Release Notes
Product Description
CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
Product Abbreviations
Name | Abbreviation |
---|---|
CipherTrust Batch Data Transformation | BDT |
CipherTrust Manager | CM |
CipherTrust Application Data Protection | CADP |
CipherTrust Application Key Management | CAKM |
CipherTrust Cloud Key Manager | CCKM |
CipherTrust Data Protection Gateway | DPG |
CipherTrust RESTful Data Protection | CRDP |
CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
CipherTrust Live Data Transformation | LDT |
CipherTrust Transparent Encryption | CTE |
CipherTrust Transparent Encryption for Kubernetes | CTE-K8s |
CipherTrust Transparent Encryption for Ransomware | RWP |
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
CipherTrust Intelligent Protection | CIP |
CipherTrust Data Discovery and Classification | DDC |
CipherTrust Vaulted Tokenization | CT-V |
CipherTrust Vaultless Tokenization | CT-VL |
Data Protection on Demand | DPoD |
CipherTrust Secrets Management | CSM |
Release Description
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570 and k470 CipherTrust Manager and Thales TCT k160 devices, and existing k170v Virtual CipherTrust Manager instances.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.16.0 Virtual CipherTrust Manager is available on the following public clouds, as the Community Edition:
Amazon Web Services: SafeNet Cloud Provisioning System
Google Cloud
Note
As 2.16.0 is not the default version, you must use the gcloud CLI to retrieve it.
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Oracle Cloud
IBM Cloud
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud Gen2.
2.16.x contains a number of new features and enhancements. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.16.1
The 2.16.1 release includes fixes for the issues described in the resolved issues list.
This release is available as an upgrade file. For k470, k570, and Virtual CipherTrust Manager instances, the upgrade can be applied directly on CipherTrust Manager version 2.13, 2.14, 2.15, and 2.16.0. For Thales TCT k160 devices, the supported upgrade path is 2.11.2-tct -> 2.15.0 -> 2.16.1. Supported upgrade methods for the Thales TCT k160 device are unclustered and cluster remove/rebuild.
This release does not address security vulnerabilities discovered after the release of the 2.16.0 minor version. To obtain current security fixes, upgrade to the latest feature release.
Release 2.16.0
Platform
The names of the following services are changed in the services/status API:
vte-management -> cte-management
config-app-database -> adp-management
Support added for pagination and optimization in LDAP User/Group browsing.
Support for system alarms for broken connections in Log Forwarder Connections.
Introduction of System alarms for Syslog, Loki, and Elasticsearch log forwarder connections.
Support of Key Management Mode in HSM Connections.
Support of AES-CTR mode for cryptographic operations on REST and NAE interfaces.
Added support to display and query keys based on the value of the scheduledRotationDate parameter.
Added support to display the public key in <KeyInfoResponse> if <PublicKeyData> is used in the request.
Added capability for secret rotation. Also, support added for auto-generation of a secret for type "Password" for licensed users.
NAE activity log format displays CipherTrust Manager hostname/IP.
Added support for the Google Cloud HSM as a root-of-trust.
Added a new system property, HSM-anchored domains data key material caching, to improve cryptographic and key export performance for HSM-anchored domains.
Added log forwarder redirection for Connection Manager log forwarders. This setting can send audit records, KMIP activity logs, and NAE activity logs from a child domain to the log forwarder configured for a higher-level domain.
Limitations
Policies created to manage authentication based on the Client IP parameter don't apply to the requests coming to the NAE and KMIP interfaces with "anonymous login" mode enabled. For details, refer to Client IP.
If a domain has more than 1000 cryptographic objects (keys and opaque objects), to fetch keys, it is recommended to use KeyNamesRequest instead of KeyQueryRequest. The response time of KeyQueryRequest is proportional to the number of keys on the CipherTrust Manager, therefore, it may lead to a timeout exception on the client side.
Currently, the log forwarders are not configured to use the system's proxy configuration. If a proxy is configured, the log forwarders bypass the proxy servers.
The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.
During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and different subject DN. However, for local CAs, it is not required to delete the client to be renewed; instead, set the do_not_modify_subject_dn field to false. Refer to Renew Local CA Client Certificates for details.
CCKM
Technical preview: Added support for Double Key Encryption (DKE) for Microsoft 365.
Licensing: Added capability to generate a report that lists the CCKM licenses consumed per domain. Run the get /v1/licensing/features/ API and see the license consumption under domains_usage. The GUI will be available in CipherTrust Manager v2.17.0.
Added capability to restore the Azure key backup when an Azure Key Vault is deleted.
Support for restoring Azure key backup after key rotation.
Added support for point-in-time backups for Azure keys.
Enhanced GUI to sort AWS KMS accounts by the "Date Added to CCKM".
Enhanced reports to list only the subscriptions or projects that contain vaults and key rings. A new report is available on the console that displays the Google Projects and Key Rings discovered in the KMS Container discovery schedule.
Added capability to replicate asymmetric HSM keys based on the connection mode (clone or export).
Introduced EC key support for Luna Network HSM.
Added FQDN support for Oracle EKMS.
CTE and CTE UserSpace
Information in this section applies to all types of CTE and CTE UserSpace Agents unless stated specifically.
CTE and CTE UserSpace
Added capability to fetch the latest status of a registered client from the CipherTrust Manager GUI at any time.
Automated addition or removal of the ApplyKey effect for all security rules while updating a policy. In the previous release, after enabling or disabling Learn Mode on an existing policy, you needed to manually add or remove the ApplyKey effect to all the security rules having the Deny effect in the policy. Refer to Automatic Addition/Removal of ApplyKey Effect for All Security Rules for details.
Included the Key Name column to the Client Guard Status report.
Added the following CTE-RWP event charts under CTE Protected Data Access Charts to the Thales Security Intelligence app for Splunk:
All Ransomware Protection (RWP) Events
All RWP-Detected Processes
All RWP-Prevented Processes
Enhanced the security of CTE keys by restricting key metadata updates to users who hold both the CTE Admins and Key Admins roles.
CTE Specific
- Enhanced the Client Groups GUI to create sets of LDT-capable clients that can be chosen as preferred primary clients for performing key rotation and key versioning. Only the clients of an LDT Communication Group can be designated as preferred primary clients in the set.
Note
CTE resources of Container policies on the DSM cannot be migrated to the CipherTrust Manager using the backup/restore method. The Container policies are supported only on the DSM.
CTE UserSpace Specific
- Added support for Multifactor Authentication (MFA) to the MFA-capable clients. In MFA, access to the requested data is granted only after the requester satisfies two or more authentication criteria. Refer to Multifactor Authentication for details. This support will be available from CTE UserSpace 10.3 onward.
Notes on CTE UserSpace
CTE UserSpace is a kernel-independent file encryption product. The resources of CTE UserSpace clients running 10.0 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager. These clients can't be managed by the ProtectFile & Transparent Encryption UserSpace application.
This release does not support the following features:
Kernel Compatibility Matrix
Agent and System locks
CBC and XTS keys
COS, IDT, and LDT policies and GuardPoints
To manage the clients running the previous versions of the CTE UserSpace Agent, use the ProtectFile & Transparent Encryption UserSpace application only. Alternatively, upgrade those clients to CTE UserSpace 10.0 or a higher version.
DDC
Extended support for upgraded DDC Agents. Refer to DDC Agents for details.
Enhanced GUI to allow browsing of targets while adding scans. This minimizes the risks of scan failure due to invalid target paths.
Enhanced DDC reports to display data objects that were inaccessible during scans.
Added capability to regenerate aggregated reports associated with scans' latest execution.
Added capability to view history of aggregated reports.
Added tooltip in the GUI to display additional information about data store configurations.
Increased the availability of trace logs at different scan stages (statuses). Refer to Scan Statuses for the list of supported statuses and the supported trace log download formats.
Note
After upgrading to CipherTrust Manager v2.16, the count of scanned data objects could be higher than the actual data objects when scanning data objects like .docx and .xlsx files.
CDP
- Added support for domain/LDAP user in userMapping.
CipherTrust Secrets Management (CSM)
Ability to add trusted CAs to Akeyless container.
Added support for multiple customer fragments within a CipherTrust Manager cluster.
Added support for JWKS URL for JWT/OAuth authentication method using the gateway to fetch public JWT signing keys of CipherTrust Manager in the JWKS format.
Documentation
PDF downloads are now available for CipherTrust Manager 2.16 documentation. Click the "Download Project" icon in the top right for a combined PDF including the current page and related pages, and the "Download this page" icon for a PDF of the current page.
Resolved Issues
This table lists the issues resolved in 2.16.1.
Issue | Synopsis |
---|---|
KY-91499 | AWS GUI: Key rotation schedule can't be updated. |
KY-86892 | Auto-registered NAE clients cannot establish a connection using renewed certificate. |
KY-87552 | When upgrading to CM version 2.16, Web client users receive a Certificate Revocation Check error in the audit records, even for valid certificates. |
This table lists the issues resolved in 2.16.0.
Issue | Synopsis |
---|---|
CM-2 | Secondary k160 token HSMs are re-registered after a system reset generates duplicate root of trust keys causing the system to fail to boot from these token HSMs. |
KY-80776 | When migrating KMIP keys from DSM, the migration utility migrates the key's application specific information incorrectly, therefore the key link page on the UI appears blank. Resolution: This issue is fixed in the latest version of the migration utility, which is compatible with CipherTrust Manager 2.16. |
KY-80453 | If you are using Entrust nShield Connect HSM as a root of trust, remove the admin card from the HSM, and then attempt to reboot the CipherTrust Manager, the CipherTrust Manager does not reboot successfully. |
KY-77825 | CCKM GUI: Account filtering doesn't work for the AWS keys and saved policies. |
KY-74887 | Google EKM: When an existing EKM endpoint (key URI hostname) is updated to include a port, the key URI is displayed without the protocol (https://). |
KY-69549 | If you have configured an LDAP connection to manage CipherTrust Manager users and the LDAP server is not reachable, you cannot retrieve users with "return_groups=true" on GUI, API, or CLI. |
KY-76521 | CCKM: Intermediate keys in Luna HSM aren't cleaned up when the sync operation is performed. |
KY-71399 | For SCP, if algorithms with sha1 are disabled on the destination server, SCP doesn't work with the CipherTrust Manager. |
KY-73963 | Listing the latest version of the keys throws an internal server error when a key policy exists in the system. |
KY-82370 | In a configuration with multiple Luna Network HSMs in high availability mode configured in the connection manager, when the HSM in use becomes unavailable, CCKM occasionally doesn't failover to the remaining HSMs. |
KY-78994 | On an RWP-capable CTE client, when an RWP and any other type of GuardPoints are applied to the same path, the RWP GuardPoint can be disabled but not enabled. |
KY-72709 | CDP: Can't recognize domain user in user mapping. |
KY-75945 | CSM: Rotating Docker Hub target doesn't display the current password in the version list. Therefore, the user is unable to log in to the Docker Hub once the credentials are rotated on the Akeyless. |
KY-80439 | While editing a Cryptospace service account, the entry is removed from the list and added back to the Add Service field on the top. If you keep clicking the Edit option on the next entry, it causes the previous entry to disappear. |
KY-80595 | After upgrading the CipherTrust Manager, editing an existing scan having "No Info" set for the Amount of Data Object Volume from Advanced Configuration results in Validation errors: matchDetail must be one of [minimum balanced maximum]. |
KY-80597 | CCKM Admin users can't create the add KMS container schedules. |
KY-80452 | If you create a log forwarder connection with an invalid hostname, and then add a log forwarder, logs stop forwarding from every configured log forwarder. |
KY-75452 | The auto-registered clients don't get auto-renewed after expiration. |
KY-76021 | SAP GUI: On the SAP Data Custodian Groups page, the Application column and filter show blank values for the Backup/Wrapping Keys (BWK) and SAP Analytics Cloud (SAC) applications. |
KY-75691 | An error is returned on canceling an already completed sync job. Ignore the error message. |
KY-71243 | GUI: Intermittent: If the key source has a large number of keys (say, in thousands), fetching all the keys may take a significant amount of time or the request may time out. |
KY-71194 | AWS GUI: Intermittent: If the CipherTrust Manager has a large number of keys (in thousands), while adding an external key store, request to fetch the health check keys times out. The Health Check Key drop-down list does not display the existing keys. |
KY-69549 | If you have configured an LDAP connection to manage CipherTrust Manager users and the LDAP server is not reachable, you cannot retrieve users with "return_groups=true" on GUI, API, or CLI. |
KY-68495 | When you change the port of the default interfaces (NAE, KMIP & WEB) and take a backup of the CipherTrust Manager, while restoring this backup on any CipherTrust Manager, the /v1/backupStatus API reports the incorrect status and also the success audit record for restore doesn't appear. |
KY-67413 | After creating a secret, Akeyless provides a functionality to share the secrets to an external user through email. This functionality doesn't work on the akeyless console UI integrated with the CipherTrust Manager and throws an error. |
KY-66205 | When custom interfaces are created in a cluster, with certificate auto-generation turned off, the node on which the interface is created accepts the client connections. However, on other nodes, the connection fails. |
KY-65821 | The ls -l command fails in SSH sessions as ksadmin user, in the /home/ksadmin and /opt/keysecure directories. |
KY-56387 | The count of data stores in the Agent List section does not change for the Exchange Server data store. The number of data stores linked to an agent on the agents page is updated once the data store is ready, except for the Exchange Server data store. |
KY-55987 | If you have a scheduled job set to run on a particular cluster node, remove the node from cluster, and then rejoin it, the scheduled job runs on all cluster nodes instead. |
KY-46340 | Office365: OneDrive for Business - Using wrong OneDrive domain while probing or scanning does not return an error. Also, a scan with the wrong domain and path does not return any error and it completes successfully. |
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
Increased Disk Space and Cluster Node Downtime Required for Upgrade from CipherTrust Manager 2.13.x
Due to a major internal database upgrade in 2.14, CipherTrust Manager upgrade requires more free disk space and cluster node downtime when upgrading from CipherTrust Manager 2.13 or below.
You require 35 GB of free disk space to perform the upgrade.
In-place online cluster upgrade requires additional downtime for cluster nodes. An individual cluster node might be unavailable for 10 minutes or more.
During upgrade, the message
NOTICE: skipped replication for captured CCL command "LOCK TABLE in replication sets (kylo)
is displayed multiple times. This is an expected part of backend database configuration and does not indicate a problem.
Required System Volume Disk Size for Virtual CipherTrust Manager
If you have deployed a Virtual CipherTrust Manager with the previous evaluation disk size of 50 GB, you need to increase the system volume disk space to perform the upgrade. We recommend at minimum 100 GB.
NextGen KeySecure and ProtectFile End-of-Support
NextGen KeySecure firmware and the ProtectFile connector reached End of Support in December 2023.
In most cases, you can upgrade from NextGen KeySecure to CipherTrust Manager directly. If you are running the legacy k450 or k460 hardware model, you must migrate data to the k470 or k570 model.
We strongly recommend migrating ProtectFile to CTE or CTE Userspace.
Quorum
Do not enable quorum on the ManagePolicyAttachment and DeletePolicy operations until all the CipherTrust Manager nodes in a cluster are upgraded to 2.10 or a higher version.
SMB Connection
The Host and Port fields must be specified together, or neither of them must be specified. If Host and Port are not specified while creating an SMB connection, these fields cannot be added later.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key, CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend that future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend using CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.
Caution
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true, or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
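The following Go program is an added illustration of the recommendation above; it is not CipherTrust Manager code and does not talk to any CipherTrust Manager interface. It uses only the Go standard library: a caller-supplied IV for AES CBC, so that the legacy stored default-IV pattern (the same IV on every request) can be compared with a fresh random IV per request, and AES GCM with a fresh 96-bit nonce per request. In both modes the IV or nonce is stored in front of the ciphertext, which is the usual way to satisfy the Caution that the IV is needed to decrypt later. The key, the sample record, the fixed IV value, and the AAD string are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomBytes draws n bytes from the system CSPRNG; a failure must never fall back to a fixed IV.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// cbcEncrypt pads with PKCS#7, encrypts under the supplied IV and stores the IV in front of the
// ciphertext because the decryptor needs it later. Pass a fresh randomBytes(aes.BlockSize) per
// request: reusing one stored IV (the legacy default-IV pattern) makes equal plaintexts under a
// key produce equal ciphertexts, which an observer can match up.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// cbcDecrypt reads the IV back from the front of the blob, decrypts, and validates the padding.
func cbcDecrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(out, blob[aes.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return out[:len(out)-n], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal: AES-GCM with a fresh 96-bit nonce per request, nonce prepended to the output.
// A repeated GCM nonce under one key is far more damaging than in CBC, so never use a default here.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen splits off the nonce and verifies the tag before returning any plaintext.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

func main() {
	key := randomBytes(32)                    // constructed demo key; real keys stay in the key manager
	msg := []byte("account=1234;balance=50") // constructed sample record
	fixedIV := []byte("fixed-default-iv")     // models a stored default IV
	a, _ := cbcEncrypt(key, fixedIV, msg)
	b, _ := cbcEncrypt(key, fixedIV, msg)
	c, _ := cbcEncrypt(key, randomBytes(aes.BlockSize), msg)
	d, _ := cbcEncrypt(key, randomBytes(aes.BlockSize), msg)
	fmt.Println("identical ciphertexts for identical records: fixed IV", bytes.Equal(a, b), "random IV", bytes.Equal(c, d))
	p, err := cbcDecrypt(key, c)
	g, _ := gcmSeal(key, msg, []byte("record-id:42"))
	q, err2 := gcmOpen(key, g, []byte("record-id:42"))
	fmt.Printf("CBC round trip %q (err=%v); GCM round trip %q (err=%v)\n", p, err, q, err2)
}
```

The first printed line is the whole point of the recommendation: with the fixed IV, two encryptions of the same record are byte-for-byte identical, so anyone who can see ciphertexts learns which records are equal without any key; with a per-request random IV they differ. When the IV comes from CipherTrust Manager's own random number generation instead of a client-side CSPRNG, the same storage rule applies: keep the returned IV with the ciphertext, since it cannot be recomputed.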
Some Key States Change After Upgrade
After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
As you cannot upgrade directly from 2.4 to 2.16, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.
- When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.
- When a key has an NAE state of Restricted and Protect Stop Date is set in the future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
- When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.
- When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
- When a key has a state of Deactivated before upgrade, its state will be unchanged after upgrade. However, the allowed operations for the Deactivated state change for 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.
System Upgrade and Downgrade Supported Releases
System upgrades on a single unclustered k570, k470, and virtual CipherTrust Manager device have been tested from releases 2.13, 2.14, 2.15, and 2.16.0.
Note
The supported upgrade path for the Thales TCT k160 device is 2.11.2-tct->2.15.0->2.16.x. Supported upgrade methods for this device are unclustered and cluster remove/rebuild.
An unclustered CipherTrust Manager can be downgraded to the previous minor version. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Warning
As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade.
The cluster upgrade section provides instructions to perform an upgrade on a cluster of devices. Supported upgrade paths depend on the method used to upgrade the cluster.
Cluster remove/rebuild is supported from 2.13, 2.14, 2.15, and 2.16.0.
In-place cluster upgrade is performed from one minor version at a time, so there is no limit on starting version.
Restoring a backup from release 2.13 or later is supported; however, restoring a newer backup to an older version is never supported.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Key Usage Mask Selection
If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.
DDC
Upgrading DDC
After you upgrade to version 2.11, you will not be able to downgrade to any of the previous versions.
Clusters
Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (which gives the impression that DDC fails randomly).
Licensing
Overlapping licenses are not supported (except for the trial license).
EOS for Legacy Reports
The support for Legacy Reports has been dropped in DDC 2.11.
EOS for KCT Datastore
The KCT datastore format reached End of Support in DDC 2.11.
Upcoming End of Support for Platforms and Features
Linux 2.4 Node Agents
Email Targets - Microsoft Exchange (EWS)
Microsoft 365 - Exchange Online (EWS)
Web Browser - Internet Explorer
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
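The following Go program is an added example, not CipherTrust Manager code, showing how a client written against the NAE, KMIP or REST interfaces can pin itself to the defaults documented above and flag connections that still rely on deprecated settings. It uses only the Go standard library: it resolves the accepted ciphersuite names from the table to Go's identifiers, builds a tls.Config with TLS 1.2 as the floor and only those suites (Go fixes the TLS 1.3 suites itself and ignores Config.CipherSuites for 1.3), and checks a negotiated tls.ConnectionState against the two deprecation notices. The server name is a placeholder, and the connection states in main are constructed stand-ins for real handshakes.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// acceptedSuites are the ciphersuites CipherTrust Manager accepts by default for TLS 1.2+,
// copied from the compatibility section above.
var acceptedSuites = []string{
	"TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256",
	"TLS_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3",
}

// suiteIDsByName maps IANA suite names to Go ciphersuite IDs. It consults Go's secure and
// insecure lists so deprecated CBC names resolve too; names Go does not implement are
// reported back rather than silently dropped.
func suiteIDsByName(names []string) (ids []uint16, unknown []string) {
	byName := map[string]uint16{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[cs.Name] = cs.ID
	}
	for _, n := range names {
		if id, ok := byName[n]; ok {
			ids = append(ids, id)
		} else {
			unknown = append(unknown, n)
		}
	}
	return ids, unknown
}

// clientConfig offers only what CipherTrust Manager accepts by default: TLS 1.2 as the floor
// and the ECDHE+GCM suites, so the client can never negotiate a deprecated CBC suite.
func clientConfig(serverName string) (*tls.Config, error) {
	ids, unknown := suiteIDsByName(acceptedSuites)
	if len(unknown) > 0 {
		return nil, fmt.Errorf("ciphersuites not implemented by this Go runtime: %v", unknown)
	}
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12, CipherSuites: ids}, nil
}

// deprecationWarnings checks a negotiated connection against the deprecation notices above:
// a protocol version below 1.2 and any CBC-based suite. Run it on conn.ConnectionState().
func deprecationWarnings(cs tls.ConnectionState) []string {
	var w []string
	if cs.Version < tls.VersionTLS12 {
		w = append(w, fmt.Sprintf("negotiated %s; TLS 1.0/1.1 support is deprecated", versionNames[cs.Version]))
	}
	if name := tls.CipherSuiteName(cs.CipherSuite); strings.Contains(name, "_CBC_") {
		w = append(w, fmt.Sprintf("negotiated %s; CBC ciphersuites are deprecated", name))
	}
	return w
}

func main() {
	cfg, err := clientConfig("cm.example.invalid") // placeholder hostname
	if err != nil {
		panic(err)
	}
	fmt.Printf("client offers %d suites, minimum %s\n", len(cfg.CipherSuites), versionNames[cfg.MinVersion])
	// Constructed connection states standing in for real handshakes.
	legacy := tls.ConnectionState{Version: tls.VersionTLS11, CipherSuite: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}
	modern := tls.ConnectionState{Version: tls.VersionTLS13, CipherSuite: tls.TLS_AES_256_GCM_SHA384}
	fmt.Println("legacy:", deprecationWarnings(legacy))
	fmt.Println("modern:", deprecationWarnings(modern))
}
```

Wiring deprecationWarnings into a client's logging after each handshake gives an inventory of which applications still negotiate TLS 1.0/1.1 or a CBC suite against the NAE and KMIP interfaces, which is the list to work through before the future release that removes them.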
Client Platforms
The following client platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
CADP for .NET Core: minimum version 8.11.0
CADP for C: minimum version 8.14.0
CADP for Java: minimum version 8.13.0
CipherTrust Application Key Management
CAKM for Oracle TDE: minimum version 8.10.0
CAKM for Microsoft SQL Server EKM: minimum version 8.5.0
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
CDP for Oracle: minimum version 8.12.0
CDP for MSSQL: minimum version 8.12.0
CDP for DB2: minimum version 8.12.0
CDP pdbctl: minimum version 1.5.1
CipherTrust Teradata Protection: minimum version 6.4.0.12
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 10.2.0.83
CipherTrust Transparent Encryption for Kubernetes
Minimum version 1.0.0
CipherTrust Vaulted Tokenization
Minimum version 8.7.1
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
ProtectFile
Minimum version:
ProtectFile Windows 8.12.3
ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)
The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4, please refer to Upgrading Agents.
Note
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 3.1.5.1 or newer.
If you have an existing TDP 3.1.5 cluster, you should apply the patch 3.1.5.1.
Following the TDP upgrade, users are required to Configure TDP service HDFS again and also Configure TDP service Livy.
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
Reference | Synopsis |
---|---|
KY-96139 | Problem: When CipherTrust Manager is upgraded from v2.12.0 or older, the "unique to client keys" feature doesn't work as expected. The data is being encrypted using a key that is "not" unique to the client where the CipherTrust Transparent Encryption (CTE) agent is installed. It is recommended to contact Thales Customer Support team to help with addressing the issue for affected deployments. |
CM-315 | Problem: Certain additional Standard Tokens fail to register with CipherTrust Manager k160. The first Standard token registers successfully. For certain additional Standard tokens the registration fails. HA tokens are not affected. |
KY-89382 | Problem: CipherTrust Manager 2.15 onward, the logs are not recorded for each key export request operation in the server logs or Loki audit logs if the key export request is made within 24 hours. |
KY-92312 | Problem: If you attempt to configure an HSM root-of-trust on the CipherTrust Web UI, the UI sometimes displays a timeout error, but the HSM configuration succeeds. Workaround: Wait two minutes and refresh the page to see if the HSM configuration succeeded. If the HSM configuration fails, retry with the ksctl hsm setup --timeout 120 CLI command. |
KY-92080 | Problem: On CipherTrust Manager v2.16.0, if the client certificate is renewed before its expiration date, on the original expiration date, the client goes into the expired state, which breaks communication between the client and the CipherTrust Manager. Recommendation: Before the certificate expiration date, do either of the following: • Re-register the client with the CipherTrust Manager using the new client certificate. • Upgrade the CipherTrust Manager to 2.16.1 or higher. Workaround: After the client moves to the expired state, renew the client certificate as a client administrator. Refer to Renewing client certificates for details on renewing client certificates. For CTE-specific instructions, refer to Client Certificate Renewal. Note: On CipherTrust Manager v2.16.1, if the client certificate is renewed before its expiration date, on the original expiration date, the client goes into the expired state, however, the communication between the client and the CipherTrust Manager is retained. This issue doesn't have any impact the functionality. |
KY-91730 | Problem: If a network interface connection goes down on a node, the other nodes still report that node's cluster status as ready even though the node is unreachable. |
KY-91454 | Problem: If you change the hide/show setting of a table column before upgrading CipherTrust Manager, the column order changes after the upgrade and a blank screen error may be displayed. Workaround: Reset the column settings by running the update user API with `"user_metadata": {"persistedData": {}}`. |
KY-89062 | Problem: If you attempt to create a partial domain-scoped backup in the CipherTrust Web UI and toggle the number of results for Domain Backup Key in the Backup Properties screen, sometimes the available domain backup keys no longer display. This occurs if you have more than ten domain backup keys. Workaround: Retain ten or fewer domain backup keys. |
KY-88925 | Problem: If you add connections to multiple Luna Network HSM V1 partitions in HA mode in connection manager, the CCKM Luna key source and HSM-anchored domains are not usable. Workaround: Use Luna Network HSM V0 partitions for HA groups formed through the connection manager, and delete existing connections to Luna Network HSM V1 partitions. |
CM-6 | Problem: The `removeToken` ksctl command for the k160 token HSM fails to deregister a token root of trust. Workaround: Do not use this command. Token HSMs can be re-registered after a system reset. |
KY-87241 | Problem: When renewing NAE/KMIP clients, details of the new certificate are not updated until the client has been idle for approximately 10 minutes. For KMIP clients, this occurs only in the "TLS, verify client cert, user must supply password" mode; for NAE clients it occurs in all modes. For NAE clients, you can retrieve the updated certificate details using the `/v1/protectapp/clients-get` API or in the CM UI under Legacy Clients > Registered Clients. For KMIP clients, keep the client idle for at least 10 minutes after renewal. |
KY-87152 | Problem: When a renewed client certificate reaches its expiration, the client remains in an active state but is unable to establish a connection with the expired certificate. |
KY-87183 | Problem: Client renewal fails if the interface mode is changed from "TLS, verify client cert, user must supply password" to "TLS, verify client cert, user name taken from client cert, auth request is optional" before certificate renewal. Avoid modifying the interface mode while renewing a client. Workaround: Restore the interface mode to its previous value and proceed with client renewal, or delete and re-register the client. |
KY-82087 | Problem: After client renewal, it takes around 10 minutes for the client to switch from expired state to active state. During this time, the client operates normally with the renewed certificate. |
KY-87394 | Problem: In the TLS verify client cert, Allow anonymous logins mode, NAE/KMIP clients remain in the expired state after the client certificate is renewed, but continue to operate normally with the renewed certificate. |
KY-85906 | Problem: Backup Admins and Domain Backup Admins are not able to schedule backups through the web console UI. Workaround: Use the `/v1/scheduler/job-configs` REST API endpoint or the `ksctl scheduler configs create backup` CLI command to schedule backups. Alternatively, add Backup Admin and Domain Backup Admin users to the Connection Admins group as well, so that they have permission to schedule backups in the web console UI. |
KY-84562 | Problem: Deactivating the CipherTrust Manager Full Trial license does not deactivate individual trial licenses. Workaround: Reactivate the Full Trial license and re-attempt deactivation. |
KY-86273 | Problem: Cluster report doesn't work. Workaround: Contact customer support. |
KY-83840 | Problem: The `/v1/usermgmt/connections/{id}/users/` API returns all users instead of only the users associated with the specified connection. |
KY-80554, KY-81695 | Problem: If a client certificate contains both OCSP and CRL URLs, the certificate revocation check (for NAE and KMIP clients) consults only the OCSP responder and never falls back to the CRL, even if the OCSP URL is inaccessible. |
KY-84081 | Problem: The license count doesn't increase for KMIP auto-registered clients. However, the clients are registered successfully. |
KY-78303 | Problem: If you configure OIDC authentication for CipherTrust Manager users with an identity provider with a short id_token lifetime, CipherTrust Manager users are logged out of their sessions frequently, every time the id_token expires. The error message "Wrong username or password" is displayed. |
KY-77452 | Problem: Salesforce sandbox test connection fails when using the domain_name field. |
KY-76147 | Problem: If you initiate an upgrade and restart the CipherTrust Manager before being prompted, CipherTrust Manager services sometimes fail to restart. Workaround: Contact customer support if your device has hanging services in this scenario. While performing upgrades, confirm the upgrade has completed before restarting the CipherTrust Manager. |
KY-64600 | Problem: If you create multiple automatic key rotation scheduled jobs, and they are scheduled to run at the same time, a key rotation intermittently fails with the message 'There is an ongoing key rotation job, cannot add another'. Workaround: Schedule automatic key rotation jobs to run at different times from one another. |
KY-64597 | Problem: Typing a % (percent character) into the embedded API Guide for GET operations leads to inconsistent results, and sometimes crashes the page. Workaround: As a best practice, avoid naming resources with the % character. If you must retrieve a resource with a % in its name, use the UI or CLI to do so. |
KY-64562 | Problem: Policy attachments can be detached (deleted) from system policies even though those policies are read-only. Workaround: Restart CipherTrust Manager to repopulate the deleted system policy attachment. |
KY-66351, KY-63083 | Problem: Clients registered in a deleted domain are not excluded from the License usage. Workaround: 1. Log on to the root shell. 2. Delete the entries of the clients registered with the deleted domain from the database. |
KY-61892 | Problem: NAE and KMIP clients are auto-registered even when the system property ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN is disabled, the registration token was generated in the root domain, and the user impersonated by the client certificate does not exist in the root domain. However, the client won't be able to communicate using the impersonated user in the interface mode "TLS, verify client cert, user name taken from client cert, auth request is optional". |
KY-61722 | Problem: Deleting a domain that contains an NAE (ProtectApp) client returns status code 500. |
KY-61373 | Problem: The support for ProtectV is removed from the CipherTrust Manager, but the ProtectV license still shows up after the upgrade from version 2.10.0. |
KY-61196, KY-64823 | Problem: In a CipherTrust Manager cluster, if two nodes are disconnected and you create the same user on both nodes and update them with the same DN, duplicate users are created on reconnect. Workaround: Duplicate users cannot be authenticated as regular users and therefore act only as redundant entries; it is recommended to delete them to avoid confusion. If you don't delete them, only one of the users will be able to log in. |
KY-61054 | Problem: While migrating from KeySecure Classic to CipherTrust Manager, if the local CA is signed by an external CA, the migration will fail for the local CA even if the external CA is added to the known CA list. Workaround: If an externally imported CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, the CA will be migrated as an external CA, but the certificates will not be migrated to the CipherTrust Manager. Therefore, to use the same certificate for the NAE/KMIP interface on the CipherTrust Manager, select the migrated external CA and upload its certificate manually by editing the NAE interface on the CipherTrust Manager. Similarly, if a local CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, use auto-generation or issue a new certificate and upload the certificate to the interface. |
KY-56426 | Problem: Deleted groups still show up in the key details information on the CipherTrust Manager. |
KY-56213 | Problem: If you attempt to create a Luna Network HSM STC partition in connection manager and upload a partition identity file, the upload fails with the error `Code 14: NCERRInternalServerError: unexpected error`. This is because CipherTrust Manager doesn't recognize the format of the partition identity file downloaded from the Luna Network HSM. Workaround: Use the Linux command `base64 -w 0` on the partition identity file to convert it to single-line base64, and then re-attempt the STC partition creation. |
KY-55416 | Problem: The Alarms table does not support a retention policy, so record-based alarms fill up the table. Workaround: Contact customer support. |
KY-54039, KY-55544 | Problem: Syslog message redirection from child domains to parent domains stops when 30 or more child domains enable this feature. |
KY-53681 | Problem: You cannot delete the default backup key if it is uploaded from another domain. Workaround: Contact customer support. |
KY-53100 | Problem: Acknowledging or clearing an alarm changes the alarm's source and source_id to the cluster member node that updated the alarm. |
KY-52664 | Problem: [NAE] When sending data in bulk requests, encryption fails intermittently. |
KY-52137 | Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded. Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys. |
KY-51664 | Problem: When nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a ServerAccessDenied error, and CipherTrust Manager raises the HSM is offline system alarm. Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts. |
KY-51286 | Problem: In a CipherTrust Manager cluster, when replicating a node, records from one table are not replicated to the tables of the other node due to known constraints with BDR related to foreign keys. |
KY-49376 | Problem: If a CipherTrust Manager is deployed at a version lower than 2.8, a CTE license is installed, and the CipherTrust Manager is upgraded to 2.8 or higher, the displayed CTE license usage count is incorrect. Workaround: In a domain with pre-existing CTE clients, create or register a new CTE client, and then delete the new client. |
KY-49126 | Problem: After the external CA is uploaded on the CipherTrust Manager, the GN and DC fields are not displayed as part of the record. |
KY-48284 | Problem: Domain backups with local users cannot be restored into another domain in the same cluster. Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered. |
KY-47184 | Problem: After upgrade, services sometimes fail to restart with an error message starting with Forcing migration for retry . Workaround: Contact customer support to recover from this state. |
KY-39354 | Problem: Scheduled Partial Domain Backups and Domain Backups fail when an SCP connection is configured. The backup file is created on CipherTrust Manager but is not forwarded through SCP, and the file is invalid. Workaround: If scheduled backup through SCP is needed, create a System Backup. |
KY-39235 | Problem: If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain. |
KY-27450 | Problem: Local Certificate Authorities (CAs) do not allow commas (,) in any field. Workaround: Configure an External CA instead. If you use certificate-based login, escape commas in the Distinguished Name (DN) with a backslash (\) when creating the user. For example, `C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test` is an accepted value. All other printable characters are allowed, as per the RFC 5280 definition of PrintableString; @ and & are also allowed, beyond the RFC's definition. |
KY-25152 | Problem: You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for the initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances. Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user during this login. |
KY-17338 | Problem: KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
KY-11517 | Problem: ProtectApp Application: The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
KY-7289 | Problem: When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, the KMIP server always uses ECB mode for encrypt/decrypt operations regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
KY-7288 | Problem: When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations, the AuthenticatedEncryptionTag is returned appended to the CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
KY-504 | Problem: Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
NC-2063 | Problem: If a user is deleted (or the LDAP connection name changes), the user no longer displays in the keys table. |
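KY-27450 above recommends escaping commas in the Distinguished Name with a backslash when configuring certificate-based login against an external CA. The following Go program is an added example written for this page; it is not part of these release notes and not CipherTrust Manager code. It implements the RFC 4514 string-DN escaping rule in general (comma, plus, double quote, backslash, angle brackets, semicolon, a leading `#` or space, and a trailing space), plus a splitter that honours those escapes, and round-trips the exact DN quoted in the note. The attribute values are constructed; hex-pair escapes such as `\2C` are deliberately not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// RDN is one relative distinguished name: a single attribute=value pair.
type RDN struct{ Type, Value string }

// escapeRDNValue applies the RFC 4514 string escaping rules to one attribute
// value: , + " \ < > ; are escaped anywhere, '#' and space only when leading,
// and space when trailing. Everything else is written through unchanged.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		switch {
		case strings.ContainsRune(`,+"\<>;`, r):
			b.WriteByte('\\')
			b.WriteRune(r)
		case i == 0 && (r == '#' || r == ' '):
			b.WriteByte('\\')
			b.WriteRune(r)
		case r == ' ' && i == len(v)-1:
			b.WriteByte('\\')
			b.WriteRune(r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// BuildDN joins RDNs with commas, escaping each value so that a comma inside
// a value (O=Thales,INC) survives as O=Thales\,INC.
func BuildDN(rdns []RDN) string {
	parts := make([]string, 0, len(rdns))
	for _, r := range rdns {
		parts = append(parts, r.Type+"="+escapeRDNValue(r.Value))
	}
	return strings.Join(parts, ",")
}

// SplitDN splits a DN on unescaped commas only and drops the escaping
// backslashes, so "O=Thales\,INC" yields the single value "Thales,INC".
// Hex-pair escapes (\2C) are not supported by this example.
func SplitDN(dn string) ([]RDN, error) {
	var out []RDN
	var cur strings.Builder
	flush := func() error {
		s := cur.String()
		cur.Reset()
		eq := strings.IndexByte(s, '=') // attribute types never contain '='
		if eq <= 0 {
			return fmt.Errorf("malformed RDN %q", s)
		}
		out = append(out, RDN{Type: s[:eq], Value: s[eq+1:]})
		return nil
	}
	escaped := false
	for _, r := range dn {
		switch {
		case escaped: // the character after a backslash is always literal
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ',': // unescaped comma ends the current RDN
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			cur.WriteRune(r)
		}
	}
	if escaped {
		return nil, fmt.Errorf("dangling escape at end of DN")
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	// Constructed values matching the DN quoted in KY-27450.
	rdns := []RDN{{"C", "IN"}, {"ST", "UP"}, {"L", "Noida"}, {"O", "Thales,INC"}, {"OU", "ENC"}, {"CN", "test"}}
	dn := BuildDN(rdns)
	fmt.Println(dn)
	back, err := SplitDN(dn)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d RDNs, O=%q\n", len(back), back[3].Value)
}
```

BuildDN produces `C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test`, the value the note lists as accepted, and SplitDN recovers six RDNs with the organization value `Thales,INC` intact. Splitting on a bare comma without the escape handling would instead yield seven fragments, one of them `INC` with no attribute type, which is the kind of DN mismatch that makes certificate-based login fail.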
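KY-7288 above notes that KeySecure Classic returns the AuthenticatedEncryptionTag appended to the CipherText for AES-GCM, whereas a KMIP-style response carries the two as separate fields. The Go program below is an added example written for this page, not Thales code, and it does not reproduce the workaround list that is missing from the note above. Using only the standard library and constructed key, IV and data, it shows the two layouts side by side: `Seal` yields ct||tag (the Classic layout), `SplitAppendedTag` turns that into KMIP-style fields, and a Classic-style decryptor handed only the CipherText field fails authentication until the tag is appended again.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// GCMTagLen is the 128-bit authentication tag length used by AES-GCM here.
const GCMTagLen = 16

// GCMResult is the KMIP-style shape: CipherText and the
// AuthenticatedEncryptionTag as two separate fields.
type GCMResult struct {
	CipherText []byte
	Tag        []byte
}

// newGCM builds an AES-GCM AEAD and checks the IV is the 12-byte nonce size.
func newGCM(key, iv []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() {
		return nil, fmt.Errorf("IV must be %d bytes, got %d", gcm.NonceSize(), len(iv))
	}
	return gcm, nil
}

// SealAppended encrypts and returns the KeySecure Classic layout, ct||tag;
// Go's AEAD.Seal produces exactly this byte order.
func SealAppended(key, iv, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key, iv)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, iv, plaintext, aad), nil
}

// SplitAppendedTag converts the Classic layout into KMIP-style separate fields
// by peeling the last GCMTagLen bytes off as the tag.
func SplitAppendedTag(ctWithTag []byte) (GCMResult, error) {
	if len(ctWithTag) < GCMTagLen {
		return GCMResult{}, errors.New("blob shorter than a GCM tag")
	}
	n := len(ctWithTag) - GCMTagLen
	return GCMResult{CipherText: ctWithTag[:n], Tag: ctWithTag[n:]}, nil
}

// JoinTag is the reverse: a client that receives the two KMIP fields and must
// feed a ct||tag API appends the tag after the ciphertext, in that order.
func JoinTag(r GCMResult) []byte {
	out := make([]byte, 0, len(r.CipherText)+len(r.Tag))
	out = append(out, r.CipherText...)
	return append(out, r.Tag...)
}

// OpenAppended decrypts the Classic layout (ct||tag). If it is given only the
// CipherText field of a KMIP-style result, the last 16 bytes of real
// ciphertext are read as the tag and authentication fails.
func OpenAppended(key, iv, ctWithTag, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key, iv)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, iv, ctWithTag, aad)
}

func main() {
	// Constructed test material; not real key material.
	key := bytes.Repeat([]byte{0x11}, 32)
	iv := bytes.Repeat([]byte{0x22}, 12)
	pt := []byte("migrated from KeySecure Classic")
	aad := []byte("kmip-example")

	blob, err := SealAppended(key, iv, pt, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Classic layout: %d bytes (%d ciphertext + %d tag)\n", len(blob), len(blob)-GCMTagLen, GCMTagLen)

	kmip, _ := SplitAppendedTag(blob)
	if _, err := OpenAppended(key, iv, kmip.CipherText, aad); err != nil {
		fmt.Println("CipherText field alone:", err)
	}
	out, err := OpenAppended(key, iv, JoinTag(kmip), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CipherText||Tag: %q\n", out)
}
```

The point for a migrating application is that the byte order is fixed (ciphertext first, tag last) and a decryptor written against one layout silently applies the wrong split to the other: the Classic-style decryptor above does not return garbage, it returns an authentication error, which is the symptom to look for after moving a GCM workload.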
CipherTrust Application Data Protection (CADP for C)
Issue | Synopsis |
---|---|
KY-47385 | Problem: If you migrate a non-deletable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "deletable". Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-deletable. |
CipherTrust Cloud Key Manager
Issue | Synopsis |
---|---|
KY-95730 | Problem: GCP GUI: The details page of a Google key shows an incorrect Soft Delete Wait Time. |
KY-92814 | Problem: CCKM GUI: After applying a filter to a column, if you navigate away from the screen and return, the filter may not persist. Workaround: Apply the filter again. |
KY-92752 | Problem: If the AWS XKS is connected and CCKM is disconnected, you cannot update the External Custom Key Store details of an AWS KMS Account. Workaround: Disconnect both the AWS Console and CCKM, then update the External Custom Key Store details of the AWS KMS Account. |
KY-87019 | Problem: GWS GUI: When creating a new endpoint, the Identity Provider list displays only 10 identity providers. Workaround: Use the API to create a new endpoint using the required identity provider. |
KY-86980 | Problem: Salesforce GUI: When adding a new Salesforce key using DSM to configure the source key, the DSM Domain field on the Configure DSM Key screen may not display all the available DSM domains. Workaround: Use the API to add a new Salesforce key by uploading a DSM key created in a specific DSM domain. |
KY-92234 | Problem: AWS GUI: The AWS connection linked with an AWS KMS account can't be changed. Workaround: Run the `PATCH /v1/cckm/aws/kms/{id}` API to change the AWS connection. |
KY-89969 | Problem: Cloud key management APIs don't work behind a proxy for Google EKM, Google Workspace CSE, Microsoft DKE, OCI HYOK, SAP, DSM, and external CipherTrust Manager. Workaround: Add the proxy URLs for your cloud to the proxy exception list and allow this URL in the firewall. Refer to URLs to Whitelist for Running CipherTrust Manager Behind Proxy. |
KY-89038 | Problem: GCP GUI: Only 100 key rings are listed on the Add Key Rings screen even if more than 100 key rings exist. Workaround: View all the existing key rings using the API. |
KY-89331 | Problem: AWS: While creating an AWS asymmetric key, the key upload to AWS fails with the error "Failed to create KS RSA key pair." |
KY-88498 | Problem: CCKM GUI: The "Expiration Date" check box is disabled for the "Luna HSM" and "CipherTrust (External)" key sources while performing manual key rotation. |
KY-86632 | Problem: Azure GUI: When adding a new Azure key, the Vault drop-down doesn't display all available vaults. Workaround: If a vault is not displayed on the GUI, use the API to create keys in the desired vault. |
KY-84440 | Problem: AWS GUI: Alias specified when linking an unlinked AWS HYOK key is not attached to the key. Workaround: Add the alias on the detail page of the key. |
KY-83780 | Problem: GCP: After running an add KMS container schedule on CipherTrust Manager 2.14, if you upgrade CipherTrust Manager to 2.16, attempts to download the add KMS container schedule details report return the "Wrong format of data to convert to CSV" error. The tables on the details page show no records. |
KY-82970 | Problem: After migrating from a CCKM Appliance to CCKM Embedded, searching for a migrated key, which had no backup before migration, returns the "Resource not found" error message on restore. |
KY-81514 | Problem: SFDC: Refresh operations on CCKM don't remove certificates that are deleted from the SFDC console. |
KY-79220 | Problem: AWS HYOK: When creating a new AWS HYOK key, a key rotation schedule can't be assigned to the key. Workaround: After creating the key, assign the key rotation schedule on the SCHEDULES section of the key details page. Alternatively, use the /v1/cckm/aws/keys/<key-id>/enable-rotation-job API to assign the rotation schedule to the key. |
KY-78298 | Problem: SAP GUI: The Algorithm filter on the SAP Keys page doesn't show the RSA 8192 algorithm. |
KY-77916 | Problem: AWS GUI: The Accounts column filter on the AWS Keys page returns no results when the table is reset. Workaround: To see the accounts list, either refresh the page or navigate away from the page and return to the Keys listing page. |
KY-76609 | Problem: The custom policy statement doesn't update when rotating an AWS key on which the encrypt permissions are disabled (the "Disable Encrypt Permissions on Current Key" check box is selected). |
KY-73919 | Problem: Synchronize Salesforce certificate operations don't display error messages in audit logs. |
KY-72770 | Problem: OCI: The origin field of asymmetric HSM keys with External BYOK as Origin Type is set inconsistently for initial and subsequent versions. The origin of the initial version is correctly set to EXTERNAL. However, the origin of subsequent versions is incorrectly set to INTERNAL. This issue is at the Oracle end. |
KY-72067 | Problem: GUI: Salesforce mTLS connection doesn't work when the Salesforce connection to the CipherTrust Manager is configured using the Password authentication. Workaround: Use the authentication type of Certificate or Client Credential (My Domain) when creating the Salesforce connection to the CipherTrust Manager. |
KY-65165 | Problem: SAP: A delete key job remains in the PENDING state for a long time and fails intermittently. This issue is at the SAP end. |
KY-56952 | Problem: GCP GUI: ACLs of Google Projects for cryptospaces and cryptospace endpoints can't be updated with the "CCKM Users" group. Workaround: Use the API to update the ACLs with the "CCKM Users" group. |
KY-42082 | Problem: SAP Data Custodian: SAP key activity report doesn't show any data. This issue is at the SAP end. |
KY-31186 | Problem: If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception ( cloudkms.googleapis.com ) with no_proxy or use the proxy with username and password, and restart the services. |
KY-17213 | Problem: When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
CipherTrust Database Protection
Issue | Synopsis |
---|---|
KY-82266 | Problem: CDP: A non-admin user of the ProtectDB Users group can't migrate tables on the CipherTrust Manager. |
PDB-3293 | Problem: If the data type of a column changes from the char family to blob after migration, the Return replacement value option of the Error Replacement feature does not work. |
CipherTrust Data Discovery and Classification
Issue | Synopsis |
---|---|
KY-79798 | Problem: Scan fails with the "Scan results could not be found" error after processing for OneDrive and Exchange Online with some targets. |
KY-75646 | Problem: Reports of scans on Teradata tables with unique primary index show the Key Source as "Integer Non Unique Column". |
KY-75083 | Problem: Search for the Secrets infotypes returns fewer matches for PDF data. |
KY-74909 | Problem: Search for the Secrets infotypes returns fewer matches for the MongoDB data store. |
KY-73411 | Problem: Probing an empty folder in an AWS S3 bucket returns the NotFound error. |
KY-72978 | Problem: Search for SSH private keys returns fewer matches when data for multiple infotypes is present in the same file. |
KY-72411 | Problem: Scan on Office365 Sharepoint Online completes successfully for a non-existent file. |
KY-72408 | Problem: Text data in Sharepoint Online Notebooks can't be matched. |
KY-72397 | Problem: Images inserted in Sharepoint Online Notebooks can't be matched. |
KY-9104 | Problem: Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | Problem: The XVA file format is not handled correctly, so an XVA file reports a data object that should not be reported. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab of the UI; ignore it. |
KY-8990 | Problem: Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
| Problem: None of the clustered nodes responds to requests to DDC. DDC is active on only one of the CipherTrust Manager nodes; requests sent to any other node return this error. This will be improved in future releases. Solution: |
KY-22666 | Problem: DDC may not scan big Data Objects in Data Stores other than local storage. A file counts as big when it is at least half the size of the RAM assigned to the scan. When a DDC scan encounters a file exceeding this threshold, it may skip the file completely or scan it only up to that threshold, and the user has no way to identify this from DDC reports. Possible Workarounds: |
KY-19763 | Problem: OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase. |
KY-21981 | Problem: Postgres tables without primary keys are not completely scanned. DDC can only scan Postgres tables that have at least one primary key defined. Workaround: Define at least one primary key on the tables and run the scan again. |
KY-34462 | Problem: In G-Drive, DDC scans every folder whose name contains the requested scan path. When scanning a specific G-Drive folder, the scan is extended to all folders whose names contain the name of the folder you intended to scan. |
KY-48874 | Problem: A scan with MySQL datastore (version 8.0.30) fails due to "failed status in the scanner service". |
KY-49115 | Problem: Discrepancies in scan results of infotypes for the same file in DDC 2.10 and 2.9. These infotypes show discrepancies: - Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10) - China Union Pay: 1000 (in 2.9), 921 (in 2.10) - Discover: 1001 (in 2.9), 919 (in 2.10) - Diners Club: 1001 (in 2.9), 1002 (in 2.10) The above discrepancy is because of the new and improved data types, which are as follows: - The Australian Passport Number data type has been enhanced for improved accuracy and coverage of the newer passport series, with additional updates made to enable the Australian Passport Number to be detected on the passport MRZ line. - Discover Global Network cardholder data types including China Union Pay, Diners Club, Discover, and JCB have been updated to identify 14-19 digit primary account numbers (PANs) for all supported BIN ranges. |
KY-51301 | Problem: For SMB Data Stores with remediation enabled, scans performed after remediation completes may not find matches in encrypted files. Automatic agent selection does not narrow the choice of DDC Agents to those installed on hosts with a CTE Agent in the Agent Group protecting the SMB GuardPoint; if DDC selects any other agent, further scans of the SMB share read the encrypted content and therefore find no matches. Workaround: Use labels to force DDC to select only the right agents: - Add one dedicated label to the DDC Agents installed on hosts with a valid CTE Agent. - Associate the same label with the SMB Data Store to guide the automatic agent selection algorithm. |
KY-51550 | Problem: Office365: OneDrive for Business - Scan progress reaches more than 100%. |
KY-51586 | Problem: A scan of a LONGBLOB file in MySQL gets stuck while scanning. DDC should be able to scan a 20 MB table, as LONGBLOB data type supports up to 4 GB of data, yet it fails. |
KY-51623 | Problem: Partial Scan in BLOBs of size greater than 100 MB in MSSQL. NOTE: If a file is partially scanned, it will be considered in the inaccessible location list. |
KY-52297 | Problem: DDC scan fails with an empty GuardPoint path for a SMB data store. Solution: A GuardPoint for a data store must always have a path configured in CTE. |
KY-51695 | Problem: DDC is only able to scan the initial 4 KB of any text file stored as a large binary object in database tables. |
KY-52494 | Problem: From this DDC version on (DDC-2.10), RHEL-compatible Agents can only be installed on environments running the matching and officially supported kernel version. |
KY-52532 | Problem: The Autopause feature does not work as expected in Azure Table scans. A scan of an Azure Table with the "Autopause" feature enabled has the following issues: |
KY-42593, KY-42491 | Problem: Launching a second scan with any Data Stores in common with a running scan may restart the first scan progress on the shared Data Store, or even fail it if the first scan is manually paused. Workaround: Minimize scan concurrency on any given Data Store and use automatic pause, as automatically paused scans normally do not fail. |
KY-23163 | Problem: A scan goes into an interrupted state for CIFS after the agent restarts. This only happens on Windows Server agents, for Exchange Server and Windows Local Storage. Solution: 1) Restart the Windows agent with the scan in the "Paused" state, then resume the scan; it goes into the "Scheduled" state. 2) Restart the Windows agent once more and the scan returns to normal. |
KY-53620 | Problem: Targeted scans of a smaller dataset in a G-Drive data store take a long time, if the overall data that is stored in G-Drive is of a larger size (for example, over 500 GB). |
KY-56390 | Problem: Scanning of any data from an Exchange Server data store works only if the agent is installed on the same machine as the Exchange Server. |
KY-60493 | Problem: A scan of an entire SMB share fails with an internal error. A scan of a full SMB data store takes a long time and ends with an internal error, whereas scanning only a subfolder succeeds and a report can be generated. |
KY-66074 | Problem: Azure Table: The issue with the Azure Table data store is fixed; the 'Cloudant Credentials' and 'Basic Auth Secret' infotypes now report correct matches when the relevant data is present in the dataset. MongoDB: The 'IBM COS HMAC Credentials' infotype reports correct matches when the dataset is created without quotes, but still reports fewer matches when double quotes are used. For example, if the dataset contains more than one pair of double quotes, such as "IBM COS HMAC TOKEN [-secret_accesskey]:: "687a726d2d905d575248759459871a2c4f92c54bdec6b78f"", the quotes around the '687a726d...' string are treated as an escape character and MongoDB automatically inserts '\' to preserve the string; because of this '\', the infotype skips the match. |
KY-66217 | Problem: The 'IBM COS HMAC Credentials' infotype from DDC shows fewer matches for EBCDIC formatted dataset. The conversion of the text dataset to EBCDIC format leads to this issue. |
KY-67484, KY-71568 | Problem: SharePoint Online Scan functionality is currently not available for a "Specific List" and "All List" as Target. |
KY-76437 | Problem: OneDrive: Inconsistent count of sensitive data objects after every scan of the "All Users" targets. |
KY-79397 | Problem: AWS S3: Report generation fails for scan results of large data objects. Workaround: On the Ambari GUI, set spark.sql.autoBroadcastJoinThreshold = -1 . |
KY-81147 | Problem: AWS S3: DDC scan incorrectly marks data objects as inaccessible. |
KY-81672 | Problem: SharePoint Online & SharePoint Server: Scans fail when a "site collection" or "site in a site collection" is added as a target path using the List option. Workaround: Manually add the "site collection" or "site in a site collection" target path according to the defined format. |
KY-83875 | Problem: IBM DB2: Scan fails if a target path contains a table having space in its name. |
CipherTrust Secrets Management
Issue | Synopsis |
---|---|
KY-86259 | Problem: CSM UI: When creating a customer fragment, pressing the "Enter" key after entering a name in the Customer Fragment Name field returns the "405 Not Allowed" error. Workaround: Click Save after specifying a name in the Customer Fragment Name field. |
KY-77535 | Problem: Decrypting a secret with a DFC key that no longer exists abruptly logs the user out of Akeyless. Workaround: When logged in with the SSO JWT authentication method, don't decrypt a secret with a DFC key that no longer exists; use other authentication methods such as API or Email instead. |
KY-78214 | Problem: OIDC & SAML Auth login to Akeyless gateway doesn't work with CipherTrust Manager. Workaround: 1. Log on to Akeyless console. 2. Navigate to Users & Auth Methods. 3. Go to already configured OIDC/SAML auth method. 4. Click the Generate OIDC Bookmark URL/Generate SAML Bookmark URL button to generate a bookmark URL. 5. Copy the corresponding bookmark URL and use the same for the subsequent logins. |
KY-77112 | Problem: Deleting a HashiCorp Vault proxy static secret doesn't delete it from the Akeyless Vault. Workaround: Delete the HashiCorp Vault proxy static secret directly from the Akeyless vault. |
KY-76477 | Problem: Reloading the external secrets manager (universal secrets connector) page leads to a "404 page not found" error. Workaround: Go to Akeyless console webpage (https://CM-IP/akeyless-console/items) and open the universal secret connector again. |
KY-81515 | Problem: The Forgot Password/Forgot Access Key feature doesn't work when the AKEYLESS_URL in the akeyless configuration is set to https://vault.akeyless.io. Workaround: Leave the field blank. |
KY-81517 | Problem: New user registration doesn't work when the AKEYLESS_URL in the akeyless configuration is set to https://vault.akeyless.io. Workaround: Leave the field blank. |
KY-75947 | Problem: OpenID Connect (OIDC) fails to authenticate during callback to CipherTrust Manager from Akeyless. |
KY-79307 | Problem: When customer fragments are created or deleted in large numbers or in bulk, the secret-manager service takes too long to restart and load the Akeyless gateway and console pages. Workaround: Do not create or delete customer fragments rapidly; wait for the current operation to be reflected on the Akeyless gateway before starting the next one. |
KY-72796 | Problem: The CipherTrust Manager constantly communicates with multiple IPs of the Akeyless SaaS server (for example, "52.223.11.194", "35.71.185.167", "35.192.171.171") over port 9443, which leads to a lot of irrelevant log entries. |
KY-64648 | Problem: The "Forgot Password" feature for email is not supported through the Akeyless gateway on the CipherTrust Manager. Only the "Forgot API Access Key" feature is supported. Workaround: Use the "Forgot Password" feature for email directly on the Akeyless website. |
KY-70144 | Problem: During secret creation for a Docker Hub target in Akeyless, the connection is refused. Workaround: Add an explicit DNS host entry for Docker Hub to the CipherTrust Manager. |
KY-64835 | Problem: If you attempt to modify the protection key for an existing certificate-type secret in the Akeyless console, an exception stating Unexpected error is displayed. Workaround: Delete and re-create the existing secret with the desired protection key. |
KY-64751 | Problem: If you launch the Akeyless console from the Secrets Management tile, and the CipherTrust Manager session expires or is manually logged out, the Akeyless console session logs out as well. Workaround: Refrain from logging out from the CipherTrust Manager UI unless you also want to log out from the Akeyless UI. |
KY-63288 | Problem: Some internet browsers, such as Mozilla Firefox, Google Chrome, or Microsoft Edge launch the secrets management tile as a pop-up, and prompt to allow pop-ups. Workaround: Allow pop-ups from the CM UI if prompted. |
KY-61568 | Problem: The POST /v1/connectionmgmt/services/akeyless/connections operation in the API playground, used to create a new Akeyless connection, introduces the unnecessary parameters "meta", "products", and "category". Workaround: Ignore these parameters. They do not affect the functioning of the Akeyless connection. |
CipherTrust Transparent Encryption
Issue | Synopsis |
---|---|
KY-91010 | Problem: If an LDT policy contains multiple security rules, the first security rule displayed on the second page of the Security Rules tab doesn't display the check box. |
KY-88830 | Problem: After disabling two nested GuardPoints applied to a Windows client through a Client Group, you can't enable both GuardPoints. Only one of the GuardPoints can be enabled, the other remains disabled. Workaround: Use the Unguard/Re-guard option on the GUI instead of the Enable/Disable option. |
KY-75999, KY-84128 | Problem: The CTE licenses are not updated when the domain is deleted from the CipherTrust Manager or when the clients of a domain are migrated from DSM to CipherTrust Manager. Workaround: If the clients of a domain are migrated from DSM to CipherTrust Manager and the license count is incorrect for that domain, create a CTE client (for example, ABC) in the same domain and then delete it. This corrects the license count for that domain. |
KY-83746 | Problem: Intermittent: After migrating CTE resources from DSM, the LDT details of a migrated client show Resume Live Data Transformation (LDT paused) even though the GuardPoint was successfully rekeyed. Workaround: Restart the CTE Agent (service vmd restart). |
KY-72096 | Problem: CTE UserSpace: After upgrade to CipherTrust Manager 2.14.0, CTE UserSpace 10.1.0 clients don't show the Healthy status on the GUI. This issue is resolved in the CTE-U 10.2.0 release. Workaround: Upgrade the clients to 10.2.0, or, for older CTE-U client versions, manually restart the CTE-U services (secfs-fuse restart) to restore the client communication to the Healthy state. |
KY-72095 | Problem: After upgrade to CipherTrust Manager 2.14.0, CTE clients can take up to 25 minutes to show the Healthy status on the GUI. This issue has no impact on the functioning of GuardPoints. This issue is resolved in the CTE 7.5.0 release. Workaround: Upgrade the clients to 7.5.0, or, for older CTE client versions, manually restart the VMD service (secfs restart) to restore the client communication to the Healthy state. |
KY-60249 | Problem: The get /v1/transparent-encryption/policies API does not return the complete list of policies added to the CipherTrust Manager. Workaround: Run the get /v1/transparent-encryption/policies API with limit set to -1. |
KY-59893 | Problem: Signature rules are not copied to a clone policy. Workaround: On the policy details page, manually add the missing signature rules. |
KY-55739 | Problem: When a CipherTrust Manager user having only CTE Admins group permissions initiates a Quorum-dependent operation, a corresponding Quorum is created. After the required Quorum approvals, the operation does not auto-trigger in the background. Workaround: Retry the operation after the required Quorum approvals. |
KY-55511, KY-55527, KY-55275, KY-55528 | Problem: Simultaneous composite operations (for example, update and delete) are not supported for quorums. |
KY-55273 | Problem: If quorum is activated for client group deletion, then bulk client group deletion generates multiple quorums in pre-active state. Workaround: Delete client groups individually. |
KY-55064, KY-54442 | Problem: In case of bulk client or client GuardPoint deletion, the quorum details may not be available. However, quorum operations (such as approval, rejection) can be performed. This issue has no impact on functionality. |
KY-51759, KY-51754 | Problem: When quorum is enabled, if you perform an operation to delete clients or GuardPoints in bulk, the quorum is created in pre-active state. Workaround: Activate the quorum using the /v1/quorum-mgmt/quorums/{id}/activate API. |
KY-51135 | Problem: Group members cannot be imported from LDAP for user sets. |
KY-34329 | Problem: Browsing VxVM raw devices that have a slash in their path names shows a non-existent directory in the GuardPaths. Workaround: Create GuardPoints by manually entering the raw device paths. |
Batch Data Transformation (BDT)
Issue | Synopsis |
---|---|
KY-72695 | Problem: A 500 status code is returned when fetching BDT policies. |
ProtectApp
Issue | Synopsis |
---|---|
KSCH-16415 | Problem: The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API. |
ProtectFile
Issue | Synopsis |
---|---|
KSCH-573 | Problem: Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
KSCH-568 | Problem: Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
KSCH-567 | Problem: Modifying a file level encryption rule to set the "isRecursive" flag does not return an error. |
KSCH-564 | Problem: Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |
CipherTrust Intelligent Protection
Issue | Synopsis |
---|---|
KY-56816 | Problem: An unencrypted report is generated for a few files if the user reboots the machine during remediation. Workaround: Run the scan again with the reclassify option, or run a full scan again, to generate a correct report. |
KY-55480 | Problem: Cross domain client registration is not working with CIP. |
AGT-43391 | Problem: Not all files are encrypted when a bulk rename is performed during remediation on Linux Local Storage with an STD/LDT policy. Workaround: The remaining files are encrypted by the next periodic CIP scan, which runs after 8 hours (the default interval). |
KY-36741 | Problem: A tagged file becomes plaintext after a MOVE operation under an ACL and STD policy on Linux. |
KY-65540 | Problem: PQS configurations are not visible on the GUI after saving the remediation config via the API using the ID/UUID for the knox_connection_identifier name. Workaround: • Solution 1: Use the GUI to configure PQS. • Solution 2: Use the knox_connection_identifier name instead of the ID/UUID via the API. |