Security Services 2.0.1 Readme

March 10, 2006


About This Readme

This file contains installation instructions and issues related to Security Services 2.0.1 (Novell® Certificate Server™ 3.1.1, NICI 2.7, NMAS™ 3.1, and NTLS 2.0).

1.0 Prerequisites
1.1 Minimal and Custom Install Prerequisites
2.0 Installation Instructions
3.0 Security Services General Issues
4.0 Certificate Server 3.1.1
4.1 Issues Resolved
4.2 Administration Issues
5.0 NICI 2.7
6.0 NMAS 3.1
6.1 Issues Resolved
6.2 Installation Issues
6.3 Administration Issues
6.4 Universal Password Issues
7.0 NMAS Methods 2.7.2
7.1 Issues Resolved
7.2 Methods and Sequences Issues
8.0 Legal Notices


1.0 Prerequisites

Security Services 2.0.1 can be installed on eDirectory™ 8.7.3 or eDirectory 8.8. This bundle will install on the following platforms:

This bundle has been tested with eDirectory™ 8.7.3 SP7, eDirectory 8.7.3 SP8, and eDirectory 8.8. Novell recommends that one of these versions, at minimum, be installed prior to installing Security Services 2.0.1. Of the eDirectory 8.7.3 versions, SP8 is recommended.

The ssp201.tgz file installs NMAS 3.1, Certificate Server 3.1.1, NTLS 2.0, and NICI 2.7 using one integrated install script.

NOTE: NMAS Methods 2.7.2 are also included in this download; however, they are not installed by default. To install NMAS methods, use methodInstaller.exe from a Windows workstation or nmasinst for the other platforms. Methods are installed once per tree. The NMAS methods are found in the /ssp201/nmmthd272/novell directory.


1.1 Minimal and Custom Install Prerequisites

If you have performed a minimal or custom install of SLES or Red Hat Advanced Server, you may be lacking a dependent module needed by this eDirectory Security Support Pack. eDirectory security depends on the Compat library being installed on your server. You can check whether this module is installed on your server by running the following command:

rpm -qa | grep compat

For SLES, look for this command to return compat-2004.7.1-1.2 or later. For Red Hat, look for compat-libstdc++-296-2.96-132.7.2 or later.

If you don't have the Compat module installed, the module can be found on your install CDs.
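The following pre-install check is an added example, not part of the Novell readme or the ssp201 install script. It takes the output of rpm -qa (constructed sample output here), picks out the Compat package the readme names for SLES or Red Hat, ignores unrelated compat-* packages, and compares the version against the readme's minimum; it assumes GNU sort (for sort -V), as shipped with both distributions.

```shell
#!/bin/sh
# Added pre-install check (not from the Novell readme or install.sh):
# is the Compat library present at or above the minimum the readme names?
# Assumes GNU coreutils sort, which supports version ordering (sort -V).

# Minimum versions quoted in the readme.
SLES_MIN='compat-2004.7.1-1.2'
RHEL_MIN='compat-libstdc++-296-2.96-132.7.2'

# version_ge HAVE MIN -> 0 when HAVE sorts at or after MIN in version order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# compat_ok DISTRO RPM_LIST -> 0 when RPM_LIST (the output of "rpm -qa")
# contains the required Compat package at or above the minimum, 1 otherwise.
# DISTRO is "sles" or "rhel". Other compat-* packages (compat-openssl,
# compat-libstdc++-33, ...) are filtered out so they are not mistaken for it.
compat_ok() {
    distro=$1
    rpm_list=$2
    case $distro in
        sles) pattern='^compat-[0-9]'; min=$SLES_MIN ;;
        rhel) pattern='^compat-libstdc[+][+]-296-'; min=$RHEL_MIN ;;
        *) echo "unknown distro: $distro" >&2; return 2 ;;
    esac
    have=$(printf '%s\n' "$rpm_list" | grep -E "$pattern" | head -n 1)
    [ -n "$have" ] || return 1
    version_ge "$have" "$min"
}

# Constructed sample output of "rpm -qa | grep compat" from two servers:
# a SLES server with the minimum Compat package, and a Red Hat server whose
# compat-libstdc++-296 is older than the readme requires.
SLES_SAMPLE='compat-openssl097g-0.9.7g-13.5
compat-2004.7.1-1.2'
RHEL_OLD_SAMPLE='compat-libstdc++-296-2.96-128.7.2
compat-libstdc++-33-3.2.3-47.3'

report() {
    if compat_ok "$1" "$2"; then
        echo "$1: Compat library OK"
    else
        echo "$1: Compat library missing or too old; install it from the distribution CDs"
    fi
}
report sles "$SLES_SAMPLE"
report rhel "$RHEL_OLD_SAMPLE"
```

On a real server, replace the sample with `compat_ok sles "$(rpm -qa)"` or `compat_ok rhel "$(rpm -qa)"`.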


2.0 Installation Instructions

  1. Download ssp201.tgz from the Novell Downloads Web site.

  2. Extract ssp201.tgz to a temporary directory on the server.

    On Windows and NetWare servers, use a Windows decompression utility that supports tgz, such as WinZip.

    On Linux and UNIX servers, use gzip and tar to decompress and extract the tarball to a temporary directory. For example, gzip -d -c ssp201.tgz | tar xv

  3. Run the installation script.

    On NetWare servers, load NWCONFIG and select Product Options > Install product not listed, then press Enter. Press F3 and enter the path to the extraction directory (for example, sys:temp\ssp201\nw), then follow the installation prompts.

    On Windows servers, go to the extraction directory (for example, temp\ssp201\nt) and double-click the ssp_setup.exe file.

    On Linux and UNIX servers, go to the extraction directory (for example, temp\ssp201\unix) and run the install.sh script. The script detects if you are on Linux or UNIX. If the system is UNIX, the script detects the correct platform and installs the corresponding packages.


3.0 Security Services General Issues


4.0 Certificate Server 3.1.1

For detailed Certificate Server documentation, see the Certificate Server documentation Web site.


4.1 Issues Resolved

  • 128484 Cert Server is selected by default for a post-install on NetWare 6.5/OES. Files are downgraded if the post-install is over eDirectory 8.8.
  • 130661 Fix for the dynamic load of DClient symbols problem.
  • 143988 Fix for ASN.1 error with decoding CRL Distribution List.
  • 148939 Pkiinst now creates security objects.
  • 150533 A CRL is now created when the CA is created on second server.


4.2 Administration Issues

  • In order to use the CRL and sub-CA features, the Certificate Authority (CA) must be hosted on an eDirectory 8.8 or later server. The CRL and sub-CA features are officially supported only on eDirectory 8.8 or later. The features might work on eDirectory 8.7.x, but they have not been tested.
  • When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for the key pair generation is running eDirectory 8.7.3 or later. If you are attempting to make the keys extractable on an eDirectory version prior to 8.7.3, you will receive a -1222 error.
  • Novell Certificate Server automatically creates server certificates for all the IP and DNS addresses configured on the server. You might receive the following error during the installation of Novell Certificate Server if the combination of the server name and the DNS name is 64 characters or more, because the maximum object name length is 64 characters:

    "The PKI install was unable to create the default IP and DNS certificates. Error -613. Do you want to retry?"

    The -613 error is not a fatal error; however, Novell Certificate Server will not be able to create the auto-generated certificates which match the long DNS name.

    To avoid this problem with future servers, make sure that the combined number of characters of the DNS name and the server name is fewer than 64 characters.

    To fix this problem on an existing server, use iManager to manually create a server certificate using the DNS name or the IP address as the certificate subject name, depending on the needs of your applications.

    See the Novell Certificate Server Administration Guide for instructions on how to create server certificates.

    After the server certificate is created, the applications (Apache, Tomcat, etc.) on which you want to use the new server certificate must be configured to use it.


5.0 NICI 2.7

For detailed NICI documentation, see the NICI documentation Web site.

No new NICI issues for this release.


6.0 NMAS 3.1

For detailed NMAS documentation, see the NMAS documentation Web site.


6.1 Issues Resolved

  • 71160 Added Verify Password Meets Policy on Login support for Client32™ (4.9.1 SP2).
  • 84957 Added an NMAS LDAP extension to force NMAS policy refresh for all platforms.
  • 85016 Added NMAS LDAP extension to check the login policy for a user and to update a user's login statistics.
  • 85024 NDS Proxy LCM no longer times out setting the Universal Password if NDS LSM fails.
  • 85042 Added AD complexity Password Policy.
  • 85054 Added Filtered Replica Support for Universal Password.
  • 85129 With 2000 concurrent client binds, an NMAS server no longer runs out of threads.
  • 85567 Notification of intruder lock on Windows is now to a log file, not in message boxes.
  • 97843 A remote upgrade from NW65 to NW65 SP4 no longer returns "NMAS Login Methods could not be created" errors.
  • 97779 Setting Simple Password no longer fails with error -603.
  • 105869 LDAP binds from 300 clients no longer give errors -669 and -6038.
  • 114164 There is no longer a long delay when setting a password.
  • 114187 Client login tests to a mixed Linux and NetWare tree no longer get "System could not log you into the network" errors.
  • 115031 When a user's password has expired, the change password screen is now shown in iManager 2.5.
  • 117472 Can now set Simple password through LDAP after applying NMAS 2.3.9.
  • 120572 ldapsearch no longer fails with a -632 error when a wrong password is supplied before the password has been migrated (after enabling Universal Password).
  • 124321 IPX login no longer fails with Network Address Restrictions set to all nodes FFFFFFFFFFFF and with NMAS enabled.
  • 131328 IPX Address restriction has been corrected.
  • 133910 NDSD no longer cores in NMAS after applying Solaris 8 cluster patch dated 11/10/05.
  • 134196 When a user has address restrictions set, a client login no longer causes NMAS to abend.
  • 136716 Segmentation fault was corrected in spmDDCAtLoginEndCallBack when DDCVerifyPassword is called.
  • 137705 Added configurable login delay.
  • 142068 Added an API to retrieve the previous distribution password.
  • 142221 Policy Refresh Rate setting is now effective.
  • 143676 The intruder count is now cleared after exceeding the intruder expire date.
  • 144147 LDAP bind no longer fails when the password is expired and the number of grace logins remaining is not zero.
  • 144358 Password lifetime is not enforced when the password is expired.
  • 145614 A trace message has been provided to report an invalid SASL mechanism.
  • 147780 User can now do NMAS authentication via IPX after applying NMAS 2.3.9 or NMAS 2.4.0.


6.2 Installation Issues

No installation issues for this release.


6.3 Administration Issues

  • When a user attempts to change his or her password from the Novell Client™, it calls the NMAS Client to read the Universal Password policy. In eDirectory 8.8, a new feature was added to cache the needed information from the Security Container on eDirectory 8.8 external reference servers (eDirectory 8.8 servers that don't hold a real copy of the Security Container). NMAS Clients older than NMAS Client 3.2 must walk to the real object, and if the Security Container is not available, the password change may fail.

    This issue has been resolved in the NMAS Client 3.2 by allowing the NMAS Client to resolve to an eDirectory 8.8 external reference server to read the Universal Password policy. To install NMAS Client 3.2, download and install Novell Client 32 4.91 SP2. NMAS Client 3.2 is included in the Novell Client 32 4.91 SP2 download and install.


6.4 Universal Password Issues

  • Novell iManager provides a Universal Password task that allows you to enable and disable Universal Password. The page also displays the option for NMAS to automatically synchronize the Universal Password with the simple password whenever a user performs a password update. If you are concerned about the security properties of the simple password, you can choose not to synchronize the Universal Password with the simple password by deselecting this option. If you have NetWare 6.0 servers in the tree that contain AFP/CIFS users, you should select the option to synchronize the Universal Password with the simple password.
  • If you are using a Simple Password method version that shipped previous to eDirectory 8.7.3, you may run into an issue with Simple Password when users authenticate through LDAP. You might find that the Universal Password did not synchronize with the Simple Password. To remedy this problem, update the Simple Password method to the version included in this release. The Simple Password method can be updated by using nmasinst, methodinstaller.exe, or ConsoleOne. The Simple Password method is found in the ssp201\nmmthd272\novell\simplepassword directory.
  • The NDS® password is not migrated to the Universal Password when doing an LDAP bind.


7.0 NMAS Methods 2.7.2


7.1 Issues Resolved

  • 83967 MethodInstaller.exe program execution no longer fails on French Canadian Windows.
  • 94307 A description of a Challenge Response item has been added in the NMAS dialog box.
  • 115108 Added embedded version and build numbers in the UNIX shared objects.
  • 116521 Migration of a Simple Password stored as a hash to Universal Password no longer fails.
  • 116884 Challenge Response LCM now updates Add/Remove Programs with version info.
  • 121530 Uninstalling Challenge Response after uninstalling NMAS no longer returns an error.
  • 148057 Simple password no longer randomly hangs with NSL login.


7.2 Methods and Sequences Issues

  • The following NMAS methods are in the end of life phase and will be removed from a future release of the NMAS methods:
    • Advanced X.509 Certificate
    • Enhanced Password
    • Entrust*
    • NDS Change Password
    • Simple X.509 Certificate
    • Universal Smartcard
    • Simple Password Login Client Module (LCM)
  • The readme.pdf files for the Universal Smart Card, Entrust, and Advanced X.509 methods were not updated in the build. The updated readme.pdf files are available on the NMAS documentation Web site.
  • nmasinst does not have an option to remove NMAS methods. This must be done using iManager. See the NMAS Administration Guide for more information.


8.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell and NetWare are registered trademarks of Novell, Inc. in the United States and other countries.

eDirectory, Novell Client, Novell Certificate Server, and NMAS are trademarks of Novell, Inc.

All third-party trademarks are the property of their respective owners.