Certificate System now supports additional strong ciphers by default
With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:
For a full list of enabled ciphers, enter:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers. (BZ#1550786)
samba rebased to version 4.8.3
The samba packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:
The smbd service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the security parameter set to domain now require that the winbindd service is running.
The dependency on global lists of trusted domains within the winbindd process has been reduced. For installations that do not require the global list, set the winbind scan trusted domains parameter in the /etc/samba/smb.conf file to no. For more information, see the parameter's description in the smb.conf(5) man page.
The trust properties displayed in the output of the wbinfo -m --verbose command have been changed to correctly reflect the status of the system where the command is executed.
Authentication from users of a one-way trust now works correctly when using the idmap_autorid ID mapping back ends.
Samba automatically updates its tdb database files when the winbind daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
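The following pre-upgrade check is an added example, not part of the release notes or of Samba itself: it reads the [global] section of smb.conf with a small awk parser (instead of testparm, so it runs offline), reports whether the configuration now depends on winbindd, whether the trusted-domain scan has been switched off, and copies the tdb files aside before the first start of the new version. The /etc/samba/smb.conf and /var/lib/samba paths are assumptions.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for the Samba 4.8.3 behaviour changes.
# Paths are assumptions; override SMB_CONF to point at another file.
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# Print the value of a [global] parameter in lower case; prints nothing if unset.
# $1 = smb.conf path, $2 = parameter name in lower case
smb_global_param() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && $0 !~ /^[[:space:]]*[#;]/ {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) print tolower(v)
        }' "$1"
}

# Returns 0 when smb.conf sets security = domain, i.e. winbindd is now required.
needs_winbindd() {
    [ "$(smb_global_param "$1" security)" = "domain" ]
}

# Returns 0 when the global trusted-domain scan has been turned off.
trusted_scan_disabled() {
    case "$(smb_global_param "$1" "winbind scan trusted domains")" in
        no|false|0) return 0 ;;
        *)          return 1 ;;
    esac
}

# Copy every *.tdb file under $1 into $2 (created if missing) before winbind starts.
backup_tdb() {
    mkdir -p "$2" && find "$1" -name '*.tdb' -exec cp -p {} "$2" \;
}

# Report findings; run this on the host before starting the upgraded Samba.
main() {
    if needs_winbindd "$SMB_CONF"; then
        echo "security = domain: winbindd must be running after the upgrade"
        pgrep -x winbindd >/dev/null || echo "WARNING: winbindd is not running"
    fi
    trusted_scan_disabled "$SMB_CONF" || echo "note: winbind scan trusted domains is still enabled"
    backup_tdb /var/lib/samba /var/lib/samba/backup-before-4.8.3
}
```

Call main from the shell on the server to run all checks; the functions can also be sourced individually into other maintenance scripts.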
Directory Server rebased to version 220.127.116.11
The 389-ds-base packages have been upgraded to upstream version 18.104.22.168, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
Certificate System rebased to version 10.5.9
The Certificate System packages have been upgraded to upstream version 10.5.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557569)
jss rebased to version 4.4.4
The jss packages have been upgraded to upstream version 4.4.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557575)
The CRMFPopClient utility supports CRMF requests without key archival
With this enhancement, users can create Certificate Request Message Format (CRMF) requests without the key archival option when using the CRMFPopClient utility. This feature increases flexibility because a Key Recovery Authority (KRA) certificate is no longer required. Previously, if the user did not pass the key archival option to CRMFPopClient, the utility automatically used the KRA transport certificate stored in the transport.txt file. With this update, if the key archival option is not specified, Certificate System creates a request without using key archival. (BZ#1585866)
Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates
This update enhances Certificate System to automatically apply ECC profiles when setting up a new root CA with ECC profiles using the utility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to the utility when setting up a root CA. (BZ#1550742)
Certificate System now adds the SAN extension to server certificates
With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate. (BZ#1562423)
A low-level API to create X.509 certificates and CRLs has been added to JSS
This enhancement adds a low-level API to the Java Security Services (JSS) that can be used to create X.509 certificates and certificate revocation lists (CRLs). (BZ#1560682)
pcsc-lite-ccid driver now has support for new smart card readers
Previously, the pcsc-lite-ccid driver did not detect certain smart card readers. This enhancement adds the USB-ID values of these readers to the driver. As a result, pcsc-lite-ccid now detects the smart card readers in the described scenario.
Note that Red Hat did not test the smart card readers whose USB-IDs have been added. (BZ#1558258)
pam_pkcs11 module now has support for certificate chains
This update enhances the pam_pkcs11 module to support Public Key Infrastructure for X.509 (PKIX) certificate chains. This enables more complex chain processing, including multiple paths to the leaf certificate. As a result, pam_pkcs11 now validates PKIX certificate chains. (BZ#1578029)
dnssec-keymgr automates DNSSEC key rollovers
This update introduces dnssec-keymgr, a utility to automate DNS Security Extensions (DNSSEC) key rollovers. dnssec-keymgr enables automatic long-term management of DNS keys for secure zones due to its simple configurable policy. This makes it possible to roll out keys seamlessly, without interrupting the DNS service. (BZ#1510008)
DNSSEC validation can be disabled for selected domains
Previously, if DNSSEC validation was enabled and a specific domain was failing, no hosts in that domain could be reached. With this release, you can configure exemptions from DNS Security Extensions (DNSSEC) validation for selected zones if the validation fails because of incorrect configuration, not an attack. The addresses of the hosts in the failing domain are resolved as unsigned and can be reached, while all other names are validated for security risks. (BZ#1452091)
SSSD on an IdM client can now authenticate against a specific AD site or AD DC
System Security Services Daemon (SSSD) running on an Identity Management (IdM) client in a domain with a trust relationship with Active Directory (AD) can now be pinned to authenticate against a configured AD site or a configured set of AD Domain Controllers (DC).
Previously, SSSD relied completely on DNS SRV discovery done by libkrb5. However, this did not take AD sites into account because libkrb5 has no notion of AD sites. If the administrator wanted to pin SSSD to authenticate against a set of AD DCs, they had to set the correct Key Distribution Centre (KDC) in the /etc/krb5.conf file, which was non-intuitive.
The enhancement is especially convenient for large environments, in which modifying the /etc/krb5.conf file on each client individually was previously the only available solution. (BZ#1416528)