Release Notes
Product Description
CipherTrust Application Data Protection for Java (CADP for Java) is a Java Cryptography Extension (JCE) provider that enables users to integrate the Key Manager's capabilities into their Java applications. CADP for Java is available in the following variants:
CADP for Java with Centrally Managed APIs
This is our new set of APIs, available from the CADP for Java 8.18.1 release onward. CADP for Java offers simplified APIs (Protect/Reveal) to perform cryptographic operations. All configuration for CADP for Java, along with the protection and access policies, is centrally managed and maintained on CipherTrust Manager.
The protection policy (ciphers, keys, IV, tweak, and so on) defines how to protect the sensitive data, whereas the access policy determines who can view sensitive data and how (plaintext, ciphertext, custom masking format, or redacted).
Centrally Managed APIs offer several advantages over traditional APIs, including:
Developers do not need to understand cryptographic parameters (cipher, key, IV, nonce, tweak, and so on) to protect data, because the Data Security Admins are responsible for handling configurations and policies.
Each deployed application with CADP for Java is visible on CipherTrust Manager (providing a Single Pane of Glass view).
Data Security Admins gain crypto agility, enabling real-time changes to ciphers, keys, and parameters.
Traditional APIs
This is the standard release of CADP for Java that has been delivered so far.
CADP for Java integrates with the Java Cryptographic Extension (JCE), allowing your Java application to perform cryptographic operations for data protection either locally (with key material securely cached in memory or on disk) or remotely (by forwarding cryptographic requests to CipherTrust Manager). CADP for Java provides encryption/decryption ciphers, tokenization/detokenization ciphers, sign/verify, MAC/verify operations, along with key management functionalities.
Traditional APIs have some drawbacks compared to centrally managed APIs, as developers must understand and handle the cryptographic parameters (cipher, key, IV, nonce, tweak, and so on) and the configuration file by themselves. The CADP for Java configuration is stored in a local file that is deployed with each instance of the application.
Release Description
This release includes a bug fix.
Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
From this release onward, the protectappws.war and tmrestVaultless.war files will no longer be included in the CADP for Java package. These files remain available for download from the Thales Customer Support Portal. This change has been made because our web services use End-of-Life (EOL) Spring OSS version 5.3.39. Although the Spring jars also have known vulnerabilities, our web services functionality is not impacted.
Removal of safenetcloud.war and sfbyok.war files from the CADP for Java package: We are migrating CSEG and BYOK REST API support to open source as an integration. To handle these migrations, from the 8.15.0 release onward, the safenetcloud.war and sfbyok.war files are not bundled with the CADP for Java package. Soon, CSEG and BYOK REST API support will be available as open source. Contact the Sales Team for any queries.
Key versioning and group key permission are not supported by the Key Manager device with the KMIP protocol.
Resolved and Known Issues
The following table defines the severity of the issues listed in this section.
Priority | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Resolved Issues
The following issues are fixed in this release.
Issue | Severity | Synopsis |
---|---|---|
CADP-24204 | H | A delay has been observed when closing NAE connections if the response from Key Manager exceeds the Connection_Read_Timeout value. This issue is observed with OpenJDK and not with Oracle; other providers have not been validated. |
Known Issues
The following issues are known to exist in the product at the time of release.
Issue | Severity | Synopsis |
---|---|---|
CADP-23688 | H | Decryption using a versioned EC key with IV fails when provided in persistent mode. |
CADP-20861 | M | Can't run external logger without log4J libraries. |
CADP-26231 | M | The KMIP_GCM_Crypto operation fails with IBM Java, Oracle Java and OpenJDK. |
CADP-26230 | H | Date2 tokenization fails with pre-active, wiped, and retired key states. |
CADP-18026 | H | ECC key creation request fails with null pointer exception on IBM Java 8. |
CADP-14569 | H | HMAC verification fails with doFinal two parameters. |
CADP-10355 | H | Bulk crypto operation becomes unresponsive when data size and batch size are greater than 2000. |
CADP-9834 | M | For bulk operation, if data is null or blank, the whole batch is discarded and the operation is terminated. |
CADP-13846 | M | [KMIP] Unable to add custom attribute. |
CADP-13847 | M | [KMIP] Unable to delete key. |
CADP-13848 | M | [KMIP] Crypto not working for AES/GCM. |
CADP-13849 | M | [KMIP] Unable to perform wrap and unWrap. |
CADP-13850 | M | [KMIP] Query operation not working. |
PAN-1802 | M | In a multithreaded environment, a "Given Final Block not properly padded" exception is thrown if ECB mode is used for encryption/decryption and the persistent cache is also enabled. |
PA-4314 | M | KMIP: Authenticated user cannot Locate global keys. |
48382 | M | Considerations when using PKCS #5 Padding. Problem: If users attempt a chain of operations that includes two decrypt operations that use PKCS #5 padding, the chain of operations might hang because both decrypt operations wait for the doFinal() method. This scenario poses another potential issue when the user’s input data requires only one block (e.g. 8 bytes for DES and DESede, or 16 bytes for AES), with chances of the NAE server returning incorrect data. |
Compatibility Information
Key Manager
Centrally Managed APIs are supported with CipherTrust Manager 2.19 and higher versions.
Traditional APIs are supported with CipherTrust Manager 2.11.1 and higher versions.
Operating Systems
CADP for Java works with most operating systems. It is supported on a variety of platforms, including Windows, RHEL, Solaris, HPUX, and AIX PowerPC. Not all operating system version combinations are explicitly validated.
Supported JRE
The following JRE versions are supported in this release:
Oracle Java version 8, 10, 11, 12, 14, 15, 17, 19, 21 (Validated)
OpenJDK 8, 10, 11, 12, 14, 15, 17, 19, 21 (Validated)
Derivatives of OpenJDK supported versions.
Deliverables
This release includes the following components:
Software: CADP for JAVA (.zip format) available on Support Portal
Product documentation is available on Thalesdocs
CADP for Java samples are available on Github
Package for CADP for Java (Java API) is available on Maven
We have attempted to make these documents complete, accurate, and useful. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.