 3.30 or later when installing the Security Services 2.0.6 patch on NetWare 6.5 SP6 with iManager 2.6: If the Security Services 2.0.6 patch is being installed on NetWare 6.5 SP6 with iManager 2.6, then it is crucial that the NPKIAPI.nlm, NPKIT.nlm, and npki.jar files on the server be version 3.30 or later to avoid an abend. iManager and the Novell Certificate Server plug-in use the npki.jar file in the sys:\tomcat\4\webapps\nps\WEB-INF\lib directory.

NOTE:If this step has already been done during the last install of Security Services 2.0.5, you do not need to copy the .jar file or install the latest Novell Certificate Server plug-in.

After installing Security Services 2.0.6 on NetWare 6.5 SP6 with iManager 2.6, do one of the following:

  • Install the latest version of the Novell Certificate Server plug-in (recommended).

  • Manually copy the npki.jar file found in sys:\system to sys:\tomcat\4\webapps\nps\WEB-INF\lib directory.

    If you installed NetWare 6.5 SP7 and chose to also install iManager 2.7 and the plug-ins, then the versions all match and no further user intervention is required.

4.3 Administration Issues

  • If server self-provisioning is enabled, the PKI Health Check might replace the default certificates every time PKI Health Check runs (every time PKI loads): This only occurs if you have created a CRL configuration object and you have not configured any CRL distribution points. To avoid this, do one of the following:

    • Finish configuring the CA’s CRL capability by using iManager’s Configure Certificate Authority task to create one or more CRL distribution points.

    • Delete any CRL Configuration objects (for example, CN=One - Configuration.CN=CRL Container.CN=Security).

  • With the iManager Certificate Server Plug-in, when you use either the Repair Default Certificates or Create Default Certificates task, the task might force the replacement of the default certificates (even if you did not specify a forced replacement): This occurs only if you have created a CRL configuration object and you have not configured any CRL distribution points. To avoid this, you can do one of the following:

    • Finish configuring the CA's CRL capability by creating one or more CRL Distribution Points using iManager's Configure Certificate Authority task.

    • Delete any CRL Configuration objects (for example, CN=One - Configuration.CN=CRL Container.CN=Security).

  • When the Certificate Authority is hosted on a server that is running a version of eDirectory prior to 8.8, you cannot use the CRL and sub-CA features: In order to use the CRL and sub-CA features, the Certificate Authority must be hosted on a server that is running eDirectory 8.8 or later. The CRL and sub-CA features are officially supported only on eDirectory 8.8 or later.

  • When attempting to make keys extractable on a version of eDirectory prior to 8.7.3, you receive a -1222 error: When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for key pair generation is running eDirectory 8.7.3 or later. If you are attempting to make the keys extractable on an eDirectory version prior to 8.7.3, you receive a -1222 error.

  • You receive an error -613 during the installation of Novell Certificate Server: Novell Certificate Server automatically creates server certificates for all the IP and DNS addresses configured on the machine. Because the maximum object name length is 64 characters, you might receive the following error during the installation of Novell Certificate Server if the combination of the server name and the DNS name is 64 characters or more:

    The PKI install was unable to create the default IP and DNS certificates. Error -613. Do you want to retry?

    The -613 error is not a fatal error; however, Novell Certificate Server cannot create the auto-generated certificates that match the long DNS name.

    To avoid this problem with future servers, make sure that the combined number of characters of the DNS name and the server name is fewer than 64 characters.

    To fix this problem on an existing server, use iManager to manually create a server certificate using the DNS name or the IP address as the certificate subject name, depending on the needs of your applications.

    For instructions on how to create server certificates, see the Novell Certificate Server Administration Guide.

    After the server certificate is created, the applications (Apache*, Tomcat, etc.) on which you want to use the new server certificate must be configured to use it.

5.0 NICI 2.7.3

This section contains the following information regarding NICI 2.7.3:

For detailed NICI documentation, see the NICI Documentation Web site.

5.1 Issues Resolved

There have been no changes since Security Services 2.0.5. The following are bugs that were fixed in Security Services 2.0.5:

  • Removed fopen from the debug code.

  • Fixed a memory leak during initial config processing.

  • Fixed a typo in the primnici man page.

5.2 Administration Issues

  • If a user loses access rights to the configuration file for any reason, a -1497 error might result: This is sometimes caused by a change of access rights or account identification. On Windows, where the user directory is based on the account name, deleting an account and creating a new one with the same name results in a new SID, which affects user access rights. On UNIX/Linux systems, the user directory name is based on the User ID and changing the UID affects access to the configuration files.

6.0 NMAS 3.2.1

This section contains the following information regarding NMAS 3.2.1:

For detailed NMAS documentation, see the NMAS Documentation Web site.

6.1 Issues Resolved

The following bugs were fixed for NMAS 3.2.1:

  • NMAS no longer cores when XML complexity policy is enabled and Verify password for compliance during login option is not enabled.

  • After migrating a hashed Simple Password to the Universal Password, the diagpwd utility no longer fails with the error -1695 (NMAS_E_INCOMPATIBLE_LOGIN_DATA).

  • NMAS no longer returns a buffer overflow when min and max numeric password values are set in the advanced password policy.

  • Fixed a small memory leak during failed login attempts when intruder detection is enabled.

  • Fixed a context leak when a password policy is not assigned to the user object, to the user object's parent container, or the user object's partition root.

  • NMAS login now treats account expiration time in the same way as eDirectory login.

  • Password policy compliance is now enforced when using LDAP.

  • If NDSD_TRY_NMASLOGIN_FIRST is set to True, the IDM Role Service Driver no longer fails to start with a -779 (ERR_CANNOT_GO_REMOTE) error.

  • NMAS no longer does a core dump while setting Universal Password when removing password history values.

  • Random password generation now correctly adheres to maximum consecutive character restrictions.

  • The Microsoft Complexity Policy is not checked if a disallowed attribute value is contained in the password if the attribute value is less than three characters.

  • Resolved several NMAS issues when the eDirectory process has consumed most or all of the memory available to it.

  • You can now unlock a screen saver on a server with no replicas when NMAS auditing is enabled.

6.2 Installation Issues

There are no installation issues for this release.

6.3 Administration Issues

There are no administration issues for this release.

6.4 Universal Password Issues

  • If you are using a Simple Password method version that shipped prior to eDirectory 8.7.3, you might encounter an issue with Simple Password when users authenticate through LDAP: In this case, the Universal Password might not synchronize with the Simple Password. To remedy this problem, update the Simple Password method to version 2.7.5 or later. The Simple Password method can be updated by using nmasinst or the NMAS iManager plug-in. The Simple Password method is found in the nmmthd277.tgz download. After it is extracted, the Simple Password method is found in the nmmthd277\novell\simplepassword directory.

    The NDS® password is migrated to the Universal Password when doing an LDAP bind if eDirectory 8.8.x is installed and configured to use NMAS login for LDAP binds. Information on configuring eDirectory to use the NMAS login for LDAP binds can be found at the eDirectory Documentation Web site.

7.0 NTLS 2.0.2

There have been no changes to NTLS since Security Services 2.0.5. The following issues were fixed in Security Services 2.0.5:

  • LDAP refresh no longer causes memory buildup in xmgr (NICI).

  • NDSD no longer cores while using Encrypted Replication.

  • Certmutual logins no longer fail with LDAP error 81.

8.0 NMAS Methods 2.7.7

This section contains the following information regarding NMAS Methods 2.7.7:

8.1 Issues Resolved

  • When answering challenge questions, the answers can now be masked (See TID 3794808 for more details).

  • Special characters in the challenge response no longer cause the login to fail.

  • The challenge/response method no longer fails to install the resource DLL.

  • The challenge/response security vulnerability has been fixed. Clipboard contents can be pasted into input fields.

  • Invoking the forgotten password feature no longer causes eDirectory to crash.

  • Simple Password no longer expires the password when it sets the Universal Password.

8.2 Methods and Sequences Issues

  • The following NMAS methods have been end-of-lifed and were removed from the Security Services 2.0.4 (and later) release:

    • Advanced X.509 Certificate

    • Enhanced Password

    • Entrust*

    • NDS Change Password

    • Simple X.509 Certificate

    • Universal Smartcard

    • Simple Password Login Client Module (LCM)

  • The NMAS MethodInstaller is end-of-lifed and has been replaced by the new iManager NMAS plug-in.

