Release Notes for CTE UserSpace
Release Note Version | Date
---|---
10.3.0.65 | 2024-06-18
New Features and Enhancements
- Multifactor Authentication Support
  Multifactor Authentication ensures that the access credentials presented belong to the actual person logging in. CTE-U supports Multifactor Authentication through integration with the Keycloak MFA provider. CTE-U will continue to integrate with additional providers and release information about them in the future.
- Support for User Sets when Exporting NFS GuardPoints
  See Exporting GuardPoints over NFS for more information.
- Enhanced the Agent Health Monitor Guide to include Troubleshooting Guidance
  See Troubleshooting/Debugging CTE-U for more information.
Resolved Issues
- AGT-48289: dkey not available after reboot on AWS EC2
  This issue was caused by a race condition during the initial boot. This has been fixed.
- AGT-50686: Unable to guard sub-directory of an exported NFS share directory
  CTE-U cannot guard a sub-directory of an exported NFS share directory. The guarded path must be the same as the NFS exported path.
- AGT-50857: CipherTrust Manager user set, without the root user, failed to give a non-root user permission to mount the NFS directory
  Two methods are available to support a non-root user with an NFS mount (guarded on the NFS server):
  - Specify only the `gid` for the non-root user during user set configuration for the policy.
  - Include the root user during user set configuration in the policy, but limit the root user's permission with `Action = d_rd_att Effect = permit,audit` (this allows the root user to mount the NFS share but not to read the actual data).
- AGT-51115 [CS1526300]: chmod failure from NFS client
  This occurred because user sets were previously not supported for NFS export. They are supported now.
- AGT-56672 | AGT-55254: On RHEL 7.9, `secfs-fuse.service` hangs on re-registration
  The Falcon services were interfering with `secfs-fuse.service`. You must stop the Falcon services before re-registering the client. To stop the service, type:
  `systemctl stop falcon-sensor.service`
- AGT-57761: When running the Linux Test Project (LTP), it hangs when run on a guarded path
  The issue occurred when Amazon used older kernels that were performing MMAP I/O. The solution is to turn off `custom_cache_management` for these older kernels if their tools are going to perform MMAP I/O. To turn off `custom_cache_management`, type:
  `voradmin secfs config custom_cache_management 0`
Known Issues
- AGT-44852: Cannot delete very long file names in FreeBSD
  A path length longer than 1024 characters is not supported.
- AGT-45125: Execute program from the GuardPoint
  Due to the implementation of the FreeBSD kernel, process sets and signature sets are not supported in CTE-U on FreeBSD.
- AGT-46856: FUSE protocol violation warning message
  The kernel driver displays this message because the file size reported by CTE is different from the file size of the actual file, so FuseFS thinks something has changed and triggers the warning. This message is benign and can be ignored.
- AGT-47108: Enabling Concise logging does not reduce logs as compared to when it is disabled
  In the future, Thales will try to enhance this feature to reduce the logs more.
- AGT-48249: Direct IO does not work with mmap or buffered IO
  Writing to a file without direct IO, and then reading from the same file with direct IO, while using a different file descriptor, without syncing or closing the first file descriptor, causes the read to fail to get the correct data.
  Work-around: Disable the writeback cache:
  `voradmin secfs config writeback_cache_local 0 <GP>`
- AGT-48284: Access to the GuardPoint displays incorrect GuardPoint path and garbage in path on first access
  CTE-U does not support security rules with process sets, or user sets, for block devices. Refer to Sample Policy for Block Devices.
- AGT-48348: Raw device GuardPoint gets stuck in processing state after being removed from agent
  In SUSE Linux Enterprise Server 12 SP5, it is not possible to gracefully detach a GuardPoint from the loop device layer. As a result, it is not possible to cleanly stop `secfs-fuse`. Attempts to do so may result in a hang where recovery is only possible by power cycling the machine. For these reasons, block device GuardPoints are not currently supported on SUSE Linux Enterprise Server 12 SP5 or previous versions.
- AGT-48387: FreeBSD: Unable to run dataxform against the same directory more than once
  Work-around: Run the following Data Transformation cleanup command before transforming the data:
  `dataxform --cleanup --gp <gp_path>`
- AGT-48502: CTE to CTE-U migration on NFS v3/v4 with backup user generates I/O error when restored on CTE-U NFS GuardPoint in SLES and RHEL 9.2
  If the file does not have write permissions, then updating the keyid fails and CTE-U generates an I/O error.
  Work-around: In a CTE to CTE-U migration, you must have full write OS permissions for the files copied from the CTE backup to the CTE-U GuardPoint.
- AGT-48532 [CS1506097]: Using a Standard Policy with an XTS key, when a user migrated from one CipherTrust Manager to another CipherTrust Manager, the key stopped working
  When a key is backed up and restored to a different domain or CipherTrust Manager, the keyid may be changed and trigger a protection code in CTE-U that is designed to prevent accidental use of the wrong key or accidental double encryption.
  Work-around: See Migrating an Encryption Key for more information.
- AGT-48659: CTE to CTE-U migration: embed GuardPoint command is not working
  After migration from CTE to CTE-U, the command `dxf --embed --gp <path>` is not embedding header info into the files.
- AGT-49859: GuardPoints are not healthy when partial config is enabled for CTE-U client
  The Partial Config feature in CipherTrust Manager v2.15 GA requires CTE-U v10.2.0.80, v10.3.0.19 or subsequent versions.
- AGT-54610: Failed to create a file with only a `write` action in the key rule
  When a policy on CipherTrust Manager has only `write` access for a user/process set, the corresponding user/process set on the agent should be able to write to the file. However, due to the FUSE design, CTE-U needs to check for `getattr` permissions on every operation. Due to this limitation, CTE-U did not give the user the `write` permission.
  Work-around: Customers must grant read attribute permissions to all of the directories and files in the policy. Select the actions `d_rd_att`, `f_rd_att` and `write`.
- AGT-55110: Switching an existing MFA client profile that used `register_host` failed on CipherTrust Manager enrollment
  Work-around: In CipherTrust Manager, change the existing Multifactor Authentication `Select MFA Exempted User Set` parameter to your new target user set.
End of Life
- IBM is discontinuing support for Red Hat Enterprise Linux (RHEL) v7.0 on June 30, 2024. Therefore, CTE-U is discontinuing support for RHEL v7.0 in CTE-U v10.4.0 and subsequent versions.