Release Notes
Product Description
CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
Product Abbreviations
Name | Abbreviation |
---|---|
CipherTrust Batch Data Transformation | BDT |
CipherTrust Manager | CM |
CipherTrust Application Data Protection | CADP |
CipherTrust Application Key Management | CAKM |
CipherTrust Cloud Key Manager | CCKM |
CipherTrust Data Protection Gateway | DPG |
CipherTrust RESTful Data Protection | CRDP |
CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
CipherTrust Live Data Transformation | LDT |
CipherTrust Transparent Encryption | CTE |
CipherTrust Transparent Encryption for Kubernetes | CTE-K8s |
CipherTrust Transparent Encryption for Ransomware | RWP |
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
CipherTrust Intelligent Protection | CIP |
CipherTrust Data Discovery and Classification | DDC |
CipherTrust Tokenization | CT |
CipherTrust Vaulted Tokenization | CT-V |
CipherTrust Vaultless Tokenization | CT-VL |
Data Protection on Demand | DPoD |
Release Description
2.11.x is the first release to be designated as a Long Term Support (LTS) release. It is an enterprise-grade release focused on stability. Consult the CipherTrust Manager Release Model for details on support and patches.
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570 and k470 devices, and k170v Virtual CipherTrust Manager instances.
Warning
Thales TCT k160 devices only support release 2.11.2-tct. They do not support any other 2.11 version. The 2.11.2-tct upgrade file is available directly from TCT and not the Thales customer support portal.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.11.x Virtual CipherTrust Manager is available on the following public clouds:
Amazon Web Services: SafeNet Cloud Provisioning System
Google Cloud
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Oracle Cloud
IBM Cloud
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager IBM Cloud Virtual Private Cloud Gen2.
2.11.x contains a number of new features and enhancements. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.11.6
This release is available as an upgrade file. The upgrade can be applied directly on the latest patch of 2.8.x, latest patch of 2.9.x, latest patch of 2.10.x, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, or 2.11.5 but not 2.11.1-tct or 2.11.2-tct. It fixes the bugs described in Resolved Issues.
Release 2.11.5
This release is available as an upgrade file. The upgrade can be applied directly on the latest patch of 2.8.x, latest patch of 2.9.x, latest patch of 2.10.x, 2.11.0, 2.11.1, 2.11.2, 2.11.3, or 2.11.4 but not 2.11.1-tct or 2.11.2-tct. It contains the following changes:
Added support for externally signed server certificate for Luna Network HSM root of trust.
Upgraded an internal client to maintain compatibility with the Thales Data Protection On Demand (DPoD) Luna Cloud HSM Service root-of-trust integration past January 28, 2025. Details on the Luna Cloud HSM compatibility change are available in knowledge base article KB0028422. The CipherTrust Manager change is tracked internally under reference number KY-85445.
Fixed bugs described in Resolved Issues.
Release 2.11.4
The 2.11.4 release includes bug fixes described in Resolved Issues.
This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager version 2.8.x, 2.9.x, 2.10.x, 2.11.0, 2.11.1, 2.11.2, or 2.11.3, but not 2.11.1-tct or 2.11.2-tct.
Release 2.11.3
The 2.11.3 release includes bug fixes described in Resolved Issues.
This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager version 2.8.x, 2.9.x, 2.10.x, 2.11.0, 2.11.1, and 2.11.2, but not 2.11.1-tct or 2.11.2-tct.
Release 2.11.2-tct
This release is only supported on the Thales TCT k160. It is not supported on Thales TCT k570 or any other CipherTrust Manager model. It is only available directly from Thales TCT.
This release resolves an error identified in 2.11.1-tct that prevented successful restore operations in the k160. Thales TCT recommends installing 2.11.2-tct instead of 2.11.1-tct.
Caution
In order to upgrade to V2.11.2-tct, the current version must be either V2.8.0-tct or 2.11.1-tct. Any other version will require a downgrade to V2.8.0-tct first before applying version V2.11.2-tct. It is highly recommended to take a backup before any upgrade or downgrade to ensure data is preserved. If the k160 is running V2.11 or higher (with the exception of 2.11.1-tct), take a full system backup, downgrade the appliance to V2.8.0-tct, apply the V2.11.2-tct upgrade and restore from backup. Systems running 2.11.1-tct may directly apply the 2.11.2-tct patch. Please contact TCT Customer Support for any assistance required for upgrade or downgrade.
Release 2.11.2
The 2.11.2 release includes bug fixes described in Resolved Issues.
This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager version 2.8.x, 2.9.x, 2.10.x, 2.11.0 or 2.11.1, but not 2.11.1-tct.
Release 2.11.1-tct
With the release of 2.11.2-tct, 2.11.1-tct is deprecated and should not be used.
2.11.1-tct Changes
Performance Improvements: Changes have been made to the startup process of the k160 to streamline boot up and performance.
Maintenance Mode: The CipherTrust Manager k160 supports registration of more than one token HSM. In order to prevent unexpected system restarts when inserting and removing secondary token HSMs, a “maintenance mode” has been added. This maintenance mode should only be used when registering a secondary token HSM and disabled during normal system operations.
Maintenance Mode Usage
To use Maintenance Mode, you must first install the CLI tool from the CipherTrust Manager k160.
Turn on Maintenance Mode
ksctl hsm tokens maintenance set --maintenance-on
Turn off Maintenance Mode
ksctl hsm tokens maintenance set --maintenance-off
Get Maintenance Mode Status
ksctl hsm tokens maintenance status
A response is returned similar to the following:

```json
{
  "mode": false
}
```

"mode": true indicates that Maintenance Mode is ON.
"mode": false indicates that Maintenance Mode is OFF.
Note
When maintenance mode is ON, the token HSM removal event handler is disabled. Therefore, the CipherTrust services will not be restarted on a token removal.
When maintenance mode is ON, the HSM IsAlive status remains in whatever state it had before maintenance mode was enabled. If the system reported the HSM offline before maintenance mode was enabled, it keeps reporting the HSM offline while maintenance mode is on, even if a token is inserted afterwards; likewise, if it reported the HSM online, it keeps reporting it online even if a token is removed.
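As an added example that is not part of the release notes or of the ksctl tool, the following POSIX shell wrapper runs a secondary token HSM registration step with maintenance mode on and switches it off again afterwards, even when the step fails. It assumes ksctl is installed and logged in; the KSCTL variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the CipherTrust Manager release notes or of ksctl.
# Assumes ksctl is installed and logged in; KSCTL lets you point at another path.
KSCTL="${KSCTL:-ksctl}"

# Interpret the JSON printed by `ksctl hsm tokens maintenance status`.
# Prints "on", "off" or "unknown" (anything unexpected is treated as unknown).
mode_from_status() {
    case "$1" in
        *\"mode\":*true*)  printf 'on\n' ;;
        *\"mode\":*false*) printf 'off\n' ;;
        *)                 printf 'unknown\n' ;;
    esac
}

# Current maintenance mode as "on", "off" or "unknown" (also unknown if ksctl fails).
current_mode() {
    out=$("$KSCTL" hsm tokens maintenance status 2>/dev/null) || out=''
    mode_from_status "$out"
}

# Switch maintenance mode: maintenance_mode on | maintenance_mode off
maintenance_mode() {
    "$KSCTL" hsm tokens maintenance set "--maintenance-$1"
}

# Run "$@" (for example the registration of a secondary token HSM) with
# maintenance mode ON, then switch it OFF again even if the command failed,
# so the token removal event handler is not left disabled during normal operation.
# Returns the command's exit status, 2 if maintenance mode could not be entered
# cleanly, or 3 if it did not return to OFF.
with_maintenance_mode() {
    if [ "$(current_mode)" != "off" ]; then
        echo "maintenance mode is not OFF (or status unreadable); not proceeding" >&2
        return 2
    fi
    maintenance_mode on || return 2
    if "$@"; then rc=0; else rc=$?; fi
    maintenance_mode off || true
    if [ "$(current_mode)" != "off" ]; then
        echo "WARNING: maintenance mode still ON; run: $KSCTL hsm tokens maintenance set --maintenance-off" >&2
        return 3
    fi
    return "$rc"
}
```

Source the file and call `with_maintenance_mode <your registration command>`; the wrapper refuses to start if maintenance mode is already on, so a forgotten earlier session is noticed rather than silently extended.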
Release 2.11.1
Caution
The 2.11.0 release is no longer available for download and is not supported. 2.11.1 includes critical bug fixes and replaces 2.11.0. Upgrade directly to 2.11.1 or deploy new 2.11.1 instances.
The 2.11.1 release includes bug fixes described in Resolved Issues.
This release is available in all the formats and locations detailed in the Release Description. The upgrade can be applied directly on CipherTrust Manager version 2.11.0, 2.10.x, 2.9.x, and 2.8.x.
Platform
USB logs are now included in the host logs, to monitor activity on physical appliance USB ports. These logs are available in the downloadable debug logs tar.gz.zip and can be set to forward to an external syslog.
We have recently determined that the USB ports on the physical appliance are enabled after the bootup sequence. We are working towards disabling them completely in a future release, and have added monitoring as an immediate mitigation.
If you upgrade to 2.11 and have an existing syslog forwarder configured for host logs, USB logs are not forwarded immediately. Consult the advisory note for steps to manually force the syslog forwarder to forward USB logs.
Registered the well-known clients (KSCTL, NAE, Web-UI, and API playground) as public clients.
Expansion of the quorum feature for CTE specific bulk operations using API.
Support added for RSA-PSS padding with pre-computed hash for Sign/SignVerify operations.
Added ability to monitor KMIP and NAE cryptographic and key management operations through Prometheus and Grafana.
Extended support for Secure Trusted Channel (STC) mode to Luna network HSM connections in connection manager using the GUI.
Added support to modify the network interface settings for existing interfaces (NAE/KMIP/WEB).
Added the ability to re-encrypt data using the REST interface.
Added administration of user login based on client type: unregistered, public, and confidential clients.
Added control of user impersonation behavior for KMIP and ProtectApp/NAE clients.
Added auto-registration support for NAE clients.
Added an option to allow unregistered clients to register themselves on CipherTrust Manager using the NAE interface.
Support added to deploy the CipherTrust Manager AMI in AWS China region.
Introduced Prometheus metrics for CTM resources (licensing, user-management, key-rotations, and backups).
Expansion of the quorum feature to delete GWS CSE endpoints.
Support added for domain level backup and restore for CCKM resources (Projects, Google External Key Manager (EKM) Endpoints and Cryptospaces).
The system-generated auto key rotation scheduler is now disabled by default for new deployments. In previous releases, it was enabled by default.
The ProtectV tile has been removed from the CipherTrust Manager GUI. Refer to ProtectV for details.
Introduced new alarm which triggers when one or more licenses is set to expire in fewer than 90 days.
Support for upgrading the embedded PCIe HSM in the TCT CipherTrust Manager k570 appliance model.
Support for using a Luna Backup HSM to backup and restore root of trust keys for Thales CipherTrust Manager k570 appliance models.
Caution
Ensure that the Thales CipherTrust Manager k570 meets the required configuration before restoring root of trust keys. Failing to do so can result in the CipherTrust Manager application becoming unavailable after reboot, requiring customer support to recover.
New offline in-place cluster upgrade available from 2.10.x or 2.11.0 to 2.11.1, which allows for upgrade in fewer steps than the existing cluster upgrade methods. This upgrade requires an additional cmupdate utility available on the support portal.
Support for supplying existing HSM keys to be root of trust keys.
Added GUI options for creating, editing, and deleting HSM-anchored domains.
HSM-anchored domains are now fully supported and no longer technical preview.
Added support for Elasticsearch version 8 with the CipherTrust Manager Elasticsearch log forwarder.
Limitations
If a domain has more than 1000 cryptographic objects (keys and opaque objects), it is recommended to use KeyNamesRequest instead of KeyQueryRequest to fetch keys. The response time of KeyQueryRequest is proportional to the number of keys on the CipherTrust Manager, so it may lead to a timeout exception on the client side.
Currently, the log forwarders are not configured to use the system's proxy configuration. If a proxy is configured, the log forwarders bypass the proxy servers.
The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.
During client renewal, if another client with authentication_mode set to dn already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and a different subject DN. For local CAs, it is not required to delete the client to be renewed; instead, set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.
Deprecated Feature(s)
Local database logging for server and client records is now deprecated, and disabled by default to reduce cluster traffic and disk usage. We recommend viewing records using the Loki Grafana microservice instead, visible in the GUI under Records > Loki Audit Records.
From CipherTrust Manager version 2.9 onward:
The 'global' user doesn't get generated on restart.
The 'global' user cannot be created.
While upgrading to CipherTrust Manager 2.9, the 'global' user gets deleted.
In a mixed cluster environment of CipherTrust Manager 2.8 and 2.9, if a 'global' user exists, you cannot log in as the 'global' user.
While upgrading to CipherTrust Manager 2.9 or in mixed cluster environment, if a 'global' user is deleted, the keys owned by the 'global' user will be accessible to the 'Key admin' or 'admin' groups. The NAE/KMIP users can also access these keys.
Application Data Protection
Added trial licensing enforcement for DPG.
CCKM
Provided GUI to manage Azure certificates and Azure secrets.
Enhanced the Scheduler GUI to automatically rotate AWS and Azure keys after a specific number of days of their creation or the last rotation.
Added capability to schedule key rotation at the Azure key vault level using the GUI.
Added support for migration of CCKM Enterprise source keys from Data Security Manager (DSM) to the CipherTrust Manager.
Added support for migration from CCKM Appliance with CipherTrust Manager as Key Source to the CipherTrust Manager.
Added capability to generate and verify Hash-based Message Authentication Codes (HMAC) for AWS symmetric keys.
Ability to get alerts/notifications for the AWS and Azure cloud key expiry events.
Added support for Cloud KMS key management mode for Google EKM via a Virtual Private Cloud (VPC) connection to allow users to create, rotate, or destroy coordinated EKM keys through the Google console.
Added support for Google EKM through a VPC.
Added capability to allow the selection of all of the versions of an existing CipherTrust Manager key when creating an EKM endpoint.
The XKS performance numbers for both the CipherTrust Manager and Luna HSM (as key sources) have improved for this 2.11.1 release.
Added the Google Cloud EKM Records public query to the available Loki filters on the GUI.
CTE
Added capability to collect and download the latest information about individual CTE Agents to the CipherTrust Manager GUI.
Added capability to automatically execute supported quorum operations as soon as the last approver approves the quorum.
Extended CipherTrust Manager's quorum control support to bulk deletion of clients and GuardPoints.
Removed the Unique to Client check box from the CTE tab of the Keys details page.
Note
CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.11 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.
CTE UserSpace
CTE UserSpace 10.0 is a new kernel-independent file encryption product based on CTE and CTE UserSpace (rebranded ProtectFile FUSE).
The resources of CTE UserSpace clients running 10.0 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can't be managed by the ProtectFile & Transparent Encryption UserSpace application.
This release does not support the following features:
Kernel Compatibility Matrix
Agent and System locks
CBC and XTS keys
COS, ESG, IDT, and LDT policies and GuardPoints
To manage the clients running the previous versions of the CTE UserSpace Agent, use the ProtectFile & Transparent Encryption UserSpace application only. Alternatively, upgrade those clients to CTE UserSpace 10.0 or a higher version.
Added capability to collect and download the latest information about individual CTE Agents to the CipherTrust Manager GUI.
Added capability to automatically execute supported quorum operations as soon as the last approver approves the quorum.
Extended CipherTrust Manager's quorum control support to bulk deletion of clients and GuardPoints.
Removed the Unique to Client check box from the CTE tab of the Keys details page.
DDC
Agent upgrade to version 2.6.1. This resolves a few problems, such as support for filters in the Exchange and Sharepoint data stores. See the Advisory Notes below for more information.
Support for scanning binary data in MongoDB and SAP HANA.
Support for the Exchange Server data store.
Removed support for legacy reports.
Support for remediation of the root path in the SMB network storage data store.
Support for different weights per InfoType. The risk formulas for Data Objects and Data Stores are now calculated based on the value and occurrences of each InfoType.
Enhanced Singaporean NRIC data type to include the new prefix "M" for Foreign Identification Numbers (FINs).
ProtectV
ProtectV is End-of-Life, as previously announced. From CipherTrust Manager 2.11 onward, the ProtectV tile has been removed from the CipherTrust Manager GUI and registering ProtectV clients is no longer supported.
Refer to End-of-Sale and End-of-Life Announcement SafeNet ProtectV for details.
Caution
DO NOT upgrade your CipherTrust Manager if you are still using ProtectV. Please decrypt any ProtectV-protected machines, remove ProtectV configurations, or discard the protected machines before upgrading to CipherTrust Manager 2.11.
CDP
Added support for the following operations on CipherTrust Manager UI for Oracle, MSSQL, and DB2:
Encrypt
Decrypt
Delete old data
Delete views and triggers
Create views and triggers
Create domain index
Resume/cancel/restore jobs
View job history
Configure migration server
For details, refer to the CDP Admin Guide.
Resolved Issues
This table lists the issues resolved in 2.11.6.
Issue | Synopsis |
---|---|
KY-90913 | If you configure both a static network bond and disk encryption, reboot the appliance, and unlock the disk, the network does not come up. |
KY-90739 | CCKM: SAP key management APIs don't work behind a proxy. |
This table lists the issues resolved in 2.11.5.
Issue | Synopsis |
---|---|
KY-82370 | In a configuration with multiple Luna Network HSMs in high availability mode configured in the connection manager, when the HSM in use becomes unavailable, CCKM occasionally doesn't failover to the remaining HSMs. |
KY-82266 | CDP: A non-admin user of the ProtectDB Users group can't migrate tables on the CipherTrust Manager. |
KY-81547 | AWS: Key rotation doesn't succeed if the AWS connection no longer has access to the KMS keys. |
KY-74128 | If the LDAP connection property User's distinguished name (user_dn_field) is set to distinguishedName for LDAP Group Mapping, when the user or client authenticates, it loses all permissions in fewer than 5 minutes. |
KY-76082 | Google Workspace: Users with the Connection Admins, CCKM Admins, and CCKM Users group permissions can't create and list issuers. |
KY-72210 | AWS, Azure, and Luna HSM GUI: When adding a new container or changing the connection of a container, the GUI lists only 10 connections. |
KY-77201 | Unable to create a version, if the migrated key with the same 'id_long' value and a different 'name' exists in another domain. |
This table lists the issues resolved in 2.11.4.
Issue | Synopsis |
---|---|
KY-75452 | The auto-registered clients don't get auto-renewed after expiration. |
KY-72032 | When performing EC encryption and RSA signing using the same connection, the RSA signing fails. |
KY-65947 | If you attempt to add an alarm configuration from a specific record using the UI's Add Alarm Config from Record option, the conditions for boolean type fields are populated incorrectly. For example, the UI sets conditions such as input.success == "true,boolean" or input.success == "false,boolean" which are not in compliance with Open Policy Agent's Rego query language, and will not trigger alarms correctly. |
This table lists the issues resolved in 2.11.3.
Issue | Synopsis |
---|---|
KY-71188 | Users in the Key Admins group are unable to create a new key version for a key owned by another user. |
KY-71050 | If a local user is created with a different username and full name, that user cannot change its own password. |
KY-66135 | If you add an NTP server more than 1024 times and then restart all services, multiple services fail to restart. The server audit records contain a message Following services have stopped after starting: followed by a list of services. |
KY-62563 | After auto-registering a client, the server audit record for creating a token has an incorrect value for client_id. |
KY-62196 | CTE LDT policies which have "allow browsing" checked for the first secure rule, which is a legacy configuration from DSM version 5.x, are not migrated to CM correctly. The migration fails with the error [NCERRBadRequest: Bad HTTP request]: Invalid Params supplied. With LDT policy, first security-rule must be created with action as key_op, effect as applykey,permit, browsing(partial_match) as disabled and without any UserSet/ProcessSet/ResourceSet present. |
KY-67193 | CipherTrust Manager allows changing the key rules on active GuardPoints. |
KY-61292 | In a configuration with multiple Luna Network HSMs acting as root-of-trust in high availability mode, when the HSM in use becomes unavailable, the CipherTrust Manager occasionally does not failover to the remaining HSMs, and CipherTrust Manager becomes unavailable. |
KY-47374 | If you migrate a non-exportable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "exportable". |
This table lists the issues resolved in 2.11.2.
Issue | Synopsis |
---|---|
KY-65653 | Refresh tokens created by NAE/KMIP services are not cleaned up after closing the connection. This affects the NAE/KMIP performance when the refresh token count reaches a couple of million. |
KY-65520 | CCKM: System might appear slow when the cloud event logs are more than 10 million. |
KY-64877 | If you upgrade a CipherTrust Manager which has more than 100 domains and then perform a service reset, the system might fail to come up. |
KY-64767 | After upgrade, if a system was previously configured to send host syslog messages, USB syslog messages may not appear. |
KY-64755 | After creating an EKM-UDE endpoint on CCKM with Confidential VM for unwrap selected, the error associated with the decryption of data from a non-confidential VM is not logged in the CipherTrust Manager Loki logs. However, it should have been logged as this operation is not allowed for the given EKM-UDE endpoint when Confidential VM for unwrap is configured. |
KY-64654 | Details regarding the keyupdate ACL are visible in both the CCKM REST API and CLI documentation. However, this ACL should no longer be featured in the documentation as it has been superseded by the cacheonlykeyupdate ACL. |
KY-64652 | When creating a new schedule using post /v1/scheduler/job-configs without specifying the disabled parameter, CCKM fails to set this parameter to the default value of false. |
KY-60595 | If you attempt to create a domain with an existing name, the domain creation fails as expected. However, you can no longer delete the user specified as the domain administrator. |
KY-59952 | Only the 10 most recent alarm configurations are listed in the GUI. |
KY-55467 | NAE FPE batch crypto request fails for rapid encryption requests. This leads to failure of all crypto requests thereafter. |
This table lists the issues resolved in 2.11.1.
Issue | Synopsis |
---|---|
CM-19 | Thales TCT k570 does not support external JWT rotation. |
CM-18 | Thales TCT k570 model does not support HSM Firmware Upgrade (in field). |
CM-17 | Thales Trusted Cyber Technologies (TCT) k570 model does not support key rotation for HSM root key. |
KY-62444 | Google Workspace CSE: When editing an endpoint, already added authentication audience is not visible. |
KY-61307 | After you join a new node to a CipherTrust Manager cluster and restart cluster members, cluster member backup keys become inactive. |
KY-58932 | Problem: If you have configured a legacy syslog connection through Admin Settings using TCP as transport, logs with a packet size larger than 1024 are trimmed which causes partial log messages to be sent. |
KY-57693 | Problem: [ksctl] Migration of ProtectFile resources from SafeNet KeySecure to the CipherTrust Manager results in the error, "DFS Alias is only configurable when DFS is enabled." |
KY-56713 | During the key activation, the KMIP client truncates the Activation date. When a user adds the ProcessStartDate, it precedes the ActivationDate and gives the following error: "ProcessStartDate can not precede ActivationDate." |
KY-60505 | On upgrading the CipherTrust Manager from previous versions to 2.11, KMIP clients face authentication issues. |
KY-61918, KY-61556 | Problem: [Google Cloud]: The Refresh All option refreshes only 10 key rings. The remaining key rings are ignored. |
KY-61913 | If you attempt to use the UI to add an additional Luna T-Series HSM partition to a root-of-trust high availability group, incorrect settings are presented, such as ESN (Electronic Serial Number). |
KY-60716 | If you migrate RSA keys from KeySecure Classic to CipherTrust Manager, the key permissions change from encrypt to decrypt, and from decrypt to encrypt. |
KY-60674 | Caching of keys was not fully implemented in CCKM with the result that every encrypt request would lead to CipherTrust Manager checking the latest key version. This checking of latest key version in turn decreased CCKM's encrypt performance when compared to its decrypt performance. This issue is now resolved. |
KY-60264 | Problem: Issues observed in managing AWS keys through an assumed role when the CipherTrust Manager is deployed in VPC. |
KY-60187, KY-60211 | Can't configure KMIP connection in domains when the username is specified in the KMIP auth tag request. |
KY-60146 | After upgrade from 2.10 to 2.11, the OpenID connection available through Access Management for authenticating CM users stops working. OIDC users can no longer authenticate. Resolution: Upgrading to 2.11.1 restores OIDC connection functionality. |
KY-60129 | In case of auto registration, the KMIP operations in the domain fail for the assigned/created users if the registration token is created in the root domain. |
KY-59971 | Problem: [OCI]: Generation of a Key Aging Report for a vault with a large number of keys becomes nonresponsive. |
KY-59952 | Problem: Only the 10 most recent alarm configurations are listed in the GUI. Workaround: Manage alarm configurations through the ksctl records alarm-configs CLI commands or the /v1/audit/alarm-configs REST API endpoint. |
KY-59969 | Problem: While creating an Azure connection, thumbprint of the Application certificate generated on the CipherTrust Manager does not match with the thumbprint of the certificate after it is uploaded to Azure Service Principal (SPN). |
KY-59976 | Problem: [Google Cloud]: Keys cannot be uploaded using the GUI when more than 10 key rings are added to the CipherTrust Manager. |
KY-59727 | The KMIP and NAE clients in domains don't work properly after upgrading to 2.11. It can lead to the restart of the NAE service where NAE clients are registered. |
KY-59714 | AWS XKS (HYOK) in unlinked mode is not working properly. Keys created on CCKM in the unlinked mode disappear from the AWS keys list after the Refresh action on the UI and Sync operation on the API. Conversely, if an unlinked AWS XKS (HYOK) key is created on the AWS console, a new key will appear on the CCKM AWS Key List with an incorrect origin (HYOK-External) after a Refresh or Sync operation on the UI or API. |
KY-59607 | When attempting to verify the JWT within https://www.googleapis.com/oauth2/v3/certs, a connectivity problem occurs. After invoking GET /api/v1/cckm/ekm:getInfo to retry the connection, it hangs until the client abandons the attempt. |
KY-59649 | Problem: Encrypted virtual instances lose network connectivity after an hour. |
KY-59483 | Problem: OCI test connection does not work if the OCI user has access to only a sub-compartment. |
KY-59304 | When creating a duplicate Google EKM endpoint, the error message that displays now correctly indicates an endpoint with the same name already exists. |
KY-59341 | Problem: The /auth/tokens API endpoint sometimes returns a renewed Refresh Token (refresh_token) with a longer than requested lifetime (refresh_token_lifetime). |
KY-59268 | Previously, when attempting to create an AWS CloudHSM key store with an invalid AWS cluster ID, the CCKM would return a status code of 409. However, CCKM should return a status code of 400. This issue has been resolved. |
KY-59220 | Problem: KeyQueryRequest doesn't work properly if the system (all domains) has more than 1000 cryptographic objects (keys and opaque objects). |
KY-58956 | Problem: If you test an AWS connection which has an Assume Role, the test fails with the error AccessDenied: Cannot call GetSessionToken with session credentials. |
KY-58938 | When an unauthorized user requests a resource with an incorrect relative resource name (one that does not match the key path), CipherTrust Manager returns HTTP 400 with a status code of INVALID_ARGUMENT. CipherTrust Manager now correctly returns HTTP 403 with a status code of PERMISSION_DENIED based on the results of its authorization check and conformance to Google's guidance relating to requested user operations and authorization checks. |
KY-58716 | GWS CSE: Unable to assign multiple authentication audience for GWS CSE endpoints on the GUI. |
KY-58256 | In KMIP, you cannot set a key's ProcessStartDate to the same value as the ActivationDate. The Result Message "ProcessStartDate can not precede ActivationDate" is returned. |
KY-57268 | When the CipherTrust Manager is upgraded to 2.10 or higher, decryption of Google Workspace CSE documents encrypted with an endpoint URL created on the CipherTrust Manager version 2.4 through 2.9 fails. The unwrap API returns the error "The authorization service doesn't match the service's wrapped Key". |
KY-56836 | Problem: Azure key rotation job might become nonresponsive in "running now" state. |
KY-56774, KY-57495 | Problem: [AWS GUI]: Unable to add an AWS key when a policy is applied using both Raw and Basic format with the roles and users. |
KY-60861 | Problem: In CipherTrust Manager 2.11, APIs to manage impersonated users for NAE and KMIP clients were causing issues in some use cases. These APIs have been removed. |
KY-59361 | Problem: [KMIP]: In CipherTrust Manager 2.11, the GetAttributes and GetAttributeList operations don't work with the unique identifier of the key. |
KY-58997 | RESTful Data Protection tile displayed in CM web console GUI. |
KY-55908 | Problem: In CipherTrust Manager 2.11, for Luna HSM connections, a connection can not use a Luna HSM Partition in a domain if there is already a connection with the same partition in other domain. |
KY-55891 | Creating an Azure connection using Certificate fails intermittently. |
KY-53560 | Google Workspace CSE: Unable to assign multiple authentication audience for GWS CSE endpoints on the GUI. |
KY-53513 | AWS External Key stores cannot be deleted within CCKM even when all of the keys in the key store are in a deleted state. |
KY-52933 | Only the ten most recent alarm configurations generate alarms for server or client audit records. For example, if you add an 11th alarm configuration, the 1st alarm configuration is no longer used for generating alarms. |
KY-52498 | CTE for Windows Clients: Directories under drives on clients are invisible and cannot be browsed when creating GuardPoints on client groups. |
KY-52289 | If you have multiple nShield Connect HSMs configured as root of trust, you cannot delete the HSM in the CipherTrust Manager web console GUI. |
KY-52290 | You cannot add an additional nShield Connect HSM as a root of trust through the CipherTrust Manager web console UI, to operate in high availability with an existing nShield Connect HSM. |
KY-52237 | The state of a pending CA changes to expired after the restart. This breaks the connection/integration of any KMIP or VSAN client. |
KY-52180 | The Re-sign Settings toggle on the Client Settings tab remains enabled after settings are pushed to the CTE agent. |
KY-52213 | If you restore a backup and attempt to create a backup shortly afterwards, the backup stays in progress for a long time and eventually fails. |
KY-52172 | If you deselect a region for a custom key store, resources from that region are still visible. |
KY-52134 | XKS Performance impact due to validations of account and region. |
KY-52075 | You are not prevented from restoring a backup from an HSM-anchored domain to a target domain without the correct domain KEK. The domain contents are inaccessible after restore. |
KY-51920 | CipherTrust Manager k570 models can sometimes lose network connectivity, showing the errors PCIe link lost, device now detached and igb 0000:01:00.1 eth1: malformed Tx packet detected and dropped, LVMMC:0xffffffff in kern.log and syslog host log files available in debug logs download or through ksadmin SSH access. |
KY-51759, KY-51754 | When quorum is enabled, if you perform an operation to delete clients or GuardPoints in bulk, the quorum is created in pre-active state. |
KY-51707 | GUI displays options for key rotation for Google EKM keys, including applying a rotation schedule. These options are inapplicable for Google EKM keys. |
KY-49086 | The POLICIES section of the AWS Keys details page does not show the roles associated with the key in the basic policy view. |
KY-46776 | GUI shows EC and RSA key types when adding keys to Azure-managed HSM vaults. These key types are no longer visible on the GUI when adding keys to Azure-managed HSM vaults. |
KY-42685 | Unable to resolve the database conflict when: 1. Two nodes are disconnected and a user is created with the same name on both nodes. 2. The same subject_dn value is updated. 3. The nodes are reconnected. |
KY-20310 | When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error. Workaround: Disregard the timeout error. |
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
Key Refresh Issue with Unlinked AWS XKS (HYOK) Keys
In CCKM v2.10.0, v2.10.1, and v2.10.2, AWS XKS (HYOK) in unlinked mode is not working properly. Keys created on CCKM in the unlinked mode disappear from the AWS keys list after the Refresh action on the UI or Sync operation on the API.
Conversely, if an unlinked AWS XKS (HYOK) key is created on the AWS console, a new key will appear on the CCKM AWS Key List with an incorrect origin (HYOK-External) after a Refresh or Sync operation on the UI or API.
Thales recommends customers running CCKM with AWS XKS (HYOK) in unlinked mode to not trigger the Refresh or Sync operation on the UI or API and upgrade to version 2.11.1, 2.12.0, or higher when available.
USB Host Logs are Not Immediately Forwarded on Upgrade
If you have an existing syslog forwarder configured for host logs, and upgrade to 2.11, the USB host logs are not immediately forwarded. You need to manually force the syslog forwarder to update completely. This can be achieved in one of two ways.
Using the modify command:
1. Use `kscfg syslog forwarder modify --id <syslog_forwarder_id> --<another_option> <temporary_value>` to force the update.
2. Use `kscfg syslog forwarder modify --id <syslog_forwarder_id> --<another_option> <original_value>` to reset to the original value.
Deleting and recreating the syslog forwarder:
1. View the syslog forwarder's current configuration values with `kscfg syslog forwarder get --id <syslog_forwarder_id>`. Note down or otherwise retain these configuration values.
2. Delete the existing syslog forwarder with `kscfg syslog forwarder delete --id <syslog_forwarder_id>`.
3. Re-create the syslog forwarder with `kscfg syslog forwarder add`, including any options necessary to set the original configuration values. These options are documented here.
NextGen KeySecure and ProtectFile End-of-Support in 2023
NextGen KeySecure firmware and the ProtectFile connector will be End of Support in December 2023.
In most cases, you can upgrade from NextGen KeySecure to CipherTrust Manager directly. If you are running the legacy k450 or k460 hardware model, you must migrate data to the k470 or k570 model.
We strongly recommend migrating ProtectFile to CTE or CTE Userspace.
Luna Network HSM 5.x and 6.x are no longer supported as Root-of-Trust for CipherTrust Manager
As Thales has passed the end-of-support date for Luna Network HSM 5.x and 6.x, CipherTrust Manager no longer supports those versions for root of trust. CipherTrust Manager does not prevent those versions from being set up as root of trust, so, to our knowledge, upgrading will not disrupt existing root-of-trust connections. Consult the End of Sale and End of Support announcement, the Luna Network HSM 7 documentation, and the Data Protection on Demand and Luna Cloud HSM documentation for migration information.
Quorum
Do not enable quorum on the `ManagePolicyAttachment` and `DeletePolicy` operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.
KeySecure Classic Hardware No Longer Supported
CipherTrust Manager firmware version 2.8 or above is not supported on KeySecure Classic k450 and k460 hardware. Refer to Migrate from KeySecure Classic for information on migrating KeySecure Classic data to CipherTrust Manager hardware.
SMB Connection
The `Host` and `Port` fields must be specified together, or neither of them. If `Host` and `Port` are not specified while creating an SMB connection, these fields cannot be added later.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key, CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend that future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on the default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend using CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM, or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.
Caution
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the `RandomIV` object in the `Cryptographic Parameters` attribute to true, or provide your own secure IV in the Request Payload as an `IV/Counter/Nonce` object.
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
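The following Go example is added here to illustrate the advisory above; it is not CipherTrust Manager or client-library code. It uses only the Go standard library, constructs its own demo key and records, and adopts the convention of storing the IV or nonce as a prefix of the ciphertext so that the value needed for later decryption travels with the data. It contrasts a reused IV (the failure mode of relying on one stored default) with a fresh random IV per AES CBC request, and shows the same per-request nonce discipline for AES GCM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad pads data to a whole number of AES blocks (PKCS#7) without
// modifying the caller's slice.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts with AES-CBC under a caller-supplied IV and returns
// iv || ciphertext, so the IV needed for later decryption travels with the
// data. The IV is a parameter only so this example can contrast a reused IV
// with a fresh one; applications should call EncryptCBCRandomIV instead.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one AES block")
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// EncryptCBCRandomIV draws an unpredictable IV from crypto/rand for every
// request, as NIST SP 800-38A requires for CBC.
func EncryptCBCRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return EncryptCBC(key, iv, plaintext)
}

// FirstBlockEqual reports whether two CBC outputs share their first
// ciphertext block (after the IV prefix). Under a reused IV, records with
// the same first plaintext block produce the same first ciphertext block,
// which tells anyone holding the ciphertexts that the records start alike.
func FirstBlockEqual(a, b []byte) bool {
	return bytes.Equal(a[aes.BlockSize:2*aes.BlockSize], b[aes.BlockSize:2*aes.BlockSize])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM uses a fresh 96-bit nonce per request (NIST SP 800-38D) and
// returns nonce || ciphertext || tag. A nonce repeated under the same key
// breaks both confidentiality and integrity of GCM, so it must never be a
// stored default.
func EncryptGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptGCM reads the nonce prefix and verifies the tag before returning
// plaintext; any change to nonce, ciphertext, tag or AAD is rejected.
func DecryptGCM(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

func main() {
	// Constructed demo key; in practice the key lives in the key manager.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	a, _ := EncryptCBCRandomIV(key, []byte("record 0001: same prefix, tail A"))
	b, _ := EncryptCBCRandomIV(key, []byte("record 0001: same prefix, tail B"))
	fmt.Println("random IV, first blocks equal:", FirstBlockEqual(a, b)) // false
}
```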
Some Key States Change After Upgrade
After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
As you cannot upgrade directly from 2.4 to 2.11, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.
When a key has an NAE state of `Retired` and the deactivation date is set in the future, the key is set to `Deactivated` immediately upon upgrade. No cryptographic operations are allowed.
When a key has an NAE state of `Restricted` and the Protect Stop Date is set in the future, the key is set to `Active` and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
When a key has an NAE state of `Active` and the Activation Date is not set, the Activation Date is set to the current time. All cryptographic operations are allowed.
When a key has an NAE state of `Active` and the Activation Date is set in the future, the key is set to a `Pre-Active` state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
When a key has a state of `Deactivated` before upgrade, its state is unchanged after upgrade. However, the allowed operations for the `Deactivated` state change in 2.5: the key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.
System Upgrade and Downgrade Supported Releases
System upgrades on a single unclustered device have been tested from the latest patch versions of 2.8.x, 2.9.x, and 2.10.x. We also tested upgrades from a lower 2.11.x patch version, such as 2.11.2, to a higher patch version, such as 2.11.5.
Note
If you are upgrading a Thales TCT k160 device to 2.11.2-tct, refer to the Release 2.11.2-tct feature descriptions for supported upgrade paths and details.
Note
Upgrades from other versions have not been tested and may not work correctly.
An unclustered CipherTrust Manager 2.11.x can be downgraded to 2.10.x for test purposes. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Warning
As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade.
The cluster upgrade section provides instructions to perform an upgrade on a cluster of devices. Supported upgrade paths depend on the method used to upgrade the cluster.
In-place offline cluster upgrade is supported from 2.10.x, 2.11.0, 2.11.1, 2.11.2, or 2.11.3.
Cluster remove/rebuild is supported from 2.8.x, 2.9.x, 2.10.x, 2.11.0, 2.11.1, 2.11.2, or 2.11.3.
In-place cluster upgrade is performed from one minor version at a time, so there is no limit on starting version.
Restoring a backup from release 2.8 or later is supported; however, restoring a newer backup to an older version is never supported.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Key Usage Mask Selection
If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.
DDC
Upgrading DDC
After you upgrade DDC to version 2.11, you cannot downgrade it to any previous version.
Clusters
Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail, which gives the impression that DDC fails randomly.
Licensing
Overlapping licenses are not supported (except for the trial license).
EOS for Legacy Reports
The support for Legacy Reports has been dropped in DDC 2.11.
EOS for KCT Datastore
End of Support for KCT Datastore Format in DDC 2.11.
Upcoming End of Support for Platforms and Features
Linux 2.4 Node Agents
Email Targets - Microsoft Exchange (EWS)
Microsoft 365 - Exchange Online (EWS)
Web Browser - Internet Explorer
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default `minimum_tls_version` setting. This setting controls the lowest TLS version accepted for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Client Platforms
The following client platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
CADP for .NET Core: minimum version 8.11.0
CADP for C: minimum version 8.14.0
CADP for Java: minimum version 8.13.0
CipherTrust Application Key Management
CAKM for Oracle TDE: minimum version 8.10.0
CAKM for Microsoft SQL Server EKM: minimum version 8.5.0
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
CDP for Oracle: minimum version 8.12.0
CDP for MSSQL: minimum version 8.12.0
CDP for DB2: minimum version 8.12.0
CDP pdbctl: minimum version 1.5.1
CipherTrust Teradata Protection: minimum version 6.4.0.12
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 10.0
CipherTrust Transparent Encryption for Kubernetes
Minimum version 1.0.0
CipherTrust Vaulted Tokenization
Minimum version 8.7.1
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
ProtectFile
Note
ProtectFile will be End of Support in December 2023. We strongly recommend migrating to CTE or CTE Userspace.
Minimum version:
ProtectFile Windows 8.12.3
ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)
The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.
Note
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, the DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured for TLS 1.2 only, install ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 3.1.5.1 or newer.
If you have an existing TDP 3.1.5 cluster, you should apply the patch 3.1.5.1.
Following the TDP upgrade, you must configure the TDP HDFS service and the TDP Livy service again.
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
Reference | Synopsis |
---|---|
KY-92312 | Problem: If you attempt to configure an HSM root-of-trust on the CipherTrust Web UI, the UI sometimes displays a timeout error, but the HSM configuration succeeds. Workaround: Wait two minutes and refresh the page to see if the HSM configuration succeeded. If the HSM configuration fails, retry with the ksctl hsm setup --timeout 120 CLI command. |
KY-91730 | Problem: If a network interface connection goes down on a node, the cluster status for that node displays as ready on other nodes, even though the node is unreachable. |
KY-80554, KY-81695 | Problem: If a client certificate contains both OCSP and CRL URLs, the certificate revocation check (for NAE and KMIP clients) only considers the OCSP and never falls back to check the CRL even if the OCSP URL is inaccessible. |
KY-80453 | Problem: If you are using Entrust nShield Connect HSM as a root of trust, remove the admin card from the HSM, and then attempt to reboot the CipherTrust Manager, the CipherTrust Manager does not reboot successfully. Workaround: None. |
KY-77181 | Problem: Prometheus metrics with the node_ prefix are not exported. An error message, msg:fetching metrics for node_exporter:9100 failed with error: Get "http://node_exporter:9100/metrics, is present in the debug logs. |
KY-74556, KY-74128 | Problem: If the LDAP connection property User's distinguished name (user_dn_field) is set to distinguishedName for LDAP Group Mapping, when the user or client authenticates, it loses all permissions in fewer than 5 minutes. Solution: Update the LDAP connection property User's distinguished name (user_dn_field) to dn. |
CM-111 | Problem: When creating a backup on a k160 HA, the first attempt receives "errorMessage": "could not get wrapped mkek: [NCERRInternalServerError: unexpected error]:" Workaround: Attempt the backup again. |
KY-71188 | Problem: Users in the Key Admins group are unable to create a new key version for a key owned by another user. Workaround: Create a custom policy for a group to be able to perform key rotations on all keys. |
KY-71050 | Problem: If a local user is created with a different username and full name, the user cannot change its own password. Workaround: A user in the Users Admin group can edit the full name value to match the username value. |
KY-70603 | Problem: If you attempt to add an HSM-anchored domain through the CipherTrust Manager GUI, the operation times out with the error Failed to create domain kek in the debug logs. Workaround: Set the KSCTL_TIMEOUT value to 60 (corresponding to 60 seconds), and then use the ksctl domains create command to add the HSM-anchored domain. |
KY-66135 | Problem: If you add an NTP server more than 1024 times and then restart all services, multiple services fail to restart. The server audit records contain a message Following services have stopped after starting: followed by a list of services. Workaround: SSH in as ksadmin and restart the host daemon service using sudo systemctl restart host-daemon. |
KY-65539 | Problem: If the client registration fails when registering the client using the certificate, then an invalid entry may be displayed in the response. Workaround: Delete the client using the DELETE /v1/client-management/clients/{id} API. |
KY-64600 | Problem: If you create multiple automatic key rotation scheduled jobs, and they are scheduled to run at the same time, a key rotation intermittently fails with the message 'There is an ongoing key rotation job, cannot add another'. Workaround: Schedule automatic key rotation jobs to run at different times from one another. |
KY-64562 | Problem: Policy attachments can be detached (deleted) from system policies even though those policies are read-only. Workaround: Restart CipherTrust Manager to populate the deleted system policy attachment. |
KY-66351, KY-63083 | Problem: Clients registered in a deleted domain are not excluded from the License usage. Workaround: 1. Log on to the root shell. 2. Delete the entries of the clients registered with the deleted domain from the database. |
KY-63347 | Problem: The SNMP trap notification linkDown, indicating a network interface is down, is not sent immediately in a multi-NIC environment. The trap notification is sent after CipherTrust Manager reboot. |
KY-61517 | If you create a group mapping for an LDAP Access Management connection on a child domain, the UI lists an additional LDAP connection prefixed with the domain name. |
KY-61056 | Problem: After first restart/reboot of CipherTrust Manager for cluster certificate renewal, cluster nodes statuses still display as down. Workaround: Restart all CipherTrust Manager nodes one at a time once again. |
KY-60913 | Problem: Occasionally, if you change from a child domain to the root domain on the UI, an error "The connection does not exist." displays. Workaround: Log out and log in to the UI. |
KY-60595 | Problem: If you attempt to create a domain with an existing name, the domain creation fails as expected. However, you can no longer delete the user specified as the domain administrator. Workaround: Contact customer support to delete the user. |
KY-59762 | Problem: UI Search results are not retained for users when navigated to another page. |
KY-57097 | Problem: Users in the Read-Only Admins group are not able to download files for debug logs, web activity logs, NAE activity logs, or KMIP activity logs. Workaround: Create a new group and attach a policy with these allowed actions: "Read*", "List*", "Get*", "DownloadLogs", "UpdateLogLevel", "DownloadActivityLogs", "DownloadDebugLogs". |
KY-56358 | Problem: If you have a saved query for Loki audit server records, upgrade to 2.11.x, and attempt to load one, the UI shows blank page. Workaround: Delete the saved queries and recreate them. |
KY-56072 | If you create a domain-specific backup containing a pkcs12 key with one or more certificates, and then attempt to restore the backup, the pkcs12 key fails to restore. The message ERR \| key-hash mismatch error message:failed verifying key hash for key record: <key_id> err:failed verifying key fingerprints errVerbose: is present in the /opt/keysecure/logs directory accessible in a ksadmin SSH session. |
KY-64593 | Problem: If you create a Loki log forwarder connection with TLS configuration in connection manager and use the test connection function, the test fails with the error 400 Bad Request. Workaround: Disregard the test results and continue with Loki log forwarder configuration. To confirm records are being forwarded, perform an operation such as creating a test key and then check the Loki server to see if the operation appears in the logs. |
KY-61054 | Problem: While migrating from KeySecure Classic to CipherTrust Manager, if the local CA is signed by an external CA, the migration will fail for the local CA even if the external CA is added to the known CA list. Workaround: If an externally imported CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, the CA will be migrated as an external CA, but the certificates will not be migrated to the CipherTrust Manager. Therefore, to use the same certificate for the NAE/KMIP interface on the CipherTrust Manager, select the migrated external CA and upload its certificate manually by editing the NAE interface on the CipherTrust Manager. Similarly, if a local CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, use auto-generation or issue a new certificate and upload the certificate to the interface. |
KY-61892 | Problem: The NAE and KMIP clients get auto-registered even if the system property ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN is disabled, the user impersonated by the client certificate is not created in the root domain, and the registration token is generated in the root domain. However, the client won't be able to communicate with the CipherTrust Manager on any interface. |
KY-61722 | Problem: Deleting a domain that contains an NAE (ProtectApp) client returns status code 500. |
KY-60057, KY-60048 | Problem: Adding more than 26 external trusted CAs to KMIP interface throws "pq: payload string too long" error. |
KY-59993 | Problem: CipherTrust Manager does not validate the CA certificate file on creating or updating a legacy syslog connection in Admin Settings. |
KY-59705 | Problem: UI always shows server/client records disabled and logs ReadProperties authorization error for users in the Audit Admins group. |
KY-56426 | Problem: Deleted groups still show up in the key details information on the CipherTrust Manager. |
KY-55987 | Problem: If you have a scheduled job set to run on a particular cluster node, remove the node from cluster, and then rejoin it, the scheduled job runs on all cluster nodes instead. Workaround: After making any changes to cluster membership, update the scheduled job run_on parameter to reflect the current cluster node ID. |
KY-55416 | Problem: Alarms table does not support retention policy. Record based alarms will fill up the table. Workaround: Contact customer support. |
KY-54374 | • With legacy Syslog servers, there is a performance drop once the number of Syslog entries in the system exceeds 20. • The new log forwarders support a maximum of 100 connections internally. Each domain uses four matrices/labels, so if there are 25 domains (including root) in the system and all four are enabled, logs are forwarded for at most 25 domains. |
KY-54039, KY-55544 | Problem: Syslog message redirection from child domains to parent domains stops when 30 or more child domains enable this feature. |
KY-61402, KY-61299 | Problem: The emptyMaterial parameter is set to false for a destroyed key. As the key material is deleted, emptyMaterial should be set to true. |
KY-64823 | Problem: In a CipherTrust Manager cluster, when the same user (for example, user1) is created from disconnected cluster members and updated with same DN, on re-connect, duplicate users get created. This causes clients not able to retrieve their keys. Workaround: Delete the duplicate users. |
KY-59807 | Problem: Start CipherTrust Platform Evaluation request takes 18-20 seconds and Stop CipherTrust Platform Evaluation takes 12-15 seconds, and occasionally times out. Workaround: Reload the page. |
KY-59471 | Problem: The trusted CAs, in the existing custom interfaces, don't get replicated on a new node joining in a cluster. This leads to failure of the client (NAE, KMIP, and REST) authentication on the new node. Workaround: Update the trusted CA manually on the interface of that node where the issue persists. |
KY-59893 | Problem: Signature rules are not copied to a clone policy. Workaround: On the policy details page, manually add the missing signature rules. |
KY-59595, KY-56611 | Problem: In the GUI wizard to create a new registration token, the default local CA's common name incorrectly displays as "KeySecure Root CA". The KeySecure Root CA no longer exists on CipherTrust Manager. Workaround: Disregard this common name. This is a display issue only, and the Default CA's common name is "CipherTrust Manager Root CA". |
KY-56213 | Problem: If you attempt to create a Luna Network HSM STC partition in connection manager and upload a partition identity file, the upload fails with the error Code 14: NCERRInternalServerError: unexpected error. This is because CipherTrust Manager doesn't recognize the format of the partition identity file downloaded from Luna Network HSM. Workaround: Use the Linux command base64 -w0 on the partition identity file to convert it to base64 format, and then re-attempt the STC partition creation. |
KY-56071 | Problem: The CipherTrust Manager GUI cannot list keys when the number of keys on which key policies are applied increases. Workaround: Do not apply key policies to a large number of keys. |
KY-55725 | Unable to update the password of an SCP connection for backups. |
KY-56258 | A NonFatalError occurs when shutting down the CipherTrust Manager through vSphere. |
KY-55634 | Two quorums are generated for download backup key. |
KY-53816 | The activity.nae logs show key version 0 always. |
KY-53681 | Problem: You cannot delete the default backup key if it is uploaded from another domain. Workaround: Contact customer support. |
KY-53631 | Problem: OIDC group mapping is allowed even though it is not supported. If a user in the group attempts to login, the login fails with server error response. Workaround: Delete the invalid group mapping. |
KY-52137 | Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded. Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys. |
KY-51664 | Problem: When nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a ServerAccessDenied error, and CipherTrust Manager raises the HSM is offline system alarm. Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts. |
KY-49376 | Problem: If a CipherTrust Manager is deployed at a version lower than 2.8, a CTE license is installed, and the CipherTrust Manager is upgraded to 2.8 or higher, the displayed CTE license usage count is incorrect. Workaround: In a domain with pre-existing CTE clients, create or register a new CTE client, and then delete the new client. |
KY-49126 | Problem: After the external CA is uploaded on the CipherTrust Manager, the GN and DC fields are not displayed as part of the record. |
KY-49082 | Problem: If you set a CipherTrust Manager to use a non-default port for the web interface, other than 443, you cannot join the CipherTrust Manager to a cluster. The join operation hangs and never completes. Workaround: Enter the IP address and port in the Public address of the new node field, disable the Cluster address is the same as the Public address checkbox, and then enter the IP address without the port in the Cluster network address of the new node field. |
KY-48284 | Problem: Domain backups with local users cannot be restored into another domain in the same cluster. Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered. |
KY-47184 | Problem: After upgrade, services sometimes fail to restart with an error message starting with Forcing migration for retry. Workaround: Contact customer support to recover from this state. |
KY-55166 | Problem: If you edit the default port value on the web or KMIP interface, and then join the CipherTrust Manager to a cluster, web or KMIP requests directed to the changed port value fail on other nodes. This is true even though the nodes in the cluster display the new, correct port value for these interfaces. Workaround: On CipherTrust Manager nodes with failing requests, change the interface port number to a temporary value, and then change the interface port number again to the desired value. |
KY-39354 | Problem: Scheduled Partial Domain Backups and Domain Backups fail when there is an SCP connection. The backup file is created on CipherTrust Manager, but it is not forwarded through SCP, and the file is invalid. Workaround: If scheduled backup through SCP is needed, create a System Backup. |
KY-39235 | If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain. |
KY-37961 | Problem: If you add a user only to the "CTE Admins" group and attempt to create a registration token on the UI, the operation hangs and never completes. Workaround: Add the user to the "admin" or "CA Admins" group in addition to the "CTE Admins" group. |
KY-27450 | Local Certificate Authorities (CAs) do not allow commas (,) in any of the fields. Workaround: Configure an External CA instead. If you are using certificate-based login, escape the comma with a backslash (\) in the Distinguished Name (DN) when creating the user. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value. All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC. |
KY-25152 | You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances. Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login. |
KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
KY-13617 | Domain scoped backup fails to restore on another domain when a key with the same name and version already exists. Workaround: To handle this issue, try either of the following: |
KY-13343 | Uploading an existing backup results in an error, but the backup is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as the backup ID. |
KY-11517 | [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations the AuthenticatedEncryptionTag is returned appended to the CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
KY-7193 | Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created. |
KY-6383 | Users with a pipe in their user names (for example, user1|something) cannot log on using NAE/KMIP. |
KY-3670 | A cluster join operation can fail, although rarely, leaving the joining node in a bad state. Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join. If you still cannot log on to the node: |
KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
KY-1394 | (was NC-2260) Trying to mark a shared key deletable or exportable by a non-admin user returns: NotFound error. The error should be: insufficient permissions. |
KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
NC-3573 | Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface. |
NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
NC-2063 | If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
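To illustrate the DN rule in KY-27450 (a comma inside an attribute value is escaped with a backslash, and the accepted character set is RFC 5280 PrintableString plus @ and &), here is an added Python example. It is not CipherTrust Manager code and does not reproduce the product's own DN parser; it assumes the plain regex-based check below is an adequate stand-in for the accepted character set described in the note.

```python
"""Build, validate and parse Distinguished Names under the character rules
described in KY-27450 (added example; not CipherTrust Manager code)."""

import re
from typing import List, Tuple

# RFC 5280 PrintableString characters: A-Z a-z 0-9 space ' ( ) + , - . / : = ?
# The release note states that '@' and '&' are additionally accepted.
# (Assumption: the product applies no further per-field restrictions.)
_ACCEPTED = re.compile(r"[A-Za-z0-9 '()+,\-./:=?@&]*")


def is_accepted_value(value: str) -> bool:
    """True if every character of the attribute value is in the accepted set."""
    return _ACCEPTED.fullmatch(value) is not None


def escape_value(value: str) -> str:
    """Escape a value for use inside a comma-separated DN string.

    Backslashes are escaped first so an escaped comma is not doubled up.
    """
    return value.replace("\\", "\\\\").replace(",", "\\,")


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN string, rejecting bad values."""
    parts = []
    for attr, value in rdns:
        if not is_accepted_value(value):
            raise ValueError(
                f"{attr}: value contains characters outside PrintableString/@/&: {value!r}"
            )
        parts.append(f"{attr}={escape_value(value)}")
    return ",".join(parts)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string on unescaped commas and unescape the values."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            # Backslash introduces a literal next character (',' or '\').
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))

    result = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        result.append((attr, value))
    return result


if __name__ == "__main__":
    # The DN from the release note, with a comma inside the O value.
    sample = [("C", "IN"), ("ST", "UP"), ("L", "Noida"),
              ("O", "Thales,INC"), ("OU", "ENC"), ("CN", "test")]
    dn = build_dn(sample)
    print(dn)                   # C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test
    print(parse_dn(dn) == sample)
    print(is_accepted_value("Thales#INC"))   # '#' is not PrintableString
```

The round trip matters because a DN that is merely joined with commas, without escaping, would parse as seven components instead of six and the certificate subject would no longer match the user record.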
CipherTrust Cloud Key Manager
Issue | Synopsis |
---|---|
KY-92814 | Problem: CCKM GUI: After applying a filter to a column, if you navigate away from the screen and return back, the filter may not persist. Workaround: Apply the filter again. |
KY-87019 | Problem: GWS GUI: When creating a new endpoint, the Identity Provider list displays only 10 identity providers. Workaround: Use the API to create a new endpoint using the required identity provider. |
KY-89969 | Problem: Cloud key management APIs don't work behind a proxy for Google EKM, Google Workspace CSE, SAP, and DSM. Workaround: Add the proxy URLs for your cloud to the proxy exception list and allow this URL in the firewall. Refer to URLs to Whitelist for Running CipherTrust Manager Behind Proxy. |
KY-86980 | Problem: Salesforce GUI: When adding a new Salesforce key using DSM to configure the source key, the DSM Domain field on the Configure DSM Key screen may not display all the available DSM domains. Workaround: Use the API to add a new Salesforce key by uploading a DSM key created in a specific DSM domain. |
KY-91057 | Problem: GUI: Adding an HTTPS proxy that contains a certificate returns the error "certificate signed by unknown authority." Workaround: Use the API to add an HTTPS proxy that contains a certificate. |
KY-84440 | Problem: AWS GUI: Alias specified when linking an unlinked AWS HYOK key is not attached to the key. Workaround: Add the alias on the detail page of the key. |
KY-81514 | Problem: SFDC: Refresh operations on CCKM don't remove certificates that are deleted from the SFDC console. |
KY-76609 | Problem: The custom policy statement doesn't update when rotating an AWS key on which the encrypt permissions are disabled (the "Disable Encrypt Permissions on Current Key" check box is selected). |
KY-73679 | Problem: Azure GUI: While importing an Azure certificate, if you select Yes for "Is Certificate File Password Protected?" and specify a password, later if you change to No without clearing the entered password, the password parameter is still picked up from the GUI. Workaround: Clear the specified password, and select the No option for "Is Certificate File Password Protected?". |
KY-71243 | Problem: [GUI]: Intermittent: If the key source has a large number of keys (say, in thousands), fetching all the keys may take a significant amount of time or the request may time out. Workaround: Use the API or CLI to fetch the keys. |
KY-71194 | Problem: [AWS GUI]: Intermittent: If the CipherTrust Manager has a large number of keys (in thousands), while adding an external key store, request to fetch the health check keys times out. The Health Check Key drop-down list does not display the existing keys. Workaround: Add the external key store using the API or CLI. |
KY-65165 | Problem: [SAP]: A delete key job remains in the PENDING state for long time and fails intermittently. |
KY-65151 | Problem: If you navigate to Cloud Key Manager > Containers > Oracle Vaults, an error is displayed in the browser console, "Why is lifecycle_state not in {region {...}} ". Workaround: Disregard this error. It does not indicate any malfunction in Oracle Vaults. |
KY-64955 | Problem: [Azure] If a vault (say, vault-1) is first added and synchronized in the CipherTrust Manager in a domain (say, domain-1), and later added to another domain, the associated key_vault_id is changed for keys in domain-1, leaving keys in domain-1 unusable. Now, if vault-1 in domain-1 is refreshed, all the keys (except those marked as DELETED) are again usable. Note that, even after the refresh, users cannot perform any operations on the keys marked as DELETED in domain-1. |
KY-64933 | Problem: A CCKM User with the View BYOK ACL on AWS KMS can view the AWS Native keys. The user can view BYOK keys if it only has the View Native ACL. |
KY-64700 | Problem: [AWS GUI]: While configuring a key policy, the Key Admins and Key Users tabs show 100 admins/users only. Workaround: Add/update the key policy in the Raw view. |
KY-61252 | Problem: When using an AWS Assume Role KMS account, the ARN of a modified key policy on CCKM is different than the key policy ARN on the AWS cloud. Workaround: Refresh the AWS Assume Role KMS account. |
KY-60614 | Problem: When a policy template (P1) is created in a KMS (for example, K1), then if the KMS is deleted, and re-added with the same name (K1), the policy template can be listed, but its details cannot be viewed. |
KY-60380 | Problem: [Azure Certificates]: When a certificate issued by DigiCert is pending approval from them, CCKM does not show the in progress, failed, or cancelled certificates. They are marked as deleted. |
KY-60354 | Problem: [AWS]: When a key is created, the path is not concatenated with the admin and user name in the policy. Workaround: When creating a key, specify the policy in the Raw View. |
KY-59906 | Problem: [AWS GUI] When updating the region of a KMS created with AssumeRole, the GUI displays all the available regions. They should be separated according to the assumed role. |
KY-59495 | Problem: [AWS]: The Create Key Policy page becomes nonresponsive when adding a policy with formatting issues. Workaround: Retry with the correct policy format. |
KY-59291 | Problem: [SAP Cloud] Incorrect key operation attributes are displayed in the Key Version section even after updating the key attributes successfully. |
KY-58241, KY-58239 | Problem: While generating or deleting a report for all clouds, the GUI shows a generic error Unable to generate Google report for given parameters for unauthorized users. |
KY-57030 | Azure GUI: While configuring a key rotation schedule, if you select All Keys Based on Creation/Last Rotation Date, but without making any changes switch to the All Keys or Only Expiring Keys option, then any changes under the selected option cannot be saved. Workaround: Make any change under the All Keys Based on Creation/Last Rotation Date option, and switch to the All Keys or Only Expiring Keys option. The changes can be saved. |
KY-56614 | The OCI Key Aging Report generation takes an indefinite time and shows the status "in_progress" in the response. |
KY-56569 | Problem: The SMB Connection field on the Create GuardPoint screen is not displayed while creating a GuardPoint for a CIFS path using the Browse option. Workaround: Manually type or paste the complete network path and create the GuardPoint. |
KY-56452 | When creating a key from Google Cloud KMS using the same name and relative resource name of an existing key in the same CCKM EKM cryptospace in which the existing key resides, CCKM sends an HTTP response code of 200 OK indicating the request was successful. However, the following warning message displays in the Google Cloud KMS audit logs: Create EKM endpoint "errorMessage": "GoogleCloudEKM error : Error in creating EKM E2E Endpoint: ERROR: duplicate key value violates unique constraint \"ekm_keys_name_account_key\" (SQLSTATE 23505)" This message is incorrectly displayed in this case. Workaround: You can ignore the warning message. The functionality of idempotency for the request to create a key in an EKM cryptospace works as expected. |
KY-56372 | Users who are not CipherTrust Manager administrators (admin group) cannot perform any operations on the Google Workspace CSE resources through CCKM. Workaround: 1. Create a policy for Google CSE operations. Run the API post /v1/admin/policies, as follows: { This will return a policy resource id. 2. Attach the policy to the "CCKM Admins" group. Run the API post /v1/admin/policy-attachments, as follows: { Here, <policy-id> is the policy resource id returned in the previous step. |
KY-55676 | Azure GUI: On the certificate details page, the X.509 SHA-1 Thumbprint is displayed as base64url encoded. |
KY-55597 | Problem: Azure GUI: If an overriding schedule is added to an Azure vault, the size and source of the key rotation are not visible on the Key details page. Workaround: View and change the size and source of the key rotation using the API. |
KY-53643 | When a region in an AWS account is selected and then deselected, the HYOK keys in that region are displayed but grayed out. |
KY-42082 | SAP Data Custodian: SAP key activity report doesn't show any data. |
KY-39123 | SAP Data Custodian: When an SAP group is added again, performing any enable, disable, update, or add new version operation on a key in the group returns "500 Internal Server Error". Workaround: Refresh the newly added group, add the key again, and retry the operations. |
KY-35220 | When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned. Workaround: Refresh all the key vaults. |
KY-31186 | If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception (cloudkms.googleapis.com) with no_proxy or use the proxy with username and password, and restart the services. |
KY-31058 | The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work. |
KY-27583 | CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state. This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state. Workaround: Delete the running and scheduled jobs from the API playground, and retry. |
KY-17213 | When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
CipherTrust Database Protection
Issue | Synopsis |
---|---|
PDB-3293 | If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
KY-81007 | DatabaseID is not set in metadb ing_property. Workaround: Perform the adddb operation using the pdbctl utility once. |
Application Data Protection
Issue | Synopsis |
---|---|
KY-56049 | The Application page shows an incorrect count of registered applications. |
KY-56048 | The delete application operation fails when the number of clients reaches 300. |
KY-56047 | The Protection Policy page crashes when the name of a protection policy exceeds 50 characters. |
CipherTrust Data Discovery and Classification
Issue | Synopsis |
---|---|
KY-9098 | DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab in the UI. You should ignore it. |
KY-8990 | Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
KY-24205 | The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store. Solution: For possible solutions, check the following: |
| | None of the clustered nodes responds to requests to DDC. DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in next releases. Solution: |
KY-22666 | DDC may not scan big Data Objects for Data Stores other than local storage. The threshold is a file as large as half of the RAM assigned to the scan. When a DDC scan encounters a file exceeding this threshold, it may skip the file completely or scan only up to that threshold. The user has no way to identify the issue from DDC reports. Possible Workarounds: |
KY-13618 | Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted. When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled. Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost. |
KY-19763 | OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase. |
KY-21981 | Postgres tables without primary keys are not completely scanned. DDC can only scan Postgres tables if they have at least one primary key defined. Workaround: Configure at least one primary key in the tables and run the scan again. |
KY-27855 | "Something went wrong" message when generating a report with many scans. A report with many scans cannot be generated due to a timeout in the requests between CM and the TDP servers. Workaround: |
KY-27102 | Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports. |
KY-34462 | In G-Drive, DDC scans every path of which the scan path is a prefix. When scanning a specific G-Drive folder, the scan is extended to all folders whose names contain the name of the folder that you intended to scan. |
KY-30138 | MongoDB reports will only contain information for the first 1M documents even when more than 1M documents are scanned. Workaround: Run scans with less than 1M documents. |
KY-46340 | Office365: OneDrive for Business - Using wrong OneDrive domain while probing or scanning does not return an error. Also a scan with the wrong domain and path does not return any error and it completes successfully. |
KY-48874 | A scan with MySQL datastore (version 8.0.30) fails due to "failed status in the scanner service". |
KY-49115 | Discrepancies in scan results of infotypes for the same file in DDC 2.10 and 2.9. These infotypes show discrepancies: - Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10) - China Union Pay: 1000 (in 2.9), 921 (in 2.10) - Discover: 1001 (in 2.9), 919 (in 2.10) - Diners Club: 1001 (in 2.9), 1002 (in 2.10) |
KY-51301 | For SMB Data Stores with remediation enabled, scans performed after remediation completes may not find matches in encrypted files. Workaround: Automatic agent selection does not narrow the selection of DDC Agents to those installed on hosts with a CTE Agent in the Agent Group protecting the SMB GuardPoint. If DDC selects an agent outside that set, further scans on the SMB share will read the encrypted content and therefore will be unable to find any match. To avoid this issue, use labels to force DDC to select only the right agents, as follows: - Add one dedicated label to the DDC Agents installed on the hosts with a valid CTE Agent. - Associate that same label with the SMB Data Store, in order to guide the automatic agent selection algorithm. |
KY-51306 | DDC Agent version 2.6 fails to configure for SMB datastore using hostname or IP. Workaround: If the hostname or IP do not work as credentials, instead try only the username. |
KY-51550 | Office365: OneDrive for Business - Scan progress reaches more than 100%. |
KY-51586 | A scan of a LONGBLOB file in MySQL gets stuck while scanning. DDC should be able to scan a 20 MB table, as LONGBLOB data type supports up to 4 GB of data, yet it fails. |
KY-51623 | Partial Scan in BLOBs of size greater than 100 MB in MSSQL. NOTE: If a file is partially scanned, it will be considered in the inaccessible location list. |
KY-52297 | DDC scan fails with an empty GuardPoint path for a SMB data store. Solution: A GuardPoint for a data store must always have a path configured in CTE. |
KY-51695 | DDC is only able to scan the initial 4 KB of any text file stored as a large binary object in database tables. |
KY-52494 | From this DDC version on (DDC-2.10), RHEL-compatible Agents can only be installed on environments running the matching and officially supported kernel version. |
KY-52532 | Autopause feature not working as expected in Azure Table scans. A scan of Azure Table with the "Autopause" feature enabled has the following issues: |
KY-42593, KY-42491 | Launching a second scan with any Data Stores in common with a running scan may restart the first scan progress on the shared Data Store, or even fail it if the first scan is manually paused. Workaround: Minimize scan concurrency on any given Data Store and use automatic pause, as automatically paused scans normally do not fail. |
KY-23163 | A scan goes into an interrupted state for CIFS after restarting the agent. This only happens on Windows Server agents and for the Exchange Server and Windows Local Storage. Solution: 1) Restart the Windows agent with the scan in the "Paused" state. Then resume the scan, and it will go into the "Scheduled" state. 2) Restart the Windows agent one more time and the scan comes back to normal. |
KY-55916 | Full DS scan on SAP HANA fails with an "Internal Error". SAP HANA scans on specific target paths (the schema to which the user has privileges) are successful. The database can contain schemas to which the user does not have privileges. The scan on a full datastore will try to scan all schemas that are present in the database and as a result the scan will fail due to the lack of privileges on some schemas. |
KY-56181, KY-56104 | Scan progress and Scan Status windows are stuck at partial progress for a scan path with many folders / tables. The scan progress gets stuck as it receives too many scan sub-paths and fails to display the updated information, but the scan keeps running and will eventually complete. Workaround: Run several partial scans for the data store. |
KY-56387 | The count of data stores in the Agent List section does not change for the Exchange Server data store. The number of data stores linked to an agent on the agents page is updated once the data store is ready, except for the Exchange Server data store. |
KY-56389 | Scan does not get triggered if it is scheduled for the Asia/Kolkata time zone after 12 am. When using the API to create a scan and scheduling it for the Asia/Kolkata time zone from 12:00 am to 5:30 am, it is necessary to set a date that is one day before, otherwise the scan will not activate and commence. |
KY-53620 | Targeted scans of a smaller dataset in a G-Drive data store take a long time, if the overall data that is stored in G-Drive is of a larger size (for example, over 500 GB). |
KY-56390 | Scanning of any data from an Exchange Server data store works only if the agent is installed on the same machine as the Exchange Server. |
KY-60437 | Scan failing with an internal error when scanning the whole SMB share. Existing SMB scans will fail with the error "The network path not found" if you migrate from CM 2.10 to CM 2.11. This is because the SMB credentials are not stored in the database. Workaround: Option 1. Migrate to CM 2.11.1 and run the "Find Agent" option from the datastore page for the same SMB datastore, once it is in the Ready state. Run the SMB scan. In the future, if you change the SMB credentials, they will all be updated automatically once you run the "Find Agent" option before running the scan. Option 2. If you migrate to CM 2.11, create a new SMB datastore with the same credentials and update the scan configuration to point to the new datastore before running the SMB scan. In the future, if you change the SMB credentials, you have to create the SMB datastore again to save the new credentials in the database before running the scan. |
CipherTrust Transparent Encryption
Issue | Synopsis |
---|---|
KY-75787 | Problem: When new configurations are done on a CipherTrust Manager's cluster node not reachable by the clients, the clients don't receive new configurations from the reachable nodes of the cluster. Workaround: • Create or update configurations on the CipherTrust Manager's cluster node that is reachable by all clients. • If configuration is already there, but it is not pushed to the clients, use the browse option on the cluster node reachable by the clients. Browsing initiates an authenticated route from the clients. |
KY-72180 | Problem: Secure Start configuration changes on the CipherTrust Manager are not pushed to the CTE Agent. Workaround: Manually restart the VMD service (secfs restart) on the client or change other configurations such as the linked profile on the CipherTrust Manager. |
KY-56890 | Problem: CTE log forwarding to CipherTrust Manager causes high resource usage, leading to CTE management microservice restarting. Workaround: On the CTE client profile, disable log upload before upgrading CipherTrust Manager to 2.11. |
KY-56057 | Problem: On the CipherTrust Manager GUI, the Client Settings field does not allow the hash character #. If specified, the Client Settings tab cannot be accessed. Workaround: Run the /v1/transparent-encryption/clients/{id}/auth-binaries API to configure the Client Settings with the hash character. |
KY-55739 | Problem: When a CipherTrust Manager user having only CTE Admins group permissions initiates a Quorum-dependent operation, a corresponding Quorum is created. After the required Quorum approvals, the operation does not auto-trigger in the background. Workaround: Retry the operation after the required Quorum approvals. |
KY-55511, KY-55527, KY-55275, KY-55528 | Problem: Simultaneous composite operations (for example, update and delete) are not supported for quorums. |
KY-55273 | Problem: If quorum is activated for client group deletion, then bulk client group deletion generates multiple quorums in pre-active state. Workaround: Delete client groups individually. |
KY-55064, KY-54442 | Problem: In case of bulk client or client GuardPoint deletion, the quorum details may not be available. However, quorum operations (such as approval, rejection) can be performed. This issue has no impact on functionality. |
KY-62435 | Problem: When quorum is enabled, if you perform an operation to delete client groups in bulk, the quorum is created in pre-active state. Workaround: Activate the quorum using the /v1/quorum-mgmt/quorums/{id}/activate API. |
KY-51135 | Problem: Group members cannot be imported from ldap for user sets. |
KY-34329 | Browsing VxVM raw devices that have slash in the path names shows non-existing directory in the GuardPaths. Workaround: Create GuardPoints by manually entering the raw device paths. |
ProtectApp
Issue | Synopsis |
---|---|
KSCH-16415 | The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API. |
ProtectFile
Issue | Synopsis |
---|---|
KSCH-573 | Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
KSCH-568 | Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
KSCH-567 | Modifying a file level encryption rule to set the “isRecursive” flag does not return error. |
KSCH-564 | Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |