Release Notes
Product Description
CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
Product Abbreviations
| Name | Abbreviation |
|---|---|
| CipherTrust Batch Data Transformation | BDT |
| CipherTrust Manager | CM |
| CipherTrust Application Data Protection | CADP |
| CipherTrust Cloud Key Manager | CCKM |
| CipherTrust Data Protection Gateway | DPG |
| CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
| CipherTrust Transparent Encryption | CTE |
| CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
| CipherTrust Intelligent Protection | CIP |
| CipherTrust Data Discovery and Classification | DDC |
| Data Protection on Demand | DPoD |
| CipherTrust Vaulted Tokenization | CT-V |
| CipherTrust Vaultless Tokenization | CT-VL |
Release Description
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570, k470 and k160 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
Note
The 2.12.2 patch is not supported for Thales TCT k160 devices.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.12.x Virtual CipherTrust Manager will be available on the following public clouds, as the Community Edition:
Amazon Web Services: SafeNet Cloud Provisioning System
Google Cloud
Note
As 2.12.x is not the default version, you must use the gcloud CLI to retrieve it.
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Oracle Cloud
IBM Cloud
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager IBM Cloud Virtual Private Cloud Gen2.
2.12.x contains a number of new features and enhancements. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.12.2
The 2.12.2 release includes bug fixes described in the resolved issues list list. This release also includes an internal client upgrade to maintain compatibility with the Thales Data Protection On Demand (DPoD) Luna Cloud HSM Service root-of-trust integration past January 28, 2025. Details on the Luna Cloud HSM compatibility change are available in knowledge base article KB0028422. The CipherTrust Manager change is tracked internally under reference number KY-85444.
This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.12.0, 2.12.1, 2.11.0, 2.10.x, and 2.9.x.
This release does not address all security vulnerabilities discovered after the release of 2.12.0 minor version. To obtain current security fixes, upgrade to the latest feature release.
Release 2.12.1
The 2.12.1 release includes a stability fix for virtual CipherTrust Manager instances using disk encryption. The fix is described in the resolved issues list. This release is available as a new virtual instance, or as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.12.0, 2.11.0, 2.10.x, and 2.9.x.
Release 2.12.0
Platform
New secrets management feature introduced. CipherTrust Manager now partners with Akeyless to offer Akeyless Vault Platform application secrets, protected with optional HSM root-of-trust hierarchy.
Support added to send email notifications for built-in alarms.
Added capability to renew the expiring CA certificates (server and client) in the certificate chain.
Added login authentication methods (User-Certificate and Username-Password Authentication for Web) for local users.
Support added to view the consumption of KMIP licenses in all domains (Domain Level Usage), and in individual domains on UI.
Added support to:
update non-High Availability (HA) Luna Connection to HA.
create a single partition HA Luna Connection.
In a quorum, the approver name has been made a mandatory field for vote's array.
Added provision to add custom password policies for new or existing users.
Internal mechanism is implemented to avoid full disk usage.
The
expires_atflag is added to set the expiration date for the local users to limit the user account to a certain period.Enhanced the
/v1/system/infoAPI to get the serial number (chassis_serial_number) of the CipherTrust Manager Physical Appliance.Added the ability to map groups for the OpenID Connect (OIDC) connection to authenticate CipherTrust Manager users.
Added support for authorization flow for the OpenID Connect (OIDC) connection to authenticate CipherTrust Manager users.
Added the ability to rotate the HSM Key Encryption Key (KEK) for HSM-anchored domains.
Enhancements to the UI web console:
New filter in the user detail page to view only the groups the user has a membership in.
New option to upload an external certificate as a file.
Added ability to limit user login based on client types such as unregistered, public, and confidential clients, previously available only on CLI and API. This setting is available when adding a new user or editing an existing user.
CipherTrust Manager now enforces that nodes joining a cluster must have the same CipherTrust Manager software version as nodes already in the cluster. This ensures the stability and proper functioning of production clusters.
Added support in the Elasticsearch log forwarder for Elasticsearch version 8.
Limitations
If a domain has more than 1000 cryptographic objects (keys and opaque objects), to fetch keys, it is recommended to use
KeyNamesRequestinstead ofKeyQueryRequest. The response time of KeyQueryRequest is proportional to the number of keys on the CipherTrust Manager, therefore, it may lead to a timeout exception on the client side.Currently, the log forwarders are not configured to use the system's proxy configuration. If proxy is configured, the log forwarders bypass the proxy servers.
The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.
During client renewal, if another client (which has
authentication_modemode set todn) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and different subject DN.
However, for local CAs, it is not required to delete the client to be renewed, rather set thedo_not_modify_subject_dnfield to false. Refer to Renewing Local CA Clients for details.
Deprecated Feature(s)
Removed the ProtectV tile from the CipherTrust Manager. However, if you upgrade to CipherTrust Manager 2.12 from the lower versions, the
ProtectV Admins,ProtectV Clients, andProtectV Usersgroups still show up but are not usable. These groups can be manually removed if required.Removed support for the CTE symmetric keys migration from DSM to the CipherTrust Manager if
Unique to Hostflag is set for the keys.
Application Data Protection
Added support for access policies that allow you to select how to display data in a RESTful API call during the reveal operation based on the user. The data can be revealed as:
Plaintext
CipherText
Masked Value
Error/Replacement Value
Added licensing enforcement for DPG.
CCKM
GA API support of Cloud KMS key management mode for Google EKM via a Virtual Private Cloud (VPC) connection to allow users to create, rotate, or destroy coordinated EKM keys through the Google console. Note that in this release, this feature is incorrectly tagged as "Tech Preview" in the CCKM API playground. This tag will be removed in the next release.
Added capability to enable and disable success event logs for AWS XKS and Google EKM.
Added capability to update AWS key store credential when key store is in a connected state.
Added mutual TLS support for AWS Custom key store.
Provided support for Salesforce mutual TLS.
Support for Google Access Control Policy for Cryptospace EKM endpoints and Cryptospaces is now available.
Re-adding removed Luna partitions now restore existing key relations.
Added granular access control for reports.
Added support for management of Azure key vaults based on Active Directory (AD) groups in the root domain.
Added support for AWS bulk jobs to perform operations on multiple AWS keys in one attempt through the API. A maximum of 100 keys are supported for bulk operations.
Restricted key version to "import only" for Google CMEKs through the API.
Added capability to manage Dynamic Key References (DKR) for the SAP cloud through the API.
Added capability to update the version of SAP cloud keys through the API.
CTE
Added capability to the CTE for Windows Agent for detection of Ransomware and protection of sensitive data from Ransomware. The CTE Agents can monitor the volumes, analyze the data, and look for processes that might perform suspicious activities on the sensitive data.
Added a dashboard to the Reports page. The dashboard shows the total number of:
Registered and unregistered clients
Consumed CTE, CTE UserSpace, and K8s licenses
GuardPoints configured on the clients
Active and inactive GuardPoints
Added capability to specify whether a CTE for Windows client can be added to an LDT communication group. This feature can be used to ensure smaller and efficient groups, which will participate on LDT operations like rekey, are allowed to join an LDT communication group.
Added ability to monitor CTE resources through Prometheus and Grafana on the CipherTrust Manager CTE Resources dashboard. This dashboard:
Shows the statistics for various CTE resources on the CTE Clients, CTE Groups, CTE GuardPoints, and CTE Clients Health Status graphs.
Displays the total number of operations performed with respective to the CTE Clients and CTE Groups.
Note
CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.12 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.
Support for CTE clients with the Efficient Storage GuardPoints (ESG) capability will be deprecated from CipherTrust Manager 2.14 onward.
CTE UserSpace
CTE UserSpace 10.0 is a new kernel-independent file encryption product based on CTE and CTE UserSpace (rebranded ProtectFile FUSE).
The resources of CTE UserSpace clients running 10.0 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can't be managed by the ProtectFile & Transparent Encryption UserSpace application.
This release does not support the following features:
Kernel Compatibility Matrix
Agent and System locks
CBC and XTS keys
COS, ESG, IDT, and LDT policies and GuardPoints
To manage the clients running the previous versions of the CTE UserSpace Agent, use the ProtectFile & Transparent Encryption UserSpace application only. Alternatively, upgrade those clients to CTE UserSpace 10.0 or a higher version.
Added a dashboard to the Reports page. The dashboard shows the total number of:
Registered and unregistered clients
Consumed CTE, CTE UserSpace, and K8s licenses
GuardPoints configured on the clients
Active and inactive GuardPoints
Added ability to monitor CTE resources through Prometheus and Grafana on the CipherTrust Manager CTE Resources dashboard. This dashboard:
Shows the statistics for various CTE resources on the CTE Clients, CTE Groups, CTE GuardPoints, and CTE Clients Health Status graphs.
Displays the total number of operations performed with respective to the CTE Clients and CTE Groups.
CIP
Added capability to display remediation status and progress while remediation is in progress for the following:
Standard and LDT policies for Linux local storage and NFS
Standard and LDT policies for Windows local storage
LDT policies for Windows NFS
Added support for OpenSSL(3.x) for Windows
DDC
Enhanced Agent Selection Flow - During the scan execution validation phase, agent selection is always triggered again if no available agent is found, and the data store is scanned using an available agent. The data store is also updated to be associated with the new agent as part of this flow.
Integrated CTE Remediation Status - Reports are now generated with the CIP information included only after Remediation is applied. This way the user knows which files were remediated at each execution.
Hide Labelling for NFS - The labelling option is hidden for the NFS Data Store in the UI.
Advanced Scan Settings - Advanced scan configuration parameters added in the first step of the Scan Wizard ("General Info" > "Advanced Configuration").
Data Store Documentation Improvements - Each data store section has been updated to include a brief introduction, connection configuration, and target configuration, with examples where appropriate.
Resolved Issues
This table lists the issue resolved in 2.12.2.
| Issue | Synopsis |
|---|---|
| KY-84897 | The password for the CipherTrust Batch Data Transformation (BDT) container on the CipherTrust Manager is returned in the plaintext. The GUI and API no longer display username and password. |
This table lists the issue resolved in 2.12.1.
| Issue | Synopsis |
|---|---|
| KY-59649, KY-65439 | Virtual CipherTrust Manager instances using disk encryption lose network connectivity after an hour. |
This table lists the issues resolved in 2.12.0.
| Issue | Synopsis |
|---|---|
| KY-76082 | Google Workspace: Users with the Connection Admins, CCKM Admins, and CCKM Users group permissions can't create and list issuers. |
| KY-59291 | [SAP Cloud] Incorrect key operation attributes are displayed in the Key Version section even after updating the key attributes successfully. |
| KY-58932 | If you have configured a legacy syslog connection through Admin Settings using TCP as transport, logs with a packet size larger than 1024 bytes are trimmed which causes partial log messages to be sent. |
| KY-56569 | The SMB Connection field on the Create GuardPoint screen is not displayed while creating a GuardPoint for a CIFS path using the Browse option. |
| KY-61307 | After you join a new node to a CipherTrust Manager cluster and restart cluster members, cluster member backup keys become inactive. |
| KY-56713 | During the key activation, the KMIP client truncates the Activation date. When a user adds the ProcessStartDate, it precedes the ActivationDate and gives the following error: "ProcessStartDate can not precede ActivationDate." |
| KY-60505 | On upgrading the CipherTrust Manager from previous versions to 2.11, KMIP clients face authentication issues. |
| KY-56935 | While exporting keys from the application server to the CipherTrust Manager, the key version is not printed in the records. |
| KY-62435 | When quorum is enabled, if you perform an operation to delete client groups in bulk, the quorum is created in pre-active state. Disabled the option to delete client groups in bulk when quorum is enabled. |
| KY-61913 | If you attempt to use the UI to add an additional Luna T-Series HSM partition to a root-of-trust high availability group, incorrect settings are presented, such as ESN (Electronic Serial Number). |
| KY-61556 | [Google Cloud]: The Refresh All option refreshes only 10 key rings. The remaining key rings are ignored. |
| KY-60861 | APIs to manage impersonated users for NAE and KMIP clients were causing issues in some use cases. These APIs have been removed. |
| KY-60716 | If you migrate RSA keys from KeySecure Classic to CipherTrust Manager, the key permissions change from encrypt to decrypt, and from decrypt to encrypt. |
| KY-60674 | Caching of keys was not fully implemented in CCKM with the result that every encrypt request would lead to CipherTrust Manager checking the latest key version. This checking of latest key version in turn decreased CCKM's encrypt performance when compared to its decrypt performance. This issue is now resolved. |
| KY-60416 | The Secure Start capability can be enabled for GuardPoints on CTE clients manually added to the CipherTrust Manager. |
| KY-60187, KY-60211 | Can't configure KMIP connection in domains when the username is specified in the KMIP auth tag request. |
| KY-60146 | After upgrade from 2.10 to 2.11.0, the OpenID connection available through Access Management for authenticating CM users stops working. OIDC users can no longer authenticate. Resolution: Upgrading from 2.10 to 2.12 no longer produces this behavior. Upgrading from 2.11.0 to 2.11.1 restores OIDC connection functionality. |
| KY-59341 | The /auth/tokens API endpoint sometimes returns a renewed Refresh Token (refresh_token) with longer than requested lifetime (refresh_token_lifetime). |
| KY-58951, KY-60264 | Issues observed in managing AWS keys through an assumed role when the CipherTrust Manager is deployed in VPC. |
| KY-60129 | In case of auto registration, the KMIP operations in the domain fail for the assigned/created users if the registration token is created in the root domain. |
| KY-59971 | [OCI]: Generation of a Key Aging Report for a vault with a large number of keys becomes nonresponsive. |
| KY-59976 | [Google Cloud]: Keys cannot be uploaded using the GUI when more than 10 key rings are added to the CipherTrust Manager. |
| KY-59969 | While creating an Azure connection, thumbprint of the Application certificate generated on the CipherTrust Manager does not match with the thumbprint of the certificate after it is uploaded to Azure Service Principal (SPN). |
| KY-59220 | KeyQueryRequest doesn't work properly if the system (all domains) has more than 1000 cryptographic objects (keys and opaque objects). |
| KY-59727 | The KMIP and NAE clients in domains don't work properly after upgrading to 2.11. It can lead to the restart of the NAE service where NAE clients are registered. Resolution: This problem does not occur on upgrade from 2.10 or lower to 2.12. |
| KY-59714 | AWS XKS (HYOK) in unlinked mode is not working properly. Keys created on CCKM in the unlinked mode disappear from the AWS keys list after the Refresh action on the UI and Sync operation on the API. Conversely, if an unlinked AWS XKS (HYOK) key is created on the AWS console, a new key will appear on the CCKM AWS Key List with an incorrect origin (HYOK-External) after a Refresh or Sync operation on the UI or API. |
| KY-59607 | When attempting to verify the JWT within https://www.googleapis.com/oauth2/v3/certs, a connectivity problem occurs. After invoking GET /api/v1/cckm/ekm:getInfo to retry the connection, it hangs until the client abandons the attempt. |
| KY-59595, KY-56611 | In the GUI wizard to create a new registration token, the default local CA's common name incorrectly displays as "KeySecure Root CA". The KeySecure Root CA no longer exists on CipherTrust Manager. |
| KY-59304 | When creating a duplicate Google EKM endpoint, the error message that displays now correctly indicates an endpoint with the same name already exists. |
| KY-59268 | Previously, when attempting to create an AWS CloudHSM key store with an invalid AWS cluster ID, the CCKM would return a status code of 409. However, CCKM should return a status code of 400. This issue has been resolved. |
| KY-58997 | RESTful Data Protection tile displayed in CM web console GUI. |
| KY-58956 | If you test an AWS connection which has an Assume Role, the test fails with the error AccessDenied: Cannot call GetSessionToken with session credentials. |
| KY-58716 | GWS CSE: Unable to assign multiple authentication audience for GWS CSE endpoints on the GUI. |
| KY-58256 | In KMIP, you cannot set a key's ProcessStartDate to the same value as the ActivationDate. The Result Message "ProcessStartDate can not precede ActivationDate" is returned. |
| KY-57693 | [ksctl] Migration of ProtectFile resources from SafeNet KeySecure to the CipherTrust Manager results in the error, "DFS Alias is only configurable when DFS is enabled." |
| KY-57268 | When the CipherTrust Manager is upgraded to 2.10 or higher, decryption of Google Workspace CSE documents encrypted with an endpoint URL created on the CipherTrust Manager version 2.4 through 2.9 fails. The unwrap API returns the error "The authorization service doesn't match the service's wrapped Key". |
| KY-57030 | Azure GUI: While configuring a key rotation schedule, if you select All Keys Based on Creation/Last Rotation Date, but without making any changes switch to the All Keys or Only Expiring Keys option, then any changes under the selected option cannot be saved. |
