Deprecated features
The following is a list of features that are no longer supported starting with SPS 6.0.
-
X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.
-
DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.
-
The log ingestion feature of SPS has been removed from the product.
Deprecated features between SPS 5.1 and SPS 5.11
The following is a list of features that are no longer supported starting with SPS 6.0.
|
|
Caution:
Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release. If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1. If you do not know the type of your hardware or when it was purchased, complete the following steps:
|
-
Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.
-
SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:
-
You cannot configure SPS if your browser does not support at least TLSv1.
-
If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.
-
-
Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.
-
Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.
Shorter than 1024-bit SSH keys
Following the upgrade, support for less than 1024-bit SSH keys is lost.
You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.
Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or "Configuring usermapping policies" in the Administration Guide.
Minimum version of encryption protocol for the web UI
The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.
Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.
This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.
Deprecation of RPC API
The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.
Screen content search in sessions indexed by the old Audit Player
It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.
As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.
Resolved issues
The following is a list of issues addressed in this release.
| Resolved Issue | Issue ID |
|---|---|
|
Security package updates bind9:
busybox:
curl:
ffmpeg:
file:
isc-dhcp:
ldb:
libgd2:
libpng1.6:
libxslt:
linux:
lua5.3:
mysql-5.7:
nss:
openjdk-8:
openssh:
openssl1.0:
php7.2:
python-urllib3:
samba:
systemd:
tiff:
walinuxagent:
wget:
|
|
|
Search interface not available after cluster upgrade on certain versions When upgrading the cluster between certain versions, the search functionality was not available after the nodes rebooted. This has been fixed and the search backend starts up properly after a cluster upgrade. |
PAM-9768 |
|
Core file download button not visible for read-only users Read-only access rights to the Basic Settings/Troubleshooting page allows the user to download all kinds of debug information, including core files. The "Download" button was not visible for users with read-only rights, even though they could download these files via the API. The button is now shown correctly. |
PAM-9693 |
|
Limited logging for Citrix ICA connections Due to an internal error, system logging about Citrix ICA protocols did not work properly. Even though audit recording was unaffected, this made troubleshooting difficult. The problem was fixed and logging now works similarly to other protocols. |
PAM-9671 |
|
Rare crash when using Remote Desktop Gateway connections Due to an unhandled race condition, the RDP proxy could crash in very rare cases when a large number of Remote Desktop Gateway connections were open in parallel. The problem was fixed. |
PAM-9596 |
|
Changes to SIEM forwarder setting not applied Changes to the configuration of the SIEM forwarder except the initial setup were not applied until rebooting the machine or restarting the service. This is now fixed and all changes take effect immediately. |
PAM-9499 |
|
Stale RDP connections on the Active Connections page Since version 5.6, stale RDP sessions can remain unclosed and displayed on the "Active Connections" page. This is now fixed and all RDP sessions are now closed properly. |
PAM-9473 |
|
Wrong IP address in autogenerated HTTPS certificates Certificates generated for proxy mode HTTPS connections are using the IP address of SPS (the proxy) instead of the hostname/address of the target server. |
PAM-9337 |
|
AAA configuration (including root password) is not synchronized to the managed hosts in an SPS cluster The AAA configuration was blacklisted during the configuration synchronization between the central management and the managed host. This limitation is now solved, and AAA configuration is synchronized to the managed hosts. The AAA configuration contains the local users (including admin), therefore we added the root password to the synchronized configuration data, too. |
PAM-9295 |
|
Double check of group membership during public key-based gateway authentication in SSH When using public-key-based gateway authentication in SSH, the group filtering was performed twice, which could have a significant performance penalty. This is now fixed and this check is done only once. |
PAM-9268 |
|
Indexing RDP sessions may fail with "Size out of range" errror RDP sessions with multiple channels sometimes resulted in indexing errors ("Size out of range"). Such audit trails could not be opened in the Desktop Player. This has been fixed. |
PAM-9267 |
|
Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 cannot be replayed Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 could not be properly replayed, and contained garbled screens. The error has been corrected, SPS 6.0 now properly record such sessions, so they can be properly replayed. |
PAM-9232 |
|
Report a more descriptive error message when firmware upload fails When a firmware upload fails because of insufficient disk space, invalid file uploaded, or a similar error, now a more descriptive message is displayed instead of a generic error message. |
PAM-9231 |
|
Indexing certain archived sessions fails Indexing jobs sometimes failed with the "No such file or directory" error message. This occurred when the audit trail of the session has already been archived and the remote archive was not mounted. Now the indexer automatically remounts such archives to complete the indexing. |
