7.3. Highlighted Updates and New Features
Red Hat Certificate System 9.1 has introduced the following new features and important updates:
Important
Note that this document only contains release notes for features which are not available in the base Red Hat Enterprise Linux 7.3 release. Many of the new features in Red Hat Certificate System are in the pki-core package, and those are documented in the Red Hat Enterprise Linux 7.3 Release Notes.
New Java-based Token Processing System
Red Hat Certificate System 9.1 replaces the Apache HTTPD-based Token Processing System (TPS) with a Java Tomcat-based TPS. The new Java-based TPS retains feature parity with the existing C-based implementation and provides a new user interface for better user experience.
Note
This feature was offered as a Technology Preview in the previous release of Red Hat Certificate System. This release changes the feature status to fully supported.
Global Platform 2.1.1 in the Token Processing System
The latest version of Global Platform has been included and supported in the version of TPS that comes with Red Hat Certificate System 9. TPS is now able to provision cards that support newer versions of Global Platform and the latest cryptographic operations. In particular, the gp211 applet has been introduced that provides support for Secure Channel Protocol 02 (SCP02). SCP02 has been tested with SafeNet Assured Technologies Smart Card 650.
Note
This feature was offered as a Technology Preview in the previous release of Red Hat Certificate System. This release changes the feature status to fully supported.
Certificate System now supports setting SSL ciphers for individual installation
Previously, if an existing Certificate Server had a customized cipher set that did not overlap with the default ciphers used during the installation, a new instance could not be installed to work with existing instances. With this update, Certificate System enables you to customize the SSL cipher using a two-step installation, which avoids this problem.
To set the ciphers during a Certificate System instance installation:
- Prepare a deployment configuration file that includes the pki_skip_configuration=True option.
- Pass the deployment configuration file to the pkispawn command to start the initial part of the installation.
- Set the ciphers in the sslRangeCiphers option in the /var/lib/pki/instance/conf/server.xml file. Replace instance with the instance name.
- Replace the pki_skip_configuration=True option set in the first step with pki_skip_installation=True in the deployment configuration file.
- Run the same pkispawn command to complete the installation.
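The steps above as a script, added here as an example and not taken from Red Hat's documentation or code. The function names and the --install argument handling are made up for this example; the subsystem type, deployment file, instance name and cipher list are supplied by the caller.

```shell
#!/bin/bash
# Added example, not Red Hat's code. Function names and the --install
# entry point are hypothetical; all values are supplied by the caller.

# Step 3: set sslRangeCiphers. $1 = server.xml path, $2 = cipher list.
set_range_ciphers() {
    local xml="$1" ciphers="$2"
    # Accept only characters that occur in a +NAME,-NAME cipher list, so the
    # value cannot break out of the XML attribute or the sed expression.
    case $ciphers in
        ''|*[!A-Za-z0-9_,+-]*) echo "bad cipher list" >&2; return 1 ;;
    esac
    grep -q 'sslRangeCiphers="[^"]*"' "$xml" || {
        echo "no sslRangeCiphers attribute in $xml" >&2; return 1; }
    cp -p "$xml" "$xml.orig" || return 1
    # Write back into the existing file so its owner and mode are kept.
    sed "s|sslRangeCiphers=\"[^\"]*\"|sslRangeCiphers=\"$ciphers\"|" \
        "$xml.orig" > "$xml"
}

# Step 4: swap the skip flag. $1 = deployment configuration file.
switch_to_configuration() {
    local cfg="$1"
    grep -q '^pki_skip_configuration=True$' "$cfg" || {
        echo "pki_skip_configuration=True not found in $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.step1" || return 1   # keeps the file's restrictive mode
    sed 's|^pki_skip_configuration=True$|pki_skip_installation=True|' \
        "$cfg.step1" > "$cfg"
}

# Steps 2 to 5. $1 = subsystem type, $2 = deployment file (step 1, already
# prepared), $3 = instance name, $4 = cipher list.
two_step_install() {
    pkispawn -s "$1" -f "$2" || return 1
    set_range_ciphers "/var/lib/pki/$3/conf/server.xml" "$4" || return 1
    switch_to_configuration "$2" || return 1
    pkispawn -s "$1" -f "$2"
}

# Runs only when asked to: script.sh --install <subsystem> <cfg> <instance> <ciphers>
if [ "${1:-}" = "--install" ]; then
    two_step_install "$2" "$3" "$4" "$5"
fi
```

The original server.xml is kept as server.xml.orig and the step-one deployment file as a .step1 copy, so either change can be compared or reverted if the second pkispawn run fails.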
Man pages updates
Man pages for many tools provided by Red Hat Certificate System 9 have been added, rewritten or significantly updated in this release. Important usage information that was previously published in the Red Hat Certificate System 9 Command-Line Tools Guide is now in man pages, ensuring access to this information on any system where Certificate System is installed, even without internet access. At the same time, the Command-Line Tools Guide is deprecated for Red Hat Certificate System 9.1 and will not be published on the Red Hat Customer Portal.
Certificate System now uses a specific JDK and version and no longer supports alternatives
Red Hat Certificate System 9.1 no longer relies on the system java selectable using the /usr/sbin/alternatives mechanism. Instead, Red Hat Certificate System 9.1 always uses its own specified JDK and version. For Red Hat Certificate System 9.1, this JDK is java-1.8.0-openjdk, and the version is 1:1.8.0.