| KY-56948 | AWS Report fails to generate when the name has underscores. |
| KY-56890 | CTE log forwarding to CipherTrust Manager causes high resource usage, leading to CTE management microservice restarting. |
| KY-56836 | Azure key rotation job might become nonresponsive in "running now" state. |
| KY-56733 | When an unauthorized user requests a resource with an incorrect relative resource name (one that does not match the key path), CM returns HTTP 400 with a status code of INVALID_ARGUMENT. CM now correctly returns HTTP 403 with a status code of PERMISSION_DENIED based on the results of its authorization check and conformance to Google's guidance relating to requested user operations and authorization checks. |
| KY-56581 | The appropriate response code is now returned when creating cryptospaces and updating cryptospaces in CCKM with Key Access Justification (KAJ) enabled or disabled. |
| KY-56372 | Users, who are not CipherTrust Manager administrators (admin group), cannot perform any operations on the Google Workspace CSE resources through CCKM. |
| KY-56358 | If you have a saved query for Loki audit server records, upgrade to 2.10.x or 2.11.x, and attempt to load one, the UI shows blank page. |
| KY-56258 | A NonFatalError occurs when shutting down the CipherTrust Manager through vSphere. |
| KY-56072 | If you create a domain-specific backup containing a pkcs12 key with one or more certificates, and then attempt to restore the backup, the pkcs12 key fails to restore. The message ERR | key-hash mismatch error message:failed verifying key hash for key record: <key_id> err:failed verifying key fingerprints errVerbose: is present in the /opt/keysecure/logs directory accessible in a ksadmin SSH session. |
| KY-56071 | The CipherTrust Manager GUI cannot list keys when the number of keys on which the key policies are applied increases. |
| KY-56057 | On the CipherTrust Manager GUI, the Client Settings field does not allow the hash character #. If specified, the Client Settings tab cannot be accessed. |
| KY-56049 | The Application page shows incorrect count of registered application. |
| KY-55891 | Creating an Azure connection using Certificate fails intermittently. |
| KY-55725 | Unable to update the password of an SCP connection for backups. |
| KY-55634 | Two quorums are generated for download backup key. |
| KY-55597 | Azure GUI: If an overriding schedule is added to an Azure vault, the size and source of the key rotation are not visible on the Key details page. |
| KY-53816 | The activity.nae logs show key version 0 always. |
| KY-53643 | When a region in an AWS account is selected and then deselected, the HYOK keys in that region are displayed but grayed out. |
| KY-53631 | OIDC group mapping is allowed even though it is not supported. If a user in the group attempts to login, the login fails with server error response. Resolution: Support for OIDC group maps is introducted in 2.12. |
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
2.12.0: Virtual CipherTrust Manager Instances with Disk Encryption Lose Network Connectivity After an Hour
If you use the disk encryption feature on a virtual CipherTrust Manager 2.12.0 instance, the instance loses network connectivity after approximately one hour. Upgrade to 2.12.1 for a permanent fix.
If you cannot upgrade to 2.12.1, you can restart the NetworkManager service to prevent or recover from this situation as a workaround.
To prevent this from happening:
If you still have network connectivity to the instance, login as ksadmin to the web console and run the following command:
sudo systemctl restart NetworkManager
Caution
This prevention is required within one hour of every CipherTrust Manager 2.12.0 reboot.
To recover from this state:
Access the serial console, login as ksadmin, and run the following command:
sudo systemctl restart NetworkManager
Note
If the serial console is unavailable, reboot the CipherTrust Manager instance and then access the serial console.
USB Host Logs are Not Immediately Forwarded on Upgrade
If you have an existing syslog forwarder configured for host logs, and upgrade to 2.12, the USB host logs are not immediately forwarded. You need to manually force the syslog forwarder to update completely. This can be achieved by:
Using the modify command.
Use
kscfg syslog forwarder modify --id <syslog_forwarder_id> --<another_option> <temporary_value>force the update.Use
kscfg syslog forwarder modify --id <syslog_forwarder_id> --<another_option> <original_value>to reset to the original value.
Deleting and recreating the syslog forwarder.
View the syslog forwarder's current configuration values with
kscfg syslog forwarder get --id. Note down or otherwise retain these configuration values.Delete the existing the syslog forwarder with
kscfg syslog forwarder delete --id <syslog forwarder_id>.Re-create the syslog forwarder with
kscfg syslog forwarder add, including any options necessary to set the original configuration values. These options are documented here.
NextGen KeySecure and ProtectFile End-of-Support in 2023
NextGen KeySecure firmware and the ProtectFile connector will be End of Support in December 2023.
In most cases, you can upgrade from NextGen KeySecure to CipherTrust Manager directly. If you are running the legacy k450 or k460 hardware model, you must migrate data to the k470 or k570 model.
We strongly recommend migrating ProtectFile to CTE or CTE Userspace.
Luna Network HSM 5.x and 6.x are no longer supported as Root-of-Trust for CipherTrust Manager
As Thales has passed the end-of-support date for Luna Network HSM 5.x and 6.x, CipherTrust Manager no longer supports those versions for root of trust. CipherTrust Manager does not enforce against setting up those versions for root-of-trust, so upgrading will not disrupt existing root-of-trust connections to our knowledge. Consult the End of Sale and End of Support announcement, Luna Network HSM 7 documentation, and Data Protection on Demand and Luna Cloud HSM documentation for migration information.
Quorum
Do not enable quorum on the ManagePolicyAttachment and DeletePolicy operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.
SMB Connection
The Host and Port fields must be specified together, or do not specify any of them. If Host and Portare not specified while creating an SMB connection, these fields cannot be added later.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend to use CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.
Caution
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
Some Key States Change After Upgrade
After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
As you cannot upgrade directly from 2.4 to 2.12, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.
When a key has an NAE state of
Retiredand the deactivation date is set in the future, the key is set toDeactivatedimmediately upon upgrade. No cryptographic operations are allowed.When a key has an NAE state of
Restrictedand Protect Stop Date is set in future, the key is set toActiveand the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.When a key has an NAE state of
Activeand Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.When a key has an NAE state of
Activeand Activation Date is set in the future, the key is set to aPre-Activestate and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.When a key has a state of
Deactivatedbefore upgrade, its state will be unchanged after upgrade. However, the allowed operations for theDeactivatedstate change for 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.
System Upgrade and Downgrade Supported Releases
System upgrades on a single unclustered device have been tested from releases 2.9.x, 2.10.x, and 2.11.0. Upgrades have also been tested from lower 2.12.x versions to higher 2.12.x patches.
Note
Upgrades from other versions have not been tested and may not work correctly.
Upgrade from 2.11.1-2.11.6 to 2.12.x is not supported, as these patches will be released after 2.12 and contain bug fixes not present in 2.12. Upgrading from these patches to 2.12 can re-introduce bugs. If you are using one of these 2.11 patches, wait for future releases to obtain the new features introduced in 2.12.
An unclustered CipherTrust Manager can be downgraded to the previous minor version. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Warning
As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade.
The cluster upgrade section provides instructions to perform an upgrade on a cluster of devices. Supported upgrade paths depend on the method used to upgrade the cluster.
Cluster remove/rebuild is supported from 2.9.x, 2.10.x, 2.11.0, and 2.12.0.
In-place cluster upgrade is generally performed from one minor version at a time, so there is no limit on starting version.
The only exception is that if you are at 2.10.x, you skip 2.11.x and upgrade directly to 2.12.0. This is because upgrade from 2.11.1-2.11.6 to 2.12 is unsupported, and 2.11.0 is no longer available.
Restoring a backup from release 2.9 or later is supported; however, restoring a newer backup to an older version is never supported.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Key Usage Mask Selection
If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.
DDC
Clusters
Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (and return the impression that DDC fails randomly).
Licensing
Overlapping licenses are not supported (except for the trial license).
Upcoming End of Support for Platforms and Features
Linux 2.4 Node Agents
Email Targets - Microsoft Exchange (EWS)
Microsoft 365 - Exchange Online (EWS)
Web Browser - Internet Explorer
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
| Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
|---|---|---|---|
| Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
| NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
| KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Client Platforms
The following client Platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
CADP for .NET Core: minimum version 8.11.0
CADP for C: minimum version 8.14.0
CADP for Java: minimum version 8.13.0
CipherTrust Application Key Management
CAKM for Oracle TDE: minimum version 8.10.0
CAKM for Microsoft SQL Server EKM: minimum version 8.5.0
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
CDP for Oracle: minimum version 8.12.0
CDP for MSSQL: minimum version 8.12.0
CDP for DB2: minimum version 8.12.0
CDP pdbctl: minimum version 1.5.1
CipherTrust Teradata Protection: minimum version 6.4.0.12
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 10.0
CipherTrust Transparent Encryption for Kubernetes
Minimum version 1.0.0
CipherTrust Vaulted Tokenization
Minimum version 8.7.1
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
ProtectFile
Minimum version:
ProtectFile Windows 8.12.3
ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)
The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.
Note
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 3.1.5.1 or newer.
If you have an existing TDP 3.1.5 cluster, you should apply the patch 3.1.5.1.
Following the TDP upgrade users are required to Configure TDP service HDFS again and also Configure TDP service Livy.
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
| Reference | Synopsis |
|---|---|
| KY-93937 | Problem: If you configure an LDAP connection for CipherTrust Manager user management, and set up group maps in a child domain, group permissions are not applied when users are logged into the child domain. |
| KY-92312 | Problem: If you attempt to configure an HSM root-of-trust on the CipherTrust Web UI, the UI sometimes displays a timeout error, but the HSM configuration succeeds. Workaround: Wait two minutes and refresh the page to see if the HSM configuration succeeded. If the HSM configuration fails, retry with the ksctl hsm setup --timeout 120 CLI command. |
| KY-92080 | Problem: If the client certificate is renewed before its expiration date, on the original expiration date, the client goes into the expired state, which breaks communication between the client and the CipherTrust Manager. Recommendation: Before the certificate expiration date, do either of the following: • Re-register the client with the CipherTrust Manager using the new client certificate. • Upgrade the CipherTrust Manager to 2.16.1 or higher. Workaround: After the client moves to the expired state, renew the client certificate as a client administrator. Refer to Renewing client certificates for details on renewing client certificates. Also, CTE clients need to be re-registered with the CipherTrust Manager after the client certificate renewal. |
| KY-91730 | Problem:If a network interface connection goes down on a node, the cluster status for that node displays as ready on other nodes, even though the node is unreachable. |
| KY-84105 | Problem: You cannot restore backups containing ProtectV objects. The restore operation fails with the error schema "pvm" already exists in the debug log. Workaround: Reset the CipherTrust Manager and retry the restore operation. |
| KY-78303 | Problem: If you configure OIDC authentication for CipherTrust Manager users with an identity provider with a short id_token lifetime, users are logged out of their sessions frequently, every time the id_token expires. The error message Wrong username or password is displayed. |
| KY-71399 | Problem: For SCP, if algorithms with sha1 are disabled on the destination server, SCP doesn't work with the CipherTrust Manager |
| KY-81695 | Problem: If a client certificate contains both OCSP and CRL URLs, the certificate revocation check (for NAE and KMIP clients) only considers the OCSP and never falls back to check the CRL even if the OCSP URL is inaccessible. |
| KY-80453 | Problem: If you are using Entrust nShield Connect HSM as a root of trust, remove the admin card from the HSM, and then attempt to reboot the CipherTrust Manager, the CipherTrust Manager does not reboot successfully. Workaround: None. |
| KY-75452 | Problem: The auto-registered clients don't get auto-renewed after expiration. Workaround: • For manually registered clients, renew the clients. • For auto-registered clients, delete and re-register the clients. |
| KY-77181 | Problem: Prometheus metrics with the node_ prefix are not exported. An error msg:fetching metrics for node_exporter:9100 failed with error: Get "http://node_exporter:9100/metrics is present in the debug logs. |
| KY-72796 | Problem: The CipherTrust Manager constantly communicates with multiple IPs of the akeyless SAAS server (for example, "52.223.11.194", "35.71.185.167", "35.192.171.171") over port 9443, which leads to a lot of irrelevant log entries. |
| KY-64648 | Problem: The "Forgot Password" feature for email is not supported through akeyless gateway on the CipherTrust Manager. Only "Forgot API Access Key" feature is supported. Workaround: Use "Forgot Password" feature for email directly on the Akeyless website. |
| KY-74128 | Problem: If the LDAP connection property User's distinguished name (user_dn_field) is set to distinguishedName for LDAP Group Mapping, when the user or client authenticates, it loses all permissions in fewer than 5 minutes. Solution: Update the LDAP connection property User's distinguished name (user_dn_field) to dn. |
| KY-71188 | Problem: Users in the Key Admins group are unable to create a new key version for a key owned by another user. Workaround: Create a custom policy for a group to be able to perform key rotations on all keys. |
| KY-71050 | Problem: If a local user is created with a different username and full name, the user cannot change its own password. Workaround:A user in the Users Admin group can edit the full name value to match the username value. |
| KY-70603 | Problem: If you attempt to add an HSM-anchored domain through the CipherTrust Manager GUI, the operation times out with the error Failed to create domain kek in the debug logs.Workaround: Set the KSCTL_TIMEOUT value to 60 (corresponding to 60 seconds), and then use the ksctl domains create command to add the HSM-anchored domain. |
| KY-69999 | You cannot add URLs with a wildcard asterisk character * to the proxy exemption list. |
| KY-66135 | Problem: If you add an NTP server more than 1024 times and then restart all services, multiple services fail to restart. The server audit records contain a message Following services have stopped after starting: followed by a list of services.Workaround: SSH in as ksadmin and restart host daemon service using sudo systemctl restart host-daemon. |
| KY-65947 | Problem: If you attempt to add an alarm configuration from a specific record using the UI's Add Alarm Config from Record option, the conditions for boolean type fields are populated incorrectly. For example, the UI sets conditions such as input.success == "true,boolean" or input.success == "false,boolean" which are not in compliance with Open Policy Agent's Rego query language, and will not trigger alarms correctly. Workaround: Edit the alarm configuration to reformat the condition as input.success == true or input.success == false. Alternatively, add new alarm configurations through the + Add Alarm Configuration button available in the Alarm Configurations tab. |
| KY-63518 | Problem: Problem: The create custom password policy throws an error with invalid values when default values are not provided. Workaround: Provide default value for all the parameters or create a password policy through GUI. |
| KY-65935 | Problem: If domains are deleted without deleting the linked protectapp profiles, the NAE service will not restart after the upgrade.Workaround: Delete the linked protectapp profiles before deleting the domain. |
| KY-65539 | Problem: If the client registration fails when registering the client using the certificate, then an invalid entry may be displayed in the response. Workaround: Delete the client using the Delete /v1/client-management/clients/{id} API. |
| KY-64600 | Problem: If you create multiple automatic key rotation scheduled jobs, and they are scheduled to run at the same time, a key rotation intermittently fails with the message 'There is an ongoing key rotation job, cannot add another'. Workaround: Schedule automatic key rotation jobs to run at different times from one another. |
| KY-63083 | Problem: Clients registered in a deleted domain are not excluded from the License usage. Workaround: 1. Log on to the root shell. 2. Delete the entries of the clients registered with the deleted domain from the database. |
| KY-62196 | Problem: CTE LDT policies which have "allow browsing" checked for the first secure rule, which is a legacy configuration from DSM version 5.x, are not migrated to CM correctly. The migration fails with the error [NCERRBadRequest: Bad HTTP request]: Invalid Params supplied. With LDT policy, first security-rule must be created with action as key_op, effect as applykey,permit, browsing(partial_match) as disabled and without any UserSet/ProcessSet/ResourceSet present. Workaround: Please contact customer support for help migrating CTE LDT policies with this setting. |
| KY-61517 | If you create a group mapping for an LDAP Access Management connection on a child domain, the UI lists an additional LDAP connection prefixed with the domain name. |
| KY-60913 | Problem: Occasionally, if you change from a child domain to the root domain on the UI, an error "The connection does not exist." displays. Workaround: Log out and log in to the UI. |