  • Nmasinst does not have an option to remove NMAS methods. This must be done through iManager. For more information, see the NMAS Administration Guide.

9.0 Fixes in Previous Security Services Patches

This section lists issues that have been resolved in the following security services patches:

9.1 Security Services 2.0.5 Issues Resolved

This section contains issues that were resolved in Security Services 2.0.5 for the following products:

9.1.1 Issues Resolved in PKI 3.3.0

  • Importing certificates without Digital Signature key usages is now allowed.

  • Fixed NPKI man pages.

  • You can now create an AIA extension.

  • Remote post-install of the Certificate server no longer fails.

  • Added server self-provisioning and user self-provisioning.

  • If the eDirectory CA acts as a SubCA, pki.nlm no longer exports the Intermediate Trusted Root into the RootCert.der instead of the self-signed trusted root.

  • NDSD no longer crashes after installing ssp 2.03 with a CRL list (Solaris only).

  • Changed NPKIT and NPKIAPI to be 64-bit compatible.

  • (OES2 Enhancement) Added capability to the Health Check code to export certificates/private keys to the file system for local services to use.

  • Fixed a path length violation while running the validation process on a level three root certificate.

  • Added IP/DNS names to subject alt names for the CreateDefaultCertificates API.

  • Added the capability to create default certificates to the PKI server health check.

  • On OES 2, the PKI Install can now configure the export of certificates/private keys to the file system.

  • Health check Create Default Certificates can now force certificate creation when the CA changes.

  • On OES 2, the PKI Health Check now inserts the eDirectory CA's certificate into the system Java keystore.

  • On OES 2, the PKI Health Check now adds servers as SDI Key Servers (W0:SDI Key Server DN list).

  • There is no longer an exception in NPKIAPI KMOExportClearAllValues call via npki.jar.

  • NPKIGetServerInfo is now returning SHA2 keys.

  • Fixed X.509 Decode to include the extended key usages.

9.1.2 Issues Resolved in NICI 2.7.3

  • Removed fopen from debug code.

  • Fixed memory leak during initial config processing.

  • Fixed typo in primnici man page.

9.1.3 Issues Resolved in NMAS 3.2.0

  • Increased LDAP Bind performance with NDSD_TRY_NMASLOGIN_FIRST=true.

  • After applying SSP201 scrsaver.nlm will now unlock screen saver with users that have a network address restriction applied equal to the server IP Address.

  • Intruder detection. Now allows account to be locked indefinitely.

  • NMAS can now use external Certificates for Novell Audit.

  • Scrsaver.nlm no longer fails to unlock screen if the admin user has a default sequence defined.

  • When a user has a default login method that is not possible, the client fails over to NDS method.

  • NMAS can now evaluate X number of characters to support character limited systems.

  • Minimum and Maximum upper and lower case rules are no longer confusing.

  • Added functionality to remove values from the password history if the attempt to decrypt the value fails with a -1416 or a -1518 error.

  • Limited Universal password access only to administrators of a special group.

  • NMAS spmnwcc no longer 'breaks' legacy functionality of address restrictions.

  • You no longer get an NMAS error -1642 when trying to autoprovision for the first time with NCP.

  • Bug 260538 - Unable to get nspm password(2) failed, -1697

  • You no longer get 16022 errors in IDM trace when no maximum password length is specified or if minimum and maximum password lengths are set to be the same value.

  • Generate Password token no longer gives -6022 NMAS error when nspmMinUniqueCharacters is equal to nspmMaximumLength.

  • 3rd party NMAS method now works multiple times.

  • Password expiration is no longer set forward when the user cancels out of password change.

  • Generate Password noun now abides by rules with Microsoft Complexity*.

  • When using Microsoft Complexity, setting a user’s Universal Password in iManager 2.6 no longer changes the user’s Minimum password length to 0.

9.1.4 Issues Resolved in NMAS Methods 2.7.5

  • Challenge Response LSM no longer returns successful authentication on unparseable XML challenge set.

  • Fixed typo in Challenge Response method file.

  • Attempting to authenticate using Challenge Response method no longer causes core dump on SLES 9 server.

  • No longer get error FFFFFDA5(603) if NMAS sequence is set to Challenge/Response but user has no challenge set.

  • DIGEST-MD5 (2.7.4) authentication no longer fails with Invalid credentials (49) or -1632.

9.2 Security Services 2.0.4 Issues Resolved

This section contains issues that were resolved in Security Services 2.0.4 for the following products:

9.2.1 Issues Resolved in PKI 3.2.2

  • PKI is now calculating UTC minutes when populating a KMO's NDSPKI:Not Before and Not After values.

  • No longer get a CA not operational error when you try to Issue Now a CRL.

  • The default certificate SSL CertificateDNS is now been created in Solaris.

  • No longer get an error when trying to add a Novell Extension to a certificate when the CA doesn't have a Novell Extension.

  • Added EKU of Encrypting File System support.

  • Added support for RFC 2985 (Certificate Extensions in a CSR).

  • verifyCertificate API is no longer getting error Basic Constraints: Subject Path Length violation -1258.

  • eDirectory no longer cores in module NPKI when restarting server

9.2.2 Issues Resolved in NICI 2.7.2

  • Implemented changes in NICI to meet FIPS requirements.

  • Fixed Bsafe vulnerabilities VU#845620-

  • NW Password Hash sometimes does now process null passwords correctly.

  • With the NMAS and NICI clients installed, the nwtray no longer shuts down when attempting to log in.

  • No longer abends PFPE in XMGR.NLM at code start +000184DDh.

9.2.3 Issues Resolved in NMAS 3.1.3

  • Enabled Excluded Passwords list to include wildcards.

  • nmasinst can now log in to the tree without -h option on Linux.

  • Added Universal Password setting to not expire passwords when changed by admin.

  • Added Password change timestamp attribute.

  • Expanded containment rules for nspmPasswordPolicy, nsimChallengeSet, nspmPasswordPolicyContainer.

  • Added an option that removes the oldest passwords from the password history when the number of passwords in the history exceeds a configured limit.

  • NMAS Simple Password method binds are no longer failing on Linux and UNIX.

  • Added an NMAS Attribute ID that will return a typefull DN.

  • No longer experiencing an ndsd core dump on AIX in nmasRefresh.

  • No longer experiencing an ndsd core dump on Linux in nmasRefresh.

  • No longer experiencing a Core/Abend when Blank or Null password is set.

  • Can now read Post Login Config or SecretStore from a PLSM.

  • When password history is full, and "Verify whether existing password complies..." turned on, with each login the user password is no longer expired.

  • NMAS no longer abends after updating to NMAS 3.1.2 on BorderManager 3.8 SP5 VPN serverv.

  • nmasinst.nlm is now updating local server with nmas extensions.

  • Added additional trace messages for failures loading and unloading methods.

  • Removing Universal Password attributes with "Verify" option enabled, no longer causes password migration or states that the password is expired.

  • NMAS no longer causes a core dump when there is not a handler for the trace messages.

  • Fixed IDM setting/reading simple password error 1659, 9065.

9.2.4 Issues Resolved in NTLS 2.0.1

  • Fixed double-free of NICI ctx inside ssl_ctx_read_kmo.

  • Fixed openSSL vulnerability -RSA Signature Forgery (CVE-2006-4339).

  • CertMutual method no longer fails with -16049 error - SLES 9 SP3 server.

  • NetWare 6.5 SP6 no longer abends if LDAP server is associated to an empty Trusted Roots container.

  • NetWare 6.5 SP6 no longer abends when loading Apache.

9.2.5 Issues Resolved in NMAS Methods 2.7.4

  • jndi md5-digest no longer fails with international chars in username due to using "ISO-8859-1" charset for username in hash.

  • Now receive text strings from challenge/response in utf-8.

  • Long questions in Challenge/Response no longer give -1639 error.

  • Ampersand (&) in Challenge/Response question or answer no longer causes NMAS error -1665.

  • The 2.7.2 DigestMD5 LSM no longer hangs while unloading on Netware.

  • The 2.7.2 CertMutual LSM no longer hangs while unloading on Netware.

9.3 Security Services 2.0.3 Issues Resolved

This section contains issues that were resolved in Security Services 2.0.3 for the following products:

9.3.1 NPKIAPI 3.21

(npkiapi) Downgrading CA no longer causes new certificate creation to fail.

