What's New in PGP Certificate Server Version 2.5 for Unix-Sun Solaris

Copyright (c) 1998-99 by Network Associates Technology, Inc., and its
Affiliated Companies. All Rights Reserved.

Thank you for using Network Associates' products. This What's New file
contains important information regarding the PGP Certificate Server.
Network Associates strongly recommends that you read this entire
document.

Network Associates welcomes your comments and suggestions. Please use
the information provided in this file to contact us.

Warning: Export of this software may be restricted by the U.S.
Government.

___________________
WHAT'S IN THIS FILE

- New Features
- Documentation
- System Requirements
- Installation
- Starting the PGP Certificate Server
- Starting the PGP Replication Engine
- Using the Web Configuration/Monitoring Wizard
- Known Issues
- Additional Information
- Year 2000 Compliance
- Contacting Network Associates

____________
NEW FEATURES

* Improved Web-based Configuration

  Administrators can conveniently manage the Cert Server's configuration
  from nearly any web browser. This version improves the extensive
  on-line help on product configuration settings.

  This version provides integrated support for many popular web servers,
  including:

  - Netscape Enterprise Server 3.x
  - Netscape FastTrack Server 3.x
  - Apache 1.3.x

  Administrators can secure the communications between the web browser
  and the Cert Server using the native security services provided by the
  web server installed with the Cert Server.

* Database Size and Performance Improvements

  This version includes numerous performance enhancements and database
  optimizations. Certificate database size has been reduced by 20% - 30%
  from previous versions, due to improved certificate storage methods.
  This size reduction also improves server performance: more
  certificates fit in the server's cache, less data is read from and
  written to the server's hard disk, and fewer transformations are
  needed on certificate data.
_____________
DOCUMENTATION

Also included with this release is the following manual, which can be
viewed on-line as well as printed:

* PGP Certificate Server Administrator's Guide

This document is saved in Adobe Acrobat Portable Document Format (.PDF).
You can view and print the document with Adobe's Acrobat Reader. PDF
files can include hypertext links and other navigation features to
assist you in finding answers to questions about your Network Associates
product.

To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's
Web site at:

  http://www.adobe.com/prodindex/acrobat/readstep.html

If the web server support for PGP Certificate Server is installed, the
Administrator's Guide is also available through a link found on the
page:

  http://YOUR-HOST-NAME:PORT/certserver/default.htm

Substitute the hostname of the machine running the PGP Certificate
Server for the YOUR-HOST-NAME value. For PORT, substitute the port
number of the web server that you are running on YOUR-HOST-NAME (by
default, the web server listens on port 8080).

Documentation feedback is welcome. Send e-mail to
tns_documentation@nai.com.

___________________
SYSTEM REQUIREMENTS

- Sun Solaris (UNIX) Version 2.5.1 or later (UltraSPARC recommended)
  (Solaris 2.6 is required for databases larger than 2GB.)
- Perl 5 (required for the Web Configuration/Monitoring wizard)
- 64MB RAM minimum
- 30MB disk space for software
- Additional disk space for the database (10MB - 500MB)
- Network interface card

____________
INSTALLATION

PGP Certificate Server comes shipped on a CD-ROM in the form of a
Solaris package file.

To upgrade from a previous version of the product from a CD-ROM:

1. Sign on as root.

2. Modify the Solaris package administration file:

   A. Make a copy of the package administration file:

        cd /var/sadm/install/admin
        cp default pgp.admin

   B. Using a text editor, change the line in the pgp.admin file from
      "instance=unique" to "instance=ask". (With instance=ask, pkgadd
      prompts you about the already installed instance instead of
      silently creating a second one.)

3. Insert the CD-ROM.

4. Mount the CD-ROM drive (if it isn't auto-mounted).

5. Change to the directory containing the package file.

6. Run the command:

     pkgadd -d PGPcertserv_2.5_Solaris -a /var/sadm/install/admin/pgp.admin

7. Create Web Configuration/Monitoring wizard logins, as directed
   onscreen.

To install the product from a CD-ROM (first-time install):

1. Sign on as root.
2. Insert the CD-ROM.
3. Mount the CD-ROM drive (if it isn't auto-mounted).
4. Change to the directory containing the package file.
5. Run the command:

     pkgadd -d PGPcertserv_2.5_Solaris

6. Create Web Configuration/Monitoring wizard logins, as directed
   onscreen.

To verify that the install succeeded:

1. Run the command:

     pkginfo -l PGPcertd

2. Verify that the status is "Completely Installed".

___________________________________
STARTING THE PGP CERTIFICATE SERVER

After successfully installing the server, you may start it by following
these steps.

1. Sign on as root.

2. Change to the product bin directory (this assumes the default install
   directory of /opt/PGPcertd).

     cd /opt/PGPcertd/bin

3. Create the initial database.

     ./pgpcertd -n -f ../etc/pgpcertd.conf

4. Start the server.

     ./pgpcertd -f ../etc/pgpcertd.conf

5. Verify the server is running.

     ps -fu root | grep pgpcertd

If the server is not running, check the syslog file for errors, or try
starting the server with the Check Configuration flag (-c) to see why
the server did not start.

To test that the server is running properly, start PGP (version 5.5 or
later). You will need to add the URL of the machine running the
certificate server to PGP's configuration. You can do this by selecting
PGP Preferences from PGPtray's popup menu (or from PGPkeys'
Edit/Preferences menu). From the Servers page, add a New server. Enter a
new domain or choose an existing one. Then enter an LDAP server using
the form:

  ldap://YOUR-HOST-NAME

Now from PGPkeys, select any key from your list of keys. Then select the
Send Key to Server item on the Keys menu.
Be sure to select the name of your new PGP Certificate Server. If the
key gets sent to the server successfully, your server is running
properly.

You can also use the search dialog in PGPkeys to search the keys on the
server. Again, be sure to set the name of your new server as the server
to search.

___________________________________
STARTING THE PGP REPLICATION ENGINE

The PGP Replication Engine uses the same configuration file as the PGP
Certificate Server. The default configuration file does not have
replication enabled. The 'Replica' and 'RepLogFile' configuration tags
need to be configured before the engine can be started successfully.
Examples of each are:

  Replica ldap://mirror.company.com
  RepLogFile rep.log

See the Administrator's Guide for exact details on these configuration
values.

If you installed the optional PGP Replication Engine component and
performed the above configuration, you may start the engine by
following these steps.

1. Sign on as root.

2. Change to the product bin directory (this assumes the default install
   directory of /opt/PGPcertd).

     cd /opt/PGPcertd/bin

3. Start the engine.

     ./pgprepd -f ../etc/pgpcertd.conf

4. Verify the engine is running.

     ps -fu root | grep pgprepd

If the engine is not running, check the syslog file for errors, or try
starting it with the Check Configuration flag (-c) to see why it did
not start.

_____________________________________________
USING THE WEB CONFIGURATION/MONITORING WIZARD

The PGP Certificate Server can be easily configured using a web
browser-based wizard. This wizard must be set up to run under an
existing web server product. Most popular web servers support the
wizard. The web server must be running on the same machine as the PGP
Certificate Server.

NOTE: Perl 5 needs to be installed on your machine for the wizard to
work. If you do not have Perl 5 installed, please see the
Administrator's Guide for details on where to get Perl 5.
If you are running the Apache web server supplied with PGP Certificate
Server and you requested the installer to install the web server, you
may need to start (or restart) the web server. This is done by signing
on as root and issuing the command:

  /opt/PGPcertd/web/apachectl start

or

  /opt/PGPcertd/web/apachectl restart

You can then access the configuration/monitoring wizard from your
browser using the URL:

  http://YOUR-HOST-NAME:PORT/certserver/index.html

If you are using another web server or did not have the installer add
this support, please see the Administrator's Guide for details on how to
properly configure this feature.

You may also directly edit the configuration file for the certificate
server using any standard text editor. The default configuration file
is found in:

  /opt/PGPcertd/etc/pgpcertd.conf

____________
KNOWN ISSUES

o Using RSA keys as Admin keys

  In the International and Freeware releases, RSA keys cannot be used by
  the server as the Server Secure KeyID. Only DSS/Diffie-Hellman keys
  can be used as the key by which the client determines which server it
  is connecting to over TLS/SSL.

o Replication Engine Running in One Shot Mode

  Running the Replication Engine in One Shot mode with an empty or
  non-existent replication log may cause the program to hang. The
  process can be killed without harming the system. Note that this
  situation would not normally occur.

______________________
ADDITIONAL INFORMATION

** International and Freeware releases **

The International and Freeware versions of the PGP Certificate Server
do not encrypt data; they do provide strong authentication. The
Transport Layer Security (TLS) connection between the PGP client and
the server is strongly authenticated, but the data is sent over the
network without being encrypted. This means that the queries and adds
performed by the PGP client can be viewed by others, but the identity
of someone performing administrative functions is still strongly
authenticated.
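The preflight script below is an added example; it is not part of the PGP Certificate Server distribution or its documentation. It checks, with plain sh tools, the two conditions the STARTING THE PGP REPLICATION ENGINE section and the One Shot mode note under KNOWN ISSUES impose before pgprepd is started: that the Replica and RepLogFile tags are set in pgpcertd.conf (and that Replica is an ldap:// URL), and that the replication log named by RepLogFile exists and is not empty. It also builds the pgp.admin file for the upgrade path in INSTALLATION. The following are assumptions, not facts from this file: configuration tags are written one per line as "Tag value", a '#' in the first column starts a comment, a relative RepLogFile path is resolved against the directory holding the configuration file, and mktemp(1) is available for the scratch directory used by the demonstration at the end.

```shell
#!/bin/sh
# Added example (not the product's own code). Preflight checks for the
# pgpcertd.conf / pgprepd setup and the pkg.admin upgrade file.
# Assumed config syntax: "Tag value" per line, '#' starts a comment.

# Print the value of a configuration tag, or nothing if it is absent.
# $1 = configuration file, $2 = tag name (matched case-insensitively).
conf_value() {
    awk -v tag="$2" '
        $1 ~ /^#/ { next }                                  # comment line
        tolower($1) == tolower(tag) && NF >= 2 { print $2; exit }
    ' "$1"
}

# Build the package admin file for the upgrade path: copy the default
# admin file and switch instance=unique to instance=ask.
# $1 = default admin file, $2 = output admin file.
make_upgrade_admin() {
    sed 's/^instance=unique$/instance=ask/' "$1" > "$2" || return 1
    grep -q '^instance=ask$' "$2"        # confirm the edit actually took
}

# Verify the Replica and RepLogFile tags before starting pgprepd.
# Returns 0 when the engine can be started; reasons go to stderr.
check_replication_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    replica=$(conf_value "$conf" Replica)
    replog=$(conf_value "$conf" RepLogFile)
    ok=0
    if [ -z "$replica" ]; then
        echo "Replica tag is missing or empty" >&2; ok=1
    else
        case "$replica" in
            ldap://*) ;;
            *) echo "Replica is not an ldap:// URL: $replica" >&2; ok=1 ;;
        esac
    fi
    if [ -z "$replog" ]; then
        echo "RepLogFile tag is missing or empty" >&2; ok=1
    else
        case "$replog" in
            /*) logpath="$replog" ;;
            *)  logpath="$dir/$replog" ;;   # assumption: relative to conf dir
        esac
        # An empty or missing log can hang One Shot mode (see Known Issues).
        if [ ! -s "$logpath" ]; then
            echo "replication log $logpath is missing or empty;" \
                 "do not run the engine in One Shot mode" >&2
            ok=1
        fi
    fi
    return $ok
}

# Stand-alone demonstration on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'instance=unique\npartial=ask\n' > "$tmp/default"     # constructed
    make_upgrade_admin "$tmp/default" "$tmp/pgp.admin" && \
        echo "pgp.admin written with instance=ask"
    printf '# constructed sample pgpcertd.conf\n' > "$tmp/pgpcertd.conf"
    printf 'Replica ldap://mirror.company.com\n' >> "$tmp/pgpcertd.conf"
    printf 'RepLogFile rep.log\n' >> "$tmp/pgpcertd.conf"
    echo "constructed replication record" > "$tmp/rep.log"
    check_replication_conf "$tmp/pgpcertd.conf" && echo "replication config OK"
    : > "$tmp/rep.log"      # now empty: One Shot mode is not safe to start
    check_replication_conf "$tmp/pgpcertd.conf" || \
        echo "replication config rejected, as expected"
    rm -rf "$tmp"
}

demo
```

On a real host you would run check_replication_conf against /opt/PGPcertd/etc/pgpcertd.conf from /opt/PGPcertd/bin before invoking ./pgprepd, and make_upgrade_admin against /var/sadm/install/admin/default before the pkgadd -a step; the script only reads the configuration and writes the admin file, it does not start anything.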
____________________
YEAR 2000 COMPLIANCE

Information regarding NAI products that are Year 2000 compliant and
NAI's Year 2000 standards and testing models may be obtained from NAI's
website at http://www.nai.com/y2k. For further information, email
y2k@nai.com.

_____________________________
CONTACTING NETWORK ASSOCIATES

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact the Network Associates Customer Care department:

1. Phone (408) 988-3832
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time

2. Fax (408) 970-9727
   24-hour, Group III Fax

Send correspondence to the following Network Associates location:

  Network Associates Corporate Headquarters
  3965 Freedom Circle
  McCandless Towers
  Santa Clara, CA 95054

Phone numbers for corporate-licensed customers:
  Phone: (408) 988-3832
  Fax:   (408) 970-9727

Phone numbers for retail-licensed customers:
  Phone: (972) 278-6100
  Fax:   (408) 970-9727

Or, you can receive online assistance through any of the following
resources:

1. Internet E-mail: pgpsupport@pgp.com
2. Internet FTP: ftp.nai.com
3. World Wide Web: http://support.nai.com
4. America Online: keyword MCAFEE
5. CompuServe: GO NAI

To provide the answers you need quickly and efficiently, the Network
Associates technical support staff needs some information about your
computer and your software. Please have this information ready when you
call:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and speed, where applicable
- Relevant browsers or applications and their version numbers, where
  applicable
- How to reproduce your problem: when it occurs, whether you can
  reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax, or e-mail

We also seek and appreciate general feedback.
* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use Network Associates
products, we have established a reseller's program to provide service,
sales, and support for our products worldwide. For a listing of
resellers, see the resellers.txt file or contact Network Associates
Customer Care for resellers near you.

* FOR REPORTING PROBLEMS *

Network Associates prides itself on delivering a high-quality product.
If you find any problems, please take a moment to review the contents
of this file. If the problem you've encountered is documented, there is
no need to report the problem to Network Associates. If you find any
feature that does not appear to function properly on your system, or if
you believe an application would benefit greatly from enhancement,
please contact Network Associates with your suggestions or concerns.

* FOR ON-SITE TRAINING INFORMATION *

Contact Network Associates Customer Service at (800) 338-8754.