Chapter 5. Authentication and Interoperability

Certificate System now supports additional strong ciphers by default

With this update, the following additional ciphers, which are compliant with the Federal Information Processing Standard (FIPS), are enabled by default in Certificate System:
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
For a full list of enabled ciphers, enter:
# /usr/lib64/nss/unsupported-tools/listsuites | grep -B1 --no-group-separator "Enabled"
If you use a Hardware Security Module (HSM) with Certificate System, see the documentation of the HSM for supported ciphers. (BZ#1550786)
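The check a deployment would run after this update, as an added example that is not part of the release notes: it parses listsuites output in the two-line-per-suite layout the command prints (a name line ending in ":" followed by a detail line; the sample output is constructed) and reports which of the suites above are not enabled, plus any enabled suite that NSS itself marks Non-FIPS.

```shell
# Added example, not part of the Red Hat release notes: verify that the
# suites listed above are really enabled, using the two-line-per-suite
# layout that listsuites prints (a name line ending in ":" followed by a
# detail line containing "Enabled" or "Disabled" and "FIPS" or "Non-FIPS").

# Constructed sample output in listsuites format. On a real host use:
#   SUITES=$(/usr/lib64/nss/unsupported-tools/listsuites)
SAMPLE_SUITES='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
  0xc030 TLS   ECDHE RSA   AES-GCM   256 AEAD SHA384 Enabled  FIPS      Domestic
TLS_RSA_WITH_AES_256_GCM_SHA384:
  0x009d TLS   RSA   RSA   AES-GCM   256 AEAD SHA384 Enabled  FIPS      Domestic
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
  0x009f TLS   DHE   RSA   AES-GCM   256 AEAD SHA384 Disabled FIPS      Domestic
TLS_RSA_WITH_RC4_128_SHA:
  0x0005 TLS   RSA   RSA   RC4       128 SHA1 SHA1   Enabled  Non-FIPS  Domestic'

# Suites the release note says are enabled by default (subset for the sample).
REQUIRED_SUITES='TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384'

# enabled_suites OUTPUT: print the name of every suite whose detail line
# says Enabled (the awk equivalent of the grep -B1 "Enabled" pipeline above).
enabled_suites() {
    printf '%s\n' "$1" | awk '
        /:$/      { name = $1; sub(/:$/, "", name) }
        /Enabled/ { print name }'
}

# missing_suites OUTPUT: required suites that are NOT enabled, one per line.
missing_suites() {
    enabled=$(enabled_suites "$1")
    printf '%s\n' "$REQUIRED_SUITES" | while read -r suite; do
        printf '%s\n' "$enabled" | grep -qx "$suite" || printf '%s\n' "$suite"
    done
}

# non_fips_enabled OUTPUT: enabled suites that NSS itself marks Non-FIPS,
# which a FIPS deployment would normally expect to be disabled.
non_fips_enabled() {
    printf '%s\n' "$1" | awk '
        /:$/                    { name = $1; sub(/:$/, "", name) }
        /Enabled/ && /Non-FIPS/ { print name }'
}

# Usage on the constructed sample:
missing_suites "$SAMPLE_SUITES"     # prints TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
non_fips_enabled "$SAMPLE_SUITES"   # prints TLS_RSA_WITH_RC4_128_SHA
```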

samba rebased to version 4.8.3

The samba packages have been upgraded to upstream version 4.8.3, which provides a number of bug fixes and enhancements over the previous version:
  • The smbd service no longer queries user and group information from Active Directory domain controllers and NT4 primary domain controllers directly. Installations with the security parameter set to ads or domain now require that the winbindd service is running.
  • The dependency on global lists of trusted domains within the winbindd process has been reduced. For installations that do not require the global list, set the winbind scan trusted domains parameter in the /etc/samba/smb.conf file to no. For more information, see the parameter's description in the smb.conf(5) man page.
  • The trust properties displayed in the output of the wbinfo -m --verbose command have been changed to correctly reflect the status of the system where the command is executed.
  • Authentication from users of a one-way trust now works correctly when using the idmap_rid and idmap_autorid ID mapping back ends.
Samba automatically updates its tdb database files when the smbd, nmbd, or winbind daemon starts. Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdb database files.
For more information about notable changes, read the upstream release notes before updating: https://www.samba.org/samba/history/samba-4.8.0.html. (BZ#1558560)

Directory Server rebased to version 1.3.8.4

The 389-ds-base packages have been upgraded to upstream version 1.3.8.4, which provides a number of bug fixes and enhancements over the previous version. For a complete list of notable changes, read the upstream release notes before updating.

Certificate System rebased to version 10.5.9

The pki-core packages have been upgraded to upstream version 10.5.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557569)

jss rebased to version 4.4.4

The jss packages have been upgraded to upstream version 4.4.4, which provides a number of bug fixes and enhancements over the previous version. (BZ#1557575)

The CRMFPopClient utility supports CRMF requests without key archival

With this enhancement, users can create Certificate Request Message Format (CRMF) requests without the key archival option when using the CRMFPopClient utility. This feature increases flexibility because a Key Recovery Authority (KRA) certificate is no longer required. Previously, if the user did not pass the -b transport_certificate_file option to CRMFPopClient, the utility automatically used the KRA transport certificate stored in the transport.txt file. With this update, if -b transport_certificate_file is not specified, Certificate System creates a request without using key archival. (BZ#1585866)

Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates

This update enhances Certificate System to automatically apply ECC profiles when setting up a new root CA with ECC certificates using the pkispawn utility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to pkispawn when setting up a root CA. (BZ#1550742)

Certificate System now adds the SAN extension to server certificates

With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate. (BZ#1562423)

A low-level API to create X.509 certificates and CRLs has been added to JSS

This enhancement adds a low-level API to the Java Security Services (JSS) that can be used to create X.509 certificates and certificate revocation lists (CRLs). (BZ#1560682)

The pcsc-lite-ccid driver now has support for new smart card readers

Previously, the pcsc-lite-ccid driver did not detect certain smart card readers. This enhancement adds the USB-ID values of these readers to the driver. As a result, pcsc-lite-ccid now detects the smart card readers in the described scenario.
Note that Red Hat did not test the smart card readers whose USB-IDs have been added. (BZ#1558258)

The pam_pkcs11 module now has support for certificate chains

This update enhances the pam_pkcs11 module to support Public Key Infrastructure for X.509 (PKIX) certificate chains. This enables more complex chain processing, including multiple paths to the leaf certificate. As a result, pam_pkcs11 now validates PKIX certificate chains. (BZ#1578029)

dnssec-keymgr automates DNSSEC key rollovers

This update introduces dnssec-keymgr, a utility to automate DNS Security Extensions (DNSSEC) key rollovers. dnssec-keymgr enables automatic long-term management of DNS keys for secure zones through a simple, configurable policy. This makes it possible to roll over keys seamlessly, without interrupting the DNS service. (BZ#1510008)

DNSSEC validation can be disabled for selected domains

Previously, if DNSSEC validation was enabled and a specific domain was failing, no hosts in that domain could be reached. With this release, you can configure exemptions from DNS Security Extensions (DNSSEC) validation for selected zones if the validation fails because of incorrect configuration, not an attack. The addresses of the hosts in the failing domain are resolved as unsigned and can be reached, while all other names are validated for security risks. (BZ#1452091)

SSSD on an IdM client can now authenticate against a specific AD site or AD DC

The System Security Services Daemon (SSSD) running on an Identity Management (IdM) client in a domain with a trust relationship with Active Directory (AD) can now be pinned to authenticate against a configured AD site or a configured set of AD Domain Controllers (DC).
Previously, SSSD relied completely on DNS SRV discovery done by libkrb5. However, this did not take AD sites into account because libkrb5 has no notion of AD sites. If the administrator wanted to pin SSSD to authenticate against a set of AD DCs, they had to set the correct Key Distribution Centre (KDC) in the /etc/krb5.conf file, which was non-intuitive.
The enhancement is especially convenient for large environments, in which modifying the /etc/krb5.conf file on each client individually was previously the only available solution. (BZ#1416528)