Release Notes
Product Description
CipherTrust Application Data Protection (CADP) for Java is a Java Cryptography Extension provider that helps users integrate their Java applications with the cryptographic and key management capabilities of the Key Manager. CADP for Java provides APIs (Java, REST, and SOAP) to perform cryptographic and key management operations using the Key Manager.
Release Description
This release includes enhancements and bug fixes.
Enhancements
Added support for passing the domain name (FQDN) or IP address of the Key Manager in the Server Name Indication (SNI) header during the TLS handshake.
Added a parameter, setIgnoreIv, in FPEParameterAndFormatSpec that allows users to skip the IV if the data size is less than the block length.
Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
We are migrating CSEG and BYOK REST API support to open source as an integration. To handle these migrations, from the 8.15.0 release onward, the safenetcloud.war and sfbyok.war files will not be bundled with the CADP for Java package. Soon, CSEG and BYOK REST API support will be available as open source.
Jar File Version Change: The jar file version is 8.14.1.000 and the name of the file is CADP_for_JAVA-8.14.1.000.jar. Customers upgrading from previous releases must update the classpath to reflect this new name.
Downloading JCE Policy Files: The CADP for Java Provider does not include the JCE policy files required to use unlimited strength ciphers (e.g., 192- and 256-bit AES keys). You must download the unlimited strength policy files for your Java 8 implementation.
Generate and Install a Client Certificate with an IP Address: A workaround is available to generate and install a client certificate containing a client IP address into a Java key store for JCE client application use.
Key versioning and group key permission are not supported by the Key Manager device with the KMIP protocol.
Resolved and Known Issues
The following table defines the severity of the issues listed in this section.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Resolved Issues
The following issues are fixed in this release.
Issue | Severity | Synopsis |
---|---|---|
CADP-12982 | H | User gets out of connection pool error. |
CADP-13301 | M | The CADP for JAVA web services (protectappws) doesn't work with Java 8. |
CADP-11403 | M | The CADP for Java throws an error when KMIP samples are run with CipherTrust Manager. |
Known Issues
The following issues are known to exist in the product at the time of release.
Issue | Severity | Synopsis |
---|---|---|
CADP-10355 | H | Bulk crypto operation becomes unresponsive when data size and batch size are greater than 2000. |
CADP-10241 | H | Bulk operation with AES/CBC/PKCS5Padding returns incorrect ciphertext when batch size exceeds 375. |
CADP-12400 | H | While retrieving global keys using the getKeys() API, CADP for Java throws a Server closed connection exception. |
CADP-9834 | H | For bulk operation, if data is null or blank, the whole batch is discarded and the operation is terminated. |
PA-5194 | H | There is a difference in RSA private key export format in local and remote mode. |
PA-5201 | H | [Local Mode] Key information returns null or NullPointerException message for retired key versions. |
PA-5196 | H | [Remote Mode] Unable to fetch new key state information after modifying its state during the same session. |
PAN-1802 | M | In a multithreaded environment, the following exception is thrown if ECB mode is used for encryption/decryption and the persistent cache is also enabled: "Given Final Block not properly padded." |
PA-4314 | M | KMIP: Authenticated user cannot Locate global keys. |
48382 | M | Considerations when using PKCS #5 Padding. Problem: If users attempt a chain of operations that includes two decrypt operations that use PKCS #5 padding, the chain of operations might hang because both decrypt operations wait for the doFinal() method. This scenario poses another potential issue when the user’s input data requires only one block (e.g. 8 bytes for DES and DESede, or 16 bytes for AES), with chances of the NAE server returning incorrect data. |
48080 | M | Key Generation Requests and Key Permissions. Problem: NAE users cannot see keys that they do not have permission to use. However, a key generation request will fail if the key already exists on the server. A user could use this behavior to discover the names of existing keys. |
Compatibility Information
Key Manager
CipherTrust Manager 2.12 and higher versions.
Operating Systems
CADP for Java works with most operating systems. It is supported on a variety of platforms, including Windows, RHEL, Solaris, HPUX, and AIX PowerPC. Not all operating system version combinations are explicitly validated.
Supported JRE
The following JRE versions are supported in this release: Oracle Java version 8 (minimum 1.8.0_111), 10, 11 (including OpenJDK and Amazon Corretto), 12 (OpenJDK and Azul Java), 14 (OpenJDK), 15 (OpenJDK), 17 (OpenJDK), 19 (OpenJDK), or IBM Java 8 (minimum 8.0.6.25).
Deliverables
This release includes the following components:
Software: 630-000697-001_CADP_for_JAVA-8.14.1.000.zip
Product documentation is available on Thalesdocs
CADP for Java samples are available on Github
Package for CADP for Java (Java API) is available on Maven