This document provides information about Security Manager Administration 8.1 SP1. Browse through the topics below to find out about system requirements, installation, limitations, and known issues for this release.

See the following topics for information:

• Minimum system requirements
• New features
• Fixed in this release
• Changed in this release
• Known issues
• Contacting Entrust support

Minimum system requirements  [top]

The Entrust Platform Support and Integration Center contains information about supported platforms and compatibility with Entrust and third-party software and hardware products.

Supported Microsoft® Windows® operating systems

Security Manager Administration 8.1 SP1 is supported on the following Microsoft® Windows® operating systems:

• Windows Server® 2008 R2, Standard or Enterprise Edition (64-bit only)
  Note: Security Manager Administration only supports Full Installation. Security Manager Administration does not support Server Core Installation.
• Windows Vista® SP2, Business or Enterprise Edition (32-bit only)
• Windows® 7, all editions (32-bit or 64-bit)

Note: Itanium-based systems are not supported.

Supported Tokens

For the most recent list of supported tokens, see the Entrust Platform Support and Integration Center. Security Manager Administration supports tokens only with RSA keys. Consult your token documentation for supported key sizes and operating system requirements.

New features  [top]

This release includes the following new features:

Enhanced ability to retain expired certificates on revocation lists

Security Manager 8.1 SP1 introduced extended abilities to Master Users for retaining expired certificates on revocation lists (see the Security Manager 8.1 SP1 Release Notes). These abilities extend to Security Manager Administration.

Previously, administrators could set the Revoked certificates that have expired remain on the partitioned CRL option in the Security Policy to retain expired certificates on partitioned revocation lists. In Security Manager Administration 8.1 SP1, administrators now have greater control over how expired certificates remain on revocation lists:

• The Revoked certificates that have expired remain on the partitioned CRL option is replaced with a new Retain expired certificates on partitioned CRL option. This option matches the ExpiredOnPartitionRL advanced variable in Security Manager. This option allows you to specify how long (in months) that expired certificates will remain on partitioned revocation lists; or a date, where any certificates that expired after that date are retained on partitioned revocation lists.
• You can see how Security Manager retains expired certificates on combined CRLs with the Retain expired certificates on combined CRL option. You can only view this option in Security Manager Administration. Only Master Users can control how expired certificates are retained on combined CRLs. (169494)

Fixed in this release  [top]

The following known issues are resolved for this release of Security Manager Administration. Numbers in parenthesis are for internal tracking purposes.

Could not use some TCL commands with bulk processing

Prior to Security Manager Administration 8.1, you could use some TCL commands (such as the clock command) in bulk input files. In Security Manager Administration 8.1, these commands no longer worked. This problem has been fixed in this release. (171170)

An Entrust PKI administrator could not log in if past privateKeyUsagePeriod extension time

In previous releases, if the privateKeyUsagePeriod extension indicated that a private key update should have taken place, Security Manager Administration did not allow an administrator to log in, even though the certificate had not yet reached the end of its validity time. This problem is fixed in this release.

Changed in this release  [top]

This section provides information about the changes that occurred between this release and Security Manager Administration 8.0. Numbers in parenthesis are for internal tracking purposes.

Ability to issue cross-certificates with lifetimes greater than 60 months

In previous releases, you could issue cross-certificates with lifetimes no greater than 60 months (5 years). In this release, you can now issue cross-certificates with lifetimes up to 420 months (35 years). Note that cross-certificates cannot exceed the lifetime of the issuing CA, and cannot extend beyond the end of year 2037. You can set cross-certificate lifetimes by specifying a custom lifetime when issuing the cross-certificate, or by changing the global cross-certificate lifetime value set in the Security Policy in Security Manager Administration. (171017, 171051, 171192)

Renamed user policy settings

Currently Security Manager includes the following user policy settings:

• Private key usage
• Exclude privateKeyUsage

These settings refer to a certificate's private key usage period, but the name and description of the settings did not include the word "period".

