What's New in PGP Certificate Server
Version 2.5 for Windows NT
Copyright (c) 1998-99 by Network Associates
Technology, Inc., and its Affiliated Companies.
All Rights Reserved.
Thank you for using Network Associates' products.
This What's New file contains important
information regarding the PGP Certificate Server.
Network Associates strongly recommends that you
read this entire document.
Network Associates welcomes your comments and
suggestions. Please use the information provided
in this file to contact us.
Warning: Export of this software may be restricted
by the U.S. Government.
___________________
WHAT'S IN THIS FILE
- New Features
- Documentation
- System Requirements
- Installation
- Starting the PGP Certificate Server
- Starting the PGP Replication Engine
- Known Issues
- Additional Information
- Year 2000 Compliance
- Contacting Network Associates
____________
NEW FEATURES
* New Native, Optimized Windows NT Service
This is the premier release of the PGP Certificate
Server as a native Windows NT service that has
been optimized for this environment. This new
service provides round-the-clock, standards-based
PGP certificate management and lookup services for
administrators and users.
* Easy-to-Use Remote Console Application
The new PGP Cert Server Remote Console, a native
Windows NT application, gives administrators the
ability to remotely monitor and manage their
PGP Cert Server through an intuitive, easy-to-use
interface. All communications between the console
and the Cert Server is strongly authenticated and
encrypted using the TLS (Transport Layer Security)
protocol, thus providing a very secure foundation
for remote management.
* Improved Web-based Configuration
Administrators can conveniently manage the Cert
Servers configuration from nearly any web browser.
This version improves the extensive on-line help
on product configuration settings. This version
provides integrated support for many popular web
servers including:
- Microsoft IIS 2.0 - 4.0
- Netscape Enterprise Server 3.x
- Netscape FastTrack Server 3.x
- Apache 1.3.x
Administrators can secure the communications
between the web browser and the Cert Server
using the native security services provided by
the web server installed with the Cert Server.
* Database Size and Performance Improvements
This version includes numerous performance
enhancements and database optimizations.
Certificate database size has been reduced
by 20% - 30% from previous versions, due to
improved certificate storage methods. This size
reduction provides improved server performance;
more certificates are now stored in the
server's cache, less data is read from and
written to the server's harddisk, and fewer
transformations are needed on certificate data.
_____________
DOCUMENTATION
Also included with this release is the following
manual, which can be viewed on-line as well as
printed:
* PGP Certificate Server Administrator's Guide
This document is saved in Adobe Acrobat Portable
Document Format (.PDF). You can view and print the
document with Adobe's Acrobat Reader. PDF files
can include hypertext links and other navigation
features to assist you in finding answers to
questions about your Network Associates product.
To download Adobe Acrobat Reader from the World
Wide Web, visit Adobe's Web site at:
http://www.adobe.com/prodindex/acrobat/readstep.html
* Opening the Administrator's Guide *
After installing Abobe Acrobat Reader, bring up
the Windows Start Menu. Then select Programs-->
Network Associates-->PGP Certificate Server-->
Documentation-->Administrator's Guide. If the web
server support for PGP Certificate Server is
installed, the Administrator's Guide is also
available through a link found on the page:
http://YOUR-HOST-NAME:PORT/certserver/default.htm
Substitute the hostname of the machine running the
PGP Certificate Server for the YOUR-HOST-NAME
value. For PORT, substitute the port number for
the web server that you are running on
YOUR-HOST-NAME (this defaults to 80 if it is not
specified).
* Online Help *
This release also includes integrated online help
in Microsoft Windows Help format:
- PGP Certificate Server online help
- PGP Replication Engine online help
Documentation feedback is welcome. Send e-mail to
tns_documentation@nai.com.
___________________
SYSTEM REQUIREMENTS
- Windows NT version 4.0 and higher
- 32MB RAM minimum
- 15MB disk space for software
- Additional disk space for database (10MB - 500MB)
- Network interface card
- PGP 6.5.1 (Only required for management of
secure keys).
