Configuration changes to prevent server-initiated TLS session renegotiations in Red Hat Certificate System

Issue

A vulnerability was discovered in the Secure Sockets Layer (SSL) version 3 and Transport Layer Security (TLS) version 1 protocols related to session renegotiation. An attacker could initiate a man-in-the-middle attack that inserts plain text as a prefix to a victim's communication using a session renegotiation operation. This vulnerability has been assigned CVE identifier CVE-2009-3555. For additional details on this flaw, refer to Is Red Hat affected by TLS renegotiation MITM attacks (CVE-2009-3555)?.

How this affects Certificate System

Either a client or a server may request a renegotiation of an existing TLS/SSL session (for instance, to renew session encryption keys or to use a different cipher suite). When TLS/SSL is used to secure access to an HTTP service and a client attempts to access some protected resource, server-initiated renegotiation asks the client to authenticate with a certificate.

However, the TLS/SSL protocols did not use any mechanism to verify that session peers do not change during the session renegotiation. Therefore, a man-in-the-middle attacker could use this flaw to open TLS/SSL connections to the server, send an attacker-chosen request to the server, trigger the renegotiation (either by directly requesting it or by attempting to access a protected resource, resulting in server-initiated renegotiation) and splice the victim's initial connection attempt into the existing TLS/SSL session. Depending on the application-layer protocol, this may lead to the attacker's request being performed by the server as if authenticated using the victim's credentials, or using data from the victim's request. After the renegotiation, the attacker can no longer decrypt communication between the server and the victim, so this attack is also referred to as a "blind prefix injection" attack. Eric Rescorla's blog post "Understanding the TLS Renegotiation Attack" provides additional details about this flaw.

In Red Hat Certificate System, this kind of session renegotiation occurs if a user connects to an end-entities port which doesn't require client authentication, but then attempts to submit a certificate enrollment request for an enrollment profile that requires client authentication. The Certificate System server requests and then examines a client certificate for the user.

For both client-initiated and server-initiated renegotiation to be fixed, both the client and the server need to be updated to apply a fix for the man-in-the-middle vulnerability. Certificate System uses several different clients:

  • RA subsystems (for both regular and SCEP enrollments), which connect to the CA; this includes both the Certificate System RA and third-party RAs
  • TPS subsystems, which connect to the CA for token operations
  • The Windows auto-enrollment proxy
  • Web browsers, which are used by users to connect to the CA's end-entities pages

Updating the system NSS packages on any system that hosts a Certificate System subsystem will take care of all subsystem communication. When the NSS packages are updated, the CA-RA and CA-TPS connections will use the new session renegotiation protocol and all of the operations will proceed as normal.

Additional configuration changes may need to be made for the Windows auto-enrollment proxy or third-party RAs if those systems aren't updated to use the new renegotiation protocol. Contact Red Hat support for information on what needs to be done for those clients.

It is uncertain when browser clients will have updates available and applied to use the new session renegotiation protocol. If these clients aren't updated, but the server is, then connections to the subsystem hosts may fail. This Knowledgebase article contains configuration changes that will allow clients to successfully connect to updated servers.

Environment

Red Hat Certificate System uses TLS/SSL to secure access to agent, administrative, and end-entities pages. The described updates and configuration modifications are applicable to the following product versions:

  • Red Hat Certificate System 8.0
  • Red Hat Certificate System 7.3
  • Red Hat Certificate System 7.1

Resolution

Red Hat is addressing this issue by providing updated NSS packages which add support for RFC 5746, "Transport Layer Security (TLS) Renegotiation Indication Extension."

Red Hat Certificate System 8.0 uses the Red Hat Enterprise Linux 5 system nss packages. Red Hat Certificate System 7.3 shipped with its own dirsec-nss packages, which are replaced by the Red Hat Enterprise Linux 4 system nss packages with this update. Along with updating the NSS packages, the RA and TPS packages must also be updated for Red Hat Certificate System 7.3.

The following errata contain these updated packages:

  • Errata RHSA-2010:0165 for Red Hat Certificate System 8.0 NSS packages
  • Errata RHBA-2010:0169 for Red Hat Certificate System 8.0 pki-ca, pki-selinux, redhat-pki-ca-ui, pki-setup, and pki-common packages
  • Errata RHSA-2010:0165 for Red Hat Certificate System 7.3 NSS packages
  • Errata RHBA-2010:0170 for Red Hat Certificate System 7.3 pki-tps and pki-ra packages

Red Hat Certificate System 7.1 uses NSS library files that are packaged within the Red Hat Certificate System 7.1 package. For Red Hat Certificate System 7.1, the updated NSS libraries, Certificate System packages, and dependencies will be provided as a hot fix from SEG.

When NSS packages are updated, any operation executed by Red Hat Certificate System subsystems which depends on TLS renegotiation will fail for those clients that are not updated to support RFC 5746. The additional configuration changes in this article allow the subsystems to avoid TLS session renegotiation by directing all requests requiring client certificate authentication to a separate port. In Certificate System 7.1 and 8.0, that port is the agent secure port. In Certificate System 7.3, no port is configured to require certificate authentication on the initial handshake. Therefore, the instructions for Certificate System 7.3 also describe how to configure the agent secure port so that it always requires client authentication.

These changes are not required if all clients accessing Certificate System are upgraded to support RFC 5746.

The instructions also assume that Certificate System has been configured to use separate agent, end-entities, and admin ports. This is the default configuration in Certificate System 7.1 and 8.0 (though the instances could still be configured manually to use a single SSL port). However, port separation is only available on Certificate System 7.3 if the server is updated to the latest version and if the subsystems are manually configured to use port separation.

Configuration changes to avoid TLS/SSL session renegotiation

Reconfiguring Red Hat Certificate System 8.0

Red Hat Certificate System 8.0 uses the Red Hat Enterprise Linux 5 system NSS packages. Updated NSS packages for Red Hat Enterprise Linux 5 are available as part of Errata RHSA-2010:0165.

An additional errata has to be applied to Certificate System 8.0 to include support for clients which aren't updated to support RFC 5746. Errata RHBA-2010:0169 requires the creation of a new port that requires client authentication. When a user submits a request to an enrollment profile that requires client authentication, the request is directed to this port; this avoids renegotiation. All requests for regular profiles can continue to be processed over the standard end-entities port.

Existing instances need to be reconfigured to add the new port and to direct requests to this port. Any new instances will automatically have these changes applied.

On Existing CAs
  1. Before making any edits to the CA configuration, back up the following files:

    • /var/lib/instance_name/webapps/ca/WEB-INF/web.xml
    • /var/lib/instance_name/web-apps.ee/ca/ee/ca/ProfileSelect.template
    • /var/lib/instance_name/conf/server.xml
    • /etc/init.d/instance_name
  2. Since database changes are also required, back up the database.

  3. Modify the server.xml file to add the new client authentication end-entities port.

    • At the top of the file, replace the PKI status definitions with the following section, using the correct hostname and ports. Replace all the lines with the exact excerpt below, because there are important spacing differences within the definitions.

      <!-- DO NOT REMOVE - Begin PKI Status Definitions -->
      <!--
      Unsecure Port       = http://server.example.com:9180/ca/ee/ca
      Secure Agent Port   = https://server.example.com:9443/ca/agent/ca
      Secure EE Port      = https://server.example.com:9444/ca/ee/ca
      Secure Admin Port   = https://server.example.com:9445/ca/services
      EE Client Auth Port = https://server.example.com:9446/ca/eeca/ca
      PKI Console Port    = pkiconsole https://server.example.com:9445/ca
      Tomcat Port         = 9802 (for shutdown)
      -->
      <!-- DO NOT REMOVE - End PKI Status Definitions -->
    • Add a section for the new port. Make sure that the clientAuth value is set to true. (The port number and the serverCertNickFile and passwordFile directives should all match your instance information.)

      <!-- Port Separation:  EE Secure Client Auth Port Connector -->
      <Connector name="EEClientAuth" port="9446" maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" scheme="https" secure="true"
      clientAuth="true" sslProtocol="SSL"
      sslOptions="ssl2=true,ssl3=true,tls=true"
      ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
      ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
      tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
      SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
      serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
      passwordFile="/var/lib/pki-ca/conf/password.conf"
      passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
      certdbDir="/var/lib/pki-ca/alias"/>
  4. Modify the /etc/init.d/instance_name initialization script to read the new status definitions.

    • At line 242, replace the following lines. Replace all the lines with the exact excerpt, as there are important differences in whitespace in the quoted strings (each string is exactly 22 characters long, which is what the cut -b1-22 comparison below depends on).

      unsecure_port_statement="Unsecure Port       = "
      secure_agent_port_statement="Secure Agent Port   = "
      secure_ee_port_statement="Secure EE Port      = "
      secure_ee_client_auth_port_statement="EE Client Auth Port = "
      secure_admin_port_statement="Secure Admin Port   = "
      pki_console_port_statement="PKI Console Port    = "
      tomcat_port_statement="Tomcat Port         = "
    • Modify the code at around line 280 so that it reads as follows (the comparison now covers 22 characters and expects seven ports instead of six).

      head=`echo "$line" | cut -b1-22`
      if [ "$head" == "$unsecure_port_statement" ] ||
         [ "$head" == "$secure_agent_port_statement" ] ||
         [ "$head" == "$secure_ee_port_statement" ] ||
         [ "$head" == "$secure_ee_client_auth_port_statement" ] ||
         [ "$head" == "$secure_admin_port_statement" ] ||
         [ "$head" == "$pki_console_port_statement" ] ||
         [ "$head" == "$tomcat_port_statement" ] ; then
          echo " $line"
          total_ports=`expr ${total_ports} + 1`
        fi
      fi
      done

      if [ ${total_ports} -eq 7 ] ; then
        return 0
  5. Open the web.xml file.

    vim /var/lib/instance_name/webapps/ca/WEB-INF/web.xml

  6. Add the following servlet mappings for submitting profiles to the secure end-entities client authentication URL:

    <servlet-mapping>
      <servlet-name> caProfileSubmitSSLClient </servlet-name>
      <url-pattern> /eeca/ca/profileSubmitSSLClient </url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name> caGetCertFromRequest </servlet-name>
      <url-pattern> /eeca/ca/getCertFromRequest </url-pattern>
    </servlet-mapping>
  7. Edit the profile selection template to use the URL for the new secure end-entities client authentication services port. For example, assuming the default end-entities client authentication SSL port of 9446:

    vim /var/lib/instance_name/webapps/ca/ee/ca/ProfileSelect.template

    ... original ...
    uri = 'profileSubmitSSLClient';

    ... updated ...
    uri = 'https://server.example.com:9446/ca/eeca/ca/profileSubmitSSLClient';
  8. The new port details need to be added to the security domain description of the subsystem, as stored in the database.

    • Connect to the database and update the schema. (Each LDIF entry is terminated by a blank line; the two changes within the second entry are separated by a line containing only a hyphen.)

      /usr/lib/mozldap/ldapmodify -p db_port -h db_host -D "cn=Directory Manager" -w db_password

      dn: cn=schema
      changetype: modify
      add: attributeTypes
      attributeTypes: ( SecureEEClientAuthPort-oid NAME 'SecureEEClientAuthPort' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )

      dn: cn=schema
      changetype: modify
      delete: objectClasses
      objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ UnSecurePort ) X-ORIGIN 'user defined' )
      -
      add: objectClasses
      objectClasses: ( pkiSubsystem-oid NAME 'pkiSubsystem' DESC 'CMS defined class' SUP top STRUCTURAL MUST ( cn $ Host $ SecurePort $ SubsystemName $ Clone ) MAY ( DomainManager $ SecureAgentPort $ SecureAdminPort $ SecureEEClientAuthPort $ UnSecurePort ) X-ORIGIN 'user defined' )

      ^C
    • Add the new port information to the security domain entry for this subsystem.

      /usr/lib/mozldap/ldapmodify -p db_port -h db_host -D "cn=Directory Manager" -w db_password

      dn: cn=hostname:admin_port,cn=CAList,ou=Security Domain,dc=basedn
      changetype: modify
      add: SecureEEClientAuthPort
      SecureEEClientAuthPort: new_port_number

      ^C
  9. Restart the CA.

    service pki-ca restart
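The init script's port-status check depends on the exact padding of the status statements: it compares the first 22 bytes of each line inside the "PKI Status Definitions" comment with the quoted strings, so a definition written with a single space before the equals sign is silently not counted and the script's port count falls short. The following is an added example written for this article, not code from the pki-ca init script or the Red Hat errata; it re-creates that matching as a stand-alone function and runs it against a constructed, correctly padded status block and against the same block with the padding collapsed. The file contents, hostname and ports are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or the pki-ca init script):
# re-creates the status-definition matching done by /etc/init.d/instance_name
# so the whitespace in the "PKI Status Definitions" block can be checked
# before the instance is restarted.

# Every statement is exactly 22 bytes long, because the init script compares
# the first 22 bytes of each comment line (cut -b1-22) against these strings.
unsecure_port_statement="Unsecure Port       = "
secure_agent_port_statement="Secure Agent Port   = "
secure_ee_port_statement="Secure EE Port      = "
secure_ee_client_auth_port_statement="EE Client Auth Port = "
secure_admin_port_statement="Secure Admin Port   = "
pki_console_port_statement="PKI Console Port    = "
tomcat_port_statement="Tomcat Port         = "

# count_status_ports FILE: print each recognised status line found between the
# "Begin"/"End PKI Status Definitions" markers of a server.xml, and succeed
# only when all seven expected definitions were matched.
count_status_ports() {
    file="$1"
    total_ports=0
    inside=0
    while IFS= read -r line; do
        case "$line" in
            *"Begin PKI Status Definitions"*) inside=1; continue ;;
            *"End PKI Status Definitions"*)   inside=0; continue ;;
        esac
        [ "$inside" -eq 1 ] || continue
        head=$(printf '%s\n' "$line" | cut -b1-22)
        if [ "$head" = "$unsecure_port_statement" ] ||
           [ "$head" = "$secure_agent_port_statement" ] ||
           [ "$head" = "$secure_ee_port_statement" ] ||
           [ "$head" = "$secure_ee_client_auth_port_statement" ] ||
           [ "$head" = "$secure_admin_port_statement" ] ||
           [ "$head" = "$pki_console_port_statement" ] ||
           [ "$head" = "$tomcat_port_statement" ] ; then
            echo "    $line"
            total_ports=$((total_ports + 1))
        fi
    done < "$file"
    [ "$total_ports" -eq 7 ]
}

# Constructed sample: a status block padded the way the init script expects.
GOOD_XML=$(mktemp)
cat > "$GOOD_XML" <<'EOF'
<!-- DO NOT REMOVE - Begin PKI Status Definitions -->
<!--
Unsecure Port       = http://server.example.com:9180/ca/ee/ca
Secure Agent Port   = https://server.example.com:9443/ca/agent/ca
Secure EE Port      = https://server.example.com:9444/ca/ee/ca
Secure Admin Port   = https://server.example.com:9445/ca/services
EE Client Auth Port = https://server.example.com:9446/ca/eeca/ca
PKI Console Port    = pkiconsole https://server.example.com:9445/ca
Tomcat Port         = 9802 (for shutdown)
-->
<!-- DO NOT REMOVE - End PKI Status Definitions -->
EOF

# Constructed sample: the same block with the padding collapsed to one space.
# cut -b1-22 then yields e.g. "Secure Agent Port = ht", which matches nothing;
# only the 19-character "EE Client Auth Port" line still lines up.
BAD_XML=$(mktemp)
sed 's/ *= / = /' "$GOOD_XML" > "$BAD_XML"

if count_status_ports "$GOOD_XML"; then
    echo "padded block: all seven status definitions recognised"
fi
if ! count_status_ports "$BAD_XML" >/dev/null; then
    echo "collapsed padding: the init script would not find all ports"
fi
```

Run it as-is to see both outcomes; to check a real instance, point count_status_ports at /var/lib/instance_name/conf/server.xml and confirm it prints seven lines and exits 0.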
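After the new connector has been added (or, on Certificate System 7.3, after the agent connector's clientAuth directive has been flipped to true), it is worth verifying the result before relying on it. The following is an added example, not code from this article or from Certificate System: it extracts the clientAuth attribute of each <Connector> in a server.xml so you can confirm that the ports meant to require a client certificate do, and that the plain end-entities port still does not; a second helper inspects saved openssl s_client output for the "Secure Renegotiation IS supported" line that indicates RFC 5746 support on the updated server. The sample server.xml, its ports, and the s_client output below are constructed.

```shell
#!/bin/sh
# Added example (not part of the Red Hat article): post-change verification
# for a Certificate System server.xml and for RFC 5746 support on the server.

# connector_attr FILE PORT ATTR: print the value of attribute ATTR on the
# <Connector> whose port="PORT". Prints nothing and returns 1 if no connector
# with that port exists. The element may span several lines.
connector_attr() {
    c_file="$1"; c_port="$2"; c_attr="$3"
    c_inside=0; c_buf=""
    while IFS= read -r c_line; do
        case "$c_line" in
            *"<Connector"*) c_inside=1; c_buf="" ;;
        esac
        [ "$c_inside" -eq 1 ] || continue
        c_buf="$c_buf $c_line"          # join the element onto one line
        case "$c_line" in
            *"/>"*)
                c_inside=0
                case "$c_buf" in
                    *" port=\"$c_port\""*)
                        printf '%s\n' "$c_buf" |
                            sed -n "s/.*[[:space:]]$c_attr=\"\([^\"]*\)\".*/\1/p"
                        return 0 ;;
                esac ;;
        esac
    done < "$c_file"
    return 1
}

# require_client_auth FILE PORT: succeed only if that connector has clientAuth="true".
require_client_auth() {
    [ "$(connector_attr "$1" "$2" clientAuth)" = "true" ]
}

# renegotiation_secure FILE: FILE holds the saved output of a probe such as
#   openssl s_client -connect server.example.com:9446 </dev/null >FILE 2>&1
# and the function succeeds if the server advertised RFC 5746 secure
# renegotiation ("IS supported" rather than "IS NOT supported").
renegotiation_secure() {
    grep -q 'Secure Renegotiation IS supported' "$1"
}

# Constructed sample server.xml: agent port, plain EE port, and the new
# EE client-auth port from the 8.0 procedure (abbreviated attribute lists).
SAMPLE_XML=$(mktemp)
cat > "$SAMPLE_XML" <<'EOF'
<Server port="9802" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Port Separation:  Agent Secure Port Connector -->
    <Connector name="Agent" port="9443" scheme="https" secure="true"
               clientAuth="true" sslProtocol="SSL" />
    <!-- Port Separation:  EE Secure Port Connector -->
    <Connector name="EE" port="9444" scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL" />
    <!-- Port Separation:  EE Secure Client Auth Port Connector -->
    <Connector name="EEClientAuth" port="9446" maxHttpHeaderSize="8192"
               scheme="https" secure="true"
               clientAuth="true" sslProtocol="SSL"
               certdbDir="/var/lib/pki-ca/alias"/>
  </Service>
</Server>
EOF

# Constructed samples of the two possible openssl s_client verdict lines.
GOOD_SCLIENT=$(mktemp); BAD_SCLIENT=$(mktemp)
printf 'SSL handshake has read 1234 bytes and written 456 bytes\nSecure Renegotiation IS supported\n' > "$GOOD_SCLIENT"
printf 'SSL handshake has read 1234 bytes and written 456 bytes\nSecure Renegotiation IS NOT supported\n' > "$BAD_SCLIENT"

for p in 9443 9444 9446; do
    printf 'port %s clientAuth=%s\n' "$p" "$(connector_attr "$SAMPLE_XML" "$p" clientAuth)"
done
require_client_auth "$SAMPLE_XML" 9446 && echo "9446 requires a client certificate"
renegotiation_secure "$GOOD_SCLIENT" && echo "sample probe: RFC 5746 advertised"
```

The parser is deliberately line-based: it assumes each attribute appears once per connector and that no attribute value contains "/>", which holds for the connectors shown in this article. For a live check, save the output of openssl s_client against each updated port and pass the file to renegotiation_secure; a server still running the pre-errata NSS reports "IS NOT supported".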

Reconfiguring Red Hat Certificate System 7.3

In its initial release, Certificate System 7.3 used its own NSS packages, supplied as dirsec-nss. Errata RHSA-2010:0165 replaces the dirsec-nss package with the Red Hat Enterprise Linux 4 system nss packages, and the system nss packages are updated with the TLS renegotiation fix. A second errata, RHBA-2010:0170, enables the TPS and RA subsystems to operate properly with the updated NSS. Both RHSA-2010:0165 and RHBA-2010:0170 must be installed for Certificate System 7.3 deployments.

RA and TPS instances created after the errata are installed will already be correctly configured. For existing TPS and RA instances, the initialization scripts used to start the instances need to be modified.

In addition, the Certificate Authority subsystem may be reconfigured to avoid TLS/SSL session renegotiation for the following client interfaces:

  • CA end-entities pages
  • DRM connectors
  • TPS connectors

These clients will use the secure agent port for client authentication.

The 7.3 subsystems have to be reconfigured for a couple of reasons:

  1. By default, no designated port for any subsystem requires client authentication. The result is that if a browser which has not been updated attempts to connect to an enrollment profile that requires client authentication, the connection will fail because its renegotiation request fails.
  2. Browsers that are not updated with the TLS/SSL fix will fail to connect to the agent interface (which always requires client authentication) unless the agent secure port is designated as a client authentication interface.
  3. All clients which attempt to access enrollment profiles that require client authentication must be redirected to the secure agent port to avoid renegotiation requests.

For these reasons, there has to be a separate client authentication port to which to direct traffic to avoid renegotiation, and these configuration changes are required.

Note: These instructions are only applicable to the 7.3 subsystems that were configured to use port separation. Since port separation was not required by default in Certificate System 7.3, deployments not using port separation first need to be reconfigured to use it before applying these changes.

On the CA
  1. Update the NSS packages. On Red Hat Enterprise Linux, install the system nss packages. For example:

    up2date nss

    On Sun Solaris, stop the servers, and remove the old NSS and NSPR packages.

    /etc/init.d/instance_ID stop
    pkgrm RHATdirsec-nssx RHATdirsec-nsprx

    Then, install the RHATdirsec-nssx and RHATdirsec-nsprx packages and restart the servers. For example:

    pkgadd -d /path/to/RHATdirsec-nsprx-4.8.4.sparcv9.pkg
    pkgadd -d /path/to/RHATdirsec-nssx-3.12.6.sparcv9.pkg
    /etc/init.d/instance_ID start
  2. Before making any edits to the CA configuration, back up the following files:

    • /var/lib/instance_name/conf/server.xml
    • /var/lib/instance_name/web-apps.ee/ca/ee/ca/ProfileSelect.template
  3. Open the server.xml file.

    vim /var/lib/instance_name/conf/server.xml

  4. In the server.xml file, change the clientAuth directive in the agent connector to true.

    <Connector port="9013" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="SSL"
  5. Open the profile selection template.

    vim /var/lib/instance_name/web-apps.ee/ca/ee/ca/ProfileSelect.template

  6. Replace the value in the uri line with the URL to the agent port. The original line is:

    uri = 'profileSubmitSSLClient';

    The new line will look like the following:

    uri = 'https://server.example.com:9443/ca/ee/ca/profileSubmitSSLClient';

  7. Create a new end-entities web application directory to contain the files for the new URL referenced in the ProfileSelect.template file.

    mkdir -p /var/lib/instance_name/webapps/ca/ee/ca

    cp /var/lib/instance_name/webapps.ee/ca/ee/ca/ProfileSubmit.template /var/lib/instance_name/webapps/ca/ee/ca

    cp /var/lib/instance_name/webapps.ee/ca/ee/ca/ProfileSubmit.html /var/lib/instance_name/webapps/ca/ee/ca/ProfileSubmit.html

    chown -R pkiuser: /var/lib/instance_name/webapps/ca/ee
  8. Restart the CA. For example:

    /etc/init.d/rhpki-ca restart

On the DRM
  1. Update the NSS packages. On Red Hat Enterprise Linux, install the system NSS packages. For example:

    up2date nss

    On Sun Solaris, stop the servers, and remove the old NSS and NSPR packages.

    /etc/init.d/instance_ID stop
    pkgrm RHATdirsec-nssx RHATdirsec-nsprx

    Then, install the RHATdirsec-nssx and RHATdirsec-nsprx packages and restart the servers. For example:

    pkgadd -d /path/to/RHATdirsec-nsprx-4.8.4.sparcv9.pkg
    pkgadd -d /path/to/RHATdirsec-nssx-3.12.6.sparcv9.pkg
    /etc/init.d/instance_ID start
  2. On the CA, edit the CS.cfg file so that the DRM connector points at the agent's SSL port. For example:

    vim /var/lib/rhpki-ca/conf/CS.cfg

    ca.connector.KRA.port=10443
  3. Then, on the DRM, open the server.xml file.

    vim /var/lib/rhpki-kra/conf/server.xml

  4. Change the clientAuth directive in the agent connector to true. For example:

    <Connector port="10443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="SSL"
  5. Restart the subsystem. For example:

    /etc/init.d/rhpki-kra restart

On the OCSP and TKS
  1. Update the NSS packages. On Red Hat Enterprise Linux, install the system NSS packages. For example:

    up2date nss

    On Sun Solaris, stop the servers, and remove the old NSS and NSPR packages.

    /etc/init.d/instance_ID stop
    pkgrm RHATdirsec-nssx RHATdirsec-nsprx

    Then, install the RHATdirsec-nssx and RHATdirsec-nsprx packages and restart the servers. For example:

    pkgadd -d /path/to/RHATdirsec-nsprx-4.8.4.sparcv9.pkg
    pkgadd -d /path/to/RHATdirsec-nssx-3.12.6.sparcv9.pkg
    /etc/init.d/instance_ID start
  2. Open the server.xml file.

    vim /var/lib/instance_name/conf/server.xml

  3. Change the clientAuth directive in the agent connector to true. For example:

    <Connector port="13443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="SSL"
  4. Restart the subsystem. For example:

    /etc/init.d/rhpki-ocsp restart

On the TPS
  1. Update the pki-tps packages and NSS packages. On Red Hat Enterprise Linux, install the NSS packages. For example:

    up2date nss pki-tps

    On Sun Solaris, stop the servers, and remove the old NSS, NSPR, and TPS packages.

    /etc/init.d/instance_ID stop
    pkgrm RHATdirsec-nssx RHATdirsec-nsprx RHATrhpki-tpsx

    Then, install the RHATdirsec-nssx and RHATdirsec-nsprx packages (together with the updated TPS package) and restart the servers. For example:

    pkgadd -d /path/to/RHATdirsec-nsprx-4.8.4.sparcv9.pkg
    pkgadd -d /path/to/RHATdirsec-nssx-3.12.6.sparcv9.pkg
    pkgadd -d /path/to/RHATrhpki-tpsx-7.3.0-24.sol9.sparcv9.pkg
    /etc/init.d/instance_ID start
  2. On Linux systems only. For an existing subsystem, edit the init script to preload the system NSS library rather than dirsec-nss.

    vim /etc/init.d/instance_name

  3. On Linux systems only. Remove the line:

    LD_PRELOAD="/usr/lib64/dirsec/libssl3.so ${LD_PRELOAD}"

    Replace it with the following:

    LD_PRELOAD="/usr/lib64/libssl3.so ${LD_PRELOAD}"

    On 32-bit systems, the path is /usr/lib/.

  4. Restart the subsystem. For example:

    /etc/init.d/rhpki-tps restart

On the RA

Note: For systems that use a third-party RA, NSS will need to be updated to use the new protocol. If this is not possible, additional changes may need to be made on the RA and CA so that the RA can connect to an appropriate client authentication port.

  1. Update the system nss and pki-ra packages. On Red Hat Enterprise Linux, install the system NSS packages. For example:

    up2date nss pki-ra

    On Sun Solaris, stop the servers, and remove the old NSS, NSPR, and RA packages.

    /etc/init.d/instance_ID stop
    pkgrm RHATdirsec-nssx RHATdirsec-nsprx RHATrhpki-rax

    Then, install the RHATdirsec-nssx and RHATdirsec-nsprx packages (together with the updated RA package) and restart the servers. For example:

    pkgadd -d /path/to/RHATdirsec-nsprx-4.8.4.sparcv9.pkg
    pkgadd -d /path/to/RHATdirsec-nssx-3.12.6.sparcv9.pkg
    pkgadd -d /path/to/RHATrhpki-rax-7.3.0-70.sol9.noarch.pkg
    /etc/init.d/instance_ID start
  2. On Linux systems only. For an existing subsystem, edit the init script to preload the system NSS library rather than dirsec-nss.

    vim /etc/init.d/instance_name

  3. On Linux systems only. Remove the line:

    LD_PRELOAD="/usr/lib64/dirsec/libssl3.so ${LD_PRELOAD}"

    Replace it with the following:

    LD_PRELOAD="/usr/lib64/libssl3.so ${LD_PRELOAD}"

    On 32-bit systems, the path is /usr/lib/.

Reconfiguring Red Hat Certificate System 7.1

Certificate System 7.1 uses NSS libraries that are included in the 7.1 package. Updated NSS and Certificate System packages and dependencies will be available as a hot fix from SEG. The build number for the hot fix is 20100317.1, and the three packages are:

  • RHCS 7.1 - RHDS 7.1 (SP 7) + RHDS 7.1 Patch + MITM
  • RHDS 7.1 - MITM
  • NES 6.2 (SP 1) - MITM

The Certificate Authority subsystem and its end-entities services can be reconfigured to avoid server-initiated TLS/SSL session renegotiations. This will allow all browsers to continue to connect successfully to the updated Certificate System subsystems. Client requests for enrollment forms that require client authentication will be directed to the agent port, so renegotiations are avoided.

Note: File locations are slightly different on Red Hat Enterprise Linux systems than on Sun Solaris systems. These examples use the Linux paths. Use the file or directory locations for your specific installation and platform.

  1. Apply the NSS patch to the 7.1 server. The new file includes the fixed libssl3.so, which replaces the existing libssl3.so file in several directories:

    • /opt/redhat-cs/bin/admin/lib/libssl3.so
    • /opt/redhat-cs/bin/https/lib/libssl3.so
    • /opt/redhat-cs/bin/slapd/lib/libssl3.so
    • /opt/redhat-cs/bin/cert/lib/libssl3.so
    • /opt/redhat-cs/shared/lib/libssl3.so
    • /opt/redhat-cs/clients/lib/libssl3.so
  2. Before making any edits to the CA configuration, back up the following files:

    • /opt/redhat-cs/instance_name/web-apps/ee/ra/ProfileSelect.template
    • /opt/redhat-cs/instance_name/web-apps/agent/WEB-INF/web.xml
  3. Open the profile selection template for the RA.

    vim /opt/redhat-cs/instance_name/web-apps/ee/ra/ProfileSelect.template
  4. Replace the uri value for the RA services in the CA with the full URL to the agent port. The original line reads:

    uri = '/ra/profileSubmitSSLClient';

    The new value will be something like the following:

    uri = 'https://server.example.com:9443/ra/profileSubmitSSLClient';
  5. Open the profile selection template for the CA.

    vim /opt/redhat-cs/instance_name/web-apps/ee/ca/ProfileSelect.template
  6. Next, replace the uri value for the profile submission services with the full URL to the agent port. The original line reads:

    uri = '/ca/profileSubmitSSLClient';

    The new value will be something like the following:

    uri = 'https://server.example.com:9443/ca/profileSubmitSSLClient';
  7. Open the web.xml file for the CA's agent services.

    vim /opt/redhat-cs/instance_name/web-apps/agent/WEB-INF/web.xml
  8. Add these lines to the web.xml file:

    <servlet>
      <servlet-name> caProfileSubmitSSLClient </servlet-name>
      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitServlet</servlet-class>
      <init-param>
        <param-name> GetClientCert </param-name>
        <param-value> false </param-value>
      </init-param>
      <init-param>
        <param-name> ACLinfo </param-name>
        <param-value> certServer.ee.profile:submit,read:allow(submit,read) user="anybody":Anybody may submit certificate profiles </param-value>
      </init-param>
      <init-param>
        <param-name> AuthzMgr </param-name>
        <param-value> BasicAclAuthz </param-value>
      </init-param>
      <init-param>
        <param-name> authorityId </param-name>
        <param-value> ca </param-value>
      </init-param>
      <init-param>
        <param-name> ID </param-name>
        <param-value> caProfileSubmitSSLClient </param-value>
      </init-param>
      <init-param>
        <param-name> templatePath </param-name>
        <param-value> /ca/ProfileSubmit.template</param-value>
      </init-param>
      <init-param>
        <param-name> resourceID </param-name>
        <param-value> certServer.ee.profile </param-value>
      </init-param>
    </servlet>

    <servlet-mapping>
      <servlet-name> caProfileSubmitSSLClient </servlet-name>
      <url-pattern> /ca/profileSubmitSSLClient </url-pattern>
    </servlet-mapping>
  9. Create the following symbolic links:

    ln -s /opt/redhat-cs/instance_name/web-apps/ee/ca/ProfileSubmit.template /opt/redhat-cs/instance_name/web-apps/agent/ca/ProfileSubmit.template

    ln -s /opt/redhat-cs/instance_name/web-apps/ee/ra/ProfileSubmit.template /opt/redhat-cs/instance_name/web-apps/agent/ra/ProfileSubmit.template

    ln -s /opt/redhat-cs/instance_name/web-apps/ee/ca/ProfileSubmit.html /opt/redhat-cs/instance_name/web-apps/agent/ca/ProfileSubmit.html

    ln -s /opt/redhat-cs/instance_name/web-apps/ee/ra/ProfileSubmit.html /opt/redhat-cs/instance_name/web-apps/agent/ra/ProfileSubmit.html
  10. Restart the CA and Directory Server instances.

    /opt/redhat-cs/instance_db_name/restart-slapd
    /opt/redhat-cs/instance_name/restart-cert
