Security Services Readme File
December 19 2003
About This Readme
This file contains issues related to the shipping versions of Certificate Server 2.6 and 2.7, NICI 2.6.x, and NMAS 2.3.
1.0 Certificate Server 2.6 and 2.7
For detailed Certificate Server documentation, see the Certificate Server documentation Web site.
1.1 Administration Issues
- When creating the Organizational CA object or Server Certificate objects (also known as KMOs), extractable keys are supported only if the server you selected for key pair generation is running eDirectory 8.6 or later on NetWare and NT platforms, or eDirectory 8.7 or later on UNIX platforms. If you attempt to make the keys extractable on an unsupported platform, you will receive a -1222 error.
- Novell Certificate Server automatically creates server certificates for all the IP and DNS addresses configured on the server. Because the maximum object name length is 64 characters, you might receive the following error during the installation of Novell Certificate Server if the server name and the DNS name together total 54 characters or more:
"The PKI install was unable to create the default IP and DNS certificates. Error -613. Do you want to retry?"
The -613 error is not a fatal error; however, Novell Certificate Server will not be able to create the auto-generated certificates that match the long DNS name.
To avoid this problem with future servers, make sure that the combined number of characters of the DNS name and the server name is fewer than 54 characters.
To fix this problem on an existing server, use ConsoleOne or iManager to manually create a server certificate using the DNS name or the IP address as the certificate subject name, depending on the needs of your applications.
See the Novell Certificate Server Administration Guide for instructions on how to create server certificates.
After the server certificate is created, the applications (Apache, Tomcat, etc.) on which you want to use the new server certificate will need to be configured to do so.
2.0 NICI 2.6.x
For detailed NICI documentation, see the NICI documentation Web site.
The version of NICI shipping with this release contains components, such as xengexp or xengusc, that might abend under low memory conditions when running on Intel* P4 or later processors. There is no workaround at this time. To avoid this problem, ensure that the NetWare server does not run out of memory.
3.0 NMAS 2.3
For detailed NMAS documentation, see the NMAS documentation Web site.
3.1 Installation Issues
- You must have the NICI Client installed on each client that will run ConsoleOne and NMAS software.
- When upgrading NMAS on a Unix platform, it is possible that you will be prompted to replace libspmdclnt.so. If this happens, answer yes.
3.2 Methods and Sequences Issues
- nmasinst does not have an option to remove NMAS methods. This must be done using ConsoleOne. See the NMAS Administration Guide for more information.
- For products to use NMAS login methods properly, at least one NMAS 2.3 server in the eDirectory partition needs to hold an R/W replica of the User objects that will be using NMAS.
- If you do not restart the server after installing NMAS and you try to reset passwords, you will receive an error message.
- When using the NMAS ConsoleOne snap-ins to install a login method into eDirectory running on a UNIX server, you might encounter the error, "Unknown meaning for error number -1; Please call a Novell support provider. Unable to create the object due to the above error."
To resolve this, do the following:
1. Delete the object created when the error occurred. This object is not complete.
2. Install the method by running ConsoleOne from a workstation that is using Novell Client version 4.83 (SP1), or install the method from the server console using the nmasinst utility.
- The X.509 and CertMutual login methods that shipped with eDirectory 8.6.x are not compatible with eDirectory 8.7.3. When you upgrade from 8.6.x to 8.7.3, you must upgrade the X.509 and CertMutual login methods as well.
The Certificate-based NMAS methods in NMAS EE 2.0 are also incompatible with eDirectory 8.7.3.
3.3 Administration Issues
- NMAS 2.3 can authenticate alias user objects. NMAS 2.3 also handles grace logins the same way as eDirectory does (unlimited grace logins by default).
- The simple password is used for various authentication services in NetWare 6.5 SP1. This includes the authentication support for CIFS and AFP.
A problem might arise if you set or change a user's simple password from the ConsoleOne administrative snap-ins using Force Password Change. If you experience problems setting an initial password, you might need to check the Force Password Change check box. If the user already has a password set, Force Password Change might not work unless you remove the current password and specify a new one.
- If Universal Password is enabled and you attempt to send the simple password, an -1697 error message will be returned if you .
- If you add a UNIX or Linux eDirectory server to an eDirectory 8.7.3 tree, you must use nmasinst to configure the UNIX or Linux eDirectory server for NMAS and to update any login methods that were installed with eDirectory 8.7.3 on a non-UNIX or non-Linux platform.
See "Using the nmasinst Utility to Configure NMAS" in the Novell eDirectory 8.7.3 Installation Guide.
- eDirectory utilities like ndsbackup, ndsrepair, and ndsmerge work with NDS passwords alone but will not work with NMAS Simple Passwords.
3.4 Universal Password Issues
- Novell iManager provides a Universal Password task that allows you to enable and disable Universal Password. This page also displays the option for NMAS to automatically synchronize the Universal Password with the Simple password whenever a user performs a password update. If you are concerned about the security properties of Simple Password, you can choose not to synchronize the Universal Password with the simple password by unchecking this option. If you have NetWare 6.0 servers in the Tree that contain AFP/CIFS users, you should check the option to synchronize the Universal Password with the simple password.
- If you add an eDirectory 8.7.3 server to an existing Tree or upgrade eDirectory 8.7 that has NMAS and the simple password method installed to eDirectory 8.7.3, users authenticating through LDAP might find that the Universal Password did not synchronize with the simple password. Configuring NMAS and simple password method once again on eDirectory 8.7.3 will resolve the issue.
- The NDS password will not be migrated to the Universal Password when doing an LDAP bind.
3.5 NMAS Client Issue
- When a user logs into a tree other than the preferred tree using the client, the client incorrectly queries the preferred tree to find the User object. If a User object with the same name exists in the preferred tree, the client will use that User object, which results in the login failing with a -601 error (No Such Object). This is because the wrong tree was used. This issue will be resolved in the next release of the client.
4.0 SecretStore
4.1 Administration Issue
- SecretStore version 3.3.0 client and server components are available for download from Novell's NDK Website.
5.0 Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 2003 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, NetWare, and ConsoleOne are registered trademarks of Novell, Inc. in the United States and other countries.
eDirectory, Novell Client, Novell Certificate Server, and Novell Modular Authentication Service are trademarks of Novell, Inc.
All third-party trademarks are the property of their respective owners.