6.2. Highlighted Updates and New Features

Red Hat Certificate System 9.2 has introduced the following new features and important updates:


Note that this document only contains release notes for features which are not available in the base Red Hat Enterprise Linux 7.4 release. Many of the new features in Red Hat Certificate System are in the pki-core package, and those are documented in the Red Hat Enterprise Linux 7.4 Release Notes.

New audit events have been added for SSL/TLS session events on Red Hat Certificate System servers

Red Hat Certificate System now supports several new audit log events related to SSL and TLS session events, namely successful and unsuccessful connection establishments and connection terminations.
The new log events are:
  • ACCESS_SESSION_ESTABLISH_SUCCESS for successful connections
  • ACCESS_SESSION_ESTABLISH_FAILURE for failed connections
  • ACCESS_SESSION_TERMINATED for terminated connections
These new events are logged in the server audit log file by default. Use the CS.cfg file to further configure these settings. (BZ#1404080)

Red Hat Certificate System can now display a custom banner at the start of a secure connection

New configuration options have been added to Red Hat Certificate System to allow a customizable banner to be displayed at the beginning of a secure connection. This allows organizations to display messages such as advisory notices and warnings regarding unauthorized use. The message is displayed each time a PKI client (the PKI command line, the web user interface, or PKI Console) connects to the server over an SSL or TLS connection. The connecting user is prompted to confirm that they have read the banner before normal client operation resumes.
To enable this functionality, create a file at /etc/pki/pki-tomcat/banner.txt and place the message you want to display into this file. Make sure the file is encoded as UTF-8 and readable by the pkiuser user account. To remove the banner, delete the aforementioned file. No server restart is required to add, change, or remove the banner. (BZ#1404085)
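The two requirements above (UTF-8 encoding and readability by pkiuser) are easy to get wrong when the file is produced by a Windows editor or dropped in as root with restrictive permissions. The following is an added checker, not part of the product; the function names, the 0644 mode written by write_banner, and the owner/group/other permission model (no ACLs) are my assumptions.

```python
"""Validate a Certificate System access banner file: it must decode as
UTF-8 and be readable by the pkiuser account. Added example, not product
code; helper names are the author's own."""
import os
import pwd
import stat

BANNER_PATH = "/etc/pki/pki-tomcat/banner.txt"
PKI_USER = "pkiuser"


def _readable_by(st, user):
    """True if account `user` can read a file with stat result `st`,
    judged from the owner/group/other read bits only (ACLs ignored).
    An unknown account counts as not readable."""
    if user is None:          # caller asked to skip the account check
        return True
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return False
    mode = st.st_mode
    if st.st_uid == pw.pw_uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in os.getgrouplist(user, pw.pw_gid):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_banner(path=BANNER_PATH, user=PKI_USER):
    """Return a list of problems; an empty list means the banner is usable.
    A missing file is not a problem: it simply means no banner is shown."""
    problems = []
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return problems
    text = None
    try:
        text = data.decode("utf-8")   # strict: rejects Latin-1/CP1252 bytes
    except UnicodeDecodeError as exc:
        problems.append(f"{path}: not valid UTF-8 at byte offset {exc.start}")
    if text is not None and not text.strip():
        problems.append(f"{path}: banner is empty")
    if not _readable_by(os.stat(path), user):
        problems.append(f"{path}: not readable by {user} "
                        "(unknown account or missing read bit)")
    return problems


def write_banner(message, path=BANNER_PATH):
    """Write `message` as UTF-8 with mode 0644 so that pkiuser can read it
    whatever account created the file."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(message if message.endswith("\n") else message + "\n")
    os.chmod(path, 0o644)


if __name__ == "__main__":
    for problem in check_banner() or ["banner OK"]:
        print(problem)
```

Run it as root after editing the banner; any line of output other than "banner OK" names the defect that would stop the banner from being served.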

New tools to retrieve audit logs from Red Hat Certificate System server

New tools for retrieving audit logs have been added to Red Hat Certificate System in order to allow auditors to retrieve audit logs locally for inspection and verification.
To list existing audit log files, use the following command:
pki <subsystem>-audit-file-find
To retrieve a specific audit log file, use the following command:
pki <subsystem>-audit-file-retrieve <filename>
After retrieving the audit logs you require, use standard tools such as grep to search for specific log entries, and the AuditVerify tool to verify the signatures on signed audit logs. For more information on these tools, see their respective man pages. (BZ#1417307)
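Once an audit file has been retrieved, the grep step above usually becomes a small script, and the three session events from the earlier section are the natural first thing to look for. The block below is an added example, not product code: it assumes the audit record layout of bracketed key=value attributes ("[AuditEvent=...][ClientIP=...][Outcome=...]"), works on constructed sample records rather than real server output, and flags clients with repeated failed session establishments. Adjust ATTR_RE if your server's records differ.

```python
"""Scan Certificate System audit records for the SSL/TLS session events
(ACCESS_SESSION_ESTABLISH_SUCCESS / _FAILURE, ACCESS_SESSION_TERMINATED)
and flag clients with repeated failed connections.

Added example, not product code. Assumes each record carries its
attributes as bracketed Key=Value pairs; SAMPLE_LINES are constructed."""
import re
from collections import Counter

SESSION_EVENTS = {
    "ACCESS_SESSION_ESTABLISH_SUCCESS",
    "ACCESS_SESSION_ESTABLISH_FAILURE",
    "ACCESS_SESSION_TERMINATED",
}

# One bracketed Key=Value attribute. Timestamps such as "[05/Sep/2017:...]"
# and level markers such as "[14]" contain no "Key=" and are skipped.
ATTR_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")


def parse_audit_record(line):
    """Return the attributes of one audit record as a dict, or None for
    lines that carry no AuditEvent attribute."""
    attrs = dict(ATTR_RE.findall(line))
    return attrs if "AuditEvent" in attrs else None


def session_records(lines):
    """Yield the parsed records that describe SSL/TLS session events."""
    for line in lines:
        rec = parse_audit_record(line)
        if rec is not None and rec["AuditEvent"] in SESSION_EVENTS:
            yield rec


def count_session_events(lines):
    """Number of records per session event name."""
    return Counter(rec["AuditEvent"] for rec in session_records(lines))


def noisy_clients(lines, threshold=3):
    """(client IP, failure count) pairs for clients with at least
    `threshold` failed session establishments, most frequent first.
    A burst of failures from one address usually means a misconfigured
    client certificate or someone probing the TLS port."""
    failures = Counter(
        rec.get("ClientIP", "unknown")
        for rec in session_records(lines)
        if rec["AuditEvent"] == "ACCESS_SESSION_ESTABLISH_FAILURE"
    )
    return [(ip, n) for ip, n in failures.most_common() if n >= threshold]


# Constructed sample records in the assumed layout (not real server output).
SAMPLE_LINES = [
    "0.localhost-startStop-1 - [05/Sep/2017:09:59:40 EDT] [14] [6] "
    "[AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] "
    "audit function startup",
    "0.https-bio-8443-exec-2 - [05/Sep/2017:10:02:11 EDT] [14] [6] "
    "[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.0.2.10]"
    "[ServerIP=192.0.2.1][SubjectID=uid=caadmin][Outcome=Success] "
    "access session establish success",
    "0.https-bio-8443-exec-3 - [05/Sep/2017:10:02:15 EDT] [14] [6] "
    "[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=198.51.100.7]"
    "[ServerIP=192.0.2.1][SubjectID=$Unidentified$][Outcome=Failure]"
    "[Info=TLS handshake failed: unknown CA] access session establish failure",
    "0.https-bio-8443-exec-3 - [05/Sep/2017:10:02:16 EDT] [14] [6] "
    "[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=198.51.100.7]"
    "[ServerIP=192.0.2.1][SubjectID=$Unidentified$][Outcome=Failure]"
    "[Info=TLS handshake failed: unknown CA] access session establish failure",
    "0.https-bio-8443-exec-4 - [05/Sep/2017:10:02:17 EDT] [14] [6] "
    "[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=198.51.100.7]"
    "[ServerIP=192.0.2.1][SubjectID=$Unidentified$][Outcome=Failure]"
    "[Info=TLS handshake failed: unknown CA] access session establish failure",
    "0.https-bio-8443-exec-2 - [05/Sep/2017:10:07:30 EDT] [14] [6] "
    "[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.10]"
    "[ServerIP=192.0.2.1][SubjectID=uid=caadmin][Outcome=Success] "
    "access session terminated",
]

if __name__ == "__main__":
    for event, n in sorted(count_session_events(SAMPLE_LINES).items()):
        print(f"{event}: {n}")
    for ip, n in noisy_clients(SAMPLE_LINES):
        print(f"{ip}: {n} failed session establishments")
```

To use it on a real file, replace SAMPLE_LINES with the lines of the file returned by pki <subsystem>-audit-file-retrieve, and run AuditVerify first so that the records you are counting are known to be intact.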

New session timeout parameter for PKI Console

A new parameter, keepAliveTimeout, has been added to Certificate System's server configuration file. This parameter controls the session timeout period for PKI Console. PKI Console is automatically disconnected from the server after it has been idle for the period specified in this parameter; the Console then displays an error message and terminates.
The timeout is configured in the server.xml file and accepts an integer specifying the timeout period in milliseconds. The default value is 300000, which is 5 minutes. (BZ#1446877)
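As an added illustration (not the shipped /etc/pki/pki-tomcat/server.xml), here the timeout is raised to 10 minutes. The release note says only that the parameter lives in server.xml; placing it as an attribute on the Tomcat Connector element, and every attribute shown other than keepAliveTimeout, are assumptions standing in for whatever the installed connector already carries.

```xml
<!-- Added example, not the product's server.xml. Only keepAliveTimeout is
     the setting under discussion; the remaining attributes are assumed
     placeholders for the existing secure connector. -->
<Connector name="Secure"
           port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           keepAliveTimeout="600000" />
```

Keep the value in milliseconds (600000, not 600); a value given in seconds disconnects the Console almost immediately and looks like a network fault.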

Certificate System now supports SCP03-enabled tokens

With this enhancement, Certificate System now supports the Giesecke & Devrient (G&D) Smart Cafe 6 and Smart Cafe 7 tokens with Secure Channel Protocol 03 (SCP03) enabled in the Token Management System (TMS). This allows TMS users to perform token operations, such as token formatting and enrollment, on smart cards that respond to SCP03, which provides extra security by using the Advanced Encryption Standard (AES) during token operations. (BZ#1274086)