Thank you for using Network Associates' products. This ReadMe file contains important information regarding the PGP Certificate Server. Network Associates strongly recommends that you read this entire document. Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact us. Note: PGP freeware products are for non-commercial use only. Please refer to the included license agreement for terms and conditions of use. Note: Network Associates does not provide technical support for PGP freeware products. Warning: Export of this software may be restricted by the U.S. Government. WHAT'S IN THIS FILE Fixes in this Release New Features Documentation System Requirements Installation Starting PGP Certificate Server Starting PGP Replication Engine Using the Web Configuration/Monitoring Wizard Known Issues Additional Information Contacting Network Associates FIXES IN THIS RELEASE This release corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys. For more information about this bug, please review the PGP ADK Security Advisory available on www.pgp.com. You can download a repair tool (PGPrepair) from the web page mentioned above to determine whether an existing PGP Certificate Server database contains any keys with tampered signatures.   Fixed a problem with the indexing of the Disabled attribute on keys. On some installations, this affected the ability to find disabled keys on the server using the single search term "key status is disabled."   Resolved a replication looping issue, which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys revoked by a designated revoker were added to the server.   Added additional logging information for Delete operations, so that the full list of deleted keys is displayed in the log.   The released version of the Certificate Server, when configured with a single MustSigID and the TrimUsers and TrimSigs features enabled, would prevent that MustSigID key from being uploaded to the server. Added the ability for the server to accept that key.   Resolved an issue with the indexing of certain revoked keys. A problem existed when performing a KeyStatus-is-revoked search.   Resolved a potential looping issue which may have occurred if the replication daemon was down and a key was added to and then deleted from the server, followed by re-starting the replication daemon.   Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Certificate Server management port (port 4000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server.   Resolved a potential Denial of Service vulnerability in PGP Certificate Server 2.5.1. This may have occurred when devices attempted to connect to the PGP Replication port (port 5000 by default) if incoming DNS/NetBIOS traffic was blocked to the PGP Certificate Server.   Resolved a replication looping issue which may have occurred with two-way replication on PGP Certificate Server 2.5.1 when revoked keys were added to the server.   NEW FEATURES Improved web-based Configuration Administrators can conveniently manage the Certificate Server's configuration from nearly any web browser. This version improves the extensive on-line help on product configuration settings. This version provides integrated support for many popular web servers including: Netscape Enterprise Server 3.x Netscape FastTrack Server 3.x Apache 1.3.x Administrators can secure the communications between the web browser and the Certificate Server using the native security services provided by the web server installed with the Certificate Server. Database Size and Performance Improvements This version includes numerous performance enhancements and database optimizations. Certificate database size has been reduced by 20%-30% from previous versions, due to improved certificate storage methods. This size reduction provides improved server performance; more certificates are now stored in the server's cache, less data is read from and written to the server's hard disk, and fewer transformations are needed on certificate data.   Output Filename Options for Certificates The pgpexport command now allows the output filename to be specified as an argument. Also, the exported certificates can now be split across multiple files.   DOCUMENTATION Included with this release is the following manual, which can be viewed on-line as well as printed: PGP Certificate Server Administrator's Guide This document is saved in Adobe Acrobat Portable Document Format (.PDF). You can view and print the document with Adobe's Acrobat Reader. PDF files can include hypertext links and other navigation features to assist you in finding answers to questions about your Network Associates product. To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's Web site. If the web server support for PGP Certificate Server is installed, the Administrator's Guide is also available through a link found on the page: http://YOUR-HOST-NAME:PORT/certserver/default.htm Substitute the hostname of the machine running PGP Certificate Server for the YOUR-HOST-NAME value. For PORT, substitute the port number for the web server that you are running on YOUR-HOST-NAME (by default, the web server listens to port 8080). Documentation feedback is welcome. Send e-mail to tns_documentation@nai.com. SYSTEM REQUIREMENTS Sun Solaris (UNIX) Version 2.5.1 or later (Ultra Sparc recommended) (Solaris 2.6 is required for databases larger than 2GB.) Perl 5 (required for the configuration/monitoring wizard) 64MB RAM minimum 30MB disk space for software Additional disk space for database (10MB - 500MB) Network interface card INSTALLATION PGP Certificate Server Freeware is distributed as a Solaris package file. To upgrade from a previous version of the product: Sign on as root.   