| KY-60718 | Problem: When you create a new domain in the UI, and select "Admins" for the new domain, duplicate user names are displayed. The users are duplicated for each LDAP Access Management connection which is configured. Workaround: Select any of the duplicate user names. That user will be able to act as the domain's administrator, regardless of whether and which LDAP connection is used to authenticate. |
| KY-55467 | Problem: NAE FPE batch crypto request fails for rapid encryption requests. This leads to failure of all crypto requests thereafter. Workaround: Either restart the NAE service or introduce a small delay between subsequent FPE crypto requests. |
| KY-64877 | Problem: If you upgrade a CipherTrust Manager which has more than 100 domains and then perform a service reset, the system might fail to come up. Workaround: Contact customer service to recover. |
| KY-64767 | Problem: After upgrade, if a system was previously configured to send host syslog messages, USB syslog messages may not appear. Workaround: Use the kscfg utility to delete and re-add host syslog configuration. |
| KY-64593 | Problem: If you create a Loki log forwarder connection with TLS configuration in connection manager and use the test connection function, the test fails with the error 400 Bad Request. Workaround: Disregard the test results and continue with Loki log forwarder configuration. To confirm records are being forwarded, perform an operation such as creating a test key and then check the Loki server to see if the operation appears in the logs. |
| KY-64562 | Problem: Policy attachments can be detached (deleted) from system policies even though those policies are read-only. Workaround: Restart CipherTrust Manager to populate the deleted system policy attachment. |
| KY-62550, KY-58948 | Problem: High memory and CPU consumption can lead to CipherTrust Manager declining user and client application requests. Workaround: Monitor CPU and memory usage through Prometheus or Grafana and adjust load accordingly. |
| KY-61292 | Problem: In a configuration with multiple Luna Network HSMs acting as root-of-trust in high availability mode, when the HSM in use becomes unavailable, the CipherTrust Manager occasionally does not failover to the remaining HSMs, and CipherTrust Manager becomes unavailable. Workaround: Reboot the CipherTrust Manager instance to reconnect to remaining HSMs. |
| KY-61054 | Problem: While migrating from KeySecure Classic to CipherTrust Manager, if the local CA is signed by an external CA, the migration will fail for the local CA even if the external CA is added to the known CA list. Workaround: If an externally imported CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, the CA will be migrated as an external CA, but the certificates will not be migrated to the CipherTrust Manager. Therefore, to use the same certificate for the NAE/KMIP interface on the CipherTrust Manager, select the migrated external CA and upload its certificate manually by editing the NAE interface on the CipherTrust Manager. Similarly, if a local CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, use auto-generation or issue a new certificate and upload the certificate to the interface. |
| KY-63347 | Problem: The SNMP trap notification linkDown, indicating a network interface is down, is not sent immediately in a multi-NIC environment. The trap notification is sent after CipherTrust Manager reboot. |
| KY-62563 | Problem: After auto-registering a client, the server audit record for creating a token has an incorrect value for client_id. Workaround: Note the client_name value in the record. Run ksctl clientmgmt clients list --client-name <client_name_value> to return client details including the client ID. |
| KY-61892 | Problem: The NAE and KMIP clients get auto-registered even if the system property, ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN, is disabled, the user impersonated by the client certificate is not created in the root domain, and the registration token is generated in the root domain. However, the client won't be able to communicate to the CipherTrust Manager on any interface. |
| KY-61722 | Problem: Deleting a domain that contains an NAE (ProtectApp) client returns status code 500. |
| KY-61056 | Problem: After first restart/reboot of CipherTrust Manager for cluster certificate renewal, cluster nodes statuses still display as down. Workaround: Restart all CipherTrust Manager nodes one at a time once again. |
| KY-60595 | Problem: If you attempt to create a domain with an existing name, the domain creation fails as expected. However, you can no longer delete the user specified as the domain administrator. Workaround: Contact customer support to delete the user. |
| KY-59993 | Problem: CipherTrust Manager does not validate the CA certificate file on creating or updating a legacy syslog connection in Admin Settings. |
| KY-59952 | Problem: Only the 10 most recent alarm configurations are listed in the GUI. Workaround: Manage alarm configurations through the ksctl records alarm-configs CLI commands or the /v1/audit/alarm-configs REST API endpoint. |
| KY-59762 | Problem: UI Search results are not retained for users when navigated to another page. |
| KY-59705 | Problem: UI always shows server/client records disabled and logs ReadProperties authorization error for users in the Audit Admins group. |
| KY-57097 | Problem: Users in the Read-Only Admins group are not able to download files for debug logs, web activity logs, NAE activity logs, or KMIP activity logs. Workaround: Create a new group and attach a policy with these allowed actions: "Read*", "List*", "Get*","DownloadLogs", "UpdateLogLevel", "DownloadActivityLogs", "DownloadDebugLogs". |
| KY-56426 | Problem: Deleted groups still show up in the key details information on the CipherTrust Manager. |
| KY-56213 | Problem: If you attempt to create a Luna Network HSM STC partition in connection manager and upload a partition identity file, the upload fails with the error Code 14: NCERRInternalServerError: unexpected error. This is because CipherTrust Manager doesn't recognize the format of the partition identity file downloaded from Luna Network HSM. Workaround: Use the Linux command base64 -wo on the partition identity file to convert it to base64 format, and then re-attempt the STC partition creation. |
| KY-55987 | Problem: If you have a scheduled job set to run on a particular cluster node, remove the node from cluster, and then rejoin it, the scheduled job runs on all cluster nodes instead. Workaround: After making any changes to cluster membership, update the scheduled job run_on parameter to reflect the current cluster node ID. |
| KY-55416 | Problem: Alarms table does not support retention policy. Record based alarms will fill up the table. Workaround: Contact customer support. |
| KY-54039, KY-55544 | Problem: Syslog message redirection from child domains to parent domains stops when 30 or more child domains enable this feature. |
| KY-54374 | • With legacy Syslog servers, there is a performance drop after increasing 20 Syslog entries in the system. • The new log forwarders support a maximum of 100 connections internally. Each domain consists of four matrices/labels. If there are 25 domains (including root) in the system and all four matrices are enabled, then only for a maximum of 25 domains the logs will be forwarded. |
| KY-61196 | Problem: In a CipherTrust Manager cluster, if two nodes are disconnected and you create the same user on both nodes and update them with same DN, on re-connect, duplicate users get created. Workaround: Duplicate users cannot be authenticated as regular users, therefore, function as redundant users. It is recommended to delete these users to avoid any confusion. However, if you don't delete them, you will be allowed to log in with one user only. |
| KY-61423 | Problem: KMIP Query request doesn't return supported operations such as encrypt, decrypt, and sign. |
| KY-61373 | Problem: The support for ProtectV is removed from the CipherTrust Manager, but the ProtectV license still shows up after the upgrade from version 2.10.0 to 2.12.x. |
| KY-61299, KY-61402 | Problem: The emptyMaterial parameter is set to false for a destroyed key. As the key material is deleted, emptyMaterial should be set to true. |
| KY-59807 | Problem: Start CipherTrust Platform Evaluation request takes 18-20 seconds and Stop CipherTrust Platform Evaluation takes 12-15 seconds, and occasionally times out. Workaround: Reload the page. |
| KY-59471 | Problem: The trusted CAs, in the existing custom interfaces, don't get replicated on a new node joining in a cluster. This leads to failure of the client (NAE, KMIP, and REST) authentication on the new node. Workaround: Update the trusted CA manually on the interface of that node where the issue persists. |
| KY-60048, KY-60057 | Problem: Adding more than 26 external trusted CAs to KMIP interface throws "pq: payload string too long" error. |
| KY-43666 | Problem: After upgrade, cannot register a client if there is an existing client with same Subject DN and auth_mode as "fp".Workaround: Delete the existing registered client using auth_mode "fp" and auto-register the new client. |
| KY-60420 | Problem: If you download Luna STC Client Identity from the CM web console GUI, the file is formatted incorrectly and registration on Luna Client fails. Workaround: Download the Luna STC Client Identity through the REST API with GET /v1/connectionmgmt/services/luna-network/client or through the CLI with ksctl connectionmgmt luna-hsm servers client-get. Use the command base64 -d to decode the a text format that is acceptable to Luna Network HSM. |
| KY-59893 | Problem: Signature rules are not copied to a clone policy. Workaround: On the policy details page, manually add the missing signature rules. |
| KY-59842 | Problem: MFA setting cannot be modified from the View/Edit option for a GuardPoint. Workaround: Modify the MFA setting using the Multifactor Authentication toggle in the GuardPoints list. |
| KY-59483 | Problem: OCI test connection does not work if the OCI user has access to only a sub-compartment. Workaround: On the Oracle cloud, add the OCI user to the admin group. Alternatively, update the first two policies as: Allow group cckm-group to manage vaults in tenancyAllow group cckm-group to manage keys in tenancyRefer to Apply Policies to the User Group. This issue will be resolved in 2.13. Upgrade to 2.13 or higher when available. |
| KY-58939 | Problem: Displayed Domain Level Usage for KMIP Clients on Licensing page shows total client usage for all domains instead of just the current domain. |
| KY-53681 | Problem: You cannot delete the default backup key if it is uploaded from another domain. Workaround: Contact customer support. |
| KY-52137 | Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded. Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys. |
| KY-51664 | Problem: When nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a ServerAccessDenied error, and CipherTrust Manager raises the HSM is offline system alarm. Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts. |
| KY-49376 | Problem: If a CipherTrust Manager is deployed at a version lower than 2.8, a CTE license is installed, and the CipherTrust Manager is upgraded to 2.8 or higher, the displayed CTE license usage count is incorrect. Workaround: In a domain with pre-existing CTE clients, create or register a new CTE client, and then delete the new client. |
| KY-49126 | Problem: After the external CA is uploaded on the CipherTrust Manager, the GN and DC fields are not displayed as part of the record. |
| KY-49082 | Problem: If you set a CipherTrust Manager to use a non-default port for the web interface, other than 443, you cannot join the CipherTrust Manager to a cluster. The join operation hangs and never completes. Workaround: Enter the IP address and port in the Public address of the new node field, disable the Cluster address is the same as the Public address checkbox, and then enter the IP address without the port in the Cluster network address of the new node field. |
| KY-48284 | Problem: Domain backups with local users cannot be restored into another domain in the same cluster. Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered. |
| KY-47184 | Problem: After upgrade, services sometimes fail to restart with an error message starting with Forcing migration for retry. Workaround: Contact customer support to recover from this state. |
| KY-42690 | Problem: If you edit the default port value on the web or KMIP interface, and then join the CipherTrust Manager to a cluster, web or KMIP requests directed to the changed port value fail on other nodes. This is true even though the nodes in the cluster display the new, correct port value for these interfaces. Workaround: On CipherTrust Manager nodes with failing requests, change the interface port number to a temporary value, and then change the interface port number again to the desired value. |
| KY-39354 | Problem: Scheduled Partial Domain Backups and Domain Backups fail when there is an SCP connection. The backup file is created on CipherTrust Manager, but it is not forwarded through SCP, and the file is invalid. Workaround: If scheduled backup through SCP is needed, create a System Backup. |
| KY-39235 | If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain. |
| KY-37961 | Problem: If you add a user only to the "CTE Admins" group and attempt to create a registration token on the UI, the operation hangs and never completes. Workaround: Add the user to the "admin" or "CA Admins" group in addition to the "CTE Admins" group. |
| KY-27450 | Local Certificate Authorities (CAs) do not allow commas , in any of the fields. Workaround: Configure an External CA instead. Use a backslash \ in the Distinguished Name (DN) while creating a user if you are using certificate based login. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value. All other printable characters are allowed, as per RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC. |
| KY-25152 | You cannot pass in a custom SSH key via cloud init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances. Workaround: Login to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login. |
| KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
| KY-13343 | Uploading an existing backup results in error but is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as backup ID. |
| KY-11517 | [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
| KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic:
|
| KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, AES-GCM encrypt/decrypt operations, AuthenticatedEncryptionTag is returned appended to CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic:
|
| KY-7193 | Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created. |
| KY-6383 | Users with a pipe in their user names (for example, user1|something) cannot log on using NAE/KMIP. |
| KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
| KY-2418 | (was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves. |
| KY-1373 | (was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used. |
| KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
| NC-3573 | Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface. |
| NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
| NC-2063 | If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
CipherTrust Application Data Protection (CADP for C)
| Issue | Synopsis |
|---|---|
| KY-47385 | Problem: If you migrate a non-deletable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "deletable". Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-deletable. |
| KY-47374 | Problem: If you migrate a non-exportable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "exportable". Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-exportable. |
CipherTrust Cloud Key Manager
| Issue | Synopsis |
|---|---|
| KY-92814 | Problem: CCKM GUI: After applying a filter to a column, if you navigate away from the screen and return back, the filter may not persist. Workaround: Apply the filter again. |
| KY-87019 | Problem: GWS GUI: When creating a new endpoint, the Identity Provider list displays only 10 identity providers. Workaround: Use the API to create a new endpoint using the required identity provider. |
| KY-86980 | Problem: Salesforce GUI: When adding a new Salesforce key using DSM to configure the source key, the DSM Domain field on the Configure DSM Key screen may not display all the available DSM domains. Workaround: Use the API to add a new Salesforce key by uploading a DSM key created in a specific DSM domain. |
| KY-89969 | Problem: Cloud key management APIs don't work behind a proxy for Google EKM, Google Workspace CSE, SAP, and DSM. Workaround: Add the proxy URLs for your cloud to the proxy exception list and allow this URL in the firewall. Refer to URLs to Whitelist for Running CipherTrust Manager Behind Proxy. |
| KY-84440 | Problem: AWS GUI: Alias specified when linking an unlinked AWS HYOK key is not attached to the key. Workaround: Add the alias on the detail page of the key. |
| KY-82370 | Problem: In a configuration with multiple Luna Network HSMs in high availability mode configured in the connection manager, when the HSM in use becomes unavailable, CCKM occasionally doesn't failover to the remaining HSMs. |
| KY-81547 | Problem: AWS: Key rotation doesn't succeed if the AWS connection no longer has access to the KMS keys. |
| KY-81514 | Problem: SFDC: Refresh operations on CCKM don't remove certificates that are deleted from the SFDC console. |
| KY-73919 | Problem: Synchronize Salesforce certificate operations don't display error messages in audit logs. |
| KY-77825 | Problem: CCKM GUI: Account filtering doesn't work for the AWS keys and saved policies. |
| KY-76609 | Problem: The custom policy statement doesn't update when rotating an AWS key on which the encrypt permissions are disabled (the "Disable Encrypt Permissions on Current Key" check box is selected). |
| KY-73679 | Problem: Azure GUI: While importing an Azure certificate, if you select Yes for "Is Certificate File Password Protected?" and specify a password, later if you change to No without clearing the entered password, the password parameter is still picked up from the GUI. Workaround: Clear the specified password, and select the No option for "Is Certificate File Password Protected?". |
| KY-72210 | Problem: [AWS, Azure, and Luna HSM GUI]: When adding a new container or changing the connection of a container, the GUI lists only 10 connections. Workaround: Use the API or CLI to view all connections added to the CipherTrust Manager. |
| KY-72067 | Problem: [GUI]: Salesforce mTLS connection doesn't work when the Salesforce connection to the CipherTrust Manager is configured using the Client Secret authentication. Workaround: Use the Certificate authentication when creating the Salesforce connection to the CipherTrust Manager. |
| KY-71243 | Problem: [GUI]: Intermittent: If the key source has a large number of keys (say, in thousands), fetching all the keys may take a significant amount of time or the request may time out. Workaround: Use the API or CLI to fetch the keys. |
| KY-71194 | Problem: [AWS GUI]: Intermittent: If the CipherTrust Manager has a large number of keys (in thousands), while adding an external key store, request to fetch the health check keys times out. The Health Check Key drop-down list does not display the existing keys. Workaround: Add the external key store using the API or CLI. |
| KY-65520 | Problem: System might appear slow when the cloud event logs are more than 10 million. Workaround: Contact Thales Customer Support to clean the event logs. |
| KY-65165 | Problem: [SAP]: A delete key job remains in the PENDING state for long time and fails intermittently. This issue is at the SAP end. |
| KY-65151 | Problem: If you navigate to Cloud Key Manager > Containers > Oracle Vaults, an error is displayed in the browser console, "Why is lifecycle_state not in {region {...}} ". Workaround: No impact on the functionality, ignore the error. |
| KY-64955 | Problem: [Azure]: If a vault (say vault-1) is first added and synchronized in the CipherTrust Manager in a domain (say domain-1), and later added to another domain, the associated key_vault_id is changed for keys in domain1, leaving keys in domain-1 unuseable.Now, if vault-1 in domain-1 is refreshed, all the keys (except those marked as DELETED) are again useable. Note that, even after the refresh, the users cannot perform any operations on the keys marked as DELETED in domain-1. |
| KY-64933 | A CCKM User with the View BYOK ACL on AWS KMS can view the AWS Native keys. The user can view BYOK keys if it only has the View Native ACL. |
| KY-64700 | Problem: [AWS GUI]: While configuring a key policy, the Key Admins and Key Users tabs show 100 admins/users only. Workaround: Add/update the key policy in the Raw view. |
| KY-61252 | Problem: When using an AWS Assume Role KMS account, the ARN of a modified key policy on CCKM is different than the key policy ARN on the AWS cloud. Workaround: Refresh the AWS Assume Role KMS account. |
| KY-60614 | Problem: When a policy template (P1) is created in a KMS (for example, K1), then if the KMS is deleted, and re-added with the same name (K1), the policy template can be listed, but its details cannot be viewed. |
| KY-60380 | Problem: [Azure Certificates]: When a certificate issued by DigiCert is pending approval from them, CCKM does not show the in progress, failed, or cancelled certificates. They are marked as deleted. |
| KY-60354 | Problem: [AWS]: When a key is created, the path is not concatenated with the admin and user name in the policy. Workaround: When creating a key, specify the policy in the Raw View. |
| KY-60113 | Problem: [SAP]: Deleted Luna HSM keys are displayed when uploading a new key or adding a new version. |
| KY-60008, KY-59449 | Problem: [Azure]: Should not show release policies and export option for non-exportable keys while adding a new version or a schedule. |
| KY-59906 | Problem: [AWS GUI]: When updating the region of a KMS created with AssumeRole, the GUI displays all the available regions. They should be separated according to the assumed role. |
| KY-59495 | Problem: [AWS]: The Create Key Policy page becomes nonresponsive when adding a policy with formatting issues. Workaround: Retry with the correct policy format. |
| KY-59483 | Problem: OCI test connection does not work if the OCI user has access to only a sub-compartment. Workaround: On the Oracle cloud, add the OCI user to the admin group. Alternatively, update the first two policies as: Allow group cckm-group to manage vaults in tenancyAllow group cckm-group to manage keys in tenancyRefer to Apply Policies to the User Group. This issue will be resolved in CipherTrust Manager v2.11.1 and 2.13. Upgrade to version 2.11.1, 2.13, or higher when available. |
| KY-58241, KY-58239 | Problem: While generating or deleting a report for all clouds except SAP cloud, the GUI shows a generic error Unable to generate Google report for given parameters for unauthorized users. |
| KY-56952 | Problem: GCP GUI: ACLs of Google Projects for cryptospaces and cryptospace endpoints can't be updated with the "CCKM Users" group. Workaround: Use the API to update the ACLs with the "CCKM Users" group. |
| KY-56787 | When using GET /v1/cckm/ekm/endpoints?relative_resource_name_without_version=-1 to filter the list of EKM endpoints by unique cryptospace endpoints, the first version of each endpoint is returned. However, the expected behavior is to return the latest version of each endpoint. |
| KY-56786 | To filter the results of GET /v1/cckm/ekm/endpoints to list EKM endpoints based on the request query parameters of cryptospace_name (for cryptospace name) or gcp_relative_resource_name (for relative resource name of a GCP Cloud KMS key) using the wildcard search does not work. Workaround: To filter the results based on either of these parameters, use the full name for each of these parameters. |
| KY-55676 | Azure GUI: On the certificate details page, the X.509 SHA-1 Thumbprint is displayed as base64 encoded. |
| KY-42082 | SAP Data Custodian: SAP key activity report doesn't show any data. This issue is at the SAP end. |
| KY-39123 | SAP Data Custodian: When a SAP group is added again, then performing any enable, disable, update, and add new version operation on a key in the group returns the "500 Internal Server Error". Workaround: Refresh the newly added group, add the key again, and retry operations. |
| KY-35220 | When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned. Workaround: Refresh all the key vaults. |
| KY-31186 | If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception ( cloudkms.googleapis.com) with no_proxy or use the proxy with username and password, and restart the services. |
| KY-31058 | The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work. |
| KY-27583 | CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state. This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state. Workaround: Delete the running and scheduled jobs from the API playground, and retry. |
| KY-17213 | When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
CipherTrust Database Protection
| Issue | Synopsis |
|---|---|
| KY-82266 | Problem: A non-admin user of the ProtectDB Users group can't migrate tables on the CipherTrust Manager. |
| KY-81007 | Problem: DatabaseID is not set in metadb ing_property.Workaround: Perform adddb operation using the pdbctl utility once. |
| PDB-3293 | Problem: If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
Application Data Protection
| Issue | Synopsis |
|---|---|
| KY-56048 | The delete application operation fails when the number of clients reaches 300. |
| KY-56047 | The Protection Policy page crashes when the name of protection policy exceeds 50 characters. |
CipherTrust Data Discovery and Classification
| Issue | Synopsis |
|---|---|
| KY-9098 | DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store. |
| KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
| KY-9399 | The XVA file contains a data object that is was reported when it should not. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object in the Data Objects tab is displayed in the UI. You should ignore it. |
| KY-8990 | Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
| KY-24205 | The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store. Solution: For possible solutions, check the following:
|
| None of the clustered nodes responds to requests to DDC. DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in next releases. Solution:
| |
| KY-22666 | DDC may not scan big Data Objects for Data Stores other than local storage. The threshold to consider is a file as big as half of the assigned scan RAM. When a DDC scan encounters a file exceeding this threshold, it may completely skip the file or scan just up to that threshold. The user has no way to identify the issue from DDC reports. Possible Workarounds:
|
| KY-13618 | Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted. When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled. Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost. |
| KY-19763 | OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase. |
| KY-21981 | Postgres tables without primary keys are not completely scanned DDC can only scan Postgres tables if they have at least one primary key defined. Workaround: Configure at least one primary key in the tables and run the scan again. |
| KY-27855 | "Something went wrong" message when generating a report with many scans.Report with many scans cannot be generated due to timeout in the requests between CM and the TDP servers. Workaround:
|
| KY-27102 | Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports. |
| KY-34462 | In G-Drive DDC scans all the path to which the scan path is prefixed. When scanning a specific G-Drive folder, the scan is extended onto all folder names that contain the name of the folder that you intended to scan. |
| KY-30138 | MongoDB reports will only contain information for the first 1M documents even when more than 1M documents are scanned. Workaround: Run scans with less than 1M documents. |
| KY-46340 | Office365: OneDrive for Business - Using wrong OneDrive domain while probing or scanning does not return an error. Also a scan with the wrong domain and path does not return any error and it completes successfully. |
| KY-48874 | A scan with MySQL datastore (version 8.0.30) fails due to "failed status in the scanner service". |
| KY-49115 | Discrepancies in scan results of infotypes for the same file in DDC 2.10 and 2.9. These infotypes show discrepancies: - Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10) - China Union Pay: 1000 (in 2.9), 921 (in 2.10) - Discover: 1001 (in 2.9), 919 (in 2.10) - Diners Club: 1001 (in 2.9), 1002 (in 2.10) |
| KY-51301 | For SMB Data Stores with remediation enabled, scans performed after remediation completes may not find matches in encrypted files. Workaround: Automatic agent selection does not narrow the selection of DDC Agents to those installed on host with a CTE Agent in the Agent Group protecting the SMB Guard Point. If DDC selects any of those agents, further scans on the SMB will read the encrypted content and therefore will be unable to find any match. In order to avoid this issue, please assign use labels to force DDC to select only the right agents as follows: - Add one dedicated label to the DDC Agents installed on the hosts with valid CTE Agent, - Associate that same label to the SMB Data Store, in order to guide automatic agent selection algorithm. |
| KY-51306 | DDC Agent version 2.6 fails to configure for SMB datastore using hostname or IP. Workaround: If the hostname or IP do not work as credentials, instead try only the username. |
| KY-51550 | Office365: OneDrive for Business - Scan progress reaches more than 100%. |
| KY-51586 | A scan of a LONGBLOB file in MySQL gets stuck while scanning. DDC should be able to scan a 20 MB table, as LONGBLOB data type supports up to 4 GB of data, yet it fails. |
| KY-51623 | Partial Scan in BLOBs of size greater than 100 MB in MSSQL. NOTE: If a file is partially scanned, it will be considered in the inaccessible location list. |
| KY-52297 | DDC scan fails with an empty GuardPoint path for a SMB data store. Solution: A GuardPoint for a data store must always have a path configured in CTE. |
