Centrify® DirectSecure® 5.1.1 Release Notes

 

© 2009-2013 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1.  About This Release

2.  CD Contents

3.  New Features in DirectSecure

3.1. New Features in DirectSecure 5.1.1

3.2. New Features in DirectSecure 1.2.2

3.3. New Features in DirectSecure 1.2.1

3.4. New Features in DirectSecure 1.2.0

3.5. New Features in DirectSecure 1.1.0

3.6. New Features in DirectSecure 1.0.0

4.   Bugs Fixed

4.1. Bugs fixed in DirectSecure 5.1.1

4.2. Bugs fixed in DirectSecure 1.2.2

5.   Known Issues

6. Additional Information and Support

 

1.  About This Release

DirectSecure is Centrify’s implementation of IPsec enablement for Linux and UNIX machines through Centrify Suite and Microsoft Active Directory. It brings the same "It Just Works" mode of operation for IPsec deployment to non-Windows platforms that Windows users enjoy in a pure Windows environment.

Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2.  CD Contents

The files for this Centrify DirectSecure release are organized in the following folders on the CD:

<root> folder

This folder contains files that describe the directory layout and give you access to additional information.

 

·         Copyright.txt and Acknowledgements.txt provide copyright information and legal notices for third party and open source software used in Centrify DirectSecure.

·         Centrify-DirectSecure-end-user-license-agreement.txt provides the text of the license agreement displayed during installation.

·         This file, DirectSecure-Release-Notes.html, provides a formatted, printable version of the release notes.

 

Documentation folder

This folder contains the Centrify DirectSecure Administrator's Guide and the DirectSecure Evaluation Guide in PDF format.

 

Note: You must have Adobe Acrobat Reader to view and print these files.

 

Linux folder

This folder contains the installation packages for supported versions of Linux. Platform-specific release notes are also provided in text format for each supported platform.

 

Unix folder

This folder contains the installation packages for supported versions of UNIX. Operating-system-specific release notes are also provided in text format for each supported platform.

3.  New Features in DirectSecure

3.1. New Features in DirectSecure 5.1.1

·         DirectSecure version number

DirectSecure uses the same version number as DirectControl.  In this release, it is DirectSecure 5.1.1.

·         Support for DirectControl 5.1.1

This version of DirectSecure works with DirectControl 5.1.1 but not with earlier DirectControl releases.  Conversely, previous DirectSecure releases do not work with DirectControl 5.0.4 or later releases.

·         OpenSSL

DirectSecure uses the OpenSSL installed by Centrify DirectControl.  In DirectControl 5.1.1, OpenSSL 0.9.8w is installed.

 

·         Certificate Management

The certificate management code that works with DirectSecure is in DirectControl.  It is also used to manage smart card certificates.

 

·         Certificate Revocation List

This release adds support for LDAP, in addition to HTTP, for downloading certificate revocation lists.

 

·         Support is added for the following operating systems:

-    Red Hat Enterprise Linux 6.2, 6.3, 6.4 (32- and 64-bit)

-    Linux Ubuntu Server 12.04 LTS, 12.10, 13.04 (32- and 64-bit)

 

·         Support is removed for the following operating systems:

-    Fedora 13 and earlier

 

·         Refer to http://www.centrify.com/products/all-supported-platforms.asp#directsecure for the complete list.

 

3.2. New Features in DirectSecure 1.2.2

·         Support for DirectControl 5.0.2 and 5.0.3

·         It is integrated with OpenSSL 0.9.8s.

3.3. New Features in DirectSecure 1.2.1

·         Support for DirectControl 5.0.1

3.4. New Features in DirectSecure 1.2.0

·         Support for DirectControl 5.0.0

3.5. New Features in DirectSecure 1.1.0

·         Fedora 12 is now supported.

·         NAT-T support has been added for operating systems that support it.

SLES 9.4 and Solaris 9 do not support NAT-T.

·         Microsoft DirectAccess support is now provided.

All UNIX and Linux platforms supported by DirectSecure can be used with DirectAccess.  To use DirectSecure with other platforms you should use Microsoft Forefront Unified Access Gateway.

3.6. New Features in DirectSecure 1.0.0

·         This was the first release of DirectSecure.

4.   Bugs Fixed

4.1. Bugs fixed in DirectSecure 5.1.1

·         DirectSecure has historically written working data to /tmp.  This version of DirectSecure uses /var/centrify/tmp for its working data.  This eliminates the symlink vulnerability exposed by the /tmp directory, to which every user has write access (REF#: 38986).

·         Fixed a problem in validating inbound certificates.  The problem occurred if the inbound certificate was not issued by the same CA that issued the machine certificate (REF#: 43795).

·         Allow space characters in certificate name (REF#: 39980).

·         On Solaris, DirectSecure used to sporadically go into maintenance mode.  This problem is fixed (REF#: 40472).
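
The /tmp fix above (REF#: 38986) reflects a general pattern for working data; the following is an added example, not Centrify code and not part of the original release notes. The function names workdir_is_private and create_work_file are hypothetical, and the scratch directory and dangling link in main are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 if dir is a real directory (not a symlink), owned by `owner`, and not
 * writable by group or others; -1 otherwise. /tmp (mode 1777) fails this. */
int workdir_is_private(const char *dir, uid_t owner)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Create dir/name as a new file. O_EXCL makes open() fail with EEXIST if the
 * name already exists, including as a symlink left there by another user. */
int create_work_file(const char *dir, const char *name)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char dir[] = "/tmp/workdir_demo_XXXXXX";   /* constructed scratch directory */
    char planted[64];
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(planted, sizeof planted, "%s/state", dir);
    if (symlink("/nonexistent/target", planted) != 0)  /* constructed link */
        return 1;
    int fd = create_work_file(dir, "state");   /* must be refused */
    printf("private=%d fd=%d\n", workdir_is_private(dir, getuid()), fd);
    unlink(planted);
    rmdir(dir);
    return fd < 0 ? 0 : 1;
}
```
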

4.2. Bugs fixed in DirectSecure 1.2.2

·         Upgrading from a previous DirectSecure rpm no longer shows an "ambiguous redirect" message.

·         The policy out of date message is no longer shown if there are no active IPsec policies.

5.   Known Issues

 

The following sections describe common known issues or limitations associated with Centrify DirectSecure.

·         Computers on which IPsec policy allows only ICMP traffic are not always able to ping

Where the effective IPsec policy allows ICMP traffic but not UDP or TCP traffic, Windows computers will be able to ping UNIX computers, but UNIX computers will not be able to ping Windows computers.  The problem is caused by the Linux implementation of ping: it does a UDP bind to the remote machine, which causes IPsec to establish SAs even though they are not needed.

To avoid this problem, you can use the following:

ping -I <my ip address> <remote ip address>

·         Certificate principal mapping is not supported

Certificate principal mapping ensures that the computer is known to Active Directory before accepting certificates. This feature is not supported in this release.

·         Certificate-based IPsec to the CA is not supported

This is not a usual configuration (it is usual to allow unrestricted access to a CA); however, it is possible to create this configuration by specifying, for example, a subnet-wide policy with no exclusions. This configuration is also unsupported in pure Microsoft Windows environments.

·         Windows XP fails to pick up filters in large numbers as part of a rule

Windows XP appears to have a limit of 961 filters in a rule. If there are more than 961 filters, the rule will not be picked up.  This is a limitation within Microsoft Windows.

For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.

6. Additional Information and Support

In addition to the documentation provided with this package, the Centrify Knowledge Base gives answers to common questions and information about general or platform-specific known limitations as well as tips and suggestions.

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately.  For more information, see the Centrify Resource Center website:

http://www.centrify.com/resources/application_notes.asp

You can also contact Centrify Support directly with your questions through the Centrify website, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Suite, send email to support@centrify.com or call 1-408-542-7500, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.