Release Notes
Product Description
CipherTrust Manager (formerly known as NextGen KeySecure) is a new implementation of SafeNet KeySecure Classic, designed to add the following capabilities:
A RESTful interface
A full-featured, remote CLI interface
Removes dependencies on the underlying OS
Can be deployed as a physical or virtual appliance
Backward compatibility with the KeySecure Classic NAE-XML interface and the suite of existing connectors
Changes from SafeNet KeySecure Classic
Key policies (time of day and rate limits) are no longer supported.
RC4, 56-bit DES, 112-bit Triple DES, and 168-bit Triple DES in ECB mode (CBC mode is okay) are not supported.
FPE is only supported with 256-bit keys. 128-bit and 192-bit keys are not supported.
The only supported RSA export formats are PKCS #1 and PKCS #8.
Product Abbreviations
Name | Abbreviation |
---|---|
CipherTrust Batch Data Transformation | BDT |
CipherTrust Manager | CM |
CipherTrust Application Data Protection | CADP |
CipherTrust Cloud Key Manager | CCKM |
CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
CipherTrust Transparent Encryption | CTE |
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
CipherTrust Teradata Protection | CTP |
CipherTrust Data Discovery and Classification | DDC |
Data Protection on Demand | DPoD |
CipherTrust Tokenization | CT |
CipherTrust Vaulted Tokenization | CT-V |
CipherTrust Vaultless Tokenization | CT-VL |
Release Description
This release brings a number of new features and enhancements. Refer to Release 2.2.0 for details. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.2.0
Platform
Technical preview for Data Security Manager (DSM) migration
CipherTrust Manager supports restoring some objects from DSM backup files, as a preview of the migration functionality. You can restore Agent Keys, Vault Keys, and Domains.
All other DSM objects are not currently supported, and they are skipped during restoration. The skipped objects include:
Key Management Interoperability Protocol (KMIP) keys
Keys associated with CCKM, including Bring Your Own Key (BYOK) keys and Key Management as a Service (KMaaS) keys
DSM hostname and host configuration
DSM policies
Support for restoring certificates from KeySecure Classic. Local Certificate Authorities (CAs), Known CAs, and certificates with valid local CAs can be migrated.
Support for TCP for the Syslog connection.
Naming support for local CA, external CA, and certificate.
Support for deploying Virtual CipherTrust Manager on Nutanix AHV.
Support for a new k470v license for Virtual CipherTrust Manager deployments. The k470v license is intended for the high transaction-per-second encryption workloads typically required by the CipherTrust Data Security Portfolio suite; it allows the use of more than four CPUs. If you are running a k170v license with more than four CPUs allocated to the Virtual CipherTrust Manager, a warning notification is displayed, but CipherTrust Manager operates as normal.
The Key Details page in the GUI has been enhanced to more clearly display various attributes and properties for CipherTrust Manager Managed Keys. New KMIP and NAE tabs for each key show relevant attributes for each of those protocols. The ability to edit permissions for keys has also been enhanced.
KMIP
License count enforcement.
Registration of KMIP clients made mandatory.
CCKM
Added support for the Azure Stack cloud. This release supports:
Azure Stack (Azure Active Directory, Azure AD)
Azure Stack (Active Directory Federation Services, AD FS)
Added support for Luna Network HSM as a key source. This release supports:
Luna HSM version 7.x
Asymmetric keys with Luna Network HSM
Note
This CCKM support is achieved through Connection Manager, rather than the existing HSM server setup commands, which control HSMs as a root of trust for the platform.
Introduced Reporting for AWS and Azure Clouds. The supported reports are:
Key Activity Report
Key Aging Report
Service/Usage Report
Reporting is not supported for the Azure Stack cloud.
Note
AWS China cloud does not support uploading 256-bit keys; it supports upload of 128-bit keys only. The current GUI supports creation and listing of 256-bit keys only, so upload 128-bit keys to the AWS China cloud using the CCKM AWS APIs.
Note
AWS China cloud does not support creation of native asymmetric keys.
CTE
Bulk creation of GuardPoints using CSV files
Bulk deletion of clients
Bulk unguard of GuardPoints
Bulk addition of sources to signature sets
Domain level reporting using the API
Protection of Teradata clusters through In-place Data Transformation (IDT) policies
Creation of clients without registration
Challenge and Response password recovery method
Upload of kernel compatibility matrix
CTE UserSpace
Support for Offline Mode: CTE UserSpace downloads a copy of keys and encryption policies from the key manager and stores them securely on the client. When the connection to the key manager is lost and the CTE UserSpace service is restarted, it starts using the policies stored locally on the client.
Improved Lazy Migration: CTE UserSpace agent can now detect files previously encrypted by the agent and skip them during a migration operation.
DDC
Cloud Storage Scanning
The capability to scan AWS S3 and Azure Blobs.
New Database Storage Scanning
The capability to scan PostgreSQL.
New Built-in Templates
The list of regulation templates is extended with LGPD (Lei Geral de Proteção de Dados) and the NYDFS (New York Department of Financial Services) Cybersecurity Regulation.
Exporting Reports
Export of the report information to PDF.
Multipath Support
The possibility to select more than one path within a data store for scanning.
Backup/Restore
Backup of the CipherTrust Manager’s configuration.
Complete Scan Functionality
Allows editing parameters of the scan after its creation and/or execution.
Resolved Issues
This table lists the issues resolved in 2.2.0.
Issue | Synopsis |
---|---|
KY-24154 | [CTE-AIX] After reboot, client fails to communicate with the CipherTrust Manager. |
KY-22855 | If you upgrade from 1.7, 1.8.x, or 1.9.x to 1.10, 2.0, or 2.1, the KMIP port isn't listed in the interface settings. Similarly, the KMIP port isn't listed if you restore a backup from these older versions to the newer versions. Resolution: Fixed in 2.2. If you upgrade to 2.2 from a supported starting version (1.10, 2.0, or 2.1), or restore a backup from a supported starting version, all interface ports are listed. If your current version is below 1.10, please consult the 1.10 release notes for upgrade paths to that version. Contact technical support if you are unable to upgrade to 2.2. |
KY-20828 | Upgrade to 2.0 or 2.1 fails in a rare situation with incorrect configuration, and the system does not start up. If your CipherTrust Manager is in a clustered environment, continuing to upgrade other nodes would cause those nodes to not start up, as well. Resolution: Upgrade to 2.2 does not have this failure. |
KY-21901 | If you add a DNS host entry to the CipherTrust Manager using the /v1/dns-hosts API endpoint, and attempt to create a cluster specifying the hostname from that entry, cluster creation fails with the message "A generic connection error occurred while creating the cluster. This type of error typically occurs when the host is invalid. Please retry using a valid IP or hostname." |
KY-21307 | You cannot apply disk encryption when installing a Virtual CipherTrust Manager with cloud-init in Google Cloud. |
KY-14871 | After a cluster is created, the default NAE/KMIP interfaces are inaccessible from the secondary node. |
KY-12731 | GUI does not update the Syslog protocol specified in the client profile. |
KY-10749 | Configuring a Syslog server with its hostname in the client profile does not work. |
KY-9149 | The "Owner" and "Modified" fields are not retrieved for some files in the "Data Objects" tab. Due to a known limitation of the processing engine, the Owner and Modified information is usually not listed in the report details. |
KY-9094 | “Something went wrong” displayed when saving a recently created SMB Data Store or trying to launch a scan on an SMB Data Store. When searching for the Agent to use, or checking whether the assigned Agent is up and running, the DDC Server may need to wait for the duration of the defined Network timeout if communication fails. |
KY-7818 | [ProtectApp Application] The Interface Name field on the Create Client Profile page should show the nae interface only. Currently, it also shows kmip, snmp, and web. |
KY-7433 | Refactor internal networking for better multi-NIC support (including network bonding), consistent client IP forwarding, and better performance. |
Release 2.1.0
CipherTrust Cloud Key Manager
Management of Azure cloud keys lifecycle operations using the GUI, API, and CLI. The supported operations are:
create
list
update
delete (soft/hard)
recover
upload
rotate
Note
To rotate Azure keys, CCKM Users require Add Key and Upload Key permissions.
Azure authentication support for service principals with certificates and admin consent.
Scheduler to perform key synchronization, rotation, and expiry operations.
Ability to back up and restore Azure keys.
Ability to search keys by:
tags
key operations
key expiration time
Access control lists to manage user permissions on Azure accounts.
Platform
Support for DPoD's newest HSM service client package, which uses JSON Web Token (JWT) authentication. This client was introduced in DPoD Release 1.16.
Resolved Issues
This table lists the issues resolved in release 2.1.0.
Issue | Synopsis |
---|---|
KY-19804 | In-place cluster upgrade from 1.10 fails when cluster configuration uses DNS entries. |
KY-19362 | Listing a large number of users using the REST API is slower than in release 1.8. |
KY-19047 | System upgrades sometimes require Internet access. |
KY-16399 | In Internet Explorer 11, the AWS Keys detail page is not displayed properly. |
KY-14192 | Degraded performance observed after migrating from a KeySecure Classic k460 appliance to a NextGen KeySecure k570 appliance. Fixed: Performance has been improved in this release. |
KY-12905 | Unknown key/permission and connection errors occur when performing a large number of cryptographic operations. |
KY-9950 | Data Objects are not listed in reports with more than 50,000 matches. Additionally, an error message NCERRInternalServerError: unexpectederror is displayed on the Data Objects report tab. This means that the Hadoop cluster takes too long (more than 30 seconds) to retrieve the list of Data Objects in the report. |
Release 2.0.0
Major Release
This is a major update to the product. It includes these new product lines:
CipherTrust Transparent Encryption Suite
CipherTrust Transparent Encryption
CipherTrust Transparent Encryption UserSpace
CipherTrust Cloud Key Manager
Platform
Product rename! NextGen KeySecure has been renamed to CipherTrust Manager. Some utilities, such as ksctl and kscfg retain the KeySecure (or ks) name for backward compatibility.
NAE crypto audit logging. An option is provided to enable detailed audit logging for NAE crypto operations. Enabling this feature will have an impact on performance. It is recommended to disable NAE crypto audit logging in performance-critical environments.
GUI For Key Rotation and Selective Backup.
Enhanced Key Query in the Key UI.
Trigger Notifications for Certificate Expiration: Configure record-based alarms to trigger email notifications for monitoring certificate expiration.
Custom DNS Entries: You can now specify custom DNS entries instead of IP addresses.
HSM Partition Labeling.
Ability to Upload CTE Client Audit Logs/Records to CipherTrust Manager.
Ability to Enable/Disable SSH, NAE, and KMIP Interfaces.
Support for the Oracle Cloud.
Network TCT HSM.
Key Management
Added support for:
Cloning of keys
MUID and keyID for opaque objects
UID in client certificates for NAE/KMIP interface
New interface mode: Password is required in Auth header with certificate-only verification
CipherTrust Data Discovery and Classification
DDC, which has been rebranded as CipherTrust Data Discovery and Classification, brings you the following new features:
Support for creating custom Infotypes
Licensing updates
Trial license extension to 90 days
New 15 TB license
Data consumption displayed on the Licensing page
General improvements
Hadoop configuration restricted to root domain (in multiple domain setups)
GUI responsiveness
More GUI error messages
CipherTrust Transparent Encryption
Ability to encrypt data on AIX, Linux, and Windows clients.
Deployment of Cloud Object Storage (COS), Standard, and Live Data Transformation (LDT) policies. COS policies are supported for Amazon S3 buckets.
Agent log upload to the CipherTrust Manager and Syslog over TLS.
Learn Mode to test policies by tracking how rules are evaluated, without enforcing the policy.
Health checks of CTE Agents.
Support for AES-128, AES-256, ARIA-128, and ARIA-256 keys.
CTE key metadata feature.
Licensing for CTE and LDT clients. The LDT feature is provided as an add-on license. To use the LDT feature, you need a CTE base license activated on the CipherTrust Manager.
Note
After a client is registered, you must change the client password using the manual password creation method. The dynamic password creation method is not supported.
CipherTrust Transparent Encryption UserSpace
Licensing for CTE UserSpace clients.
Ability to encrypt data on clients running a supported platform. CTE UserSpace supports Linux, Oracle Linux (UEK and RHCK), and SLES platforms.
CipherTrust Cloud Key Manager
Management of AWS cloud keys using the GUI, API, and CLI. The supported operations are: create, list, delete, update, upload, and rotate.
Ability to search AWS keys by tags.
Scheduler to perform key synchronization, rotation, and expiry operations.
Ability to back up and restore AWS keys.
Access control lists to manage user permissions on AWS accounts.
Licensing support for cloud units.
Reporting of cloud keys using the CLI and REST API.
CipherTrust Database Protection
Product rename! SafeNet ProtectDB has been renamed to CipherTrust Database Protection.
Rebranded GUI, API, CLI, and product documentation.
General Note
The k570 appliance contains a FIPS-approved HSM. However, the HSM is not in FIPS mode by default. To put the HSM into FIPS mode, refer to the Luna PCI documentation, or contact Thales Customer Support.
Resolved Issues
This table lists the issues resolved in release 2.0.0.
Issue | Synopsis |
---|---|
KY-16396 | The length of ks_support challenge blob is limited to the shell width on a serial console. |
KY-13345 | On heavily loaded systems, the ProtectV GUI may occasionally give an internal server error when listing clients. |
KY-11139 | User cannot sort by "Owner" or "Modified" in the Report's "Data Object" tab. Even though the user interface indicates that the user can order the list of Data Objects inside a Report by clicking the column header, nothing happens when the user does that. |
KY-10615 | Running a scan while another one is running on the same data store causes the first one to fail. When one scan is being executed and another scan is launched that includes at least one data store used in the first scan, the first scan may fail. |
KY-11712 | ksctl does not accept the --node-id flag for the active-node command. The node that will be registered is always the one receiving the request. That is why the ksctl command does not accept the --node-id flag. |
Release 1.10.0
Platform
Base Platform Upgrade: The base OS of NextGen KeySecure has been upgraded to Ubuntu 18.04 to support the latest security patches and upgrades.
Key Rotation Support: Keys can be automatically rotated using CRON-like syntax. Any set of keys can be rotated based on a query.
In this release, this feature is supported using the CLI and API. Support for the GUI will be added in a future release.
Scheduled Backup Support: Backups can be scheduled and rotated automatically.
In this release, this feature is supported using the CLI and API. Support for the GUI will be added in a future release.
Client certificate-based login to the NextGen KeySecure GUI.
Client certificate revocation check through CRL/ OCSP for NAE/ KMIP interface.
Ability to download System logs using the GUI and the CLI.
Sorting of records by the "By" column.
Data Discovery and Classification
Native scanning support for common types of data stores and data locations
Analysis of structured and unstructured content
Possibility to perform classification based on a large variety of data types
Classification templates for main regulations
Scheduled scans to automate execution of discovery tasks
Advanced reporting to provide all the insights from the discovered data
Remote proxy and/or Agent-based scans
Run specific scans to improve the performance
Note
• DDC is compatible with virtual NextGen KeySecure appliances only.
• DDC requires at least 16 GB of RAM. Failed scans may be seen if you run with less than 16 GB of RAM.
KMIP
Ability to change KMIP log level using the CLI.
Ability to pick username from other certificate fields.
Support for Certificate Objects, Wrap/Unwrap, Sign/SignV and Device Credentials.
ProtectFile
SafeNet ProtectFile now supports the Multiple Domains feature of NextGen KeySecure appliances.
General Notes
Upgrades are supported from versions 1.7.0, 1.8.0, 1.9.0, 1.9.1, and 1.10.0-ddc.
Due to the OS upgrade support, downgrading from version 1.10 is not supported.
The k570 appliance contains a FIPS-approved HSM. However, the HSM is not in FIPS mode by default. To put the HSM into FIPS mode, refer to the Luna PCI documentation, or contact Thales Customer Support.
ProtectV functionality has not changed since 1.9.1; therefore, ProtectV customers are advised not to upgrade to NextGen KeySecure 1.10.
Resolved Issues
This table lists the issues resolved in release 1.10.0.
Issue | Synopsis |
---|---|
KY-10473 | Physical NextGen KeySecure: lcdController crashes intermittently on system boot. |
KY-8497 | SMTP server does not accept email address with capital letters. |
PFL-7857 | Hash error occurs when reregistering a client with the NextGen KeySecure. |
KY-6262 | [AWS only] NextGen KeySecure instances are slow to reboot, fail to read cloud-init metadata, and reset some system information on reboot. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab in the UI. You should ignore it. |
Release 1.10.0-DDC
Data Discovery and Classification
The NextGen KeySecure appliance now supports discovery of sensitive data in different Data Stores: Linux and Windows local storage, SMB/CIFS shares, NFS shares, Oracle databases, Microsoft SQL databases, DB2 databases, and Hadoop HDFS. Classification can be done using one of the several provided Classification Profiles, such as GDPR, or by creating your own. Scan reports give you a clear view of the state of your Data Objects.
Note
• NextGen KeySecure 1.10.0-DDC is compatible with virtual NextGen KeySecure appliances only.
• This release supports upgrade from NextGen KeySecure version 1.9.1 only. If you are upgrading from an older version, please first upgrade to 1.9.1 and then to 1.10.0-DDC.
• The Data Discovery functionality requires at least 16 GB RAM in any platform. It will not function properly with less than 16 GB RAM.
Release 1.9.1
This release fixes the below issues. No new features or enhancements are provided.
Resolved Issue | Synopsis |
---|---|
KY-9113 | NextGen KeySecure license is required after upgrading NextGen KeySecure to 1.9.0. |
KY-9064 | Absent email attribute in LDAP breaks user login. |
KY-8719 | Prevent boot into Ubuntu recovery mode from console. |
KY-8657 | KMIP: Optional password does not work in the Credential object. |
KY-7642 | When retrieving a token, “connection” attribute should support “local” in addition to “local_account”. |
KY-7391 | NextGen KeySecure nodes are unreachable intermittently and data replication is unsuccessful. |
KY-4823 | LCD reads Gemalto when no network cable is attached to the NextGen KeySecure appliance during boot. |
Release 1.9.0
Platform
Multiple Domains
The k170v/k470/k570 NextGen KeySecure appliances now support Multiple Domains. This allows keys and other resources to be isolated from each other within an enterprise. Refer to the API playground for details.
ProtectFile does not support the Multiple Domains feature.
License Revocation
Licenses (except default trial licenses) can now be removed from the system.
Secure Support Access
The ability to gain root access to the system now requires an interaction with Thales Customer Support.
E-mail Notifications
The system can be configured to send e-mail notifications to specific addresses when system alarms are triggered. In this release, this feature is supported for alarms configured by users.
Syslog Improvements
Alarm functionality is added to indicate unreachable Syslog servers. If a Syslog server is unreachable, an alarm will be raised on the system. This feature is supported for Syslog servers configured over TLS only.
A new column, domain_id, is added to logs redirected to Syslog servers. This column indicates the domain associated with the log message.
Records Improvements
The Lineage column has been renamed as Client on the Records page of the UI.
The Lineage column has been replaced with Client IP in API and CLI.
Support for CCKM
Added support for CCKM as a key repository. This allows transfer of NextGen KeySecure keys to AWS KMS, Azure Key Vault, or Salesforce Shield.
UI Improvements
An App Launcher is introduced to open applications. The App Launcher contains Keys & Access Management, Admin Settings, ProtectDB, ProtectFile, ProtectV, ProtectApp, and KMIP applications.
ProtectDB
Session Management
Added functionality to configure whether to receive prompts for database credentials when accessing tables for the first time in a GUI session.
Error Replacement Support for MSSQL Server
The Error Replacement feature is supported for MSSQL Server.
Upload of SSL Certificate from GUI
The option to upload SSL certificates for Oracle and DB2 databases is added to the NextGen KeySecure GUI.
Handling of Non-supported Data Types
Encryption property for non-supported data types can no longer be configured on NextGen KeySecure.
ProtectV
ProtectV supports the Multiple Domains feature of NextGen KeySecure appliances.
KMIP Improvements
KMIP Client Registration: Added registration enforcement for existing and new KMIP clients.
Anonymous Login: Added anonymous login functionality to support global keys. Only the certificate is validated; a username is not required.
New Cryptographic Operations: Added support for cryptographic operations Encrypt, Decrypt, Mac, and MacV.
New Attributes: Added support for new attributes Alternative Name, Digest, Cryptographic Usage Mask, and Fresh.
Wildcard for KMIP Locate: Added wildcard support for the Locate operation.
Resolved Issues
This table lists the issues resolved in release 1.9.0.
Issue | Synopsis |
---|---|
PFW-10949 | When an encryption rule is removed from NextGen KeySecure, changes are not pushed to other non-transformer/cluster nodes during the next polling interval. |
PFW-10945 | Access logs are not sent to the Syslog server. |
KY-3680 | In a clustered environment, if an SSL certificate is uploaded to one node, the SSL certificate is automatically replicated to the other nodes. However, if you upload another SSL certificate to one node, that certificate is not replicated to the other nodes. |
KY-3675 | GUI: In the Alarms table, the "State Changed At" column is obsolete as of release 1.8.0. In this release, the column is replaced with "Triggered At". |
KY-3444 | An LDAP user cannot log in to the domain for which they are an administrator. |
KY-1286 | (was NC-3431) Key names with only spaces are considered valid. |
Release 1.8.1
This is a critical patch for customers using the Data Protection on Demand (DPoD) HSM on Demand service as a Root of Trust. Other customers can ignore this patch.
Note
This patch must be applied to the NextGen KeySecure version 1.8.0 only. Earlier versions of NextGen KeySecure must be upgraded to 1.8.0 before applying this patch. Refer to "System Upgrade" for details.
Applying the Patch
To apply the patch:
Download the patch file, ks_patch_1.8.1.tar.gz.gpg, from the Customer Support Portal.
Copy the file to all NextGen KeySecure instances.
scp -i <my-ssh-key> ./ks_patch_1.8.1.tar.gz.gpg ksadmin@<keysecure-ip>:
Log on to NextGen KeySecure.
ssh -i <my-ssh-key> ksadmin@<keysecure-ip>
Apply the patch.
sudo /opt/keysecure/ks_upgrade.sh -f ks_patch_1.8.1.tar.gz.gpg
If the NextGen KeySecure appliance is using the DPoD HSM, the KeySecure services will restart.
Note
• If you need to set up new NextGen KeySecure instances to use the HSM DPoD root of trust after applying this patch, it is recommended to retrieve a new client bundle directly from DPoD.
• Older client bundles may not be compatible. This is not an issue for systems already configured to use DPoD. The patch will update existing client configuration.
• If an HSM was not configured prior to installing this patch, you will need to manually restart the NextGen KeySecure service with the following command:
systemctl restart keysecure
Resolved Issues
This table lists the issues resolved in release 1.8.1.
Issue | Synopsis |
---|---|
KY-6073 | Add support for the latest SafeNet Data Protection On Demand (DPoD) clients for enhanced performance and improved service resilience. |
Release 1.8.0
KeySecure
Multi Domain Support Preview
NextGen KeySecure supports the concept of “Domains” as a way to segregate the data a specific user is capable of accessing. Domains can be created using the ksctl command, and then specific requests can be scoped to a Domain. To create and use domains, refer to the CLI help for ksctl domains. This is a preview of this new feature, so there are these limitations:
No UI Support - only ksctl and API are supported.
Limited user configuration - users must be assigned to a domain when it is created.
Not all resources supported - only Keys resources have been validated. ProtectFile, ProtectV, and ProtectApp resources are not yet supported.
Login Banner
A pre-authentication and post-authentication login banner are supported via the API, CLI, and GUI.
In-place Cluster Upgrades
A cluster can now be upgraded in-place to release 1.8.0. The only supported version that can be upgraded in-place is version 1.7.0. For further details, go to Advisory Notes > In-place Cluster Upgrade.
Cluster Operations via the GUI
In addition to the CLI, you can now perform normal cluster operations using the GUI.
Audit record based Alarms
Support for Alarm generation based on Audit record conditions.
NAE - Added support for
UUID
MUID
KMIP
A new implementation of the KMIP Server. Supported operations are in accordance with the KMIP 1.4 specification.
Multiple KMIP ports
Multiple local and external CA for KMIP
TLS-1.0 for KMIP; the default is TLS-1.2
Re-keying of key pairs
Usability of 'KMIP created keys' over the NAE interface
KMIP Licensing:
If unlicensed, KMIP operations will stop working after the 90-day trial period.
If you are upgrading from NextGen KeySecure version 1.6.0 or earlier, you must contact the Customer Support Portal to obtain a KMIP license.
Syslog
Added support for the new Syslog formats RFC-5424, CEF, and LEEF. The default format is RFC-5424.
Records
Added severity, source, and lineage columns to the Records page. All fields support sorting and filtering.
ProtectV
SafeNet ProtectV Licensing
SafeNet ProtectV is offered through the following licensing models:
Trialware: Provides the fully-functional SafeNet ProtectV solution for free for 90 days with a pre-installed trial license.
Term Licensing Model: Provides the fully-functional SafeNet ProtectV solution for a prepaid charge for a specific period of time, for a specific number of clients. This license comes with a grace period of 90 days.
Perpetual Licensing Model: Provides the fully-functional SafeNet ProtectV solution for a prepaid charge with no time limit, for a specific number of clients.
A NextGen KeySecure appliance administrator can install the SafeNet ProtectV license. Refer to the SafeNet ProtectV Server Administrator Guide for details.
ProtectDB
Support for New Databases
This release adds support for management of database operations on the following databases:
DB2: The following operations can be performed on the NextGen KeySecure:
Adding database connections
Managing user mappings
Configuring column-level properties
MSSQL Server: The following operations can be performed on the NextGen KeySecure:
Adding database connections
Managing user mappings
Configuring column-level encryption properties
Teradata: The following operations can be performed on the NextGen KeySecure:
Adding database connections
Managing user mappings
Support for SSL Based Connections
This release adds support for SSL-based connections for Oracle and DB2 databases. Uploading an SSL certificate is supported only through the NextGen KeySecure API Playground.
Resolved Issues
This table lists the issues resolved in release 1.8.0.
Issue | Synopsis |
---|---|
KY-4511 | Replication might lose data for "large" objects or break cluster connectivity. |
KY-1395 | (was NC-2257) GUI: In Firefox, sometimes "insufficient permissions" popup does not appear. |
KY-1203 | (was NC-3897) Any user can change the name of the system. |
KY-500 | The "ksctl pf client-rule-assn list" command returns the error code 403. |
KY-492 | The "ksctl pf client-rule-assn update" command does not perform the specified operation. |
NC-4239 | ISO installation does not enable VGA login console. Workaround: Press Alt+F2 to go to tty1 and then press Alt+F1 to go back to tty0. |
NC-4003 | NAE/KMIP: Interface only supports a single trusted CA. |
NC-3290 | JCE: GCM File Encryption throwing "Read Timed out" Exception with large files. |
Release 1.7.0
KeySecure
NIC Bonding
NIC bonding is supported via the command line utility nmcli. Bonding provides redundancy and performance improvements by aggregating two or more network interfaces into a single logical network interface.
ksctl changes
The ksctl utility now displays a version number. Note that this version number is different from the server version.
ksctl now supports a "login" command which provisions the user with a token valid for 30 days. This removes the need to keep a password in the config.yaml file.
SNMP Support
Standard MIBs are supported (SNMP v1, v2c, v3)
Internet Standard MIBs are supported
The Host Resources MIB is supported
The Distributed Management MIB is supported
System Start with Missing Root of Trust
If the HSM Root of Trust is not available, the system will come up and present a message to the user.
HKDF Support
HKDF is a simple key derivation function (KDF) based on a hash-based message authentication code (HMAC).
The hash algorithm used for key generation with HKDF is configurable. The default is hmac-sha256. The options are:
hmac-sha1
hmac-sha224
hmac-sha256
hmac-sha384
hmac-sha512
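To make the hash-algorithm option above concrete, here is an added example (not CipherTrust Manager's or Thales' code) that implements the RFC 5869 HKDF extract and expand steps with the standard library and lets the caller choose any of the five hmac-* option names listed in the release notes. The mapping from those option names to hashlib constructors is an assumption of this example; how the appliance applies the option internally is not described on the page. The RFC 5869 test case 1 vector is embedded so the implementation can be checked offline.

```python
import hashlib
import hmac

# Assumed mapping from the hmac-* option names in the release notes to
# hashlib constructors (the option names are the page's; the mapping is ours).
HASH_ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}


def hkdf_extract(salt: bytes, ikm: bytes, algorithm: str = "hmac-sha256") -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    """
    hash_fn = HASH_ALGORITHMS[algorithm]
    if not salt:
        salt = b"\x00" * hash_fn().digest_size
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, algorithm: str = "hmac-sha256") -> bytes:
    """RFC 5869 expand step: OKM = T(1) | T(2) | ... truncated to `length` bytes.

    T(i) = HMAC-Hash(PRK, T(i-1) | info | i), with T(0) empty and i a single byte,
    so the output is capped at 255 * HashLen bytes.
    """
    hash_fn = HASH_ALGORITHMS[algorithm]
    hash_len = hash_fn().digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_fn).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, algorithm: str = "hmac-sha256") -> bytes:
    """Full HKDF: extract, then expand, with the selected hash algorithm."""
    prk = hkdf_extract(salt, ikm, algorithm)
    return hkdf_expand(prk, info, length, algorithm)


# RFC 5869 Appendix A.1 test case 1 (SHA-256): a public vector, embedded here
# so the implementation can be verified without any network access.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865",
}


def check_rfc5869_tc1() -> bool:
    """Return True if both the PRK and OKM match the published vector."""
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"], "hmac-sha256")
    okm = hkdf_expand(prk, tc["info"], tc["length"], "hmac-sha256")
    return prk.hex() == tc["prk"] and okm.hex() == tc["okm"]


if __name__ == "__main__":
    print("RFC 5869 test case 1:", "ok" if check_rfc5869_tc1() else "FAILED")
    # Same inputs under each hash option give different, unrelated key material,
    # which is why the option must be fixed consistently across consumers of a key.
    for name in HASH_ALGORITHMS:
        print(name, hkdf(b"example-ikm", b"example-salt", b"example-context", 32, name).hex())
```

The practical point for an operator: the derived key depends on the hash option as much as on the input keying material, so every client that re-derives the same key must be configured with the same hmac-* option as the server, and changing the default after deployment silently changes every derived key.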
KMIP/NAE
NAE Updates:
XML support for Certificate and CA requests, and for Group/policy in local mode
Support for the PKCS#12 format
AES-GCM with PKCS5 padding
HKDF support
System Reset
Added a System Reset command to kscfg. System Reset performs a hard reset of the k170(v).
Warning
System Reset is a destructive operation and wipes all data on the k170(v). It should be used with care.
Network Configuration Utility
Supports configuration of multiple network interfaces and bonding these interfaces to achieve redundancy and performance improvements.
ProtectFile
SafeNet ProtectFile Licensing
SafeNet ProtectFile is offered through the following licensing models:
Trialware: Provides the fully-functional SafeNet ProtectFile solution for free for 30 days. This license does not require activation during the trial period. After the trial period expires, SafeNet ProtectFile configurations on the NextGen KeySecure appliance become read-only. A trialware SafeNet ProtectFile license comes bundled with the NextGen KeySecure appliance.
Term Licensing Model: Provides the fully-functional SafeNet ProtectFile solution for a prepaid charge for a specific period of time, for a specific number of clients. The NextGen KeySecure appliance console starts showing a notification about the remaining license time. The license renewal can be ordered before the license expires. Functionality will not be immediately disabled at time of license expiry. Maintenance and Support Fees are included within the term license.
Perpetual Licensing Model: Provides the fully-functional SafeNet ProtectFile solution for a prepaid charge with no time limit, for a specific number of clients. Customers will be invoiced on a predetermined interval for Maintenance and Support.
A NextGen KeySecure appliance administrator can install the SafeNet ProtectFile license.
Migration of Clusters from KeySecure Classic
This release supports migration of SafeNet ProtectFile clusters from the SafeNet KeySecure Classic to the NextGen KeySecure appliance.
Progress Reporting
The NextGen KeySecure appliance now shows the progress of cryptographic operations being performed by SafeNet ProtectFile on a path under a rule. The reason for failed rules is also displayed.
Configurable Polling Interval
This allows configuring the polling interval value that best suits customer environments.
ProtectV
Rekey
SafeNet ProtectV includes automatic key renewal, also known as key rotation or rekey. Rekey is the process of re-encrypting partitions with a new encryption key. The rekey feature is disabled by default. This feature can be helpful in meeting regulatory requirements concerning the change of encryption keys.
A SafeNet ProtectV administrator can configure the feature on the NextGen KeySecure appliance console.
When configuring the feature, specify the number of days after which encryption keys should be changed automatically. If enabled on the NextGen KeySecure appliance console, the default rekey interval is 180 days.
In-transit Key Wrapping
SafeNet ProtectV supports encryption of keys while they are moving between the NextGen KeySecure appliance and ProtectV clients. This is referred to as in-transit key wrapping.
Enable in-transit key wrapping to protect KEKs against TLS attacks. The KEK is wrapped with a public key by the NextGen KeySecure appliance. By default, this feature is disabled. A SafeNet ProtectV administrator can enable this feature on the NextGen KeySecure appliance console.
Windows Auto Protection
SafeNet ProtectV includes the Windows Auto Protection option to configure automatic encryption behavior of Windows client images on registration. By default, encryption of a Windows image starts as soon as it is registered with the NextGen KeySecure appliance.
A SafeNet ProtectV administrator can disable this configuration. When disabled, encryption of newly registered Windows images does not start immediately. This allows selecting specific Windows partitions for encryption for the first time. Encryption of the selected partitions starts automatically within an hour, because the client image contacts the NextGen KeySecure appliance continuously at intervals of between 5 and 60 minutes. Alternatively, reboot the client image to start the encryption of the selected partitions immediately.
Global Autoscaling
Autoscaling refers to whether new clones of images will be granted keys automatically. The previous release supported autoscaling of individual ProtectV client images.
This release includes an option to configure autoscaling for all SafeNet ProtectV images. This is called global autoscaling. A SafeNet ProtectV administrator can configure global autoscaling.
By default, global autoscaling is turned off. New clones will not be granted keys automatically. When global autoscaling is turned on, encryption keys will be granted to new clones of SafeNet ProtectV client images that will be created in future.
Auto Keys Deletion
An option is included to configure automatic deletion of encryption keys on deletion of the associated ProtectV Client virtual machines.
By default, this option is disabled. In this case, the keys with which an image’s partitions are encrypted will not be deleted if the image is deleted. However, when the option is enabled, deletion of the encrypted image will automatically delete the linked encryption keys.
Migration from KeySecure Classic
Support is added to migrate encrypted SafeNet ProtectV clients from the SafeNet KeySecure Classic to the NextGen KeySecure appliance.
ProtectDB
GUI support is provided for the following operations for the Oracle database type:
Add, delete, or modify database connection.
View the list of existing database connections.
Add, delete, or modify user mapping for a database (NAE user mapped with the database user).
View the list of user mappings for a database.
Configure the column level encryption properties including error replacement feature.
View the list of encrypted tables for a database.
Note
More databases will be supported in a future release.
Resolved Issues
This table lists the issues resolved in release 1.7.0.
Issue | Synopsis |
---|---|
NC-3948 | Retain node license on reset. |
NC-3920 | System Upgrade: If there is not enough disk space available during a system upgrade, the upgrade will fail. Workaround: Perform a system reset, ensure there is at least 12 GB of space available (not including the upgrade file), and then try the system upgrade again. |
NC-3871 | Single node cluster fails to perform upgrade |
NC-3869 | NAE interface Refresh Tokens are not being deleted |
NC-3850 | The "secrets" API has been deprecated and replaced by an object type in "keys2". |
NC-3841 | Restoring backup causes ProtectFile and ProtectV Manager malfunction. |
NC-3826 | Records: Audit record logs are periodically deleted (eventually all) once it utilizes disk size of 10 GB. |
NC-3823 | Default NAE port (9000) requires a restart after making configuration changes. |
NC-3779 | Backup Download Failure with large backup files |
NC-3778 | Command kscfg network interface list has empty values on AWS. |
NC-3750 | Backup: CLI (ksctl) out of memory error occurs on large backup download. |
NC-3470 | PA-ICAPI: Init Update Final does not work with SEED for chunk sizes other than 1024 bytes. |
NC-3301 | JCE: GCM Encryption result in Remote and Local modes does not match with Version Key. |
NC-1629 | NAE-XML VersionRequest returns invalid server version. |
Release 1.6.1
This release resolves known issues listed in section: Resolved Issues. No new features or enhancements are provided.
Resolved Issues
This table lists the issues resolved in release 1.6.1.
Issue | Synopsis |
---|---|
NC-3903 | Re-enabled 'cluster delete' command; was removed in release 1.5.0. |
NC-3871 | Single node cluster fails to perform upgrade. |
NC-3869 | NAE interface Refresh Tokens are not being deleted. |
NC-3860 | kscfg: Modifying static IPv6 configuration fails when netmask is not provided. Workaround: Include setting netmask when modifying static IPv6 configuration. |
NC-3841 | Restoring backup causes ProtectFile and ProtectV Manager malfunction. |
NC-3826 | Records: Audit record logs are periodically deleted (eventually all) once it utilizes disk size of 10 GB. |
NC-3750 | Backup: CLI (ksctl) out of memory error on large backup download |
Release 1.6.0
Note
Release 1.6.0 supports both the SafeNet KeySecure k570 appliance and the SafeNet Virtual KeySecure k170v.
Physical Appliance Installation ISO
An ISO Image is available for existing customers to upgrade their k450/k460 appliance with the k170 software. Refer to the SafeNet NextGen KeySecure Deployment Guide for instructions.
Multi NIC Support
Multiple NICs can be configured for Physical and Private Cloud images using the kscfg utility.
Note
kscfg can only be used to configure interfaces on a Physical Appliance or in a Private Cloud (VMware vSphere, Hyper-V, etc.). It cannot configure interfaces in public clouds (AWS, Azure, etc.).
Downgrade Support
Downgrade support has been added in release 1.6.0. This means that future releases will be able to downgrade but not to a version earlier than release 1.6.0.
Backup Encryption Changes
Beginning with release 1.6.0, backups are encrypted when they are created, rather than when they are downloaded. This is more secure, and simplifies management of backups.
Note
During an upgrade, any existing backups are encrypted using the default backup key.
Backups and Backup Keys Retained
Backups and Backup Keys are retained, even if a system is reset.
GUI Backup Support
Backups and Backup Keys can be managed via the GUI
Debug File Rotation Improvements
Debug file rotation has been improved. Debug files are rotated once they reach 1GB in size, and a maximum of 30 files are retained. Additionally, all but the last two debug log files are compressed.
Local Audit Log Disable
Logging Audit records to local store (database) can be disabled via the CLI and the API - audit logs are still forwarded to syslog. Clusters that support a large number of transactions should be configured with local audit logging disabled. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl 'properties' command to disable audit logging.
ProtectV Support (BETA)
ProtectV is supported via the CLI, API and GUI. An updated client is required to use ProtectV with the NextGen KeySecure. This is a BETA feature - migration of existing ProtectV clients is not yet supported and certain features may not be available.
New API Playground (BETA)
A new API playground is included with improved formatting and performance. This is a BETA feature and in addition to the existing one.
Multiport Support for NAE Server
Multiple instances of NAE Server can be instantiated on different ports and network interfaces.
Key States Support
Key States support is added over NAE-XML. The key states are compatible with corresponding states on KeySecure Classic.
Release 1.5.0
Migration for KeySecure Classic
The NextGen KeySecure now supports importing a backup file from KeySecure Classic (k450, k460 and k450v) to assist users with the upgrade process. All Keys, Users and LDAP connections are imported into NextGen KeySecure. For details, refer to: "SafeNet KeySecure k170v Deployment Guide > Migrating from KeySecure Classic".
Static IP Configuration
Static IP can now be set via a command line utility "kscfg". SSH into the system as "ksadmin" and type kscfg net interfaces modify -h command for details.
Private Cloud Image Disk Size Increase
The size of the Private Cloud Image Disk was increased from 16 GB to 30 GB. It can also be set to a larger value and will re-size automatically.
Note
An encrypted instance cannot be resized.
NAE and KMIP Certificate Separation
NAE and KMIP certificates are now separate and can be managed individually.
Backup Chunking Support
Very large backup files can be optionally uploaded in chunks to support restart and to work around size limits.
SEED and ARIA algorithms are now supported.
ECC algorithm is now supported.
LDAP Group Support
Groups from an LDAP connection can be mapped to a local group for authorization control.
The maximum number of nodes in a cluster has been increased from 6 to 10.
New Crypto API
There is a new REST Crypto API for simpler encryption and decryption. Go to the API Playground for details.
Secret Object Support
Secret Objects are supported via the KMIP interface. There is also a REST interface for managing text and opaque secrets.
Support for SafeNet Data Protection On Demand (DPoD) root of trust HSM.
See https://cpl.thalesgroup.com/encryption/data-protection-on-demand/marketplace to sign up for DPoD.
Refer to DPoD service setup configuration.
Release 1.4.0
New Features and Enhancements
Added support for SafeNet ProtectFile
The SafeNet Virtual KeySecure k170 version 1.4.0 extends support for encryption of local file system using SafeNet ProtectFile 8.7.10. This release provides CLI, REST API, and GUI to create and manage the following types of policies:
Access Control and Encryption
Access Control Only
Added Alarm support
API lists available alarms
Alarm events are sent to syslog
See Alarms for details.
Added TLS/SSL certificate provisioning for web interface.
A “user friendly” name can now be set for each NextGen KeySecure instance.
Interface certificates are now automatically issued when a new node joins a cluster.
“beta” has been removed from the API path; existing applications that use "v1beta" in the API path will continue to work.
Release 1.3.0
Support for IPv6 configuration
Added the ability to configure IPv6 to either 'dhcp' or 'auto’ via cloud-init. The default is “auto”.
Note
For IPv6 to operate correctly in AWS, this should be changed to “dhcp” in the startup cloud-init script. Refer to the Deployment Guide for details.
AWS CloudHSM
Added support for AWS CloudHSM (Cavium).
Password History Policy
Added support for Password History Policy that retains the user's password history to prevent users from reusing their previous passwords.
Hybrid HSM Support
Although connecting all nodes to the same HSM is the most secure configuration, nodes in a cluster are no longer required to be connected to the same HSM. Each node can now be connected to a different supported HSM partition, or to no HSM. Refer to Hardware Security Module for details and security considerations.
Support for a “status” API
There is a new API called services/status that returns the status of the NAE-XML and KMIP interfaces, as well as an overall status. This can be used to determine if the system is ready to accept connections.
New System Defined Groups
A number of new System Defined Groups are now created by default, which give granular permissions to users. A user must be in one or more of these groups to have access to resources in the system. This is different from previous releases where all users had key access by default. If an upgrade is performed from 1.1.0 or 1.2.0, existing non-admin users must be placed in the “Key Users” group for them to have appropriate access. Refer to Groups for details on these new groups.
Disk Encryption Performance Improvements
Encrypting a k170v instance now takes significantly less time. Try it!
Elliptical Curve Key Support
The API now supports creation of EC keys. Encryption/Decryption operations coming soon.
New Deployment Guide
A Deployment Guide is now available as part of the documentation set, describing how to deploy k170v in various environments.
Release 1.2.0
Support for Luna HSM HA Groups
Multiple Luna HSMs can now be configured in an HA group. Updates to the API and CLI support this configuration.
Initial Password Changes
The initial admin password now defaults to "admin" and must be changed on first login. A random initial password can be generated optionally - requires a cloud-init configuration, and must be retrieved via SSH.
Force Password Change
A user can be forced to change their password on their next login attempt.
Password Expiration
An expiration policy can be set for local system passwords. Users will be forced to change their passwords after expiration.
Updates to Interface Settings
Various authentication options can be set for the NAE interface. See API documentation for details. GUI support is also added.
Changes to Key UUID format
To be compatible with SafeNet KeySecure Classic, the UUID format for Keys has been changed to be a 64-byte string.
IPv6 Support
IPv6 addresses will be configured automatically if available.
NTP Support
Multiple authenticated NTP servers can be configured via the API, CLI, or GUI.
Google Compute Support (Preview)
Google Compute is supported as a preview. Contact Thales Customer Support directly to evaluate a Google Compute image.
Hyper-V Support
Configurable root ca (via cloud-init)
API Support for system Reset and Restart.
KMIP Register Operation Support
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager.
System Downgrade
CipherTrust Manager 2.2.0 can be downgraded to 2.1.0. For release-specific upgrade/downgrade information, refer to the release notes for your release.
System Upgrade
Caution
Please read this section carefully before performing a system upgrade.
Supported Releases
System upgrades have been tested from releases 1.10.x, 2.0.0, and 2.1.0.
Note
Upgrades from other versions have not been tested and may not work correctly.
To apply a system upgrade
System upgrades are supplied in the form of a signed archive file available from the Support Portal.
Before proceeding, ensure there is at least 12 GB of space available (not including the upgrade file).
Create and download a backup with corresponding backup key, in case there are any problems.
scp the archive file to the CipherTrust Manager:
$ scp -i <identity_file> <update file name> ksadmin@<ip>:.
ssh into the CipherTrust Manager as ksadmin and run the following command:
$ sudo /opt/keysecure/ks_upgrade.sh -f <~/filename>
The signature of the archive file is verified and the upgrade is applied.
Restoring a Backup from a Previous Version
Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.
In-place Cluster Upgrade
A cluster can be upgraded in-place since version 1.9.0. The upgrade is generally limited to one minor version at a time, for example, from 1.10.0 to 2.0.0; from 2.0.0 to 2.1.0; or from 2.1.0 to 2.2.0. Be aware of the following considerations when performing an in-place cluster upgrade.
Note
If you attempt to upgrade to 1.10 from 2.0 with DNS entries in the cluster configuration, that upgrade might fail with database errors. In this situation, run kscfg system reset on the affected node, upgrade your other nodes from 1.10 directly to 2.1, upgrade the affected node to 2.1, re-join the cluster, and continue upgrading nodes to 2.2.0.
The node being upgraded will be inaccessible during the upgrade. This may be as long as 10 minutes or more. Clients must be able to handle this outage.
There will be a brief period of time (under 30 seconds) where the database will be locked while upgrading the first node. This affects all nodes at the same time, and some nodes may give error responses during this time.
All nodes in the cluster should be upgraded as soon as possible - nodes running different versions of the firmware will behave differently, potentially causing problems with applications.
To perform an in-place cluster upgrade
Before doing any upgrade operation, ensure that you have a backup, and that you have downloaded the backup and associated backup key.
Ensure all nodes in the cluster are up and operating normally. Resolve any issues (like removing any obsolete nodes) before performing the upgrade.
Perform a system upgrade on each node, one at a time. Ensure the upgrade of each node is complete and that the node is operating normally, before proceeding to the next node.
Note
When updating the first node in a cluster, the cluster nodes may briefly experience slower than usual response times. This occurs because the shared database schema for the cluster is updated with the first node.
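The single-node upgrade steps documented above, and the one-node-at-a-time cluster procedure built on them, as an added example script that is not part of the release notes or of any Thales tooling. The scp and ks_upgrade.sh commands are the ones the notes give; the location of the ksadmin identity file and the URL path of the services/status readiness probe are assumptions, marked as such in the code, as is the constructed df output used to exercise the free-space check.

```shell
#!/bin/sh
# Added example; not part of the CipherTrust Manager release notes or product.
# Drives the documented upgrade steps (scp the signed archive as ksadmin, then
# run /opt/keysecure/ks_upgrade.sh) for one node, or one node at a time for an
# in-place cluster upgrade, with the preflight checks the notes call for.
# Assumptions, not taken from the page: the ssh identity file location and the
# readiness probe URL built from the "services/status" API name.

REQUIRED_FREE_GB=12                                  # from the notes, excluding the upgrade file
IDENTITY=${IDENTITY:-$HOME/.ssh/ksadmin_id}          # assumed location of the ksadmin key
STATUS_PATH=${STATUS_PATH:-/api/v1/services/status}  # assumed path; confirm in the API Playground

# Return the "Available" column of `df -k <path>` output as whole GB.
# Accepts both the single-line form and the form df wraps for long device names.
avail_gb_from_df() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && NF >= 5 { avail = $(NF-2) }
             END { printf "%d\n", avail / 1024 / 1024 }'
}

# True when the appliance has at least the required free space.
enough_space() {
    [ "$1" -ge "$2" ]
}

# The notes require a backup and its backup key to be downloaded first;
# refuse to start unless both files are present locally.
backup_present() {
    [ -s "$1" ] && [ -s "$2" ]
}

# Free space on the node's root filesystem, measured over ssh.
remote_free_gb() {
    avail_gb_from_df "$(ssh -i "$IDENTITY" "ksadmin@$1" df -k /)"
}

# Single-node upgrade exactly as documented: preflight, scp, ks_upgrade.sh.
upgrade_node() {
    node=$1; archive=$2
    free_gb=$(remote_free_gb "$node")
    if ! enough_space "$free_gb" "$REQUIRED_FREE_GB"; then
        echo "$node: ${free_gb} GB free, ${REQUIRED_FREE_GB} GB required; not upgrading" >&2
        return 1
    fi
    scp -i "$IDENTITY" "$archive" "ksadmin@$node:." &&
    ssh -i "$IDENTITY" "ksadmin@$node" sudo /opt/keysecure/ks_upgrade.sh -f "~/$(basename "$archive")"
}

# The upgraded node is unreachable for 10 minutes or more; poll the status API
# (HTTP 200 taken as "ready") before touching the next node, as the notes require.
wait_for_ready() {
    node=$1; tries=${2:-90}
    while [ "$tries" -gt 0 ]; do
        if curl -ksf -o /dev/null "https://$node$STATUS_PATH"; then return 0; fi
        tries=$((tries - 1)); sleep 20
    done
    echo "$node: did not report ready" >&2
    return 1
}

# In-place cluster upgrade: nodes strictly one at a time, stop on the first failure.
upgrade_cluster() {
    archive=$1; backup=$2; key=$3; shift 3
    backup_present "$backup" "$key" || { echo "download a backup and its key first" >&2; return 1; }
    for node in "$@"; do
        upgrade_node "$node" "$archive" || return 1
        wait_for_ready "$node" || return 1
    done
}

# Constructed df -k output (not from a real appliance) used to exercise the parser.
SAMPLE_DF='Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sda3       62914560 45088768  17825792  72% /'

# Usage: cm_upgrade.sh <archive> <backup> <backup-key> <node> [<node> ...]
if [ "$#" -ge 4 ]; then
    upgrade_cluster "$@"
fi
```

Passing a single node upgrades just that node; passing several performs the in-place cluster upgrade in the order given, and the script stops at the first node that fails its preflight or never reports ready, which is the point where the notes say to resolve issues before continuing.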
Alternative to In-place Cluster Upgrade
To upgrade a cluster using the cluster remove/rebuild method
On one of the cluster nodes, create and download a backup with corresponding backup key, in case there are any problems.
Remove all nodes from the cluster except one.
Perform the upgrade on that remaining node.
Ensure there is at least 12 GB of space available (not including the upgrade file) before proceeding.
scp the archive file to the CipherTrust Manager:
$ scp -i <identity_file> <update file name> ksadmin@<ip>:.
SSH into the CipherTrust Manager as ksadmin and run the following command:
$ sudo /opt/keysecure/ks_upgrade.sh -f <~/filename>
The signature of the archive file is verified and the upgrade is applied.
Rebuild the cluster by creating a new cluster on this node.
Perform the upgrade on all other removed nodes.
Note
If a previously used node is to be re-used, the cluster must first be deleted from that system.
Join new instances to the cluster.
Clusters with a Large Number of Transactions
Clusters that support a large number of transactions should have audit logging disabled and only syslog should be used for capturing audit logs. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.
To disable local audit logging
Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:
$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false
If configured, audit logs will still be sent to a syslog server.
Cluster Synchronization
Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time in a new node before it joins a cluster. NTP settings are not copied between nodes - they must be set individually for each CipherTrust Manager server.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest TLS version accepted for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.2 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.2 | TLS 1.1 |
KMIP | TLS 1.0 | TLS 1.2 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following GCM-based ciphersuites for TLS 1.2+ connections:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
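Two checks that follow from the TLS compatibility table and the deprecation notices above, as an added example that is not part of the release notes or of any Thales tooling: an audit of a client's configured ciphersuite list against the accepted GCM suites and the deprecated CBC suites listed here, and a probe that records which TLS versions an interface still negotiates so that minimum_tls_version can be raised with evidence. The client suite list in the code is constructed, and the host name in the usage note is a placeholder; the suite names and the NAE port 9000 are from the notes.

```shell
#!/bin/sh
# Added example; not part of the CipherTrust Manager release notes or product.
#  1. audit_client_suites: flag suites in a client's configured list that the
#     notes mark as deprecated (AES-CBC) or that are absent from the default
#     GCM list CipherTrust Manager accepts for TLS 1.2.
#  2. probe_interface: confirm with openssl s_client which TLS versions an
#     interface still negotiates before and after raising minimum_tls_version.

# Print accepted / deprecated / unlisted for one IANA ciphersuite name.
classify_suite() {
    case "$1" in
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|\
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            echo accepted ;;
        # the ten deprecated suites in the notes are all AES-CBC with HMAC-SHA*
        TLS_*_WITH_AES_*_CBC_SHA*)
            echo deprecated ;;
        *)
            echo unlisted ;;
    esac
}

# Audit a colon- or newline-separated suite list (for example copied from a
# client's TLS configuration). Prints one line per suite; exit 1 if any is deprecated.
audit_client_suites() {
    bad=0
    for s in $(printf '%s\n' "$1" | tr ':' '\n'); do
        case "$(classify_suite "$s")" in
            deprecated) echo "DEPRECATED $s"; bad=$((bad + 1)) ;;
            accepted)   echo "OK         $s" ;;
            *)          echo "UNLISTED   $s (not in the CipherTrust Manager default list)" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Attempt a handshake at exactly one TLS version against host:port.
# $3 is the openssl s_client version flag: -tls1, -tls1_1 or -tls1_2.
# Prints "negotiated" when the server completes the handshake, "refused" otherwise;
# s_client reports a completed handshake as "New, TLSv1.x, Cipher is ..." and a
# failed one as "New, (NONE), Cipher is (NONE)".
probe_interface() {
    if openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null |
        grep -q '^New, TLSv'; then
        echo negotiated
    else
        echo refused
    fi
}

# Constructed client suite list for the audit (not taken from any real client):
# one accepted suite, two deprecated CBC suites, and a TLS 1.3-only suite the
# interfaces (maximum TLS 1.2) never use.
SAMPLE_CLIENT_SUITES='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_AES_128_GCM_SHA256'
```

Typical use: `audit_client_suites "$(cat client-suites.txt)"` against each connector's configuration before the CBC suites are removed, and `probe_interface cm.example.internal 9000 -tls1_1` (placeholder host, NAE default port) to verify that the NAE interface answers "refused" once its minimum_tls_version has been raised to TLS 1.2.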
Client Platforms
The following client Platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
ProtectApp JCE: minimum version 8.6.1
ProtectApp .NET: minimum version 8.11.0
ProtectApp ICAPI: minimum version 8.10.0
ProtectApp Oracle TDE: minimum version 8.9.0
ProtectApp SQL EKM: minimum version 8.3.2
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
ProtectDB Oracle: minimum version 8.8.0
ProtectDB SQL: minimum version 8.9.0
ProtectDB DB2: minimum version 8.7.0
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 9.0.0
CipherTrust Vaulted Tokenization
Tokenization Manager: minimum version 8.7.1
Vaultless Tokenization Manager: minimum version 8.8.0
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
CipherTrust Teradata Protection
Minimum version 6.4.0.12
ProtectFile
Minimum version 8.10.11
ProtectV
Minimum version 4.7.3
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
Issue | Synopsis |
---|---|
KY-40418 | Problem: After migrating local CAs from KeySecure to CipherTrust Manager, the connection between KMIP client and CipherTrust Manager could not be established. The same issue also occurs when there is serial number conflict in external CAs. Workaround: Add the migrated local CA as an external CA on the CipherTrust Manager. |
KY-19730 | The CipherTrust Manager registers duplicate clients with KMIP auto registration enabled. |
KY-28934 | Problem: Upgrading from 2.1 or earlier causes existing LDAP group maps to no longer apply. Users lose membership in groups that are LDAP mapped. Workaround: Modify the LDAP connection by setting the user_dn_field to either dn or the empty string. Verify group mapping behavior by logging in with a user that is a member of a mapped group. Details: We recommend leaving the user_dn_field property empty in an LDAP connection unless the LDAP server does not use a user's distinguished name to test for user equality. Prior to CipherTrust Manager 2.2, LDAP connections ignored the user_dn_field property (user's distinguished name) and always used the dn attribute. Starting with CipherTrust Manager 2.2, when user_dn_field is set, the LDAP server uses the specified attribute to test for user equality. This primarily affects group maps between LDAP groups and CipherTrust Manager groups. For example, if a user's LDAP entry has cn:John Doe and the LDAP configuration in CipherTrust Manager has user_dn_field set to cn, then the LDAP group entry must have a member attribute that is exactly John Doe, not cn=John Doe, for the LDAP server to consider the user part of the group. |
KY-27805, KY-28689 | Problem: SNMPv3 requests fail with the error security service 3 error parsing ScopedPDU for users configured with AES-192 or AES-256 privacy protocol. This error is seen with SNMP applications, including SolarWinds Network Performance Manager, which use the nonstandard Cisco AES key extension implementation for 192 and 256 bit key length. CipherTrust Manager 2.7 and below only supports the Blumenthal implementation for these key lengths. Workaround: Set SNMP users to AES-128 privacy protocol instead. In CipherTrust Manager CLI and API, this value is called AES. CipherTrust Manager 2.8 will support Cisco implementation privacy protocols AES-192-C and AES-256-C. |
KY-27366, KY-27361 | If a connection to the KMIP or NAE interface is left idle for more than 24 hours, client authentication fails. The following error message is logged: [5/NCERRUnauthorizedAccess]: Wrong username or password. Contact customer support if you encounter this situation. |
KY-26761 | Upgrade to CipherTrust Manager 2.2.0 can sometimes cause login to fail for LDAP-authenticated users with the error "Ambiguous result, multiple users found using search filter." when group mapping is configured. |
KY-25517 | If you attempt to delete a certificate in the GUI, you are erroneously presented with a confirmation to delete the Certificate Authority (CA). Deleting a certificate and deleting a CA are two different operations. Note: Confirm deletion of the CA to proceed with deleting the certificate. This action does not actually delete a CA. |
KY-24292 | Performance of crypto operations through the NAE-XML interface degrades over a long, continuous run (upwards of 6 hours). |
KY-24102 | Client can authenticate with expired password if the CipherTrust Manager is not restarted. |
KY-22668 | NAE and KMIP crypto operations performance is affected with high CPU and memory utilization. |
KY-23664 | If you join a node into a cluster and then restart the joining node, you cannot list or access any backup keys on that node. Attempting to upload an existing backup key in this state results in NCERRResourceAlreadyExists: Resource already exists. Restoring a backup with a backup key in this state results in the error aesgcm open error: cipher: message authentication failed. Workaround: |
KY-24645 | If you attempt to create a domain-scoped backup when any keys are in a "Destroyed" state, the backup fails. Workaround: While creating the backup, use a filter to only include keys with "Pre-Active", "Active", "Deactivated", and "Compromised" states. An example ksctl command to filter for these states is ksctl backup create --scope domain --filters { "states": [ "Pre-Active", "Active", "Deactivated", "Compromised" ] } |
KY-23623 | If you restore a previous version and then attempt to create a new cluster on the local node using the cluster new operation, the creation fails. Workaround: Restart the CipherTrust Manager and retry the cluster new operation. |
KY-22641 | NAE: State changes of a key are not updated on the NAE tab. |
KY-22639 | NAE: State of an Active key is displayed as N/A on the NAE tab. |
KY-22633 | When certificate authorities are migrated from KeySecure Classic, the revoked certificate fields do not update. Workaround: If an externally imported CA and its certificate are used in the NAE interface of KeySecure Classic, the CA is migrated as an External CA but the certificate is not migrated to the CipherTrust Manager. To use the same certificate for the NAE interface on the CipherTrust Manager: 1. Select the migrated external CA. 2. Upload the CA certificate manually by editing the NAE interface. |
KY-22569 | Incorrect activation date and key state are set for pre-active keys after they are migrated from KeySecure Classic to the CipherTrust Manager. |
KY-20310 | When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error. Workaround: Disregard the timeout error. |
KY-17662 | In-place cluster upgrade does not enforce upgrading only one version. |
KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
KY-13617 | Domain scoped backup fails to restore on another domain when a key with the same name and version already exists. Workaround: To handle this issue, try either of the following: |
KY-13343 | Uploading an existing backup results in error but is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as backup ID. |
KY-12602 | Manual page refresh is required to show the Pending CAs list. |
KY-11517 | [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
KY-11498 | When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an ldap user cannot log on to it. |
KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations, the AuthenticatedEncryptionTag is returned appended to the CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
KY-7258 | NAE and KMIP might not be connectable after cluster join. Workaround: Restart the newly joined node or at a minimum restart the KeySecure service. Restart the service either from the UI or by running ksctl services restart. |
KY-7193 | Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created. |
KY-6383 | Users with a pipe in their user names (for example, user1\|something) cannot log on using NAE/KMIP. |
KY-3670 | Cluster join operation can fail, although rarely, leaving the joining node in a bad state. Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join. If you still cannot log on to the node: |
KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
KY-2423 | (was NC-2318) KMIP: Result Reason may not be accurate or have enough detail. |
KY-2418 | (was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves. |
KY-1397 | (was NC-2253) Last Login and Logins count are not updated for global user. |
KY-1396 | (was NC-2256) Group membership change for yourself does not take effect until after re-login. |
KY-1394 | (was NC-2260) Trying to mark a shared key deletable or exportable as a non-admin user returns a NotFound error. The error should be: insufficient permissions. |
KY-1373 | (was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used. |
KY-1270 | (was NC-3567) User Admin should not have authority to manage system groups. |
KY-1199 | (was NC-3904) Trimming of the audit table (at 10 million records) takes significant time and causes temporary performance issues. Workaround: Disable audit table logging for a very active cluster. |
KY-1166 | (was NC-4098) NAE/KMIP multiport iptables rules are not replicated. Workaround: Perform NAE restart on each node. |
KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
NC-3573 | Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface. |
NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
NC-2063 | If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
CipherTrust Cloud Key Manager
Issue | Synopsis |
---|---|
KY-23791 | UI: All the Azure Key Vaults are not displayed while updating the scheduler for Azure. Workaround: Create a new Refresh schedule in the desired vault. |
KY-23790 | UI: All the AWS KMS Accounts are not displayed while updating the scheduler for AWS. Workaround: Create a new Refresh schedule in the desired account. |
KY-23732 | CCKM Users cannot delete backup even if they are granted the "Delete Key Backup" permission on the Azure key vaults. Workaround: Delete the backup using the CLI or API. |
KY-23289 | Luna HSM Connection Manager: The downloaded client certificate file is named incorrectly as <cm-ip-address>.pem. Workaround: Rename the certificate file to <cckm-client-name>.pem. To rename the certificate: |
KY-23056 | HSM UI: Recently created Luna HSM keys are not visible. Workaround: Refresh the Luna Keys page. |
KY-17446 | When rotating a key using the GUI, a new version of an existing CipherTrust Manager key cannot be created. The key can only be rotated to an existing version. Workaround: Manually create a new version of the key and rotate the key. To do so: |
KY-17213 | When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
KY-42033 | Unable to use the key version created through CCKM for Azure SQL EKM. This issue will be resolved in CipherTrust Manager v2.8.0. |
CipherTrust Database Protection
Issue | Synopsis |
---|---|
PDB-3293 | If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
CipherTrust Data Discovery and Classification
Issue | Synopsis |
---|---|
KY-23751 | Scans re-launched after a connectivity issue with Hadoop get stuck in a Pending status. Workaround: Wait for the previous scan execution to finish before you re-launch the scan. For more information about the Hadoop connectivity issue that causes the problem, refer to KY-23569. |
KY-23569 | Hadoop network connectivity issues cause ongoing DDC scans to fail. DDC performs a connectivity test to PQS every minute, which can cause scan failures. Note that, even though the scans are marked as FAILED, they in fact continue running and keep consuming the Data Allowance. Workaround: |
KY-23454 / KY-22666 | DDC cannot scan files that are bigger than 512 MB for AWS S3 and Azure Blob Data Stores. Scanning large files (larger than 512 MB) on "remote (cloud)" Data Stores fails with an "error processing scan" error. Those files are marked as 'inaccessible' on the report, or the scan fails with an "error processing scan". The user has no way to identify the issue from DDC. Possible Workarounds: |
KY-22908 | All new scan executions fail with 'internal error'. If all your scans finish with an "internal error", check whether your data allowance has been completely exhausted. |
KY-21981 / KY-22000 | Postgres tables without primary keys are not completely scanned. DDC can only scan Postgres tables if they have at least one primary key defined. Workaround: Configure at least one primary key in the tables and run the scan again. |
KY-20051 | Data objects may not be listed in reports when there is a huge number of matches. An "NCERRInternalServerError: unexpected error" is displayed on the DataObjects report tab. This means that the Hadoop cluster has taken too long (more than 30 seconds) to retrieve the list of data objects in the report. Workaround: |
KY-19665 | Multipath-Report: only the files from one directory are shown when two or more directories have the same name but differ in capitalization (uppercase / lowercase). Possible Workaround: Rename one of the folders. |
KY-16274 / KY-16598 | A scan with one or more custom infotypes fails with "Internal Error". This may happen when a custom infotype contains an expression with a format too complex to interpret. Workaround: |
KY-8526 / KY-22408 | Hadoop configuration does not allow PQS schema changes. After the initial PQS Hadoop connection settings in DDC, you should not reconfigure them. If you do, you will lose all the data from the previous scan executions (if you have any). It is also necessary to restart the active node. |
KY-9098 | DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab in the UI. You should ignore it. |
KY-8990 | Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
 | A Data Store never transitions to a “ready” state and displays “A valid agent could not be found”. The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store. Solution: For possible solutions, check the following: |
 | None of the clustered nodes responds to requests to DDC. DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in next releases. Solution: |
KY-13618 | Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted. When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled. Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost. |
ProtectFile
Issue | Synopsis |
---|---|
KSCH-573 | Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
KSCH-568 | Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
KSCH-567 | Modifying a file level encryption rule to set the “isRecursive” flag does not return error. |
KSCH-564 | Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |