/****************************************************************************\ DAS Release for Solaris, Linux, and Windows

Transcription

1 /****************************************************************************\ DAS Release for Solaris, Linux, and Windows Copyright Information Security Corp. All rights reserved. This document was last modified on: 14 December 2012 \****************************************************************************/ 1 Version New Features and Operational Changes Added support for processes acting on behalf of authorized entities with proxy authenticators Added proxy ticket and signature audit trails (disabled by default) Check membership service can now be independently enabled Removed path validation and authenticator configuration from New CoI page; default settings are no path validation and no authenticator Updated management API to support proxy authenticators Updated the sample program that illustrates use of the management API (das/sample/dasmanagementsample.java) Updated the default XML configuration file (das/conf/das.xml): o added a proxy-authenticators element (with attributes requireall and enabled) to the coi element o added proxy elements to the audit trail section Updated the configuration DTD file (das/conf/das.dtd) Capabilities section renamed Protocols on New CoI and Edit CoI pages 1.2 Installation This DAS release is distributed as a compressed tar or zip archive whose name indicates the specific target platform on which the package is to be installed: das sol.tar.gz das lnx.tar.gz das win.zip Solaris/SPARC Linux x86 (Intel) Windows For full/upgrade installation instructions, please refer to the separate installation document: DAS.pdf 1.3 Known Issues LDAP authenticator using TLS client authentication At runtime, the client keystore location and password are stored in the Java system variables isc.das.ldaps.keystore and isc.das.ldaps.keystorepassword respectively. We recommend using the same client key to authenticate to all LDAP servers when multiple CoIs are set up to use different LDAP authenticators with TLS client authentication enabled. Make sure that the TLS port you specify for an LDAP authenticator actually supports the selected authentication scheme. DAS may hang if a non-tls port is specified for an LDAP authenticator configured to use TLS, or if a TLS port is specified for an LDAP authenticator configured to use anonymous binding or simple authentication.

2 2 Version History 2.1 Version AES-256, rather than AES-192, is now used for the encryption of private key material as CMS PDUs Added support for custom authenticators Added support for multiple authenticators per CoI Added service redirection functionality Added support for uploading DAS credentials in PKCS#12 format Added ECDH key derivation Added Trusted CA page to the sysadmin interface: o added management of trusted Java keystore o added subordinate CA list for path validation Added path validation for certificates in the key admin, CoI admin, and CoI manager ACLs Added an option to generate a self-signed CoI certificate with the CoI name as an othername field in its subjectaltname extension Added support for CoI key pair generation based on a self-signed certificate or certificate request CoI name no longer allows leading or trailing spaces Updated HyperSQL database library to version Updated management API to support service redirection, multiple authenticators, custom authenticators, and PKCS#12 DAS credentials upload Updated the sample program that illustrates use of the management API (das/sample/dasmanagementsample.java) Updated the default XML configuration file (das/conf/das.xml): o added an authenticators element with requireall attribute to the coi element o all authenticator elements (null-auth, ldap-auth, db-auth and local-db-auth) moved to children of the authenticators element o added custom-auth elements Updated the configuration DTD file (das/conf/das.dtd) Updated the administration site interface Removed daskg program from the distribution Removed support for CoI certificates on DSA keys Rekey operation now rewraps the encrypted HSM PIN for a CoI that uses HSM credentials 2.2 Version A Windows installer was added to the automated installation process Added support for a local database that optionally starts when DAS does Added a Local Database authenticator option to the CoI configuration settings; if enabled, a Local Database item will now appear in the Authenticator drop-down list The Database authenticator of previous versions has been renamed and is now referred to as a Network Database authenticator (to distinguish it from the local database option) Updated the sample program that illustrates use of the management API (das/sample/dasmanagementsample.java) Updated the default XML configuration file (das/conf/das.xml): o added a local-database-file element to the das section o added an optional local-db-auth element to the coi element Updated the configuration DTD file (das/conf/das.dtd)

3 2.3 Version JRE 1.5 or above is now required for proper operation of DAS (JRE 1.4.x is no longer supported) Dropped SecretAgent from the product name; it s now just DAS Updated key generation command line utility (<das home>/tools/daskg) When the DAS server shuts down, a 32-byte persistent pseudo-random seed is written to the file <das home>/bin/.entropy. Upon restart, DAS seeds its internal pseudo-random number generator (PRNG) with the contents of that file (if exists), and always pulls additional entropy from dev/random and dev/urandom. This updating of the internal state of the PRNG is performed prior to its use for asymmetric key generation. Added support for CoI certificates with the CoI name specified within a subjectaltname extension as an othername value prefixed by the OID CoI certificates generated from the administrative web interface will have both encryption and signing capabilities (key usage: key encipherment, key agreement, digital signature and nonrepudiation) rather than just encryption capability If an error occurs during the processing of a rewrap request, the server will return one of the following customized HTTP status codes (rather than simply returning 400:bad request ): o 600: system PIN/password has not been set o 601: CoI not found o 602: user is not member of the CoI o 603: path validation of user certificate failed o 604: rewrap failed o 605: invalid request (one of the required parameters is missing) o 606: unknown (any unexpected/runtime error) o 607: rewrap request disabled Added signature API to sign a supplied message digest value if user is a member of the specified CoI Added check membership API to check if a user is a member of the specified CoI. Added the ability to individually enable/disable CoI capabilities: rewrap, sign and check membership Status section on CoI page replaced by Capabilities section with rewrap, sign and check membership options Changed default key sizes for RSA to 2048 (from 1024) Updated the management API o added ability to update member certificate path validation setting o added ability to update CoI s capabilities (rewrap, sign and check membership) Updated the management API sample program file (das/sample/dasmanagementsample.java) Updated the default configuration XML file (das/conf/das.xml) o added rewrap-request, sign-request, check-membership elements to audit trail section o removed enable attribute from coi element o added capabilities attribute to coi element Updated the configuration DTD file (das/conf/das.dtd) 2.4 Version Added support for dynamic groups to the LDAP authenticator: o Added Include static groups with member attribute and Include dynamic groups with memberurl attribute options to the LDAP authenticator section of CoI page Restricted the CoI manager role to the management of a particular CoI (rather than all of them): o Enable/disable CoI

4 o Manage CoI credentials o Manage path validation settings o Manage authenticator Added a CoI admin role: o Create and remove CoIs o Administrate all CoIs and their settings o Maintain CoI manager ACLs: Added CoI Manager ACL section to the CoI page Updated the default configuration XML file (das/conf/das.xml) Updated the configuration DTD file (das/conf/das.dtd) Updated management API: o Added required parameter coiname when uploading a certificate to the CoI manager ACL using action=uploadcoimanagercert o Support uploading a certificate to the CoI admin ACL using action=uploadcoiadmincert o Rename groupattr parameter to staticgroupattr when creating a new CoI with LDAP authenticator using action=createcoildapauth Updated the management API sample program file (das/sample/dasmanagementsample.java) 2.5 Version Added support for CoI credential creation and installation: o Added a Create New Credentials option to the Create a New CoI page as well as to the CoI Add Credentials page o Added a Create New Credentials page to generate a new key pair and either a self-signed certificate or a certificate request o Added an Install button to the Credentials page to replace a pending certificate request with the corresponding certificate once it has been issued Added interface elements that allow CoI credentials to be installed in PKCS#12 format: o Added an Upload a PKCS#12 File option to the Create a New CoI and Add Credentials pages to allow credentials to be uploaded in PKCS#12 format (the correct password must be provided) o Management API: updated to support the installation of PKCS#12 credentials Added a View button to the CoI page to view all HSM-based credentials that match the CoI name Added an Export button to the CoI Credentials page to support the saving of CoI certificates and certificate requests to specified locations Log4j engine: updated from version to version Updated audit trail: o Events can be rolled over daily or stored in a single file o Updated audit trail view: if daily rollover of logs is enabled, the user can specify the dates for which log file entries will be displayed: today, last 7 days, last 30 days, or custom from/to dates Created a new Key Management Utility (das/tools/kmu.bat or.sh) o A quick start option creates DAS system, SSL server, and administrator credentials as well as the required Java keystore to jumpstart the installation/configuration process o A second option facilitates management of the Java keystore Added a new web interface for management of the CoI membership database: o Added a View Members button to the Create a New CoI and database authenticator selection pages o Added a Manage Members button to the database authenticator section on the View CoI page to manage the membership list

5 CA certificates are now ignored when user certificates are installed into the keyadmin and CoI manager ACLs. Similarly, end-user certificates are ignored when installing trusted CA certificates to be used for certificate path validation of CoI members AES-192 rather than DES3 (TDES) is now used for the encryption of private key material as CMS PDUs Updated the configuration DTD file (das/conf/das.dtd) Java system property isc.das.home must be set to the DAS installation directory when starting the webserver 2.6 Version LDAP authenticator now supports TLS with client authentication. Administrative interface now permits the creation of CoIs with HSM-based credentials. HSM PINs are encrypted using the DAS system key and stored in the configuration file. Database Server Utility (das/tools/dbserver.sh or.bat) enhancements: o manager command launches the DAS Database Manager Utility instead of the DAS Database Authenticator Manager; the Database Manager provides an interface to more easily manage user accounts while still providing access to the Database Authenticator Manager. o Removed the add/remove user commands. o Removed the change user password command. o init command no longer accepts a password parameter; it defaults to password. o stop command accepts an optional password parameter; if a password is not specified, the user will be prompted for it. Audit Trail page: added Export button to save the log to a file. Hypersonic SQL Database Engine: updated from version to version Management API: updated to permit the creation of CoIs using the database authenticator. The configuration DTD file (das/conf/das.dtd): updated. A new script (das/tools/version.sh or.bat) has been added to display the current DAS release number. 2.7 Version Supports database authenticator Supports DAS HSM Proxy Added administrative interface for sysadmins o Add, remove, and rekey DAS Credentials o Rekey CoI credentials and authenticator passwords o Manage keyadmin access control list Allows creation of CoIs using null and LDAP authenticators without binding information if DAS credentials have not been set or system password has not been entered. Allows creation of CoIs if DAS certificate has been uploaded but the private key has not Updated management interface o Changed upload DAS Credentials task Role requirement is changed from keyadmin to sysadmin private key parameter changed from prv or p7m to prvkey o Added the ability to rekey DAS (HSM) credentials with a new HSM certificate o Added the ability to upload a certificate to the keyadmin access control list o Updated sample/managementsample.java CoI name accepts a-z, A-Z, 0-9, ' ', '.', '-' and '_' characters. Updated audit trail format

6 Updated configuration file DTD (das/conf/das.dtd).