Release Notes

Product Description

CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy, and key material for data discovery, encryption, and on-premises and cloud-based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.

Product Abbreviations

Name | Abbreviation
CipherTrust Batch Data Transformation | BDT
CipherTrust Manager | CM
CipherTrust Application Data Protection | CADP
CipherTrust Cloud Key Manager | CCKM
CipherTrust Database Protection (formerly known as ProtectDB) | CDP
CipherTrust Transparent Encryption | CTE
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace
CipherTrust Teradata Protection | CTP
CipherTrust Intelligent Protection | CIP
CipherTrust Data Discovery and Classification | DDC
Data Protection on Demand | DPoD
CipherTrust Tokenization | CT
CipherTrust Vaulted Tokenization | CT-V
CipherTrust Vaultless Tokenization | CT-VL

Release Description

This release is available on the Customer Support Portal in the following formats:

  • An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.

  • An OVA image file for deploying a new Virtual CipherTrust Manager on VMware vSphere or Nutanix AHV.

  • A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.

  • A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.

In addition, 2.8.x Virtual CipherTrust Manager is available on the following public clouds:

  • Amazon Web Services: SafeNet Cloud Provisioning System

  • Google Cloud

  • Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace

  • Oracle Cloud

  • IBM Cloud

    • An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMware.

    • A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud Gen2.

2.8.x contains a number of new features and enhancements. For the list of known issues, refer to Known Issues.

Features and Enhancements

Release 2.8.1

The 2.8.1 release includes some stability fixes described in the resolved issues list. This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.8.x, 2.7.x, 2.6.x, and 2.5.x.

You cannot upgrade 2.8.0-TCT to 2.8.1. Release 2.8.1 is not compatible with the k160 device.

Release 2.8.0-TCT

This release is only found on the Thales TCT k160 small form factor appliance and is preloaded at time of manufacture. It is not supported on Thales TCT k570 or any other CipherTrust Manager model.

In addition to support for TCT k160, this release includes all features and resolved issues from 2.8.0.

Release 2.8.0

Platform

  • New licensing model for Virtual CipherTrust Manager. All Virtual CipherTrust Managers 2.8 or higher launch in Community Edition, with restrictions on functionality. From that mode, you can choose to start a 90-day trial with full features, or apply a purchased license.

  • Support for Secure Trusted Channel (STC) for Luna Network HSM firmware version 7.7.0 or higher acting as a root of trust.

  • New feature to rotate a Root of Trust Key stored on HSM.

  • Ability to forward client audit records to Elasticsearch or Loki external log forwarders.

  • Support for disk encryption of physical appliances. Encryption can be applied after deployment.

  • Support for registering and exporting keys in the PKCS#12 format over the REST and KMIP interfaces.

  • Support for generating a CSR using an existing key pair.

  • Support for operation policies over KMIP.

  • Support for the opaque key format type for symmetric objects.

  • Support for the PKCS#12 format over REST and KMIP.

  • Support for key aliases for opaque objects over NAE.

  • Support for an external certificate (BYOC) in the client registration flow.

  • Added notification feature to alert CCKM users about the expiration of certificates used for authentication.

  • Support for adding/creating connections for Oracle Cloud.

  • Support for adding/modifying authorized group(s) for quorum approval associated with operations.

  • Added notification feature for WEB/NAE/KMIP interface certificate expiration.

  • Support for preventing UI login for specific users.

  • New v1/system/services/status endpoint to return the status of the CipherTrust Manager instance and services when any service is failing.

Limitation(s)

During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and a different subject DN.
For local CAs, however, it is not necessary to delete the client to be renewed; instead, set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.

Deprecated Feature(s)

  • For security reasons, the "global" user login is no longer allowed from the CipherTrust Manager UI, REST API, and CLI. Keys will be accessible by NAE/KMIP users only.

CCKM

  • Added support for Oracle Cloud Infrastructure (OCI) resources using REST API.

  • Capability to assume a role within the same or a different AWS KMS account while adding KMS over the same AWS connection on the CipherTrust Manager.

  • Deprecated support for the Azure Germany Cloud.

  • Added support for Luna HSM symmetric keys as BYOK for AWS.

  • Ability to download public RSA keys from Azure and AWS.

  • Added support for the Azure role-based access control (Azure RBAC) permission model for key vaults.

  • Granular access control to view Native and BYOK keys for AWS.

  • GUI enhancements including support for new AWS regions and a separate tab for Azure subscriptions. The GUI also includes the ability to filter asymmetric AWS keys based on their usage (whether they are created for encrypt/decrypt or sign/verify operations).

  • Added support for using Google Cloud Virtual Private Cloud (VPC) network for Google Cloud External Key Manager (EKM) connections to EKM endpoints.

  • New features and enhancements for Google Workspace CSE:

    • Support for encryption of Google Meet calls

    • Support for encryption of Google Calendar events

    • Performance enhancements of API calls

    SafeNet Trusted Access (STA) does not support multiple redirect URIs. Therefore, this release does not recommend use of STA as an identity provider.

CTE

  • Capability to audit CTE operations on the CipherTrust Manager. Now, all create, update, and delete operations performed on the CTE resources are logged under Records > Server Records on the CipherTrust Manager.

  • Added support for Kubernetes protection of Container Storage Interface (CSI).

    CTE for Kubernetes will be available in June 2022.

  • Added capability to update security configuration parameters after CTE client registration. This capability is applicable to CTE clients that support the new parameters. Each parameter has a fixed set of values. Refer to the CTE Agent documentation for compatible versions and dynamic parameters.

  • Introduced a new endpoint that will be used by the CTE Agent to continuously monitor the VMD status. If VMD fails, vmutil on the CTE Agent uses this endpoint to update the CipherTrust Manager about the VMD status.

  • Added support for domain level CTE policy backup and restore.

  • A new licensing model (Thales CipherTrust Manager Community Edition) introduced, which includes CTE for Kubernetes. If your CTE for Kubernetes license is unavailable or has expired, license enforcement switches to the Community Edition.

CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.8 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.

DDC

  • Multi-Agent Scan. This allows a scan to be divided internally and then run by several agents, which improves the scan execution time.

  • Scan Progress. Displays scan progress during the scan execution.

  • SharePoint Server Support. Supports scanning in an on-prem SharePoint Server.

  • Enhanced Scan Trend Report. Displays the Data Object List in a Scan Trend Report. It can then be exported to a PDF.

Resolved Issues

This table lists the issues resolved in 2.8.1.

Issue | Synopsis
KY-37955 | When a KMIP profile/client is created in a domain with the <domain>||<username> format, the CipherTrust Manager sometimes sets the wrong user as the key owner if there are domain users with the same name.
KY-46713 | Certificate Signing Requests generated in the CipherTrust Manager web console UI only include the Common Name. Other provided attributes such as DNS names, IP addresses, or email addresses are not encoded.
KY-46650 | In the web console, if you search for a domain in All Domains and change the number of results displayed per page, the search no longer displays the correct results.
KY-44629 | GET v1/auth/self/domains does not correctly interpret the skip value. For some values of skip the returned value is the limit value. In addition, the response body doesn't contain count, total, or skip.
KY-44558 | OIDC creation fails with the message [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852): Failed to retrieve authorization_uri and jwks even when a well-known CA signs the certificate.
  Resolution: The CAs in CipherTrust Manager's trust store for OIDC have been updated to be more current.
KY-44019 | The API Guide does not list every domain in the domains drop-down.
KY-43763 | If you upgrade Virtual CipherTrust Manager instances hosted on Microsoft Azure from version 2.6.x to 2.8.0, after two reboots the instance does not correctly initialize the network interface and so becomes unreachable. Upgrading to 2.8.1 or above solves this network issue.
  Note: This issue is described in more detail below.
KY-43657 | Upgrade from 2.5 times out when the CipherTrust Manager contains large numbers of KMIP-managed keys migrated from KeySecure Classic, or keys with NAE custom attributes. In a clustered system, the upgrade times out after 30 minutes and restarts, and in a single system, the upgrade operation hangs indefinitely.
KY-43132 | CADP: If you created a protection profile with underscores (_) in the algorithm name, then created a BDT policy with that profile, the underscores in the algorithm name were replaced with dashes (-). For example, the protection profile AES_CBC_PAD becomes AES-CBC-PAD when viewed through a GET on the BDT policy.
KY-41109 | The API Guide takes more than 10 seconds to authenticate.
KY-40214 | While performing ProtectFile to CTE Migration, rules applied on ProtectFile Clients are disabled. On the next polling interval, all the rules that are still ENCRYPTED ENABLED on the ProtectFile Client are pushed, but the rules that are set to DISABLE are not pushed to the client. Therefore, PF did not clean its activerules registry, and CTE is not able to access the path.

This table lists the issues resolved in 2.8.0 and 2.8.0-TCT.

Issue | Synopsis
KY-35783 | Performance fixes for NAE KeyInfoRequest and KeyExportRequest.
KY-42576 | Over time, CTE client audit records were no longer sent to and displayed on CipherTrust Manager.
  Resolution: This was due to a volume limit, which has been corrected.
KY-42500 | KMIP: After a client is auto-registered, for subsequent create token requests, Server Records show a "Create Token" ERROR.
KY-42353 | SSH may not be accessible when CM services fail to start after configuring a cluster.
KY-42033 | Unable to use the key version created through CCKM for Azure SQL EKM.
KY-40846 | All network packets to the subnet 172.17.0.0/16 are routed to an internal CipherTrust Manager network interface named leia0. This routing rule prevents CipherTrust Manager 2.6 and 2.7 from communicating with external devices within that subnet.
KY-40839 | If you delete a root-of-trust HSM server in an HA group and then reboot the appliance or restart services, you cannot add back the deleted HSM.
KY-39821 | If a KeySecure backup contains certificates that have been revoked and then resumed, the CipherTrust Manager shows them as revoked certificates after migration.
KY-39818 | The links of the keys (XTS/RSA) get deleted from the source domain when the key backup is restored on the destination domain of the same CipherTrust Manager.
KY-39437 | KMIP: Access token is not cleared from the user cache when the refresh token is deleted from the database after 24 hours of an idle KMIP connection.
KY-39268, KY-39348 | For auto-registered KMIP clients created before the 2.0 release, the KMIP services do not start after upgrading them to 2.5 or later releases.
KY-39255 | When migrating a non-versioned key from DSM to CipherTrust Manager, the expiration date of the key gets copied to the key's rotation date after migration, causing auto-rotation instead of its deactivation.
KY-39349 | CCKM GUI: Unable to view/edit AWS KMS accounts having '/' in their names.
KY-39150 | SAP Data Custodian: The Key Rotation Report for the BYOK keys does not show the manual rotation entry.
KY-38998 | When the credentials of an SMB connection are updated on the CipherTrust Manager, the updates are not reflected on the CTE Agent.
KY-38845 | The CLI guide erroneously adds the CipherTrust Manager's IP address to the beginning of an external link in the ksctl client records page. The link directs to <ciphertrust-manager-IP-address>/cli/https://www.openpolicyagent.org/docs/latest/how-do-i-write-policies/, which does not exist.
KY-38690 | Migration of data from KeySecure Classic to CipherTrust Manager fails and throws an error if any certificate has been revoked or resumed on a single-digit date on the KeySecure Classic before taking the backup. For example, 2 Feb 2022.
KY-38813 | If you attempt to create an alarm configuration with conditions copied directly from CTE client record details, the operation fails with the error Invalid condition\n1 error occurred. The format is not recognized.
KY-38435 | Problem: If you have a large number of system debug logs and attempt to download all logs, the operation might time out, and subsequent attempts might return the error Download already in progress for the same logs, try after some time.
  Resolution: Log performance enhancements in 2.8 ensure larger log histories can be downloaded.
KY-38321 | When a database connection is migrated from KeySecure Classic to the CipherTrust Manager, the Service Name field does not migrate, which leads to the database connection failure.
KY-38336 | If you attempt to add an inaccessible or invalid HSM partition as root-of-trust, the partition is not added, but the HSM HA group configuration is corrupted. Subsequent attempts to add any HSM partition fail until the HA group configuration is fixed using the Support CLI in conjunction with customer support.
KY-36057, KY-14847 | If you configure MISSING VARIABLE: vm with an additional root-of-trust HSM to create an HSM high availability (HA) group or cluster, sometimes an unnecessary additional set of root-of-trust keys is created. This additional set of root-of-trust keys can result in all services failing to start.
KY-28063 | No matches found when scanning Teradata Developer Tier Preconfigured Edition.
  DDC cannot complete scans on Teradata Developer Tier Preconfigured Edition because its default configuration does not set the spoolmode to nospoolonly, and this setting is required for DDC scans to work.
KY-27805, KY-28689 | SNMPv3 requests fail with the error security service 3 error parsing ScopedPDU for users configured with the AES-192 or AES-256 privacy protocol. This error is seen with SNMP applications, including SolarWinds Network Performance Manager, which use the nonstandard Cisco AES key extension implementation for 192- and 256-bit key lengths. CipherTrust Manager 2.7 and below only support the Blumenthal implementation for these key lengths.
KY-41556 | CTE: LDAP users/groups cannot be browsed without search filters.

Advisory Notes

This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.

Upgrading a k570 Appliance from 2.6.1: Loss of CipherTrust Manager Services after Reboot

Upgrading a k570 appliance from 2.6.1 to 2.7.x or 2.8.x makes the PCI HSM unavailable, and after reboot, CM services do not start. During upgrade the following message is displayed: Starting k7 (via systemctl): k7.serviceJob for k7.service failed because the control process exited with error code.

If you encounter this issue, contact customer support for assistance.

KeySecure Classic Hardware No Longer Supported

CipherTrust Manager firmware version 2.8 is not supported on KeySecure Classic k450 and k460 hardware. Refer to Migrate from KeySecure Classic for information on migrating KeySecure Classic data to CipherTrust Manager hardware.

SMB Connection

The Host and Port fields must be specified together, or neither should be specified. If Host and Port are not specified while creating an SMB connection, these fields cannot be added later.

Upgrade from 2.6 to 2.8.0: Network Connection Loss After Rebooting Microsoft Azure Instances

If you upgrade Virtual CipherTrust Manager instances hosted on Microsoft Azure from version 2.6 to 2.8.0, after two reboots the instance does not correctly initialize the network interface and so becomes unreachable.

We strongly recommend upgrading directly to 2.8.1 if you are running Azure-hosted instances at version 2.6.x or 2.8.0.

Follow these steps if you have already upgraded to 2.8.0 and lost network access to the CipherTrust Manager GUI, CLI or REST API, but have password access to the serial console.

You cannot recover a Virtual CipherTrust Manager from a lost network connection unless you have password access to the serial console.

  1. Open an SSH session with Virtual CipherTrust Manager as the ksadmin user.

  2. Contact Thales Support for support shell access.

  3. After you are logged in as root, run the following two commands:

    # rm /etc/netplan/50-cloud-init.yaml
    # echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
    
  4. Reboot the instance when convenient.

Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests

When generating a new AES or DESede key, CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.

We strongly recommend that future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on the default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.

We recommend using CipherTrust Manager's random number generation to produce secure IVs; alternatively, you can provide your own IV with each AES CBC, AES GCM, or DESede CBC encryption request, following the guidelines for constructing secure IVs in NIST SP 800-38A and NIST SP 800-38D.

The IV value used for an encryption request is needed to decrypt the data later.

In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.

In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
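The following Go program is added here as an illustration of the recommendation above; it is not part of the release notes or of any Thales SDK, uses only the standard library, and works on a constructed demo key rather than a key held by CipherTrust Manager. It shows what a reused default IV gives away under AES CBC (equal records produce equal leading ciphertext blocks) and the recommended pattern of drawing a fresh random IV per request and storing it with the ciphertext so that it is available for decryption later.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed 32-byte demo key (AES-256) so the example runs offline; a real
// application would use the key CipherTrust Manager holds for it.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// freshIV draws n CSPRNG bytes: the per-request IV the advisory recommends
// instead of the default IV stored with the key.
func freshIV(n int) ([]byte, error) {
	iv := make([]byte, n)
	_, err := rand.Read(iv)
	return iv, err
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt encrypts plaintext with a caller-supplied 16-byte IV and returns
// the ciphertext only; keeping the IV is the caller's job.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// firstBlocksEqual encrypts a under ivA and b under ivB with the same key and
// reports whether the first ciphertext blocks coincide. With a reused IV they do
// exactly when the plaintexts share their first 16 bytes, leaking record equality.
func firstBlocksEqual(key, ivA, ivB, a, b []byte) (bool, error) {
	ca, err := cbcEncrypt(key, ivA, a)
	if err != nil {
		return false, err
	}
	cb, err := cbcEncrypt(key, ivB, b)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ca[:aes.BlockSize], cb[:aes.BlockSize]), nil
}

// sealCBC is the recommended pattern: a fresh random IV per request, stored in
// front of the ciphertext because decrypting later needs exactly that IV.
func sealCBC(key, plaintext []byte) ([]byte, error) {
	iv, err := freshIV(aes.BlockSize)
	if err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	return append(iv, ct...), err
}

// openCBC splits the stored IV from the ciphertext, decrypts and unpads.
func openCBC(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

func main() {
	msg := []byte("account=1234;balance=100")
	reused := make([]byte, aes.BlockSize) // stands in for a key's stored default IV
	same, _ := firstBlocksEqual(demoKey, reused, reused, msg, msg)
	blob, _ := sealCBC(demoKey, msg)
	pt, _ := openCBC(demoKey, blob)
	fmt.Println("reused IV leaks equality:", same, "| fresh-IV round trip ok:", bytes.Equal(pt, msg))
}
```

The same fresh-IV rule applies to AES GCM, where a repeated nonce under one key is worse still because it exposes the keystream and the authentication key; the 12-byte nonce should likewise come from the CSPRNG or a strictly non-repeating counter and be stored with the ciphertext.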

Some Key States Change After Upgrade

After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.

As you cannot upgrade directly from 2.4 to 2.8, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.

  • When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.

  • When a key has an NAE state of Restricted and Protect Stop Date is set in future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.

  • When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.

  • When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.

  • When a key has a state of Deactivated before upgrade, its state is unchanged after upgrade. However, the allowed operations for the Deactivated state change in 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the Protect Stop Date to restore those operations.

System Upgrade and Downgrade Supported Releases

System upgrades have been tested from releases 2.5.0, 2.6.0, and 2.7.0.

Upgrades from other versions have not been tested and may not work correctly.

CipherTrust Manager 2.8.x can be downgraded to 2.7.0. For release-specific upgrade/downgrade information, refer to the release notes for your release.

Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.

Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.

Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.

Clusters with a Large Number of Transactions

Clusters that support a large number of transactions should have local audit logging disabled, with only syslog used for capturing audit logs. This significantly reduces cluster-wide traffic and disk usage. This is a cluster-wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.

To disable local audit logging

Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:

$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false

If a syslog server is configured, audit logs will still be sent to it.

Cluster Synchronization

Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time on a new node before it joins a cluster. NTP settings are not copied between nodes; they must be set individually for each CipherTrust Manager server.

Protect the ksadmin Private SSH Key

The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.

TLS/SSL Must be Enabled in a Production System

As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.

Key Usage Mask Selection

If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.

Upgrading DDC

After you upgrade DDC to version 2.8, you cannot downgrade it to any previous version.

End of Support for Operating Systems

The following operating systems will no longer be supported as of DDC version 2.8:

  • Microsoft Windows workstation / server Targets

    • Windows XP Embedded

    • Windows Vista

    • Windows 7

    • Windows Server 2003

    • Windows Server 2008 32-bit

  • Linux 2.4 node agents

Renamed Infotype

If you have an infotype named "Indian Aadhaar Number" in version 2.7.0, after the migration it will be renamed to "Custom Indian Aadhaar Number".

Clusters with DDC

  • Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.

  • DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (giving the impression that DDC fails randomly).

DDC Licensing

Overlapping licenses are not supported (except for the trial license).

Mandatory SAN field in Knox Certificate

Starting from CM version 2.8.0, the SAN (Subject Alternative Name) field is mandatory in the Knox server certificate. Please upgrade your TDP cluster to version 3.1.6 before upgrading CM to 2.8.0. The Upgrading TDP to Version 3.1.6 procedure includes the instructions on how to replace it.

Compatibility

This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.

TLS Compatibility

This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.

Interface | Minimum TLS version | Maximum TLS version | Default minimum TLS version
Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2
NAE | TLS 1.0 | TLS 1.3 | TLS 1.2
KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2

TLS 1.0 and TLS 1.1 support will be discontinued in a future release.

By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:

  • TLS_AES_256_GCM_SHA384 (TLSv1.3)

  • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)

  • TLS_AES_128_GCM_SHA256 (TLSv1.3)

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS Deprecation Notices

  • Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.

  • Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    • TLS_RSA_WITH_AES_256_CBC_SHA

    • TLS_RSA_WITH_AES_128_CBC_SHA

Client Platforms

The following client platforms are supported by the CipherTrust Manager.

Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.

For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.

CipherTrust Application Data Protection

  • ProtectApp JCE: minimum version 8.6.1

  • ProtectApp .NET: minimum version 8.11.0

  • ProtectApp ICAPI: minimum version 8.10.0

  • ProtectApp Oracle TDE: minimum version 8.9.0

  • ProtectApp SQL EKM: minimum version 8.3.2

CipherTrust Cloud Key Manager

Minimum version 1.6.3.20532

CipherTrust Database Protection

  • ProtectDB Oracle: minimum version 8.8.0

  • ProtectDB SQL: minimum version 8.9.0

  • ProtectDB DB2: minimum version 8.7.0

  • Transformation Utility: minimum version 8.4.3

CipherTrust Transparent Encryption

Minimum version 7.0.0

CipherTrust Transparent Encryption UserSpace

Minimum version 9.0.0

CipherTrust Vaulted Tokenization

  • Tokenization Manager: minimum version 8.7.1

  • Vaultless Tokenization Manager: minimum version 8.8.0

CipherTrust Batch Data Transformation

Minimum version 2.2.0.2816

CipherTrust Vaultless Tokenization

Minimum version 2.5.2.19

CipherTrust Teradata Protection

Minimum version 6.4.0.12

ProtectFile

Minimum version:

  • ProtectFile Windows 8.12.3

  • ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)

The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.

ProtectV

Minimum version 4.7.3

Data Discovery and Classification Agents

Linux minimum kernel version is 2.6.

There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.

ODBC driver for Microsoft SQL: To connect to Microsoft SQL, the DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured with TLS 1.2 only, install ODBC Driver 17 for MSSQL Server.

TDP Version Compatibility

Data Discovery and Classification requires TDP 3.1.6.

Known Issues

This section lists the issues known to exist in the product at the time of release.

CipherTrust Manager

Reference / Synopsis
KY-52237: The state of a pending CA changes to expired after the restart. This breaks the connection/integration of any KMIP or VSAN client.
KY-48941: Problem: Upgrading a k570 appliance from 2.6.1 to 2.7.x or 2.8.x makes the PCI HSM unavailable, and after reboot, CipherTrust Manager services do not start. During upgrade the following message is displayed: Starting k7 (via systemctl): k7.serviceJob for k7.service failed because the control process exited with error code
Workaround: Contact customer support if you run into this scenario.
KY-47142: While generating a CSR using the /v1/vault/csr API, an incorrect Subject Key Identifier is generated.
KY-43409: Problem: The SNMP interface cannot be read or deleted if its name contains any upper-case letters.
Workaround: None. Please contact customer support.
KY-42690: Problem: If you edit the default port value on the web or KMIP interface, and then join the CipherTrust Manager to a cluster, web or KMIP requests directed to the changed port value fail on other nodes. This is true even though the nodes in the cluster display the new, correct port value for these interfaces.
Workaround: On CipherTrust Manager nodes with failing requests, change the interface port number to a temporary value, and then change the interface port number again to the desired value.
KY-40418: Problem: After migrating local CAs from KeySecure to CipherTrust Manager, the connection between a KMIP client and CipherTrust Manager cannot be established. The same issue also occurs when there is a serial number conflict in external CAs.
Workaround: Add the migrated local CA as an external CA on the CipherTrust Manager.
KY-41734: Problem: Multiple OIDC connections are required in a cluster where individual nodes are accessed without a load balancer.
Workaround: Create multiple OIDC connections, each with a different redirect URI, then select the appropriate connection for your specific node in the cluster.
KY-41140, KY-41739: Problem: The GUI does not provide any option to add or edit the description of a domain backup.
Workaround: Take the domain backup using the CipherTrust Manager API. A description can be provided while taking the backup.
KY-39734: Problem: The proxy doesn't work if https_proxy is not set in the following scenarios:
• After upgrading to CipherTrust Manager version 2.8 from 2.5.
• After installing CipherTrust Manager version 2.8.
Workaround: After upgrade and installation, configure https_proxy and http_proxy with the same values.
KY-39294: Problem: If you create a user with the same name on two cluster nodes, replication sometimes stops due to latency.
Workaround: Avoid creating users of the same name on separate nodes. If your replication is hanging:
1. Take a full system backup on all nodes in the cluster.
2. Find the remote tuple timestamp in the system log for the problematic users, for example timestamp=2022-01-24 14:33:11.70402+00
3. Delete users created at or around that timestamp. Note that you cannot retain the deleted user's password, and a new one will have to be set. Replication should automatically continue.
If manually deleting users is infeasible, contact customer support for other workarounds.
KY-39242: Problem: If you create keys with the same name on two cluster nodes, replication sometimes stops due to latency. The system log will have repeating log entries such as:
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] LOG: CONFLICT: insert_exists on relation "minerva.keys"; resolution: apply_remote; resolver: update_if_newer.
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] DETAIL: remote tuple origin=2,timestamp=2022-01-24 14:33:11.70402+00,commit_lsn=0/4E247C8
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] CONTEXT: during apply of INSERT from remote relation minerva.keys in xact with commit-end lsn 0/4E247C8 xid 198983 committs 2022-01-24 14:33:11.70402+00 (action #2) (effective sess origin id=2 lsn=0/4E247C8)
2022-01-24 14:51:27 | pg | while consuming 'I' message from receiver for subscription bdr_kylo_kylo_ff58c04f08f_38223f4165d (id=2756859727) on node 3822e20ded82494fab50ec6dfa931ef3 (id=1061250514) from upstream node ff58cc81c5e44934af8f468f7e9f2160 (id=3226405105, reporiginid=2)
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.733 UTC [9687] FATAL: writer has died
Workaround: Avoid creating keys of the same name on separate nodes. If your replication is hanging:
1. Take a backup of the keys on all nodes in the cluster. You can take a full system backup, take a partial backup of only keys, or export key material.
2. Find the remote tuple timestamp in the system log for the problematic keys, for example timestamp=2022-01-24 14:33:11.70402+00
3. Delete keys created at or around that timestamp. Replication should automatically continue.
If manually deleting keys is infeasible, contact customer support for other workarounds.
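Step 2 of both the KY-39294 and KY-39242 workarounds asks you to find the remote tuple timestamp in the system log. The following Go program is an added example, not part of these release notes or of the product: it parses insert_exists conflict entries out of the log, pairing each CONFLICT line with the DETAIL line that follows it, and reports the relation, origin node and timestamp so you know which objects to look at. The embedded log text is a constructed copy of the excerpt quoted above; the parser does not assume any particular relation name, so it serves the user-name case as well as the key-name case.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: a copy of the system log excerpt quoted for KY-39242.
// In practice, feed the exported CipherTrust Manager system log instead.
const sampleSystemLog = `2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] LOG: CONFLICT: insert_exists on relation "minerva.keys"; resolution: apply_remote; resolver: update_if_newer.
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] DETAIL: remote tuple origin=2,timestamp=2022-01-24 14:33:11.70402+00,commit_lsn=0/4E247C8
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] CONTEXT: during apply of INSERT from remote relation minerva.keys in xact with commit-end lsn 0/4E247C8 xid 198983 committs 2022-01-24 14:33:11.70402+00 (action #2) (effective sess origin id=2 lsn=0/4E247C8)
2022-01-24 14:51:27 | pg | while consuming 'I' message from receiver for subscription bdr_kylo_kylo_ff58c04f08f_38223f4165d (id=2756859727) on node 3822e20ded82494fab50ec6dfa931ef3 (id=1061250514) from upstream node ff58cc81c5e44934af8f468f7e9f2160 (id=3226405105, reporiginid=2)
2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.733 UTC [9687] FATAL: writer has died`

// Conflict is one insert_exists replication conflict found in the log.
type Conflict struct {
	Relation  string // table the duplicate row landed in, e.g. "minerva.keys"
	Origin    string // id of the remote node that produced the row
	Timestamp string // remote tuple timestamp: delete objects created around it
	CommitLSN string // commit LSN of the remote transaction
}

var (
	conflictRe   = regexp.MustCompile(`CONFLICT: insert_exists on relation "([^"]+)"`)
	detailRe     = regexp.MustCompile(`remote tuple origin=(\d+),timestamp=([^,]+),commit_lsn=(\S+)`)
	writerDiedRe = regexp.MustCompile(`FATAL: writer has died`)
)

// ParseReplicationConflicts walks the log line by line; a CONFLICT line opens
// a new record and the next DETAIL line fills in origin, timestamp and LSN.
func ParseReplicationConflicts(text string) []Conflict {
	var out []Conflict
	for _, line := range strings.Split(text, "\n") {
		if m := conflictRe.FindStringSubmatch(line); m != nil {
			out = append(out, Conflict{Relation: m[1]})
			continue
		}
		if m := detailRe.FindStringSubmatch(line); m != nil && len(out) > 0 {
			c := &out[len(out)-1]
			if c.Timestamp == "" {
				c.Origin, c.Timestamp, c.CommitLSN = m[1], m[2], m[3]
			}
		}
	}
	return out
}

// WriterDied reports whether the replication writer aborted, the symptom
// that accompanies a stalled replication in the quoted excerpt.
func WriterDied(text string) bool {
	return writerDiedRe.MatchString(text)
}

// Timestamps returns the distinct remote tuple timestamps, i.e. the values
// to search for when deciding which duplicate objects to delete.
func Timestamps(conflicts []Conflict) []string {
	seen := map[string]bool{}
	var ts []string
	for _, c := range conflicts {
		if c.Timestamp != "" && !seen[c.Timestamp] {
			seen[c.Timestamp] = true
			ts = append(ts, c.Timestamp)
		}
	}
	return ts
}

func main() {
	conflicts := ParseReplicationConflicts(sampleSystemLog)
	for _, c := range conflicts {
		fmt.Printf("conflict on %s from origin %s at %s (lsn %s)\n",
			c.Relation, c.Origin, c.Timestamp, c.CommitLSN)
	}
	if WriterDied(sampleSystemLog) {
		fmt.Println("replication writer has died; inspect objects created near:", Timestamps(conflicts))
	}
}
```

Run it against the full exported log rather than a single excerpt: repeated conflicts on the same relation with one timestamp point at one pair of duplicate objects, while several distinct timestamps mean more than one duplicate was created.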
KY-39235: If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain.
KY-31116, KY-31114: Problem: If an admin enables a quorum policy on any domain, and a key admin of that domain logs into the web console GUI and views the quorum settings, the quorum policy is displayed as disabled and the error NCERRResourceNotFound: Resource not found is displayed.
Workaround: While the quorum feature is considered a technical preview, only admin level users have permissions to access and configure quorums. Log in as a user with admin permissions to try any quorum functionality.
KY-30705: You cannot migrate an RSA public key without a corresponding private key from KeySecure Classic. Migration attempts fail with the error "Server error [417/NCERRInvalidOrMissingKeyData: Could not decode key from key material]: Invalid private key format. HTTP code:422".
KY-27897: A SaltLength of zero (0) is not supported for Sign/SignV operations using RSA PSS padding.
KY-27450: Local Certificate Authorities (CAs) do not allow commas (,) in any of the fields.
Workaround: Configure an External CA instead. Use a backslash (\) before the comma in the Distinguished Name (DN) when creating a user if you are using certificate-based login. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value.
All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definitions of the RFC.
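For the KY-27450 workaround, the following Go helper is an added example, not from these release notes or the product. It builds a DN from its components, escaping a comma inside a value with a backslash exactly as in the DN above, splits such a DN back into its parts on unescaped commas, and checks a field value against the character set the note describes: the RFC 5280 PrintableString repertoire plus @ and &, with commas rejected as a local CA would reject them. The attribute values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute is one DN component, such as {"O", "Thales,INC"}.
type Attribute struct {
	Type  string
	Value string
}

// IsPrintableStringChar reports whether c belongs to the RFC 5280
// PrintableString repertoire (letters, digits and the punctuation below),
// or is '@' or '&', which the note says the product accepts in addition.
func IsPrintableStringChar(c rune) bool {
	if (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') {
		return true
	}
	return strings.ContainsRune(" '()+,-./:=?@&", c)
}

// CheckLocalCAValue returns an error if v would be rejected by a local CA:
// commas are refused outright (even though PrintableString permits them),
// and any character outside the accepted set is reported with its position.
func CheckLocalCAValue(v string) error {
	for i, c := range v {
		switch {
		case c == ',':
			return fmt.Errorf("comma at position %d: not allowed in local CA fields", i)
		case !IsPrintableStringChar(c):
			return fmt.Errorf("character %q at position %d is outside PrintableString", c, i)
		}
	}
	return nil
}

// EscapeDNValue escapes the two characters that would otherwise be read as
// DN structure: the backslash first, then the comma separator.
func EscapeDNValue(v string) string {
	v = strings.ReplaceAll(v, `\`, `\\`)
	return strings.ReplaceAll(v, ",", `\,`)
}

// BuildDN joins attributes into the comma-separated DN string form.
func BuildDN(attrs []Attribute) string {
	parts := make([]string, 0, len(attrs))
	for _, a := range attrs {
		parts = append(parts, a.Type+"="+EscapeDNValue(a.Value))
	}
	return strings.Join(parts, ",")
}

// SplitDN splits a DN string on commas that are not preceded by a
// backslash, keeping the escape sequences intact in each part.
func SplitDN(dn string) []string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for _, c := range dn {
		switch {
		case escaped:
			cur.WriteRune(c)
			escaped = false
		case c == '\\':
			cur.WriteRune(c)
			escaped = true
		case c == ',':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(c)
		}
	}
	return append(parts, cur.String())
}

func main() {
	// Constructed: the DN from the KY-27450 workaround, assembled from parts.
	dn := BuildDN([]Attribute{{"C", "IN"}, {"ST", "UP"}, {"L", "Noida"},
		{"O", "Thales,INC"}, {"OU", "ENC"}, {"CN", "test"}})
	fmt.Println(dn)
	fmt.Println(SplitDN(dn))
	fmt.Println("local CA check:", CheckLocalCAValue("Thales,INC"))
}
```

Use CheckLocalCAValue before submitting a field to a local CA, and BuildDN when composing the DN for a certificate-login user against an external CA; the two escape rules (backslash, then comma) are the subset of RFC 4514 escaping that this case needs.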
KY-25152: You cannot pass in a custom SSH key via cloud-init on Oracle Cloud instances for the initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances.
Workaround: Log in to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login.
KY-20310: When setting up a new DPoD HSM on Demand Service as root of trust, the command succeeds but sometimes returns a timeout error.
Workaround: Disregard the timeout error.
KY-17662: In-place cluster upgrade does not enforce upgrading only one version.
KY-17338: KMIP: LDAP users cannot be set in the KMIP profile.
Workaround: To use LDAP authentication, use KMIP auto registration.
KY-13617: A domain scoped backup fails to restore on another domain when a key with the same name and version already exists.
Workaround: To handle this issue, try either of the following:
  • Retain both keys.
    1. Take the backup without the conflicting key, using filters.
    2. Export the key material and import it separately.
  • Retain only the backup key.
    1. Delete the key with the duplicate name on the restore system.
    2. Restore the domain scoped backup.
KY-13343: Uploading an existing backup results in an error, but the backup is displayed in the list with status "Uploading".
Workaround: Delete the backup using the "uploadID" as the backup ID.
KY-11517: [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding.
KY-11498: When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an LDAP user cannot log on to it.
KY-7289: When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses ECB mode regardless of the provided mode.
Workaround: For migration use cases, if Cryptographic Usage Mask is specified with CBC mode on KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
KY-7288: When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations the AuthenticatedEncryptionTag is returned appended to the CipherText.
Workaround: For migration use cases, when using AES-GCM with KeySecure Classic:
  1. Decrypt the data using KeySecure Classic.
  2. Encrypt the data with keys stored on CipherTrust Manager.
After migration to CipherTrust Manager, the authentication tag (AuthenticatedEncryptionTag) is not appended to the data; it is returned as a separate tag.
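To make the KY-7288 difference concrete, the following Go program is an added example, not from these release notes or the product. It encrypts with AES-GCM and shows both layouts: the combined ciphertext||tag form (the appended layout described for KeySecure Classic, and the form Go's Seal produces natively) and the ciphertext plus separate 16-byte tag form (the layout described for CipherTrust Manager). Key, nonce, AAD and message are constructed test values. The point a consumer needs to see is that GCM verifies the tag before releasing any plaintext, so data in one layout handed to a decrypt routine written for the other fails authentication instead of decrypting to garbage, which is why the decrypt-then-re-encrypt workaround is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const gcmTagSize = 16 // bytes; the GCM default tag length

// Constructed demo values. A real key comes from the key manager and the
// nonce must be unique per encryption under a key; fixed values are for
// illustration only.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	demoNonce = []byte("constructed!")                     // 12 bytes
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAppended returns ciphertext||tag, the appended layout.
func EncryptAppended(key, nonce, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// SplitTag converts the appended layout into the separate layout:
// bare ciphertext and a 16-byte tag.
func SplitTag(combined []byte) (ciphertext, tag []byte, err error) {
	if len(combined) < gcmTagSize {
		return nil, nil, errors.New("input shorter than a GCM tag")
	}
	n := len(combined) - gcmTagSize
	return combined[:n:n], combined[n:], nil
}

// DecryptSeparate accepts ciphertext and tag separately, re-joins them and
// lets GCM verify the tag (over ciphertext and AAD) before returning plaintext.
func DecryptSeparate(key, nonce, aad, ciphertext, tag []byte) ([]byte, error) {
	if len(tag) != gcmTagSize {
		return nil, fmt.Errorf("tag must be %d bytes, got %d", gcmTagSize, len(tag))
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	joined := append(append([]byte{}, ciphertext...), tag...)
	return gcm.Open(nil, nonce, joined, aad)
}

// DecryptAppended decrypts the combined layout directly.
func DecryptAppended(key, nonce, aad, combined []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, combined, aad)
}

func main() {
	aad := []byte("record-42") // constructed additional authenticated data
	combined, _ := EncryptAppended(demoKey, demoNonce, aad, []byte("secret"))
	ct, tag, _ := SplitTag(combined)
	fmt.Printf("appended layout: %d bytes; separate layout: %d + %d bytes\n",
		len(combined), len(ct), len(tag))
	pt, err := DecryptSeparate(demoKey, demoNonce, aad, ct, tag)
	fmt.Println(string(pt), err)
}
```

When converting stored data between the two layouts, SplitTag is the only change needed on the wire format; the key, nonce and AAD must stay the same or verification fails.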
KY-7193: Sub-domain System Defined Groups do not show the "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups.
Workaround: Manually create the missing groups in sub-domains. Policies for the groups are created automatically.
KY-6383: Users with a pipe in their user names (for example, user1|something) cannot log on using NAE/KMIP.
KY-3670: A cluster join operation can, rarely, fail and leave the joining node in a bad state.
Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join.
If you still cannot log on to the node:
  1. SSH in as the ksadmin user.
  2. Reset the node by running the ksctl reset command.
KY-2482 (was NC-3480): Signing with EC keys does not work via the REST API.
KY-2423 (was NC-2318): KMIP: Result Reason may not be accurate or have enough detail.
KY-2418 (was NC-1780): NAE: Users cannot do a UserInfoRequest about themselves.
KY-1397 (was NC-2253): Last Login and Logins count are not updated for a global user.
KY-1396 (was NC-2256): A group membership change for yourself does not take effect until after re-login.
KY-1394 (was NC-2260): A non-admin user trying to mark a shared key deletable or exportable receives a NotFound error. The error should be insufficient permissions.
KY-1373 (was NC-2391): An Encrypt operation only generates a GetKey record. There is no indication that the key was used.
KY-1166 (was NC-4098): NAE/KMIP multiport iptables rules are not replicated.
Workaround: Perform an NAE restart on each node.
KY-504: Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster.
NC-3573: Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT.
Workaround: Change the state of the keys in Pre-Active state to Active from the REST API or KMIP interface.
NC-3572: Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for crypto operations on the CipherTrust Manager.
Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration.
Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface.
NC-2063: If a user is deleted (or the LDAP connection name changes), they fail to display in the keys table.

CipherTrust Cloud Key Manager

Issue / Synopsis
KY-43096: Google Workspace CSE: The Google Workspace Client Side Encryption page shows the label Takeout Unwrap instead of Privileged Unwrap.
KY-42739: GUI: The Delete Key permission is missing under Access Control in SAP Groups.
Workaround: Grant/remove the Delete Key permission using the REST API.
KY-42750: While creating/uploading a DSM key from Azure, Google, Salesforce, and SAP clouds, the source key name does not allow underscores (_). The same issue is also observed when creating/uploading a Luna HSM key from the SAP cloud.
Workaround: Create the key in the DSM/Luna section of the CCKM GUI (Cloud Keys > DSM / Luna), as appropriate. Alternatively, you can create the key using the REST API.
KY-39123: SAP Data Custodian: When an SAP group is added again, performing any enable, disable, update, or add new version operation on a key in the group returns the "500 Internal Server Error".
Workaround: Refresh the newly added group, add the key again, and retry the operations.
KY-35520: When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned.
Workaround: Refresh all the key vaults.
KY-31058: The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work.
KY-27583: CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state.
This happens when the scheduler expires due to network issues or a reboot of the CipherTrust Manager. The scheduled job remains in the running state.
Workaround: Delete the running and scheduled jobs from the API playground, and retry.
KY-17213: When a CipherTrust Manager key is created using an auto rotation schedule on an AWS cloud native key, its owner is set to "Global".
Workaround: A CipherTrust Manager administrator can assign the ownership of the key to the desired user in the CCKM Users group.

CipherTrust Database Protection

Issue / Synopsis
PDB-3293: If the data type of a column changes from the char family to blob after migration, the Return replacement value option of the Error Replacement feature does not work.

CipherTrust Data Discovery and Classification

Issue / Synopsis
KY-9098: DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails.
Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store.
KY-9104: Scan fails with "Error scanning. The target for Data Store XYZ cannot be accessed." This happens when the Data Store is created and an Agent is selected for it, but the Agent later becomes unavailable and there is no way to select a new Agent from the UI.
Workaround: Edit the Data Store and change any configuration parameter so that the DDC Server automatically searches for a new suitable Agent.
KY-9399: The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object is displayed in the Data Objects tab in the UI. You should ignore it.
KY-8990: Scheduled scans and those launched manually via 'run now' only start after X hours. If an Agent and server have the wrong time set, DDC's ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected, and the scan start may be delayed.
Workaround: Configure an NTP server for DDC and all Agent hosts.
KY-24205: The Agent selection will fail if no compatible Agent is found, if no compatible Agent can reach the Data Store, or if the credentials provided do not grant access to the Data Store.
Solution: For possible solutions, check the following:
  • Make sure a compatible Agent is properly installed. Check the compatibility table in the "Agent Configurations" section of the "DDC Deployment Guide".
  • For a local Data Store, make sure that the Agent is installed on the same host where the Data Store is located.
  • For remote connections, make sure that the network connectivity between the Agent and the Data Store is not blocked by a network firewall.
  • Verify the configured credentials, and make sure that they have permission to connect to and read the Data Store contents.
  • Once the Agent is up and has connectivity, go back to DDC and click the "Find Agent" button for the Data Store with the issue.
  • Make sure that you do not have two (or more) Agents with the same hostname (for example, as a result of VM cloning).
  • Configure the Data Store using a hostname instead of an IP address.
None of the clustered nodes responds to requests to DDC.
DDC is only active on one of the CipherTrust Manager nodes. Requests sent to any other node will return this error. This will be improved in future releases.
Solution:
  • Run ksctl ddc active-node to identify the CipherTrust Manager node responsible for answering DDC requests and send the requests to the indicated IP. If this does not work, restart the CipherTrust Manager node with that IP.
  • If the node identified by ksctl ddc active-node does not answer DDC requests correctly or is no longer active, contact Thales Customer Support.
KY-22666: DDC cannot scan files that are bigger than 512 MB for AWS S3 and Azure Blob Data Stores.
Scanning large files (larger than 512 MB) on "remote (cloud)" Data Stores fails with an "error processing scan" error. Those files are marked as 'inaccessible' in the report, or the scan fails with "error processing scan". The user has no way to identify the issue from DDC.
Possible Workarounds:
  • Download large files to local storage, and run the scan on this local storage data store.
  • Contact Thales Customer Support for other possible solutions.
KY-13618: Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted.
When a scan is paused before restarting the CipherTrust Manager, the scan is sometimes shown as RUNNING after the restart when in fact it is stalled.
Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost.
KY-19763: OracleDB and IBM DB2: uppercase schema/table name issues.
A user cannot launch an Oracle/DB2 scan if the schema or table was created in lowercase and DDC is configured with lowercase.
Workaround: Set the target path in uppercase.
KY-21981: Postgres tables without primary keys are not completely scanned.
DDC can only scan Postgres tables if they have at least one primary key defined.
Workaround: Configure at least one primary key in the tables and run the scan again.
KY-30756: A scan with one or more custom infotypes fails with "Internal Error" when it contains a Custom Infotype from CM 2.4.
This may happen when a custom infotype, created in CM 2.4, contains an expression with a format too complex to interpret.
Workaround: Edit the Custom Infotype to verify whether the expression is valid.
KY-27095: The PostgreSQL Agent selection fails as if there were no compatible Agent, or as if no compatible Agent could reach the Data Store. DDC does not support the scram-sha-256 authentication method.
Workaround: Create the user with 'md5' password encryption by specifying the hash of the password at user creation, as in CREATE USER <user name> PASSWORD 'md5<password hash>';
For example, to create a user named 'u0' with the password 'foobar' (md5('foobar') = ac4bbe016b808c3c0b816981f240dcae) use the following command: CREATE USER u0 PASSWORD 'md5ac4bbe016b808c3c0b816981f240dcae';
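For the KY-27095 workaround, the following Go helper is an added example, not from these release notes or the product, that computes the literal to paste into CREATE USER ... PASSWORD. PostgreSQL's md5 scheme is the string md5 followed by the hex MD5 digest of the password concatenated with the role name, so the literal depends on the exact role name as well as the password, and a literal that already has this 35-character shape is stored by the server unchanged rather than re-hashed under its password_encryption setting (which would otherwise produce a scram-sha-256 verifier that DDC cannot authenticate against). The role name and password below are constructed. Because md5 is the weaker of the two schemes, confine it to the scanning role, give that role only the read privileges DDC needs, and make sure the pg_hba.conf entry for it uses the md5 method, since an entry set to scram-sha-256 cannot verify an md5-stored password.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// PgMD5Password returns the literal PostgreSQL expects for an md5 role
// password: "md5" + hex(md5(password || rolename)). The role name acts as
// the salt, so the same password gives a different literal for each role.
func PgMD5Password(password, rolename string) string {
	sum := md5.Sum([]byte(password + rolename))
	return "md5" + hex.EncodeToString(sum[:])
}

// IsPgMD5Literal reports whether s already has the precomputed shape
// (3-byte prefix plus 32 hex digits), which the server stores unchanged.
func IsPgMD5Literal(s string) bool {
	if len(s) != 35 || !strings.HasPrefix(s, "md5") {
		return false
	}
	_, err := hex.DecodeString(s[3:])
	return err == nil
}

// CreateUserStatement renders the CREATE USER statement. The role name is
// quoted as an identifier so its case is preserved exactly as it was hashed
// (an unquoted mixed-case name would be folded to lowercase and no longer
// match the salt), and the literal is quoted as a string.
func CreateUserStatement(rolename, password string) string {
	ident := `"` + strings.ReplaceAll(rolename, `"`, `""`) + `"`
	lit := strings.ReplaceAll(PgMD5Password(password, rolename), "'", "''")
	return fmt.Sprintf("CREATE USER %s PASSWORD '%s';", ident, lit)
}

func main() {
	// Constructed role name and password for illustration only.
	fmt.Println(CreateUserStatement("ddc_scan", "example-password"))
}
```

Run the helper on the machine where you hold the password and paste only the resulting statement into psql, so the plaintext never crosses the database connection or lands in the server log.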
KY-27855: "Something went wrong" message when generating a report with many scans. A report with many scans cannot be generated due to a timeout in the requests between CM and the TDP servers.
Workaround:
  • Verify the TDP health.
  • Verify the network speed and latency between CM and TDP.
KY-27102: Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports.
KY-30760: In Legacy Reports, Data objects may not be listed in Local Storage reports with a large number of matches.
NCERRInternalServerError: unexpected error is displayed on the DataObjects report tab.
This means that the Hadoop cluster has taken too long (more than 30 seconds) to retrieve the list of data objects in the report.
Workaround: Re-run the scan and generate a new (non-Legacy) report.
KY-30138: MongoDB reports will only contain information for the first 1M documents, even when more than 1M documents are scanned.
Workaround: Run scans with fewer than 1M documents.
KY-42494: In multi-agent scans on the same datastore, the first scan fails when paused manually if the second scan is started with the same agents.
Workaround: For Oracle and SMB, set the Minimum and Maximum Agents values to 1. For the other datastores, do not pause the scan manually but use the automatic pause scan feature instead.
KY-42492: In multi-agent scans on the same datastore, the first running scan restarts if the second scan is started with the same agents.
Workaround: For Oracle and SMB, set the Minimum and Maximum Agents values to 1. For the other datastores, either wait until the first scan completes before starting a second scan, or do nothing, as eventually the restarted scans complete successfully.
KY-42491, KY-42359: Launching a second scan that has any datastores in common with a running scan may result in restarting the first scan in progress on the shared datastore, or even failing it if the first scan is manually paused.
Workaround: Minimize scan concurrency on any given datastore and use automatic pause, as automatically paused scans never fail.
KY-42521: 'Error launching livy job' (on mouse-over on the scan fail icon).
This could happen when a scan is being 'reclassified' for the second time with a larger number of sensitive Data Objects found.
Solution: Use the instructions in the TDP documentation, "Spark Tuning" section, and modify the following parameters:
spark.driver.cores=3
spark.driver.memory=5g
spark.executor.cores=3
spark.executor.memory=5g
spark.executor.instances=3
KY-42510: The number of connected datastores is not updated after editing the number of agents of a datastore.
Workaround: Relaunch automatic agent selection by doing the following:
1. In the Data Discovery application, click the overflow icon (ellipsis) that corresponds to the desired datastore.
2. In the shortcut menu that appears, click Find Agent.
Refer to https://thalesdocs.com/ctp/cm/2.6/admin/ddc_ag/data_stores/index.html#automatic-agent-selection for more details.
KY-42719: You cannot make changes to a scan when the field On this date is enabled in the scheduler.
If you have a scan that is not scheduled, and then you schedule it in the wizard or through the Edit Scan UI and select a date, the Save Changes button becomes disabled.
Workaround: To enable the Save Changes button, select the No End option, then select On this date again.

CipherTrust Transparent Encryption

Issue / Synopsis
KY-40214: Problem: After migrating ProtectFile clients to CTE, rules set to DISABLE are not applied to the clients.
Workaround: For Windows clients, in the client registry, delete the activeRules string from the key HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\ProtectFile, and delete the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sfntpffd\RulePaths. Then, reboot the host machine.
For Linux clients, in the /etc/safenet/config/PF/safenet_pf file, delete the activeRules parameter entry and reboot the host machine.
KY-34329: Browsing VxVM raw devices that have a slash in their path names shows a non-existent directory in the GuardPaths.
Workaround: Create GuardPoints by manually entering the raw device paths.
KY-42868: CTE GUI: When trying to add more than 200 clients to a client group in one attempt, the GUI becomes unresponsive.
Workaround: Add up to 200 clients to a client group in one attempt.

ProtectApp

Issue / Synopsis
KSCH-16415: The Host Name field on the Client Registration screen does not have validation for host availability.
Workaround: Add clients using the API.

ProtectFile

Issue / Synopsis
KSCH-573: Encryption rules cannot be modified to reset values for the include and exclude extension parameters.
KSCH-568: Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously.
KSCH-567: Modifying a file level encryption rule to set the “isRecursive” flag does not return an error.
KSCH-564: Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.