| KY-51695 | DDC is only able to scan the initial 4 KB of any text file stored as a large binary object in database tables. |
| KY-52494 | From this DDC version on (DDC-2.10), RHEL-compatible Agents can only be installed on environments running the matching and officially supported kernel version. |
| KY-52532 | Autopause feature not working as expected in Azure Table scans. A scan of Azure Table with the "Autopause" feature enabled has the following issues:
|
| KY-42593, KY-42491 | Launching a second scan with any Data Stores in common with a running scan may restart the first scan progress on the shared Data Store, or even fail it if the first scan is manually paused. Workaround: Minimize scan concurrency on any given Data Store and use automatic pause, as automatically paused scans normally do not fail. |
| KY-23163 | A scan goes into an interrupted state for CIFS after restarting the agent. This only happens on Windows Server agents and for the Exchange Server and Windows Local Storage. Solution: 1) Restart the Windows agent with the scan in the "Paused" state. Then resume the scan, and it will go into the "Scheduled" state. 2)Restart the Windows agent one more time and the scan comes back to normal. |
| KY-55916 | Full DS scan on SAP HANA fails with an "Internal Error". SAP HANA scans on specific target paths (the schema to which the user has privileges) are successful. The database can contain schemas to which the user does not have privileges. The scan on a full datastore will try to scan all schemas that are present in the database and as a result the scan will fail due to the lack of privileges on some schemas. |
| KY-56181, KY-56104 | Scan progress and Scan Status windows are stuck at partial progress for a scan path with many folders / tables. The scan progress gets stuck as it receives too many scan sub-paths and fails to display the updated information, but the scan keeps running and will eventually complete. Workaround: Run several partial scans for the data store. |
| KY-56387 | The count of data stores in the Agent List section does not change for the Exchange Server data store. The number of data stores linked to an agent on the agents page is updated once the data store is ready, except for the Exchange Server data store. |
| KY-56389 | Scan does not get triggered if it is scheduled for the Asia/Kolkata time zone after 12 am. When using the API to create a scan and scheduling it for the Asia/Kolkata time zone from 12:00 am to 5:30 am, it is necessary to set a date that is one day before, otherwise the scan will not activate and commence. |
| KY-53620 | Targeted scans of a smaller dataset in a G-Drive data store take a long time, if the overall data that is stored in G-Drive is of a larger size (for example, over 500 GB). |
| KY-56390 | Scanning of any data from an Exchange Server data store works only if the agent is installed on the same machine as the Exchange Server. |
| KY-60493 | A scan is failing with an internal error when an entire SMB share is scanned. A scan of a full SMB datastore takes a long time and and ends with an internal error. Scanning a sub folder only gives no problem and you can generate a report. |
| KY-58877 | The datastore count does not decrease for an agent which is no longer assigned to that datastore. Normally, after a datastore comes into the "Ready" state the count should be decreased by 1. |
| KY-58944 | A wrong or misleading message in the Scan Status window when the FF_ML is not enabled. If you create and run a scan on any Data Store and then keep refreshing the page, when the scan reaches 100%, and you bring up the Scan status window, it says: 'Regex Process is Completed. Scan is still running since one of the 2 processes is not yet completed.' Typically, a scan reaches 100% complete, the Scan Status window should be: Scan Status: 100% completed. |
| KY-64105 | DDC keeps a network connection to TDP open while processing the scan execution results. In case of unreliable network connectivity between CM and TDP, this may cause an error processing the scan results. In order to mitigate this issue, please ensure there are no network disconnections between both components. Solution: DDC 2.13 includes a change in the processing logic to download the full scan results to a temporary file in CM, this way minimizing the duration of the open connection. |
CipherTrust Secrets Management
| Issue | Synopsis |
|---|---|
| KY-64835 | Problem: If you attempt to modify the protection key for an existing certificate-type secret in the Akeyless console, an exception stating Unexpected error is displayed. Workaround: Delete and re-create the existing secret with the desired protection key. |
| KY-64751 | Problem: If you launch the Akeyless console from the Secrets Management tile, and the CipherTrust Manager session expires or is manually logged out, the Akeyless console session logs out as well. Workaround: Refrain from logging out from the CipherTrust Manager UI unless you also want to log out from the Akeyless UI. |
| KY-63288 | Problem: Some internet browsers, such as Mozilla Firefox, Google Chrome, or Microsoft Edge launch the secrets management tile as a pop-up, and prompt to allow pop-ups. Workaround: Allow pop-ups from the CM UI if prompted. |
| KY-63116 | Problem: If you restart all services, the Akeyless console and Akeyless gateway services return a 502 bad gateway error, and display the message "Oops! Something went wrong..." in the browser, instead of displaying in the "Following services are starting up:" message on the CM login page. Workaround: Wait 40 seconds for the Akeyless services to start up and then re-attempt visiting Akeyless console or Akeyless gateway. |
| KY-62702 | Problem:Server audit records include messages about the Akeyless SSO token when the Akeyless console is not open or in use. Workaround: Ignore these messages. They are the result of a background process. |
| KY-61568 | Problem:The POST /v1/connectionmgmt/services/akeyless/connections operation in the API playground to create a new Akeyless connection introduces unnecessary parameters "meta", "products", and "category".Workaround: Ignore these parameters. They do not affect the functioning of the Akeyless connection. |
CipherTrust Transparent Encryption
| Issue | Synopsis |
|---|---|
| KY-75787 | Problem: When new configurations are done on a CipherTrust Manager's cluster node not reachable by the clients, the clients don't receive new configurations from the reachable nodes of the cluster. Workaround: • Create or update configurations on the CipherTrust Manager's cluster node that is reachable by all clients. • If configuration is already there, but it is not pushed to the clients, use the browse option on the cluster node reachable by the clients. Browsing initiates an authenticated route from the clients. |
| KY-62336 | Problem: When creating an IDT GuardPoint on ESG enabled CTE for Windows clients, IDT policies are not visible for selection. Workaround: Use the API to apply IDT GuardPoints. |
| KY-60249 | Problem: The get /v1/transparent-encryption/policies API does not return the complete list of policies added to the CipherTrust Manager.Workaround: Run the get /v1/transparent-encryption/policies API with limit as -1. |
| KY-59893 | Problem: Signature rules are not copied to a clone policy. Workaround: On the policy details page, manually add the missing signature rules. |
| KY-59066 | Problem: Displayed Domain Level Usage for CTE Clients on Licensing page shows client usage for all domains instead of just the current domain. |
| KY-55739 | Problem: When a CipherTrust Manager user having only CTE Admins group permissions initiates a Quorum-dependent operation, a corresponding Quorum is created. After the required Quorum approvals, the operation does not auto-trigger in the background. Workaround: Retry the operation after the required Quorum approvals. |
| KY-55511, KY-55527, KY-55275, KY-55528 | Problem: Simultaneous composite operations (for example, update and delete) are not supported for quorums. |
| KY-55273 | Problem: If quorum is activated for client group deletion, then bulk client group deletion generates multiple quorums in pre-active state. Workaround: Delete client groups individually. |
| KY-55064, KY-54442 | Problem: In case of bulk client or client GuardPoint deletion, the quorum details may not be available. However, quorum operations (such as approval, rejection) can be performed. This issue has no impact on functionality. |
| KY-51135 | Problem: Group members cannot be imported from ldap for user sets. |
| KY-34329 | Browsing VxVM raw devices that have slash in the path names shows non-existing directory in the GuardPaths. Workaround: Create GuardPoints by manually entering the raw device paths. |
Batch Data Transformation (BDT)
| Issue | Synopsis |
|---|---|
| KY-72695 | Problem: 500 Status code occurs when fetching BDT policies. |
ProtectApp
| Issue | Synopsis |
|---|---|
| KSCH-16415 | The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API. |
ProtectFile
| Issue | Synopsis |
|---|---|
| KSCH-573 | Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
| KSCH-568 | Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
| KSCH-567 | Modifying a file level encryption rule to set the “isRecursive” flag does not return error. |
| KSCH-564 | Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |
CipherTrust Intelligent Protection
| Issue | Synopsis |
|---|---|
| KY-56816 | Problem: Unencrypted report is generated for few files if user reboot the machine during remediation. Workaround: User need to run scan with reclassify option or full scan again to generate correct report. |
| KY-55480 | Problem: Cross domain client registration is not working with CIP. |
| AGT-43391 | Problem: All files are not encrypted on performing bulk rename during remediation on Linux Local Storage with STD/LDT policy. Workaround: All remaining files will get encrypted after a periodic CIP scan which runs after 8 hours (default). |
| KY-36741 | Problem: File becomes plain with MOVE operation of a tagged file with ACL and STD policy on Linux. |
