Thank you for using Network Associates' products. This ReadMe file
contains important information regarding the PGP Certificate Server Freeware. Network
Associates strongly recommends that you read this entire document.
Network Associates welcomes your comments and suggestions. Please use
the information provided in this file to contact us.
Note: PGP freeware products are for non-commercial use only.
Please refer to the included license agreement for terms and conditions of use.
Note: Network Associates does not provide technical support for
PGP freeware products.
Warning: Export of this software may be restricted by the U.S.
Government.
WHAT'S IN THIS FILE
FIXES IN THIS RELEASE
- This release corrects a security-related bug with
Additional Decryption Keys (ADKs) that may allow
sophisticated attackers to add unauthorized ADK
key IDs to the unhashed areas of PGP public keys.
For more information about this bug, please
review the PGP ADK Security Advisory available
on www.pgp.com.
You can download a repair tool (PGPrepair) from
the web page mentioned above to determine whether an existing
PGP Certificate Server database contains any
keys with tampered signatures.
- Resolved a replication looping issue, which may
have occurred with two-way replication on PGP
Certificate Server 2.5.1 when revoked keys revoked
by a designated revoker were added to the server.
- Added additional logging information for Delete
operations, so that the full list of deleted keys
is displayed in the log.
- The released version of the Certificate Server,
when configured with a single MustSigID and the
TrimUsers and TrimSigs features enabled, would
prevent that MustSigID key from being uploaded
to the server. Added the ability for the server to
accept that key.
- Resolved an issue with the indexing of certain
revoked keys. A problem existed when
performing a KeyStatus-is-revoked search.
- Resolved a potential looping issue which may have
occurred if the replication daemon was down and a
key was added to and then deleted from the
server, followed by re-starting the replication
daemon.
- Resolved a potential Denial of Service vulnerability
in PGP Certificate Server 2.5.1. This may have
occurred when devices attempted to connect
to the PGP Certificate Server management port
(port 4000 by default) if incoming DNS/NetBIOS
traffic was blocked to the PGP Certificate Server.
- Resolved a potential Denial of Service vulnerability
in PGP Certificate Server 2.5.1. This may
have occurred when devices attempted to connect to
the PGP Replication port (port 5000 by default) if
incoming DNS/NetBIOS traffic was blocked to the PGP
Certificate Server.
- Resolved a replication looping issue which may have
occurred with two-way replication on PGP Certificate
Server 2.5.1 when revoked keys were added to the
server.
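A check in the spirit of the PGPrepair tool mentioned above, written here as an added example and not Network Associates' code: it walks the signature packets of a binary (non-armored) key and reports any whose unhashed subpacket area carries an ADK subpacket, which the signature hash does not cover. It assumes PGP's ADK subpacket type is 10 and old-format packet headers; the key material is constructed.

```python
import struct

SIG_TAG, ADK_SUBPACKET = 2, 10   # signature packet tag; ADK subpacket type (assumed)

def _packets(data):
    """Yield (tag, body) for old-format packet headers, as PGP 5/6 keys use."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0xC0 != 0x80:
            raise ValueError("only old-format packet headers are supported")
        tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, None)[hdr & 3]
        if size is None: raise ValueError("indeterminate length not supported")
        ln = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + ln]; i += ln

def _subpacket_types(area):
    """Yield the type octet of each subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        first = area[i]; i += 1
        if first < 192: ln = first
        elif first < 255: ln = ((first - 192) << 8) + area[i] + 192; i += 1
        else: ln = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        yield area[i]; i += ln                           # type is the body's first octet

def find_unhashed_adks(data):
    """Return indices of v4 signature packets whose UNHASHED area carries an ADK."""
    hits = []
    for n, (tag, body) in enumerate(_packets(data)):
        if tag != SIG_TAG or body[0] != 4:               # only v4 signatures have subpackets
            continue
        hl = struct.unpack(">H", body[4:6])[0]            # hashed area length
        ul = struct.unpack(">H", body[6 + hl:8 + hl])[0]  # unhashed area length
        if ADK_SUBPACKET in _subpacket_types(body[8 + hl:8 + hl + ul]):
            hits.append(n)
    return hits

def _sub(t, body):
    return bytes([len(body) + 1, t]) + body              # one-octet length form

def sample_key(tampered):
    """Constructed v4 DSA self-signature; tampered=True plants an unhashed ADK."""
    hashed = _sub(2, b"\x39\x8e\x1c\x00")                # creation time
    unhashed = _sub(16, bytes(range(1, 9)))              # issuer key ID
    if tampered:                                         # class, algo, 20-byte fingerprint
        unhashed += _sub(ADK_SUBPACKET, b"\x80\x11" + b"\xaa" * 20)
    body = (b"\x04\x13\x11\x02" + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + b"\x00\x08\x2a" * 2)
    return bytes([0x80 | (SIG_TAG << 2), len(body)]) + body
```

Any index returned by find_unhashed_adks on a real exported key is a signature that should be re-issued from a trusted copy rather than trusted as-is.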
DOCUMENTATION
Included with this release is the following
manual, which can be viewed on-line as well as
printed:
- PGP Certificate Server Administrator's Guide
This document is saved in Adobe Acrobat Portable
Document Format (.PDF). You can view and print the
document with Adobe's Acrobat Reader. PDF files
can include hypertext links and other navigation
features to assist you in finding answers to
questions about your Network Associates product.
To download Adobe Acrobat Reader from the World
Wide Web, visit
Adobe's Web site.
The Adobe Acrobat Reader is also included on this
product CD.
Opening the Administrator's Guide:
After installing Adobe Acrobat Reader, bring up
the Windows Start Menu. Then select Programs > Network Associates > PGP Certificate Server >
Documentation > Administrator's Guide. If the web
server support for PGP Certificate Server is
installed, the Administrator's Guide is also
available through a link found on the page:
http://YOUR-HOST-NAME:PORT/certserver/default.htm
Substitute the hostname of the machine running the
PGP Certificate Server for the YOUR-HOST-NAME
value. For PORT, substitute the port number for
the web server that you are running on
YOUR-HOST-NAME (this defaults to 80 if it is not
specified).
This release also includes integrated online help
in Microsoft Windows Help format:
- PGP Certificate Server online help
- PGP Replication Engine online help
Documentation feedback is welcome. Send e-mail to
tns_documentation@nai.com.
NEW FEATURES
SYSTEM REQUIREMENTS
- Windows NT version 4.0 and higher
- 32MB RAM minimum
- 15MB disk space for software
- Additional disk space for database (10MB - 500MB)
- Network interface card
- PGP 6.5.2 (Only required for management of secure keys).
- To run the Configuration/Monitoring Wizard:
- Microsoft Internet Information Server (version
4 recommended) with Microsoft Internet Explorer
4 or later
or
- Any web server and a version 4 or
later browser
INSTALLATION
PGP Certificate Server Freeware is distributed as a self-extracting file.
To install the product from a downloaded self-extracting file:
- Start Windows.
- Download the PGP Certificate Server installation program onto your computer's hard drive.
- Double-click the installation program.
- Follow the on-screen prompts.
STARTING PGP CERTIFICATE SERVER
After successfully installing the server, you can start it by following these steps.
- Choose Programs > PGP Certificate Server > PGP Certificate Server Console from the
Windows Start Menu.
- Click "Create Database" to create the initial database (if necessary).
- Click Start to start Certificate Server.
To test that the server is running properly:
- Start PGP version 5.5 or later.
- Add the URL of the machine running PGP Certificate Server to PGP's configuration as follows:
- Open the PGPkeys window by selecting PGPkeys from the PGPtray menu.
- Select Edit > Options.
- On the Servers page, click New to add a New server.
- Select the Protocol to use.
- Enter an LDAP server name using the format:
ldap://YOUR-HOST-NAME
- Type a new domain or choose an existing one and click OK.
- Click OK to exit the Options dialog box.
- In the PGPkeys window, select any key from your list of keys, then
select the Send Key to Server item on the Keys menu. Be sure to select the name of your
new PGP Certificate Server.
If the key is successfully sent to the server, your server is running properly. You can also
use the search dialog in PGPkeys to search the keys on the server. Again, be sure to set the name
of your new server as the server to search.
STARTING THE PGP REPLICATION ENGINE
If you installed the optional PGP Replication
Engine component, you can start it by selecting
Programs > PGP Certificate Server > PGP
Replication Engine Console from the Windows Start
Menu.
PGP Replication Engine uses the same configuration
file as the PGP Certificate Server. The default
configuration file does not have replication
enabled. The 'Replica' and 'RepLogFile'
configuration tags need to be configured prior to
successfully starting the server.
Examples of each are:
Replica     ldap://mirror.company.com
RepLogFile  rep.log
See the Administrator's Guide for exact details on
these configuration values.
Pressing Start will cause the product to begin
monitoring for data to replicate.
USING THE WEB CONFIGURATION/MONITORING WIZARD
You use a web browser-based wizard running
with an existing web server product to
configure PGP Certificate Server; most
popular web servers support the wizard. (The
web server must be running on the same machine
as PGP Certificate Server.)
If you are running version 2.0 or later of the
Microsoft Internet Information Server and you
automatically installed support for the wizard,
you can run the wizard by (re)starting the web
server. You can then access the
configuration/monitoring wizard from your browser
using the URL:
http://YOUR-HOST-NAME:PORT/certserver/default.htm
If you are using another web server or did not
have the installer add this support, please see
the Administrator's Guide for details on how
to properly configure this feature.
You can also use any standard text editor to directly
edit the Certificate Server configuration file, located at
C:\Program Files\Network Associates\PGPcertd\etc\
pgpcertd.cfg.
KNOWN ISSUES
- Using RSA keys as Admin keys
In the International and Freeware releases, RSA
keys cannot be used by the server as the Server
Secure KeyID. Only DSS/Diffie-Hellman keys can
be used as the key the client uses to determine
which server it is connecting to using TLS/SSL.
ADDITIONAL INFORMATION
International and Freeware releases
The International and Freeware versions of the PGP
Certificate Server do not encrypt data. They do
provide strong authentication. The Transport Layer
Security (TLS) connection between the PGP client
and the server is strongly authenticated; but the
data is sent over the network without being
encrypted. This means that the queries and adds
that are performed by the PGP client can be viewed
by others, but the identity of someone performing
administrative functions is still strongly
authenticated.
CONTACTING NETWORK ASSOCIATES
Note: Network Associates does not provide
technical support for PGP freeware products.
To purchase a commercial version of PGP, please
contact the Network Associates Customer Service
department at:
Network Associates Corporate Headquarters
3965 Freedom Circle
McCandless Towers
Santa Clara, CA 95054