CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
| Product | Abbreviation |
| --- | --- |
| CipherTrust Batch Data Transformation | BDT |
| CipherTrust Application Data Protection | CADP |
| CipherTrust Cloud Key Manager | CCKM |
| CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
| CipherTrust Transparent Encryption | CTE |
| CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
| CipherTrust Teradata Protection | CTP |
| CipherTrust Intelligent Protection | CIP |
| CipherTrust Data Discovery and Classification | DDC |
| Data Protection on Demand | DPoD |
| CipherTrust Vaulted Tokenization | CT-V |
| CipherTrust Vaultless Tokenization | CT-VL |
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
An upgrade file for KeySecure Classic k450 and k460 devices.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.6.0 Virtual CipherTrust Manager is available on the following public clouds:
Amazon Web Services: SafeNet Cloud Provisioning System
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud Gen2.
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Features and Enhancements
Security Vulnerability Fix
On upgrade to 2.5.1, some existing keys are incorrectly tagged as "global" keys. This allows the "global" user and users who belong to the Key Users group to potentially affect the integrity, confidentiality, and availability of those keys. If you are running release 2.5.1, we strongly recommend upgrading to 2.5.2 or 2.6.0 immediately. See security bulletin 20211015 for further details on the security vulnerability.
Upgrading from 2.5.1 to 2.6.0 disables access to all global keys. If you are starting from 2.5.1 and you make use of global keys, contact Thales customer support for assistance to plan the upgrade to minimize downtime.
Added ability to add connections to the Salesforce cloud.
Support for certificate validation when using the LDAPS protocol.
Support for deploying Virtual CipherTrust Manager on Alibaba Cloud.
Ability to create and add CSRs directly to interfaces. This functionality allows you to configure a certificate for interfaces without downloading the private key.
Added CA chain validation for intermediate local CAs while creating registration tokens.
Tech Preview: This release introduces the ability to forward system logs and activity logs to two log forwarders, the ELK Stack (Elasticsearch, Logstash, and Kibana) or Grafana Loki.
Tech Preview: Support for multi-factor authentication using the OpenID Connect implicit flow.
Tech Preview: Expansion of the quorum feature. Quorums are now supported for the following operations: adding a user to a group, downloading a backup key in the root domain, restoring a backup in the root domain, downloading a backup key in a child domain, restoring a backup in a child domain, deleting a domain, and managing policies. In addition, quorum profiles are now available to define the number of approvals for a quorum.
All quorum policies must be disabled before system upgrade and creating a backup. This limitation is valid as long as quorum is a technical preview feature.
Tech Preview: Ability to create users in non-root domains using API and CLI.
Support for the Salesforce cloud, including BYOK (Bring Your Own Key) and cache-only key tenant secrets.
Support for AWS multi-region keys.
Ability to search for AWS, Azure, and Google cloud keys by tags and labels.
Tech Preview: Support for Google Cloud External Key Manager Ubiquitous Data Encryption, which provides control over data at rest, in use, and in transit using keys under the customer's control, by leveraging the External Key Manager service. This feature is available in non-production environments.
Protection of Efficient Storage array devices using Efficient Storage GuardPoints (ESG).
Migration of the following CTE resources from a DSM backup file
Client logging, upload logging, and Syslog settings
LDT Quality of Service (QoS) and QoS schedules
LDT policies and GuardPoints
Improved API playground and online documentation for CTE metadata, keys, policies, GuardPoints, and LDT-specific use cases.
CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.6 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.
The DDC 2.6 release includes the following new main benefits:
Scan Filtering: Added capabilities for filtering the elements (data objects) to be scanned, where the elements can be filtered by size, extension, and date
Agent Management: Visibility for agent management (status, version, IP, etc.)
New Google Data Stores Scanning: Extended capabilities for scanning Gmail and Gdrive data stores
New Classification Profile: The Personal Data Protection Bill (PDP) is added for the Indian market
New Infotypes: New built-in infotypes for India - Aadhaar and passport
This table lists the issues resolved in 2.6.0.
| Issue | Description |
| --- | --- |
| KY-34975 | Problem: Physical appliance k470 and k570 only: Downgrading from CM 2.5.0 or 2.5.1 and then upgrading back to the same version, or upgrading from 2.5.0 to 2.5.1, fails to boot after reboot, resulting in an unusable appliance. Resolution: Upgrade to and downgrade from 2.6.0 does not result in failure to boot. If you are at 2.5.0, 2.4.x, or 2.3.x, it is recommended to upgrade directly to 2.5.2 or 2.6.0 and skip 2.5.1. |
| KY-34350 | Deleting expunged CTE clients using the REST API returns null instead of a meaningful return message. |
| KY-33878 | After registration with the CipherTrust Manager, the CTE Agent cannot be initialized. |
| KY-32196 | GuardPoints of client groups can be deleted through the CTE clients associated with the client groups. |
| KY-31050 | Update the documentation with complete details on the CTE metadata. |
| KY-32775 | Update the documentation for expunged CTE clients. |
| KY-31961 | Proxy setting: Test connection returns an error without a server certificate for https_proxy. |
| KY-31908 | Creating a domain-scoped backup with a user in the |
| KY-31887 | If you do not change the default SSH key upon installing a Trusted Cyber Technologies (TCT) CipherTrust Manager k570 appliance or upgrading a KeySecure k460 or k560 with a 2.6 ISO file, you are prompted for the |
| KY-31171 | If you add a new SCP connection through the web console GUI, and try the Test connection button, CipherTrust Manager displays the error |
| KY-31117 | If you log into the CipherTrust Manager web console as a user with Key Admin level permissions, and click on the Cloud Key Manager tile, the errors |
| KY-31027 | If you add a proxy exemption before any proxy hosts, and attempt to delete the exemption, the operation fails. |
| KY-31024 | In the web console, there is an option to take an SCP backup for domain-scoped backups. SCP backups are only supported for system backups in this release. Resolution: The option to take an SCP backup for domain-scoped backups is removed from the web console. |
| KY-29727 | Problem: The |
| KY-27499 | If you update the hostname for a Google Cloud EKM endpoint, the URI format is invalid, and Google KMS cannot use the URI to perform wrap or unwrap operations. |
| KY-26867 | User password over NAE-XML does not accept the ampersand character, |
| KY-30138 | MongoDB reports only contain information for the first 1M documents even when more than 1M documents are scanned. |
| KY-27855 | "Something went wrong" message when generating a report with many scans. A report with many scans cannot be generated due to a timeout in the requests between CM and the TDP servers. |
| KY-23584 | If you migrate a key with KMIP attributes from KeySecure Classic to CipherTrust Manager, you cannot retrieve the attributes. |
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key, CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend using CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM, or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP 800-38A and NIST SP 800-38D.
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true, or provide your own secure IV in the Request Payload as an
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
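The practice recommended above, a fresh random IV for every request that is then stored with the ciphertext so it is available for decryption, is shown below as an added example. It is not code from the release notes or from any Thales SDK; it uses the third-party `cryptography` package on the client side, and the `IvGuard` class, the `key_id` labels and the `iv || ciphertext` envelope layout are this example's own conventions. The guard makes "unique per request" checkable: a caller who supplies their own IV gets a hard error on reuse under the same key, which is the failure mode that turns a GCM key into an oracle.

```python
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

GCM_IV_LEN = 12  # 96-bit IV, the length NIST SP 800-38D recommends for GCM
CBC_IV_LEN = 16  # one AES block, as SP 800-38A requires for CBC


class IvReuseError(ValueError):
    """Raised when a caller tries to use an IV twice under the same key."""


class IvGuard:
    """Per-key record of IVs already used (example construct, kept in memory).

    A real service would persist this state; the point is that an IV supplied
    by the caller is rejected if it was already used under the same key.
    """

    def __init__(self):
        self._seen = {}

    def register(self, key_id, iv):
        used = self._seen.setdefault(key_id, set())
        if iv in used:
            raise IvReuseError(f"IV {iv.hex()} already used under key {key_id}")
        used.add(iv)


def _choose_iv(iv, length, key_id, guard):
    """Random IV by default; a caller-supplied IV must have the right length
    and, when a guard is in use, must not have been used under this key."""
    if iv is None:
        iv = os.urandom(length)
    elif len(iv) != length:
        raise ValueError(f"IV must be {length} bytes, got {len(iv)}")
    if guard is not None:
        guard.register(key_id, iv)
    return iv


def encrypt_gcm(key, key_id, plaintext, aad=b"", iv=None, guard=None):
    """AES-GCM; returns iv || ciphertext || tag so the IV travels with the data."""
    iv = _choose_iv(iv, GCM_IV_LEN, key_id, guard)
    return iv + AESGCM(key).encrypt(iv, plaintext, aad)


def decrypt_gcm(key, blob, aad=b""):
    """Split the stored IV off the front, then decrypt (InvalidTag on tampering)."""
    iv, ct = blob[:GCM_IV_LEN], blob[GCM_IV_LEN:]
    return AESGCM(key).decrypt(iv, ct, aad)


def encrypt_cbc(key, key_id, plaintext, iv=None, guard=None):
    """AES-CBC with PKCS#7 padding; returns iv || ciphertext."""
    iv = _choose_iv(iv, CBC_IV_LEN, key_id, guard)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def decrypt_cbc(key, blob):
    """Recover the IV from the envelope, decrypt, and strip the padding."""
    iv, ct = blob[:CBC_IV_LEN], blob[CBC_IV_LEN:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


if __name__ == "__main__":
    key = AESGCM.generate_key(bit_length=256)  # constructed key for the demo
    guard = IvGuard()
    record = b"account=1234;balance=500"
    first = encrypt_gcm(key, "key-1", record, guard=guard)
    second = encrypt_gcm(key, "key-1", record, guard=guard)
    # Same plaintext, same key, different IV: the two envelopes differ entirely.
    print("envelopes differ:", first != second)
    print("round trip ok:", decrypt_gcm(key, first) == record)
    try:
        encrypt_gcm(key, "key-1", b"other", iv=first[:GCM_IV_LEN], guard=guard)
    except IvReuseError as exc:
        print("rejected:", exc)
```

Storing the IV in front of the ciphertext is a convention, not a secret: the IV does not need confidentiality, only uniqueness (and, for CBC, unpredictability), which is exactly what `os.urandom` per request gives you and a per-key default IV does not.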
Some Key States Change After Upgrade
After upgrade from 2.3 or 2.4 to 2.6, some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.
When a key has an NAE state of Restricted and the Protect Stop Date is set in the future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
When a key has an NAE state of Active and the Activation Date is not set, the Activation Date is set to the current time. All cryptographic operations are allowed.
When a key has an NAE state of Active and the Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
When a key has a state of Deactivated before upgrade, its state is unchanged after upgrade. However, the allowed operations for the Deactivated state changed in 2.5: the key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the Protect Stop Date to restore those operations.
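The remapping rules above are easiest to reason about as a function from (NAE state, dates) to (new state, allowed operations), so the following is added here as a dry-run checker you can point at an exported key inventory before upgrading. It is an example written for these notes, not CipherTrust Manager code: the `KeyRecord` fields, the operation names and the `reactivate_for_processing` helper are this example's own, and the page does not say what happens to state combinations it does not list, so those are assumed to pass through unchanged.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Operation sets as the release note describes them.
ALL_OPS = frozenset({"encrypt", "decrypt", "sign", "verify", "wrap", "unwrap", "mac", "mac_verify"})
PROCESS_ONLY_OPS = frozenset({"decrypt", "verify", "unwrap", "mac_verify"})
NO_OPS: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class KeyRecord:
    """Minimal key metadata; field names are this example's, not the product's."""
    name: str
    state: str
    activation_date: Optional[datetime] = None
    deactivation_date: Optional[datetime] = None
    protect_stop_date: Optional[datetime] = None


def allowed_operations(key: KeyRecord, now: datetime) -> FrozenSet[str]:
    """Operations a key may perform after upgrade, following the note's rules.

    Assumption (not stated on the page): states other than Pre-Active,
    Active and Deactivated allow nothing.
    """
    if key.state == "Pre-Active":
        return NO_OPS
    if key.state == "Active":
        if key.protect_stop_date is not None and key.protect_stop_date <= now:
            # Past the Protect Stop Date: decrypt/verify/unwrap/MAC-verify only.
            return PROCESS_ONLY_OPS
        return ALL_OPS
    return NO_OPS  # Deactivated under 2.5+ semantics, and anything else


def remap_on_upgrade(key: KeyRecord, now: datetime) -> Tuple[KeyRecord, FrozenSet[str]]:
    """Apply the five remapping rules; return the post-upgrade record and its operations."""
    if key.state == "Retired" and key.deactivation_date is not None and key.deactivation_date > now:
        new = replace(key, state="Deactivated")
    elif key.state == "Restricted" and key.protect_stop_date is not None and key.protect_stop_date > now:
        new = replace(key, state="Active", protect_stop_date=now)
    elif key.state == "Active" and key.activation_date is None:
        new = replace(key, activation_date=now)
    elif key.state == "Active" and key.activation_date > now:
        new = replace(key, state="Pre-Active")  # Activation Date retained
    else:
        new = key  # Deactivated keeps its state; assumption: other combinations unchanged
    return new, allowed_operations(new, now)


def reactivate_for_processing(key: KeyRecord, now: datetime) -> KeyRecord:
    """The note's post-upgrade remedy for a Deactivated key: re-activate it and
    set the Protect Stop Date so decrypt/verify/unwrap/MAC-verify work again."""
    return replace(key, state="Active", protect_stop_date=now)


def upgrade_report(keys: Iterable[KeyRecord], now: datetime) -> List[Tuple[str, str, str, List[str]]]:
    """Dry run: (name, state before, state after, sorted allowed operations) per key."""
    rows = []
    for k in keys:
        new, ops = remap_on_upgrade(k, now)
        rows.append((k.name, k.state, new.state, sorted(ops)))
    return rows


if __name__ == "__main__":
    NOW = datetime(2021, 11, 1, tzinfo=timezone.utc)
    future = NOW + timedelta(days=90)
    inventory = [  # constructed sample keys, one per rule in the note
        KeyRecord("pay-retired", "Retired", deactivation_date=future),
        KeyRecord("pay-restricted", "Restricted", protect_stop_date=future),
        KeyRecord("pay-active-nodate", "Active"),
        KeyRecord("pay-active-future", "Active", activation_date=future),
        KeyRecord("pay-deactivated", "Deactivated"),
    ]
    for name, before, after, ops in upgrade_report(inventory, NOW):
        print(f"{name:20} {before:12} -> {after:12} ops={ops or '-'}")
```

The report is what you want to read before the maintenance window: any key that moves from a process-capable state to `NO_OPS` is a key whose consumers will start failing decryptions after upgrade.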
ECIES Decryption Can Fail After Upgrade in Rare Cases
If you encrypted data with ECIES at version 2.3, you might not be able to decrypt the data with the same EC key after upgrade to 2.6. This is because, in very rare cases, the ECIES function of the NAE interface derived an incorrect encryption and authentication key due to incorrect padding. Releases 2.4, 2.5, and 2.6 fix this rare incorrect key derivation, which means that the derived key can differ from previous releases, and decryption operations can fail. If you have trouble decrypting with an EC key after upgrade, decrypt the data with an older version of CipherTrust Manager and re-encrypt it with CipherTrust Manager version 2.6.
System Upgrade and Downgrade Supported Releases
System upgrades have been tested from releases 2.3.0, 2.4.0, and 2.5.x.
Upgrades from other versions have not been tested and may not work correctly.
CipherTrust Manager 2.6.0 can be downgraded to 2.5.2. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.
Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.
Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.
Clusters with a Large Number of Transactions
Clusters that support a large number of transactions should have audit logging disabled, with only syslog used for capturing audit logs. This significantly reduces cluster-wide traffic and disk usage. This is a cluster-wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.
To disable local audit logging
Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:
$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false
If configured, audit logs will still be sent to a syslog server.
Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time in a new node before it joins a cluster. NTP settings are not copied between nodes; they must be set individually for each CipherTrust Manager server.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Clusters with DDC
Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (which gives the impression that DDC fails randomly).
Overlapping licenses are not supported (except for the trial license).
DDC Scalable Reports Processing
Previous DDC versions needed the PQS and HDFS Hadoop services, but starting from version 2.4 DDC requires HDFS and Livy. Refer to the latest Thales Data Platform Deployment Guide for information on how to install Spark, Livy, and Tez, and to the DDC Deployment Guide for configuring them in CipherTrust Manager.
It is mandatory to have TDP version 18.104.22.168 or later before upgrading DDC.
As DDC no longer uses PQS to store new data, it is no longer possible to modify its configuration through the UI. Use the API if you need to update the Knox hostname, credentials, or TLS certificate. The upgrade does not delete any data stored in PQS; consider deleting it when you no longer need access to legacy reports.
The Hadoop settings (HDFS and Livy) must be added as if it were a fresh deployment. Any HDFS settings configured before the upgrade are not kept, but the PQS settings are stored automatically so that the information stored for scans and reports is not lost. For the HDFS connection, it is recommended to configure a different HDFS folder.
The scans created in the DDC Scans section are kept, but their past executions cannot be used for new reports; you must run the scans again to make new reports for them. It is not possible to create new reports for scan executions that were completed with a previous DDC version. Reports generated with a previous DDC version remain accessible and are marked with an "L" icon, meaning a legacy report that can no longer be updated. After an upgrade, when generating new reports, scan executions completed with the previous DDC version are not displayed in the reports wizard.
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

| Interface | Minimum TLS version | Maximum TLS version | Default minimum TLS version |
| --- | --- | --- | --- |
| Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
| NAE | TLS 1.1 | TLS 1.3 | TLS 1.2 |
| KMIP | TLS 1.1 | TLS 1.3 | TLS 1.2 |
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
The following client platforms are supported by the CipherTrust Manager.
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
ProtectApp JCE: minimum version 8.6.1
ProtectApp .NET: minimum version 8.11.0
ProtectApp ICAPI: minimum version 8.10.0
ProtectApp Oracle TDE: minimum version 8.9.0
ProtectApp SQL EKM: minimum version 8.3.2
CipherTrust Cloud Key Manager
Minimum version 22.214.171.12432
CipherTrust Database Protection
ProtectDB Oracle: minimum version 8.8.0
ProtectDB SQL: minimum version 8.9.0
ProtectDB DB2: minimum version 8.7.0
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 9.0.0
CipherTrust Vaulted Tokenization
Tokenization Manager: minimum version 8.7.1
Vaultless Tokenization Manager: minimum version 8.8.0
CipherTrust Batch Data Transformation
Minimum version 126.96.36.19916
CipherTrust Vaultless Tokenization
Minimum version 188.8.131.52
CipherTrust Teradata Protection
Minimum version 184.108.40.206
Minimum version 8.10.11
Minimum version 4.7.3
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, the DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured with TLS 1.2 only, install ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 220.127.116.11 or newer.
If you have an existing TDP 3.1.5 cluster, you should apply the patch 18.104.22.168.
This section lists the issues known to exist in the product at the time of release.
| Issue | Description |
| --- | --- |
| KY-35326 | Non-root domain users can log on to the root domain with the same privileges as their auth domain. |
| KY-34978 | Cloud-init is not available for Alibaba Cloud. |
| KY-34965 | Problem: The |
| KY-34857 | If a domain administrator creates a domain with user management enabled, then creates a user, and then attempts to edit the user details, the edit fails with the error message |
| KY-33884 | Problem: You cannot create a domain-scoped backup of the root domain through the web console UI. |
| KY-32644 | If you download a backup key and downgrade the appliance, re-uploading the backup key fails with the error |
| KY-31122 | Problem: If you perform a |
| KY-31116, KY-31114 | Problem: If an Workaround: While the quorum feature is considered a technical preview, only |
| KY-30705 | You cannot migrate an RSA public key without a corresponding private key from KeySecure Classic. Migration attempts fail with the error |
| KY-27984 | The PQS Services page does not fetch resource information on the CipherTrust Manager GUI. The PQS service will be available with DDC in a future release. |
| KY-27897 | A SaltLength of zero (0) is not supported for Sign/SignV operations using RSA PSS padding. |
| KY-27450 | Local Certificate Authorities (CAs) do not allow commas Workaround: Configure an external CA instead. Use a backslash All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. |
| KY-25152 | You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the |
| KY-24645 | If you attempt to create a domain-scoped backup when any keys are in the "Destroyed" state, the backup fails. Workaround: While creating the backup, use a filter to include only keys in the "Pre-Active", "Active", "Deactivated", and "Compromised" states. |
| KY-20310 | When setting up a new DPoD HSM on Demand service as root of trust, the command succeeds but sometimes returns a timeout error. Workaround: Disregard the timeout error. |
| KY-17662 | In-place cluster upgrade does not enforce upgrading by only one version. |
| KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use KMIP auto-registration. |
| KY-13617 | Domain-scoped backup fails to restore on another domain when a key with the same name and version already exists. Workaround: To handle this issue, try either of the following: |
| KY-13343 | Uploading an existing backup results in an error, but the backup is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as the backup ID. |
| KY-12602 | A manual page refresh is required to show the Pending CAs list. |
| KY-11517 | [ProtectApp Application] The "Invalid algorithm string" error occurs when signing data with SHA384withRSA/PSSPadding. |
| KY-11498 | When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an LDAP user cannot log on to it. |
| KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations the KMIP server always uses ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
| KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations the AuthenticatedEncryptionTag is returned appended to the CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
| KY-7258 | NAE and KMIP might not be connectable after cluster join. Workaround: Restart the newly joined node or, at a minimum, restart the KeySecure service. Restart the service either from the UI or by running ksctl services restart. |
| KY-7193 | Sub-domain System Defined Groups do not show the "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create the missing groups in sub-domains. Policies for the groups are created automatically. |
| KY-6383 | Users with a pipe in their user names (for example, |
| KY-3670 | A cluster join operation can, rarely, fail, leaving the joining node in a bad state. Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join. If you still cannot log on to the node: |
| KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
| KY-2423 | (was NC-2318) KMIP: Result Reason may not be accurate or have enough detail. |
| KY-2418 | (was NC-1780) NAE: Users cannot perform a UserInfoRequest about themselves. |
| KY-1373 | (was NC-2391) The Encrypt operation only generates a GetKey record. There is no indication that the key was used. |
| KY-1270 | (was NC-3567) User Admin should not have authority to manage system groups. |
| KY-1199 | (was NC-3904) Trimming of the audit table (at 10 million records) takes significant time and causes temporary performance issues. Workaround: Disable audit table logging for a very active cluster. |
| KY-1166 | (was NC-4098) NAE/KMIP multiport iptables rules are not replicated. Workaround: Perform an NAE restart on each node. |
| KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
| NC-3573 | Migration: Active keys from KeySecure Classic become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to Active from the REST API or KMIP interface. |
| NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
| NC-2063 | If a user is deleted (or the LDAP connection name changes), they fail to display in the keys table. |
CipherTrust Cloud Key Manager
| Issue | Description |
| --- | --- |
| KY-35520 | When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned. Workaround: Refresh all the key vaults. |
| KY-34932 | Google Cloud: If the key source is Luna HSM, clicking the Source Key link on the key details page returns the "Resource not found" error. Workaround: To view the source key details on the CipherTrust Manager GUI, open the Luna Keys page (Cloud Keys > Luna) and search for the key by Label. |
| KY-34845 | Problem: If you run a Salesforce certificate synchronization operation with a Salesforce organization that has a pending Certificate Signing Request (CSR), the synchronization fails with the error message Workaround: Before performing a synchronization, go to Salesforce and either delete all pending CSRs, or upload the CA-signed certificate corresponding to the CSR and ensure no pending CSRs are present. |
| KY-34661 | The web console UI erroneously displays an option for "Only expiring keys" for the Salesforce key rotation schedule. As Salesforce keys do not have expiration dates, this option is not applicable. Disregard the option. |
| KY-34615 | The web console UI erroneously displays an option for "Only expiring keys" for the Google key rotation schedule. As Google CME keys do not have expiration dates, this option is not applicable. Disregard the option. |
| KY-34219 | Problem: The GUI web console can only update the certificate and named credentials for the latest version of a cache-only key. You cannot update older versions on the GUI. Workaround: You can update these attributes through the REST API and the CLI. Each key version has a unique resource ID. |
| KY-31186 | If your proxy server does not support HTTP CONNECT, the CCKM Google Cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception ( |
| KY-31058 | The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work. |
| KY-27583 | CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state. This happens when the scheduler expires due to network issues or a reboot of the CipherTrust Manager; the scheduled job remains in the running state. Workaround: Delete the running and scheduled jobs from the API playground, and retry. |
| KY-17213 | When a CipherTrust Manager key is created using an auto-rotation schedule on an AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to the desired user in the CCKM Users group. |
CipherTrust Database Protection
CipherTrust Data Discovery and Classification
|KY-9098||DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails.|
Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store.
|KY-9104||Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI.|
Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent.
|KY-9399||The XVA file contains a data object that is was reported when it should not. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object in the Data Objects tab is displayed in the UI. You should ignore it.|
|KY-8990||Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed.|
Workaround: Configure an NTP server for DDC and all Agent hosts.
|KY-24205||The Agent selection will fail if no compatible Agent is found, or if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store. |
Solution: For possible solutions, check the following:
|None of the clustered nodes responds to requests to DDC.|
DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. This will be improved in next releases.
|KY-22666||DDC cannot scan files that are bigger than 512MB for AWS S3 and Azure Blob Data Stores|
Scanning large files (larger than 512 MB) on "remote (cloud)" Data Stores fails with an "error processing scan" error. Those file are marked as 'inaccessible' on the report or the scan fails with an "error processing scan". The user has no way to identify the issue from DDC.
|KY-13618||Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted.|
When a scan is paused before the CipherTrust Manager is restarted, the scan is sometimes shown as RUNNING after the restart when in fact it is stalled.
Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan is lost.
|KY-19763||OracleDB and IBM DB2: uppercase schema/table name issues.|
A user cannot launch an Oracle or DB2 scan if the schema or the table was created with a lowercase name and DDC is configured with that lowercase name.
Workaround: Set the target path in uppercase.
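The reason the uppercase path works is that Oracle and DB2 fold unquoted identifiers to uppercase when an object is created, so the name stored in the catalog is usually not the name that was typed. The following SQL is an added illustration, not part of the release notes or of the DDC product; the schema, table and column names are constructed, and the CREATE statements use Oracle syntax.

```sql
-- Added example (not from the release notes): how identifier case folding
-- determines the name that must be given to DDC as the target path.
-- Table and column names are constructed for illustration (Oracle syntax).

-- An UNQUOTED identifier is folded to uppercase at creation time,
-- so this table is stored in the catalog as CUSTOMER_DATA ...
CREATE TABLE customer_data (id NUMBER PRIMARY KEY, email VARCHAR2(256));

-- ... while a QUOTED identifier keeps its case and is stored as customer_data.
CREATE TABLE "customer_data" (id NUMBER PRIMARY KEY, email VARCHAR2(256));

-- Oracle: look up the exact stored spelling before configuring the DDC target path.
-- Use the catalog spelling (CUSTOMER_DATA for the unquoted table) as the path.
SELECT owner, table_name
  FROM all_tables
 WHERE UPPER(table_name) = 'CUSTOMER_DATA';

-- DB2 (LUW): the same lookup through the system catalog.
SELECT tabschema, tabname
  FROM syscat.tables
 WHERE UPPER(tabname) = 'CUSTOMER_DATA';
```

Running the catalog query before creating the Data Store avoids guessing: if the table was created with an unquoted name, the catalog returns it in uppercase and that is the spelling DDC needs.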
|KY-21981||Postgres tables without primary keys are not completely scanned|
DDC can only scan Postgres tables that have at least one primary key defined.
Workaround: Configure a primary key on the affected tables and run the scan again.
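Before re-running the scan it helps to know which tables are affected. The following PostgreSQL SQL is an added example, not part of the release notes or of the DDC product: it lists base tables that have no PRIMARY KEY constraint and shows two ways to add one. The schema, table and column names are constructed for illustration.

```sql
-- Added example (not from the release notes): find PostgreSQL tables that
-- DDC cannot completely scan because they lack a primary key, then fix them.
-- Schema, table and column names are constructed for illustration.

-- 1. List base tables (outside the system schemas) with no PRIMARY KEY constraint.
SELECT t.table_schema, t.table_name
  FROM information_schema.tables AS t
  LEFT JOIN information_schema.table_constraints AS tc
         ON tc.table_schema    = t.table_schema
        AND tc.table_name      = t.table_name
        AND tc.constraint_type = 'PRIMARY KEY'
 WHERE t.table_type = 'BASE TABLE'
   AND t.table_schema NOT IN ('pg_catalog', 'information_schema')
   AND tc.constraint_name IS NULL
 ORDER BY t.table_schema, t.table_name;

-- 2a. If a table already has a unique, NOT NULL column, promote it to the key.
ALTER TABLE public.customer_events
  ADD CONSTRAINT customer_events_pkey PRIMARY KEY (event_id);

-- 2b. Otherwise add a surrogate identity key; PostgreSQL backfills it for existing rows.
ALTER TABLE public.audit_log
  ADD COLUMN audit_id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY;

-- 3. Re-run the query from step 1; the fixed tables should no longer be listed.
--    Then run the DDC scan again.
```

Step 2a fails if the chosen column contains duplicates or NULLs, which is exactly the check you want before trusting that column as the scan's row identifier; step 2b is the safe fallback for tables with no natural key.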
|KY-30756||A scan with one or more custom infotypes fails with "Internal Error" when it contains a Custom Infotype created in CM 2.4.|
This may happen when a custom infotype created in CM 2.4 contains an expression whose format is too complex to interpret.
Workaround: Edit the Custom Infotype to verify that the expression is valid.
|KY-27095||The PostgreSQL Agent selection fails as if there were no compatible Agent, or as if no compatible Agent could reach the Data Store. DDC does not support the |
Workaround: Create the user with
For example, to create a user named
|KY-27102||Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports.|
|KY-30760||In Legacy Reports, Data objects may not be listed in Local Storage reports with a large number of matches.|
This happens when the Hadoop cluster has taken too long (more than 30 seconds) to retrieve the list of data objects for the report.
Workaround: Re-run the scan and generate a new (non-Legacy) report.
|KY-28063||No matches found when scanning Teradata Developer Tier Preconfigured Edition.|
DDC cannot complete scans on Teradata Developer Tier Preconfigured Edition as its default configuration does not set the spoolmode to nospoolonly, and this setting is required for DDC scans to work.
Workaround: Change the spoolmode to nospoolonly.
|KY-34462||In G-Drive, DDC scans every path that has the scan path as a prefix.|
When scanning a specific G-Drive folder, the scan is extended to all folders whose names contain the name of the folder that you intended to scan.
|KY-34540||In G-Mail, scanning the SENT, UNREAD, and IMPORTANT labels gets stuck in the VALIDATING state, then fails after 1 hour.|
If you specify one of these G-Mail directories in uppercase, the scan may fail with a timeout of 4 minutes.
Workaround: Set the path in lowercase.
|KY-33887||Azure Table - A scan fails with an internal error when scanning a large piece of sensitive data.|
DDC scans on Azure Table may fail with an internal error when a Windows agent is assigned.
Workaround: Use a Linux agent compatible with the database.
|KY-34529||Certain DDC user groups can see the Agents section in the GUI but are unable to view the list of agents.|
Members of any of the groups "DDC Scan Viewer", "DDC Scan Admin", "DDC Report Admin", or "DDC Full Report Admin" can see the Data Store and Agents sections in the GUI, but they get a "Permission denied" error when they try to access the Agents section.
|KY-34032||A mismatch between the number displayed for "Total Data Objects Scanned" and the real number of data objects for G-Mail type Data Stores.|
E-mail attachments and multiple encodings inside the e-mails inflate the number reported as "Total Data Objects Scanned".
CipherTrust Transparent Encryption
|KY-35163||Efficient Storage support for CipherTrust Manager is disabled in the CTE 7.1.1 installer.|
Workaround: To enable Efficient Storage support in CTE 7.1.1 with CipherTrust Manager 2.6.0:
|KY-34329||Browsing VxVM raw devices that have a slash in their path names shows a non-existent directory in the GuardPaths.|
Workaround: Create GuardPoints by manually entering the raw device paths.
|KSCH-16415||The Host Name field on the Client Registration screen does not validate host availability.|
Workaround: Add clients using the API.
|KSCH-573||Encryption rules cannot be modified to reset values for include and exclude extension parameters.|
|KSCH-568||Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously.|
|KSCH-567||Modifying a file level encryption rule to set the “isRecursive” flag does not return an error.|
|KSCH-564||Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.|