PGP Keyserver ReadMe
Version 7.0 for Windows NT/2000 and UNIX
Copyright (c) 1998-2000 by Networks Associates Technology, Inc., and its Affiliated Companies. All Rights Reserved.

Thank you for using Network Associates' products. This ReadMe file contains important information regarding the PGP Keyserver. Network Associates strongly recommends that you read this entire document.

Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact us.

Warning: Export of this software may be restricted by the U.S. Government.

___________________
WHAT'S IN THIS FILE

- New Features
- Documentation
- System Requirements
- Known Issues
- Installation
- Starting the PGP Keyserver
- Starting the PGP Replication Engine
- Contacting Network Associates

____________
NEW FEATURES

* Easy-to-Use Web Console

The new PGP Keyserver Web Console provides secure access to the Keyserver's console from remote web browsers, giving administrators the ability to remotely monitor and manage their PGP Keyserver from any client with a supported web browser. The Web Console now features an intuitive, easy-to-use interface for Keyservers on both Windows and Solaris platforms. The bundled web server enables all console communications to be encrypted using SSL, providing a secure foundation for remote management using a turnkey installation process. Keyserver access logs and logged system events are now available from the Web Console, improving the information available to remote administrators. Keyserver search and key-add functionality is now available through a web browser interface for use by administrators or remote web users.

* Enterprise Management of PGP Client Preferences

PGP 7.0 introduces a valuable feature that helps administrators keep deployed PGP client configurations up-to-date. By storing configuration options on the PGP Keyserver, administrators can easily roll out enterprise-wide configuration changes to deployed PGP clients.
* Configuration Wizard

A new Configuration Wizard enables turnkey configuration of everything necessary to begin using the PGP Keyserver, making it easy to set or change such options as security certificates for the Keyserver and Web Console as well as port numbers, hostname, and administrator email address.

* Database Performance Improvements

This version includes numerous performance improvements and database optimizations as well as further options for performance enhancements based on configuration requirements. PGP userids can be indexed by substring for complete searchability, as with earlier versions of the Keyserver, or they can be indexed word by word, providing a shorter time for adding keys and smaller index files for the database.

* Windows 2000 Support

PGP Keyserver now fully supports the Windows 2000 operating system.

* Auto-delete from pending area

The pending area has an enhanced self-maintenance feature. When a key added to the Keyserver passes signature policies (having been signed by an Employee Certification Key, for instance), the key is automatically removed from the pending area, eliminating the need for additional administrative steps.

* Key Reconstruction Support for PGP Clients

PGP 7.0's new key reconstruction feature helps users recover from lost keys or forgotten passphrases. PGP Keyserver 7.0 supports the optional storage of reconstruction data, supporting PGP's cryptographic key splitting technology to provide a secure means for users to recover their private keys after answering five questions whose answers only the user would know.

* Enhanced logging format

PGP Keyserver 7.0's enhanced logging format provides additional statistics useful for usage analysis, including request processing time, number of user id's and signatures added, and the size of the key information transmitted to or from the client machine. Compatibility with the earlier logging format is available by configuration option.
* New PGP Key format support

PGP 7.0 introduces a new RSA key format that provides support for PGP's Additional Decryption Key (ADK), designated revoker, multiple encryption subkeys and photo ID features. Previously these features were only available to users with Diffie-Hellman keys. PGP Keyserver 7.0 now supports the use of these keys.

* Support Utilities

PGPexport now creates ASCII-armored keyfiles by default when exporting keys and reconstruction data. The binary export format used in earlier versions can be enabled if reconstruction data is not required. PGPimport now reads both ASCII-armored keyfiles and binary keyrings.

_____________
DOCUMENTATION

Included with this release is the following manual, which can be viewed on-line as well as printed:

* PGP Keyserver Administrator's Guide *

This document is saved in Adobe Acrobat Portable Document Format (.PDF). You can view and print the document with Adobe's Acrobat Reader. PDF files can include hypertext links and other navigation features to assist you in finding answers to questions about your Network Associates product. To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's Web site at:

http://www.adobe.com/prodindex/acrobat/readstep.html

The Adobe Acrobat Reader is also included on this product CD.

NOTE: Adobe Acrobat 4.0 is required for best viewing of the screen images.

* Opening the Administrator's Guide *

*Windows NT/2000*

After installing Adobe Acrobat Reader, bring up the Windows Start Menu. Then select Programs --> Network Associates --> PGP Keyserver --> Documentation --> Administrator's Guide.

*Windows NT/2000 and UNIX*

If the web server support for PGP Keyserver is installed, the Administrator's Guide is also available through a link found on the following page:

https://YOUR-HOST-NAME[:PORT]

Substitute the hostname of the machine running the PGP Keyserver for the YOUR-HOST-NAME value.
For PORT, substitute the port number for the web server that you are running on YOUR-HOST-NAME (this defaults to 443 if it is not specified).

Documentation feedback is welcome. Send e-mail to tns_documentation@nai.com.

___________________
SYSTEM REQUIREMENTS

*Windows NT/2000*

To install PGP Keyserver on a Windows NT/2000 server:

- Windows NT version 4.0 Service Pack 6a or Windows 2000 Service Pack 1
- 64MB RAM minimum
- 15MB disk space for software
- Additional disk space for database (10MB - 500MB)
- PGP 7.0 is required for key management on the same machine. Any version of PGP can be used for key management on a different machine.
- Network interface card
- Microsoft Internet Explorer 4.01 SP2 or later, or Netscape 4.x.

*UNIX*

To install PGP Keyserver on a UNIX server:

- Sun Solaris for SPARC (UNIX) version 2.6 or later
- 64MB RAM minimum
- 30MB disk space for software
- Additional disk space for database (10MB - 500MB)
- PGP 7.0 is required for key management on the same machine. Any version of PGP can be used for key management on a different machine.
- Network interface card
- Microsoft Internet Explorer 4.01 SP2 or later, or Netscape 4.x

NOTE: The latest recommended patches from Sun are REQUIRED for Solaris 7 support. They can be obtained as a single patch bundle at the following web site:

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

____________
KNOWN ISSUES

* If any other service or daemon (such as Microsoft Internet Information Server or Apache Web Server) is using port 443, the Configuration Wizard will issue a warning that port 443 is in use. You should either disable that service, or assign the PGP Keyserver's Web Console to a port other than 443.

* To use the Web Console, a browser with 128-bit encryption is required. If you use a browser that does not include support for 128-bit encryption, using the Web Console will result in a blank browser display or a message stating that there are no common encryption algorithms.
* Any PGP 7.0 client or server product installed after PGP Keyserver 7.0 will cause failure to start PGP Keyserver (error message: DLL entry point not found). Any such product must be installed BEFORE PGP Keyserver 7.0. Any PGP 7.0.1 software can be safely installed before or after PGP Keyserver 7.0.

* When entering the Organization Name and Organizational Unit to generate the X.509 Certificate in the Configuration Wizard, the use of more than 100 characters in each field or the use of non-alphanumeric characters is unsupported. If PGPapache encounters such usage, it may fail to start, and the webserver error log in web/logs/error_log will contain the message "Key does not have a valid X.509 signature".

____________
INSTALLATION

Warning: If you are installing PGP Desktop Security 7.0 and PGP Keyserver 7.0, install PGP Desktop Security first.

*Windows NT/2000*

PGP Keyserver is distributed in either a self-extracting file or on a CD-ROM.

To install the product from a CD-ROM:

1. Start Windows.
2. Insert the CD-ROM.
3. Double-click the installation program icon found in the PGP Keyserver subdirectory.
4. Follow the on-screen prompts.

To install the product from a downloaded self-extracting file:

1. Start Windows.
2. Download the PGP Keyserver installation program onto your computer's hard drive.
3. Double-click the installation program.
4. Follow the on-screen prompts.

*UNIX*

PGP Keyserver is distributed as a Solaris package file. This section includes instructions to install the product for the first time and to upgrade from a previous version.

To install the product for the first time:

1. Sign on as root.
2. Change to the directory containing the package file.
3. Run the command:

   pkgadd -d PGPkeyserv_7.0.0_Solaris.pkg

Run the post-install script:

1. Run the command:

   cd /opt/PGPkeysrv/web/ ; ./config-wiz.pl

Verify that the product is installed properly:

1. Run the command:

   pkginfo -l PGPkeysrv

   The status should be "Completely Installed."
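The following helper is an added example, not part of the PGP Keyserver distribution: it scripts the post-install verification above and steps 2 and 5 of the upgrade procedure that follows, using the paths and commands this ReadMe gives. The assumption that the old daemon's `ps -fu root` command line contains "/opt/PGPcertd/" is ours.

```shell
#!/bin/sh
# Added helper for the Solaris install checks and upgrade steps in this ReadMe.
# Paths and utilities are the ones the ReadMe names; matching the old daemon
# by "/opt/PGPcertd/" in its command line is an assumption.
set -u

OLD_BIN=/opt/PGPcertd/bin
NEW_BIN=/opt/PGPkeysrv/bin
DUMP=/opt/dump.pgp

# Read `pkginfo -l PGPkeysrv` output on stdin; succeed only if the STATUS line
# reports the package as completely installed (case-insensitive).
pkg_completely_installed() {
    awk 'toupper($1) == "STATUS:" && index(tolower($0), "completely installed") > 0 { ok = 1 }
         END { if (ok) exit 0; exit 1 }'
}

# Read `ps -fu root` output on stdin and print the PID (column 2) of the first
# process whose command line references /opt/PGPcertd/; the header is skipped.
certd_pid_from_ps() {
    awk 'NR > 1 && index($0, "/opt/PGPcertd/") > 0 { print $2; exit }'
}

# Upgrade step 2: SIGTERM the old PGP Certificate Server, wait (bounded, so a
# hung daemon cannot hang the script) for it to exit, then export the database.
export_old_db() {
    pid=$(ps -fu root | certd_pid_from_ps)
    if [ -n "$pid" ]; then
        kill -TERM "$pid"
        n=0
        while kill -0 "$pid" 2>/dev/null && [ "$n" -lt 30 ]; do
            sleep 1; n=$((n + 1))
        done
    fi
    (cd "$OLD_BIN" && ./pgpexport ../data "$DUMP")
}

# Upgrade step 5: re-import the dump into the new Keyserver over LDAP.
import_new_db() {
    (cd "$NEW_BIN" && ./pgpimport "$DUMP" ldap://localhost)
}

# Steps 3 and 4 (pkgadd, config-wiz.pl, restart) are done by hand in between:
#   sh pgpks-upgrade.sh export ... sh pgpks-upgrade.sh verify ... sh pgpks-upgrade.sh import
case "${1:-}" in
    verify) pkginfo -l PGPkeysrv | pkg_completely_installed && echo "PGPkeysrv: completely installed" ;;
    export) export_old_db ;;
    import) import_new_db ;;
esac
```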
To upgrade from a previous version of the product:

1. Sign on as root.
2. Export the existing database.
   - Stop the PGP Certificate Server (use ps -fu root to locate the process ID, and use the kill command to send a SIGTERM signal to the PGP Keyserver: kill PID).
   - Change to the /opt/PGPcertd/bin directory.
   - Use the PGPexport utility to export the database:

     ./pgpexport ../data /opt/dump.pgp

3. Install the PGP Keyserver as you would for a brand new installation. For more information, see the instructions in the previous section.
4. Configure the PGP Keyserver as described in the documentation and restart the program to institute the updated policies.
5. Re-import the keys from the old database.
   - Change to the /opt/PGPkeysrv/bin directory.
   - Use the PGPimport utility to re-import the database:

     ./pgpimport /opt/dump.pgp ldap://localhost

6. Re-disable any keys that were disabled in the old installation.

__________________________
STARTING THE PGP KEYSERVER

*Windows NT/2000*

The PGP Keyserver starts automatically after installation and reboot.

*UNIX*

To start the PGP Keyserver after configuring it, use the Web Console's Restart button (Server Control panel), or run the SysV init script:

/etc/init.d/pgpkeyserver start

*Both Windows and UNIX*

To view the PGP Keyserver's Web Console, enter the following URL in the location field of any Web browser:

https://YOUR-HOST-NAME[:PORT]/keyserver/

To test to see if the PGP Keyserver is running properly:

1. Start PGP version 5.5 or later.
2. Add the URL of the machine running PGP Keyserver to PGP's configuration by selecting PGP Preferences from PGPtray's popup menu (or from the Edit/Preferences menu of PGPkeys).
3. On the Servers panel, add a new server:
   A. Enter a new domain or choose an existing one.
   B. Enter an LDAP server using the format: ldap://YOUR-HOST-NAME
4. From PGPkeys, select any key from your list of keys, then select the Send Key to Server item on the Server menu. Be sure to select the name of your new PGP Keyserver.
If the key is successfully sent to the PGP Keyserver, it is running properly.

You can also use the Search dialog box in PGPkeys to search the keys on the Keyserver. Again, be sure to set the name of your new PGP Keyserver as the Keyserver to search.

___________________________________
STARTING THE PGP REPLICATION ENGINE

*Both Windows and UNIX*

If you installed the optional PGP Replication Engine component, you must install the PGP Keyserver on the slave servers. After you have installed the additional software, you must identify the hosts that you want to replicate the database to, and the replication log file, before you start the PGP Replication Engine. To do so, follow these steps:

1. Display the Web Console by entering the following URL in the location field of any Web browser:

   https://YOUR-HOST-NAME[:PORT]/keyserver/

2. Click Replication (left side of console).
3. Identify the PGP Keyservers you want to replicate the database to, for example, ldap://mirror.company.com.
4. Identify the replication log file, for example, rep.log.
5. Click Save Changes (top of console).
6. Click Server Control (left side of Web Console).
7. Click Restart under Replication (top right corner of Web Console).

See the Administrator's Guide for exact details on the configuration parameters.

_____________________________
CONTACTING NETWORK ASSOCIATES

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact the Network Associates Customer Service department:

Network Associates Customer Service
4099 McEwen, Suite 500
Dallas, Texas 75244
U.S.A.

The department's hours of operation are 8 a.m. to 8 p.m. Central time, Monday through Friday.
Other contact information for corporate-licensed customers:

Phone: (972) 308-9960
E-mail: services_corporate_division@nai.com
World Wide Web: http://support.nai.com

Other contact information for retail-licensed customers:

Phone: (972) 308-9960
E-mail: cust_care@nai.com
World Wide Web: http://www.pgp.com

* FOR TECHNICAL SUPPORT *

PGP Security and Network Associates are famous for their dedication to customer satisfaction. The companies have continued this tradition by making their sites on the World Wide Web valuable resources for answers to technical support issues. PGP Security encourages you to make this your first stop for answers to frequently asked questions, for updates to PGP Security and Network Associates software, and for access to news and virus information.

World Wide Web: http://support.nai.com

If the automated services do not have the answers you need, contact Network Associates at one of the following numbers between 8 a.m. and 8 p.m. Central time, Monday through Friday, to find out about Network Associates technical support plans.

For corporate-licensed customers:
Phone: (972) 308-9960

For retail-licensed customers:
Phone: (972) 855-7044

To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software.
Please include this information in your correspondence:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and speed, where applicable
- Relevant browsers or applications and their version numbers, where applicable
- How to reproduce your problem: when it occurs, whether you can reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax, or e-mail

We also seek and appreciate general feedback.

* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use Network Associates products, we have established a reseller's program to provide service, sales, and support for our products worldwide. For a listing of resellers, see the resellers.txt file or contact Network Associates Customer Service for resellers near you.

* TO REPORT PROBLEMS *

Network Associates prides itself on delivering a high-quality product. If you find any problems, please take a moment to review the contents of this file. If the problem you've encountered is documented, there is no need to report the problem to Network Associates.

If you find any feature that does not appear to function properly on your system, or if you believe an application would benefit greatly from enhancement, please contact Network Associates with your suggestions or concerns.

* FOR ON-SITE TRAINING INFORMATION *

Contact Network Associates Customer Service at (972) 308-9960.