- To run the Configuration/Monitoring Wizard:
Microsoft Internet Information Server (version
4 recommended) with Microsoft Internet Explorer
4 or later, or any web server and a version 4 or
later browser.
____________
INSTALLATION
PGP Certificate Server is distributed in either a
self-extracting file or on a CD-ROM.
To Install the product from a CD-ROM:
1. Start Windows.
2. Insert the CD-ROM.
3. Double-click the installation program
icon found in the PGP Certificate
Server subdirectory.
4. Follow the on-screen prompts.
To Install the product from a downloaded self-
extracting file:
1. Start Windows.
2. Download the PGP Certificate Server
installation program onto your
computer's hard drive.
3. Double-click the installation program.
4. Follow the on-screen prompts.
___________________________________
STARTING THE PGP CERTIFICATE SERVER
After successfully installing the server, you may
start it by selecting Programs-->PGP Certificate
Server-->PGP Certificate Server Console from the
Windows Start Menu.
Click "Create Database" to create the initial
database (if necessary). Then press Start to
start the certificate server.
To test that the server is running properly, start
PGP (version 5.5 or later). You will need to add
to PGP's configuration the URL of the machine
running the certificate server as described in the
following steps:
1. Open the PGPkeys window by selecting PGPkeys
from the PGPtray menu.
2. Select Edit-->Options.
3. On the Servers page, click New to add a New
server.
4. Select the Protocol to use.
5. Then enter an LDAP server name using the
format:
ldap://YOUR-HOST-NAME
6. Type a new domain or choose an existing one.
7. Click OK.
8. Exit the Options dialog by clicking OK.
9. In the PGPkeys window, select any key from
your list of keys.
10. Select the Send To item on the Keys menu and
then select the name of your new PGP
Certificate Server.
If the key is sent to the server successfully,
your server is running properly.
You can also use the search dialog in PGPkeys
to search for the keys on the server. Again,
be sure to set the name of your new server as
the server to search.
___________________________________
STARTING THE PGP REPLICATION ENGINE
If you installed the optional PGP Replication
Engine component, you may start it by selecting
Programs-->PGP Certificate Server-->PGP
Replication Engine Console from the Windows Start
Menu.
PGP Replication Engine uses the same configuration
file as the PGP Certificate Server. The default
configuration file does not have replication
enabled. The 'Replica' and 'RepLogFile'
configuration tags need to be configured prior to
successfully starting the server.
Examples, of each are:
Replica ldap://mirror.company.com
RepLogFile rep.log
See the Administrator's Guide for exact details on
these configuration values.
Pressing Start will cause the product to beginning
monitoring for data to replicate.
_____________________________________________
USING THE WEB CONFIGURATION/MONITORING WIZARD
The PGP Certificate Server can be easily
configured using a web browser-based wizard. This
wizard must be setup to run under an existing web
server product. Most popular web servers support
the wizard. The web server must be running on the
same machine as the PGP Certificate Server.
If you are running the Microsoft Internet
Information server (version 2.0 or later) and you
requested the installer to automatically add
support to IIS for the wizard, you only need to
start (or restart) the web server. You can then
access the configuration/monitoring wizard from
your browser using the URL:
http://YOUR-HOST-NAME:PORT/certserver/default.htm
If you are using another web server or did not
have the installer add this support, please see
the Administrator's Guide for details on how
to properly configure this feature.
You may also directly edit the configuration file
for the certificate server using any standard text
editor such as Notepad. The default configuration
file is found in:
C:\Program Files\Network Associates\PGPcertd\etc\pgpcertd.cfg
____________
KNOWN ISSUES
o Using RSA keys as Admin keys
In the International and Freeware releases, RSA
keys cannot be used by the server as the Server
Secure KeyID. Only DSS/Diffie-Hellman keys can
be used as the key the client uses to determine
which server it is connecting to using TLS/SSL.
o HTTP Gateway CGI Scripts
The Add and Lookup CGI scripts require access to
the PGPsdk DLLs. These are installed in the
Windows system directory when the Certificate
Server is installed. These DLLs may not be
present on the machine running the HTTP server.