Modify the Solaris package administration file as follows: Make a copy of the package administration file: cd /var/sadm/install/admin cp default pgp.admin Using a text editor, change the line in the pgp.admin file from "instance=unique" to "instance=ask". Change to the directory containing the package file.   Run the following command (where x.x.x is the Certificate Server version number): pkgadd -d PGPcertserv_x.x.x_Solaris -a /var/sadm/install/admin/pgp.admin Create Web Configuration/Monitoring wizard logins, as directed onscreen. To install the product for the first time: Sign on as root.   Change to the directory containing the package file.   Run the command: pkgadd -d PGPcertserv_x.x.x_Solaris Create Web Configuration/Monitoring wizard logins, as directed onscreen. Verify that the install succeeded: Run the command: pkginfo -l PGPcertd Verify that the status is "Completely Installed" STARTING PGP CERTIFICATE SERVER After successfully installing the server, you may start it by following these steps. Sign on as root.   Change to the product bin directory (this assumes the default install directory of /opt/PGPcertd). cd /opt/PGPcertd/bin Create the initial database. ./pgpcertd -n -f ../etc/pgpcertd.conf Start the server. ./pgpcertd -f ../etc/pgpcertd.conf Verify that the server is running. ps -fu root | grep pgpcertd If the server is not running, you can troubleshoot by checking the syslog file for errors or starting the server with the Check Configuration (-c) flag. To test that the server is running properly: Start PGP version 5.5 or later.   Add the URL of the machine running PGP Certificate Server to PGP's configuration by selecting PGP Preferences from PGPtray's popup menu (or from the Edit/Preferences menu of PGPkeys).   On the Servers page, add a new server: Enter a new domain or choose an existing one.   Enter an LDAP server using the format: ldap://YOUR-HOST-NAME From PGPkeys, select any key from your list of keys, then select the Send Key to Server item on the Keys menu. Be sure to select the name of your new PGP Certificate Server. If the key is successfully sent to the server, your server is running properly. You can also use the Search dialog box in PGPkeys to search the keys on the server. Again, be sure to set the name of your new server as the server to search. STARTING PGP REPLICATION ENGINE PGP Replication Engine uses the same configuration file as the PGP Certificate Server. The default configuration file does not have replication enabled. The 'Replica' and 'RepLogFile' configuration tags must be configured before you can start the engine. Examples of each are: Replica ldap://mirror.company.com RepLogFile rep.log See the Administrator's Guide for exact details on these configuration values. If you installed the optional PGP Replication Engine component and performed the above configuration, you may start the engine by following these steps: Sign on as root.   Change to the product bin directory (this assumes the default install directory of /opt/PGPcertd). cd /opt/PGPcertd/bin Start the product. ./pgprepd -f ../etc/pgpcertd.conf Verify that the engine is running. ps -fu root | grep pgprepd If the server is not running, you can troubleshoot by checking the syslog file for errors or starting the server with the Check Configuration (-c) flag. USING THE WEB CONFIGURATION/MONITORING WIZARD You use a web browser-based wizard running with an existing web server product to configure PGP Certificate Server; most popular web servers support the wizard. (The web server must be running on the same machine as PGP Certificate Server.) Note: The wizard requires Perl 5. If you do not have Perl 5 installed, please see the Administrator's Guide for details on obtaining it. If you used the installer to install the Apache web server supplied with PGP Certificate Server, you may need to (re)start the web server before you can run the wizard. To do this, sign on as root and issue one of the following commands: /opt/PGPcertd/web/apachectl start or /opt/PGPcertd/web/apachectl restart You can then access the configuration/monitoring wizard from your browser using the URL: http://YOUR-HOST-NAME:PORT/certserver/index.html If you are using another web server or did not use the installer to install the Apache server, see the Administrator's Guide for details on how to properly configure the wizard. You can also use any standard text editor to directly edit the Certificate Server configuration file, located at /opt/PGPcertd/etc/pgpcertd.conf. KNOWN ISSUES Using RSA keys as Admin keys In the International and Freeware releases, RSA keys cannot be used by the server as the Server Secure KeyID. Only DSS/Diffie-Hellman keys can be used as the key the client uses to determine which server it is connecting to using TLS/SSL. Replication Engine Running in One Shot Mode Running Replication Engine in One Shot mode with an empty or non-existent replication log may cause the program to hang. The process can be killed without harming the system. Note that this situation would not normally occur. ADDITIONAL INFORMATION International and Freeware releases The International and Freeware versions of the PGP Certificate Server do not encrypt data. They do provide strong authentication. The Transport Layer Security (TLS) connection between the PGP client and the server is strongly authenticated; but the data is sent over the network without being encrypted. This means that the queries and adds that are performed by the PGP client can be viewed by others, but the identity of someone performing administrative functions is still strongly authenticated. CONTACTING NETWORK ASSOCIATES Note: Network Associates does not provide technical support for PGP freeware products. To purchase a commercial version of PGP, please contact the Network Associates Customer Service department at: Phone: (972) 308-9960 Email: cust_care@nai.com Web: www.pgp.com Network Associates Corporate Headquarters 3965 Freedom Circle McCandless Towers Santa Clara, CA 95054