Centrify® DirectSecure® 5.4.0 Release Notes


© 2009-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved. 

Table of Contents

1.        About This Release

2.        Feature Changes in DirectSecure

2.1.        Feature Changes in DirectSecure 5.4.0

2.2.        Feature Changes in DirectSecure 5.3.1

3.        Bugs Fixed

3.1.        Bugs fixed in DirectSecure 5.4.0

3.2.        Bugs fixed in DirectSecure 5.3.1

4.        Known Issues

5.        Getting Started

5.1.        Installation

5.2.        Uninstallation

6.        Additional Information and Support


1.    About This Release


DirectSecure is Centrify’s implementation of IPsec enablement for Linux and UNIX machines through Centrify Suite and Microsoft Active Directory. It brings the same "It Just Works" mode of operation for IPsec deployment to non-Windows platforms that Windows users enjoy in a pure Windows environment.

The software comes in the form of platform-specific bundles. Each bundle contains the following:

·        The Centrify DirectSecure Administrator's Guide, centrify-directsecure-guide.pdf, which provides information for installing, configuring, and troubleshooting Centrify DirectSecure.

·        These release notes, DirectSecure-Release-Notes.html.

·        The platform-specific software package, named in the form centrifyds-<ds version number>-<os platform><os version>-<os architecture>.<package>.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40830)

2.    Feature Changes in DirectSecure


For the list of supported platforms in all DirectSecure releases, refer to the document at www.centrify.com/platforms.

2.1.  Feature Changes in DirectSecure 5.4.0

·        Support for DirectControl 5.4.0 in Suite 2017

This version of DirectSecure works with DirectControl 5.4.0 but not earlier DirectControl releases.

·        It is integrated with OpenSSL 1.0.2j and stock MIT Kerberos 5-1.14.1.

·        Support is provided for the following operating systems:

-        Red Hat Enterprise Linux 4, 5, 6 (x86, x86_64) and 7 (x86_64 only)

-        Linux Ubuntu Server 12.04 LTS, 14.04 LTS, 16.04 LTS (x86, x86_64)

-        Oracle Solaris 10, 11 (x86, x86_64, SPARC)

-        SUSE Linux Enterprise Server 11 (x86, x86_64) 


·        Support is removed for the following operating systems:

-        SUSE Linux Enterprise Server 10 (x86, x86_64)

2.2.  Feature Changes in DirectSecure 5.3.1

·        Support for DirectControl 5.3.1 in Suite 2016.1

This version of DirectSecure works with DirectControl 5.3.1 but not earlier DirectControl releases.

·        In addition to the default RSA certificate, this version of DirectSecure supports certificates signed with the Elliptic Curve Digital Signature Algorithm (ECDSA-256, ECDSA-384 and ECDSA-521) for IPsec authentication on the Linux/UNIX side (Ref: DS-513). This is not supported on Windows (Ref: DS-516).

·        It is integrated with OpenSSL 1.0.2g.

·        Support is provided for the following operating systems:

-        Red Hat Enterprise Linux 4, 5, 6 (x86, x86_64) and 7 (x86_64 only)

-        Linux Ubuntu Server 12.04 LTS, 14.04 LTS, 16.04 LTS (x86, x86_64)

-        Oracle Solaris 10, 11 (x86, x86_64, SPARC)

-        SUSE Linux Enterprise Server 10, 11 (x86, x86_64) 


·        Support is removed for the following operating systems:

-        Oracle Solaris 9 (x86, x86_64, SPARC)

-        Ubuntu 12.10, 13.04, 13.10, 14.10 (x86, x86_64)

-        SUSE Linux Enterprise Server 9 (x86, x86_64)


·        Note: This version of DirectSecure does not support Windows 10 (Ref: DS-524).

3.    Bugs Fixed

3.1.  Bugs fixed in DirectSecure 5.4.0

·        There are no major bug fixes in this release.

3.2.  Bugs fixed in DirectSecure 5.3.1

·        adsec --certs now accepts special characters, e.g. "(" and ")", in the certificate template instead of just printing a syntax error message (Ref: DS-482).

·        The patch for CVE-2015-4047 (NULL pointer dereference and IKE daemon crash) is applied (Ref: DS-503).

·        DirectSecure now supports using systemd to manage the DirectSecure daemon (Ref: DS-511).

4.    Known Issues

The following sections describe common known issues or limitations associated with Centrify DirectSecure.

·        Fails to connect due to timeout

When trying to connect, for example with ssh, from a Solaris machine to another UNIX machine after applying the IPsec group policy, the connection may fail with a timeout. The reason is that Solaris does not work properly with 'non-mirror' or 'any protocol' settings in the IPsec policy (Ref: DS-521, DS-438).

·        Computers on which IPsec policy allows only ICMP traffic are not always able to ping

Where the effective IPsec policy allows ICMP traffic but not UDP or TCP traffic, Windows computers will be able to ping UNIX computers, but UNIX computers will not be able to ping Windows. The problem is caused by the Linux implementation of ping: it does a UDP bind to the remote machine, which causes IPsec to establish SAs even though they are not needed.

To avoid this problem, run ping with the source address specified explicitly:

ping -I <my ip address> <remote ip address>

·        Certificate principal mapping is not supported

Certificate principal mapping ensures that the computer is known to Active Directory before accepting certificates. This feature is not supported in this release.

·        Certificate-based IPsec to the CA is not supported

This is not a usual configuration (it is usual to allow unrestricted access to a CA); however, it is possible to create this configuration by specifying, for example, a subnet-wide policy with no exclusions. This configuration is also unsupported in pure Microsoft Windows environments.

·        Restarting centrify-racbridge and centrify-racoon services on Solaris (Ref: DS-449)

"svcadm restart centrify-racbridge" does not start the centrify-racbridge and centrify-racoon services in proper order. Use "adsec -r" instead.

·        CertGP takes a long time and can get aborted on Solaris (Ref: IN-90001)

PKI certificate handling is implemented in DirectSecure as a group policy and is run by the DirectControl Group Policy mapper. On Solaris the CertGP group policy takes longer to run than on other platforms and can run longer than the default timeout value associated with group policies on DirectControl, resulting in CertGP being aborted.

To avoid this, increase the default timeout in /etc/centrifydc/centrifydc.conf. Locate the line

# gp.mappers.timeout: 30

and remove the "# " at the beginning to uncomment it. Then change the value to 60 and save the file.

Restart DirectControl with:

/usr/share/centrifydc/bin/centrifydc restart
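The centrifydc.conf edit above as an added POSIX shell helper (not Centrify's own tooling): it sets gp.mappers.timeout whether the line is commented out, already set, or absent, and reports the value that is actually in effect. The file path is a parameter and the sample file contents are constructed; the documented default of 30 is assumed when no uncommented line is present.

```shell
#!/bin/sh
# Added example, not part of DirectSecure. Rewrites or appends the
# gp.mappers.timeout setting in a centrifydc.conf-style file.

set_gp_mappers_timeout() {
    conf="$1"
    value="$2"
    # Refuse anything that is not a positive integer so a typo cannot
    # leave the group policy mapper with an unparseable timeout.
    case "$value" in
        ''|*[!0-9]*) echo "timeout must be a positive integer" >&2; return 1 ;;
    esac
    if grep -q '^[#[:space:]]*gp\.mappers\.timeout[[:space:]]*:' "$conf"; then
        # Replace the existing line, commented or not, in place. A temp
        # file plus mv is used because Solaris sed has no -i option.
        tmp="$conf.tmp.$$"
        sed -e "s/^[#[:space:]]*gp\.mappers\.timeout[[:space:]]*:.*/gp.mappers.timeout: $value/" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        # Key not present at all: append it.
        printf 'gp.mappers.timeout: %s\n' "$value" >> "$conf"
    fi
}

# Print the effective timeout: the last uncommented setting in the file,
# or 30 (the default shown in the commented-out line) if there is none.
effective_gp_mappers_timeout() {
    val=$(sed -n 's/^[[:space:]]*gp\.mappers\.timeout[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-30}"
}

# Demo on a constructed sample file, not a real centrifydc.conf.
demo=$(mktemp)
printf '# gp.mappers.timeout: 30\n' > "$demo"
set_gp_mappers_timeout "$demo" 60
effective_gp_mappers_timeout "$demo"   # prints 60
rm -f "$demo"
```

Restart DirectControl afterwards as shown above for the new value to take effect.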

For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.

5.    Getting Started

Before installing the Centrify DirectSecure package, you should make sure you have the matching DirectControl version installed.

You must be able to log on to the console of the system where you are installing the Centrify DirectSecure package.

You must log on as root to install on any operating system.

You should ensure that there are no other IPsec implementations running on the machine.

5.1.  Installation

a.      Download the Centrify DirectSecure package to your computer.

b.      Install Centrify DirectSecure package:

·       On SUSE, RHEL

o   rpm -Uvh <centrify-directsecure-package>.rpm

·       On Solaris

o   gzip -d <centrify-directsecure-package>.tgz

o   tar -xvf <centrify-directsecure-package>.tar

o   pkgadd -d CentrifyDS

·       On Debian

o   dpkg -i <centrify-directsecure-package>.deb

c.      Ensure the package is installed:

·        On SUSE, RHEL

o   rpm -qa CentrifyDS

o   You should see something like "CentrifyDS-<release>".

·       On Solaris

o   pkginfo -l CentrifyDS

o   pkginfo should show a status of "completely installed".

·       On Debian

o   dpkg -l | grep centrifyds

o   You should see something like "centrifyds-<release>".

d.      Special instruction on Solaris

·       Installing on Solaris computers with zones

o   Zones with their own physical network interface cards may have DirectSecure installed in them following the directions in steps a to c above. Each zone is effectively treated as a separate (virtual) computer.

o   Zones with virtual network interface cards (i.e. where the Global Zone provides the network interface) should not have DirectSecure installed in them. Instead, install DirectSecure in the Global Zone (using pkgadd with the -G option); it will then provide DirectSecure services for all zones for which it provides a network interface.

5.2.  Uninstallation

If you need to uninstall Centrify DirectSecure, run the following command:

·        On SUSE, RHEL

o   rpm -e CentrifyDS

·       On Solaris

o   pkgrm CentrifyDS

·       On Debian

o   dpkg -P centrifyds

6.    Additional Information and Support

In addition to the documentation provided with this package, the Centrify Knowledge Base gives answers to common questions and information about general or platform-specific known limitations as well as tips and suggestions.

The Centrify Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks and white papers, that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify website, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Suite, send email to support@centrify.com or call 1-669-444-5200, option 2.

If a problem occurs, please send a problem description to support@centrify.com. To improve the speed of resolution, please include information about the system and version of software you are using. One way to do this is to run the following commands and paste the output into the report:

1.  hostname ; uname -a; nslookup `hostname`; rpm -qa | grep Centrify; adsec --support (on SUSE or RHEL)

2.  hostname ; uname -a; nslookup `hostname`; pkginfo -l CentrifyDS; adsec --support (on Solaris)

3.  hostname ; uname -a; nslookup `hostname`; dpkg -l | grep centrify; adsec --support (on Debian)

For information about purchasing or evaluating Centrify products, send email to info@centrify.com.