What's New in PGP Certificate Server 
       Version 2.5 for Unix-Sun Solaris
   Copyright (c) 1998-99 by Network Associates 
  Technology, Inc., and its Affiliated Companies. 
                All Rights Reserved.

Thank you for using Network Associates' products.
This What's New file contains important
information regarding the PGP Certificate Server.
Network Associates strongly recommends that you
read this entire document.

Network Associates welcomes your comments and
suggestions.  Please use the information provided
in this file to contact us.

Warning: Export of this software may be restricted
by the U.S. Government.


___________________
WHAT'S IN THIS FILE

- New Features
- Documentation
- System Requirements
- Installation
- Starting the PGP Certificate Server
- Starting the PGP Replication Engine
- Using the Web Configuration/Monitoring Wizard
- Known Issues 
- Additional Information
- Year 2000 Compliance
- Contacting Network Associates


____________
NEW FEATURES

*  Improved Web-based Configuration

   Administrators can conveniently manage the Cert
   Server's configuration from nearly any web browser.
   This version improves the extensive on-line help
   on product configuration settings. This version 
   provides integrated support for many popular web
   servers including:

    - Netscape Enterprise Server 3.x
    - Netscape FastTrack Server 3.x
    - Apache 1.3.x

   Administrators can secure the communications 
   between the web browser and the Cert Server
   using the native security services provided by
   the web server installed with the Cert Server.

*  Database Size and Performance Improvements

   This version includes numerous performance
   enhancements and database optimizations. 
   Certificate database size has been reduced 
   by 20% - 30% from previous versions, due to
   improved certificate storage methods. This size
   reduction provides improved server performance; 
   more certificates are now stored in the 
   server's cache, less data is read from and 
   written to the server's hard disk, and fewer 
   transformations are needed on certificate data.

_____________
DOCUMENTATION

Also included with this release is the following
manual, which can be viewed on-line as well as
printed:

* PGP Certificate Server Administrator's Guide

This document is saved in Adobe Acrobat Portable
Document Format (.PDF). You can view and print the
document with Adobe's Acrobat Reader. PDF files
can include hypertext links and other navigation
features to assist you in finding answers to
questions about your Network Associates product.

To download Adobe Acrobat Reader from the World
Wide Web, visit Adobe's Web site at:

http://www.adobe.com/prodindex/acrobat/readstep.html

If the web server support for PGP Certificate
Server is installed, the Administrator's Guide is
also available through a link found on the page:

    http://YOUR-HOST-NAME:PORT/certserver/default.htm

Substitute the hostname of the machine running the
PGP Certificate Server for the YOUR-HOST-NAME
value.  For PORT, substitute the port number for
the web server that you are running on 
YOUR-HOST-NAME (by default, the web server listens
to port 8080).

Documentation feedback is welcome. Send e-mail to
tns_documentation@nai.com.


___________________
SYSTEM REQUIREMENTS

- Sun Solaris (UNIX) Version 2.5.1 or later (Ultra
  Sparc recommended) (Solaris 2.6 is required for
  databases larger than 2GB.)
- Perl 5 (required for the configuration/
  monitoring wizard)
- 64MB RAM minimum
- 30MB disk space for software
- Additional disk space for database (10MB - 500MB)
- Network interface card


____________
INSTALLATION

PGP Certificate Server comes shipped on a CD-ROM
in the form of a Solaris package file.

To upgrade from a previous version of the product
from a CD-ROM:

1.  Sign on as root.
2.  Modify the Solaris package administration
    file:

    A. Make a copy of the package administration
       file:

       cd /var/sadm/install/admin
       cp default pgp.admin

    B. Using a text editor, change the line in the
       pgp.admin file from "instance=unique" to 
       "instance=ask".

3.  Insert the CD-ROM.
4.  Mount the CD-ROM drive (if it isn't auto-
    mounted).
5.  Change to the directory containing the package
    file.
6.  Run the command:

    pkgadd -d PGPcertserv_2.5_Solaris \
           -a /var/sadm/install/admin/pgp.admin

7.  Create Web Configuration/Monitoring wizard
    logins, as directed onscreen.

To install the product from a CD-ROM (first-time
install):

1.  Sign on as root.
2.  Insert the CD-ROM.
3.  Mount the CD-ROM drive (if it isn't auto-
    mounted).
4.  Change to the directory containing the package
    file.
5.  Run the command:

    pkgadd -d PGPcertserv_2.5_Solaris

6.  Create Web Configuration/Monitoring wizard
    logins, as directed onscreen.


Verify the install succeeded:

1.  Run the command:

    pkginfo -l PGPcertd

2.  Verify that the status is "Completely
    Installed".


___________________________________
STARTING THE PGP CERTIFICATE SERVER

After successfully installing the server, you may
start it by following these steps.

1.  Sign on as root.

2.  Change to the product bin directory (this
    assumes the default install directory of
    /opt/PGPcertd).

    cd /opt/PGPcertd/bin

3.  Create the initial database.

    ./pgpcertd -n -f ../etc/pgpcertd.conf

4.  Start the server.

    ./pgpcertd -f ../etc/pgpcertd.conf

5.  Verify the server is running.

    ps -fu root | grep pgpcertd

If the server is not running, check the syslog
file for errors or try starting the server with
the Check Configuration flag (-c) to see why the
server did not start.

To test that the server is running properly, start
PGP (version 5.5 or later).  You will need to add
to PGP's configuration the URL of the machine
running the certificate server.  You can do this
by selecting PGP Preferences from PGPtray's popup
menu (or from PGPkeys' Edit/Preferences menu).
From the Servers page, add a New server.  Enter a
new domain or choose an existing one.  Then enter
an LDAP server using the form:

    ldap://YOUR-HOST-NAME

Now from PGPkeys, select any key from your list of
keys.  Then select the Send Key to Server item on
the Keys menu.  Be sure to select the name of your
new PGP Certificate Server.  If the key gets sent
to the server successfully, your server is running
properly.  You can also use the search dialog in
PGPkeys to search the keys on the server.  Again,
be sure to set the name of your new server as the
server to search.

___________________________________
STARTING THE PGP REPLICATION ENGINE

PGP Replication Engine uses the same configuration
file as the PGP Certificate Server.  The default
configuration file does not have replication
enabled.  The 'Replica' and 'RepLogFile'
configuration tags need to be configured prior to
successfully starting the engine. Examples of each
are:

    Replica     ldap://mirror.company.com
    RepLogFile  rep.log

See the Administrator's Guide for exact details on
these configuration values.

If you installed the optional PGP Replication
Engine component and performed the above
configuration, you may start the engine by
following these steps.

1.  Sign on as root.

2.  Change to the product bin directory (this
    assumes the default install directory of
    /opt/PGPcertd).

    cd /opt/PGPcertd/bin

3.  Start the product.

    ./pgprepd -f ../etc/pgpcertd.conf

4.  Verify the engine is running.

    ps -fu root | grep pgprepd

If the server is not running, check the syslog
file for errors or try starting the server with
the Check Configuration flag (-c) to see why the
server did not start.
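
The following pre-flight check is an added example,
not part of the original file or the product. It
confirms that the 'Replica' and 'RepLogFile' tags
are set before pgprepd is started, and flags the
empty or missing replication log described under
Known Issues. The function names, the comment and
tag syntax, and the log directory argument are
assumptions; it needs a POSIX shell.

```sh
#!/bin/sh
# Added example: pre-flight check before starting pgprepd.
# Assumptions (not from the product documentation): one "Tag value" pair
# per line, '#' starts a comment, tag names are case-sensitive, and a
# relative RepLogFile is resolved against the directory passed as $2.

# conf_value FILE TAG: print the last value set for TAG, status 1 if unset.
conf_value() {
    cv_found=""
    while read -r cv_tag cv_val cv_rest || [ -n "$cv_tag" ]; do
        case "$cv_tag" in "#"*|"") continue ;; esac
        if [ "$cv_tag" = "$2" ] && [ -n "$cv_val" ]; then cv_found=$cv_val; fi
    done < "$1"
    [ -n "$cv_found" ] && printf '%s\n' "$cv_found"
}

# check_replication_conf CONF [LOGDIR]
#   0 = both tags set and the replication log has content
#   1 = config unreadable, or Replica / RepLogFile missing or malformed
#   2 = tags set, but the log is missing or empty: do not use One Shot mode
check_replication_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    replica=$(conf_value "$1" Replica) ||
        { echo "Replica is not set in $1" >&2; return 1; }
    replog=$(conf_value "$1" RepLogFile) ||
        { echo "RepLogFile is not set in $1" >&2; return 1; }
    case "$replica" in
        *://?*) ;;   # URL form, as in the ldap:// example above
        *) echo "Replica '$replica' is not a URL" >&2; return 1 ;;
    esac
    case "$replog" in
        /*) logpath=$replog ;;
        *)  logpath=${2:-.}/$replog ;;
    esac
    if [ ! -s "$logpath" ]; then
        echo "replication log $logpath is missing or empty" >&2
        return 2
    fi
    echo "ok: Replica=$replica RepLogFile=$logpath"
}

# Run only when a config path is given, e.g.
#   sh repcheck.sh /opt/PGPcertd/etc/pgpcertd.conf LOGDIR
if [ "$#" -ge 1 ]; then
    check_replication_conf "$@"
fi
```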


_____________________________________________
USING THE WEB CONFIGURATION/MONITORING WIZARD

The PGP Certificate Server can be easily
configured using a web browser-based wizard.  This
wizard must be set up to run under an existing web
server product.  Most popular web servers support
the wizard.  The web server must be running on the
same machine as the PGP Certificate Server.

NOTE: Perl 5 needs to be installed on your machine
for the wizard to work. If you do not have Perl 5
installed, please see the Administrator's Guide
for details on where to get Perl 5.

If you are running the Apache web server supplied
with PGP Certificate Server and you requested the
installer to install the web server, you may need
to start (or restart) the web server.  This is
done by signing on as root and issuing the
command:

    /opt/PGPcertd/web/apachectl start
or 
    /opt/PGPcertd/web/apachectl restart

You can then access the configuration/monitoring
wizard from your browser using the URL:

    http://YOUR-HOST-NAME:PORT/certserver/index.html

If you are using another web server or did not
have the installer add this support, please see
the Administrator's Guide for details on how to
properly configure this feature.

You may also directly edit the configuration file
for the certificate server using any standard text
editor.  The default configuration file is found
in:

    /opt/PGPcertd/etc/pgpcertd.conf


____________
KNOWN ISSUES

o Using RSA keys as Admin keys
  In the International and Freeware releases, RSA
  keys cannot be used by the server as the Server
  Secure KeyID.  Only DSS/Diffie-Hellman keys can
  be used as the key the client uses to determine
  which server it is connecting to using TLS/SSL.

o Replication Engine Running in One Shot Mode
  Running the Replication Engine in One Shot mode
  with an empty or non-existent replication log may
  cause the program to hang.  The process can be
  killed without harming the system.  Note that this
  situation would not normally occur.


______________________
ADDITIONAL INFORMATION

** International and Freeware releases **

The International and Freeware versions of the PGP
Certificate Server do not encrypt data.  They do
provide strong authentication.  The Transport Layer
Security (TLS) connection between the PGP client
and the server is strongly authenticated; but the
data is sent over the network without being
encrypted.  This means that the queries and adds
that are performed by the PGP client can be viewed
by others, but the identity of someone performing
administrative functions is still strongly
authenticated.


____________________
YEAR 2000 COMPLIANCE

Information regarding NAI products that are Year 2000 compliant 
and its Year 2000 standards and testing models may be obtained 
from NAI’s website at http://www.nai.com/y2k.  

For further information, email y2k@nai.com.   


_____________________________
CONTACTING NETWORK ASSOCIATES

*FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS*

Contact the Network Associates Customer Care
department:

1.  Phone (408) 988-3832 Monday-Friday,
    6:00 A.M. - 6:00 P.M. Pacific time

2.  Fax (408) 970-9727 24-hour, Group III Fax

Send correspondence to the following Network
Associates location:

Network Associates Corporate Headquarters
3965 Freedom Circle
McCandless Towers
Santa Clara, CA
95054

Phone numbers for corporate-licensed customers:
Phone: (408) 988-3832
Fax:   (408) 970-9727

Phone numbers for retail-licensed customers:
Phone: (972) 278-6100
Fax:   (408) 970-9727


Or, you can receive online assistance through any
of the following resources:

1.  Internet E-mail: pgpsupport@pgp.com

2.  Internet FTP: ftp.nai.com

3.  World Wide Web: http://support.nai.com

4.  America Online: keyword MCAFEE

5.  CompuServe: GO NAI

To provide the answers you need quickly and
efficiently, the Network Associates technical
support staff needs some information about your
computer and your software. Please have this
information ready when you call:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected
  to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and speed, where
  applicable
- Relevant browsers or applications and their
  version numbers, where applicable
- How to reproduce your problem: when it occurs,
  whether you can reproduce it regularly, and
  under what conditions
- Information needed to contact you by voice, fax,
  or e-mail

We also seek and appreciate general feedback.


* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use
Network Associates products, we have established a
reseller's program to provide service, sales, and
support for our products worldwide. For a listing
of resellers, see the resellers.txt file or
contact Network Associates Customer Care for
resellers near you.


* FOR REPORTING PROBLEMS *

Network Associates prides itself on delivering a
high-quality product.  If you find any problems,
please take a moment to review the contents of
this file. If the problem you've encountered is
documented, there is no need to report the problem
to Network Associates.

If you find any feature that does not appear to
function properly on your system, or if you
believe an application would benefit greatly from
enhancement, please contact Network Associates
with your suggestions or concerns.


* FOR ON-SITE TRAINING INFORMATION *

Contact Network Associates Customer Service at 
(800) 338-8754.