9.3.2 NICI

NICI keys now migrate when running Migration Wizard.

9.3.3 NMAS 3.1.2

  • nmasinst for NetWare no longer requires password in clear text on console.

  • Expiring a user's password with grace logins no longer resets after one login without changing the password.

  • NMAS - removed fopen, fclose, etc calls.

  • Require a password is now being honored correctly.

  • Failed login delay now resets to default after Login Policy attribute is deleted.

  • Fixed Security Vulnerability - NMAS BerDecodeLoginDataRequest DoS Vulnerability.

  • Null character on Simple Password is no longer dropped when UP writes to Simple.

  • User is now able to do NMAS authentication via IPX™ after applying NMAS 3.1.1.

  • Mapping a volume via CIFS no longer abends server in NMAS.NLM (Owned by CIFSPROX.NLM).

  • Maximum password length is now enforced for password change or set.

  • nmasldap_check_login_policy does not cause NetWare to abend.

  • Invalid parameters to nmasldap_set_address_policy do not cause server to abend.

  • Challenge Response questions\answers are no longer being written to multiple servers.

  • Fixed memory leak in MAF_MemMalloc.

  • NMAS no longer abending when logging in with NCP cilent.

  • No longer get a 659 error in nmas trace while doing ldapbinds, even when time is in sync.

  • Network address restriction is now being enforced with SSP 202.

  • No longer abends when auditing is enabled.

  • SPMNWCC.NLM no longer causes FTP logins to go through NMAS and experience long delays on exref server.

  • NMAS Simple Password Binds are no longer failing in AIX 5.2 with eDirectory

9.3.4 NTLS 2.0

There have been no NTLS bugs fixed since the last release.

9.3.5 NMAS Methods 2.7.3

  • Challenge ResponseClient no longer truncates Challenge question if longer than 77 characters.

  • Random ASCII characters are no longer displayed in place of é in the French challenge questions when displayed from the Novell Client.

9.4 Security Services 2.0.2 Issues Resolved

This section contains issues that were resolved in Security Services 2.0.2 for the following products:

9.4.1 Certificate Server 3.2

  • rootcert.der is now created during the post-install if it doesn't exist.

  • Bug 86009 - Fixed NPKIT umask setting.

  • Added Private Key to PEM type.

  • No longer get a -603 erro when importing a user certificate.

  • Removed fopen and fclose calls (Solaris).

  • Fixed timing abend issue in pki.nlm.

  • Allowable Subject Names matching enabled for User Self-Provisioning.

  • Can now use the newest CRL rather than a cached one when validating certificates.

9.4.2 NICI 2.7

No NICI bugs were fixed since the last release.

9.4.3 NMAS 3.1.1

  • NMAS is now clearing "Incorrect login count" when the "Intruder attempt reset interval" has elapsed.

  • Added configuration option to turn NMAS audit off so that NMAS no longer generates Novell Audit events that auto load logevent.nlm and fill up the HD.

  • nmasldap_check_login_policy() now handles grace logins.

  • Associating Universal Password Policy on a container no longer expires users passwords if their password doesn't comply with the Policy.

  • Login with iManager for a user which has been moved to a long named OU no longer shuts down the NDSD service on SLES 9.

  • NMAS LSC file no longer contains 2 entries with the same ID.

  • LSM audit events now use the method name, not the library name for the component field in audit events.

  • Updated audit event file to support audit's new event groups feature.

  • nmasinst for NetWare no longer requires password in clear text on console.

  • nmasinst no longer displays debug messages.

  • MAF_DS functions are now updated.

  • NDS method is now created with the sasMethodVersion attribute.

  • ndsconfig add is no longer failing.

  • No longer causes an abend if the nspmExcludeList is not terminated.

  • Password history is now enforced when password is expired.

  • Core dump no longer occurs on performing LDAP Search / Add / Modify & Delete operations as different users who are members of different dynamic groups.

  • Fixed unknown error -338, which occurred during ndsconfig while configuring NMAS service.

  • Password History is now case sensitive.

  • Password policy now functions properly when Verify Password on Login and Restrict Days Before Password Can Be Changed are both enabled.

  • Password is no longer expired when incorrect password is attempted.

  • With the password management property, you are able to set the nspmDistributionPassword, and you are now able to read the password.