In this release, these user policy settings are renamed to:

• Private key usage period
• Exclude privateKeyUsagePeriod

The description for these user policy settings have also been updated. (171583)

Additional permissions for the User Reg Service (Admin Services) role

In this release, the the User Reg Service (Admin Services) role now includes the following user permissions:

• Modify properties
• Update Key Pairs
• Modify Key update options
• Perform PKIX requests

Note: These permissions are included in the default User Reg Service (Admin Services) role for new installations. When upgrading or migrating Security Manager, the new permissions are also included if the role User Reg Service (Admin Services) exists. If the role does not exist (for example, you deleted or renamed the role), the new permissions are not added. If you previously renamed the User Reg Service (Admin Services) role, you must manually add these permissions after you upgrade Security Manager. (162887)

Known issues  [top]

This section describes the known issues in Security Manager Administration. Numbers in parenthesis are for internal tracking purposes.

Some bulk command parameters are not converted from escaped UTF8 to local characters when extended characters are used

Security Manager Administration allows you to enter international characters for bulk command parameters if you enter them as escaped UTF8. When processing the bulk file, some parameters, such as role name, are not converted from escaped UTF8 to local characters when extended characters are used. (152052)

Some fields in Security Manager Administration are not converted from escaped UTF8 to local characters when extended characters are used

Security Manager Administration allows you to enter international characters into text fields if you enter them as escaped UTF8. Some fields in Security Manager Adminstration, such as Role Name, are not converted from escaped UTF8 to local characters when extended characters are used. (151912)

Multi-byte characters are not supported in path names

Security Manager Administration is supported on non-English operating systems (for example, a Japanese operating system). However, you must use only ASCII characters in path names (for example, for .epf file names). Multi-byte characters are not supported in path names. (152067)

Secure LDAP is not supported when using certain algorithms

After successfully installing Security Manager, you can configure Security Manager and Security Manager Administration to connect to the directory using secure LDAP rather than the default LDAP connection. However, secure LDAP is not supported when using certificates signed with RSA-PSS or elliptic curves. (143850)

Cannot auto-populate the permanent identifier subjectAltName component if not DER-encoded

You cannot auto-populate permanent identifier values from a directory into the subjectAltName extension if they are not DER-encoded. To automatically populate the permanentIdentifer component of a subjectAltName from a directory attribute, store the value as a DER-encoded otherName in plain text (not raw binary). (108568)

An Entrust PKI administrator cannot create a group even if the role it belongs to permits such operation

If an administrator creates a role with permissions to add new groups, but no permission to administer its own role, then Security Manager Administration will not allow users of that role to add new groups.

As a workaround, allow the role to administer itself. (106551)

Unexpected directory error when changing a user's DN

If you select Rename existing Directory entry when you change a user’s DN in the Change DN dialog box, you may attempt to add mandatory attributes that already exist in the directory for the entry. If so, some Directories may return unexpected errors and the Change DN operation may fail. If this happens, re-enter the Change DN information and choose Keep old entry in the Directory. If this option is not feasible, you can use your own directory tools to change the DN and reassign the new DN to your user.

Security Manager Administration includes a NULL terminator when writing to token devices

When writing to a token device, Security Manager Administration includes a NULL terminator in the Cryptoki CK_CHARs and CK_UTF8CHARs. (145539)

Contacting Entrust support  [top]

Entrust offers telephone, email, and online support. When you contact Entrust with an issue, please provide as much detail as possible. Providing the information suggested below will give Customer Support personnel a good start at understanding the situation and providing a solution:

• your contact information
• the product name, version, and OS information
• your hardware and software information
• your deployment scenario
• the issue itself
• the log file(s) containing any error messages
• the conditions under which the error occurred
• any troubleshooting activities you have already attempted

Telephone number

For telephone assistance within North America, call 1-877-754-7878.

For telephone numbers outside North America, and other contact information go to the Customer Care Contact page on the Entrust TrustedCare Web site.