Release Notes
Product Description
CipherTrust Vaulted Tokenization (CT-V) supplements Thales encryption solutions by facilitating smooth application performance and transparent end-user operation while keeping encrypted information secure in one central location. For countries with data privacy laws that require sensitive data remain in country, tokenization offers the flexibility to offshore storage without compromising compliance. CT-V also helps simplify audit compliance by reducing the number of auditable systems.
Release Description
This release includes the resolved issue CADP-17019.
Note
From this release onward, support for KeySecure has been deprecated.
Notes for MySQL Database
If a token vault contains multiple entries of the same plaintext with different custom data, CT-V 8.12.4 cannot be used with these token vaults.
Upgrade the existing token vaults to make them compatible with CT-V 8.12.4.
Non-idempotent token vaults are not supported for MySQL database.
Supported Databases
CT-V 8.12.4 is the next standard release over the previous release. This version is explicitly validated on the following platforms:
| Oracle 11g | SQL Server 2008 | SQL Server 2019 |
| Oracle 12c | SQL Server 2012 | MySQL 5.6 |
| Oracle 18c | SQL Server 2014 | MySQL 5.7 |
| Oracle 19c | SQL Server 2016 | MySQL 8.0 |
| Oracle 21c | SQL Server 2017 | Informix 12.10 |
Note
Java developers can use CT-V as a Web service with Apache Tomcat (versions 6 to 9) and Apache Axis2 1.7.8. Axis2, version 1.7.8 is required when using Tomcat.
.NET developers can install CT-V using Microsoft IIS. Refer to CipherTrust Vaulted Tokenization User Guide for details.
Advisory Notes
Enable SSL communications between CT-V and Microsoft SQL Server
To enable SSL communications between CT-V and Microsoft SQL Server, edit the
SafeNetToken.propertiesand set theDatabaseType=SQLServerSSL. If using the Web service, restart Tomcat so that the CT-V jar file will be reloaded with the new property value. The JDBC driver will use SQL Server's self-signed certificate.Multi-threading
By default, CT-V automatically splits
insert,get, andgetTokenbatches larger than 2000 into multiple threads and executes them in parallel. In these scenarios, adding multithreading to your application may not be necessary.When using CT-V in a multithreaded application, it is recommended to use use no more than 10 threads per single CPU machine.
Oracle Batch Jobs
It is recommended to execute the analyze table command after running the first batch job on a token vault in an Oracle database.
For example:
analyze table <your_token_vault_table> compute statistics;If this command is not used, performance will degrade after running batches between 5000 and 10000 rows. When using the CT-V Web service, this performance degradation will cause a
Read Timeout Exception.
Issues Severity and Classification
The following table serves as a key to the severity and classification of the issues listed in the Known Issues table:
| Severity | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium-level priority problems. |
| L | Low | Low-level priority problems. |
Resolved Issues
| Severity | Issue | Synopsis |
|---|---|---|
| M | CADP-17019 | When the CT-V Bulk Utility is run with a built-in format, the output doesn't print the first column (0 position). |
Known Issues
| Severity | Issue | Synopsis |
|---|---|---|
| C | CADP-23902 | Tokenization fails with the following exception when the input value contains special characters including one or more spaces (for example, @@ @@ @@@):No new tokens can be generated after 100 resolution attempts; either the generated token matches the plain value, or the token starts with 0. |
| M | CADP-6120 | The Verify_SSL_Certificate parameter does not work with Java 17. |
| M | TM-8496 | CT-V does not throw an exception when the insert API is used with sequential vault with formats other than SEQUENTIAL_TOKEN in the Oracle database.Summary: When the insert API is used with sequential vault with formats other than SEQUENTIAL_TOKEN, CT-V does not throw an exception. Ideally, CT-V should throw an error. |
| L | TM-8521 | Bulk detokenization header message prints tokens instead of detokens. Summary: While performing bulk detokenization, header message prints number of tokens instead of number of detokens. |
| L | TM-8535 | Local mode throws exceptions in multithreaded environment. Summary: When running JCE 8.5 in local mode for multiple threads, following errors are encountered: • com.ingrian.security.nae.NAEException: Cipher not initialized.• javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher. |
| M | TM-7572 | Windows authentication - DB to DB migration fails with Active Directory user. Summary: DB-to-DB bulk migration fails on using active directory user for database user. |
| M | TM-7186 | SQL Server - Token created on passing string of length 2000 in SQL Server. Summary: SQL Server supports a default token length of 256. If a token is created of length higher than 256, the token is created of default length 256 thus ignoring the given input data length. |
| M | TM-7029 | getTokenByDate is effective on date but not on time.Summary: getTokenByDate API is applicable on date but not on time. |
| L | TM-6858 | .NET installer 32 bit is not working with Windows Server 2012 64-bit. Summary: On installing CT-V with .NET installer (32-bit) on Windows Server 2012 64-bit, the following message is being displayed: “The operating system is not adequate in running CipherTrust Vaulted Tokenization”. But same .NET installer (32-bit) is working with Windows Server 2008 64-bit. |
| M | TM-6979 | getTokenByDate API not working with batch custom data.Summary: getTokenByDate API is not working with batch custom data. |
| M | TM-6949 | Unable to select Filegroup/Tablespace on creation from KeySecure Classic GUI. Summary: In the Vault Index Filegroup fields, entering anything other than the default value, returns the following error: Error: Incorrect syntax near the keyword 'ON'. |
| M | TM-6945 | CT-V not replicating tokens to local site on calling get() API. |
| M | TM-6601 | The getTokensByDate() API retrieves token from the local site even when CT-V is configured for the multi-site feature.Summary: The getTokensByDate() API retrieves token from the local site even if the multi-site feature is configured on CipherTrust Vaulted Tokenization. |
| H | TM-6577 | Performance efficiency degrades in version 6.5.0 of SafeNet Tokenization. Summary: The performance of SafeNet Tokenization goes down after an upgrade to SafeNet Tokenization 6.5. This is a known issue with SafeNet Tokenization and Java 1.6 (Both Sun and IBM versions) on Linux platforms, caused due to a Java defect. Refer to Java Bug Database for information on Java defect. Workaround: It is recommended that you upgrade to Java 1.8. Alternatively, you can set securerandom.source to file:/dev/./urandom. For example, Djava.security.egd=file:/dev/./urandom. |
| H | 151139 | Intermittent Error When Deleting Token Vaults From the Management Console. Summary: When deleting a token vault, particularly a vault with a large number of rows, the Management Console may seem to hang. This is because the Management Console does not remove the token vault entry until the database confirms that the vault has been deleted. The larger the vault, the more time this takes. During this time, if a KeySecure administrator attempts to refresh the web browser, or repeatedly clicks the delete button, the Management Console can reach an error state. Likewise, if a KeySecure administrator attempts to access the token vault entry during the delete process, the Management Console may return an inaccurate message, such as “Token vault does not exist”. Workaround: Do not interrupt the Management Console when deleting a token vault. Do not click the Delete button again, do not attempt to access the token vault entry in the Management Console or refresh the browser. The Management Console will indicate when the vault has been deleted from the database. |
| M | 117848 117846 | CT-V requires c3p0 settings and retry logic code when failover occurs in Oracle RAC environment. Summary: Calls to get(), insert(), update(), deleteToken(), and deleteValue() will not failover when the database server goes down.Workaround: To work around this issue: 1. Set the following c3p0 parameters in the SfntDbp.properties file:• c3p0.testConnectionOnCheckin=true • c3p0.idleConnectionTestPeriod=10 • c3p0.preferredTestQuery=select * from dual 2. Place the API call in the try block and decrement the loop counter in the catch block to retry for the same input value as shown in Retry Logic Code below: while (true) { |
Compatibility and Upgrade Information
CT-V 8.12.4 is compatible with CipherTrust Manager 2.2 and higher versions.
Installation and Upgrade Instructions
Refer to CipherTrust Manager User Guide for complete installation and upgrade instructions for the server, and CipherTrust Vaulted Tokenization User Guide for the client and token vault details.
Installation Prerequisites for Client
Supported Java versions are 8 (minimum 1.8.0_111), 10, 11, 17.
Installing CT-V in the .NET environment, requires the following:
A recent version of .NET Framework is installed. It is recommended to use .NET version 4.0.
A token vault is already created.
Note
The
InstallShieldWizard first deletes the existing version of CipherTrust Vaulted Tokenization, and then installs the latest version.Before installing the latest version of CT-V in the .NET environment, manually uninstall SafeNet Tokenization 8.4.0 or lower versions, otherwise the installation will fail.