  • Now able to set simple password (when treekey is DES, instead of 3DES).

  • Fixed error -1658 DALCreateLoginSession:GetXKey after uploading users with Passwords.

  • After upgrading to NMAS 3.1, Post Login methods (Secure Workstation) no longer break or give 1660 and 1652 errors.

  • When Locked By Intruder is False, login does not fail due to account being locked.

  • NDS method no longer sets the Universal Password every time a user logs in, when the advanced Universal Password rules are not enabled.

  • Fixed NMAS memory leak in NMAS (eDirectory 8.8 SP1).

  • Fixed Radius authentication that was causing NMAS to cause 100% CPU utilization when users have many authorized clearances assigned to them.

9.4.4 NTLS 2.0

No NTLS bugs were fixed since the last release.

9.5 Security Services 2.0.1 Issues Resolved

This section contains issues that were resolved in Security Services 2.0.1 for the following products:

9.5.1 Certificate Server 3.1.1

  • Certificate Server is no longer selected by default for a post-install on NetWare 6.5/OES. If the post-install is over eDirectory 8.8, the user is now warned if files are downgraded.

  • Fixed the dynamic load of DClient symbols problem.

  • Fixed ASN.1 error with decoding CRL Distribution List.

  • Pkiinst now creates security objects.

  • A CRL is now created when the CA is created on second server.

9.5.2 NICI 2.7

No NICI bugs were fixed since the last release.

9.5.3 NMAS 3.1

  • Added Verify Password Meets Policy on Login support for Client32TM (4.9.1 SP2).

  • Added an NMAS LDAP extension to force NMAS policy refresh for all platforms.

  • Added NMAS LDAP extension to check the login policy for a user and to update a user's login statistics.

  • NDS Proxy LCM no longer times out setting the Universal Password if NDS LSM fails.

  • Added Active Directory complexity Password Policy.

  • Added Filtered Replica Support for Universal Password.

  • With 2000 concurrent client binds, an NMAS server no longer runs out of threads.

  • Notification of intruder lock on Windows is now to a log file, not in message boxes.

  • A remote upgrade from NW65 to NW65 SP4 no longer returns NMAS Login Methods could not be created errors.

  • Setting Simple Password no longer fails with error -603.

  • Ldapbinds from 300 clients no longer gives errors -669 and -6038.

  • There is no longer a long delay when setting a password.

  • Clients login test to mixed Linux and NW tree no longer gets System could not log you into the network errors.

  • When a user’s password has expired, it now shows the Change Password screen in iManager 2.5.

  • Can now set Simple password through LDAP after applying NMAS 2.3.9.

  • Ldapsearch no longer fails with -632 error with wrong password before migrating the password (after enabling Universal Password).

  • IPX login no longer fails with Network Address Restrictions set to all nodes FFFFFFFFFFFF and with NMAS enabled.

  • IPX address restriction has been corrected.

  • NDSD no longer does a core dump in NMAS after applying Solaris 8 cluster patch dated 11/10/05.

  • When user has address restrictions set, a client login no longer causes NMAS to abend.

  • Segmentation fault is corrected in spmDDCAtLoginEndCallBack when DDCVerifyPassword is called.

  • Added configurable login delay.

  • Added an API to retrieve the previous distribution password.

  • Policy Refresh Rate setting is now effective.

  • The intruder count is now cleared after exceeding the intruder expire date.

  • LDAP bind no longer fails when password is expired and the number of grace logins remaining is not zero.

  • Password lifetime is not enforced when the password is expired.

  • A trace message has been provided to report invalid SASL mechanism.

  • User can now do an NMAS authentication via IPX after applying NMAS 2.3.9 or NMAS 2.4.0.

9.5.4 NTLS 2.0

No NTLS bugs were fixed since the last release.

10.0 Online Product Documentation

This section provides information on accessing online documentation for the following Security Services 2.0.6 products:

10.1 Certificate Server

For online documentation regarding Novell Certificate Server, see the Novell Certificate Server Web site.

10.2 NMAS

For online documentation regarding NMAS, see the Novell Modular Authentication Services (NMAS) Web site.

10.3 NICI

For online documentation regarding NICI, see the Novell International Cryptography Infrastructure (NICI) Web site.

11.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (® , TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark