Release Notes
Product Description
CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
Product Abbreviations
Name | Abbreviation |
---|---|
CipherTrust Batch Data Transformation | BDT |
CipherTrust Manager | CM |
CipherTrust Application Data Protection | CADP |
CipherTrust Cloud Key Manager | CCKM |
CipherTrust Data Protection Gateway | DPG |
CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
CipherTrust Transparent Encryption | CTE |
CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE) | CTE UserSpace |
CipherTrust Teradata Protection | CTP |
CipherTrust Intelligent Protection | CIP |
CipherTrust Data Discovery and Classification | DDC |
Data Protection on Demand | DPoD |
CipherTrust Tokenization | CT |
CipherTrust Vaulted Tokenization | CT-V |
CipherTrust Vaultless Tokenization | CT-VL |
Release Description
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
Warning
2.9.x is not supported on Thales TCT k160 devices.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.9.x Virtual CipherTrust Manager is available on the following public clouds:
Amazon Web Services: SafeNet Cloud Provisioning System
Google Cloud
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
Oracle Cloud
IBM Cloud
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud Gen2.
2.9.x contains a number of new features, enhancements, and resolved issues. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.9.2
The 2.9.2 release includes an internal client upgrade to maintain compatibility with the Thales Data Protection On Demand (DPoD) Luna Cloud HSM service root-of-trust integration past January 28, 2025. Details on the Luna Cloud HSM compatibility change are available in knowledge base article KB0028422. The CipherTrust Manager change is tracked internally under reference number KY-85448.
This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.9.x, 2.8.x, 2.7.x, and 2.6.x.
This release does not address all security vulnerabilities discovered after the 2.9.0 minor release. To obtain current security fixes, upgrade to the latest LTS patch or feature release.
Release 2.9.1
The 2.9.1 release includes some security fixes and stability fixes described in the resolved issues list. This release is available as an upgrade file. The upgrade can be applied directly on CipherTrust Manager versions 2.9.x, 2.8.x, 2.7.x, and 2.6.x.
Release 2.9.0
Platform
Added support for AWS Regional STS Endpoint in AWS connection manager.
Added support for Open ID Connect (OIDC) connections to authenticate CTE agents in connection manager.
Note
This is an additional, separate connection from the OIDC connection used to authenticate CipherTrust Manager users.
Changes to the OIDC connection to authenticate CipherTrust Manager users.
Added the ability to pre-create OIDC users before the user logs in to CipherTrust Manager.
Due to stability and performance enhancements, this feature is fully supported and no longer a technical preview.
Support for GET method to start an OIDC login flow.
Added support for a Syslog connection available to the ksadmin user to forward host logs. Host logs are very detailed messages at the base operating system level.
The certificate duration for Azure Cloud and Salesforce Cloud connection managers is made configurable. The default duration is 730 days.
Expansion of log forwarder features:
Added support for Loki connections in connection manager.
TLS is also now available for Loki connections.
Added support for Elastic Search connection in connection manager.
Support of Syslog added in log forwarders.
Added support for Syslog connections in connection manager.
Note
Upgraded CipherTrust Manager instances can have existing syslog connections through Admin Setting, which continue to be supported as an additional Syslog connection. Syslog servers configured as log forwarders can forward client audit records, while syslog servers configured through Admin Settings cannot.
These two syslog connections are separate from the syslog connection available to the ksadmin user to forward host logs.
Due to design stability, log forwarders are now fully supported and no longer technical preview.
Certificate revocation check request timeout for Web (cert user login) and NAE/KMIP clients is made configurable.
Added support to renew CA CRL automatically on expiration.
Support added to configure maximum TLS version on interfaces.
Support added for "y-" prefixed custom attributes for migration of keys from KeySecure to the CipherTrust Manager.
Updated ksctl to allow configuration of trusted certificates.
Added ability to auto-generate server certificates on restart if certificate signing request (CSR) parameters or CA is changed.
Added support for including a Subject Alternative Name in CSR in CipherTrust Manager UI.
Domain backup now includes users and groups.
Registration of new KMIP client certificates now uses DN matching instead of fingerprint pinning.
Added ECDSA signing and verification support for REST interface.
Added support for custom attribute to KeyVersionModifyRequest.
Support of certificate-based authentication for users created inside the domain.
The default setting of the system generated auto key rotation scheduler for new deployments is now disabled. However, in the previous releases, it was enabled.
Changes to the internal Loki Grafana log aggregation microservice:
Added a configurable retention period.
Due to stability and performance enhancements, this feature is fully supported and no longer technical preview.
Technical preview: Ability to anchor a new child domain to a Luna Network HSM partition. All keys and secrets within an HSM-anchored domain are wrapped and unwrapped by the HSM itself.
Support for upgrading the Luna PCIe Hardware Security Module on board the Thales CipherTrust Manager k570. You can now upgrade the firmware on this HSM to 7.7.0.
Limitations
To fetch all keys, it is recommended to use KeyNamesRequest instead of KeyQueryRequest. The KeyQueryRequest response time is proportional to the number of keys on the CipherTrust Manager, and hence may lead to a timeout exception on the client side.
The CipherTrust Manager logs forwarded to a Syslog server are limited to a size of 1024 bytes. Beyond this size, the log message is truncated. However, you can use a Syslog log forwarder instead of the Syslog server to view the complete logs. The log forwarders support log messages larger than 1024 bytes.
Currently, the log forwarders are not configured to use the system's proxy configuration. If proxy is configured, the log forwarders bypass the proxy servers.
The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.
During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and a different subject DN.
However, for local CAs, it is not required to delete the client to be renewed; instead, set the do_not_modify_subject_dn field to false. Refer to Renewing Local CA Clients for details.
Deprecated Feature(s)
From CipherTrust Manager version 2.9 onward:
The 'global' user is not generated on restart.
The 'global' user cannot be created.
While upgrading to CipherTrust Manager 2.9, the 'global' user is deleted.
In a mixed CipherTrust Manager 2.8 and 2.9 cluster environment, if a 'global' user exists, you cannot log in as the 'global' user.
While upgrading to CipherTrust Manager 2.9, or in a mixed cluster environment, if the 'global' user is deleted, the keys owned by the 'global' user become accessible to the 'Key admin' or 'admin' groups. The NAE/KMIP users can also access these keys.
Application Data Protection
Added support for access policies that allow you to select how to display data in a RESTful API call during the reveal operation based on the user. The data can be revealed as:
Plaintext
CipherText
Masked Value
Error/Replacement Value
Added licensing enforcement for DPG.
CCKM
Technical preview: Support for Luna HSM as a key source for BYOK and cache-only keys in Salesforce cloud.
Added support for management of Oracle Cloud Infrastructure (OCI) resources using the GUI.
Added support for management of Azure secrets and certificates using REST API.
Capability to persist permitted operations and tags for Azure keys after the key rotation.
Added capability to provide an existing key to act as the Key Encryption Key (KEK) when you create a Google External Key Manager (EKM) endpoint. Multiple Google EKM endpoints cannot share the same KEK at the same time.
Added support for the Azure Key Vault Managed HSM cloud service.
CTE
Added capability to share CTE resources across domains. Refer to Sharing Resources Across Domains for details.
Added support for Multifactor Authentication (MFA) to the MFA-capable CTE for Windows clients. In MFA, access to the requested data is granted only after the requester satisfies two or more authentication criteria. Refer to Multifactor Authentication for details.
Added capability to configure cluster node preference. Refer to Configuring Cluster Node Preference for details.
Added option to suspend rekey on a client group level.
Enhanced the Thales Security Intelligence Splunk app to include CipherTrust Manager dashboards.
Note
CTE resources of Efficient Storage and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.9 using the backup/restore method. The Container policies are supported only on the DSM. However, Efficient Storage resources can be manually created on the CipherTrust Manager. Migration of Efficient Storage resources will be supported in a future release.
DDC
Salesforce Data Store Support. Supports scanning sensitive data in Salesforce Standard, Custom, and Big objects in your production and sandbox environments.
Search Precision Support in Built-in Infotypes. Discovers sensitive data objects based on the High or Low search precisions.
Auditing Scan Execution and Reports Generation Events. Logs Scan execution and Reports generation actions in the Server records (audit).
Resolved Issues
This table lists the issues resolved in 2.9.1.
Issue | Synopsis |
---|---|
KY-51283 | When adding the license string for the DDC license, CipherTrust Manager returns the error "User not authorized to add a license." |
KY-49442 | If you delete a domain that has used DDC to any extent before upgrading, DDC is unavailable after upgrade. The UI displays the error "Cannot start DDC-management". |
This table lists the issues resolved in 2.9.0.
Issue | Synopsis |
---|---|
KY-48941 | Upgrading a k570 appliance from 2.6.1 to 2.7.x or 2.8.x makes the PCI HSM unavailable, and after reboot, CipherTrust Manager services do not start. During upgrade the following message is displayed: Starting k7 (via systemctl): k7.serviceJob for k7.service failed because the control process exited with error code Resolution: Upgrade from 2.6.1 to 2.9.0 does not cause this error. |
KY-47890 | CPU usage increases when KMIP license expires. |
KY-47152, KY-47142 | While generating a CSR using the /v1/vault/csr API, an incorrect Subject Key Identifier is generated. |
KY-43409 | SNMP interface cannot be read or deleted if the name contains any upper-case letters. |
KY-43096 | Google Workspace CSE: The Google Workspace Client Side Encryption page shows the label Takeout Unwrap instead of Privileged Unwrap. |
KY-42868 | CTE GUI: When trying to add more than 200 clients to a client group in one attempt, the GUI becomes nonresponsive. |
KY-42750 | While creating/uploading a DSM key from Azure, Google, Salesforce, and SAP clouds, the source key name does not allow underscores (_ ). The same issue is also observed when creating/uploading a Luna HSM key from the SAP cloud. |
KY-42739 | GUI: The Delete Key permission is missing under Access Control in SAP Groups. |
KY-42325 | Server audit records don't display Google EKM wrap and unwrap operations in domains other than the root domain. |
KY-41734 | Multiple OIDC connections are required in a cluster where individual nodes are accessed without a load balancer. |
KY-41140, KY-41739 | GUI does not provide any option to add or edit the description of a domain backup. |
KY-40418 | After migrating local CAs from KeySecure to CipherTrust Manager, the connection between KMIP client and CipherTrust Manager could not be established. The same issue also occurs when there is serial number conflict in external CAs. |
KY-39821 | If a KeySecure backup contains certificates that have been revoked and then resumed, the CipherTrust Manager shows them as revoked certificates after migration. |
KY-39818 | The links of the keys (XTS/RSA) get deleted from the source domain when the key backup is restored on the destination domain of the same CipherTrust Manager. |
KY-39268, KY-39348 | For the auto-registered KMIP clients created before 2.0 release, the KMIP services do not start after upgrading them to 2.5 or later releases. |
KY-39349 | CCKM GUI: Unable to view/edit AWS KMS accounts having '/' in their names. |
KY-39294 | If you create user with the same name on two cluster nodes, replication sometimes stops due to latency. |
KY-39255 | When migrating a non-versioned key from DSM to Ciphertrust Manager, the expiration date of the key gets copied to the key's rotation date after migration, causing auto-rotation instead of its deactivation. |
KY-39242 | If you create keys with the same name on two cluster nodes, replication sometimes stops due to latency. The system log will have repeating log entries such as 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] LOG: CONFLICT: insert_exists on relation "minerva.keys"; resolution: apply_remote; resolver: update_if_newer. 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] DETAIL: remote tuple origin=2,timestamp=2022-01-24 14:33:11.70402+00,commit_lsn=0/4E247C8 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.730 UTC [9688] CONTEXT: during apply of INSERT from remote relation minerva.keys in xact with commit-end lsn 0/4E247C8 xid 198983 committs 2022-01-24 14:33:11.70402+00 (action #2) (effective sess origin id=2 lsn=0/4E247C8) 2022-01-24 14:51:27 | pg | while consuming 'I' message from receiver for subscription bdr_kylo_kylo_ff58c04f08f_38223f4165d (id=2756859727) on node 3822e20ded82494fab50ec6dfa931ef3 (id=1061250514) from upstream node ff58cc81c5e44934af8f468f7e9f2160 (id=3226405105, reporiginid=2) 2022-01-24 14:51:27 | pg | 2022-01-24 14:51:27.733 UTC [9687] FATAL: writer has died |
KY-39139 | The CipherTrust Manager should not allow a certificate duration greater than the CA duration. |
KY-38998 | When the credentials of an SMB connection are updated on the CipherTrust Manager, the updates are not reflected on the CTE Agent. |
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
KeySecure Classic Hardware No Longer Supported
CipherTrust Manager firmware is no longer supported on KeySecure Classic k450 and k460 hardware from version 2.8.0 and onward. Refer to Migrate from KeySecure Classic for information on migrating KeySecure Classic data to CipherTrust Manager hardware.
SMB Connection
The Host and Port fields must be specified together, or neither of them. If Host and Port are not specified while creating an SMB connection, these fields cannot be added later.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key, CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend that future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend using CipherTrust Manager's random number generation to produce secure IVs, or you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.
Caution
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true, or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
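The following Go program is an added illustration of why this recommendation matters; it is not CipherTrust Manager code and is not part of these release notes. It uses only the Go standard library, a constructed demo key, and a fixed IV that stands in for a stored per-key default IV, and it assumes block-aligned CBC plaintext (real callers apply PKCS#7 padding first). Reusing one IV makes CBC (and GCM) deterministic, so equal plaintext prefixes show up as equal ciphertext blocks; a fresh random IV per request, carried alongside the ciphertext for later decryption, removes that leak.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cbcEncryptWithIV models a request that reuses a stored per-key default IV:
// the caller supplies the IV, and the same IV is used for every request.
// Plaintext must be block aligned (real callers apply PKCS#7 padding first).
func cbcEncryptWithIV(key, iv, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of the AES block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// cbcEncryptRandomIV draws a fresh IV from the CSPRNG for every request and
// prepends it to the ciphertext, because the IV is needed again at decrypt time.
func cbcEncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncryptWithIV(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// cbcDecryptRandomIV splits off the prepended IV and recovers the plaintext.
func cbcDecryptRandomIV(key, ivAndCt []byte) ([]byte, error) {
	if len(ivAndCt) < 2*aes.BlockSize || len(ivAndCt)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := ivAndCt[:aes.BlockSize], ivAndCt[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return out, nil
}

// gcmEncryptWithNonce seals with AES-GCM under a caller-supplied 12-byte nonce.
// A fixed nonce makes GCM deterministic as well; a nonce must never repeat under one key.
func gcmEncryptWithNonce(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, plaintext, nil), nil
}

// sharedLeadingBlocks counts the leading 16-byte blocks two CBC ciphertexts
// have in common; under a fixed IV this equals the shared plaintext prefix.
func sharedLeadingBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32)     // constructed demo key (AES-256)
	fixedIV := bytes.Repeat([]byte{0x22}, 16) // stands in for a stored default IV
	m1 := []byte("ACCOUNT=1234567890123456;BAL=100") // constructed, 32 bytes = 2 blocks
	m2 := []byte("ACCOUNT=1234567890123456;BAL=999")
	c1, _ := cbcEncryptWithIV(key, fixedIV, m1)
	c2, _ := cbcEncryptWithIV(key, fixedIV, m2)
	fmt.Println("fixed IV: shared leading ciphertext blocks =", sharedLeadingBlocks(c1, c2))
	r1, _ := cbcEncryptRandomIV(key, m1)
	r2, _ := cbcEncryptRandomIV(key, m1)
	fmt.Println("random IV: identical ciphertext for identical plaintext =", bytes.Equal(r1, r2))
	pt, _ := cbcDecryptRandomIV(key, r1)
	fmt.Println("round trip ok =", bytes.Equal(pt, m1))
}
```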
Some Key States Change After Upgrade
After upgrade from 2.4 some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
As you cannot upgrade directly from 2.4 to 2.9, these changes take effect when you first upgrade from 2.4 to an intermediate minor version, 2.5, 2.6, or 2.7.
When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.
When a key has an NAE state of Restricted and the Protect Stop Date is set in the future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
When a key has an NAE state of Active and the Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.
When a key has an NAE state of Active and the Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
When a key has a state of Deactivated before upgrade, its state is unchanged after upgrade. However, the allowed operations for the Deactivated state change for 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the Protect Stop date to restore those operations.
System Upgrade and Downgrade Supported Releases
System upgrades have been tested from releases 2.6.x, 2.7.x, and 2.8.x. Upgrades from lower 2.9.x versions to 2.9.x patches have also been tested.
Note
Upgrades from other versions have not been tested and may not work correctly.
CipherTrust Manager 2.9.x can be downgraded to 2.8.x. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.
Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.
Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.
Clusters with a Large Number of Transactions
Clusters that support a large number of transactions should have audit logging disabled and only syslog should be used for capturing audit logs. This significantly reduces cluster wide traffic and disk usage. This is a cluster wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable audit logging.
To disable local audit logging
Set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:
$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false
If a syslog server is configured, audit logs will still be sent to it.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
Because it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. Doing so results in an insecure system. Therefore, TLS/SSL should always be enabled on a production system.
Key Usage Mask Selection
If you want to perform any operation (for example, Wrap/Unwrap) from the NAE/KMIP connector, set the usage mask explicitly for that operation while creating keys through UI.
Upgrading DDC
After you upgrade to version 2.9, you will not be able to downgrade to any of the previous versions.
Clusters with DDC
Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (giving the impression that DDC fails randomly).
DDC Licensing
Overlapping licenses are not supported (except for the trial license).
DDC Reports
Support for Legacy Reports
Starting from scans run with CM version 2.9.0, the data objects listed in the reports for SMB/CIFS data stores will be displayed with a new prefix.
old prefix: share://server\share\folder1\folder2\file.txt
new prefix: \\server\share\folder1\folder2\file.txt
Warning
Support for legacy reports will be removed in the next version (following version 2.9.0). All scans run with DDC version 2.2 and their reports will stop functioning. Make sure to download and save any legacy reports that you have.
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
---|---|---|---|
Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Client Platforms
The following client platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
ProtectApp JCE: minimum version 8.6.1
ProtectApp .NET: minimum version 8.11.0
ProtectApp ICAPI: minimum version 8.10.0
ProtectApp Oracle TDE: minimum version 8.9.0
ProtectApp SQL EKM: minimum version 8.3.2
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
ProtectDB Oracle: minimum version 8.8.0
ProtectDB SQL: minimum version 8.9.0
ProtectDB DB2: minimum version 8.7.0
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 9.0.0
CipherTrust Vaulted Tokenization
Tokenization Manager: minimum version 8.7.1
Vaultless Tokenization Manager: minimum version 8.8.0
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
CipherTrust Teradata Protection
Minimum version 6.4.0.12
ProtectFile
Minimum version:
ProtectFile Windows 8.12.3
ProtectFile Linux 8.12.3, 8.12.4p02 (for migration to CTE)
The latest three GA versions of ProtectFile are tested with CipherTrust Manager. Older versions are expected to work, but they are not tested explicitly.
ProtectV
Minimum version 4.7.3
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.
Note
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, the DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. For example, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 3.1.6.
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
Reference | Synopsis |
---|---|
KY-63347 | Problem: The SNMP trap notification linkDown , indicating a network interface is down, is not sent immediately in a multi-NIC environment. The trap notification is sent after CipherTrust Manager reboot. |
KY-65653 | Problem: Refresh tokens created by NAE/KMIP services are not cleaned up after closing the connection. This affects the NAE/KMIP performance when the refresh token count reaches a couple of million. Workaround: Contact Thales Support. |
KY-61307 | Problem: After you join a new node to a CipherTrust Manager cluster and restart cluster members, cluster member backup keys become inactive. Workaround: Delete the inactive backup keys and upload the backup keys that were downloaded. |
KY-61292 | Problem: In a configuration with multiple Luna Network HSMs acting as root-of-trust in high availability mode, when the HSM in use becomes unavailable, the CipherTrust Manager occasionally does not failover to the remaining HSMs, and CipherTrust Manager becomes unavailable. Workaround: Reboot the CipherTrust Manager instance to reconnect to remaining HSMs. |
KY-60716 | Problem: If you migrate RSA keys from KeySecure Classic to CipherTrust Manager, the key permissions change from encrypt to decrypt, and from decrypt to encrypt. Workaround: After migration, edit the key permissions on CipherTrust Manager. |
KY-60595 | Problem: If you attempt to create a domain with an existing name, the domain creation fails as expected. However, you can no longer delete the user specified as the domain administrator. Workaround: Contact customer support to delete the user. |
KY-59952 | Problem: Only the 10 most recent alarm configurations are listed in the GUI. Workaround: Manage alarm configurations through the ksctl records alarm-configs CLI commands or the /v1/audit/alarm-configs REST API endpoint. |
KY-55987 | Problem: If you have a scheduled job set to run on a particular cluster node, remove the node from cluster, and then rejoin it, the scheduled job runs on all cluster nodes instead. Workaround: After making any changes to cluster membership, update the scheduled job run_on parameter to reflect the current cluster node ID. |
KY-55725 | Unable to update the password of an SCP connection for backups. |
KY-55634 | Two quorums are generated for download backup key. |
KY-53816 | The activity.nae logs show key version 0 always. |
KY-54374 | • With legacy Syslog servers, there is a performance drop once more than 20 Syslog entries are configured in the system. • The new log forwarders support a maximum of 100 connections internally. Each domain consists of four matrices/labels. If there are 25 domains (including root) in the system and all four matrices are enabled, then logs will be forwarded for a maximum of 25 domains only. |
KY-59471 | Problem: The trusted CAs, in the existing custom interfaces, don't get replicated on a new node joining in a cluster. This leads to failure of the client (NAE, KMIP, and REST) authentication on the new node. Workaround: Update the trusted CA manually on the interface of that node where the issue persists. |
KY-59483 | Problem: OCI test connection does not work if the OCI user has access to only a sub-compartment. Workaround: On the Oracle cloud, add the OCI user to the admin group. Alternatively, update the first two policies as: Allow group cckm-group to manage vaults in tenancy Allow group cckm-group to manage keys in tenancy. Refer to Apply Policies to the User Group. |
KY-59341 | Problem: The /auth/tokens API endpoint sometimes returns a renewed Refresh Token (refresh_token) with longer than requested lifetime (refresh_token_lifetime ). |
KY-56072 | If you create a domain-specific backup containing a pkcs12 key with one or more certificates, and then attempt to restore the backup, the pkcs12 key fails to restore. The message ERR | key-hash mismatch error message:failed verifying key hash for key record: <key_id> err:failed verifying key fingerprints errVerbose: is present in the /opt/keysecure/logs directory accessible in a ksadmin SSH session. |
KY-55416 | Problem: Alarms table does not support retention policy. Record based alarms will fill up the table. Workaround: Contact customer support. |
KY-53681 | Problem: You cannot delete the default backup key if it is uploaded from another domain. Workaround: Contact customer support. |
KY-53631 | Problem: OIDC group mapping is allowed even though it is not supported. If a user in the group attempts to login, the login fails with server error response. Workaround: Delete the invalid group mapping. |
KY-52237 | The state of a pending CA changes to expired after the restart. This breaks the connection/integration of any KMIP or VSAN client. |
CM-7 | Thales TCT k570 model does not support FIPS backup. |
CM-17 | Thales TCT k570 model does not support key rotation for HSM root key. |
CM-18 | Thales TCT k570 model does not support HSM Firmware Upgrade (in field). |
CM-19 | Thales TCT k570 does not support external JWT rotation. |
KY-51920 | Problem: CipherTrust Manager k570 models can sometimes lose network connectivity, showing the errors PCIe link lost, device now detached and igb 0000:01:00.1 eth1: malformed Tx packet detected and dropped, LVMMC:0xffffffff in kern.log and syslog host log files available in debug logs download or through ksadmin SSH access. Workaround: Contact Thales customer support. |
KY-51318 | Problem: Adding a proxy host using the web console GUI results in the port displaying incorrectly with a dash (-), and the proxy setting is not applied. Workaround: Use the ksctl CLI or REST API to update the proxy configuration, removing the / suffix from the http_proxy and https_proxy parameter values. |
KY-49082 | Problem: If you set a CipherTrust Manager to use a non-default port for the web interface, other than 443, you cannot join the CipherTrust Manager to a cluster. The join operation hangs and never completes. Workaround: Enter the IP address and port in the Public address of the new node field, disable the Cluster address is the same as the Public address checkbox, and then enter the IP address without the port in the Cluster network address of the new node field. |
KY-49376 | Problem: If a CipherTrust Manager is deployed at a version lower than 2.8, a CTE license is installed, and the CipherTrust Manager is upgraded to 2.8 or higher, the displayed CTE license usage count is incorrect. Workaround: In a domain with pre-existing CTE clients, create or register a new CTE client, and then delete the new client. |
KY-48357 | Problem: Wildcards are not supported when selecting users for a partial domain backup. Workaround: Back up the selected users explicitly, by name. |
KY-48358 | Problem: The users and groups backup fails if an invalid group name is provided in the resource query filter during partial domain backup. |
KY-48284 | Problem: Domain backups with local users cannot be restored into another domain in the same cluster. Workaround: Restore the backup to a CipherTrust Manager in a new cluster, or to a different CipherTrust Manager instance which isn't clustered. |
KY-48256 | Problem: The Admin > Services page has Restart buttons for every listed service, but only the nae-kmip and web services restart successfully. All other services fail with 15: NCERRBadRequest: Bad HTTP request. Workaround: Use System Restart at the bottom of the page, which restarts every service. |
KY-48108 | Problem: HSM-anchored domain creation fails with Luna HSM versions earlier than 7.7.x. Workaround: Upgrade Luna HSM version to 7.7.x. |
KY-48085 | Problem: The Reset option to restore default columns doesn't work in some tables in the CipherTrust Manager UI. Workaround: Manually select the columns you wish to view and click OK. |
KY-48050 | Problem: [CipherTrust Manager UI]: If you renew a KMIP client certificate without providing a CSR or CSR parameters, you do not receive the private key associated with the new certificate. Workaround: Renew the client certificate using the API post /v1/client-management/clients/{id}/renew or the command ksctl clientmgmt clients renew. Alternatively, you can renew the client certificate without providing any parameter if you select Server CSR and click Renew in the CipherTrust Manager UI. |
KY-47789 | Problem: User login to the CipherTrust Manager UI with an external certificate sometimes hangs and does not complete. Workaround: User login through other interfaces, such as curl commands, ksctl CLI, NAE, or KMIP, is unaffected. If login to the CipherTrust Manager UI with an external certificate is still required, set the CERT_REV_CHECK_TIMEOUT property to a value such that CERT_REV_CHECK_TIMEOUT multiplied by the number of CRL endpoints is less than 20 seconds. |
KY-47184 | Problem: After upgrade, services sometimes fail to restart with an error message starting with Forcing migration for retry. Workaround: Contact customer support to recover from this state. |
KY-46653 | Problem: If you add a syslog host in IPv6 format in the connection manager, testing the connection fails with the message too many colons in address, even though the connection itself works. Workaround: Validate the connection by manually comparing the records visible in CipherTrust Manager with the records received by the syslog server. |
KY-42690 | Problem: If you edit the default port value on the web or KMIP interface, and then join the CipherTrust Manager to a cluster, web or KMIP requests directed to the changed port value fail on other nodes. This is true even though the nodes in the cluster display the new, correct port value for these interfaces. Workaround: On CipherTrust Manager nodes with failing requests, change the interface port number to a temporary value, and then change the interface port number again to the desired value. |
KY-39354 | Problem: Scheduled Partial Domain Backups and Domain Backups fail when an SCP connection is configured. The backup file is created on CipherTrust Manager but is not forwarded over SCP, and the file is invalid. Workaround: If scheduled backup over SCP is needed, create a System Backup instead. |
KY-39235 | If a user fails to log in to a domain, an audit record is created in the root domain instead of the intended domain. |
KY-37961 | Problem: If you add a user only to the "CTE Admins" group and attempt to create a registration token on the UI, the operation hangs and never completes. Workaround: Add the user to the "admin" or "CA Admins" group in addition to the "CTE Admins" group. |
KY-31116, KY-31114 | Problem: If an admin enables a quorum policy on any domain, and a key admin of that domain logs into the web console GUI and views the quorum settings, the quorum policy is displayed as disabled and the error NCERRResourceNotFound: Resource not found is displayed. Workaround: While the quorum feature is considered a technical preview, only admin level users have permissions to access and configure quorums. Log in as a user with admin permissions to try any quorum functionality. |
KY-30705 | You cannot migrate an RSA public key that has no corresponding private key from KeySecure Classic. Migration attempts fail with the error "Server error [417/NCERRInvalidOrMissingKeyData: Could not decode key from key material]: Invalid private key format. HTTP code:422". |
KY-27897 | SaltLength with zero (0) value is not supported for Sign/SignV operations using RSA PSS padding. |
KY-27450 | Local Certificate Authorities (CAs) do not allow commas (,) in any of the fields. Workaround: Configure an External CA instead. If you use certificate-based login, escape the comma with a backslash (\) in the Distinguished Name (DN) when creating the user. For example, C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is an accepted value. All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. @ and & are also allowed, beyond the definition in the RFC. |
KY-25152 | You cannot pass in a custom SSH key via cloud init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the admin user on Oracle Cloud instances. Workaround: Login to the GUI to enter the SSH public key on initial access. You can also change the password for the admin user on this login. |
KY-20310 | When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error. Workaround: Disregard the timeout error. |
KY-17662 | In-place cluster upgrade does not enforce upgrading only one version. |
KY-17338 | KMIP: LDAP users cannot be set in the KMIP profile. Workaround: To use LDAP authentication, use the KMIP auto registration. |
KY-13617 | Domain scoped backup fails to restore on another domain when a key with the same name and version already exists. Workaround: To handle this issue, try either of the following: |
KY-13343 | Uploading an existing backup results in error but is displayed in the list with status "Uploading". Workaround: Delete the backup using the "uploadID" as backup ID. |
KY-11517 | [ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
KY-11498 | When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an ldap user cannot log on to it. |
KY-7289 | When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations the KMIP server always uses ECB mode regardless of the mode provided. Workaround: For migration use cases, if the Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic: |
KY-7288 | When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations the AuthenticatedEncryptionTag is returned appended to the CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
KY-7193 | Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups. Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created. |
KY-6383 | Users with a pipe in their user names (for example, user1|something ) cannot log on using NAE/KMIP. |
KY-3670 | A cluster join operation can, rarely, fail and leave the joining node in a bad state. Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join. If you still cannot log on to the node: |
KY-2482 | (was NC-3480) Signing with EC keys does not work via the REST API. |
KY-2423 | (was NC-2318) KMIP: Result Reason may not be accurate or have enough detail. |
KY-2418 | (was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves. |
KY-1394 | (was NC-2260) Trying to mark a shared key deletable or exportable as a non-admin user returns a NotFound error. The error should be: insufficient permissions. |
KY-1373 | (was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used. |
KY-1166 | (was NC-4098) NAE/KMIP multiport iptables rules are not replicated. Workaround: Perform NAE restart on each node. |
KY-504 | Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster. |
NC-3573 | Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT. Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface. |
NC-3572 | Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager. Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration. Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface. |
NC-2063 | If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
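
The DN escaping rule in KY-27450, worked through as an added example (not code from these release notes or from Thales): a small RFC 4514 encoder/parser that escapes a comma inside an attribute value, splits a DN only on unescaped commas, and checks a value against the character set the note says a Local CA accepts (the RFC 5280 PrintableString alphabet plus @ and &, minus the comma). The functions and the spelled-out PrintableString alphabet are the example's own; the note's DN C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test is used as the input.

```python
from typing import List, Tuple

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_SPECIALS = set(',+"\\<>;')

# RFC 5280 PrintableString alphabet (ASN.1 X.680), spelled out for the check below.
_PRINTABLE_STRING = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)
# KY-27450: a Local CA accepts PrintableString plus @ and &, but never a comma.
_LOCAL_CA_ALLOWED = (_PRINTABLE_STRING | set("@&")) - {","}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (type, value) pairs into a DN, escaping each value."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN on unescaped commas and unescape each value.

    Handles both '\\,' style escapes and '\\2C' hex-pair escapes.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1 : i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                buf.append(chr(int(nxt, 16)))   # hex-pair escape
                i += 3
            else:
                buf.append(dn[i + 1])           # backslash-escaped literal
                i += 2
            continue
        if ch == ",":                           # only an unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, val = part.partition("=")     # attribute types never contain '='
        rdns.append((attr.strip(), val))
    return rdns


def local_ca_rejects(value: str) -> List[str]:
    """Characters in value that a Local CA will not accept under KY-27450."""
    return sorted({ch for ch in value if ch not in _LOCAL_CA_ALLOWED})


def needs_external_ca(rdns: List[Tuple[str, str]]) -> bool:
    """True if any value carries a character a Local CA rejects (e.g. a comma)."""
    return any(local_ca_rejects(val) for _, val in rdns)


if __name__ == "__main__":
    subject = [("C", "IN"), ("ST", "UP"), ("L", "Noida"),
               ("O", "Thales,INC"), ("OU", "ENC"), ("CN", "test")]
    print(build_dn(subject), needs_external_ca(subject))
```

Run needs_external_ca over the subject you intend to issue before choosing a CA: a comma in O= forces the External CA route, while the escaped form from build_dn is what to enter for the certificate-based login user.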
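
A log check for the k570 network fault in KY-51920, as an added example rather than anything shipped with CipherTrust Manager: it scans kern.log text for the two kernel messages the note quotes and reports which interfaces were affected, so the signature can be run over a debug-logs download before opening the support case the note asks for. The sample lines are constructed to mirror the quoted messages and are not a real capture; the timestamps, hostname and PCI bus addresses in them are invented.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the two fault lines follow the messages quoted in
# KY-51920, the rest are ordinary noise. Host, times and bus ids are invented.
SAMPLE_KERN_LOG = """\
Mar 12 03:14:07 cm-node1 kernel: [123456.789012] igb 0000:01:00.1 eth1: igb: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
Mar 12 03:14:09 cm-node1 kernel: [123458.001234] igb 0000:01:00.1 eth1: malformed Tx packet detected and dropped, LVMMC:0xffffffff
Mar 12 03:14:09 cm-node1 kernel: [123458.001240] igb 0000:01:00.1 eth1: malformed Tx packet detected and dropped, LVMMC:0xffffffff
Mar 12 03:14:11 cm-node1 kernel: [123460.500000] pcieport 0000:00:1c.0: PCIe link lost, device now detached
Mar 12 03:14:12 cm-node1 kernel: [123461.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# Signatures taken from the messages quoted in the release note.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "pcie_link_lost": re.compile(r"PCIe link lost, device now detached"),
    "igb_malformed_tx": re.compile(
        r"igb (?P<bdf>[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]) (?P<iface>\S+): "
        r"malformed Tx packet detected and dropped, LVMMC:0x[0-9a-fA-F]+"
    ),
}


def scan_kern_log(text: str) -> Dict[str, List[str]]:
    """Group matching log lines by signature name."""
    hits: Dict[str, List[str]] = {name: [] for name in SIGNATURES}
    for line in text.splitlines():
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits[name].append(line)
    return hits


def affected_interfaces(hits: Dict[str, List[str]]) -> Set[str]:
    """Interface names that dropped malformed Tx packets."""
    rx = SIGNATURES["igb_malformed_tx"]
    found: Set[str] = set()
    for line in hits["igb_malformed_tx"]:
        m = rx.search(line)
        if m:
            found.add(m.group("iface"))
    return found


def k570_nic_fault_suspected(hits: Dict[str, List[str]]) -> bool:
    """Either quoted message on its own is enough to warrant the support case."""
    return bool(hits["pcie_link_lost"] or hits["igb_malformed_tx"])


if __name__ == "__main__":
    h = scan_kern_log(SAMPLE_KERN_LOG)
    print({k: len(v) for k, v in h.items()}, sorted(affected_interfaces(h)),
          k570_nic_fault_suspected(h))
```

Feed it the kern.log and syslog host log files from the debug-logs download (or read them over the ksadmin SSH session); a non-empty affected_interfaces set tells you which NIC to name in the ticket.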
CipherTrust Application Data Protection
Issue | Synopsis |
---|---|
KY-47374 | Problem: If you migrate a non-exportable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "exportable". Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-exportable. |
CipherTrust Cloud Key Manager
Issue | Synopsis |
---|---|
KY-60264 | Issues observed in managing AWS keys through an assumed role when the CipherTrust Manager is deployed in VPC. |
KY-56372 | Users who are not CipherTrust Manager administrators (members of the admin group) cannot perform any operations on Google Workspace CSE resources through CCKM. Workaround: 1. Create a policy for Google CSE operations with the API post /v1/admin/policies. The response returns a policy resource id. 2. Attach the policy to the "CCKM Admins" group with the API post /v1/admin/policy-attachments, passing the policy resource id returned in the previous step as <policy-id>. |
KY-48665 | Oracle Cloud: When you upload a key to an Oracle vault, the Origin column under KEY VERSIONS shows External as the key material origin for both software and HSM protection modes. Workaround: Check the correct key material origin using API. |
KY-48263 | Automatic rotation of Salesforce tenant secrets using Luna HSM as a key source does not work. Workaround: Rotate the tenant secrets manually. |
KY-48261 | Filtering SAP keys by creator in the CipherTrust Manager web console UI does not take effect; results are not filtered. The creator_name parameter in the REST API and the creator-name flag in the ksctl CLI filter correctly. |
KY-46776 | GUI shows EC and RSA key types when adding keys to Azure-managed HSM vaults. These key types will be removed in a future release. Workaround: Use the EC-HSM and RSA-HSM options to add keys to the Azure-managed HSM key vaults. |
KY-56869 | The key rotation operation fails when Azure doesn't return any response while fetching the key details. Workaround: • For manual key rotation, re-run the key rotation manually. • For key rotation scheduler, delete the running scheduler job from API playground using the DELETE /v1/scheduler/jobs/{id} API and re-configure the key rotation scheduler. |
KY-44547 | GUI: The "requested by" search functionality does not work for Google Workspace CSE records (Records > Google Workspace CSE). |
KY-42082 | SAP Data Custodian: SAP key activity report doesn't show any data. |
KY-39123 | SAP Data Custodian: When a SAP group is added again, then performing any enable, disable, update, and add new version operation on a key in the group returns the "500 Internal Server Error". Workaround: Refresh the newly added group, add the key again, and retry operations. |
KY-35220 | When the CipherTrust Manager is upgraded, the Azure Keys page does not show any keys. "Error unescaping tags: invalid URL escape "%" 9 : NCERRInvalidParamValue" is returned. Workaround: Refresh all the key vaults. |
KY-31186 | If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception ( cloudkms.googleapis.com ) with no_proxy or use the proxy with username and password, and restart the services. |
KY-31058 | The manual add version/rotation process (using Clone Existing Key Material) of Google Cloud symmetric keys using migrated AWS DSM keys does not work. |
KY-27583 | CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state. This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state. Workaround: Delete the running and scheduled jobs from the API playground, and retry. |
KY-17213 | When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
CipherTrust Database Protection
Issue | Synopsis |
---|---|
PDB-3293 | If datatype of a column changes from char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
CipherTrust Data Discovery and Classification
Issue | Synopsis |
---|---|
KY-9098 | DDC cannot automatically assign an Agent for empty NFS shared folders. You cannot create an NFS type Data Store with an empty folder. When an empty folder is shared over NFS and scanned by DDC, the probe fails. Workaround: Introduce any document in the empty folder and manually trigger the Agent selection. Click the "Find Agent" button to relaunch the Agent selection. The button is visible when you click the ellipsis (overflow) button next to the data store. |
KY-9104 | Scan fails with “Error scanning. The target for Data Store XYZ cannot be accessed.” This happens when the Data Store is created and an Agent is selected for the Data Store but then the Agent is no longer available and there is no way to select a new Agent from the UI. Workaround: Edit the Data Store and edit any configuration parameters so the DDC Server automatically searches for a new suitable Agent. |
KY-9399 | Scanning an XVA file reports a data object that should not be reported, because the XVA file format is not handled correctly. After an XVA file is scanned and the report is generated, an additional data object appears in the Data Objects tab in the UI. Ignore it. |
KY-8990 | Scheduled scans, and scans launched manually via 'run now', start only after X hours. If an Agent and the server have the wrong time set, DDC's ability to schedule scans, or to start them immediately when launched manually from the UI or API, is affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
 | None of the clustered nodes responds to requests to DDC. DDC is active on only one of the CipherTrust Manager nodes; requests sent to any other node return this error. This will be improved in future releases. Solution: |
KY-22666 | DDC cannot scan files larger than 512 MB on AWS S3 and Azure Blob Data Stores. Scanning such files on remote (cloud) Data Stores fails: the files are marked as 'inaccessible' in the report, or the scan fails with an "error processing scan" error. There is no way to identify the cause from DDC. Possible Workarounds: |
KY-13618 | Sometimes, a scan cannot be resumed after the CipherTrust Manager is restarted. When a scan is paused before restarting the CipherTrust Manager, sometimes, the scan is shown as RUNNING after the restart, when in fact, it is stalled. Workaround: Restart the scan execution after restarting the CipherTrust Manager. Note that the progress of the previous scan will be lost. |
KY-19763 | OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase. |
KY-21981 | Postgres tables without primary keys are not completely scanned. DDC can only scan Postgres tables that have at least one primary key defined. Workaround: Define a primary key on the tables and run the scan again. |
KY-30756 | A scan with one or more custom infotype fails with "Internal Error" when it contains Custom Infotype from CM 2.4. This may happen when a custom infotype, created in CM 2.4, contains an expression with a format too complex to interpret. Workaround: Edit the Custom Infotype to verify if the expression is valid. |
KY-27102 | Reports created before upgrading to CM 2.4 do not show Last run and Duration. The upgrade to CM 2.4 resets the Last run and Duration fields for the existing reports. |
KY-30760 | In Legacy Reports, data objects may not be listed in Local Storage reports with a large number of matches; NCERRInternalServerError: unexpected error is displayed on the Data Objects report tab. This means that the Hadoop cluster took too long (more than 30 seconds) to retrieve the list of data objects in the report. Workaround: Re-run the scan and generate a new (non-Legacy) report. |
KY-28063 | No matches found when scanning Teradata Developer Tier Preconfigured Edition. DDC cannot complete scans on Teradata Developer Tier Preconfigured Edition as its default configuration does not set the spoolmode to nospoolonly, and this setting is required for DDC scans to work. Workaround: Change the spoolmode to nospoolonly. |
KY-33887 | Azure Table - A scan fails with an internal error when scanning a large piece of sensitive data. DDC scans on Azure Table may fail with an internal error when a Windows agent is assigned. Workaround: Use a Linux agent compatible with the database. |
KY-34462 | In G-Drive, DDC scans every folder whose name contains the scan path. When scanning a specific G-Drive folder, the scan extends to all folders whose names contain the name of the folder you intended to scan. |
KY-38108 | A datastore scan fails to continue in the scheduled time after the autopause end time if the scan gets to the "Autopaused" state directly from the "Pending" state. |
KY-42491 | Launching a second scan that has any datastores in common with a running scan may result in restarting the first scan in progress on the shared datastore, or even fail it if the first scan is manually paused. Workaround: Minimize scan concurrency on any given datastore and use automatic pause, as the automatically paused scans never fail. |
KY-47755 | An Oracle Datastore fails with a "Cannot find minimum agents for the datastore" error because the database name has an invalid format. Solution: Enter the database name in a valid format, that is, DB(SERVICE_NAME=XXX). |
KY-47936 | Indian GLASS Expression: The Indian Address infotype does not support all valid address format. For example, special characters are not supported. |
KY-48070 | When the HDFS folder /user/XXX does not exist, a misleading message is displayed. When you configure HDFS without a /user/XXX folder, DDC should display the error "HDFS folder /user/XXX does not exist". Instead, it displays "Invalid HDFS folder: the folder does not exist". |
CipherTrust Transparent Encryption
Issue | Synopsis |
---|---|
KY-48228 | Problem: When creating a data transformation enabled policy, if you keep on selecting the same action, its duplicate entries are added. Workaround: Manually delete the duplicate entries from the GUI. |
KY-34329 | Browsing VxVM raw devices that have slash in the path names shows non-existing directory in the GuardPaths. Workaround: Create GuardPoints by manually entering the raw device paths. |
ProtectApp
Issue | Synopsis |
---|---|
KSCH-16415 | The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API. |
ProtectFile
Issue | Synopsis |
---|---|
KSCH-573 | Encryption rules cannot be modified to reset values for include and exclude extension parameters. |
KSCH-568 | Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously. |
KSCH-567 | Modifying a file level encryption rule to set the “isRecursive” flag does not return an error. |
KSCH-564 | Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress. |