4.231. pki-core

Updated pki-core packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains the fundamental packages required by Red Hat Certificate System, which include the Certificate Authority (CA) subsystem.
Note: The Certificate Authority component provided by this update is not intended to be used as a standalone server. It is installed and operates as a part of the Red Hat Enterprise Identity (IPA).

Bug Fixes

BZ#698796
Configuration of a certificate server failed with the following error: "Unable to retrieve CA chain: request failed with HTTP status 500". This occurred due to a race condition between the process reading the /etc/pki-ca/registry.cfg file and the restart process as registry.cfg was timestamped on startup. registry.cfg is now left unmodified on startup.
BZ#728651
On Red Hat Certificate System 8, the 64-bit pkicreate script was attempting to use libCryptoki2.so for SafeNet Luna SA and failed to load it as the library did not exist. The code has been changed and pkicreate on 64-bit platforms now uses libCryptoki2_64.so.
BZ#691076
The pkiremove command removed all instances of the CA (Certification Authority) type instead of removing only a specific instance. This occurred because pkiremove removed the registry directory /etc/sysconfig/pki/[subsystem_type] instead of removing only the registry entry for the specific instance in the /etc/sysconfig/pki/[type]/ directory. The command now removes only the respective type instance.
BZ#708075
In a NAT (Network Address Translation) environment, authentication of an IPA machine clone could fail with a NullPointerException on machine setup. This happened when the clone tried to authenticate itself with a NAT translated IP address that was different from the IP address previously used for the authentication. Therefore, the master IPA machine rejected the authentication. As the machines use a shared key throughout the connection, the IP check was redundant and has been removed.
BZ#693835
PKI provided Apache Tomcat configuration files which set "user:group" to "pkiuser:pkiuser". Therefore, the /var/log/tomcat6/catalina.out file was also owned by pkiuser. As the file needs to be owned by Tomcat 6, the TOMCAT_LOG variable has been added to the configuration files and Tomcat now uses "tomcat:tomcat" as its "user:group".
BZ#726785
The Dogtag subsystem did not detect a replication failure if the replication failed during clone setup. Therefore, Dogtag kept looking for the root directory on the directory server and got into an infinite loop as the replication failed and the root directory was never created. Dogtag now waits for the replication to finish and the problem no longer occurs.
BZ#700522
Due to changes in startup scripts, the PKI SELinux policy was not applied and tomcat6 instances ran unconfined. The startup scripts now apply the SELinux policy if it is enabled, and tomcat6 instances now run with the restrictions defined in the policy.
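A quick way to verify the condition described in BZ#700522 on a running system is to inspect the SELinux label of each Tomcat 6 process. The script below is an added example and is not part of the advisory or of the pki-core packages; it parses `ps -eZ` style lines and flags any tomcat6/catalina process whose type is unconfined_t or initrc_t. The sample lines and the pki_ca_t domain they use are constructed for the example.

```shell
#!/bin/sh
# Added example: report Tomcat 6 instances that are not running in a confined
# SELinux domain. Input is `ps -eZ` output (LABEL PID TTY TIME CMD), e.g.:
#   ps -eZ | check_tomcat_confinement
# Prints one line per unconfined tomcat6/catalina process and returns 1 if any
# was found, 0 if every matching process is confined.
check_tomcat_confinement() {
    unconfined=0
    while IFS= read -r line; do
        # Only look at processes that belong to a Tomcat 6 instance.
        case "$line" in
            *tomcat6*|*catalina*) ;;
            *) continue ;;
        esac
        label=${line%% *}                                  # user:role:type:level
        pid=$(printf '%s\n' "$line" | awk '{print $2}')
        setype=$(printf '%s\n' "$label" | awk -F: '{print $3}')
        case "$setype" in
            unconfined_t|initrc_t)
                # The state BZ#700522 describes: policy not applied.
                printf 'UNCONFINED pid=%s type=%s\n' "$pid" "$setype"
                unconfined=1 ;;
        esac
    done
    return $unconfined
}

# Constructed sample in the shape of `ps -eZ` output (not real system data).
SAMPLE='system_u:system_r:pki_ca_t:s0          1234 ?        00:00:05 java -Dcatalina.base=/var/lib/pki-ca
unconfined_u:unconfined_r:unconfined_t:s0 1300 ?        00:00:02 java -Dcatalina.base=/var/lib/tomcat6
system_u:system_r:httpd_t:s0            1400 ?        00:00:00 httpd'

printf '%s\n' "$SAMPLE" | check_tomcat_confinement \
    || echo "at least one tomcat6 instance is running unconfined"
```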

Enhancements

BZ#729126
The default validity period of the default and constraint server certificates has been changed to 2 years.
BZ#689891
The number of restarts needed during installation of Dogtag Certificate Server was decreased.
BZ#689909
Several checks have been added to speed up installation of Dogtag Certificate Server.
BZ#722634
The client usage flag has been added to the caIPAserviceCert server certificate. This allows an IPA server to use the server certificate as a client certificate and authenticate itself.
BZ#737179
The pki-setup-proxy script has been added. It adds a configuration file to Apache Tomcat and updates the server.xml and CS.cfg files, upgrading the proxy configuration of an existing IPA installation to the AJP (Apache JServ Protocol) proxy code introduced in upstream version 2.1.1.
Users should upgrade to these updated pki-core packages, which fix the bugs and add the enhancements.

Updated pki-core packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. pki-core contains the fundamental packages required by Red Hat Certificate System, which include the Certificate Authority (CA) subsystem.
Note: The Certificate Authority component provided by this update is not intended to be used as a standalone server. It is installed and operates as a part of Identity Management (IPA) in Red Hat Enterprise Linux.

Bug Fix

BZ#772222
When installing IPA, the installer uses 'sslget' to communicate with the CA. The server sends out a full response to the sslget client, but the client receives only 5 bytes of the encrypted stream.
Users should upgrade to these updated pki-core packages, which fix the listed bug.