Centrify® DirectSecure® 5.2.3 Release Notes
© 2009-2015 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
DirectSecure is Centrify’s implementation of IPsec enablement for Linux and UNIX machines through Centrify Suite and Microsoft Active Directory. It brings the same "It Just Works" mode of operation for IPsec deployment to non-Windows platforms that Windows users enjoy in a pure Windows environment.
Centrify software is protected by U.S. Patents 7,591,005, 8,024,360, 8,321,523, and 9,015,103 B2.
The files for this Centrify DirectSecure release are organized in the following folders on the CD:
This folder contains files that describe the directory layout and give you access to additional information.
· Copyright.txt and Acknowledgements.txt provide copyright information and legal notices for third-party and open source software used in Centrify DirectSecure.
· Centrify-DirectSecure-end-user-license-agreement.txt provides the text of the license agreement displayed during installation.
· This file, DirectSecure-Release-Notes.html, provides a formatted, printable version of the release notes.
This folder contains the Centrify DirectSecure Administrator's Guide and the DirectSecure Evaluation Guide in PDF format.
Note: You must have Adobe Acrobat Reader to view and print these files.
This folder contains the installation packages for supported versions of Linux. Platform specific release notes are also provided for each supported platform in text format.
This folder contains the installation packages for supported versions of UNIX. Operating system specific release notes are also provided for each supported platform in text format.
For the list of supported platforms in all DirectSecure releases, refer to the document at www.centrify.com/platforms.
· DirectSecure version number
DirectSecure uses the same version number as DirectControl in Suite 2015.1. In this release, it is DirectSecure 5.2.3.
· Support for DirectControl 5.2.3
This version of DirectSecure works with DirectControl 5.2.3 but not earlier DirectControl releases.
· DirectSecure version number
DirectSecure uses the same version number as DirectControl in Suite 2015. In this release, it is DirectSecure 5.2.2.
· Support for DirectControl 5.2.2
This version of DirectSecure works with DirectControl 5.2.2 but not earlier DirectControl releases. On the other hand, previous DirectSecure releases do not work with DirectControl 5.2.2 or later releases.
· DirectSecure version number
DirectSecure uses the same version number as DirectControl. In this release, it is DirectSecure 5.1.1.
· Support for DirectControl 5.1.1
This version of DirectSecure works with DirectControl 5.1.1 but not earlier DirectControl releases. On the other hand, previous DirectSecure releases do not work with DirectControl 5.0.4 or later releases.
DirectSecure uses the OpenSSL installed by Centrify DirectControl. In DirectControl 5.1.1, OpenSSL 0.9.8w is installed.
· Certificate Management
The certificate management code that works with DirectSecure is in DirectControl. It is also used to manage smart card certificates.
· Certificate Revocation List
This release adds support for LDAP, in addition to HTTP, for downloading the certificate revocation list.
· Support is added for the following operating systems:
- Red Hat Enterprise Linux 6.2, 6.3, 6.4 (32- and 64-bit)
- Linux Ubuntu Server 12.04 LTS, 12.10, 13.04 (32- and 64-bit)
· Support is removed for the following operating systems:
- Fedora 13 and earlier
· Support for DirectControl 5.0.2 and 5.0.3
· It is integrated with OpenSSL 0.9.8s.
· Support for DirectControl 5.0.1
· Support for DirectControl 5.0.0
· Fedora 12 is now supported.
· NAT-T support has been added for operating systems that support it.
SLES 9.4 and Solaris 9 do not support NAT-T.
· Microsoft DirectAccess support is now provided.
All UNIX and Linux platforms supported by DirectSecure can be used with DirectAccess. To use DirectSecure with other platforms you should use Microsoft Forefront Unified Access Gateway.
· This was the first release of DirectSecure.
· There are no major bug fixes in this release.
· In DirectSecure version 5.1.1, the System V init scripts for Solaris run ipsecalgs. Because this command is available only on Solaris 10 or above, the scripts fail on Solaris 9. This problem is fixed (Ref: 56701).
· DirectSecure has historically written working data to /tmp. This version of DirectSecure uses /var/centrify/tmp for its working data instead. This eliminates the symlink vulnerability exposed by the /tmp directory, to which every user has write access (Ref: 38986).
· Fixed a problem in validating inbound certificates. The problem occurred if the inbound certificate was not issued by the same CA that issued the machine certificate (Ref: 43795).
· Allow space characters in certificate name (Ref: 39980).
· On Solaris, DirectSecure used to sporadically go into maintenance mode. This problem is fixed (Ref: 40472).
· Upgrading from a previous DirectSecure rpm does not show an "ambiguous redirect" message.
· DirectSecure does not show the "policy out of date" message if there are no active IPsec policies.
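The /tmp symlink issue fixed under Ref: 38986 above, shown as an added example (not Centrify's code): a write into a world-writable directory follows a pre-planted link, while exclusive creation and a private working directory do not. The helper names and the scratch-directory scenario are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

def workdir_problems(path):
    """Reasons why `path` is unsafe as a service's private working directory."""
    st = os.lstat(path)  # lstat inspects the entry itself, not a symlink target
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a real directory")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by other users")
    return problems

def naive_write(path, data):
    """Pre-fix pattern: open() follows whatever symlink sits at `path`."""
    with open(path, "w") as f:
        f.write(data)

def safe_write(path, data):
    """Create the file only if nothing, symlinks included, exists at `path`."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with os.fdopen(os.open(path, flags, 0o600), "w") as f:
        f.write(data)

def demo():
    """Constructed scenario inside a scratch directory; nothing real is touched."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared")    # stands in for /tmp
    private = os.path.join(root, "private")  # stands in for a dedicated directory
    os.mkdir(shared)
    os.chmod(shared, 0o1777)
    os.mkdir(private, 0o700)
    victim = os.path.join(root, "victim.conf")
    naive_write(victim, "original")
    # Any local user can pre-create a link like this in a world-writable directory.
    os.symlink(victim, os.path.join(shared, "state"))
    try:
        safe_write(os.path.join(shared, "state"), "data")
        refused = False
    except OSError:  # EEXIST on Linux: the planted link is not followed
        refused = True
    naive_write(os.path.join(shared, "state"), "data")  # overwrites the link target
    with open(victim) as f:
        clobbered = f.read() == "data"
    safe_write(os.path.join(private, "state"), "data")
    return workdir_problems(shared), workdir_problems(private), refused, clobbered

if __name__ == "__main__":
    print(demo())
```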
The following sections describe common known issues or limitations associated with Centrify DirectSecure.
· Computers on which IPsec policy allows only ICMP traffic are not always able to ping
Where the effective IPsec policy allows ICMP traffic but not UDP or TCP traffic, Windows computers will be able to ping UNIX computers, but UNIX computers will not be able to ping Windows. The problem is caused by the Linux implementation of ping; it does a UDP bind to the remote machine and this causes IPsec to establish SAs even though they are not needed.
To avoid this problem, you can use the following:
ping -I <my ip address> <remote ip address>
· Certificate principal mapping is not supported
Certificate principal mapping ensures that the computer is known to Active Directory before accepting certificates. This feature is not supported in this release.
· Certificate-based IPsec to the CA is not supported
This is not a usual configuration (it is usual to allow unrestricted access to a CA); however, it is possible to create this configuration by specifying, for example, a subnet-wide policy with no exclusions. This configuration is also unsupported in pure Microsoft Windows environments.
For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.
In addition to the documentation provided with this package, the Centrify Knowledge Base gives answers to common questions and information about general or platform-specific known limitations as well as tips and suggestions.
The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately. For more information, see the Centrify Resource Center website:
You can also contact Centrify Support directly with your questions through the Centrify website, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Suite, send email to email@example.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to firstname.lastname@example.org.