PAM-9230 |
|
Deleting keytabs failed when "Verbose system logs" (debug logging) was turned on When "Verbose system logs" (debug logging) was turned on, then a server side error prevented deleting keytabs. This has been fixed. |
PAM-9224 |
|
None The owner of the configuration lock was not reset within a browser session. As a result, if two different users logged in after each other in the same web browser, and the second user visited the Search > Search or Basic Settings > Cluster management pages, then the System monitor showed that the configuration is locked by , and the user could not edit the configuration. This problem has been fixed. |
PAM-9150 |
|
SSH sessions disconnect if SPS cannot find the account in the Credential store If a credential store was defined for a Connection Policy and SPS could not find an entry for the given target account in the store, it disconnected immediately instead of prompting the client to authenticate. This has been fixed, and now the fallback is triggered properly. |
PAM-9128 |
|
On an appliance with a Search minion role, generating daily/weekly/monthly reports results in several error e-mails On an appliance with the Search minion role, when generating reports every Day / Week / Month, selecting "Send reports in e-mail", and attempting to inculde a Search subchapter in the report resulted in receiving several error e-mails from all Search minions that were configured in that cluster environment. The error message in the e-mails was: "Unknown error: Error while fetching data via REST client, error: Error response got from REST client, status code: 500, reason: The search backend is unaccessible." This has been corrected, no error messages will be sent. If you want to include Search subchapters in your reports, generate them on the appliance with the Search master role. |
PAM-9001 |
|
Searching for audit trails that are not indexed is not working In some cases if the connection database was big, searching for audit trails that are not indexed on the Search > Search (classic) page did not work properly. (Selecting the 'Not indexed' option in the "Channel's Indexing Status" column resulted in a search query that was never completed.) This has been fixed. This has been corrected. |
PAM-9000 |
|
Failed SSH sessions can cause the System Monitor to show negative value as the number of active sessions When certain incompatible configuration settings are used (for example, GSSAPI authentication with autologin), a failed SSH connection attempt could decrease the active session count, eventually pushing it below zero. This is now fixed and such failed connections don't change the number of active sessions. |
PAM-8959 |
|
Unnecessary health check warnings in the logs of the Search master node In central search mode, the proxies are disabled on the Search master node. However, the built-in health check processes still checked the status of the proxies and logged a warning message. This warning is now disabled for search master nodes. |
PAM-8857 |
|
Generating certificates fails for long host and domain names SPS generates several certificates internally, and it uses the configured hostname and domain name for the appliance in the Common Name (CN) of these certificates. If any of these were long, the CN could go beyond the 64-character limit of the underlying OpenSSL libraries and the certificate generation failed. The appliance now truncates the strings to make sure the CN stays below the 64-character limit. |
PAM-8693 |
|
Multiple processing issues fixed in terminal based protocols with CJK characters The wide characters of CJK alphabets caused issues with command detection, video rendering, screenshot export in HTML, and the follow mode of the Safeguard Desktop Player. These are now fixed. |
PAM-8611 |
|
Session database upgrade fails for some ICA sessions Some older versions of SPS saved the protocol information of ICA sessions differently, using the name "CGP" instead of "ICA". The session database upgrade process was not prepared to handle that and moving such sessions to the new database failed. Such sessions are now handled correctly by the upgrade process. |
PAM-8465 |
|
The RDP domain membership configuration is displayed even if the appliance was not a member of the domain The RDP domain membership configuration was displayed even if the appliance was not a member of the currently configured domain. From now on, it is displayed only if the appliance is member of the currently configured domain. The status of the appliance (joined or not) is also displayed. |
PAM-8372 |
|
Insufficient error handling during external indexer initialization If an indexer failed to start up for some reason, in some scenarios it asked for the password for the decryption key for the trails instead of recognizing and logging the error. This is now fixed and startup errors are handled properly. |
PAM-8329 |
|
No warnings about encrypted sessions on the new search interface The Search > Search page did not warn the user if a session could not be played back because it was encrypted and the decryption key was not available in the keystore. This is now fixed and users get a warning that helps them solve the issue. |
PAM-7585 |
|
"Search subchapters" page only available to the "admin" user The "Search subchapters" report configuration page was only accessible to the "admin" user. The permission handling of this page has been corrected and it can be accessed by other users as well if they have the required Access Control rights. |
PAM-7136 |
|
Configuration interface is unresponsive during session database upgrade The System Monitor shows the status of the session database upgrade process. Unfortunately, the way it queryied the current status was highly inefficient, which could significantly slow down the entire web interface if the database being upgraded was large. The status check is now much more efficient and the UI remains responsive even during the upgrade. |
PAM-6204 |
System requirements
Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents: