PGP Keyserver Read Me
Version 7.0 for Windows NT/2000 and UNIX
Copyright © 1991-2002 by PGP Corporation. All
Rights Reserved.
Thank you for using this PGP Corporation product. This Read Me file contains
important information regarding this release of PGP Keyserver 7.0 for
Windows NT/2000 and UNIX. PGP Corporation strongly recommends you read
this entire document.
PGP Corporation welcomes your comments and suggestions. Please use the
information provided in the Contacting PGP Corporation section to contact
us.
Warning: Export of this software may be restricted by the U.S. Government.
What's in this file?
About PGP Keyserver 7.0
Licensing
System Requirements
Known Issues
Installation Instructions
Starting the PGP Keyserver
Starting the Replication Engine
Documentation
Contacting PGP Corporation
Copyright
About PGP Keyserver 7.0
PGP Keyserver 7.0 for Windows NT/2000 and UNIX offers numerous improvements
as well as the following new features:
- Easy-to-Use Web Console
The new PGP Keyserver Web Console provides secure access to the Keyserver's
console from remote Web browsers, giving administrators the ability to remotely
monitor and manage their PGP Keyserver from any client with a supported Web
browser. The Web Console now features an intuitive, easy-to-use interface
for Keyservers on both Windows and Solaris platforms. The bundled Web server
enables all console communications to be encrypted using SSL, providing a
secure foundation for remote management using a turnkey installation process.
Keyserver access logs and logged system events are now available from the
Web Console, improving the information available to remote administrators.
Keyserver search and key-add functionality is now available through a Web
browser interface for use by administrators or remote Web users.
- Enterprise Management of PGP Client Preferences
PGP 7.0 introduces a valuable feature that helps administrators keep deployed
PGP client configurations up-to-date. By storing configuration options on
the PGP Keyserver, administrators can easily roll out enterprise-wide configuration
changes to deployed PGP clients.
- Configuration Wizard
A new Configuration Wizard enables turnkey configuration of everything necessary
to begin using the PGP Keyserver, making it easy to set or change such options
as security certificates for the Keyserver and Web Console as well as port
numbers, hostname, and administrator email address.
- Database Performance Improvements
This version includes numerous performance improvements and database optimizations
as well as further options for performance enhancements based on configuration
requirements. PGP user ids can be indexed by substring for complete searchability,
as with earlier versions of the Keyserver, or they can be indexed word by
word, providing a shorter time for adding keys and smaller index files for
the database.
- Windows 2000 Support
PGP Keyserver now fully supports the Windows 2000 operating system.
- Auto-Delete From Pending Area
The pending area has an enhanced self-maintenance feature. When a key added
to the Keyserver passes signature policies (having been signed by an Employee
Certification Key, for instance), the key is automatically removed from the
pending area, eliminating the need for additional administrative steps.
- Key Reconstruction Support for PGP Clients
PGP's key reconstruction feature helps users recover from lost keys or forgotten
passphrases. PGP Keyserver 7.0 supports the optional storage of reconstruction
data, supporting PGP's cryptographic key splitting technology to provide a
secure means for users to recover their private keys after answering five
questions whose answers only the user would know.
- Enhanced Logging Format
PGP Keyserver 7.0's enhanced logging format provides additional statistics
useful for usage analysis, including request processing time, number of user
id's and signatures added, and the size of the key information transmitted
to or from the client machine. Compatibility with the earlier logging format
is available by configuration option.
- PGP Key Format Support
PGP 7.0 introduces a new RSA key format (the old format is called PGP Legacy)
that supports PGP's Additional Decryption Key (ADK), designated revoker, multiple
encryption subkeys, and photo ID features. Previously these features were
only available to users with Diffie-Hellman keys. PGP Keyserver 7.0 now supports
the use of these keys.
- Support Utilities
PGPexport now creates ASCII-armored keyfiles by default when exporting keys
and reconstruction data. The binary export format used in earlier versions
can be enabled if reconstruction data is not required. PGPimport now reads
both ASCII-armored keyfiles and binary keyrings.
Licensing
PGP uses a license number system to determine what PGP features will be active
on your computer. For complete information about PGP licensing and purchase
options, go to https://store.pgp.com.
Important: PGP Keyserver requires a PGP Enterprise license.
PGP functionality depends on the type of license you purchase:
- Personal: includes support for PGPmail, PGPkeys, PGPtray, PGPdisk, and the
personal email plugins -- Eudora, ICQ, Outlook Express, and Outlook. Although
the Outlook plugin will be installed, you will not be able to use it if you
have configured Exchange Server accounts.
- Desktop: includes support for PGPmail, PGPkeys, PGPtray, PGPdisk, and all
email plugins -- the personal email plugins plus GroupWise, Lotus Notes, and
support for Exchange Server environments in Outlook.
- Enterprise: includes support for all PGP functionality mentioned above,
plus PGPadmin and PGP Keyserver.
System Requirements
Windows NT/2000
To install PGP Keyserver on a Windows NT/2000 server:
- Windows NT version 4.0 Service Pack 6a or Windows 2000 Service Pack 3
- 64 MB RAM minimum
- 15 MB disk space for software
- Additional disk space for database (10 MB to 500 MB)
- Network interface card
- PGP 7.0 or greater (required only for management of secure keys)
- Microsoft Internet Explorer 4.01 SP2 or greater, or Netscape 4.x or greater
UNIX
To install PGP Keyserver on a UNIX server:
- Sun Solaris for SPARC (UNIX) version 2.6 or later
- 64 MB RAM minimum
- 30 MB disk space for software
- Additional disk space for database (10 MB to 500 MB)
- Network interface card
- PGP 7.0 or greater (required only for management of secure keys)
- Microsoft Internet Explorer 4.01 SP2 or greater, or Netscape 4.x or greater
Note: The latest recommended patches from Sun are REQUIRED for Solaris
7 support. They can be obtained as a single patch bundle at the following Web
site: http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access.
Known Issues
- If any other service or daemon (such as Microsoft Internet Information
Server or Apache Web Server) is using port 443, the Configuration Wizard will
issue a warning that port 443 is in use. You should either disable that service,
or assign the PGP Keyserver's Web Console to a port other than 443.
- To use the Web Console, a browser with 128-bit encryption is required. If
you use a browser that does not include support for 128-bit encryption, using
the Web Console will result in a blank browser display or a message stating
that there are no common encryption algorithms.
- PGP Keyserver should not be installed alongside PGP Desktop. PGP Desktop should be used to administer PGP Keyserver from a separate machine.
- When entering the Organization Name and Organizational Unit to generate
the X.509 Certificate in the Configuration Wizard, the use of more than 100
characters in each field or the use of non-alphanumeric characters is unsupported.
If PGPapache encounters such usage, it may fail to start, and the webserver
error log in web/logs/error_log will contain the message "Key does not
have a valid X.509 signature."
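Two of the Known Issues above (a Web Console port already bound by another service, and Organization Name / Organizational Unit values the Configuration Wizard cannot turn into a valid X.509 certificate) can be checked before the wizard is run. The following pre-flight script is an added example, not part of the PGP Keyserver product; it assumes the Read Me's wording literally, so only ASCII letters and digits count as alphanumeric, and the field and port limits are the ones stated above.

```python
"""Pre-flight checks for the PGP Keyserver 7.0 Configuration Wizard.

Added example (not PGP Corporation code). It covers two Known Issues:
  * port 443 already bound by another service (IIS, Apache, ...)
  * Organization Name / Organizational Unit values longer than 100
    characters or containing non-alphanumeric characters, which make
    PGPapache fail with "Key does not have a valid X.509 signature."
"""
import errno
import re
import socket

MAX_FIELD_LEN = 100
# Assumption: "alphanumeric" means ASCII letters and digits only.
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def check_cert_field(name, value):
    """Return a list of problems for one certificate field (empty == OK)."""
    problems = []
    if not value:
        problems.append(f"{name} is empty")
        return problems
    if len(value) > MAX_FIELD_LEN:
        problems.append(f"{name} is {len(value)} characters; limit is {MAX_FIELD_LEN}")
    if not _ALNUM.match(value):
        bad = sorted({c for c in value if not _ALNUM.match(c)})
        problems.append(f"{name} contains unsupported characters: {bad!r}")
    return problems


def port_in_use(port, host="0.0.0.0"):
    """True only if bind() fails with EADDRINUSE, i.e. something listens there.

    Binding a privileged port such as 443 needs root; a permission error is
    reported as 'free' rather than 'in use' so the check is not misleading.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as exc:
            return exc.errno == errno.EADDRINUSE
    return False


def preflight(org, org_unit, console_port=443):
    """Collect every problem an administrator should fix before the wizard."""
    problems = check_cert_field("Organization Name", org)
    problems += check_cert_field("Organizational Unit", org_unit)
    if port_in_use(console_port):
        problems.append(f"port {console_port} is in use; stop that service or "
                        "assign the Web Console a different port")
    return problems
```

Run `preflight` with the values you intend to type into the wizard; an empty list means none of the listed issues applies.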
Installation Instructions
For detailed installation instructions, refer to the PGP Keyserver Administrator's
Guide.
Note: If you are installing PGP and PGP Keyserver at the same time,
install PGP first.
Windows NT/2000
PGP Keyserver is distributed in either a self-extracting file or on a CD-ROM.
To install the product from a CD-ROM:
- Start Windows.
- Insert the CD-ROM.
- Double-click the installation program icon found in the PGP Keyserver subdirectory.
- Follow the on-screen prompts.
To install the product from a downloaded self-extracting file:
- Start Windows.
- Download the PGP Keyserver installation program onto your computer's
hard drive.
- Double-click the installation program.
- Follow the on-screen prompts.
UNIX
PGP Keyserver is distributed as a Solaris package file. This section includes
instructions to install the product for the first time and to upgrade from a
previous version.
To install the product for the first time:
- Sign on as root.
- Change to the directory containing the package file.
- Run the command: pkgadd -d PGPkeyserv_7.0.0_Solaris.pkg
- Run the post-install script: cd /opt/PGPkeysrv/web/ ; ./config-wiz.pl
- Verify that the product is installed properly by running the command:
pkginfo -l PGPkeysrv
The status should be "Completely Installed."
To upgrade from a previous version of the product:
- Sign on as root.
- Export the existing database.
a. Stop the PGP Keyserver (use ps -fu root to locate the process ID, and use
the kill command to send a SIGTERM signal to the PGP Keyserver: kill <process
ID>).
b. Change to the /opt/PGPcertd/bin directory.
c. Use the PGPexport utility to export the database: ./pgpexport ../data
/opt/dump.pgp
- Install the PGP Keyserver as you would for a brand new installation.
- Configure the PGP Keyserver as described in the Administrator's Guide
and restart the program to institute the updated policies.
- Re-import the keys from the old database.
a. Change to the /opt/PGPkeysrv/bin directory.
b. Use the PGPimport utility to re-import the database: ./pgpimport /opt/dump.pgp
ldap://localhost
- Re-disable any keys that were disabled in the old installation.
Starting the PGP Keyserver
Windows NT/2000
The PGP Keyserver starts automatically after installation and reboot.
UNIX
To start the PGP Keyserver after configuring it, use the Web Console's Restart
button (Server Control panel) or run the SysV init script: /etc/init.d/pgpkeyserver
start
Windows NT/2000 and UNIX
To view the PGP Keyserver's Web Console, enter the following URL in the location
field of any Web browser: https://<hostname or IP address>[:<port>]/keyserver/
To test to see if the PGP Keyserver is running properly:
- Start PGP version 5.5 or later.
- Add the URL of the machine running PGP Keyserver to PGP's configuration
by selecting PGP Options from PGPtray's popup menu (or the Options command
from the Edit menu of PGPkeys).
- On the Servers page, add a new server:
- Enter a new domain or choose an existing one.
- Enter an LDAP server using the format: ldap://YOUR-HOST-NAME
- From PGPkeys, select any key from your list of keys, then select the Send
Key to Server command on the Server menu. Be sure to select the name
of your new PGP Keyserver. If the key is successfully sent to the PGP
Keyserver, it is running properly. You can also use the Search screen in PGPkeys
to search the keys on the server. Again, be sure to set the name of your new
PGP Keyserver as the server to search.
Starting the Replication Engine
Windows NT/2000 and UNIX
If you installed the optional PGP Replication Engine component, you must install
the PGP Keyserver on the slave servers. After you have installed the additional
software, you must identify the hosts you want to replicate the database to
and the replication log file before you start the PGP Replication Engine.
To do this:
- Display the Web Console by entering the following URL in the location field
of any Web browser: https://<hostname or IP address>[:<port>]/keyserver/
- Click Replication, left side of console.
- Identify the PGP Keyservers you want to replicate the database to; for
example, ldap://mirror.company.com.
- Identify the replication log file; for example, rep.log.
- Click Save Changes (top of console).
- Click Server Control (left side of Web Console).
- Click Restart under Replication (top right corner of Web Console).
See the PGP Keyserver Administrator's Guide for exact details on
the configuration parameters.
Documentation
The PGP Keyserver Administrator's Guide is included as a PDF file with
the PGP Keyserver product. It can be viewed using the following instructions:
- Windows NT/2000: After installing Adobe Acrobat Reader, bring up
the Windows Start Menu. Then select Programs -> PGP Corporation -> PGP
Keyserver -> Documentation -> Administrator's Guide.
- Windows NT/2000 and UNIX: If the Web server support for PGP Keyserver
is installed, the Administrator's Guide is also available through a link found
on the page:
https://YOUR-HOST-NAME:PORT
Substitute the hostname of the machine running the PGP Keyserver for the
YOUR-HOST-NAME value. For PORT, substitute the port number for the Web server
that you are running on YOUR-HOST-NAME (this defaults to 443 if it is not
specified).
Documentation feedback is welcome. Send email to pgpdocs@pgp.com.
Contacting PGP Corporation
For general information about PGP Corporation, please visit the PGP Web site:
www.pgp.com.
For Product Support or Customer Service issues, please go to the Support section
of the PGP Web site.
For any other contacts at PGP, please go to the Contact Us section of the PGP
Web site.
Copyright
Copyright © 1991-2002 by PGP Corporation. All Rights Reserved.