Chapter 5. Authentication and Interoperability
Certificate System now supports additional strong ciphers by default
With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:
For a full list of enabled ciphers, enter:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers. (BZ#1550786)
samba rebased to version 4.8.3
The samba packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:
- The smbd service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the security parameter set to domain now require that the winbindd service is running.
- The dependency on global lists of trusted domains within the winbindd process has been reduced. For installations that do not require the global list, set the winbind scan trusted domains parameter in the smb.conf file to no. For more information, see the parameter's description in the smb.conf(5) man page.
- The trust properties displayed in the output of the wbinfo -m --verbose command have been changed to correctly reflect the status of the system where the command is executed.
- Authentication from users of a one-way trust now works correctly when using the idmap_autorid ID mapping back end.
Samba automatically updates its tdb database files when the winbindd daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For more information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.8.0.html. (BZ#1558560)
Directory Server rebased to version 188.8.131.52
The 389-ds-base packages have been upgraded to upstream version 184.108.40.206, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating:
Certificate System rebased to version 10.5.9
The pki-core packages have been upgraded to upstream version 10.5.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557569)
jss rebased to version 4.4.4
The jss packages have been upgraded to upstream version 4.4.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557575)
The CRMFPopClient utility supports CRMF requests without key archival
With this enhancement, users can create Certificate Request Message Format (CRMF) requests without the key archival option when using the CRMFPopClient utility. This feature increases flexibility because a Key Recovery Authority (KRA) certificate is no longer required. Previously, if the user did not pass the -b transport_certificate_file option to CRMFPopClient, the utility automatically used the KRA transport certificate stored in the transport.txt file. With this update, if -b transport_certificate_file is not specified, Certificate System creates a request without using key archival. (BZ#1585866)
Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates
This update enhances Certificate System to automatically apply ECC profiles when setting up a new root CA with ECC certificates using the pkispawn utility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to pkispawn when setting up a root CA. (BZ#1550742)
Certificate System now adds the SAN extension to server certificates
With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate. (BZ#1562423)
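The SAN change matters because modern TLS clients match the host name only against the Subject Alternative Name extension and ignore the Common Name. The following Go program is an added example, not code from Certificate System or the page: it constructs two self-signed server certificates locally (one with the CN mirrored into the SAN, as the updated Certificate System does by default, and one with a bare CN) and shows a check a defender can run over issued certificates to find ones that lack a matching SAN, together with the practical effect on Go's own hostname verification (Go 1.15 or later never consults the CN). Host names and key types are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeServerCert builds a self-signed server certificate for cn. When withSAN
// is true the CN is also placed in the SAN extension (dNSName); otherwise the
// certificate carries only a CN. Constructed test data, not a certificate
// issued by Certificate System.
func makeServerCert(cn string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SANCoversCN reports whether the certificate's SAN extension contains the
// Subject CN, either as a dNSName (case-insensitive) or as an iPAddress.
// Certificates for which this is false will fail hostname verification in
// clients that ignore the CN.
func SANCoversCN(cert *x509.Certificate) bool {
	cn := cert.Subject.CommonName
	for _, name := range cert.DNSNames {
		if strings.EqualFold(name, cn) {
			return true
		}
	}
	for _, ip := range cert.IPAddresses {
		if ip.String() == cn {
			return true
		}
	}
	return false
}

// HostnameVerifies shows the client-side consequence using Go's standard
// library verifier, which matches host against SAN entries only.
func HostnameVerifies(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	const cn = "pki.example.test" // constructed host name
	for _, withSAN := range []bool{true, false} {
		cert, err := makeServerCert(cn, withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN present=%-5v SAN covers CN=%-5v hostname verifies=%v\n",
			withSAN, SANCoversCN(cert), HostnameVerifies(cert, cn))
	}
}
```

To audit real certificates, replace makeServerCert with x509.ParseCertificate over the DER of each issued server certificate and report every one for which SANCoversCN returns false; those are the certificates that the pre-update profile would have produced.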
A low-level API to create X.509 certificates and CRLs has been added to JSS
This enhancement adds a low-level API to the Java Security Services (JSS), which can be used to create X.509 certificates and certificate revocation lists (CRLs). (BZ#1560682)
pcsc-lite-ccid driver now has support for new smart card readers
Previously, the pcsc-lite-ccid driver did not detect certain smart card readers. This enhancement adds the USB-ID values of these readers to the driver. As a result, pcsc-lite-ccid now detects the smart card readers in the described scenario.
Note that Red Hat did not test the smart card readers whose USB-IDs have been added. (BZ#1558258)
pam_pkcs11 module now has support for certificate chains
This update enhances the pam_pkcs11 module to support Public Key Infrastructure for X.509 (PKIX) certificate chains. This enables more complex chain processing, including multiple paths to the leaf certificate. As a result, pam_pkcs11 now validates PKIX certificate chains. (BZ#1578029)
dnssec-keymgr automates DNSSEC key rollovers
This update introduces dnssec-keymgr, a utility to automate DNS Security Extensions (DNSSEC) key rollovers. dnssec-keymgr enables automatic long-term management of DNS keys for secure zones through a simple, configurable policy. This makes it possible to roll keys seamlessly, without interrupting the DNS service. (BZ#1510008)
DNSSEC validation can be disabled for selected domains
Previously, if DNSSEC validation was enabled and a specific domain was failing, no hosts in that domain could be reached. With this release, you can configure exemptions from DNS Security Extensions (DNSSEC) validation for selected zones if the validation fails because of incorrect configuration, not an attack. The addresses of the hosts in the failing domain are resolved as unsigned and can be reached, while all other names are validated for security risks. (BZ#1452091)
SSSD on an IdM client can now authenticate against a specific AD site or AD DC
The System Security Services Daemon (SSSD) running on an Identity Management (IdM) client in a domain with a trust relationship with Active Directory (AD) can now be pinned to authenticate against a configured AD site or a configured set of AD Domain Controllers (DCs).
Previously, SSSD relied completely on DNS SRV discovery done by libkrb5. However, this did not take AD sites into account because libkrb5 has no notion of AD sites. If the administrator wanted to pin SSSD to authenticate against a set of AD DCs, they had to set the correct Key Distribution Centre (KDC) in the /etc/krb5.conf file, which was non-intuitive.
The enhancement is especially convenient for large environments, in which modifying the /etc/krb5.conf file on each client individually was previously the only available solution. (BZ#1416528)
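The page does not show how the pinning is configured. The fragment below is an added example, not taken from the page or from Red Hat's documentation: it assumes the trusted-domain subsection form [domain/IDM_DOMAIN/AD_DOMAIN] and the ad_site and ad_server options as documented in sssd.conf(5); all domain, site and host names are constructed placeholders. Only one of ad_site or ad_server is normally needed; both are shown to illustrate the two choices the text describes.

```ini
# /etc/sssd/sssd.conf on an IdM client (constructed example; names are placeholders)
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
ipa_domain = idm.example.com
ipa_server = _srv_, idm-server.idm.example.com

# Trusted-domain subsection for the AD forest the IdM domain trusts.
# Pin this client either to one AD site (site-aware DC discovery) ...
[domain/idm.example.com/ad.example.com]
ad_site = Branch-Office
# ... or to an explicit, ordered list of DCs; with this in place the KDC
# no longer has to be hard-coded in /etc/krb5.conf on each client.
ad_server = dc1.ad.example.com, dc2.ad.example.com
```

After editing, restart SSSD and confirm the chosen DC with the SSSD debug logs for the trusted subdomain; a misspelled site name falls back to the unpinned behaviour the text describes as the previous default, so verify rather than assume.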