Centrify® DirectSecure® 5.3.1 Release Notes


© 2009-2016 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved. 

Table of Contents


1.        About This Release

2.        New Features in DirectSecure

2.1.        New Features in DirectSecure 5.3.1

2.2.        New Features in DirectSecure 5.2.3

2.3.        New Features in DirectSecure 5.2.2

2.4.        New Features in DirectSecure 5.1.1

3.        Bugs Fixed

3.1.        Bugs fixed in DirectSecure 5.3.1

3.2.        Bugs fixed in DirectSecure 5.2.3

3.3.        Bugs fixed in DirectSecure 5.2.2

3.4.        Bugs fixed in DirectSecure 5.1.1

4.        Known Issues

5.        Additional Information and Support


1.    About This Release


DirectSecure is Centrify's implementation of IPsec enablement for Linux and UNIX machines through Centrify Suite and Microsoft Active Directory. It brings to non-Windows platforms the same "It Just Works" mode of IPsec deployment that Windows users enjoy in a pure Windows environment.

The software comes in the form of platform-specific bundles. Each bundle contains the following:

·        The Centrify DirectSecure Administrator's Guide, centrify-directsecure-guide.pdf, which provides information for installing, configuring, and troubleshooting Centrify DirectSecure.

·        These release notes, DirectSecure-Release-Notes.html.

·        The platform-specific software package, named centrifyds-<ds version number>-<os platform><os version>-<os architecture>.<package>.

·        The platform-specific release notes, named release-notes-ds-<os platform><os version>-<os architecture>.txt.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40830)

2.    New Features in DirectSecure


For the list of supported platforms in all DirectSecure releases, refer to the document at www.centrify.com/platforms.

2.1.  New Features in DirectSecure 5.3.1

·        Support for DirectControl 5.3.1 in Suite 2016.1

This version of DirectSecure works with DirectControl 5.3.1 but not earlier DirectControl releases.

·        In addition to the default RSA certificate, this version of DirectSecure supports certificates signed with the Elliptic Curve Digital Signature Algorithm (ECDSA-256, ECDSA-384 and ECDSA-521) for IPsec authentication on the Linux/UNIX side (Ref: DS-513). ECDSA certificates are not supported on Windows (Ref: DS-516).

·        This version is integrated with OpenSSL 1.0.2g.

·        Support is provided for the following operating systems:

-        Red Hat Enterprise Linux 4, 5, 6 (x86, x86_64) and 7 (x86_64 only)

-        Linux Ubuntu Server 12.04 LTS, 14.04 LTS, 16.04 LTS (x86, x86_64)

-        Oracle Solaris 10, 11 (x86, x86_64, SPARC)

-        SUSE Linux Enterprise Server 10, 11 (x86, x86_64) 


·        Support is removed for the following operating systems:

-        Oracle Solaris 9 (x86, x86_64, SPARC)

-        Ubuntu 12.10, 13.04, 13.10, 14.10 (x86, x86_64)

-        SUSE Linux Enterprise Server 9 (x86, x86_64)


·        Note: This version of DirectSecure does not support Windows 10 (Ref: DS-524).

2.2.  New Features in DirectSecure 5.2.3

·        DirectSecure version number

DirectSecure uses the same version number as DirectControl in Suite 2015.1.  In this release, it is DirectSecure 5.2.3.

·        Support for DirectControl 5.2.3

This version of DirectSecure works with DirectControl 5.2.3 but not earlier DirectControl releases.

2.3.  New Features in DirectSecure 5.2.2

·        DirectSecure version number

DirectSecure uses the same version number as DirectControl in Suite 2015.  In this release, it is DirectSecure 5.2.2.

·        Support for DirectControl 5.2.2

This version of DirectSecure works with DirectControl 5.2.2 but not earlier DirectControl releases.  On the other hand, previous DirectSecure releases do not work with DirectControl 5.2.2 or later releases.

2.4.  New Features in DirectSecure 5.1.1

·        DirectSecure version number

DirectSecure uses the same version number as DirectControl.  In this release, it is DirectSecure 5.1.1.

·        Support for DirectControl 5.1.1

This version of DirectSecure works with DirectControl 5.1.1 but not earlier DirectControl releases.  On the other hand, previous DirectSecure releases do not work with DirectControl 5.0.4 or later releases.

·        OpenSSL

DirectSecure uses the OpenSSL installed by Centrify DirectControl.  In DirectControl 5.1.1, OpenSSL 0.9.8w is installed. 

·        Certificate Management

The certificate management code that works with DirectSecure is in DirectControl.  It is also used to manage smart card certificates. 

·        Certificate Revocation List

This release adds support for downloading the certificate revocation list over LDAP in addition to HTTP.

·        Support is added for the following operating systems:

-        Red Hat Enterprise Linux 6.2, 6.3, 6.4 (32- and 64-bit)

-        Linux Ubuntu Server 12.04 LTS, 12.10, 13.04 (32- and 64-bit)


·        Support is removed for the following operating systems:

-        Fedora 13 and earlier 

3.    Bugs Fixed

3.1.  Bugs fixed in DirectSecure 5.3.1

·        adsec --certs now supports special characters, e.g. "(" and ")", in the certificate template instead of just printing a syntax error message (Ref: DS-482).

·        The patch for CVE-2015-4047 (NULL pointer dereference and IKE daemon crash) is applied (Ref: DS-503).

·        DirectSecure now supports using systemd to manage the DirectSecure daemon (Ref: DS-511).

3.2.  Bugs fixed in DirectSecure 5.2.3

·        There are no major bug fixes in this release.

3.3.  Bugs fixed in DirectSecure 5.2.2

·        In DirectSecure version 5.1.1, the System V init scripts for Solaris run ipsecalgs. As that command is only available on Solaris 10 or later, the scripts failed on Solaris 9. This problem is fixed (Ref: 56701).

3.4.  Bugs fixed in DirectSecure 5.1.1

·        DirectSecure has historically written its working data to /tmp.  This version of DirectSecure uses /var/centrify/tmp for its working data instead.  This eliminates the symlink vulnerability exposed by the /tmp directory, to which every user has write access (Ref: 38986).

·        Fixed a problem in validating an inbound certificate: the problem occurred if the inbound certificate was not issued by the same CA that issued the machine certificate (Ref: 43795).

·        Space characters are now allowed in the certificate name (Ref: 39980).

·        On Solaris, DirectSecure used to sporadically go into maintenance mode.  This problem is fixed (Ref: 40472).
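The /tmp working-data fix above (Ref: 38986) is the standard mitigation for symlink races in a world-writable directory. As an added example that is not DirectSecure code, this C routine shows the checks a daemon should make when it creates working files in a private directory: the directory must be a real directory owned by the daemon and not writable by others, and the file is opened with O_EXCL | O_NOFOLLOW so a pre-planted link can never be written through. The directory and file names are constructed placeholders, not DirectSecure's own layout.

```c
/* Added example (not Centrify code): safe creation of daemon working files.
 * Directory and file names used by callers are constructed placeholders. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if dir is a real directory (not a symlink), owned by the caller
 * and not writable by group/other; creates it with mode 0700 if absent.
 * Returns -1 otherwise, which is the condition a /tmp-style shared directory
 * fails on. */
int ensure_private_dir(const char *dir) {
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (lstat(dir, &st) != 0) return -1;               /* lstat: never follow a link */
    if (!S_ISDIR(st.st_mode)) return -1;               /* a link or file was planted here */
    if (st.st_uid != geteuid()) return -1;             /* someone else owns it */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1;   /* others could plant entries */
    return 0;
}

/* Creates a fresh working file "name" inside dir and returns its descriptor,
 * writing the full path to out. O_EXCL fails if any entry (symlink included)
 * already exists at the path; O_NOFOLLOW refuses to follow a symlink even if
 * one appears between the checks above and the open. Returns -1 on refusal. */
int open_work_file(const char *dir, const char *name, char *out, size_t outlen) {
    if (ensure_private_dir(dir) != 0) return -1;
    if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen) return -1;
    return open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```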

4.    Known Issues

The following sections describe common known issues or limitations associated with Centrify DirectSecure.

·        Fails to connect due to time out

When trying to connect, for example with ssh, from a Solaris machine to another UNIX machine after applying IPsec group policy, the connection may time out. The reason is that Solaris does not work properly with 'non-mirror' or 'any protocol' settings in the IPsec policy (Ref: DS-521, DS-438).

·        Computers on which IPsec policy allows only ICMP traffic are not always able to ping

Where the effective IPsec policy allows ICMP traffic but not UDP or TCP traffic, Windows computers will be able to ping UNIX computers, but UNIX computers will not be able to ping Windows computers.  The problem is caused by the Linux implementation of ping: it performs a UDP bind to the remote machine, which causes IPsec to establish SAs even though they are not needed.

To avoid this problem, specify the local address explicitly:

ping -I <my ip address> <remote ip address>

·        Certificate principal mapping is not supported

Certificate principal mapping ensures that the computer is known to Active Directory before accepting certificates. This feature is not supported in this release.

·        Certificate-based IPsec to the CA is not supported

This is not a usual configuration (it is usual to allow unrestricted access to a CA); however, it is possible to create this configuration by specifying, for example, a subnet-wide policy with no exclusions. This configuration is also unsupported in pure Microsoft Windows environments.

For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.

5.    Additional Information and Support

In addition to the documentation provided with this package, the Centrify Knowledge Base gives answers to common questions and information about general or platform-specific known limitations as well as tips and suggestions.

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately.  For more information, see the Centrify Resource Center website:

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify website, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Suite, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.