- Configuration of a certificate server failed with the following error: "Unable to retrieve CA chain: request failed with HTTP status 500". This occurred due to a race condition between the process reading the /etc/pki-ca/registry.cfg file and the restart process as registry.cfg was timestamped on startup. registry.cfg is now left unmodified on startup.
- On Red Hat Certificate System 8, the 64-bit pkicreate script was attempting to use libCryptoki2.so for SafeNet Luna SA and failed to load it as the library did not exist. The code has been changed and pkicreate on 64-bit platforms now uses libCryptoki2_64.so.
- The pkiremove command removed all instances of the CA (Certification Authority) type instead of removing only a specific instance. This occurred because pkiremove removed the registry directory /etc/sysconfig/pki/[subsystem_type] instead of removing only the registry entry for the specific instance in the /etc/sysconfig/pki/[type]/ directory. The command now removes only the respective type instance.
- In a NAT (Network Address Translation) environment, authentication of an IPA machine clone could fail with a NullPointerException on machine setup. This happened when the clone tried to authenticate itself with a NAT translated IP address that was different from the IP address previously used for the authentication. Therefore, the master IPA machine rejected the authentication. As the machines use a shared key throughout the connection, the IP check was redundant and has been removed.
- PKI provided Apache Tomcat configuration files which set "user:group" to "pkiuser:pkiuser". Therefore, the /var/log/tomcat6/catalina.out file was also owned by pkiuser. As the file needs to be owned by Tomcat 6, the TOMCAT_LOG variable has been added to the configuration files and Tomcat now uses "tomcat:tomcat" as its "user:group".
- The Dogtag subsystem did not detect a replication failure if the replication failed during clone setup. Therefore, Dogtag kept looking for the root directory on the directory server and got into an infinite loop as the replication failed and the root directory was never created. Dogtag now waits for the replication to finish and the problem no longer occurs.
- Due to changes in startup scripts, the PKI SElinux policy was not applied and tomcat6 instances ran unconfined. The startup scripts now applies the SElinux policy if enabled and tomcat6 instances now run with the restrictions defined in the policy.
- The default validity period of the default and constraint server certificates has been changed to 2 years.
- The number of restarts needed during installation of Dogtag Certicate Server was decreased.
- Several checks have been added to speed up installation of Dogtag Certificate Server.
- The client usage flag has been added to the caIPAserviceCert server certificate. This allows an IPA server to use the server certificate as a client certificate and authenticate itself.
- The pki-setup-proxy script that adds a configuration file to Apache Tomcat, updates the server.xml and CS.cfg files has been added. The script upgrades the proxy configuration of an existing IPA installation to the AJP (Apache JServ Protocol) proxy code introduced in upstream version 2.1.1.
- When installing IPA, the installer uses 'sslget' to communicate with the CA. The server sends out a full response to the sslget client, but the client receives only 5 bytes of the encrypted stream.