- Issued: 2015-05-22
- Updated: 2015-05-22
RHBA-2015:1022 - Bug Fix Advisory
Synopsis
Red Hat Certificate System with Advanced Access enhancement and bug fix update
Type/Severity
Bug Fix Advisory
Topic
Red Hat Certificate System 8.1 Advanced Access is now available.
This update to Red Hat Certificate System fixes bugs and is meant as an erratum to be applied on top of Red Hat Certificate System 8.1.5.
Description
Red Hat Certificate System is a complete implementation of an enterprise software system designed to manage enterprise public key infrastructure (PKI) deployments.
Bug fixes:
- In some cases, when a CRL was published to LDAP, the LDAP server failed to return any response. Consequently, the CA subsystem became unresponsive, preventing subsequent CRL publishing until after a restart. This update adds an LDAP timeout for publishing events. If no response is returned within the timeout window, the operation is aborted and no longer blocks the next CRL generation attempt. (BZ#1134405)
- When a doRevoke() call encountered an error, the error message was not cleared. Consequently, the subsequent successful revocation request returned a false error message. In addition, when coupled with the TPS token termination process, the token database got out of sync, causing revocations from the TPS token database to fail. This update ensures the message is cleared after a failure, preventing this bug. (BZ#1150142)
- The PKI SELinux policy covers the Thales HSM software, including context labels for files in default locations. In the latest Thales version, the default install locations changed. Consequently, files in new locations were not labeled and therefore not accessible by Thales processes in enforcing mode. This update provides the missing labels. (BZ#1186037)
- Previously, after recovering a certificate that was revoked, expired, or both, the certificate status was always marked as "active" in the token database. This update ensures the certificate status is always properly checked and marked in the token database. In addition, a flag has been added to control whether a revoked certificate is allowed to be recovered. (BZ#1200107)
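The stale-error bug from BZ#1150142 can be reproduced in a small model. This is an added example, not Red Hat Certificate System code: `Revoker`, `terminate_token`, `run_demo`, the serial numbers and the status strings are hypothetical, and only the name doRevoke() comes from the advisory.

```python
# Added illustration: a simplified model, not Red Hat Certificate System code.
# All class, function and field names below are hypothetical.

class CaError(Exception):
    """Constructed stand-in for a failed revocation request to the CA."""


class Revoker:
    """Long-lived object that keeps the last error text in a field."""

    def __init__(self, ca_revoke, clear_stale_error):
        self.ca_revoke = ca_revoke                  # callable(serial), may raise
        self.clear_stale_error = clear_stale_error  # False = pre-fix behaviour
        self.error_msg = ""

    def do_revoke(self, serial):
        if self.clear_stale_error:
            self.error_msg = ""          # fixed: drop state left by earlier calls
        try:
            self.ca_revoke(serial)
        except CaError as exc:
            self.error_msg = str(exc)
        return self.error_msg            # empty string means success


def terminate_token(revoker, serials, token_db):
    """Revoke each certificate and record the outcome in the token database."""
    for serial in serials:
        err = revoker.do_revoke(serial)
        token_db[serial] = "revoke_failed" if err else "revoked"
    return token_db


def run_demo(clear_stale_error):
    ca_state = {}                        # what the CA actually holds

    def ca_revoke(serial):
        if serial == "0x01":             # constructed failure for one serial
            raise CaError("CA unreachable")
        ca_state[serial] = "revoked"

    token_db = terminate_token(Revoker(ca_revoke, clear_stale_error),
                               ["0x01", "0x02"], {})
    return ca_state, token_db


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", run_demo(fixed))
```

In the pre-fix run the CA has revoked serial 0x02 while the token database records a failure for it, which is the out-of-sync state the advisory describes.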
Enhancements:
- This update adds customization to the token termination process in TPS, including the ability to choose which certificates to revoke, select a reason code for a revocation, and ignore an expired certificate. (BZ#1163867)
- With external registration on, the tokenType attribute was forced through the user record set in the directory. This bypassed the tokenType mapping as configured in the TPS CS.cfg file based on the card CUID. This update extends the existing GetTokenType filtering system to allow a single tokenType to be mapped to multiple hardware tokens. (BZ#1196839)
- This update provides support for a NIST SP-800 compliant Key Derivation Function (KDF). Note that the tkstool utility is not compatible with the new KDF on HSM. For the Token Key Service to be able to generate session keys and to properly upgrade the keyset when the new KDF is used, a utility native to the HSM needs to be used to generate a key of type CKK_SHA256_HMAC instead of using tkstool. (BZ#1186896)
- This update allows the administrator to perform off-card key generation for non-encryption token keys. (BZ#1196844)
- Previously, smart card clients had no way to query the number of remaining failed login attempts before having the token locked. This update adds a variable to the coolkey applet to track incorrect PIN entry attempts. Now, when a client of any kind supplies the proper APDU to the token, the applet will return the number of remaining login attempts. (BZ#1040014)
Note that when the 'External Registration' functionality is used, the versions of the pki-kra and pki-tps packages provided by this erratum must be used together, otherwise the KRA token recovery servlet will not recover the requested key.
Due to important crypto interfaces being removed from Firefox, CS configuration can no longer be performed in the GUI with the latest version of Firefox. To work around this issue, downgrade your Firefox to version 31. Afterwards, you can use the latest Firefox version to interface with the server, if the internal crypto object is not used to generate and archive keys.
Users of Red Hat Certificate System are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat Certificate System with Advanced Access 8 x86_64
- Red Hat Certificate System with Advanced Access 8 i386
Fixes
(none)
CVEs
(none)
References
(none)
Red Hat Certificate System with Advanced Access 8
SRPM | |
---|---|
idm-console-framework-1.1.5-1.el5idm.src.rpm | SHA-256: 887d3f24194557ff7028edec89c7772c0c3fb9dd4fe6ef5111d0922022ee846a |
jss-4.2.6-25.99.el5idm.src.rpm | SHA-256: 3b7e1e3b66ecb9d2204af3a88e1292eccc5da09e1bc73be1667fcb20673e5cfe |
nuxwdog-1.0.1-3.el5pki.src.rpm | SHA-256: 7a0841b7687530245c148f42846865d5a562b1babd6965ca7d4bd568455b2b87 |
osutil-1.2.0-4.el5pki.src.rpm | SHA-256: 356c0c1890d6912bf6b035b62851ac2c383eae00e2a668941823940f09ab9af2 |
perl-DBD-SQLite-1.12-6.el5idm.src.rpm | SHA-256: 351db7d702af872fcb1c589b1d78cd539a1b9a89fe8c1aa567fe6cf1e02e1141 |
perl-Parse-RecDescent-1.94-5.3.el5idm.src.rpm | SHA-256: 3c6fb3b555f57526d11400fcefaad6f8819e14558ed55f83507e6742c00c47c6 |
pki-ca-8.1.6-2.el5pki.src.rpm | SHA-256: 9c6d612b73ae5088866093984491099fe1ed21673e3b166f2b8873ef2f29d40f |
pki-common-8.1.15-1.el5pki.src.rpm | SHA-256: b70fe11a6579639437e64adb0740d5c6bc913fa071209c2d1709eea5eab00c13 |
pki-console-8.1.0-6.el5pki.src.rpm | SHA-256: f6525fe3e0601fdc6b7710de0dca63d8a495eb7d82392e922386fd15421265eb |
pki-java-tools-8.1.0-7.el5pki.src.rpm | SHA-256: 786f63744a219f6900afea2bbe330c5783a20f6bbe1fecc7b052aa3630690431 |
pki-kra-8.1.4-2.el5pki.src.rpm | SHA-256: 5a00bd1d9635aa749128b32c201dcb35421bb66b2a01c85570fca4d318e43ee0 |
pki-migrate-8.1.0-11.el5pki.src.rpm | SHA-256: 44f1e5d79ab0bfa66f14b11ec06417be80d718d4a535d6e0ed609c88833ebcbb |
pki-native-tools-8.1.0-9.el5pki.src.rpm | SHA-256: a72110daf6ae721c6c1085230e9766758a60eb1a210ea8342519551f12189bbe |
pki-ocsp-8.1.1-2.el5pki.src.rpm | SHA-256: c6db6994d8149b7a9fa7e9f9619a1d638b816b233d499dad297df0393dc7a531 |
pki-ra-8.1.0-8.el5pki.src.rpm | SHA-256: 81e971d9931837132cca34109fa90c9ff68f8e054c3467c32f1e94b96aa831b0 |
pki-selinux-8.1.3-1.el5pki.src.rpm | SHA-256: c50210d1327d6b2830792c5d8c208f85e79cee96eeae08d6f4f5b6862f92c580 |
pki-setup-8.1.0-6.el5pki.src.rpm | SHA-256: 03550c62ba7c418275620f07f0f9e86a7e6deb2f7720bc0d4a56686df189b300 |
pki-silent-8.1.0-3.el5pki.src.rpm | SHA-256: 3dd830c5d7d07f4872ec723b557557897b158fc76fa58dc6d66e09a9d7df9874 |
pki-tks-8.1.5-1.el5pki.src.rpm | SHA-256: 2368126058d6827758a7d77000d8be180a781c278fd5fc5bfbef7f222329ad1d |
pki-tps-8.1.24-1.el5pki.src.rpm | SHA-256: b38797c5ace983b3d30fa5a844f484352f900904bde081243eaeb136d5b68e4e |
pki-util-8.1.1-4.el5pki.src.rpm | SHA-256: 3c9a1f6c8b5bd0141f49764585ecb2d1eb51741880027268b6c4caa1ed3e235f |
redhat-pki-ca-ui-8.1.0-10.el5pki.src.rpm | SHA-256: a9cf31a79e923cfb871214c61e57d4c643f2935aebbd29c9223270cfed10f938 |
redhat-pki-common-ui-8.1.0-4.el5pki.src.rpm | SHA-256: 5c2ea9f0c96171fb27144bfa1feb2ef081eae6f582954d2e111a0f0d07e4d673 |
redhat-pki-console-ui-8.1.0-4.el5pki.src.rpm | SHA-256: 2c4bdb212439470cac58be21f9de192bb2cdb91317dbf17bdf21106188083961 |
redhat-pki-kra-ui-8.1.0-8.el5pki.src.rpm | SHA-256: 3bf1a08987eb720addac745ca4254fce0a2c0e02042acebb49df2fd5b7605277 |
redhat-pki-ocsp-ui-8.1.0-7.el5pki.src.rpm | SHA-256: 53eba8638f0a1b94caa1afe480c0e2243648be01d0b4fd585bd0a70482d82dbe |
redhat-pki-ra-ui-8.1.0-6.el5pki.src.rpm | SHA-256: 6abbf1a730313b840cd2a38dc5657d91572394f97103ab08c74eac3462a921eb |
redhat-pki-tks-ui-8.1.0-6.el5pki.src.rpm | SHA-256: dff4771560264401145e8c385f69fc30e9a413f5a9a8f2268660cf0a4383b4e3 |
redhat-pki-tps-ui-8.1.0-9.el5pki.src.rpm | SHA-256: 67d66a786fd946e54ba60f33b8bc8e7d06df24d76a6d109c061c548db9b9da6c |
symkey-1.2.6-1.el5pki.src.rpm | SHA-256: d740984b1da10e1e0258cb7cfcf6799e30e770e714a7e5b105e45fac781d523a |
tomcatjss-1.1.4-5.el5idm.src.rpm | SHA-256: 6fca314b5ae1db6d3e358c55e3d8f436f2b008c461d1538e42e78b414c9f263a |
x86_64 | |
idm-console-framework-1.1.5-1.el5idm.noarch.rpm | SHA-256: 50a1c649c6403b7539b44cf68db7af2675eb3b5fa91b4bb1ae3b2ff3f02c4d2b |
jss-4.2.6-25.99.el5idm.x86_64.rpm | SHA-256: 108b85399b57333b8ce992b79e75e1646b73484123a0c3bff5f0b65e24f4a6bb |
jss-javadoc-4.2.6-25.99.el5idm.x86_64.rpm | SHA-256: 4cda93ce939f6787e38cb7a42622e345c18d9616afd691f8cff56958a0986041 |
nuxwdog-1.0.1-3.el5pki.x86_64.rpm | SHA-256: 0a63a1248097097c88b0dcf2689e35b859581cb5ebfb7c3eb40f4c12aa59c0ca |
nuxwdog-client-java-1.0.1-3.el5pki.x86_64.rpm | SHA-256: d3a9b3e12aa9505de2298d8d146ad479d03b42c4539694147673345d1b3a22c6 |
nuxwdog-devel-1.0.1-3.el5pki.x86_64.rpm | SHA-256: 90ada952d0122ed53978de74e3a302be9fb4b34b9bdbb667dbc8605b31fee891 |
osutil-1.2.0-4.el5pki.x86_64.rpm | SHA-256: 1ebbc4d02db9965e2eaa4b0089fde57148ba5106cf6175018571e8c67858787c |
perl-DBD-SQLite-1.12-6.el5idm.x86_64.rpm | SHA-256: e8ea10ec020a594d566d4f5b3078ee9b54d7b3e49a63788c0d4dfa571d80ab28 |
perl-Parse-RecDescent-1.94-5.3.el5idm.noarch.rpm | SHA-256: 42bce17ef55a0387c2ca8dd360134ad531bbf12dc1c14d6d0fcbe4942f8e4c87 |
pki-ca-8.1.6-2.el5pki.noarch.rpm | SHA-256: 6c7117e6077eba39d9cb83e4122f7aca620b8ddfca58f9adc93052a883840fdf |
pki-common-8.1.15-1.el5pki.noarch.rpm | SHA-256: 0a182dcc17999c5a1e867c2ae648c053ce0d5fdce97897df62eee8d52281a151 |
pki-common-javadoc-8.1.15-1.el5pki.noarch.rpm | SHA-256: b59a7bef95b0efa6a8915c0a736a8dd609b2d3e8f4d81833c20a888977d65291 |
pki-console-8.1.0-6.el5pki.noarch.rpm | SHA-256: 5c0bcbaa2f48dcc82654af6ffb007f97de92d5819ca4b092425b5beba52a6230 |
pki-java-tools-8.1.0-7.el5pki.noarch.rpm | SHA-256: abaa1fe8eeb42d9885a5855a33b163bea9a01f9b15ad4ed2c9d783965e3daf89 |
pki-java-tools-javadoc-8.1.0-7.el5pki.noarch.rpm | SHA-256: 894efcecb545151cf467164540f0ae5fe2afa0fc4bfd88220f7f34719310f226 |
pki-kra-8.1.4-2.el5pki.noarch.rpm | SHA-256: b187966c4e216d6aeb503b9b0e1c7b16372aef119f7eec88c26c67c89a461b00 |
pki-migrate-8.1.0-11.el5pki.noarch.rpm | SHA-256: 7316dc6cfa0cf646fd72aded5fc9c045ecb49bf12a19ee88ef2554961423d1f3 |
pki-native-tools-8.1.0-9.el5pki.x86_64.rpm | SHA-256: edb99c2ebb85d6b08c5b03eefa9d2b8c962b7862ba8a4173bf9b588377849876 |
pki-ocsp-8.1.1-2.el5pki.noarch.rpm | SHA-256: 54122c4a3fbfba160602e99030bd03a39c4585bf14408a614a91a9638391375d |
pki-ra-8.1.0-8.el5pki.noarch.rpm | SHA-256: 8eaf07db062301a58b23e41e849282a7500642c175a76cd62b2c0645ad1a1e73 |
pki-selinux-8.1.3-1.el5pki.noarch.rpm | SHA-256: 68874c8ee7f0da002ac7ec2d7c48ebef1ea8272a66a50cc3238abbcb38880a45 |
pki-setup-8.1.0-6.el5pki.noarch.rpm | SHA-256: 620e3cf91c24039c828457350cbb6b5a8b5ada778945f6427c17ce43281de029 |
pki-silent-8.1.0-3.el5pki.noarch.rpm | SHA-256: 19beafd0be008c9ca81f65e20a3a0e6c755e1b9f42eec343d49e1e5c4dc4d91f |
pki-tks-8.1.5-1.el5pki.noarch.rpm | SHA-256: 116bdb5474dc08eaede3b297c151ee8313fa18a5d7dacc42e6b941d1827639b8 |
pki-tps-8.1.24-1.el5pki.x86_64.rpm | SHA-256: 7e9313bef6546bf495a908851aa1d6bf9f6dcbbbce2fddf9c328c8e0da6d3b45 |
pki-util-8.1.1-4.el5pki.noarch.rpm | SHA-256: 1b3620ce537d25b5be0146a8a47c3a4b8a5fca055ca5fc93bb84d9dc8961a25f |
pki-util-javadoc-8.1.1-4.el5pki.noarch.rpm | SHA-256: 66570e133ee20d03edff88c3c9ce410ada93d7934367f82ba812248d866234ff |
redhat-pki-ca-ui-8.1.0-10.el5pki.noarch.rpm | SHA-256: d53a525fdcff82c83dad005ab367527f9cdaafac5f9b528c1a25845c9f668082 |
redhat-pki-common-ui-8.1.0-4.el5pki.noarch.rpm | SHA-256: e3917d694e8bd010b179af07ab89f44dc99434e62f8cfce85e84ba09e8be25f1 |
redhat-pki-console-ui-8.1.0-4.el5pki.noarch.rpm | SHA-256: c4eca1d6de53ae9d0ff1faf0c2c7628b50dd9ba74c6a4f41e2835633f1b908f5 |
redhat-pki-kra-ui-8.1.0-8.el5pki.noarch.rpm | SHA-256: c5ff1effb45d780f239492195f28a8dd76bee7bdb2ed723024760fcaeafd729e |
redhat-pki-ocsp-ui-8.1.0-7.el5pki.noarch.rpm | SHA-256: 78e1e56bc194ede7824dada0b8a4d6cf9c1686362cc7e14bfcbe850fa40cf4a8 |
redhat-pki-ra-ui-8.1.0-6.el5pki.noarch.rpm | SHA-256: 1df0c9297715e9bfe2adc4824d0d9ada9b86e156a93906181f8e73311719ecaa |
redhat-pki-tks-ui-8.1.0-6.el5pki.noarch.rpm | SHA-256: d2277664850527457579147b178bfae7a2780b28900f689c120da6d8f5047580 |
redhat-pki-tps-ui-8.1.0-9.el5pki.noarch.rpm | SHA-256: 82c8e663e39ff45550d08e1686e5fbaee59d6ec184929223c8e1fa013c37e9cb |
symkey-1.2.6-1.el5pki.x86_64.rpm | SHA-256: da19008c92254a4e7c5afd3ae2a9a510da6a1a667615c6c92c40b43c9430fb46 |
tomcatjss-1.1.4-5.el5idm.noarch.rpm | SHA-256: 57db37c287e1d4dbf22f9e94f87897989bfa6f22caa1f11f481b8cec879f5ae1 |
i386 | |
idm-console-framework-1.1.5-1.el5idm.noarch.rpm | SHA-256: 50a1c649c6403b7539b44cf68db7af2675eb3b5fa91b4bb1ae3b2ff3f02c4d2b |
jss-4.2.6-25.99.el5idm.i386.rpm | SHA-256: ae276d5d3210768cc89f064f0b23bf7dbadef395f2ef8f01f8ed19fc38850326 |
jss-javadoc-4.2.6-25.99.el5idm.i386.rpm | SHA-256: 525684f35916e66eae57d38cd5ec1230ab3237e5293e60f9b89406a6c9aa781f |
nuxwdog-1.0.1-3.el5pki.i386.rpm | SHA-256: 5abc63bfcdde800178016e4a85d86fe3814542176f3e4c67923b0546ef3828b0 |
nuxwdog-client-java-1.0.1-3.el5pki.i386.rpm | SHA-256: 922d8c70a3e95cb24ba872831f38b3a2b9e19ea6e1060d105ce75d79cb998654 |
nuxwdog-devel-1.0.1-3.el5pki.i386.rpm | SHA-256: 61fece1e904c4973ac680fe8dab92d879acbd0c3ef105592715165efb86aefe7 |
osutil-1.2.0-4.el5pki.i386.rpm | SHA-256: 1c3eb3a6c1f3f4beb836530b43cb9d705a7c91e5ff2aab1d94b9b5c782e18cab |
perl-DBD-SQLite-1.12-6.el5idm.i386.rpm | SHA-256: 3ecd1cd20368eb5d5ab414d0f27c5d7510a0075e8b2239c26c02c8133b0c1842 |
perl-Parse-RecDescent-1.94-5.3.el5idm.noarch.rpm | SHA-256: 42bce17ef55a0387c2ca8dd360134ad531bbf12dc1c14d6d0fcbe4942f8e4c87 |
pki-ca-8.1.6-2.el5pki.noarch.rpm | SHA-256: 6c7117e6077eba39d9cb83e4122f7aca620b8ddfca58f9adc93052a883840fdf |
pki-common-8.1.15-1.el5pki.noarch.rpm | SHA-256: 0a182dcc17999c5a1e867c2ae648c053ce0d5fdce97897df62eee8d52281a151 |
pki-common-javadoc-8.1.15-1.el5pki.noarch.rpm | SHA-256: b59a7bef95b0efa6a8915c0a736a8dd609b2d3e8f4d81833c20a888977d65291 |
pki-console-8.1.0-6.el5pki.noarch.rpm | SHA-256: 5c0bcbaa2f48dcc82654af6ffb007f97de92d5819ca4b092425b5beba52a6230 |
pki-java-tools-8.1.0-7.el5pki.noarch.rpm | SHA-256: abaa1fe8eeb42d9885a5855a33b163bea9a01f9b15ad4ed2c9d783965e3daf89 |
pki-java-tools-javadoc-8.1.0-7.el5pki.noarch.rpm | SHA-256: 894efcecb545151cf467164540f0ae5fe2afa0fc4bfd88220f7f34719310f226 |
pki-kra-8.1.4-2.el5pki.noarch.rpm | SHA-256: b187966c4e216d6aeb503b9b0e1c7b16372aef119f7eec88c26c67c89a461b00 |
pki-migrate-8.1.0-11.el5pki.noarch.rpm | SHA-256: 7316dc6cfa0cf646fd72aded5fc9c045ecb49bf12a19ee88ef2554961423d1f3 |
pki-native-tools-8.1.0-9.el5pki.i386.rpm | SHA-256: d707261d1bf3462396c3e5658eaf79ee940eac79598d5b71e2646cf91b19eb56 |
pki-ocsp-8.1.1-2.el5pki.noarch.rpm | SHA-256: 54122c4a3fbfba160602e99030bd03a39c4585bf14408a614a91a9638391375d |
pki-ra-8.1.0-8.el5pki.noarch.rpm | SHA-256: 8eaf07db062301a58b23e41e849282a7500642c175a76cd62b2c0645ad1a1e73 |
pki-selinux-8.1.3-1.el5pki.noarch.rpm | SHA-256: 68874c8ee7f0da002ac7ec2d7c48ebef1ea8272a66a50cc3238abbcb38880a45 |
pki-setup-8.1.0-6.el5pki.noarch.rpm | SHA-256: 620e3cf91c24039c828457350cbb6b5a8b5ada778945f6427c17ce43281de029 |
pki-silent-8.1.0-3.el5pki.noarch.rpm | SHA-256: 19beafd0be008c9ca81f65e20a3a0e6c755e1b9f42eec343d49e1e5c4dc4d91f |
pki-tks-8.1.5-1.el5pki.noarch.rpm | SHA-256: 116bdb5474dc08eaede3b297c151ee8313fa18a5d7dacc42e6b941d1827639b8 |
pki-tps-8.1.24-1.el5pki.i386.rpm | SHA-256: 57dea55d3951e299e3cf0e3682849617847de1076ee2c401248f7c3cb2afba57 |
pki-util-8.1.1-4.el5pki.noarch.rpm | SHA-256: 1b3620ce537d25b5be0146a8a47c3a4b8a5fca055ca5fc93bb84d9dc8961a25f |
pki-util-javadoc-8.1.1-4.el5pki.noarch.rpm | SHA-256: 66570e133ee20d03edff88c3c9ce410ada93d7934367f82ba812248d866234ff |
redhat-pki-ca-ui-8.1.0-10.el5pki.noarch.rpm | SHA-256: d53a525fdcff82c83dad005ab367527f9cdaafac5f9b528c1a25845c9f668082 |
redhat-pki-common-ui-8.1.0-4.el5pki.noarch.rpm | SHA-256: e3917d694e8bd010b179af07ab89f44dc99434e62f8cfce85e84ba09e8be25f1 |
redhat-pki-console-ui-8.1.0-4.el5pki.noarch.rpm | SHA-256: c4eca1d6de53ae9d0ff1faf0c2c7628b50dd9ba74c6a4f41e2835633f1b908f5 |
redhat-pki-kra-ui-8.1.0-8.el5pki.noarch.rpm | SHA-256: c5ff1effb45d780f239492195f28a8dd76bee7bdb2ed723024760fcaeafd729e |
redhat-pki-ocsp-ui-8.1.0-7.el5pki.noarch.rpm | SHA-256: 78e1e56bc194ede7824dada0b8a4d6cf9c1686362cc7e14bfcbe850fa40cf4a8 |
redhat-pki-ra-ui-8.1.0-6.el5pki.noarch.rpm | SHA-256: 1df0c9297715e9bfe2adc4824d0d9ada9b86e156a93906181f8e73311719ecaa |
redhat-pki-tks-ui-8.1.0-6.el5pki.noarch.rpm | SHA-256: d2277664850527457579147b178bfae7a2780b28900f689c120da6d8f5047580 |
redhat-pki-tps-ui-8.1.0-9.el5pki.noarch.rpm | SHA-256: 82c8e663e39ff45550d08e1686e5fbaee59d6ec184929223c8e1fa013c37e9cb |
symkey-1.2.6-1.el5pki.i386.rpm | SHA-256: 2f8049aafee4a6a756fd680a969acf66e3d2b03fc331714c46634606fb5d260d |
tomcatjss-1.1.4-5.el5idm.noarch.rpm | SHA-256: 57db37c287e1d4dbf22f9e94f87897989bfa6f22caa1f11f481b8cec879f5ae1 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.