Release Notes
Product Description
CipherTrust Vaultless Tokenization (CT-VL) is a platform-independent appliance (virtual machine or bare-metal) that offers REST-API services to protect sensitive data.
Release Description
This release includes an OS migration from CentOS to Ubuntu, along with security and bug fixes.
Note
Support for DSM and KeySecure as a key manager is deprecated from this release onward.
Support for Azure Linux Agent is deprecated from this release onwards.
CLI Command Changes
| Command | CT-VL 2.6.x to 2.8.3 | CT-VL 2.9.0 |
|---|---|---|
| network set --defroute | Supported | Not supported (use network set --dns and network set --gateway) |
| icapi setup | A message prompt to restart vts service is displayed | No message is displayed; the vts service restarts silently. |
| vts service --restart | Status is displayed | Status is not displayed |
| system df --direct | Supported | Not supported |
| system terminal --terminate ALL | Supported | Not supported |
| network dns | Supported | Not supported (use network set --dns) |
Resolved Issues
| Reference | Description |
|---|---|
| CADP-22387 | Mismatch in the number of log entries and data displayed on the CT-VL dashboard. |
| CADP-21154 | /var/log/messages log file does not rotate by size limit. |
Known Issues
| Reference | Description |
|---|---|
| CADP-28694 | Problem: Access logs information is missing from the GUI. |
| CADP-24392 | Problem: CT-VL backup fails because the large size of the counter tables leads to a timeout while using the GUI or API. |
| CADP-22956 | Problem: NGINX processes use more memory than usual when handling high traffic or heavy loads. Workaround: Monitor NGINX memory utilization during peak loads using the 'system top' command available in CT-VL, and restart the vts service. |
| CADP-27506 | Problem: When the input data length is less than or equal to the keep right count in the token template and the "Preserve NULL or 1 character inputs" option is selected, an empty "" token is returned. Workaround: To preserve single character input, set keep right count to a value smaller than the minimum input data length. |
| CADP-25444 | Problem: Tokenization/Detokenization calls return invalid token values intermittently when the key cache update fails. |
| CADP-24594 | Problem: Syslog reduces the number of logs when the same message appears repeatedly in a short time. |
| CADP-25380 | Problem: When an IP (valid or invalid) is added during the cluster add operation, the cluster remove command does not remove the IP from the cluster. |
| CADP-24695 | Problem: While upgrading from CT-VL 2.9.0 to 2.9.1, the vts upgrade --upload command does not work. Workaround: Use the vts upgrade --url command. |
| CADP-23317 | Problem: Syslog is compressing consecutive events into one entry "last message repeated X times". |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-21893 | During the restore process, the UI session times out after 10 minutes; therefore, it is recommended to use the CLI. Workaround: To monitor the data restore progress, use the following command: vts logfile --tail clish.log |
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. Upgrading to v2.6 or higher doesn't fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-21939 | CT-VL backup that used a DSM cannot be restored into a CT-VL 2.9.0 VM. |
| CADP-22912 | CT-VL does not adhere to Admin group permissions for encryption/decryption. |
| CADP-22321 | Error "502 Bad Gateway" occurs when a sign/verify operation is performed with an HMAC key of size 512. |
| CADP-22331 (CADP-23347) | Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-23336 | The CipherTrust Manager NAE mode: "TLS, verify client cert, user name taken from client cert, auth request is optional" is currently not supported. |
| CADP-23407 | Unable to use Client Certificate Authentication in CT-VL 2.9.0. Workaround: Create a client certificate with complete subject instead of Common Name only. |
| CADP-23420 | Server Certificate's show key command is not working in CT-VL 2.9.0. |
| CADP-23563 | Unable to download logs using REST in CT-VL 2.9.0. Workaround: To check the logs, use the CLI command: vts logfile --tail <logfile name> |
| CADP-22736 | Key cache expiration setting does not work with a multi-node cluster. |
Limitations
Upgrade to CT-VL 2.9.0 is not supported. Refer to Migrating from CT-VL Lower Versions to 2.9.0 for details.
Auto-renewal of client certificate is not supported with CipherTrust Manager.