SafeNet IDPrime Virtual 2.9.0
Issue Month: September 2025
Build Details
Server (Full version): 2.9.0
- IDPrimeVirtual_Server_Alpine - supports Luna HSM only
- IDPrimeVirtual_Server_Ubuntu - supports Luna and DPoD HSM
Server (Evaluation version)
- IDPrimeVirtual_Server_Evaluation - supports Luna and DPoD HSM
- Includes SoftHSM v2.5
- Enables test and installation without requiring additional licenses, limited to 500 tokens.
Product Description
SafeNet IDPrime Virtual (IDPV) is a PKI-based software authenticator that uses software-based smart token technology to deliver the strong two-factor security of a smart card in a cost-effective and convenient form. IDPV emulates the functionality of physical smart cards used for authentication, email, data encryption, and digital signing, enabling use cases such as VDI, BYOD, backup, and mobility on any device. It keeps the user's private key in an HSM and authenticates the user through OIDC-compatible Identity Providers (IDPs).
Release Description
SafeNet IDPrime Virtual v2.9.0 includes new features and bug fixes from the previous version.
New Features and Enhancements
- A new command-line tool, Tenant Migration Utility, has been added to SafeNet IDPrime Virtual. This optional utility migrates existing tenants that use 2048-bit exchange keys to 4096-bit exchange keys and updates the tenant metadata accordingly. The migration preserves existing tenant identifiers and attempts a non-destructive upgrade.
Caution
This migration is irreversible. Once a tenant is migrated to 4096-bit exchange keys, it cannot be reverted to 2048-bit. Before proceeding, take full backups and validate client compatibility. Treat this as a one-way operation.
- From IDPV Server v2.9, support has been added to update the PIN policy for both new and existing tenants.
Note
Existing tokens retain their previously configured policies. To apply the new PIN policy, delete the existing tokens and recreate them under the updated or newly created tenant.
- (Optional) A new claim, tenant_identifier, may be included in the IDP JWT to enable validation of the tenant against the tenant ID used in API calls. This claim serves as an additional mechanism for tenant ID verification through the JWT.
- The following APIs are added:
Change PIN API
Users can now change their own PIN. The new PIN must comply with the PIN policy configured for the respective tenant.
POST /IDPrimeVirtual/Provisioning/V1.0/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Role/{roleName}:ChangePin
Request
{
  "oldPin": "string",
  "newPin": "string"
}
Unblock PIN API
Operators can now unblock users' PINs.
/IDPrimeVirtual/Provisioning/V1.0/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Role/{roleName}/UnblockPin
After a PIN is unblocked, the end user must reconnect the token.
Certificate Renewal Signing Request API
The CertificateRenewalSigningRequest API renews a certificate by generating a Certificate Signing Request (CSR) for an existing certificate key.
/IDPrimeVirtual/Provisioning/V1.0/Tenants/{tenantId}/Users/{userId}/Keys/{keyId}/CertificateRenewalSigningRequest
Usage Workflow
- Take backup: Back up your old certificate before renewal.
- Generate CSR: Create a CSR using the following CSR template:
  {
    "signAlgorithm": "<Sign algorithm>",
    "subjectDistinguishedName": "<Subject name>",
    "keyUsage": [],
    "extendedKeyUsage": [],
    "subjectAlternativeName": "<optional>",
    "rsaKeySize": "<2048/3072/4096>"
  }
  The rsaKeySize parameter is mandatory and must match the key size of the existing certificate.
- Submit CSR to CA: Use the generated CSR to request a renewed certificate from your Certificate Authority (CA).
- Update Certificate: Once the CA issues the renewed certificate, use the Update Certificate API to update the certificate information in the system. Set the X-IDPrimeVirtual-IsCertificateRenew parameter to true; otherwise, the existing certificate may be affected.
- The following APIs are updated:
Reset PIN API
The Reset PIN API resets a token PIN based on the configured PIN policies. This API cannot be used to reset the PIN of an operational token.
/IDPrimeVirtual/Provisioning/V1.0/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Role/{roleName}:ResetPin
Provisioning Get Certificates API
The Provisioning Get Certificates API now also returns the keyId of the certificate, which can be used to renew the certificate through the Certificate Renewal Signing Request API.
Request
/IDPrimeVirtual/Provisioning/V1.0/Tenants/{tenantId}/Users/{userId}/Tokens/{tokenId}/Certificates
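The renewal workflow above (back up, generate CSR, submit to CA, update with the renew flag) and the keyId now returned by Get Certificates fit together as one client-side procedure. The following is an added example, not code from Thales or from the IDPV product: it drives the documented routes through a recording stand-in for an HTTP client so it runs offline, and it enforces the two caveats the notes state (rsaKeySize must match the existing key, and X-IDPrimeVirtual-IsCertificateRenew must be true). Assumptions not on this page: the Get Certificates response is a list of objects carrying "keyId" plus a "thumbprint" field used only to pick the right entry; the Update Certificate endpoint's path, method and body key are not documented here, so the caller supplies the path and method and the body key "certificate" is a placeholder.

```python
"""Certificate renewal walk-through against the IDPV provisioning API (added example)."""
from typing import Callable, Dict, List, Optional

BASE = "/IDPrimeVirtual/Provisioning/V1.0"
ALLOWED_RSA_SIZES = (2048, 3072, 4096)          # the sizes the CSR template permits
RENEW_HEADER = "X-IDPrimeVirtual-IsCertificateRenew"


class RecordingTransport:
    """Stand-in for an HTTP client: records each call and replays canned responses."""

    def __init__(self, responses: List[object]):
        self.responses = list(responses)
        self.calls: List[Dict[str, object]] = []

    def request(self, method: str, path: str, headers: Optional[Dict[str, str]] = None,
                body: Optional[dict] = None) -> object:
        # A real client would JSON-encode `body`; kept as a dict here so tests can inspect it.
        self.calls.append({"method": method, "path": path,
                           "headers": dict(headers or {}), "body": body})
        return self.responses.pop(0)


def list_certificates(transport, tenant: str, user: str, token: str) -> List[dict]:
    """Provisioning Get Certificates (documented route); entries now include keyId."""
    path = f"{BASE}/Tenants/{tenant}/Users/{user}/Tokens/{token}/Certificates"
    return transport.request("GET", path)


def find_key_id(certificates: List[dict], thumbprint: str) -> str:
    # "thumbprint" is an assumed field used only to select the entry; keyId is documented.
    for cert in certificates:
        if cert.get("thumbprint") == thumbprint:
            return cert["keyId"]
    raise KeyError(f"no certificate with thumbprint {thumbprint}")


def build_csr_template(sign_algorithm: str, subject_dn: str, rsa_key_size: int,
                       existing_key_bits: int, key_usage=(), extended_key_usage=(),
                       san: str = "") -> dict:
    """Fill the documented CSR template; rsaKeySize is mandatory and must match the old key."""
    if rsa_key_size not in ALLOWED_RSA_SIZES:
        raise ValueError(f"rsaKeySize must be one of {ALLOWED_RSA_SIZES}")
    if rsa_key_size != existing_key_bits:
        raise ValueError(f"rsaKeySize {rsa_key_size} does not match the existing "
                         f"certificate key size {existing_key_bits}")
    return {
        "signAlgorithm": sign_algorithm,
        "subjectDistinguishedName": subject_dn,
        "keyUsage": list(key_usage),
        "extendedKeyUsage": list(extended_key_usage),
        "subjectAlternativeName": san,
        "rsaKeySize": str(rsa_key_size),     # the template shows this value as a string
    }


def request_renewal_csr(transport, tenant: str, user: str, key_id: str, template: dict):
    """CertificateRenewalSigningRequest (documented route) for the existing key."""
    path = f"{BASE}/Tenants/{tenant}/Users/{user}/Keys/{key_id}/CertificateRenewalSigningRequest"
    return transport.request("POST", path, {"Content-Type": "application/json"}, template)


def update_renewed_certificate(transport, method: str, update_path: str,
                               certificate_pem: str, is_renew: bool = True):
    """Update Certificate call; the renew flag must be true or the existing cert may be affected."""
    headers = {"Content-Type": "application/json",
               RENEW_HEADER: "true" if is_renew else "false"}
    # Body key "certificate" is a placeholder; this page does not document the update body.
    return transport.request(method, update_path, headers, {"certificate": certificate_pem})


def renew_certificate(transport, tenant: str, user: str, token: str, thumbprint: str,
                      rsa_key_size: int, existing_key_bits: int, sign_algorithm: str,
                      subject_dn: str, ca_sign: Callable[[object], str],
                      update_method: str, update_path: str) -> dict:
    """Run the four documented steps in order: back up, generate CSR, submit to CA, update."""
    certs = list_certificates(transport, tenant, user, token)
    key_id = find_key_id(certs, thumbprint)
    backup = next(c for c in certs if c["keyId"] == key_id)          # step 1: keep the old entry
    template = build_csr_template(sign_algorithm, subject_dn, rsa_key_size, existing_key_bits)
    csr = request_renewal_csr(transport, tenant, user, key_id, template)   # step 2
    new_cert = ca_sign(csr)                                                 # step 3: your CA
    update_renewed_certificate(transport, update_method, update_path, new_cert, True)  # step 4
    return {"backup": backup, "keyId": key_id, "csr": csr, "certificate": new_cert}
```

The guard in build_csr_template fails before any request is sent, which is where a size mismatch should be caught; the server-side behaviour on a mismatch is not described on this page.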
- For more clarity, new attributes have been added to both the client-side and server-side logs:
  - The Token name and TokenID attributes are added to the client logs.
  - The Card Serial attribute is added to the server logs.
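The optional tenant_identifier JWT claim listed under New Features exists so that the tenant named in the token can be checked against the tenant in the API path, which stops a token issued for one tenant from being replayed against another tenant's endpoints. The following is an added example of that cross-check, not the IDPV server's code and not the IdP's: HS256 with a shared secret stands in for the IdP's real signature scheme so the example runs offline, the secret and claims are constructed, and the choice to reject tokens that lack the claim is a policy assumption (the release note makes the claim optional).

```python
"""Cross-check a JWT's tenant_identifier claim against the tenant in the API path (added example)."""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"    # constructed; a real IdP would use its own keys
TENANT_IN_PATH = re.compile(r"^/IDPrimeVirtual/Provisioning/V1\.0/Tenants/([^/]+)(?:/|$)")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue an HS256 JWT; stands in for the IdP so the example is self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Verify the signature with a pinned algorithm and return the claims; raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never honour "none" or a swap
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(payload_b64))


def tenant_from_path(path: str) -> str:
    """Extract {tenantId} from a Provisioning API path."""
    m = TENANT_IN_PATH.match(path)
    if not m:
        raise ValueError("path does not address a tenant")
    return m.group(1)


def tenant_matches(path: str, token: str, secret: bytes = DEMO_SECRET,
                   require_claim: bool = True) -> bool:
    """True only if the JWT verifies and its tenant_identifier equals the tenant in the path."""
    claims = verify_jwt(token, secret)             # signature first; claims are untrusted until then
    claimed: Optional[str] = claims.get("tenant_identifier")
    if claimed is None:
        return not require_claim                   # policy assumption: the claim is optional per the notes
    return hmac.compare_digest(str(claimed).encode(), tenant_from_path(path).encode())
```

The order matters: the signature is verified before any claim is read, and the tenant comparison is made only against the tenant segment of the path, never against a tenant value taken from the request body.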
Default Password
Virtual IDPrime cards are supplied with the default token password "000000" (six zeros). The default Administrator password is 48 zeros.
Password Recommendations
We strongly recommend changing all device passwords upon receipt of a token or smart card, as follows:
- The user PIN should be at least 8 characters long and include characters of different types.
- PIN character types should include upper case, lower case, numbers, and special characters.
For more information, refer to the 'Security Recommendations' section in the SafeNet IDPrime Virtual Server-Client Product Documentation.
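The defaults and recommendations above, together with the Change PIN API introduced in this release, are enough to write a pre-flight check that refuses to send a weak new PIN. The following is an added example, not Thales code: it encodes the documented factory defaults and the recommended character rules, and builds the documented Change PIN request only when the check passes. It is a client-side sanity check, not the tenant's configured PIN policy, which the server enforces; the role name "User" used in the test is a placeholder.

```python
"""Pre-flight check of a new PIN before calling the Change PIN API (added example)."""
import string
from typing import List, Optional

DEFAULT_TOKEN_PASSWORD = "000000"        # six zeros: the documented default token password
DEFAULT_ADMIN_PASSWORD = "0" * 48        # the documented default Administrator password
MIN_PIN_LENGTH = 8                        # from the recommendations above
BASE = "/IDPrimeVirtual/Provisioning/V1.0"


def pin_findings(new_pin: str, old_pin: Optional[str] = None) -> List[str]:
    """Return the reasons a PIN falls short of the recommendations; an empty list means it passes."""
    findings: List[str] = []
    if new_pin in (DEFAULT_TOKEN_PASSWORD, DEFAULT_ADMIN_PASSWORD):
        findings.append("still the factory default")
    if len(new_pin) < MIN_PIN_LENGTH:
        findings.append(f"shorter than {MIN_PIN_LENGTH} characters")
    classes = {
        "upper case": any(c.isupper() for c in new_pin),
        "lower case": any(c.islower() for c in new_pin),
        "numbers": any(c.isdigit() for c in new_pin),
        "special characters": any(c in string.punctuation for c in new_pin),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character types: " + ", ".join(missing))
    if len(set(new_pin)) < 2:
        findings.append("fewer than two distinct characters")
    if old_pin is not None and new_pin == old_pin:
        findings.append("same as the current PIN")
    return findings


def build_change_pin_request(tenant: str, user: str, token: str, role: str,
                             old_pin: str, new_pin: str) -> dict:
    """Build the documented Change PIN call (POST, route and body), refusing PINs that fail the check."""
    problems = pin_findings(new_pin, old_pin)
    if problems:
        raise ValueError("new PIN rejected: " + "; ".join(problems))
    return {
        "method": "POST",
        "path": f"{BASE}/Tenants/{tenant}/Users/{user}/Tokens/{token}/Role/{role}:ChangePin",
        "body": {"oldPin": old_pin, "newPin": new_pin},
    }
```

Run the check on the new PIN only; the old PIN is accepted as given because it may legitimately still be the factory default on first use.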
Compatibility Information
Operating Systems
The following operating systems are supported:
Server Operating Systems
- Ubuntu 22.04 and 24.04.3
- RHEL 8, 9, and 10
Middleware
- SafeNet Authentication Client R2 10.9.5951.0
- SafeNet Minidriver R2 10.9.5951.0
IDPV Windows Client
- Windows Client: 2.10.0.122
Virtual Smart Card Features
The table below lists the features supported by IDPV:
Feature | SafeNet IDPrime Virtual |
---|---|
Number of Keys | 15 max |
RSA Key Size | 2048-bit, 3072-bit, and 4096-bit |
RSA Padding | PKCS#1 v1.5 |
Hash and Signature Schemes | • SHA-2 512-bit • CKM_SHA1_RSA_PKCS_PSS • CKM_SHA256_RSA_PKCS_PSS • CKM_SHA384_RSA_PKCS_PSS • CKM_SHA512_RSA_PKCS_PSS |
Supported APIs | PKCS#11 v2.20, PKCS#15, MS CryptoAPI and CNG (CSP, KSP), PC/SC |
Supported cryptographic algorithms | 3DES, SHA-256, RSA 2048/3072/4096, RSA-PSS |
Execution of Third-Party Security Tools
- Aqua Trivy 0.66.0
- Anchore Grype v0.100.0
- Open Collective Dockle v0.4.14
- Anchore Syft v1.33.0
- Cisco ClamAV v1.4.3
Compatibility with Thales Applications
Virtual IDPrime cards can be used with the following products:
- SafeNet Authentication Service Private Cloud Edition (SAS PCE) with Keycloak / SafeNet Trusted Access (STA)
- SafeNet Authentication Client (SAC) R2 10.9.5951.0
- SafeNet Minidriver R2 10.9.5951.0
Resolved and Known Issues
This section lists the resolved and known issues that exist in this release. The following table defines the severity of the issues listed in this section.
Severity | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Resolved Issues
Issue | Severity | Synopsis |
---|---|---|
IDPV-7186 | M | An API is required that allows admins to unlock the tokens locked after exceeding the wrong-entry limit. |
IDPV-9235 | M | Database fields were requested to identify user IDs that have or haven’t used their IDPV-linked cards within a specified period. |
IDPV-9974 | H | Certificate import fails when attempting to import it with SoftHSM. |
IDPV-11017 | H | SSP fails to function when a certificate is imported from SAC. |
IDPV-11470 | H | Security vulnerabilities detected in the latest IDPV server build. |
IDPV-11593 | M | Certificates with shorter key lengths do not work as expected. |
Related Product Documentation
The following documentation is associated with this release:
ThalesDocs
We have attempted to make the documentation complete, accurate, and useful, but we cannot guarantee that it is perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.