Release Notes for CTE UserSpace
| Release Note Version | Date |
|---|---|
| 10.2.0.72 | 2023-11-23 |
New Features and Enhancements
- FreeBSD with CTE-U
  You can now use CTE-U on FreeBSD, with the option of installing CTE-U in a FreeBSD jail. See FreeBSD: Using FreeBSD with CTE-U for more information.
- Restricting Access with Client Settings
  You can now restrict access with client settings, with `su` support. See Restricting Access with Client Settings for more information.
- Arm Processor
  Arm processors are now supported on Ubuntu 22 for v10.2.0 and subsequent versions.
Resolved Issues
- AGT-43828 [CS1447055]: List disk is not showing the disk on other node
  This feature requires direct I/O mode for loop devices, which the kernel loop driver did not support until kernel 4.10.
- AGT-46597: CTE-U not exporting GuardPoints over NFS
  An I/O error occurred when accessing GuardPoints over NFS. The issue has been fixed, and GuardPoints can now be exported over NFS. See Exporting GuardPoints over NFS for more information.
- AGT-46885: CTE Agents not returning to healthy state after CipherTrust Manager reboot
  After CipherTrust Manager rebooted, most or all clients remained in the warning state with the message `1 of 1 servers are poor responders`. This was caused by a long-poll problem: the CTE client tried to upload its status to CipherTrust Manager without sending a long-poll message, so the agent was never notified of the new status. Clients waited indefinitely and the warning was never cleared from CipherTrust Manager.
- AGT-48403 [CS1502762]: Read-only user is trying to edit the file; after edits, file is losing data
  When the FUSE writeback cache is enabled, the kernel accepts a write into the page cache before CTE-U sees it. If CTE-U then rejects that write under policy, the kernel has no way to undo the write it has already accepted, so the cache holds stale data that every user sees and that can eventually corrupt the file. The fix is to reject the open itself when the user or process lacks write access and the open flags request writing (`O_WRONLY`, `O_RDWR` or `O_TRUNC`).
- AGT-48639 [CS1510594]: Files displayed extra white space characters when read in VI
  For the `f_rd_att` action, set the effect to Permit, Apply Key.
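The following C program is an added illustration of the failure mode behind AGT-48403 and of why the fix lives in the open path; it is not CTE-U or Thales code. The policy rights (`can_read`, `can_write`), the toy writeback cache and the file contents are all constructed for the example. The cache model stands in for the kernel page cache: `write()` returns success into the cache, and the policy decision is only taken when the dirty data is flushed, which is too late to tell the writer or to roll the cache back. `policy_check_open` shows the enforcement point the fix uses, including `O_TRUNC`, which requests a modification regardless of the access mode in `O_ACCMODE` and is missed by a check that only looks at the access mode.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Policy rights of the calling user/process. Hypothetical input: in a real
 * FUSE filesystem this would come from the policy engine. */
struct policy { bool can_read; bool can_write; };

/* Enforcement at open(): reject any flag that implies modifying the file.
 * O_TRUNC is checked on its own because it asks for truncation regardless
 * of the O_ACCMODE access mode. Returns 0 to allow, or a negative errno. */
int policy_check_open(int flags, const struct policy *p)
{
    int accmode = flags & O_ACCMODE;
    bool wants_write = accmode == O_WRONLY || accmode == O_RDWR || (flags & O_TRUNC);
    bool wants_read  = accmode == O_RDONLY || accmode == O_RDWR;
    if (wants_write && !p->can_write) return -EACCES;
    if (wants_read  && !p->can_read)  return -EACCES;
    return 0;
}

/* Toy model of a writeback cache between write() and the filesystem. */
struct cached_file {
    char backing[64];   /* what the filesystem actually holds */
    char cache[64];     /* cached view seen by every reader */
    bool dirty;
};

void cached_open(struct cached_file *f, const char *contents)
{
    memset(f, 0, sizeof *f);
    strncpy(f->backing, contents, sizeof f->backing - 1);
    memcpy(f->cache, f->backing, sizeof f->cache);
}

/* Writeback-cached write: always succeeds from the writer's point of view. */
int cached_write(struct cached_file *f, const char *data)
{
    strncpy(f->cache, data, sizeof f->cache - 1);
    f->dirty = true;
    return 0;
}

/* Flush applies policy too late: on rejection the writer is gone and the
 * cache is not rolled back, so readers keep seeing the rejected data. */
int cached_flush(struct cached_file *f, const struct policy *p)
{
    if (!f->dirty) return 0;
    if (!p->can_write) return -EACCES;
    memcpy(f->backing, f->cache, sizeof f->backing);
    f->dirty = false;
    return 0;
}

const char *cached_read(const struct cached_file *f) { return f->cache; }

/* AGT-48403 scenario without the fix: a read-only user writes, the flush is
 * rejected, yet the cache now differs from the backing file (stale data).
 * Returns true when that staleness is observed. */
bool stale_after_rejected_write(void)
{
    struct policy ro = { .can_read = true, .can_write = false };
    struct cached_file f;
    cached_open(&f, "original");
    cached_write(&f, "edited-by-ro-user");   /* "succeeds" into the cache */
    int rc = cached_flush(&f, &ro);          /* -EACCES, but too late */
    return rc == -EACCES && strcmp(cached_read(&f), f.backing) != 0;
}

/* Same scenario with enforcement at open(): the open is refused, so nothing
 * ever enters the cache. Returns true when cache and backing still agree. */
bool consistent_with_open_check(void)
{
    struct policy ro = { .can_read = true, .can_write = false };
    struct cached_file f;
    cached_open(&f, "original");
    if (policy_check_open(O_RDWR, &ro) == 0)
        cached_write(&f, "edited-by-ro-user"); /* not reached */
    return strcmp(cached_read(&f), f.backing) == 0;
}

int main(void)
{
    printf("stale cache without open-time check: %s\n",
           stale_after_rejected_write() ? "yes" : "no");
    printf("cache consistent with open-time check: %s\n",
           consistent_with_open_check() ? "yes" : "no");
    printf("O_RDONLY|O_TRUNC for a read-only user -> %d\n",
           policy_check_open(O_RDONLY | O_TRUNC, &(struct policy){ true, false }));
    return 0;
}
```

The model deliberately leaves the cache untouched on a rejected flush, which is the behaviour the issue describes; the open-time check is the only point at which the refusal can still be reported to the process that asked for write access.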
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD
  Path lengths longer than 1024 characters are not supported.
- AGT-45125: Execute program from the GuardPoint
  Due to the implementation of the FreeBSD kernel, process sets and signature sets are not supported in CTE-U on FreeBSD.
- AGT-46856: FreeBSD 13.1 Documentation: FUSE protocol violation warning message
  The kernel driver displays this message because the file size reported by CTE-U differs from the size of the underlying file, so FuseFS assumes something has changed and raises the warning. The message is benign and can be ignored.
- AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled
  Thales will try to enhance this feature in a future release so that it reduces the logs further.
- AGT-47230: Missing IOCTL in CTE-U causes VMSec challenge to claim that a challenge is needed
  Invalid. CTE-U does not support challenge/response.
- AGT-48249: Direct IO does not work with mmap or buffered IO
  Writing to a file without direct I/O and then reading the same file with direct I/O through a different file descriptor, without first syncing or closing the first descriptor, causes the read to return incorrect data.
  Work-around
  Disable writeback cache:
- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access
  CTE-U does not support security rules with process sets or user sets for block devices. Refer to Sample Policy for Block Devices.
- AGT-48289: dkey not available after reboot on AWS EC2
  This issue is caused by a race condition during initial boot.
- AGT-48348: Raw device GuardPoint gets stuck in processing state after getting removed from agent
  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, `secfs-fuse` cannot be stopped cleanly; attempts to do so may hang, and recovery is then only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or earlier.
- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once
  Work-around
  Run the following Data Transformation cleanup command before transforming the data:
- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2
  If the file does not have write permission, updating its key ID fails and CTE-U generates an I/O error.
  Work-around
  In a CTE to CTE-U migration, you must have full write OS permissions on the files copied from the CTE backup to the CTE-U GuardPoint.
- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, the key stopped working after the user migrated from one CipherTrust Manager to another
  When a key is backed up and restored to a different domain or CipherTrust Manager, its key ID may change, which triggers a protection check in CTE-U designed to prevent accidental use of the wrong key or accidental double encryption.
  Work-around
  See Migrating an Encryption Key for more information.
- AGT-48659: CTE to CTE-U migration: embed GuardPoint command is not working
  After migrating from CTE to CTE-U, the command `dxf --embed --gp <path>` does not embed header information into the files.
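The C program below is an added reproducer for the sequence described under AGT-48249; it is not CTE-U or Thales code. It writes one block through a buffered descriptor, then reads the same range through a second descriptor opened with `O_DIRECT` while the first is still open and unsynced, and reports whether the direct read saw the buffered write. A second run calls `fdatasync()` on the buffered descriptor first, which is the application-side mitigation the issue text implies. The temporary file paths are assumptions; to exercise the known issue, point `direct_read_after_buffered_write` at a file inside a CTE-U GuardPoint instead. On an ordinary local filesystem both runs are expected to come back coherent, and a filesystem that refuses `O_DIRECT` is reported rather than treated as a failure.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum coherence_result {
    COHERENT = 0,              /* direct read saw the buffered write */
    STALE_DATA = 1,            /* direct read returned other data (the AGT-48249 symptom) */
    DIRECT_IO_UNSUPPORTED = 2, /* this filesystem refuses O_DIRECT */
    IO_ERROR = 3
};

#define BLK 4096

/* Write BLK bytes of 'A' through a buffered fd, then read offset 0 through a
 * second fd opened with O_DIRECT while the first fd is still open. With
 * sync_first != 0, fdatasync() is issued on the buffered fd before the read. */
enum coherence_result direct_read_after_buffered_write(const char *path, int sync_first)
{
    enum coherence_result res = IO_ERROR;
    char pattern[BLK];
    void *dbuf = NULL;
    memset(pattern, 'A', sizeof pattern);

    int wfd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (wfd < 0) return IO_ERROR;
    if (write(wfd, pattern, BLK) != BLK) { close(wfd); return IO_ERROR; }
    if (sync_first && fdatasync(wfd) != 0) { close(wfd); return IO_ERROR; }

    int rfd = open(path, O_RDONLY | O_DIRECT);
    if (rfd < 0) {
        res = (errno == EINVAL) ? DIRECT_IO_UNSUPPORTED : IO_ERROR;
        close(wfd);
        return res;
    }
    /* O_DIRECT requires block-aligned buffer, length and offset */
    if (posix_memalign(&dbuf, BLK, BLK) != 0) { close(rfd); close(wfd); return IO_ERROR; }
    ssize_t n = pread(rfd, dbuf, BLK, 0);
    if (n < 0 && errno == EINVAL)      res = DIRECT_IO_UNSUPPORTED;
    else if (n != BLK)                 res = IO_ERROR;
    else res = memcmp(dbuf, pattern, BLK) == 0 ? COHERENT : STALE_DATA;

    free(dbuf);
    close(rfd);
    close(wfd);   /* the first fd stays open until after the direct read */
    return res;
}

/* Creates a scratch file (assumed locations: /tmp, then the working directory). */
static int make_temp(char *out, size_t outlen)
{
    const char *templates[] = { "/tmp/cteu-dio-XXXXXX", "./cteu-dio-XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        snprintf(out, outlen, "%s", templates[i]);
        int fd = mkstemp(out);
        if (fd >= 0) { close(fd); return 0; }
    }
    return -1;
}

/* Runs the unsynced (known-issue) case and the fdatasync() case on one scratch
 * file. Returns the unsynced result; *synced receives the mitigated result. */
enum coherence_result run_check(enum coherence_result *synced)
{
    char path[64];
    if (make_temp(path, sizeof path) != 0) { *synced = IO_ERROR; return IO_ERROR; }
    enum coherence_result unsynced = direct_read_after_buffered_write(path, 0);
    *synced = direct_read_after_buffered_write(path, 1);
    unlink(path);
    return unsynced;
}

/* 1 when the mitigated run is coherent (or O_DIRECT is unsupported here) and
 * neither run hit an unexpected I/O error; 0 otherwise. */
int mitigation_holds(void)
{
    enum coherence_result synced;
    enum coherence_result unsynced = run_check(&synced);
    return unsynced != IO_ERROR && (synced == COHERENT || synced == DIRECT_IO_UNSUPPORTED);
}

int main(void)
{
    static const char *names[] = { "coherent", "stale data", "O_DIRECT unsupported", "I/O error" };
    enum coherence_result synced;
    enum coherence_result unsynced = run_check(&synced);
    printf("buffered write -> direct read, no sync:      %s\n", names[unsynced]);
    printf("buffered write -> fdatasync -> direct read:  %s\n", names[synced]);
    return 0;
}
```

Run it against a file on the GuardPoint before and after applying the writeback-cache work-around: the unsynced line should move from "stale data" to "coherent", while the fdatasync line should read "coherent" in both states.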