These DLLs should be copied to the same
directory as the script or into the Windows system
directory. The DLLs are called PGP_SDK.dll,
PGPsdkNL.dll, and PGPsdkUI.dll.
______________________
ADDITIONAL INFORMATION
** Domestic Diffie-Hellman/DSS-only release **
If you want to support RSA keys with this version
of the PGP Certificate Server, you must install
Microsoft's Internet Explorer Version 4.0 or later
(the domestic 128-bit version). Even with this
support, some RSA keys with non-standard key sizes
will not work as server keys for LDAPS.
** International Diffie-Hellman/DSS-only release **
If you want to support RSA keys with this version
of the PGP Certificate Server, you must install
Microsoft's Internet Explorer Version 4.0 or later
(the domestic 128-bit version). Even with this
support, some RSA keys with non-standard key sizes
will not work as server keys for LDAPS. Due to
export restrictions, the 128-bit version of
Microsoft's Internet Explorer 4.0 or later may not
be available in your area. If this is the case,
this version of the PGP Certificate Server will
not support RSA keys.
** International and Freeware releases **
The International and Freeware versions of the PGP
Certificate Server do not encrypt data. They do
provide strong authentication. The Transport Layer
Security (TLS) connection between the PGP client
and the server is strongly authenticated; but the
data is sent over the network without being
encrypted. This means that the queries and adds
that are performed by the PGP client can be viewed
by others, but the identity of someone performing
administrative functions is still strongly
authenticated.
____________________
YEAR 2000 COMPLIANCE
Information regarding NAI products that are Year
2000 compliant and its Year 2000 standards and
testing models may be obtained from NAI's website
at http://www.nai.com/y2k.
For further information, email y2k@nai.com.
_____________________________
CONTACTING NETWORK ASSOCIATES
*FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS*
Contact the Network Associates Customer Care
department:
1. Phone (408) 988-3832 Monday-Friday,
6:00 A.M. - 6:00 P.M. Pacific time
2. Fax (408) 970-9727 24-hour, Group III Fax
Send correspondence to the following Network
Associates location:
Network Associates Corporate Headquarters
3965 Freedom Circle
McCandless Towers
Santa Clara, CA
95054
Phone numbers for corporate-licensed customers:
Phone: (408) 988-3832
Fax: (408) 970-9727
Phone numbers for retail-licensed customers:
Phone: (972) 278-6100
Fax: (408) 970-9727
Or, you can receive online assistance through any
of the following resources:
1. Internet E-mail: pgpsupport@pgp.com
2. Internet FTP: ftp.nai.com
3. World Wide Web: http://support.nai.com
4. America Online: keyword MCAFEE
5. CompuServe: GO NAI
To provide the answers you need quickly and
efficiently, the Network Associates technical
support staff needs some information about your
computer and your software. Please have this
information ready when you call:
- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected
to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and speed, where
applicable
- Relevant browsers or applications and their
version numbers, where applicable
- How to reproduce your problem: when it occurs,
whether you can reproduce it regularly, and
under what conditions
- Information needed to contact you by voice, fax,
or e-mail
We also seek and appreciate general feedback.
* FOR PRODUCT UPGRADES *
To make it easier for you to receive and use
Network Associates products, we have established a
reseller's program to provide service, sales, and
support for our products worldwide. For a listing
of resellers, see the resellers.txt file or
contact Network Associates Customer Care for
resellers near you.
* FOR REPORTING PROBLEMS *
Network Associates prides itself on delivering a
high-quality product. If you find any problems,
please take a moment to review the contents of
this file. If the problem you've encountered is
documented, there is no need to report the problem
to Network Associates.
If you find any feature that does not appear to
function properly on your system, or if you
believe an application would benefit greatly from
enhancement, please contact Network Associates
with your suggestions or concerns.
* FOR ON-SITE TRAINING INFORMATION *
Contact Network Associates Customer Service at
(800) 338-8754.