What's New in PGP Certificate Server Version 2.5 for Windows NT

Copyright (c) 1998-99 by Network Associates Technology, Inc., and its Affiliated Companies. All Rights Reserved.

Thank you for using Network Associates' products. This What's New file contains important information regarding the PGP Certificate Server. Network Associates strongly recommends that you read this entire document.

Network Associates welcomes your comments and suggestions. Please use the information provided in this file to contact us.

Warning: Export of this software may be restricted by the U.S. Government.

___________________
WHAT'S IN THIS FILE

- New Features
- Documentation
- System Requirements
- Installation
- Starting the PGP Certificate Server
- Starting the PGP Replication Engine
- Using the Web Configuration/Monitoring Wizard
- Known Issues
- Additional Information
- Year 2000 Compliance
- Contacting Network Associates

____________
NEW FEATURES

* New Native, Optimized Windows NT Service

  This is the first release of the PGP Certificate Server as a native Windows NT service, optimized for that environment. The service provides round-the-clock, standards-based PGP certificate management and lookup services for administrators and users.

* Easy-to-Use Remote Console Application

  The new PGP Cert Server Remote Console, a native Windows NT application, lets administrators remotely monitor and manage their PGP Cert Server through an intuitive, easy-to-use interface. All communication between the console and the Cert Server is strongly authenticated and encrypted using the TLS (Transport Layer Security) protocol, providing a secure foundation for remote management. (See "Additional Information" below for the encryption limitations of the International and Freeware releases.)

* Improved Web-based Configuration

  Administrators can conveniently manage the Cert Server's configuration from nearly any web browser. This version improves the extensive online help on product configuration settings.
  This version provides integrated support for many popular web servers, including:

  - Microsoft IIS 2.0 - 4.0
  - Netscape Enterprise Server 3.x
  - Netscape FastTrack Server 3.x
  - Apache 1.3.x

  Administrators can secure the communication between the web browser and the Cert Server using the native security services of the web server installed alongside the Cert Server.

* Database Size and Performance Improvements

  This version includes numerous performance enhancements and database optimizations. Certificate database size has been reduced by 20% - 30% from previous versions through improved certificate storage methods. The smaller database improves server performance: more certificates fit in the server's cache, less data is read from and written to the server's hard disk, and fewer transformations are needed on certificate data.

_____________
DOCUMENTATION

Also included with this release is the following manual, which can be viewed online as well as printed:

* PGP Certificate Server Administrator's Guide

This document is saved in Adobe Acrobat Portable Document Format (.PDF). You can view and print it with Adobe's Acrobat Reader. PDF files can include hypertext links and other navigation features to help you find answers to questions about your Network Associates product. To download Adobe Acrobat Reader from the World Wide Web, visit Adobe's web site at:

  http://www.adobe.com/prodindex/acrobat/readstep.html

* Opening the Administrator's Guide *

After installing Adobe Acrobat Reader, open the Windows Start Menu and select Programs-->Network Associates-->PGP Certificate Server-->Documentation-->Administrator's Guide.

If web server support for the PGP Certificate Server is installed, the Administrator's Guide is also available through a link on the page:

  http://YOUR-HOST-NAME:PORT/certserver/default.htm

Substitute the hostname of the machine running the PGP Certificate Server for YOUR-HOST-NAME.
For PORT, substitute the port number of the web server running on YOUR-HOST-NAME (this defaults to 80 if not specified).

* Online Help *

This release also includes integrated online help in Microsoft Windows Help format:

- PGP Certificate Server online help
- PGP Replication Engine online help

Documentation feedback is welcome. Send e-mail to tns_documentation@nai.com.

___________________
SYSTEM REQUIREMENTS

- Windows NT version 4.0 or higher
- 32MB RAM minimum
- 15MB disk space for software
- Additional disk space for the database (10MB - 500MB)
- Network interface card
- PGP 6.5.1 (only required for management of secure keys)
- To run the Configuration/Monitoring Wizard: Microsoft Internet Information Server (version 4 recommended) with Microsoft Internet Explorer 4 or later, or any web server and a version 4 or later browser

____________
INSTALLATION

PGP Certificate Server is distributed either as a self-extracting file or on a CD-ROM.

To install the product from a CD-ROM:

1. Start Windows.
2. Insert the CD-ROM.
3. Double-click the installation program icon found in the PGP Certificate Server subdirectory.
4. Follow the on-screen prompts.

To install the product from a downloaded self-extracting file:

1. Start Windows.
2. Download the PGP Certificate Server installation program onto your computer's hard drive.
3. Double-click the installation program.
4. Follow the on-screen prompts.

___________________________________
STARTING THE PGP CERTIFICATE SERVER

After successfully installing the server, start it by selecting Programs-->PGP Certificate Server-->PGP Certificate Server Console from the Windows Start Menu. Click "Create Database" to create the initial database (if necessary), then press Start to start the certificate server.

To test that the server is running properly, start PGP (version 5.5 or later).
You will need to add the URL of the machine running the certificate server to PGP's configuration, as described in the following steps:

1. Open the PGPkeys window by selecting PGPkeys from the PGPtray menu.
2. Select Edit-->Options.
3. On the Servers page, click New to add a new server.
4. Select the Protocol to use.
5. Enter the LDAP server name using the format: ldap://YOUR-HOST-NAME
6. Type a new domain or choose an existing one.
7. Click OK.
8. Exit the Options dialog by clicking OK.
9. In the PGPkeys window, select any key from your list of keys.
10. Select the Send To item on the Keys menu and then select the name of your new PGP Certificate Server.

If the key is sent to the server successfully, your server is running properly. You can also use the search dialog in PGPkeys to search for keys on the server. Again, be sure to set the name of your new server as the server to search.

___________________________________
STARTING THE PGP REPLICATION ENGINE

If you installed the optional PGP Replication Engine component, start it by selecting Programs-->PGP Certificate Server-->PGP Replication Engine Console from the Windows Start Menu.

The PGP Replication Engine uses the same configuration file as the PGP Certificate Server. The default configuration file does not have replication enabled; the 'Replica' and 'RepLogFile' configuration tags must be set before the engine can be started successfully. Examples of each are:

  Replica ldap://mirror.company.com
  RepLogFile rep.log

See the Administrator's Guide for exact details on these configuration values. Pressing Start causes the engine to begin monitoring for data to replicate.

_____________________________________________
USING THE WEB CONFIGURATION/MONITORING WIZARD

The PGP Certificate Server can be configured using a web browser-based wizard. This wizard must be set up to run under an existing web server product; most popular web servers support it.
The web server must be running on the same machine as the PGP Certificate Server.

If you are running Microsoft Internet Information Server (version 2.0 or later) and you asked the installer to add support for the wizard to IIS automatically, you only need to start (or restart) the web server. You can then access the configuration/monitoring wizard from your browser using the URL:

  http://YOUR-HOST-NAME:PORT/certserver/default.htm

If you are using another web server, or did not have the installer add this support, see the Administrator's Guide for details on how to configure this feature.

You may also directly edit the configuration file for the certificate server using any standard text editor such as Notepad. The default configuration file is found in:

  C:\Program Files\Network Associates\PGPcertd\etc\pgpcertd.cfg

____________
KNOWN ISSUES

o Using RSA keys as Admin keys

  In the International and Freeware releases, RSA keys cannot be used by the server as the Server Secure KeyID. Only DSS/Diffie-Hellman keys can be used as the key the client uses to determine which server it is connecting to over TLS/SSL.

o HTTP Gateway CGI Scripts

  The Add and Lookup CGI scripts require access to the PGPsdk DLLs. These are installed in the Windows system directory when the Certificate Server is installed, but they may not be present on the machine running the HTTP server. Copy the DLLs to the same directory as the scripts or into the Windows system directory. The DLLs are PGP_SDK.dll, PGPsdkNL.dll, and PGPsdkUI.dll.

______________________
ADDITIONAL INFORMATION

** Domestic Diffie-Hellman/DSS-only release **

If you want to support RSA keys with this version of the PGP Certificate Server, you must install Microsoft's Internet Explorer version 4.0 or later (the domestic 128-bit version). Even with this support, some RSA keys with non-standard key sizes will not work as server keys for LDAPS.
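Returning to the replication setup: before pressing Start in the Replication Engine Console, it is worth confirming that the 'Replica' and 'RepLogFile' tags described under STARTING THE PGP REPLICATION ENGINE are actually set in the pgpcertd.cfg file named above, since the shipped default leaves replication disabled. The Python script below is an added example and is not part of the PGP Certificate Server distribution or its documentation. It assumes the configuration file uses one "Tag value" pair per line, separated by whitespace, with '#' starting a comment (this What's New file shows the tag/value form but does not describe the file syntax); the sample configurations embedded in it are constructed, and the default path is the one given above.

```python
"""Pre-flight check of the replication tags in pgpcertd.cfg.

Added example; not part of the PGP Certificate Server distribution.
Assumption (not stated in the What's New file): the configuration file is
plain text with one "Tag value" pair per line, the tag separated from its
value by whitespace, and lines beginning with '#' are comments.
"""
import sys
from urllib.parse import urlsplit

# Default location of the configuration file, as given in this What's New file.
DEFAULT_CFG_PATH = r"C:\Program Files\Network Associates\PGPcertd\etc\pgpcertd.cfg"

# Constructed sample configurations (not real files from the product).
SAMPLE_OK = (
    "# replication configured as in the What's New file examples\n"
    "Replica ldap://mirror.company.com\n"
    "RepLogFile rep.log\n"
)
SAMPLE_DEFAULT = (
    "# replication tags absent or commented out (replication disabled)\n"
    "# Replica ldap://mirror.company.com\n"
    "# RepLogFile rep.log\n"
)
SAMPLE_BAD = (
    "# wrong URL scheme, and a log-file tag with no value\n"
    "Replica http://mirror.company.com/\n"
    "RepLogFile\n"
)


def parse_cfg(text):
    """Parse 'Tag value' lines into {tag: [value, ...]}; a tag with no value maps to ''."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        cfg.setdefault(parts[0], []).append(value)
    return cfg


def check_replica_url(url):
    """Return None if url has the documented form ldap://HOST[:PORT], else the reason it does not."""
    if not url:
        return "no value"
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        return "scheme is '%s'; the documented form is ldap://HOST" % parts.scheme
    if not parts.hostname:
        return "no host name"
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return "port is not a valid number"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return "only a host (and optional port) is documented; remove the path or query"
    return None


def check_replication(text):
    """Return the list of problems found in the Replica/RepLogFile tags (empty = looks usable)."""
    cfg = parse_cfg(text)
    problems = []
    replicas = cfg.get("Replica", [])
    if not replicas:
        problems.append("Replica not set: replication stays disabled, as in the default configuration")
    for url in replicas:
        reason = check_replica_url(url)
        if reason:
            problems.append("Replica '%s': %s" % (url, reason))
    logfiles = cfg.get("RepLogFile", [])
    if not logfiles:
        problems.append("RepLogFile not set")
    for name in logfiles:
        if not name:
            problems.append("RepLogFile has no file name")
    return problems


def report(label, text):
    """Print the verdict for one configuration; return 0 if clean, 1 otherwise."""
    problems = check_replication(text)
    if not problems:
        print("%s: Replica and RepLogFile look usable" % label)
        return 0
    print("%s: do not press Start yet" % label)
    for p in problems:
        print("  - " + p)
    return 1


def main(argv):
    path = argv[1] if len(argv) > 1 else DEFAULT_CFG_PATH
    try:
        with open(path, encoding="latin-1") as f:
            return report(path, f.read())
    except OSError as e:
        print("cannot read %s (%s); checking the constructed samples instead" % (path, e))
        return max(report(name, text) for name, text in
                   (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_DEFAULT", SAMPLE_DEFAULT), ("SAMPLE_BAD", SAMPLE_BAD)))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to check the default path, or pass another path as the first argument. When the file cannot be read (for example on a machine without the server installed) it checks the three embedded samples instead, so the three possible verdicts can be seen side by side. The check is deliberately limited to the two tags this file documents; anything else in pgpcertd.cfg should be validated against the Administrator's Guide.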
** International Diffie-Hellman/DSS-only release **

If you want to support RSA keys with this version of the PGP Certificate Server, you must install Microsoft's Internet Explorer version 4.0 or later (the domestic 128-bit version). Even with this support, some RSA keys with non-standard key sizes will not work as server keys for LDAPS. Due to export restrictions, the 128-bit version of Microsoft's Internet Explorer 4.0 or later may not be available in your area. If this is the case, this version of the PGP Certificate Server will not support RSA keys.

** International and Freeware releases **

The International and Freeware versions of the PGP Certificate Server do not encrypt data; they do provide strong authentication. The Transport Layer Security (TLS) connection between the PGP client and the server is strongly authenticated, but the data is sent over the network without being encrypted. This means that the queries and adds performed by the PGP client can be viewed by others, while the identity of someone performing administrative functions is still strongly authenticated.

____________________
YEAR 2000 COMPLIANCE

Information regarding NAI products that are Year 2000 compliant, and NAI's Year 2000 standards and testing models, may be obtained from NAI's web site at http://www.nai.com/y2k. For further information, e-mail y2k@nai.com.

_____________________________
CONTACTING NETWORK ASSOCIATES

* FOR QUESTIONS, ORDERS, PROBLEMS, OR COMMENTS *

Contact the Network Associates Customer Care department:

1. Phone (408) 988-3832
   Monday-Friday, 6:00 A.M. - 6:00 P.M. Pacific time
2. Fax (408) 970-9727
   24-hour, Group III Fax

Send correspondence to the following Network Associates location:

  Network Associates Corporate Headquarters
  3965 Freedom Circle
  McCandless Towers
  Santa Clara, CA 95054

Phone numbers for corporate-licensed customers:
  Phone: (408) 988-3832
  Fax: (408) 970-9727

Phone numbers for retail-licensed customers:
  Phone: (972) 278-6100
  Fax: (408) 970-9727

Or, you can receive online assistance through any of the following resources:

1. Internet E-mail: pgpsupport@pgp.com
2. Internet FTP: ftp.nai.com
3. World Wide Web: http://support.nai.com
4. America Online: keyword MCAFEE
5. CompuServe: GO NAI

To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please have this information ready when you call:

- Program name and version number
- Computer brand and model
- Any additional hardware or peripherals connected to your computer
- Operating system type and version numbers
- Network name, operating system, and version
- Network card installed, where applicable
- Modem manufacturer, model, and speed, where applicable
- Relevant browsers or applications and their version numbers, where applicable
- How to reproduce your problem: when it occurs, whether you can reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax, or e-mail

We also seek and appreciate general feedback.

* FOR PRODUCT UPGRADES *

To make it easier for you to receive and use Network Associates products, we have established a reseller's program to provide service, sales, and support for our products worldwide. For a listing of resellers, see the resellers.txt file or contact Network Associates Customer Care for resellers near you.

* FOR REPORTING PROBLEMS *

Network Associates prides itself on delivering a high-quality product. If you find any problems, please take a moment to review the contents of this file. If the problem you've encountered is documented, there is no need to report it to Network Associates. If you find any feature that does not appear to function properly on your system, or if you believe an application would benefit greatly from enhancement, please contact Network Associates with your suggestions or concerns.

* FOR ON-SITE TRAINING INFORMATION *

Contact Network Associates Customer Service at (800) 338-8754.