
8.3. Highlighted Updates and New Features


Red Hat Certificate System 9.0 on Red Hat Enterprise Linux 7.1 requires packages from the Optional repository

When the Red Hat Certificate System 9.0 layered product is deployed on Red Hat Enterprise Linux 7.1, it requires access to packages that only exist in the Red Hat Enterprise Linux Optional repository. These are the required packages:
    resteasy-base-client >= 3.0.6-1 is needed by pki-base-10.2.4-2.el7.noarch
    resteasy-base-jackson-provider >= 3.0.6-1 is needed by pki-base-10.2.4-2.el7.noarch
    libsvrcore.so.0()(64bit) is needed by pki-tps-10.2.4-2.el7.x86_64
    jss-javadoc >= 4.2.6-35 is needed by redhat-pki-10.2.4-1.el7.noarch
    nuxwdog-client-java >= 1.0.1-11 is needed by pki-server-10.2.4-2.el7.noarch

Note

Note that as of Red Hat Enterprise Linux 7.2, these packages will be added among common dependencies, thus eliminating the requirement to use the Optional repository.

A New pki Command-line Utility

Red Hat Certificate System 9 introduces a new pki command-line utility that provides an interface to access PKI services on a PKI server. The main purpose of the utility is to:
  • make commonly used CA and KRA functionality available from the command line for end users and for simple scripting and automation purposes.
  • allow use of the new REST API operations from the command line.
For more information about the pki utility, see the pki man page.

Simplified Installation and Deployment

Several new features for simplified installation and deployment have been introduced in Red Hat Certificate System 9.0 to provide the following functions:
  • Silent installation is simplified by using INI-like configuration files instead of command-line arguments.
  • Instance creation and configuration can be performed in a single automated operation.
  • Multiple subsystems can be deployed in a single Tomcat instance.
For more information about the improvements to installation and deployments, see the pkispawn man page.

Technology Preview: Global Platform 2.1.1 in TPS

Note

Note that this feature is offered as a technology preview, provides early access to upcoming product functionality, and is not yet fully supported under subscription agreements.
The latest version of Global Platform is included and supported in the version of TPS that comes with Red Hat Certificate System 9. TPS is now able to provision cards that support newer versions of Global Platform and the latest cryptographic operations. In particular, the gp211 applet has been introduced, which provides support for Secure Channel Protocol 02 (SCP02). SCP02 has been tested with SafeNet Assured Technologies Smart Card 650.

REST Web Service APIs

Red Hat Certificate System 9 provides a new set of REST APIs to access various web services of the Certificate System. It also provides Java and Python client libraries to allow easier integration with other applications.

Technology Preview: New Java-based Token Processing System

Note

Note that this feature is offered as a technology preview, provides early access to upcoming product functionality, and is not yet fully supported under subscription agreements.
Red Hat Certificate System 9 replaces the Apache HTTPD-based TPS with a Java Tomcat-based TPS. The new Java-based TPS retains feature parity with the existing C-based implementation and provides a new user interface for better user experience.

KRA Enhancements

Previously, the Key Recovery Authority (KRA) only archived private (asymmetric) encryption keys when enrolling certificates using certain profiles in the CA. In Red Hat Certificate System 9, KRA has been extended to archive other types of secrets, such as passphrases or symmetric keys. These keys can be archived and retrieved by agents contacting the new KRA REST interfaces directly.
This capability allows KRA to function as a secure and audited vault for all kinds of secrets. In fact, KRA serves as the secure back-end store for the Vault feature in Red Hat Identity Management.
In addition, KRA's ability to generate and archive asymmetric keys to support server-side key generation for TMS workflows has been extended to allow the generation of symmetric keys. This feature has also been exposed through the KRA REST interface.

Support for KRA Transport Key Rotation

Employing transport key rotation in a large enterprise environment with cloned Certificate System instances may be impractical because it requires shutdowns for the transition. Red Hat Certificate System 9 introduces a KRA transport key rotation feature that allows for seamless transition between CA/KRA subsystem instances using a current and a new transport key. This feature allows KRA transport keys to be periodically rotated for enhanced security by allowing both old and new transport keys to operate during the transition; individual subsystem instances take turns being configured while other clones continue to serve with no downtime.

External Authorization LDAP Server

Red Hat Certificate System 9 introduces an "External Authorization" mechanism that works in conjunction with directory-based authentication during enrollments. When any of the directory-based authentication methods is defined, new parameters pertaining to the group evaluation of the users can also be defined. This feature enhances the authentication methods with authorization so that, if required, enrollment with certain profiles can be restricted to users of certain group(s) defined in the external authentication/authorization LDAP server.

Adding SAN to a Server Certificate during Installation

Previously, administrators had no control over the Subject Alternative Name (SAN) extension that is used for system SSL certificates. In this release, a new feature has been added to allow administrators to specify a SAN extension in the pkispawn configuration.
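
The following pre-deployment check is an added example, not part of the Red Hat documentation or the Certificate System code. It parses an INI-style pkispawn deployment file and reports whether SAN injection is enabled and whether every host name clients will use is listed. The parameter names pki_san_inject and pki_san_for_server_cert, the [CA] section placement, and all host names are assumptions to verify against the pkispawn man page.

```python
import configparser
import re

# Constructed sample deployment file; host names are placeholders.
# Parameter names are assumed from pkispawn; confirm in the man page.
SAMPLE_INI = """\
[DEFAULT]
pki_hostname=ca1.example.test

[CA]
pki_san_inject=True
pki_san_for_server_cert=ca1.example.test,pki.example.test,ca_2.example.test
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_dns_name(name):
    """Return True if name looks like a fully qualified DNS host name."""
    labels = name.rstrip(".").split(".")
    return (len(name) <= 253 and len(labels) >= 2
            and all(DNS_LABEL.match(label) for label in labels))


def check_san_config(ini_text, required_names, section="CA"):
    """Return a list of findings; an empty list means the SAN setup looks sane."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section(section):
        return [f"no [{section}] section"]
    findings = []
    # [DEFAULT] values are inherited, so either placement is picked up here.
    if not cfg.getboolean(section, "pki_san_inject", fallback=False):
        findings.append("pki_san_inject is not enabled")
    raw = cfg.get(section, "pki_san_for_server_cert", fallback="")
    sans = [s.strip().lower() for s in raw.split(",") if s.strip()]
    for name in sans:
        if not is_dns_name(name):
            findings.append(f"not a valid DNS name: {name}")
    # TLS clients match the host they connect to against the SAN entries.
    for name in required_names:
        if name.lower() not in sans:
            findings.append(f"missing from SAN list: {name}")
    return findings


if __name__ == "__main__":
    for finding in check_san_config(SAMPLE_INI, ["ca1.example.test", "pki.example.test"]):
        print(finding)
```
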

Common Criteria Evaluation

Red Hat Certificate System 9 has not yet been evaluated for Common Criteria.

The PKI Configuration Has Been Removed from the GUI-based Installation Wizard

Previously, Certificate System provided a web interface for the public key infrastructure (PKI) configuration. Due to unclear support of features associated with the GUI in Firefox, the PKI configuration has been removed from Red Hat Certificate System 9.0. To install and configure PKI instances, use the pkispawn utility.
© 2025 Red Hat