Issued: 2011-12-06
Updated: 2011-12-06

RHBA-2011:1655 - pki-core bug fix and enhancement update


Synopsis

pki-core bug fix and enhancement update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated pki-core packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.

Description

Red Hat Certificate System is an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat Certificate System, which contain the Certificate Authority (CA) subsystem.

Note: The Certificate Authority component provided by this update is not intended to be used as a standalone server. It is installed and operates as part of Red Hat Enterprise Identity (IPA).

Bug fixes:

  • Configuration of a certificate server failed with the following error: "Unable to retrieve CA chain: request failed with HTTP status 500". This occurred due to a race condition between the process reading the /etc/pki-ca/registry.cfg file and the restart process as registry.cfg was timestamped on startup. registry.cfg is now left unmodified on startup. (BZ#698796)

  • On Red Hat Certificate System 8, the 64-bit pkicreate script was attempting to use libCryptoki2.so for SafeNet Luna SA and failed to load it as the library did not exist. The code has been changed and pkicreate on 64-bit platforms now uses libCryptoki2_64.so. (BZ#728651)

  • The pkiremove command removed all instances of the CA (Certification Authority) type instead of removing only a specific instance. This occurred because pkiremove removed the registry directory /etc/sysconfig/pki/[subsystem_type] instead of removing only the registry entry for the specific instance in the /etc/sysconfig/pki/[type]/ directory. The command now removes only the respective type instance. (BZ#691076)

  • In a NAT (Network Address Translation) environment, authentication of an IPA machine clone could fail with a NullPointerException on machine setup. This happened when the clone tried to authenticate itself with a NAT translated IP address that was different from the IP address previously used for the authentication. Therefore, the master IPA machine rejected the authentication. As the machines use a shared key throughout the connection, the IP check was redundant and has been removed. (BZ#708075)

  • PKI provided Apache Tomcat configuration files which set "user:group" to "pkiuser:pkiuser". Therefore, the /var/log/tomcat6/catalina.out file was also owned by pkiuser. As the file needs to be owned by Tomcat 6, the TOMCAT_LOG variable has been added to the configuration files and Tomcat now uses "tomcat:tomcat" as its "user:group". (BZ#693835)

  • The Dogtag subsystem did not detect a replication failure if the replication failed during clone setup. Therefore, Dogtag kept looking for the root directory on the directory server and got into an infinite loop as the replication failed and the root directory was never created. Dogtag now waits for the replication to finish and the problem no longer occurs. (BZ#726785)

  • Due to changes in startup scripts, the PKI SELinux policy was not applied and tomcat6 instances ran unconfined. The startup scripts now apply the SELinux policy if it is enabled, and tomcat6 instances now run with the restrictions defined in the policy. (BZ#700522)
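
An added post-update check (not part of this advisory or the pki-core packages) covering the conditions described for BZ#700522 and BZ#693835: tomcat6 instances must run in a confined SELinux domain, and /var/log/tomcat6/catalina.out must be owned by tomcat:tomcat. The sample ps output is constructed, and the pki_ca_t domain name in it is an assumption.

```bash
#!/bin/bash
# Post-update verification for pki-core 9.0.3-20.el6 (added example, not
# the project's own code): does any tomcat6/java process still run as
# unconfined_t, and is catalina.out owned by the expected user:group?

# Read "ps -eZ" lines from stdin and print "PID CMD" for every Java/Tomcat
# process whose SELinux context is unconfined_t. Returns 1 if any were found.
unconfined_procs() {
    local ctx pid tty cpu cmd found=0
    while read -r ctx pid tty cpu cmd; do
        [ "$ctx" = "LABEL" ] && continue          # skip the ps header line
        case "$cmd" in java|tomcat6|*tomcat*) ;; *) continue ;; esac
        case "$ctx" in
            *:unconfined_t:*|*:unconfined_t) echo "$pid $cmd"; found=1 ;;
        esac
    done
    return $found
}

# Compare a file's owner:group with the expected value (e.g. tomcat:tomcat).
# Returns 0 on a match, 1 otherwise; the mismatch is printed for the log.
owner_is() {
    local file=$1 expected=$2 actual
    actual=$(stat -c '%U:%G' "$file") || return 1
    [ "$actual" = "$expected" ] && return 0
    echo "$file is owned by $actual, expected $expected"
    return 1
}

# Constructed sample of "ps -eZ" output; PID 2410 is a tomcat6 JVM that the
# startup scripts left unconfined (the bug this update fixes), PID 2231 is
# confined (domain name assumed).
SAMPLE_PS='LABEL                            PID TTY          TIME CMD
system_u:system_r:init_t:s0        1 ?        00:00:01 init
system_u:system_r:pki_ca_t:s0   2231 ?        00:00:19 java
unconfined_u:unconfined_r:unconfined_t:s0 2410 ? 00:00:12 java
unconfined_u:unconfined_r:unconfined_t:s0 2500 pts/0 00:00:00 bash'

# On a live host, run instead:
#   ps -eZ | unconfined_procs
#   owner_is /var/log/tomcat6/catalina.out tomcat:tomcat
```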

Enhancements:

  • The default validity period of the default and constraint server certificates has been changed to 2 years. (BZ#729126)

  • The number of restarts needed during installation of Dogtag Certificate Server was decreased. (BZ#689891)

  • Several checks have been added to speed up installation of Dogtag Certificate Server. (BZ#689909)

  • The client usage flag has been added to the caIPAserviceCert server certificate. This allows an IPA server to use the server certificate as a client certificate and authenticate itself. (BZ#722634)

  • The pki-setup-proxy script has been added; it adds a configuration file to Apache Tomcat and updates the server.xml and CS.cfg files. The script upgrades the proxy configuration of an existing IPA installation to the AJP (Apache JServ Protocol) proxy code introduced in upstream version 2.1.1. (BZ#737179)

Users should upgrade to these updated pki-core packages, which fix the bugs and add the enhancements.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

Affected Products

Product                                                                   Version  Arch
Red Hat Enterprise Linux for Scientific Computing                         6        x86_64
Red Hat Enterprise Linux Workstation                                      6        x86_64
Red Hat Enterprise Linux Workstation                                      6        i386
Red Hat Enterprise Linux Server                                           6        x86_64
Red Hat Enterprise Linux Server                                           6        i386
Red Hat Enterprise Linux Server from RHUI                                 6        x86_64
Red Hat Enterprise Linux Server from RHUI                                 6        i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support             6        x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support             6        i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension   6        x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension   6        i386
Red Hat Enterprise Linux Desktop                                          6        x86_64
Red Hat Enterprise Linux Desktop                                          6        i386

Updated Packages

  • pki-setup-9.0.3-20.el6.noarch.rpm
  • pki-silent-9.0.3-20.el6.noarch.rpm
  • pki-util-javadoc-9.0.3-20.el6.noarch.rpm
  • pki-core-debuginfo-9.0.3-20.el6.x86_64.rpm
  • pki-ca-9.0.3-20.el6.noarch.rpm
  • pki-java-tools-javadoc-9.0.3-20.el6.noarch.rpm
  • pki-symkey-9.0.3-20.el6.x86_64.rpm
  • pki-common-javadoc-9.0.3-20.el6.noarch.rpm
  • pki-selinux-9.0.3-20.el6.noarch.rpm
  • pki-core-9.0.3-20.el6.src.rpm
  • pki-native-tools-9.0.3-20.el6.x86_64.rpm
  • pki-core-debuginfo-9.0.3-20.el6.i686.rpm
  • pki-native-tools-9.0.3-20.el6.i686.rpm
  • pki-util-9.0.3-20.el6.noarch.rpm
  • pki-symkey-9.0.3-20.el6.i686.rpm
  • pki-common-9.0.3-20.el6.noarch.rpm
  • pki-java-tools-9.0.3-20.el6.noarch.rpm

Fixes

CVEs

(none)

References

(none)
