Release Notes
Product Description
CipherTrust Manager (formerly known as NextGen KeySecure) is a new implementation of SafeNet KeySecure Classic, designed to add the following capabilities:
A RESTful interface
A full-featured, remote CLI interface
No dependencies on the underlying OS
Deployable as a physical or virtual appliance
Backward compatibility with the KeySecure Classic NAE-XML interface and the suite of existing connectors
Changes from SafeNet KeySecure Classic
Key policies (time of day and rate limits) are no longer supported.
RC4, 56-bit DES, 112-bit Triple DES, and 168-bit Triple DES in ECB mode (CBC mode is still supported) are not supported.
FPE is supported only with 256-bit keys; 128-bit and 192-bit keys are not supported.
RSA keys can be exported in PKCS#1 and PKCS#8 formats only. Export as a certificate is not supported.
Product Abbreviations
Name | Abbreviation |
---|---|
CipherTrust Batch Data Transformation | BDT |
CipherTrust Manager | CM |
CipherTrust Application Data Protection | CADP |
CipherTrust Cloud Key Manager | CCKM |
CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
CipherTrust Transparent Encryption | CTE |
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
CipherTrust Teradata Protection | CTP |
CipherTrust Data Discovery and Classification | DDC |
Data Protection on Demand | DPoD |
CipherTrust Tokenization | CT |
CipherTrust Vaulted Tokenization | CT-V |
CipherTrust Vaultless Tokenization | CT-VL |
Release Description
This release brings a number of new features and enhancements. Refer to Release 2.1.0 for details. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.1.0
CipherTrust Cloud Key Manager
Management of Azure cloud keys lifecycle operations using the GUI, API, and CLI. The supported operations are:
create
list
update
delete (soft/hard)
recover
upload
rotate
Note
To rotate Azure keys, CCKM Users require Add Key and Upload Key permissions.
Azure authentication support for service principals with certificates and admin consent.
Scheduler to perform key synchronization, rotation, and expiry operations.
Ability to back up and restore Azure keys.
Ability to search keys by:
tags
key operations
key expiration time
Access control lists to manage user permissions on Azure accounts.
Platform
Support for DPoD's newest HSM service client package, which uses JSON Web Token (JWT) authentication. This client was introduced in DPoD Release 1.16.
Resolved Issues
This table lists the issues resolved in release 2.1.0.
Issue | Synopsis |
---|---|
KY-19804 | In-place cluster upgrade from 1.10 fails when cluster configuration uses DNS entries. |
KY-19362 | Listing of large number of users using the REST API is slower than release 1.8. |
KY-19047 | System upgrades sometimes require Internet access. |
KY-16399 | In Internet Explorer 11, the AWS Keys detail page is not displayed properly. |
KY-14192 | Degraded performance observed after migrating from a KeySecure Classic k460 appliance to a NextGen KeySecure k570 appliance. Fixed: Performance has been improved in this release. |
KY-12905 | Unknown key/permission and connection errors occur when performing a large number of cryptographic operations. |
KY-9950 | Data Objects are not listed in reports with more than 50,000 matches, and the error message NCERRInternalServerError: unexpectederror is displayed on the Data Objects report tab. This occurs because the Hadoop cluster takes too long (more than 30 seconds) to retrieve the list of Data Objects for the report. |
Release 2.0.0
Major Release
This is a major update to the product. It includes these new product lines:
CipherTrust Transparent Encryption Suite
CipherTrust Transparent Encryption
CipherTrust Transparent Encryption UserSpace
CipherTrust Cloud Key Manager
Platform
Product rename! NextGen KeySecure has been renamed to CipherTrust Manager. Some utilities, such as ksctl and kscfg retain the KeySecure (or ks) name for backward compatibility.
NAE crypto audit logging. An option is provided to enable detailed audit logging for NAE crypto operations. Enabling this feature will have an impact on performance. It is recommended to disable NAE crypto audit logging in performance-critical environments.
GUI For Key Rotation and Selective Backup.
Enhanced Key Query in the Key UI.
Trigger Notifications for Certificate Expiration: Configure record-based alarms to trigger email notifications for monitoring certificate expiration.
Custom DNS Entries: You can now specify custom DNS entries instead of IP addresses.
HSM Partition Labeling.
Ability to Upload CTE Client Audit Logs/Records to CipherTrust Manager.
Ability to Enable/Disable SSH, NAE, and KMIP Interfaces.
Support for the Oracle Cloud.
Network TCT HSM.
Key Management
Added support for:
Cloning of keys
MUID and keyID for opaque objects
UID in client certificates for NAE/KMIP interface
New interface mode: Password is required in Auth header with certificate-only verification
CipherTrust Data Discovery and Classification
DDC, which has been rebranded as CipherTrust Data Discovery and Classification, brings you the following new features:
Support for creating custom Infotypes
Licensing updates
Trial license extension to 90 days
New 15 TB license
Data consumption displayed on the Licensing page
General improvements
Hadoop configuration restricted to root domain (in multiple domain setups)
GUI responsiveness
More GUI error messages
CipherTrust Transparent Encryption
Ability to encrypt data on AIX, Linux, and Windows clients.
Deployment of Cloud Object Storage (COS), Standard, and Live Data Transformation (LDT) policies. COS policies are supported for Amazon S3 buckets.
Agent log upload to the CipherTrust Manager and Syslog over TLS.
Learn Mode to test policies by tracking how rules are evaluated, without enforcing the policy.
Health checks of CTE Agents.
Support for AES-128, AES-256, ARIA-128, and ARIA-256 keys.
CTE key metadata feature.
Licensing for CTE and LDT clients. The LDT feature is provided as an add-on license. To use the LDT feature, you need a CTE base license activated on the CipherTrust Manager.
Note
After a client is registered, you must change the client password using the manual password creation method. The dynamic password creation method is not supported.
CipherTrust Transparent Encryption UserSpace
Licensing for CTE UserSpace clients.
Ability to encrypt data on clients running a supported platform. CTE UserSpace supports Linux, Oracle Linux (UEK and RHCK), and SLES platforms.
CipherTrust Cloud Key Manager
Management of AWS cloud keys using the GUI, API, and CLI. The supported operations are: create, list, delete, update, upload, and rotate.
Ability to search AWS keys by tags.
Scheduler to perform key synchronization, rotation, and expiry operations.
Ability to back up and restore AWS keys.
Access control lists to manage user permissions on AWS accounts.
Licensing support for cloud units.
Reporting of cloud keys using the CLI and REST API.
CipherTrust Database Protection
Product rename! SafeNet ProtectDB has been renamed to CipherTrust Database Protection.
Rebranded GUI, API, CLI, and product documentation.
General Note
The k570 appliance contains a FIPS-approved HSM. However, the HSM is not in FIPS mode by default. To put the HSM into FIPS mode, refer to the Luna PCI documentation, or contact Thales Customer Support.
Resolved Issues
This table lists the issues resolved in release 2.0.0.
Issue | Synopsis |
---|---|
KY-16396 | The length of ks_support challenge blob is limited to the shell width on a serial console. |
KY-13345 | On heavily loaded systems, the ProtectV GUI may occasionally give an internal server error when listing clients. |
KY-11139 | User cannot sort by "Owner" or "Modified" in the Report's "Data Object" tab. Even though the user interface indicates that the user can order the list of Data Objects inside a Report by clicking the column header, nothing happens when the user does that. |
KY-10615 | Running a scan when another one is running on same data store, causes the first one to fail. When one scan is being executed and another scan is launched that includes at least one data store used in the first scan, the first scan may fail. |
KY-11712 | ksctl does not accept the --node-id flag for the active-node command. The node that will be registered is always the one receiving the request, which is why the command does not accept the --node-id flag. |
Release 1.10.0
Platform
Base Platform Upgrade: The base OS of NextGen KeySecure has been upgraded to Ubuntu 18.04 to support the latest security patches and upgrades.
Key Rotation Support: Keys can be automatically rotated using CRON-like syntax. Any set of keys can be rotated based on a query. In this release, this feature is supported using the CLI and API. Support for the GUI will be added in a future release.
Scheduled Backup Support: Backups can be scheduled and rotated automatically. In this release, this feature is supported using the CLI and API. Support for the GUI will be added in a future release.
Client certificate-based login to the NextGen KeySecure GUI.
Client certificate revocation check through CRL/OCSP for the NAE/KMIP interface.
Ability to download System logs using the GUI and the CLI.
Sorting of records by the "By" column.
Data Discovery and Classification
Native scanning support for common types of data stores and data locations
Analysis of structured and unstructured content
Possibility to perform classification based on a large variety of data types
Classification templates for main regulations
Scheduled scans to automate execution of discovery tasks
Advanced reporting to provide all the insights from the discovered data
Remote proxy and/or Agent-based scans
Run specific scans to improve the performance
Note
• DDC is compatible with virtual NextGen KeySecure appliances only.
• DDC requires at least 16 GB of RAM. Failed scans may be seen if you run with less than 16 GB of RAM.
KMIP
Ability to change KMIP log level using the CLI.
Ability to pick username from other certificate fields.
Support for Certificate Objects, Wrap/Unwrap, Sign/SignV and Device Credentials.
ProtectFile
SafeNet ProtectFile now supports the Multiple Domains feature of NextGen KeySecure appliances.
General Notes
Upgrades are supported from versions 1.7.0, 1.8.0, 1.9.0, 1.9.1, and 1.10.0-ddc.
Because of the base OS upgrade, downgrading from version 1.10 is not supported.
The k570 appliance contains a FIPS-approved HSM. However, the HSM is not in FIPS mode by default. To put the HSM into FIPS mode, refer to the Luna PCI documentation, or contact Thales Customer Support.
ProtectV functionality has not changed since 1.9.1, therefore ProtectV customers are recommended to not upgrade to NextGen KeySecure 1.10.
Resolved Issues
This table lists the issues resolved in release 1.10.0.
Issue | Synopsis |
---|---|
KY-10473 | Physical NextGen KeySecure: lcdController crashes intermittently on system boot. |
KY-8497 | SMTP server does not accept email address with capital letters. |
PFL-7857 | Hash error occurs when reregistering a client with the NextGen KeySecure. |
KY-6262 | [AWS only] NextGen KeySecure instances are slow to reboot, fail to read cloud-init metadata, and reset some system information on reboot. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | The XVA file format is not handled correctly: after an XVA file is scanned and the report is generated, an additional data object that should not have been reported is displayed in the Data Objects tab of the UI. Ignore it. |
Release 1.10.0-DDC
Data Discovery and Classification
The NextGen KeySecure appliance now supports discovery of sensitive data in different Data Stores: Linux and Windows local storage, SMB/CIFS shares, NFS shares, Oracle databases, Microsoft SQL databases, DB2 databases, and Hadoop HDFS. Classification can be done using one of the provided Classification Profiles, such as GDPR, or by creating your own. Reports for the scans give you a clear view of the state of your Data Objects.
Note
• NextGen KeySecure 1.10.0-DDC is compatible with virtual NextGen KeySecure appliances only.
• This release supports upgrade from NextGen KeySecure version 1.9.1 only. If you are upgrading from an older version, please first upgrade to 1.9.1 and then to 1.10.0-DDC.
• The Data Discovery functionality requires at least 16 GB RAM in any platform. It will not function properly with less than 16 GB RAM.
Release 1.9.1
This release fixes the below issues. No new features or enhancements are provided.
Resolved Issue | Synopsis |
---|---|
KY-9113 | NextGen KeySecure license is required after upgrading NextGen KeySecure to 1.9.0. |
KY-9064 | Absent email attribute in LDAP breaks user login. |
KY-8719 | Prevent boot into Ubuntu recovery mode from console. |
KY-8657 | KMIP: Optional password does not work in the Credential object. |
KY-7642 | When retrieving a token, “connection” attribute should support “local” in addition to “local_account”. |
KY-7391 | NextGen KeySecure nodes are unreachable intermittently and data replication is unsuccessful. |
KY-4823 | LCD reads Gemalto when no network cable is attached to the NextGen KeySecure appliance during boot. |
Release 1.9.0
Platform
Multiple Domains
The k170v/k470/k570 NextGen KeySecure appliances now support Multiple Domains. This allows keys and other resources to be isolated from each other within an enterprise. Refer to the API playground for details. ProtectFile does not support the Multiple Domains feature.
License Revocation
Licenses (except default trial licenses) can now be removed from the system.
Secure Support Access
The ability to gain root access to the system now requires an interaction with Thales Customer Support.
E-mail Notifications
The system can be configured to send e-mail notifications to specific addresses when system alarms are triggered. In this release, this feature is supported for alarms configured by users.
Syslog Improvements
Alarm functionality is added to indicate unreachable Syslog servers. If a Syslog server is unreachable, an alarm will be raised on the system. This feature is supported for Syslog servers configured over TLS only.
A new column, domain_id, is added to logs redirected to Syslog servers. This column indicates the domain associated with the log message.
Records Improvements
The Lineage column has been renamed as Client on the Records page of the UI.
The Lineage column has been replaced with Client IP in API and CLI.
Support for CCKM
Added support for CCKM as a key repository. This allows transfer of NextGen KeySecure keys to AWS KMS, Azure Key Vault, or Salesforce Shield.
UI Improvements
An App Launcher is introduced to open applications. The App Launcher contains Keys & Access Management, Admin Settings, ProtectDB, ProtectFile, ProtectV, ProtectApp, and KMIP applications.
ProtectDB
Session Management
Added functionality to configure whether to receive prompts for database credentials when accessing tables for the first time in a GUI session.
Error Replacement Support for MSSQL Server
The Error Replacement feature is supported for MSSQL Server.
Upload of SSL Certificate from GUI
The option to upload SSL certificates for Oracle and DB2 databases is added to the NextGen KeySecure GUI.
Handling of Non-supported Data Types
Encryption property for non-supported data types can no longer be configured on NextGen KeySecure.
ProtectV
ProtectV supports the Multiple Domains feature of NextGen KeySecure appliances.
KMIP Improvements
KMIP Client Registration: Added registration enforcement for existing and new KMIP clients.
Anonymous Login: Added anonymous login functionality to achieve support for global keys. Only certificate will be validated, username is not required.
New Cryptographic Operations: Added support for cryptographic operations Encrypt, Decrypt, Mac, and MacV.
New Attributes: Added support for new attributes Alternative Name, Digest, Cryptographic Usage Mask, and Fresh.
Wildcard for KMIP Locate: Added wildcard support for the Locate operation.
Resolved Issues
This table lists the issues resolved in release 1.9.0.
Issue | Synopsis |
---|---|
PFW-10949 | When an encryption rule is removed from NextGen KeySecure, changes are not pushed to other non-transformer/cluster nodes during the next polling interval. |
PFW-10945 | Access logs are not sent to the Syslog server. |
KY-3680 | In a clustered environment, if an SSL certificate is uploaded to one node, the SSL certificate is automatically replicated on other nodes. However, if you uploaded another SSL certificate to one node, the SSL certificate is not replicated on other nodes. |
KY-3675 | GUI: In the Alarms table, the "State Changed at' column is obsolete as of release 1.8.0. In this release, the column is replaced with "Triggered At". |
KY-3444 | LDAP user cannot log in to the domain for which he is administrator. |
KY-1286 | (was NC-3431) Key names with only spaces are considered valid. |
Release 1.8.1
This is a critical patch for customers using the Data Protection on Demand (DPoD) HSM on Demand service as a Root of Trust. Other customers can ignore this patch.
Note
This patch must be applied to the NextGen KeySecure version 1.8.0 only. Earlier versions of NextGen KeySecure must be upgraded to 1.8.0 before applying this patch. Refer to "System Upgrade" for details.
Applying the Patch
To apply the patch:
Download the patch file, ks_patch_1.8.1.tar.gz.gpg, from the Customer Support Portal.
Copy the file to all NextGen KeySecure instances.
scp -i <my-ssh-key> ./ks_patch_1.8.1.tar.gz.gpg ksadmin@<keysecure-ip>:
Log on to NextGen KeySecure.
ssh -i <my-ssh-key> ksadmin@<keysecure-ip>
Apply the patch.
sudo /opt/keysecure/ks_upgrade.sh -f ks_patch_1.8.1.tar.gz.gpg
If the NextGen KeySecure appliance is using the DPoD HSM, the KeySecure services will restart.
Note
• If you need to set up new NextGen KeySecure instances to use the HSM DPoD root of trust after applying this patch, it is recommended to retrieve a new client bundle directly from DPoD.
• Older client bundles may not be compatible. This is not an issue for systems already configured to use DPoD. The patch will update existing client configuration.
• If an HSM was not configured prior to installing this patch, you will need to manually restart the NextGen KeySecure service with the following command: systemctl restart keysecure
Resolved Issues
This table lists the issues resolved in release 1.8.1.
Issue | Synopsis |
---|---|
KY-6073 | Add support for the latest SafeNet Data Protection On Demand (DPoD) clients for enhanced performance and improved service resilience. |
Release 1.8.0
KeySecure
Multi Domain Support Preview
NextGen KeySecure supports the concept of “Domains” as a way to segregate the data a specific user is capable of accessing. Domains can be created using the ksctl command, and then specific requests can be scoped to a Domain. To create and use domains, refer to the CLI help for ksctl domains. This is a preview of this new feature, so there are these limitations:
No UI Support - only ksctl and API are supported.
Limited user configuration - users must be assigned to a domain when it is created.
Not all resources supported - only Keys resources have been validated. ProtectFile, ProtectV, and ProtectApp resources are not yet supported.
Login Banner
A pre-authentication and post-authentication login banner are supported via the API, CLI and GUI.
In-place Cluster Upgrades
A cluster can now be upgraded in-place to release 1.8.0. The only supported version that can be upgraded in-place is version 1.7.0. For further details, go to the Advisory Notes > In-place Cluster Upgrade.
Cluster Operations via the GUI
In addition to the CLI, you can now perform normal cluster operations using the GUI.
Audit record based Alarms
Support for Alarm generation based on Audit record conditions.
NAE
Added support for:
UUID
MUID
KMIP
A new implementation of the KMIP server. Supported operations are in accordance with the KMIP 1.4 specification.
Multiple KMIP ports
Multiple local and external CA for KMIP
TLS-1.0 for KMIP; the default is TLS-1.2
Re-keying of key pairs
Usability of 'KMIP created keys' over the NAE interface
KMIP Licensing:
If unlicensed, KMIP operations will stop working after the 90-day trial period.
If you are upgrading from NextGen KeySecure version 1.6.0 or earlier, you must contact Customer Support through the Customer Support Portal to obtain a KMIP license.
Syslog
Added support for the new Syslog formats, RFC-5424, CEF, and LEEF. The default format is RFC-5424.
Records
Added severity, source, and lineage columns to the Records page. All fields support sorting and filtering.
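The domain_id column added to Syslog output in Release 1.9.0 and the RFC-5424, CEF, and LEEF formats added here both matter once records are forwarded to a SIEM, where the first step is parsing them consistently. As an added example (not code from NextGen KeySecure or CipherTrust Manager), the following Python parses each of the three formats: the facility/severity split of the RFC 5424 PRI field and its structured-data block, CEF header escaping with space-containing extension values, and the LEEF 1.0/2.0 delimiter rules. The sample lines are constructed: the field names (domain_id, suser, usrName, cs1, ...) and the exampleSDID@32473 structured-data ID (RFC 5424's documentation ID) are assumptions for illustration and do not reproduce the appliance's actual record layout.

```python
"""Parsers for RFC 5424, CEF and LEEF syslog records.
Added example; not appliance code. SAMPLES below are constructed and
only imitate what key-management audit records might look like."""
import re

# Constructed sample records, one per format (not real appliance output).
SAMPLES = {
    "rfc5424": ('<110>1 2020-07-01T12:00:00.123Z cm-node1 keysecure - KEY_CREATE '
                '[exampleSDID@32473 domain_id="root" user="admin"] key create succeeded'),
    "cef": ('CEF:0|Thales|CipherTrust Manager|2.1.0|KEY_CREATE|Key created|3|'
            'suser=admin src=10.0.0.5 msg=Key created by admin domain_id=root '
            'cs1Label=keyName cs1=app-aes256'),
    "leef": ('LEEF:1.0|Thales|CipherTrust Manager|2.1.0|KEY_CREATE|'
             'usrName=admin\tsrc=10.0.0.5\tdomain_id=root'),
}

# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$"
)


def parse_rfc5424(line: str) -> dict:
    """RFC 5424 header, structured data and free-text message.
    PRI = facility * 8 + severity; facility 13 is 'log audit'."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    sd = {}
    if m.group(8) != "-":
        for sd_id, body in re.findall(r"\[(\S+?)((?: [^\]]*)?)\]", m.group(8)):
            sd[sd_id] = dict(re.findall(r'(\S+?)="([^"]*)"', body))
    return {
        "facility": pri // 8, "severity": pri % 8, "version": int(m.group(2)),
        "timestamp": m.group(3), "hostname": m.group(4), "app_name": m.group(5),
        "procid": m.group(6), "msgid": m.group(7), "sd": sd, "msg": m.group(9) or "",
    }


def parse_cef(line: str) -> dict:
    """CEF: seven pipe-separated header fields (backslash escapes '|' and '\\'),
    then space-separated key=value extensions whose values may contain spaces.
    Extension escapes such as '\\=' are left as-is."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, buf, i = [], [], start
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped character in header
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    # A value runs until the next ' key=' token or end of line.
    ext = dict(re.findall(r"(?:^|\s)(\w+)=(.*?)(?=\s\w+=|$)", line[i:]))
    return {
        "cef_version": fields[0][4:], "vendor": fields[1], "product": fields[2],
        "device_version": fields[3], "signature_id": fields[4], "name": fields[5],
        "severity": int(fields[6]) if fields[6].isdigit() else fields[6],
        "extension": ext,
    }


def parse_leef(line: str) -> dict:
    """LEEF 1.0: 'LEEF:1.0|Vendor|Product|Version|EventID|attrs' with tab-separated
    key=value attributes. LEEF 2.0 inserts an optional delimiter field
    (a literal such as '^' or hex such as 'x09'; empty means tab)."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF message")
    version = line[start + 5:line.index("|", start)]
    if version == "2.0":
        parts = line[start:].split("|", 6)
        if len(parts) != 7:
            raise ValueError("truncated LEEF 2.0 header")
        delim = parts[5]
        if len(delim) > 1 and delim[0] == "x":
            delim = chr(int(delim[1:], 16))
        delim, attrs = delim or "\t", parts[6]
    else:
        parts = line[start:].split("|", 5)
        if len(parts) != 6:
            raise ValueError("truncated LEEF 1.0 header")
        delim, attrs = "\t", parts[5]
    attributes = dict(kv.split("=", 1) for kv in attrs.split(delim) if "=" in kv)
    return {
        "leef_version": version, "vendor": parts[1], "product": parts[2],
        "device_version": parts[3], "event_id": parts[4], "attributes": attributes,
    }


def parse_record(line: str) -> dict:
    """Dispatch on the format marker. CEF/LEEF payloads are often carried
    inside a syslog header, so those markers are checked first."""
    if "CEF:" in line:
        return {"format": "cef", **parse_cef(line)}
    if "LEEF:" in line:
        return {"format": "leef", **parse_leef(line)}
    return {"format": "rfc5424", **parse_rfc5424(line)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", parse_record(raw))
```

Whichever format is chosen, keep the domain_id value: in a multi-domain deployment it is what separates one tenant's key events from another's when writing detection rules.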
ProtectV
SafeNet ProtectV Licensing
SafeNet ProtectV is offered through the following licensing models:
Trialware: Provides the fully-functional SafeNet ProtectV solution for free for 90 days with a pre-installed trial license.
Term Licensing Model: Provides the fully-functional SafeNet ProtectV solution for a prepaid charge for a specific period of time, for a specific number of clients. This license comes with a grace period of 90 days.
Perpetual Licensing Model: Provides the fully-functional SafeNet ProtectV solution for a prepaid charge with no time limit, for a specific number of clients.
A NextGen KeySecure appliance administrator can install the SafeNet ProtectV license. Refer to the SafeNet ProtectV Server Administrator Guide for details.
ProtectDB
Support for New Databases
This release adds support for management of database operations on the following databases:
DB2: The following operations can be performed on the NextGen KeySecure:
Adding database connections
Managing user mappings
Configuring column-level properties
MSSQL Server: The following operations can be performed on the NextGen KeySecure:
Adding database connections
Managing user mappings
Configuring column-level encryption properties
Teradata: The following operations can be performed on the NextGen KeySecure:
Adding database connections
Managing user mappings
Support for SSL Based Connections
This release adds support for SSL-based connections for Oracle and DB2 databases. The upload of SSL certificate is allowed only through the NextGen KeySecure API Playground.
Resolved Issues
This table lists the issues resolved in release 1.8.0.
Issue | Synopsis |
---|---|
KY-4511 | Replication might lose data for "large" objects or break cluster connectivity. |
KY-1395 | (was NC-2257) GUI: In Firefox, sometimes "insufficient permissions" popup does not appear. |
KY-1203 | (was NC-3897) Any user can change the name of the system. |
KY-500 | The "ksctl pf client-rule-assn list" command returns the error code 403. |
KY-492 | The "ksctl pf client-rule-assn update" command does not perform the specified operation. |
NC-4239 | ISO installation does not enable VGA login console. Workaround: Press Alt+F2 to go to tty1 and then press Alt+F1 to go back to tty0. |
NC-4003 | NAE/KMIP: Interface only supports a single trusted CA. |
NC-3290 | JCE: GCM File Encryption throwing "Read Timed out" Exception with large files. |
Release 1.7.0
KeySecure
NIC Bonding
NIC bonding is supported via the command line utility nmcli. Bonding provides redundancy and performance improvements by aggregating two or more network interfaces into a single logical network interface.
ksctl changes
The ksctl utility now displays a version number. Note that this version number is different from the server version.
ksctl now supports a "login" command which provisions the user with a token valid for 30 days. This removes the need to keep a password in the config.yaml file.
SNMP Support
Standard MIBs are supported (SNMP v1, v2c, v3)
Internet Standard MIBs are supported
The Host Resources MIB is supported
The Distributed Management MIB is supported
System Start with Missing Root of Trust
If the HSM Root of Trust is not available, the system will come up and present a message to the user.
HKDF Support
HKDF is a simple key derivation function (KDF) based on a hash-based message authentication code (HMAC).
The hash algorithm used for key generation with HKDF is configurable. The default is hmac-sha256. The options are:
hmac-sha224
hmac-sha256
hmac-sha384
hmac-sha512
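As an added illustration of the HKDF described above (not code from NextGen KeySecure or CipherTrust Manager), the following Python implements the RFC 5869 extract-then-expand construction over the hash options listed, checks itself against the RFC's published SHA-256 test vector, and shows how a distinct info string yields separate keys per purpose from one secret. The purpose labels and the master secret are this example's own assumptions. HKDF assumes the input keying material is already high-entropy (a key or a shared secret, not a password).

```python
"""RFC 5869 HKDF: PRK = HMAC(salt, IKM); OKM = T(1) | T(2) | ... where
T(i) = HMAC(PRK, T(i-1) | info | i). Added example, not appliance code."""
import hashlib
import hmac

# Hash options listed in the release notes; hmac-sha256 is the default.
HKDF_HASHES = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def hkdf_extract(salt: bytes, ikm: bytes, algo: str = "hmac-sha256") -> bytes:
    """Extract step. An absent salt is replaced by HashLen zero bytes
    (RFC 5869 section 2.2)."""
    h = HKDF_HASHES[algo]
    if not salt:
        salt = b"\x00" * h().digest_size
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, algo: str = "hmac-sha256") -> bytes:
    """Expand step. The single-byte counter limits output to 255 * HashLen."""
    h = HKDF_HASHES[algo]
    hash_len = h().digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output is limited to %d bytes for %s" % (255 * hash_len, algo))
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"",
         algo: str = "hmac-sha256") -> bytes:
    """Derive `length` bytes of output keying material from IKM."""
    return hkdf_expand(hkdf_extract(salt, ikm, algo), info, length, algo)


def rfc5869_test_case_1() -> bool:
    """Self-check against RFC 5869 Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf(ikm, 42, salt, info)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def derive_context_keys(master: bytes, salt: bytes) -> dict:
    """Derive one key per purpose from a single master secret. The info string
    binds each key to its purpose, so the AES key and the HMAC key never
    coincide even though they share IKM and salt. The labels are assumptions
    made for this example, not an appliance convention."""
    return {
        "aes256-data": hkdf(master, 32, salt, b"cm-example/aes256/data"),
        "hmac-audit": hkdf(master, 32, salt, b"cm-example/hmac/audit"),
        "sha1-legacy": hkdf(master, 20, salt, b"cm-example/legacy", algo="hmac-sha1"),
    }


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "pass" if rfc5869_test_case_1() else "FAIL")
    for name, key in derive_context_keys(bytes.fromhex("0b" * 22), b"example-salt").items():
        print(name, key.hex())
```

The hash choice fixes HashLen and therefore the maximum output per derivation: 255 × 20 = 5100 bytes with hmac-sha1 and 255 × 32 = 8160 bytes with hmac-sha256. Keep the default unless a peer requires a specific digest.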
KMIP/NAE
NAE updates:
XML support for Certificate and CA requests, and for Group/policy in local mode
Support for PKCS#12 format
AES-GCM PKCS5 Padding
HKDF support
System Reset
A System Reset command is added to kscfg. System Reset performs a hard reset of the k170(v).
Warning
System Reset is a destructive operation and wipes all data on the k170(v). It should be used with care.
Network Configuration Utility
Supports configuration of multiple network interfaces and bonding these interfaces to achieve redundancy and performance improvements.
ProtectFile
SafeNet ProtectFile Licensing
SafeNet ProtectFile is offered through the following licensing models:
Trialware: Provides the fully-functional SafeNet ProtectFile solution for free for 30 days. This license does not require activation during the trial period. After the trial period expires, SafeNet ProtectFile configurations on the NextGen KeySecure appliance become read-only. A trialware SafeNet ProtectFile license comes bundled with the NextGen KeySecure appliance.
Term Licensing Model: Provides the fully-functional SafeNet ProtectFile solution for a prepaid charge for a specific period of time, for a specific number of clients. The NextGen KeySecure appliance console starts showing a notification about the remaining license time. The license renewal can be ordered before the license expires. Functionality will not be immediately disabled at time of license expiry. Maintenance and Support Fees are included within the term license.
Perpetual Licensing Model: Provides the fully-functional SafeNet ProtectFile solution for a prepaid charge with no time limit, for a specific number of clients. Customers will be invoiced on a predetermined interval for Maintenance and Support.
A NextGen KeySecure appliance administrator can install the SafeNet ProtectFile license.
Migration of Clusters from KeySecure Classic
This release supports migration of SafeNet ProtectFile clusters from the SafeNet KeySecure Classic to the NextGen KeySecure appliance.
Progress Reporting
The NextGen KeySecure appliance now shows the progress of cryptographic operations being performed by SafeNet ProtectFile on a path under a rule. Reason of failed rules is also displayed.
Configurable Polling Interval
This allows configuring optimal polling interval value that best suits customer environments.
ProtectV
Rekey
SafeNet ProtectV includes automatic key renewal, also known as key rotation or rekey. Rekey is the process of re-encrypting partitions with a new encryption key. The rekey feature is disabled by default. This feature can be helpful in meeting regulatory requirements concerning the change of encryption keys.
A SafeNet ProtectV administrator can configure the feature on the NextGen KeySecure appliance console.
When configuring the feature, specify the number of days after which encryption keys should be changed automatically. If enabled on the NextGen KeySecure appliance console, the default rekey interval is 180 days.
In-transit Key Wrapping
SafeNet ProtectV supports encryption of keys while they are moving between the NextGen KeySecure appliance and ProtectV clients. This is referred to as in-transit key wrapping.
Enable in-transit key wrapping to protect KEKs against TLS attacks. The KEK is wrapped with a public key by the NextGen KeySecure appliance. By default, this feature is disabled. A SafeNet ProtectV administrator can enable this feature on the NextGen KeySecure appliance console.
Windows Auto Protection
SafeNet ProtectV includes the Windows Auto Protection option to configure automatic encryption behavior of Windows client images on registration. By default, encryption of a Windows image starts as soon as it is registered with the NextGen KeySecure appliance.
A SafeNet ProtectV administrator can disable this configuration. When disabled, encryption of newly registered Windows images does not start immediately. This allows selecting specific Windows partitions for encryption for the first time. Encryption of the selected partitions starts automatically within an hour, because the client contacts the NextGen KeySecure appliance at an interval of between 5 and 60 minutes. Alternatively, reboot the client image to start the encryption of the selected partitions immediately.
Global Autoscaling
Autoscaling refers to whether new clones of images will be granted keys automatically. Previous release supported autoscaling of individual ProtectV client images.
This release includes an option to configure autoscaling for all SafeNet ProtectV images. This is called global autoscaling. A SafeNet ProtectV administrator can configure global autoscaling.
By default, global autoscaling is turned off. New clones will not be granted keys automatically. When global autoscaling is turned on, encryption keys will be granted to new clones of SafeNet ProtectV client images that will be created in future.
Auto Keys Deletion
An option is included to configure automatic deletion of encryption keys on deletion of the associated ProtectV Client virtual machines.
By default, this option is disabled. In this case, the keys with which an image’s partitions are encrypted will not be deleted if the image is deleted. However, when the option is enabled, deletion of the encrypted image will automatically delete the linked encryption keys.
Migration from KeySecure Classic
Support is added to migrate encrypted SafeNet ProtectV clients from the SafeNet KeySecure Classic to the NextGen KeySecure appliance.
ProtectDB
GUI support provided for the following operations for the Oracle database type:
Add, delete, or modify database connection.
View the list of existing database connections.
Add, delete, or modify user mapping for a database (NAE user mapped with the database user).
View the list of user mappings for a database.
Configure the column level encryption properties including error replacement feature.
View the list of encrypted tables for a database.
Note
More databases will be supported in a future release.
Resolved Issues
This table lists the issues resolved in release 1.7.0.
Issue | Synopsis |
---|---|
NC-3948 | Retain node license on reset. |
NC-3920 | System Upgrade: If there is not enough disk space available during a system upgrade, the upgrade will fail. Workaround: Perform a system reset, ensure there is at least 12 GB of space available (not including the upgrade file), and then try the system upgrade again. |
NC-3871 | Single node cluster fails to perform upgrade. |
NC-3869 | NAE interface Refresh Tokens are not being deleted. |
NC-3850 | The "secrets" API has been deprecated and replaced by an object type in "keys2". |
NC-3841 | Restoring backup causes ProtectFile and ProtectV Manager malfunction. |
NC-3826 | Records: Audit record logs are periodically deleted (eventually all) once it utilizes disk size of 10 GB. |
NC-3823 | Default NAE port (9000) requires a restart after making configuration changes. |
NC-3779 | Backup Download Failure with large backup files. |
NC-3778 | Command kscfg network interface list has empty values on AWS. |
NC-3750 | Backup: CLI (ksctl) out of memory error occurs on large backup download. |
NC-3470 | PA-ICAPI: Init Update Final does not work with SEED for chunk sizes other than 1024 bytes. |
NC-3301 | JCE: GCM Encryption result in Remote and Local modes does not match with Version Key. |
NC-1629 | NAE-XML VersionRequest returns invalid server version. |
Release 1.6.1
This release resolves known issues listed in section: Resolved Issues. No new features or enhancements are provided.
Resolved Issues
This table lists the issues resolved in release 1.6.1.
Issue | Synopsis |
---|---|
NC-3903 | Re-enabled 'cluster delete' command; was removed in release 1.5.0. |
NC-3871 | Single node cluster fails to perform upgrade. |
NC-3869 | NAE interface Refresh Tokens are not being deleted. |
NC-3860 | kscfg: Modifying static IPv6 configuration fails when netmask is not provided. Workaround: Include setting netmask when modifying static IPv6 configuration. |
NC-3841 | Restoring backup causes ProtectFile and ProtectV Manager malfunction. |
NC-3826 | Records: Audit record logs are periodically deleted (eventually all) once it utilizes disk size of 10 GB. |
NC-3750 | Backup: CLI (ksctl) out of memory error on large backup download |
Release 1.6.0
Note
Release 1.6.0 supports both the SafeNet KeySecure k570 appliance and the SafeNet Virtual KeySecure k170v.
Physical Appliance Installation ISO
An ISO Image is available for existing customers to upgrade their k450/k460 appliance with the k170 software. Refer to the SafeNet NextGen KeySecure Deployment Guide for instructions.
Multi NIC Support
Multiple NICs can be configured for Physical and Private Cloud images using the kscfg utility.
Note
kscfg can only be used to configure interfaces on a Physical Appliance or in a Private Cloud (VMware vSphere, Hyper-V, etc.). It cannot configure interfaces in public clouds (AWS, Azure, etc.).
Downgrade Support
Downgrade support has been added in release 1.6.0. This means that future releases will be able to downgrade but not to a version earlier than release 1.6.0.
Backup Encryption Changes
Beginning with release 1.6.0, backups are encrypted when they are created, rather than when they are downloaded. This is more secure, and simplifies management of backups.
Note
During an upgrade, any existing backups are encrypted using the default backup key.
Backups and Backup Keys Retained
Backups and Backup Keys are retained, even if a system is reset.
GUI Backup Support
Backups and Backup Keys can be managed via the GUI
Debug File Rotation Improvements
Debug file rotation has been improved. Debug files are rotated once they reach 1GB in size, and a maximum of 30 files are retained. Additionally, all but the last two debug log files are compressed.
Local Audit Log Disable
Logging Audit records to local store (database) can be disabled via the CLI and the API - audit logs are still forwarded to syslog. Clusters that support a large number of transactions should be configured with local audit logging disabled. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl 'properties' command to disable audit logging.
ProtectV Support (BETA)
ProtectV is supported via the CLI, API and GUI. An updated client is required to use ProtectV with the NextGen KeySecure. This is a BETA feature - migration of existing ProtectV clients is not yet supported and certain features may not be available.
New API Playground (BETA)
A new API playground is included with improved formatting and performance. This is a BETA feature and is provided in addition to the existing one.
Multiport Support for NAE Server
Multiple instances of NAE Server can be instantiated on different ports and network interfaces.
Key States Support
Key States support is added over NAE-XML. The key states are compatible with corresponding states on KeySecure Classic.
Release 1.5.0
Migration for KeySecure Classic
The NextGen KeySecure now supports importing a backup file from KeySecure Classic (k450, k460 and k450v) to assist users with the upgrade process. All Keys, Users and LDAP connections are imported into NextGen KeySecure. For details, refer to: "SafeNet KeySecure k170v Deployment Guide > Migrating from KeySecure Classic".
Static IP Configuration
Static IP can now be set via a command line utility "kscfg". SSH into the system as "ksadmin" and type the kscfg net interfaces modify -h command for details.
Private Cloud Image Disk Size Increase
The size of the Private Cloud Image Disk was increased from 16 GB to 30 GB. It can also be set to a larger value and will re-size automatically.
Note
An encrypted instance cannot be resized.
NAE and KMIP Certificate Separation
NAE and KMIP certificates are now separate and can be managed individually.
Backup Chunking Support
Very large backup files can be optionally uploaded in chunks to support restart and to work around size limits.
SEED and ARIA algorithms are now supported.
ECC algorithm is now supported.
LDAP Group Support
Groups from an LDAP connection can be mapped to a local group for authorization control.
The maximum number of nodes in a cluster has been increased from 6 to 10.
New Crypto API
There is a new REST Crypto API for simpler encryption and decryption. Go to the API Playground for details.
Secret Object Support
Secret Objects are supported via the KMIP interface. There is also a REST interface for managing text and opaque secrets.
Support for SafeNet Data Protection On Demand (DPoD) root of trust HSM.
See https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace/ to sign up for DPoD.
Refer to DPoD service setup configuration.
Release 1.4.0
New Features and Enhancements
Added support for SafeNet ProtectFile
The SafeNet Virtual KeySecure k170 version 1.4.0 extends support for encryption of local file system using SafeNet ProtectFile 8.7.10. This release provides CLI, REST API, and GUI to create and manage the following types of policies:
Access Control and Encryption
Access Control Only
Added Alarm support
API lists available alarms
Alarm events are sent to syslog
See Alarms for details.
Added TLS/SSL certificate provisioning for web interface.
A “user friendly” name can now be set for each NextGen KeySecure instance.
Interface certificates are now automatically issued when a new node joins a cluster.
“beta” has been removed from the API path; existing applications that use "v1beta" in the API path will continue to work.
Release 1.3.0
Support for IPv6 configuration
Added the ability to configure IPv6 to either “dhcp” or “auto” via cloud-init. The default is “auto”.
Note
For IPv6 to operate correctly in AWS, this should be changed to “dhcp” in the startup cloud-init script. Refer to the Deployment Guide for details.
AWS CloudHSM
Added support for AWS CloudHSM (Cavium).
Password History Policy
Added support for Password History Policy that retains the user's password history to prevent users from reusing their previous passwords.
Hybrid HSM Support
Although it is the most secure configuration, nodes in a cluster are no longer required to be connected to the same HSM. Each node can be now connected to a different supported HSM partition, or to no HSM. Refer to Hardware Security Module for details and security considerations.
Support for a “status” API
There is a new API called services/status that returns the status of the NAE-XML and KMIP interfaces, as well as an overall status. This can be used to determine if system is ready to accept connections.
New System Defined Groups
A number of new System Defined Groups are now created by default, which give granular permissions to users. A user must be in one or more of these groups to have access to resources in the system. This is different from previous releases where all users had key access by default. If an upgrade is performed from 1.1.0 or 1.2.0, existing non-admin users must be placed in the “Key Users” group for them to have appropriate access. Refer to Groups for details on these new groups.
Disk Encryption Performance Improvements
Encrypting a k170v instance now takes significantly less time. Try it!
Elliptical Curve Key Support
The API now supports creation of EC keys. Encryption/Decryption operations coming soon.
New Deployment Guide
A Deployment Guide is now available as part of the documentation set, describing how to deploy k170v in various environments.
Release 1.2.0
Support for Luna HSM HA Groups
Multiple Luna HSMs can now be configured in an HA group. Updates to the API and CLI support this configuration.
Initial Password Changes
The initial admin password now defaults to "admin" and must be changed on first login. A random initial password can be generated optionally - requires a cloud-init configuration, and must be retrieved via SSH.
Force Password Change
A user can be forced to change their password on their next login attempt.
Password Expiration
An expiration policy can be set for local system passwords. Users will be forced to change their passwords after expiration.
Updates to Interface Settings
Various authentication options can be set for the NAE interface. See API documentation for details. GUI support is also added.
Changes to Key UUID format
To be compatible with SafeNet KeySecure Classic, the UUID format for Keys has been changed to be a 64-byte string.
IPv6 Support
IPv6 addresses will be configured automatically if available.
NTP Support
Multiple authenticated NTP servers can be configured via the API, CLI, or GUI.
Google Compute Support (Preview)
Google Compute is supported as a preview. Contact Thales Customer Support directly to evaluate a Google Compute image.
Hyper-V Support
Configurable root ca (via cloud-init)
API Support for system Reset and Restart.
KMIP Register Operation Support
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager.
System Downgrade
CipherTrust Manager 2.1.0 can be downgraded to 2.0.0. For release-specific upgrade/downgrade information, refer to the release notes for your release.
System Upgrade
Caution
Please read this section carefully before performing a system upgrade.
Supported Releases
System upgrades have been tested from releases 1.9.x, 1.10.x, and 2.0.0.
Note
Upgrades from other versions have not been tested and may not work correctly.
To apply a system upgrade
System upgrades are supplied in the form of a signed archive file available from the Support Portal.
Before proceeding, ensure there is at least 12 GB of space available (not including the upgrade file).
Create and download a backup with corresponding backup key, in case there are any problems.
scp the archive file to the CipherTrust Manager:
$ scp -i <identity_file> <update file name> ksadmin@<ip>:.
SSH into the CipherTrust Manager as ksadmin and run the following command:
$ sudo /opt/keysecure/ks_upgrade.sh -f <~/filename>
The signature of the archive file is verified and the upgrade is applied.
Restoring a Backup from a Previous Version
Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.
In-place Cluster Upgrade
A cluster can be upgraded in-place since version 1.9.0. The upgrade is generally limited to one minor version at a time, for example, from 1.9.0 to 1.10.0; from 1.10 to 2.0.0; or from 2.0.0 to 2.1.0. The exception is that you can upgrade directly from 1.10 to 2.1.0. Be aware of the following considerations when performing an in-place cluster upgrade.
Note
If you attempt to upgrade to 1.10 from 2.0 with DNS entries in the cluster configuration, that upgrade might fail with database errors. In this situation, run kscfg system reset on the affected node, upgrade your other nodes from 1.10 directly to 2.1, upgrade the affected node to 2.1, and re-join the cluster.
The node being upgraded will be inaccessible during the upgrade. This may be as long as 10 or more minutes. Clients must be able to handle this outage.
There will be a brief period of time (under 30 seconds) where the database will be locked while upgrading the first node. This affects all nodes at the same time, and some nodes may give error responses during this time.
All nodes in the cluster should be upgraded as soon as possible - nodes running different versions of the firmware will behave differently, potentially causing problems with applications.
To perform an in-place cluster upgrade, do the following:
Before doing any upgrade operation, ensure that you have a backup, and that you have downloaded the backup and associated backup key.
Ensure all nodes in the cluster are up and operating normally. Resolve any issues (like removing any obsolete nodes) before performing the upgrade.
Perform a system upgrade on each node, one at a time. Ensure the upgrade of each node is complete and that the node is operating normally, before proceeding to the next node.
Note
When updating the first node in a cluster, the cluster nodes may briefly experience slower than usual response times. This occurs because the shared database schema for the cluster is updated with the first node.
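A pre-flight check for the in-place procedure above, written as an added example (not code from the release notes or the product). It encodes only the rules stated here: backup and key downloaded, every node healthy and on the same version, at least 12 GB free, a one-minor-step path along the documented train with the 1.10 to 2.1.0 exception and the 2.1.0 to 2.0.0 downgrade, and nodes upgraded one at a time; the Node structure and the sample cluster are assumptions of the example.

```python
"""Pre-flight checks for an in-place CipherTrust Manager cluster upgrade.

Added example. The release train, the 12 GB requirement and the ordering
rules come from the advisory notes; the Node record is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Release train named in the upgrade notes, oldest first. Patch level is
# ignored because the notes speak of 1.9.x and 1.10.x.
RELEASE_TRAIN = [(1, 9), (1, 10), (2, 0), (2, 1)]
# Documented exception to the one-minor-step rule: 1.10 -> 2.1 directly.
DIRECT_JUMPS = {((1, 10), (2, 1))}
# Documented downgrade path (System Downgrade: 2.1.0 -> 2.0.0).
DOWNGRADES = {((2, 1), (2, 0))}
MIN_FREE_GB = 12


@dataclass
class Node:
    name: str
    version: str
    free_gb: float        # free disk space, not counting the upgrade file
    healthy: bool = True  # "up and operating normally"


def minor(version: str) -> Tuple[int, int]:
    """Reduce '1.10.3' or '1.10' to (1, 10)."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    return int(parts[0]), int(parts[1])


def path_allowed(current: str, target: str) -> bool:
    """True if the notes describe current -> target as a supported step."""
    cur, tgt = minor(current), minor(target)
    if (cur, tgt) in DIRECT_JUMPS or (cur, tgt) in DOWNGRADES:
        return True
    if cur not in RELEASE_TRAIN or tgt not in RELEASE_TRAIN:
        return False
    return RELEASE_TRAIN.index(tgt) == RELEASE_TRAIN.index(cur) + 1


def plan_upgrade(nodes: List[Node], target: str,
                 backup_downloaded: bool) -> Tuple[List[str], List[str]]:
    """Return (problems, ordered steps); steps are empty if any problem exists."""
    problems = []
    if not backup_downloaded:
        problems.append("download a backup and its backup key before upgrading")
    versions = {minor(n.version) for n in nodes}
    if len(versions) != 1:
        problems.append(f"nodes run mixed versions {sorted(versions)}; "
                        "bring them to one version first")
    for n in nodes:
        if not n.healthy:
            problems.append(f"{n.name}: not operating normally; fix or remove it first")
        if n.free_gb < MIN_FREE_GB:
            problems.append(f"{n.name}: only {n.free_gb} GB free, need {MIN_FREE_GB} GB")
    if len(versions) == 1 and not path_allowed(nodes[0].version, target):
        problems.append(f"{nodes[0].version} -> {target} is not a documented one-step path")
    if problems:
        return problems, []
    steps = []
    for i, n in enumerate(nodes):
        # First node also triggers the brief cluster-wide database lock.
        extra = " and a <30 s cluster-wide DB lock" if i == 0 else ""
        steps.append(f"upgrade {n.name} to {target}; expect ~10 min outage on it{extra}")
        steps.append(f"wait until {n.name} is operating normally before continuing")
    return problems, steps


if __name__ == "__main__":
    # Constructed sample cluster, two healthy nodes on 2.0.0.
    cluster = [Node("cm-1", "2.0.0", 40), Node("cm-2", "2.0.0", 35)]
    problems, steps = plan_upgrade(cluster, "2.1.0", backup_downloaded=True)
    for line in problems + steps:
        print(line)
```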
Alternative to In-place Cluster Upgrade
To upgrade a cluster using the cluster remove/rebuild method:
On one of the cluster nodes, create and download a backup with corresponding backup key, in case there are any problems.
Remove all nodes from the cluster except one.
Perform the upgrade on that remaining node.
Ensure there is at least 12 GB of space available (not including the upgrade file) before proceeding.
scp the archive file to the CipherTrust Manager:
$ scp -i <identity_file> <update file name> ksadmin@<ip>:.
SSH into the CipherTrust Manager as ksadmin and run the following command:
$ sudo /opt/keysecure/ks_upgrade.sh -f <~/filename>
The signature of the archive file is verified and the upgrade is applied.
Rebuild the cluster by creating a new cluster on this node.
Perform the upgrade on all other removed nodes.
Note
If a previously used node is to be re-used, the cluster must first be deleted from that system.
Join new instances to the cluster.
Clusters with a Large Number of Transactions
Clusters that support a large number of transactions should have audit logging disabled and only syslog should be used for capturing audit logs. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.
To disable local audit logging
Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:
$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false
If configured, audit logs will still be sent to a syslog server.
Cluster Synchronization
Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time in a new node before it joins a cluster. NTP settings are not copied between nodes - they must be set individually for each CipherTrust Manager server.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.2 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.2 | TLS 1.1 |
KMIP | TLS 1.0 | TLS 1.2 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
Client Platforms
The following client Platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
ProtectApp JCE: minimum version 8.6.1
ProtectApp .NET: minimum version 8.11.0
ProtectApp ICAPI: minimum version 8.10.0
ProtectApp Oracle TDE: minimum version 8.9.0
ProtectApp SQL EKM: minimum version 8.3.2
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
ProtectDB Oracle: minimum version 8.8.0
ProtectDB SQL: minimum version 8.9.0
ProtectDB DB2: minimum version 8.7.0
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 9.0.0
CipherTrust Vaulted Tokenization
Tokenization Manager: minimum version 8.7.1
Vaultless Tokenization Manager: minimum version 8.8.0
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Tokenization
Minimum version 2.5.2.19
CipherTrust Teradata Protection
Minimum version 6.4.0.12
ProtectFile
Minimum version 8.10.11
ProtectV
Minimum version 4.7.3
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
Issue | Synopsis |
---|---|
KY-19730 | The CipherTrust Manager registers duplicate clients with KMIP auto registration enabled. |
KY-27366, KY-27361 | If a connection to the KMIP or NAE interface is left idle for more than 24 hours, client authentication fails. The following error message is logged: [5/NCERRUnauthorizedAccess]: Wrong username or password. Contact customer support if you encounter this situation. |
KY-24645 | If you attempt to create a domain-scoped backup when any keys are in a "Destroyed" state, the backup fails. Workaround: While creating the backup, use a filter to only include keys with "Pre-Active", "Active", "Deactivated", and "Compromised" states. An example ksctl command to filter for these states is ksctl backup create --scope domain --filters { "states": [ "Pre-Active", "Active", "Deactivated", "Compromised" ] } |
KY-24102 | Client can authenticate with expired password if the CipherTrust Manager is not restarted. |
KY-22668 | NAE and KMIP crypto operations performance is affected with high CPU and memory utilization. |
KY-21901 | If you add a DNS host entry to the CipherTrust Manager using the /v1/dns-hosts API endpoint, and attempt to create a cluster specifying the hostname from that entry, cluster creation fails with the message "A generic connection error occurred while creating the cluster. This type of error typically occurs when the host is invalid. Please retry using a valid IP or hostname." Workaround: Create the cluster specifying a hostname from an external DNS service, or specifying an IP address. |
KY-21307 | You cannot apply disk encryption when installing a Virtual CipherTrust Manager with cloud-init in Google Cloud. Workaround: You can encrypt the disk after initial deployment with the /v1/locker/diskenc/setup endpoint in the API. |
KY-20828 | Upgrade to 2.0 or 2.1 fails in a rare situation with incorrect configuration, and the system does not start up. If your CipherTrust Manager is in a clustered environment, continuing to upgrade other nodes would cause those nodes to not start up, as well. Workaround: Contact customer support to guide you through adjusting your system configuration for a safe upgrade. Alternatively, if you do not need any data stored on the appliance or in the cluster, run kscfg system reset on your own to hard reset the appliance. Note that in this scenario, backups taken before upgrade cannot be restored on the reset appliance without assistance from customer support. |
KY-20310 | When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error. Workaround: Disregard the timeout error. |
KY-17662 | In-place cluster upgrade does not enforce upgrading only one version. |
KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
KY-14871 | After a cluster is created, the default NAE/KMIP interfaces are inaccessible from the secondary node. Workaround: Restart the secondary node. |
KY-13617 | Domain scoped backup fails to restore on another domain when a key with the same name and version already exists. Workaround: To handle this issue, try either of the following: |
KY-13343 | Uploading an existing backup results in error but is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as backup ID. |
KY-12602 | Manual page refresh is required to show the Pending CAs list. |
KY-11517 | [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
KY-11498 | When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an ldap user cannot log on to it. |
KY-7818 | [ProtectApp Application] The Interface Name field on the Create Client Profile page should show the nae interface only. Currently, it also shows kmip, snmp, and web. Workaround: Use the Interface Name field on the Create Client Profile page to create an nae profile only. Create a kmip profile on the Client Profile page of the KMIP application. |
KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations, AuthenticatedEncryptionTag is returned appended to CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
KY-7258 | NAE and KMIP might not be connectable after cluster join. Workaround: Restart the newly joined node or at a minimum restart the KeySecure service. Restart the service either from the UI or by running ksctl services restart. |
KY-7193 | Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created. |
KY-6383 | Users with a pipe in their user names (for example, user1 |
KY-3670 | Cluster join operation can fail, but rarely, leaving the joining node in a bad state. Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join. If you still cannot log on to the node: |
KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
KY-2423 | (was NC-2318) KMIP: Result Reason may not be accurate or have enough detail. |
KY-2418 | (was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves. |
KY-1397 | (was NC-2253) Last Login and Logins count are not updated for global user. |
KY-1396 | (was NC-2256) Group membership change for yourself does not take effect until after re-login. |
KY-1394 | (was NC-2260) Trying to mark a shared key deletable or exportable by a non-admin user returns: NotFound error. The error should be: insufficient permissions. |
KY-1373 | (was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used. |
KY-1270 | (was NC-3567) User Admin should not have authority to manage system groups. |
KY-1199 | (was NC-3904) Trimming of the audit table (at 10 million records) takes significant time and causes temporary performance issues. Workaround: Disable audit table logging for a very active cluster. |
KY-1166 | (was NC-4098) NAE/KMIP multiport iptables rules are not replicated. Workaround: Perform NAE restart on each node. |
KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
NC-3573 | Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface. |
NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
NC-2063 | If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
CipherTrust Cloud Key Manager
Issue | Synopsis |
---|---|
KY-17446 | When rotating a key using the GUI, a new version of an existing CipherTrust Manager key cannot be created. The key can only be rotated to an existing version. Workaround: Manually create a new version of the key and rotate the key. To do so: |
KY-17213 | When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
KY-42033 | Unable to use the key version created through CCKM for Azure SQL EKM. This issue will be resolved in CipherTrust Manager v2.8.0. |
CipherTrust Database Protection
Issue | Synopsis |
---|---|
PDB-3293 | If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
CipherTrust Data Discovery and Classification
Issue | Synopsis |
---|---|
KY-20051 | NCERRInternalServerError: unexpected error displayed on the Data Objects report tab. This happens with reports with a high number of Data Objects (with ~500K, as tested on the recommended TDP deployment, although the actual number of Data Objects depends on multiple parameters such as the number of TDP nodes and their hardware configuration). If the Hadoop cluster takes too long (more than 24 seconds) to retrieve the list of Data Objects in the report, they will not be listed in the report and an error message NCERRInternalServerError: unexpected error is displayed on the Data Objects report tab. Workaround: Please contact your Hadoop expert to tune your TDP cluster. For many TDP clusters, creating a global covered secondary index will work. You create this index in the data_object_report table including columns scan_execution_id, depth and covering the following columns: name, scan_id, datastore_id, datastore_version, owner, path, type, last_modified, info_types, matches, sensitivity_level_id, regulations, mismatch. Please note that creating any index will increase the processing time for subsequent scans. |
KY-8526 | Hadoop configuration does not allow PQS schema changes. After the initial PQS Hadoop connection settings in DDC, you should not reconfigure them. If you do, you will lose all the data from the previous scan executions. |
KY-9098 | DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object in the Data Objects tab is displayed in the UI. You should ignore it. |
KY-8990 | Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
KY-9094 | “Something went wrong” displayed when saving a recently created SMB Data Store or trying to launch a scan on an SMB Data Store. When searching for the Agent to use, or checking whether the assigned Agent is up and running, the DDC Server may need to wait for the duration of the defined Network timeout if communication fails. Workaround: In case of a scan, you should reduce the number of SMB Data Stores in the scan. |
| A Data Store never transitions to a “ready” state and displays “A valid agent could not be found”. The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store. Solution: For possible solutions, check the following: |
| None of the clustered KeySecure nodes responds to requests to the DDC API. DDC is only active on one of the KeySecure nodes. Requests sent to any other node will return this error. This will be improved in future releases. Solution: |
KY-9149 | The 'Owner' and 'Modified' fields are not retrieved for some files in the "Data Objects" tab. Due to a known limitation of the processing engine, the information on the Owner and Modified is usually not listed in the report details. |
KY-13618 | Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted. When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled. Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost. |
ProtectFile
Issue | Synopsis |
---|---|
KY-12731 | GUI does not update the Syslog protocol specified in the client profile. Workaround: Use the API playground to update the protocol. |
KY-10749 | Configuring a Syslog server with its hostname in the client profile does not work. Workaround: Use the IP address of the Syslog server. |
KSCH-573 | Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
KSCH-568 | Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
KSCH-567 | Modifying a file level encryption rule to set the “isRecursive” flag does not return error. |
KSCH-564 | Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |