Release Notes
Product Description
CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
Product Abbreviations
Name | Abbreviation |
---|---|
CipherTrust Batch Data Transformation | BDT |
CipherTrust Manager | CM |
CipherTrust Application Data Protection | CADP |
CipherTrust Cloud Key Manager | CCKM |
CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
CipherTrust Transparent Encryption | CTE |
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
CipherTrust Teradata Protection | CTP |
CipherTrust Intelligent Protection | CIP |
CipherTrust Data Discovery and Classification | DDC |
Data Protection on Demand | DPoD |
CipherTrust Tokenization | CT |
CipherTrust Vaulted Tokenization | CT-V |
CipherTrust Vaultless Tokenization | CT-VL |
Release Description
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
An upgrade file for KeySecure Classic k450 and k460 devices.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.7.x Virtual CipherTrust Manager is available on the following public clouds:
Amazon Web Services: SafeNet Cloud Provisioning System
Google Cloud
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Oracle Cloud
IBM Cloud
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager IBM Cloud Virtual Private Cloud Gen2.
2.7.x contains a number of new features and enhancements. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.7.1
The 2.7.1 release includes some stability fixes described in the resolved issues list, as well as a resolution for the CVE-2022-0778 vulnerability. This release is available as a new virtual instance, or as an upgrade file on physical devices. The upgrade can be applied directly on CipherTrust Manager versions 2.7.x, 2.6.x, 2.5.x, and 2.4.x.
Release 2.7.0
Platform
Creating users in non-root domains feature is generally available (GA).
Added support for alarms triggered by client records.
Added the ability to schedule a domain-scoped backup on the web console.
Added ability to reset a physical appliance through a serial connection without logging in as ksadmin. This operation, called "zero knowledge factory reset", is done in tandem with customer support.
Added support to renew certificates of registered CipherTrust Manager clients (CTE and KMIP clients).
Added ability to add connections to the SAP Data Custodian cloud.
Ability to manage the usage of CA on individual CipherTrust Manager domains using Client Authentication.
Certificate expiry notifications for registered KMIP/NAE clients.
The RSA-AES-WRAP/UNWRAP mechanism is added for NAE-XML.
Support for AES CMAC algorithm in the CipherTrust Manager.
Made the Host and Port fields optional for creating the SMB connection.
Added alarm and audit record when TLSv1.0 and TLSv1.1 are enabled on the CipherTrust Manager.
Support for Extractable & NeverExtractable attributes in KMIP.
Added support for creation of "PKCS#12 Password Link" and "PKCS#12 Certificate Link" through REST and KMIP interfaces.
Note
This release does not support:
• Register and Export of PKCS#12 key format using "PKCS#12 Certificate Link" and "PKCS#12 Password Link" for REST interface.
• Register and Export of PKCS#12 key format for KMIP interface.
Support for client validation through NAE interface for CADP client.
Tech Preview: Expansion of quorum for deleting Google External Key Manager (EKM) Endpoints operation.
Tech Preview: Addition of a Prometheus metrics endpoint, which allows the Prometheus monitoring system to scrape the CipherTrust Manager continuously, providing metrics to help monitor overall system health, performance, and cryptographic activity. As well, there is a sample configuration available on Github, including Prometheus and Grafana data visualization application Docker containers.
Limitation(s)
During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and a different subject DN.
However, for local CAs, it is not required to delete the client to be renewed; instead, set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.
CCKM
Support for SAP Data Custodian.
Improved GUI for AWS key regionality, that is, single-region and multi-region keys.
Allowed adding same AWS account in one CipherTrust Manager domain with different names, with each entry having a unique set of regions.
Enhanced AWS Policy template to mark policies as verified/unverified.
Workflows for managing Google Cloud External Key Manager (EKM) endpoints and Google Cloud External Key Manager Ubiquitous Data Encryption (EKM UDE) endpoints are consolidated. This means that you can now create, view, update, and delete both endpoint types through the same API endpoints, CLI commands, and web console navigation menus. As well, EKM UDE functionality is now considered complete and no longer a technical preview.
Enhancements to EKM and EKM UDE endpoint policy management. This includes:
a "Basic View" UI display for policies, to allow policy editing without knowledge of Open Policy Agent policy engine.
More policies related to UDE Attestation, namely Zones, Project IDs and Instance Names.
EKM endpoints can now be created with an asymmetric key, for signing operations and fetching the public key. The available asymmetric key types are:
RSA_SIGN_PSS_2048_SHA256
RSA_SIGN_PSS_3072_SHA256
RSA_SIGN_PSS_4096_SHA256
RSA_SIGN_PSS_4096_SHA512
RSA_SIGN_PKCS1_2048_SHA256
RSA_SIGN_PKCS1_3072_SHA256
RSA_SIGN_PKCS1_4096_SHA256
RSA_SIGN_PKCS1_4096_SHA512
EC_SIGN_P256_SHA256
EC_SIGN_P384_SHA384
Performance measurements for EKM operations are now available, to help you decide on the CPU, memory, and number of CipherTrust Manager nodes required to support your EKM throughput needs.
Google Workspace CSE performance enhancement using caching.
New UI display on the Licensing page of the number of cloud units currently consumed by CCKM.
CTE
LDT Communication Groups. LDT clients within an LDT communication group can communicate with each other. An LDT communication group is mandatory when using a multi-node solution for LDT over NFS/CIFS.
An LDT client can only be added to one LDT communication group at any instance of time.
Although this release allows you to add multiple LDT communication groups to the CipherTrust Manager, only one group can be active at a time.
Domain-level CTE reporting. Administrators can now generate reports of CTE resources that belong to specific CipherTrust Manager domains.
Tech Preview (CTE for Kubernetes): Native support for Kubernetes through the implementation of a Container Storage Interface (CSI) driver. CTE for Kubernetes protects Kubernetes Persistent Storage Claims that are backed by storage with file system semantics.
Customized groups for CTE to control permissions on CTE resources.
Ability to restrict/allow updates to policies in use by active GuardPoints.
Note
CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.7 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.
CIP
Protection of existing classified data. A new option, Reclassify, is included to protect data that is already scanned and classified.
Automated intelligent protection. The DDC scans can be created automatically. A new option, Intelligent Protection, is added to the Create GuardPoint dialog box to enable automated intelligent protection.
Access only policies. These policies provide access control only, they do not encrypt data.
CTE UserSpace
GUI Enhancements:
Rules now display the linked Access Policy Group.
Editable Client Description field is added to briefly describe a client.
Ability to update user/group and process names in access policies. This release supports editable policies using the API only.
Data Discovery and Classification
Scan Trend report - provides the visibility of the scan trend data, such as the number of sensitive items discovered, analyzed and protected.
Improved CIP flow - makes it possible to protect sensitive Data Objects based on a scan execution after it has ended successfully, so that CipherTrust Transparent Encryption can be configured and triggered after the discovery phase has ended.
Identify ACL only - provides specific information when an ACL policy has been applied to a Data Object.
Manual agent assignment - brings the option of assigning a specific selected agent to a Data Store.
Automatic scan pause - facilitates the capability of pausing a scan automatically when necessary, for instance, during peak hours.
Improved scan reporting - filtering is enabled by the data displayed in the Scan Aggregated report, such as: Data Object name, path, risk, and type of the Data Object.
New InfoTypes - a set of new built-in InfoTypes for India, such as driving license, MGNREGA Job Card, bank account number, phone number, name, Indian Ration card number, and marital status.
Application Data Protection
Added support for Central Management. It allows clients to fetch configuration and policies from the CipherTrust Manager.
Added support to define Applications and decide how to protect them.
Added support for Client Registration. Currently, only DPG can be registered on the CipherTrust Manager.
Added support for Single Pane of Glass for applications defined on CipherTrust Manager.
Resolved Issues
This table lists the issues resolved in 2.7.1.
Issue | Synopsis |
---|---|
KY-43763 | If you upgrade Virtual CipherTrust Manager instances hosted on Microsoft Azure from version 2.6.x to 2.7.0, after two reboots the instance does not correctly initialize the network interface and so becomes unreachable. Upgrading to 2.7.1 or above solves this network issue. Note: This issue is described in more detail in the Advisory Notes below. |
KY-43657 | Upgrade from 2.5 times out, when the CipherTrust Manager contains large numbers of KMIP-managed keys migrated from KeySecure Classic, or keys with NAE custom attributes. In a clustered system, the upgrade times out after 30 minutes and restarts, and in a single system, the upgrade operation hangs indefinitely. |
KY-42155 | This fix resolves the CVE-2022-0778 vulnerability. |
This table lists the issues resolved in 2.7.0.
Issue | Synopsis |
---|---|
KY-34978 | Cloud init is not available for Alibaba Cloud. |
KY-19730 | The CipherTrust Manager registers duplicate clients with KMIP auto registration enabled. |
KY-37994 | Problem: Virtual CipherTrust Manager instances on Microsoft Azure lose network connection and become inaccessible after two reboots. Resolution: This problem no longer occurs in new 2.7.0 deployments on Azure. If your instance is at 2.6, or was upgraded from 2.6, upgrade to 2.7.1 for a complete fix. If you have already lost network access, follow the configuration steps in the advisory note. |
KY-35326 | Non-root domain users can log on to the root domain with same privileges as its auth-domain. |
KY-34965 | The kscfg system factory-reset command fails with the error /bin/sh: permission denied. |
KY-34932 | CCKM integration Google Cloud: If the key source is Luna HSM, clicking the Source Key link on the key details page returns the "Resource not found" error. |
KY-34857 | If a domain administrator creates a domain with user management enabled, then creates a user, and then attempts to edit user details, the edit fails with the error message InsufficientPermissions. |
KY-34845 | CCKM Salesforce Integration: If you run a Salesforce certificate synchronization operation with a Salesforce organization that has a pending Certificate Signing Request (CSR), the synchronization fails with the error message "Error in saving the SFDC certificate.: pq: null value in column \"valid_to\" violates not null constraint". All certificates synchronized before reaching the CSR are successfully synchronized and are present in CipherTrust Manager. |
KY-34661 | CCKM: The web console UI erroneously displays an option for "Only expiring keys" for Salesforce key rotation schedule. As Salesforce keys do not have expiration dates, this option is not applicable. |
KY-34615 | The web console UI erroneously displays an option for "Only expiring keys" for Google key rotation schedule. As Google CME keys do not have expiration dates, this option is not applicable. |
KY-34540 | In G-Mail, scanning on SENT, UNREAD, and IMPORTANT labels gets stuck in VALIDATING state, then fails after 1 hour. If you have one of these G-Mail directories in uppercase, the scan may fail with a timeout of 4 minutes. |
KY-34329 | CTE: Browsing VxVM raw devices that have a slash in the path names shows a non-existent directory in the GuardPaths. |
KY-34219 | CCKM: The GUI web console can only update the certificate and named credentials for the latest version of a cache-only key. You cannot update older versions on the GUI. |
KY-33884 | Problem: You cannot create a domain-scoped backup of the root domain through the web console UI. |
KY-31122 | If you perform a kscfg system reset on a k570 device and then attempt to upload a backup key, the operation fails with the error that the backup key already exists, even if no backup keys are displayed in the web console GUI. |
KY-12602 | Manual page refresh is required to show the Pending CAs list. |
KY-1199 | (was NC-3904) Trimming of audit table (at 10 million records) takes significant time and causes temporary performance issues. |
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
Upgrading a k570 Appliance from 2.6.1: Loss of CipherTrust Manager Services after Reboot
Upgrading a k570 appliance from 2.6.1 to 2.7.x or 2.8.x makes the PCI HSM unavailable, and after reboot, CM services do not start. During upgrade the following message is displayed: Starting k7 (via systemctl): k7.serviceJob for k7.service failed because the control process exited with error code.
If you encounter this issue, contact customer support for assistance.
CipherTrust Manager Versions Hosted on Microsoft Azure Marketplace
Microsoft Azure Marketplace has removed all virtual CipherTrust Manager versions prior to 2.6. If you require an Azure deployment for earlier Virtual CipherTrust Manager versions, contact Thales customer support for a virtual machine file.
SMB Connection
The Host and Port fields must be specified together, or neither of them. If Host and Port are not specified while creating an SMB connection, these fields cannot be added later.
Upgrade from 2.6 to 2.7.0: Network Connection Loss After Rebooting Microsoft Azure Instances
If you upgrade Virtual CipherTrust Manager instances hosted on Microsoft Azure from version 2.6 to 2.7.0, after two reboots the instance does not correctly initialize the network interface and so becomes unreachable.
We strongly recommend upgrading directly to 2.7.1 if you are running Azure-hosted instances at version 2.6.x or 2.7.0.
Follow these steps if you have already upgraded to 2.7.0 and lost network access to the CipherTrust Manager GUI, CLI, or REST API, but have password access to the serial console.
Warning
You cannot recover a Virtual CipherTrust Manager from a lost network connection unless you have password access to the serial console.
1. Open an SSH session with Virtual CipherTrust Manager as the ksadmin user.
2. Contact Thales Support for support shell access.
3. After you are logged in as root, run the following two commands:
# rm /etc/netplan/50-cloud-init.yaml
# echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
4. Reboot the instance when convenient.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend using CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.
Caution
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true, or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
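The contrast the recommendation above draws, shown in code as an added example (it is not CipherTrust Manager code and does not use its API): a fixed IV, standing in for a stored default IV, makes two encryptions of the same plaintext produce the same AES-CBC ciphertext, so an observer learns when messages repeat; a fresh random IV per request does not, and the IV must travel with the ciphertext because decryption needs it. The GCM half shows the same rule for the 96-bit nonce, where reuse under one key is far worse than an equality leak. Go is used because AES-CBC and AES-GCM are in its standard library; the key, message and IVs are constructed for the demo, and the local CSPRNG stands in for the key manager's random number generation. DESede CBC follows the same pattern and is not repeated here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomBytes draws n bytes from the OS CSPRNG, the local stand-in for
// asking the key manager's random number generator for an IV.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// pkcs7Pad brings data up to whole blocks, as CBC requires.
func pkcs7Pad(data []byte, bs int) []byte {
	pad := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
}

// EncryptCBCWithIV is the legacy shape: the caller supplies the IV. Reusing
// one IV (a stored default, say) makes equal plaintexts encrypt to equal
// ciphertexts, so an observer learns when two messages match.
func EncryptCBCWithIV(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one block")
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptCBC is the recommended shape: a fresh random IV per request,
// returned with the ciphertext because decryption needs it again.
func EncryptCBC(key, plaintext []byte) (iv, ciphertext []byte, err error) {
	if iv, err = randomBytes(aes.BlockSize); err != nil {
		return nil, nil, err
	}
	ciphertext, err = EncryptCBCWithIV(key, iv, plaintext)
	return iv, ciphertext, err
}

// newGCM wraps an AES key in the GCM AEAD mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM seals under a fresh 96-bit nonce (GCM's IV). Nonce reuse under
// one key breaks GCM completely, so a stored default is never acceptable.
func EncryptGCM(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(aead.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// DecryptGCM opens the ciphertext; it fails on a wrong nonce or any tampering.
func DecryptGCM(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, _ := randomBytes(32) // constructed demo key; real keys stay inside the key manager
	msg := []byte("same plaintext sent twice")
	a, _ := EncryptCBCWithIV(key, make([]byte, aes.BlockSize), msg) // all-zero IV stands in for a stored default
	b, _ := EncryptCBCWithIV(key, make([]byte, aes.BlockSize), msg)
	_, c1, _ := EncryptCBC(key, msg)
	_, c2, _ := EncryptCBC(key, msg)
	fmt.Println("fixed IV repeats ciphertext:", bytes.Equal(a, b), "random IV repeats:", bytes.Equal(c1, c2))
}
```

Store or transmit the IV (or nonce) next to the ciphertext; it is not secret, only unique, and the Caution above applies: without it the data cannot be decrypted.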
Some Key States Change After Upgrade
After upgrade from 2.4 to 2.7, some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.
When a key has an NAE state of Restricted and the Protect Stop Date is set in the future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
When a key has an NAE state of Active and the Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.
When a key has an NAE state of Active and the Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
When a key has a state of Deactivated before upgrade, its state is unchanged after upgrade. However, the allowed operations for the Deactivated state changed in 2.5: the key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.
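The remapping rules above, encoded as a small predictor that an operator can run over an exported key inventory before upgrading to see which keys will change state and which operations remain. This is an added example written for these release notes, not CipherTrust Manager code, and it covers only the five cases the notes describe: a key matching none of them keeps its state and the helper makes no claim about its operations (OpsKnown is false). The Key and Outcome types, the operation names, and the Reactivate helper (which assumes the Protect Stop date is set to the current time, mirroring the Restricted rule) are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Key holds the pre-upgrade NAE state and the dates the rules consult.
// A nil date means the attribute is not set.
type Key struct {
	NAEState     string // "Retired", "Restricted", "Active" or "Deactivated"
	Activation   *time.Time
	Deactivation *time.Time
	ProtectStop  *time.Time
}

// Outcome is the predicted post-upgrade state. AllowedOps is meaningful only
// when OpsKnown is true; the notes do not enumerate operations for every case.
type Outcome struct {
	State       string
	Activation  *time.Time
	ProtectStop *time.Time
	OpsKnown    bool
	AllowedOps  []string
}

var (
	allOps = []string{"encrypt", "decrypt", "sign", "verify", "wrap", "unwrap", "mac", "mac-verify"}
	// processOnly is what a key may still do once its Protect Stop date has passed.
	processOnly = []string{"decrypt", "verify", "unwrap", "mac-verify"}
)

// Remap applies the five rules from the advisory. Keys matching none of them
// keep their state, and this helper makes no claim about their operations.
func Remap(k Key, now time.Time) Outcome {
	inFuture := func(t *time.Time) bool { return t != nil && t.After(now) }
	o := Outcome{State: k.NAEState, Activation: k.Activation, ProtectStop: k.ProtectStop}
	switch {
	case k.NAEState == "Retired" && inFuture(k.Deactivation):
		o.State, o.OpsKnown = "Deactivated", true // no operations allowed
	case k.NAEState == "Restricted" && inFuture(k.ProtectStop):
		ps := now
		o.State, o.ProtectStop = "Active", &ps
		o.OpsKnown, o.AllowedOps = true, processOnly
	case k.NAEState == "Active" && k.Activation == nil:
		act := now
		o.Activation = &act
		o.OpsKnown, o.AllowedOps = true, allOps
	case k.NAEState == "Active" && inFuture(k.Activation):
		o.State, o.OpsKnown = "Pre-Active", true // nothing allowed until the Activation Date
	case k.NAEState == "Deactivated":
		o.OpsKnown = true // state unchanged, but a 2.5+ Deactivated key loses decrypt/verify/unwrap/mac-verify
	}
	return o
}

// Reactivate models the remedy the notes give for Deactivated keys: re-activate
// and set a Protect Stop date. Assumption: the date is set to now, as the
// Restricted rule does, so only the processing operations come back.
func Reactivate(o Outcome, now time.Time) Outcome {
	ps := now
	o.State, o.ProtectStop = "Active", &ps
	o.OpsKnown, o.AllowedOps = true, processOnly
	return o
}

func main() {
	now := time.Now()
	soon := now.Add(48 * time.Hour)
	// Constructed sample inventory; the states and dates are illustrative only.
	for _, k := range []Key{
		{NAEState: "Retired", Deactivation: &soon},
		{NAEState: "Restricted", ProtectStop: &soon},
		{NAEState: "Active"},
		{NAEState: "Active", Activation: &soon},
		{NAEState: "Deactivated"},
	} {
		o := Remap(k, now)
		fmt.Printf("%-11s -> %-11s opsKnown=%t ops=%v\n", k.NAEState, o.State, o.OpsKnown, o.AllowedOps)
	}
}
```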
System Upgrade and Downgrade Supported Releases
System upgrades have been tested from releases 2.4.0, 2.5.0, and 2.6.0.
Note
Upgrades from other versions have not been tested and may not work correctly.
CipherTrust Manager 2.7.0 can be downgraded to 2.6.0. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.
Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.
Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.
Clusters with a Large Number of Transactions
Clusters that support a large number of transactions should have audit logging disabled and only syslog should be used for capturing audit logs. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.
To disable local audit logging
Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:
$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false
If configured, audit logs will still be sent to a syslog server.
Cluster Synchronization
Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time in a new node before it joins a cluster. NTP settings are not copied between nodes - they must be set individually for each CipherTrust Manager server.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
Key Usage Mask Selection
If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.
Clusters with DDC
Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (and return the impression that DDC fails randomly).
DDC Licensing
Overlapping licenses are not supported (except for the trial license).
DDC Scalable Reports Processing
Previous DDC versions needed PQS and HDFS Hadoop services, but starting from version 2.4 DDC requires HDFS and Livy. Refer to the latest Thales Data Platform Deployment Guide for information on how to install Spark, Livy and Tez and DDC Deployment Guide for configuring them in CipherTrust Manager.
Note
It is mandatory to have TDP version 3.1.5.1 or later prior to upgrading DDC.
As DDC no longer uses PQS to store new data, it is no longer possible to modify its configuration through the UI. Please use the API if you need to update the Knox hostname, credentials or TLS certificate. The upgrade will not delete any data stored in PQS. Please consider deleting it when you no longer need access to legacy reports.
The Hadoop settings (HDFS and Livy) must be added as if it were a fresh deployment. The HDFS settings that the user may have had up to now are not kept, but the PQS settings are automatically stored to make sure the information stored for scans and reports is not lost. For the HDFS connection, it is recommended to configure a different HDFS folder.
The scans created in the DDC Scans section are stored, but their executions cannot be used for new reports. The user will have to run the scans again to make new reports for them. It is not possible to create new reports for scan executions that were completed with a previous DDC version. The reports that were generated using a previous DDC version remain accessible and are marked with an "L" icon, which means that they are legacy reports and cannot be updated any more. To generate reports, the user will need to run new executions of the scans, since the legacy scan executions cannot be used. After an upgrade, when trying to generate new reports, the user will notice that scan executions completed with a previous DDC version are not displayed in the reports wizard.
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
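The version floor and ciphersuite policy described in the TLS Compatibility table and the deprecation notice, demonstrated as an added example (not CipherTrust Manager code; it does not talk to a real appliance). A Go crypto/tls server is configured the way an interface with minimum_tls_version set to TLS 1.2 and the default GCM suites behaves, and legacy clients that offer at most TLS 1.0 or 1.1 are shown to fail the handshake while TLS 1.2 and 1.3 clients succeed, so an operator can see what a client stuck on a deprecated version will experience once the floor is raised. The self-signed certificate, the host name nae.example.invalid and the in-memory pipe are constructed for the demo; TLS 1.3 suites are not configurable in Go and are always offered alongside.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// AcceptedTLS12Suites mirrors the TLS 1.2 suites the compatibility section lists
// as accepted by default (the CBC suites under deprecation are deliberately absent).
var AcceptedTLS12Suites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}

// selfSignedCert builds a throwaway ECDSA certificate for the in-process
// server; it stands in for the interface certificate issued by a local CA.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// ServerConfig models an interface whose minimum_tls_version is TLS 1.2 and
// whose TLS 1.2 offer is limited to the accepted GCM suites.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		CipherSuites:           AcceptedTLS12Suites,
		SessionTicketsDisabled: true, // keeps the in-memory pipe handshake to one flight each way
	}
}

// Handshake connects a client that offers at most maxVersion (0x0301 = TLS 1.0
// up to 0x0304 = TLS 1.3) to ServerConfig over an in-memory pipe and returns
// the negotiated version and cipher suite, or the handshake error.
func Handshake(maxVersion uint16) (version, suite uint16, err error) {
	const host = "nae.example.invalid" // constructed name for the demo certificate
	cert, parsed, err := selfSignedCert(host)
	if err != nil {
		return 0, 0, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srv := tls.Server(srvConn, ServerConfig(cert))
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cli := tls.Client(cliConn, &tls.Config{
		RootCAs:    pool,
		ServerName: host,
		MinVersion: tls.VersionTLS10, // deliberately permissive: this is the legacy client under test
		MaxVersion: maxVersion,
	})
	if err = cli.Handshake(); err != nil {
		return 0, 0, err
	}
	if err = <-srvErr; err != nil {
		return 0, 0, err
	}
	st := cli.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		ver, suite, err := Handshake(v)
		fmt.Printf("client max 0x%04x: version 0x%04x suite %s err=%v\n", v, ver, tls.CipherSuiteName(suite), err)
	}
}
```

The rejected handshakes surface on the client as a protocol-version alert, which is the symptom to expect from an unpatched application once TLS 1.0 and 1.1 support is discontinued; the fix belongs on the client, as the deprecation notice says.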
Client Platforms
The following client Platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
ProtectApp JCE: minimum version 8.6.1
ProtectApp .NET: minimum version 8.11.0
ProtectApp ICAPI: minimum version 8.10.0
ProtectApp Oracle TDE: minimum version 8.9.0
ProtectApp SQL EKM: minimum version 8.3.2
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
ProtectDB Oracle: minimum version 8.8.0
ProtectDB SQL: minimum version 8.9.0
ProtectDB DB2: minimum version 8.7.0
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 9.0.0
CipherTrust Vaulted Tokenization
Tokenization Manager: minimum version 8.7.1
Vaultless Tokenization Manager: minimum version 8.8.0
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
CipherTrust Teradata Protection
Minimum version 6.4.0.12
ProtectFile
Minimum version 8.10.11
ProtectV
Minimum version 4.7.3
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4, please refer to Upgrading Agents.
Note
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, the DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 3.1.5.1 or newer.
If you have an existing TDP 3.1.5 cluster, you should apply the patch 3.1.5.1.
Following the TDP upgrade, users are required to Configure TDP service HDFS again and also Configure TDP service Livy.
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
Reference | Synopsis |
---|---|
KY-64204 | Problem: In NAE, the Permission tags such as <Encrypt/> and <Decrypt/> are not returned in the KeyInfoResponse when permission is assigned using LDAP group maps. |
KY-59471 | Problem: The trusted CAs, in the existing custom interfaces, don't get replicated on a new node joining in a cluster. This leads to failure of the client (NAE, KMIP, and REST) authentication on the new node. Workaround: Update the trusted CA manually on the interface of that node where the issue persists. |
KY-52237 | The state of a pending CA changes to expired after the restart. This breaks the connection/integration of any KMIP or VSAN client. |
KY-51920 | Problem: CipherTrust Manager k570 models can sometimes lose network connectivity, showing the errors PCIe link lost, device now detached and igb 0000:01:00.1 eth1: malformed Tx packet detected and dropped, LVMMC:0xffffffff in kern.log and syslog host log files available in system logs download or through ksadmin SSH access. Workaround: Contact Thales customer support. |
KY-47184 | Problem: After upgrade, services sometimes fail to restart with an error message starting with Forcing migration for retry. Workaround: Contact customer support to recover from this state. |
KY-37955 | Problem: When a KMIP profile/client is created in a domain with the <domain>||<username> format, the CipherTrust Manager sometimes sets wrong user as the key owner if there are domain users with the same name. |
KY-48941 | Problem: Upgrading a k570 appliance from 2.6.1 to 2.7.x or 2.8.x makes the PCI HSM unavailable, and after reboot, CipherTrust Manager services do not start. During upgrade the following message is displayed: Starting k7 (via systemctl): k7.serviceJob for k7.service failed because the control process exited with error code. Workaround: Please contact customer support if you encounter this situation. |
KY-42500 | KMIP: After a client is auto-registered, for subsequent create token requests, Server Records show a "Create Token" ERROR. |
KY-40418 | Problem: After migrating local CAs from KeySecure to CipherTrust Manager, the connection between KMIP client and CipherTrust Manager could not be established. The same issue also occurs when there is serial number conflict in external CAs. Workaround: Add the migrated local CA as an external CA on the CipherTrust Manager. |
KY-41734 | Problem: Multiple OIDC connections are required in a cluster where individual nodes are accessed without a load balancer. Workaround: Create multiple OIDC connections and let each one have a different redirect URI, then select the appropriate connection for your specific node in the cluster. |
KY-41140 | Problem: GUI does not provide any option to add or edit the description of a domain backup. Workaround: Take the domain backup using the CipherTrust Manager API. A description can be added while taking the backup. |
KY-39821 | Problem: If a KeySecure Classic backup contains certificates that have been revoked and then resumed, the CipherTrust Manager shows them as revoked certificates after migration. |
KY-39437 | KMIP: Access token is not cleared from the user cache when the refresh token is deleted from the database after 24 hours of an idle KMIP connection. |
KY-38690 | Problem: Migration of data from KeySecure Classic to CipherTrust Manager fails and throws an error if any certificate has been revoked or resumed on a single-digit date on the KeySecure Classic before taking the backup. For example, 2 Feb 2022. Workaround: Identify the certificate that has been revoked or resumed on the single-digit date on the KeySecure Classic, and exclude the CA that signed that certificate from the backup. |
KY-39818 | Problem: The links of the keys (XTS/RSA) get deleted from the source domain when the key backup is restored on the destination domain of the same CipherTrust Manager. |
KY-39734 | Problem: The proxy doesn't work if https_proxy is not set in the following scenarios: • After upgrading to CipherTrust Manager version 2.6. • After installing CipherTrust Manager version 2.6. Workaround: After upgrade and installation, configure https_proxy and http_proxy with the same values. |
KY-39255 | Problem: When migrating a non-versioned key from DSM to CipherTrust Manager, the expiration date of the key gets copied to the key's rotation date after migration, causing auto-rotation instead of deactivation. Workaround: Disable the auto key rotation job in each domain. |
KY-39294 | Problem: If you create a user with the same name on two cluster nodes, replication sometimes stops due to latency. Workaround: Avoid creating users of the same name on separate nodes. If your replication is hanging: 1. Take a full system backup on all nodes in the cluster. 2. Find the remote tuple timestamp in the system log for the problematic users, for example timestamp=2022-01-24 14:33:11.70402+00 3. Delete users created at or around that timestamp. Note that you cannot retain the deleted user's password, and a new one will have to be set. Replication should automatically continue. If manually deleting users is infeasible, contact customer support for other workarounds. |
KY-39268 | Problem: For auto-registered KMIP clients created before the 2.0 release, the KMIP services do not start after upgrading to 2.5 or a later release. Workaround: Delete the auto-registered client that was created before the 2.0 release, then perform auto-registration again using the same certificate and key. |
KY-39242 | Problem: If you create keys with the same name on two cluster nodes, replication sometimes stops due to latency. The system log will have repeating log entries such as 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] LOG: CONFLICT: insert_exists on relation "minerva.keys"; resolution: apply_remote; resolver: update_if_newer. 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] DETAIL: remote tuple origin=2,timestamp=2022-01-24 14:33:11.70402+00,commit_lsn=0/4E247C8 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] CONTEXT: during apply of INSERT from remote relation minerva.keys in xact with commit-end lsn 0/4E247C8 xid 198983 committs 2022-01-24 14:33:11.70402+00 (action #2) (effective sess origin id=2 lsn=0/4E247C8) 2022-01-24 14:51:27 | pg | while consuming 'I' message from receiver for subscription bdr_kylo_kylo_ff58c04f08f_38223f4165d (id=2756859727) on node 3822e20ded82494fab50ec6dfa931ef3 (id=1061250514) from upstream node ff58cc81c5e44934af8f468f7e9f2160 (id=3226405105, reporiginid=2) 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.733 UTC [9687] FATAL: writer has died Workaround: Avoid creating keys of the same name on separate nodes. If your replication is hanging: 1. Take a backup of the keys on all nodes in the cluster. You can take a full system backup, take a partial backup of only keys, or export key material. 2. Find the remote tuple timestamp in the system log for the problematic keys, for example timestamp=2022-01-24 14:33:11.70402+00 3. Delete keys created at or around that timestamp. Replication should automatically continue. If manually deleting keys is infeasible, contact customer support for other workarounds. |
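The workarounds for KY-39294 and KY-39242 both ask you to find the remote tuple timestamp of the conflicting rows in the system log and then look for objects created "at or around" that time. The following is an added example (not Thales code, and not part of these release notes) that extracts those timestamps from the BDR CONFLICT/DETAIL log pairs shown above; the sample log is built from the lines quoted in KY-39242, and the 60-second search window is an assumed value, not something the release notes specify.

```python
import re
from datetime import datetime, timedelta, timezone

# The CONFLICT line names the relation and resolver; the DETAIL line that
# follows it carries the remote tuple timestamp the workaround refers to.
CONFLICT_RE = re.compile(
    r'CONFLICT: (?P<kind>\w+) on relation "(?P<relation>[^"]+)"; '
    r'resolution: (?P<resolution>\w+)'
)
DETAIL_RE = re.compile(
    r'remote tuple origin=(?P<origin>\d+),'
    r'timestamp=(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2})'
)
TS_RE = re.compile(
    r'^(?P<base>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?P<frac>\.\d+)?(?P<off>[+-]\d{2})$'
)

# Constructed sample: the log excerpt quoted in KY-39242.
SAMPLE_LOG = """\
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] LOG: CONFLICT: insert_exists on relation "minerva.keys"; resolution: apply_remote; resolver: update_if_newer.
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] DETAIL: remote tuple origin=2,timestamp=2022-01-24 14:33:11.70402+00,commit_lsn=0/4E247C8
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] CONTEXT: during apply of INSERT from remote relation minerva.keys in xact with commit-end lsn 0/4E247C8 xid 198983 committs 2022-01-24 14:33:11.70402+00 (action #2) (effective sess origin id=2 lsn=0/4E247C8)
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.733 UTC [9687] FATAL: writer has died
""".splitlines()


def parse_remote_ts(ts: str) -> datetime:
    """Parse a PostgreSQL-style '2022-01-24 14:33:11.70402+00' into an aware datetime."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unrecognised remote tuple timestamp: {ts!r}")
    frac = (m.group("frac") or ".0")[:7]  # strptime %f accepts at most 6 digits
    naive = datetime.strptime(m.group("base") + frac, "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone(timedelta(hours=int(m.group("off")))))


def find_replication_conflicts(lines):
    """Return one dict per CONFLICT/DETAIL pair: relation, resolution, origin,
    the raw remote timestamp and its parsed datetime."""
    conflicts = []
    pending = None
    for line in lines:
        m = CONFLICT_RE.search(line)
        if m:
            pending = {"kind": m.group("kind"), "relation": m.group("relation"),
                       "resolution": m.group("resolution")}
            continue
        m = DETAIL_RE.search(line)
        if m and pending is not None:
            pending["origin"] = int(m.group("origin"))
            pending["timestamp"] = m.group("ts")
            pending["when"] = parse_remote_ts(m.group("ts"))
            conflicts.append(pending)
            pending = None
    return conflicts


def candidate_window(conflict, slack_seconds=60):
    """Interval in which to look for the duplicate-named object ("at or around
    that timestamp"). The slack is an assumed value, adjust to your clock skew."""
    when = conflict["when"]
    return when - timedelta(seconds=slack_seconds), when + timedelta(seconds=slack_seconds)


if __name__ == "__main__":
    for c in find_replication_conflicts(SAMPLE_LOG):
        lo, hi = candidate_window(c)
        print(f'{c["relation"]}: {c["kind"]} at {c["timestamp"]} '
              f'(look between {lo.isoformat()} and {hi.isoformat()})')
```

Run it against the output of the system log export; each reported relation tells you whether the duplicate is a key (minerva.keys, KY-39242) or another object type (KY-39294), and the window bounds the creation times to check before deleting anything. Take the backups the workaround calls for first.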
KY-38845 | Problem: The CLI guide erroneously adds the CipherTrust Manager's IP address to the beginning of an external link in the ksctl client records page. The link directs to <ciphertrust-manager-IP-address>/cli/https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies/ , which does not exist. Workaround: Browse directly to https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies/ in a separate tab from the CipherTrust Manager web console. |
KY-38813 | Problem: If you attempt to create an alarm configuration with conditions copied directly from CTE client record details, the operation fails with the error Invalid condition\n1 error occurred. The format is not recognized. Workaround: Re-format the client record details before providing them for Conditions. 1. Delete the args line. 2. For each line under the former args array, add input.details.args to the beginning of each key. 3. For each key beginning with input.details.args add an array with an index value, starting with 0. For example, input.details.args.cat and input.details.args.pol would become input.details.args[0].cat and input.details.args[1].pol. 4. Remove angle brackets and add commas so that the args key-value pairs are at the same level as all other key-value pairs in the record. There should be no nested objects, and the JSON object should become flat. 5. Add input.details. to the beginning of every remaining key that isn't an args key. For example, log becomes input.details.log. 6. Provide this JSON object as the input for Conditions when creating a new client alarm configuration. |
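The six re-formatting steps in KY-38813 are a mechanical transform, so here is an added example (not Thales code, and not part of these release notes) that applies them to a parsed client record details object and checks that the result is flat. The sample record is constructed; the assumption, taken from the cat/pol example in the workaround, is that args is an array in which each entry contributes its own index.

```python
import json


def flatten_cte_details(details: dict) -> dict:
    """Rewrite a CTE client record 'details' object into the flat key/value
    shape accepted by the client alarm Conditions field (KY-38813 steps 1-5).
    Input is assumed to be already-parsed JSON (angle brackets removed)."""
    flat = {}
    for key, value in details.items():
        if key == "args":
            # Steps 1-4: drop the args line and promote each arg entry to a
            # top-level input.details.args[<index>].<name> key.
            for index, entry in enumerate(value):
                if not isinstance(entry, dict):
                    raise TypeError(f"args[{index}] is not an object: {entry!r}")
                for name, val in entry.items():
                    flat[f"input.details.args[{index}].{name}"] = val
        else:
            # Step 5: every remaining key gets the input.details. prefix.
            flat[f"input.details.{key}"] = value
    return flat


def is_flat(obj: dict) -> bool:
    """Step 4 check: no nested objects or arrays remain as values."""
    return all(not isinstance(v, (dict, list)) for v in obj.values())


# Constructed sample record; field values are placeholders, not real CTE output.
SAMPLE_DETAILS = {
    "log": "example-log-entry",
    "args": [{"cat": "audit"}, {"pol": "policy-placeholder"}],
    "host": "cte-host-placeholder",
}


if __name__ == "__main__":
    conditions = flatten_cte_details(SAMPLE_DETAILS)
    assert is_flat(conditions)
    # Step 6: this JSON is what you paste into Conditions.
    print(json.dumps(conditions, indent=2))
```

The nested input is rejected up front if an args entry is not an object, because in that case the index-and-name rule in step 3 cannot be applied and the conditions would again fail validation.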
KY-38321 | Problem: When a database connection is migrated from KeySecure Classic to the CipherTrust Manager, the Service Name field does not migrate, which leads to the database connection failure. Workaround: On the CipherTrust Manager: 1. Manually edit the database connection. 2. Select Service Name instead of SID. |
KY-37961 | Problem: If you add a user only to the "CTE Admins" group and attempt to create a registration token on the UI, the operation hangs and never completes. Workaround: Add the user to the "admin" or "CA Admins" group in addition to the "CTE Admins" group. |
KY-31116, KY-31114 | Problem: If an admin enables a quorum policy on any domain, and a key admin of that domain logs into the web console GUI and views the quorum settings, the quorum policy is displayed as disabled and the error NCERRResourceNotFound: Resource not found is displayed. Workaround: While the quorum feature is considered a technical preview, only admin level users have permissions to access and configure quorums. Log in as a user with admin permissions to try any quorum functionality. |
KY-30705 | You cannot migrate an RSA public key without a corresponding private key from KeySecure Classic. Migration attempts fail with the error "Server error [417/NCERRInvalidOrMissingKeyData: Could not decode key from key material]: Invalid private key format. HTTP code:422". |
KY-27897 | SaltLength with zero (0) value is not supported for Sign/SignV operations using RSA PSS padding. |
KY-27805, KY-28689 | Problem: SNMPv3 requests fail with the error security service 3 error parsing ScopedPDU for users configured with the AES-192 or AES-256 privacy protocol. This error is seen with SNMP applications, including SolarWinds Network Performance Manager, that use the nonstandard Cisco AES key extension implementation for 192 and 256 bit key lengths. CipherTrust Manager 2.7 and below only support the Blumenthal implementation for these key lengths. Workaround: Set SNMP users to the AES-128 privacy protocol instead. In the CipherTrust Manager CLI and API, this value is called AES. CipherTrust Manager 2.8 will support the Cisco implementation privacy protocols AES-192-C and AES-256-C. |
KY-27450 | Local Certificate Authorities (CAs) do not allow commas (,) in any of the fields. Workaround: Configure an External CA instead. Use a backslash (\) in the Distinguished Name (DN) while creating a user if you are using certificate based login. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value. All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC. |
KY-25152 | You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances. Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login. |
KY-20310 | When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error. Workaround: Disregard the timeout error. |
KY-17662 | In-place cluster upgrade does not enforce upgrading only one version. |
KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
KY-13617 | Domain scoped backup fails to restore on another domain when a key with the same name and version already exists. Workaround: To handle this issue, try either of the following: |
KY-13343 | Uploading an existing backup results in an error, but the backup is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as the backup ID. |
KY-11517 | [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
KY-11498 | When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an LDAP user cannot log on to it. |
KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode. Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations the AuthenticatedEncryptionTag is returned appended to the ciphertext. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
KY-7193 | Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created. |
KY-6383 | Users with a pipe in their user names (for example, user1|something ) cannot log on using NAE/KMIP. |
KY-3670 | The cluster join operation can fail, though rarely, leaving the joining node in a bad state. Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join. If you still cannot log on to the node: |
KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
KY-2423 | (was NC-2318) KMIP: Result Reason may not be accurate or have enough detail. |
KY-2418 | (was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves. |
KY-1397 | (was NC-2253) Last Login and Logins count are not updated for global user. |
KY-1396 | (was NC-2256) Group membership change for yourself does not take effect until after re-login. |
KY-1394 | (was NC-2260) Trying to mark a shared key deletable or exportable by a non-admin user returns a NotFound error. The error should be: insufficient permissions. |
KY-1373 | (was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used. |
KY-1166 | (was NC-4098) NAE/KMIP multiport iptables rules are not replicated. Workaround: Perform NAE restart on each node. |
KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
NC-3573 | Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface. |
NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
NC-2063 | If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
CipherTrust Cloud Key Manager
Issue | Synopsis |
---|---|
KY-39349 | CCKM GUI: Unable to view/edit AWS KMS accounts having '/' in their names. Workaround: Use the REST API to view/edit the details of AWS KMS accounts. |
KY-39150 | SAP Data Custodian: The Key Rotation Report for the BYOK keys does not show the manual rotation entry. |
KY-39123 | SAP Data Custodian: When an SAP group is added again, performing any enable, disable, update, or add new version operation on a key in the group returns the "500 Internal Server Error". Workaround: Refresh the newly added group, add the key again, and retry the operations. |
KY-35220 | When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned. Workaround: Refresh all the key vaults. |
KY-31186 | If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception ( cloudkms.googleapis.com ) with no_proxy or use the proxy with username and password, and restart the services. |
KY-31058 | The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work. |
KY-27583 | CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state. This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state. Workaround: Delete the running and scheduled jobs from the API playground, and retry. |
KY-17213 | When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
KY-42033 | Unable to use the key version created through CCKM for Azure SQL EKM. This issue will be resolved in CipherTrust Manager v2.8.0. |
CipherTrust Database Protection
Issue | Synopsis |
---|---|
PDB-3293 | If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
CipherTrust Data Discovery and Classification
Issue | Synopsis |
---|---|
KY-9098 | DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab in the UI. You should ignore it. |
KY-8990 | Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
 | None of the clustered nodes respond to requests to DDC. DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other node will return this error. This will be improved in future releases. Solution: |
KY-22666 | DDC cannot scan files that are bigger than 512 MB for AWS S3 and Azure Blob Data Stores. Scanning large files (larger than 512 MB) on "remote (cloud)" Data Stores fails with an "error processing scan" error. Those files are marked as 'inaccessible' on the report, or the scan fails with an "error processing scan". The user has no way to identify the issue from DDC. Possible Workarounds: |
KY-13618 | Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted. When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled. Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost. |
KY-19763 | OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase. |
KY-21981 | Postgres tables without primary keys are not completely scanned. DDC can only scan Postgres tables if they have at least one primary key defined. Workaround: Configure at least one primary key in the tables and run the scan again. |
KY-30756 | A scan with one or more custom infotype fails with "Internal Error" when it contains Custom Infotype from CM 2.4. This may happen when a custom infotype, created in CM 2.4, contains an expression with a format too complex to interpret. Workaround: Edit the Custom Infotype to verify if the expression is valid. |
KY-27095 | The PostgreSQL Agent selection fails as if there were no compatible Agent, or as if no compatible Agent could reach the Data Store. DDC does not support the scram-sha-256 authentication method. Workaround: Create the user with 'md5' password encryption by specifying the hash of the password at user creation, as in CREATE USER <user name> PASSWORD 'md5<password hash>'; For example, to create a user named 'u0' with the password 'foobar' (md5('foobar') = ac4bbe016b808c3c0b816981f240dcae) use the following command: CREATE USER u0 PASSWORD 'md5ac4bbe016b808c3c0b816981f240dcae'; |
KY-27102 | Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports. |
KY-30760 | In Legacy Reports, Data objects may not be listed in Local Storage reports with a large number of matches. NCERRInternalServerError: unexpected error is displayed on the DataObjects report tab. This means that the Hadoop cluster has taken too long (more than 30 seconds) to retrieve the list of data objects in the report. Workaround: Re-run the scan and generate a new (non-Legacy) report. |
KY-28063 | No matches found when scanning Teradata Developer Tier Preconfigured Edition. DDC cannot complete scans on Teradata Developer Tier Preconfigured Edition as its default configuration does not set the spoolmode to nospoolonly, and this setting is required for DDC scans to work. Workaround: Change the spoolmode to nospoolonly. |
KY-34032 | There is a mismatch between the number displayed for "Total Data Objects Scanned" and the real number of data objects for G-Mail type data stores. E-mail attachments and multiple encodings inside the e-mails increase the number of "Total Data Objects Scanned". |
KY-34462 | In G-Drive, DDC scans every path that has the scan path as a prefix. When scanning a specific G-Drive folder, the scan is extended to all folders whose names contain the name of the folder that you intended to scan. |
KY-33887 | Azure Table - A scan fails with an internal error when scanning a large piece of sensitive data. DDC scans on Azure Table may fail with an internal error when a Windows agent is assigned. Workaround: Use a Linux agent compatible with the database. |
KY-34984 | Scans run on versions prior to CM 2.7 cannot be remediated after upgrading to CM version 2.7. This is a known limitation: remediation cannot be done on scans executed on versions earlier than CM 2.7, even though the "Reclassify" option is available for them. The remediation process using the "Reclassify" option is only valid for scans executed starting with CM version 2.7. Recommendation/Workaround: Run the scan with remediation enabled to remediate the scans created in the previous versions. |
KY-37429 | Agent selection is not re-triggered after the selected agent becomes invalid. If you delete a label for an agent and then save the changes, that agent should become invalid for the data store(s) that use the deleted label, and agent selection should be re-triggered. This, however, does not happen: when you later check the Data Stores screen, the modified agent is still available for the affected data store. |
KY-38447 | Scan Trend Report: If a scan execution does not find any sensitive data, it will not appear in the Risk graph. Scan executions that find no sensitive data should be shown in the Risk graph and their risk should show 0, however they are missing on the Average Risk chart. |
KY-38108 | A datastore scan fails to continue in the scheduled time after the autopause end time if the scan gets to the "Autopaused" state directly from the "Pending" state. |
KY-36643 | When you log in to DDC as a member of the "DDC Profiles Admin" user group you get an "Insufficient Permissions" error. Recommendation/Workaround: Ask the system administrator to elevate your privileges. |
KY-38398 | Scan Trend Report: the asterisk (*) character is misplaced in the Remediation chart. The Remediation chart in the Scan Trend report may have the asterisk (*) character displaced. Workaround: You can find its correct position by looking at the other graphs in the report. |
KY-38457/KY-38725 | Some Indian infotypes are getting many false positives. This happens with the Indian Passport data that is getting matched without any context. Also, Indian Marital Status is showing more matches than expected. |
KY-38513 | Indian GLASS Expression: Data does not match when English context is mixed with non-English context of byte size greater than 32 bytes. You should not create custom infotypes where English context is mixed with non-English context and the byte size is greater than 32 bytes. This can potentially cause mismatches. |
KY-27607 | Scanning an empty Azure table returns a "Scan failed to start" error. |
KY-39005 | A G-mail scan fails with a scan RAM exhausted error while scanning large sensitive data. While scanning G-mail with large sensitive data, you run into an "Internal error". This can happen due to RAM exhaustion. Workaround: To check, look in the CM log for the "Pool memory limit reached" error. Increase the Agent's RAM memory using the ksctl tool, following the procedure in Tuning Scan Settings. |
CipherTrust Transparent Encryption
Issue | Synopsis |
---|---|
KY-38998 | When the credentials of an SMB connection are updated on the CipherTrust Manager, the updates are not reflected on the CTE Agent. Workaround: 1. Create a new SMB connection with new credentials. 2. Update the existing LDT over CIFS/SMB GuardPoints to link to the new SMB connection. |
KY-41556 | CTE: LDAP users/groups cannot be browsed without the Search filter. Workaround: Use the Search filter to search and browse LDAP users/groups. |
Application Data Protection
Issue | Synopsis |
---|---|
CADP-6187 | Remove "Allow null or single character input". Workaround: For DPG clients, the Allow null or single character input check box should not be checked. |
CADP-5211 | When deleting an application, the associated DPG policy is not deleted. |
CADP-5207 | Character set should only be displayed and required for UNICODE. |
CADP-5206 | Keys displayed should depend on the selected algorithm. |
CADP-6186 | UI does not show the correct default log level. It should be WARN. |
ProtectApp
Issue | Synopsis |
---|---|
KSCH-16415 | The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API. |
ProtectFile
Issue | Synopsis |
---|---|
KSCH-573 | Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
KSCH-568 | Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
KSCH-567 | Modifying a file level encryption rule to set the "isRecursive" flag does not return an error. |
KSCH-564 | Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |