One Identity Safeguard for Privileged Sessions 6.4.0 - Release Notes

Deprecated features

The following is a list of features that are no longer supported starting with SPS 6.5.

Caution:

After SPS 6.5, CentOS 6 operating systems will not be supported for external indexers. This means that after upgrading to SPS 6.5, or the LTS maintenance release in that cadence, you will not be able to use your external indexers that are running on CentOS 6. Make sure that you prepare your affected systems for this change and upgrade to CentOS 7 or later.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.4.0
Resolved Issue Issue ID

Traceback in the logs after rejecting a four-eyes authorization request

A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected, the event is now handled properly.

PAM-10881

Traceback appears in the logs if the LDAP server is down

A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected, the error is now properly handled.

PAM-11028

False data in archiving notice

After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected.

NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead.

PAM-9615

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed.

PAM-10413

Timeout in RDGW sessions causes core files on SPS

If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected, such timeout errors are now handled properly.

PAM-11123

Resizing the screen in ICA sessions to span multiple monitors did not work

If the number of relayed monitor screens was changed during an ICA session, the change was not relayed by SPS properly, which made such changes impossible. The problem is now fixed and it is possible to change the number of monitors during the session.

PAM-10988

Sessions are terminated when using the credit-card detection and alerting features

In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected.

PAM-11134

RDP sessions shown as active even after client disconnects

In certain cases, SPS reported RDP sessions as active even after the client had disconnected. This has been corrected.

PAM-11168

Client unexpectedly closes RemoteApp sessions

In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected, the unneeded certificate is not sent to the client.

PAM-11187

Overriding the global verbosity level in ICA connection policies had no effect

In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level.

PAM-11251

Configuration changes not taking effect

In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen, for example, when networking changes were committed and restarting the networking service was very slow. This has been corrected, such errors are now handled properly.

PAM-10336

Password reuse always allowed when changing the password over REST

It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password change was performed through the REST API. It is now fixed and the restriction is enforced over the API, too.

PAM-11213

Remote Desktop Gateway authentication fails for Windows 2012 R2 clients

Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2, ver. 6.3.9600 Protocol 8.1). This has been corrected.

PAM-9967

IPv6 routing table is missing from the support bundle

The IPv6 routing table was missing from the support bundle. This has been corrected.

PAM-10354

Improve the debug logging of ldapservice

The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs.

PAM-11135

Failed screenshots in content subchapter reports

Using an external indexer or near real-time indexing led to failed screenshots in content subchapter reports, indicated by the following error message in the logs:

'Cannot retrieve image for screencontent'

This has been corrected, screenshots are now properly generated for the reports.

PAM-10190

Following trail downloaded from Active Connections generates multiple Audit trail download events on Search

When an .srs trail downloaded from the Active Connections page was followed in Desktop Player, a new entry was added to the 'Audit trail downloads' section on the Search > Details page of the connection every second.

This has been fixed: the 'Audit trail downloads' section now displays the download event only once per trail download initiated from the Active Connections page.

PAM-10669

Additional Metadata field may contain Gateway Password

In certain cases, the "Additional Metadata" field contained the Gateway Password used in the session. This is the password that the user used to authenticate on the SPS gateway, and belongs to the Gateway Username of the user. The passwords used to authenticate on the target servers were not affected.

For this error to occur, all of the following circumstances must have been met:

  • the client used an SSH session to access remote servers

  • in a joined SPS-SPP scenario

  • that used the SPS-initiated workflow

  • where the Authentication Policy of the SSH Connection Policy used the "Password" Gateway Authentication Method

  • and the version of the SPS appliance is 6.2.0 or 6.0.2.

The error has been corrected.

To find out whether this error has occurred in your environment, complete the following steps.

  1. Log in to your SPS appliance as a user who has access to the Search page.

  2. On the Search page, enter the following search query: recording.additional_metadata: gp=

    • If there are no search results, the error did not occur in your environment. Upgrade to SPS version 6.3.0a or 6.0.3 to ensure that it does not occur in the future.

    • If there are search results, continue with the next step of this procedure.

  3. Click the ... button on the right of the Export CSV button.

  4. Add the Gateway Username and the Recording Connection Policy fields to the list of fields to export.

  5. Check which Authentication Policies are used by the Connection Policies that appear in the Recording Connection Policy fields.

  6. Navigate to SSH Control > Authentication Policies, and check which Authentication Backend the affected Authentication Policies use.

  7. Contact the users appearing in the Gateway Username field to change their password in the affected backends.

PAM-11073
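
Steps 3 to 7 of the procedure above can be scripted once the CSV is exported. The following is an added example, not part of the original release notes or of One Identity's tooling; the column headers, the sample rows, and the policy and backend names are assumptions. If the export includes the Additional Metadata column, the file itself contains the leaked value, so the script reads that column only to confirm the `gp=` marker and never copies it to its output.

```python
import csv
import io
from collections import defaultdict

# Assumed column headers of the exported CSV; adjust to match your export.
COL_USER = "Gateway Username"
COL_POLICY = "Recording Connection Policy"
COL_META = "Additional Metadata"  # optional; only present if you exported it

# Constructed sample export (not real data).
SAMPLE_EXPORT = """Gateway Username,Recording Connection Policy,Additional Metadata
alice,ssh-prod,gp=<redacted>
bob,ssh-prod,gp=<redacted>
alice,ssh-prod,gp=<redacted>
carol,ssh-lab,gp=<redacted>
,ssh-lab,gp=<redacted>
dave,ssh-dmz,ticket=1234
"""

# Filled in by hand from steps 5 and 6 (constructed names):
# Connection Policy -> Authentication Backend of its Authentication Policy.
POLICY_BACKEND = {"ssh-prod": "ldap-corp", "ssh-lab": "local-users"}


def affected_users_by_policy(csv_text):
    """Return {connection policy: sorted unique gateway usernames}.

    The metadata column is used only to confirm the "gp=" marker and is
    never copied to the result, so the output holds no password material.
    """
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        meta = row.get(COL_META)
        if meta is not None and "gp=" not in meta:
            continue  # row does not match the search query
        user = (row.get(COL_USER) or "").strip()
        policy = (row.get(COL_POLICY) or "").strip()
        if user:
            users[policy or "UNKNOWN POLICY"].add(user)
    return {policy: sorted(names) for policy, names in users.items()}


def password_change_worklist(by_policy, policy_backend):
    """Return {authentication backend: sorted users who must change password}."""
    work = defaultdict(set)
    for policy, names in by_policy.items():
        # Policies not yet looked up in the UI are kept visible, not dropped.
        work[policy_backend.get(policy, "UNRESOLVED: " + policy)].update(names)
    return {backend: sorted(names) for backend, names in work.items()}


if __name__ == "__main__":
    by_policy = affected_users_by_policy(SAMPLE_EXPORT)
    worklist = password_change_worklist(by_policy, POLICY_BACKEND)
    for backend, names in sorted(worklist.items()):
        print(f"{backend}: {', '.join(names)}")
```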

Deadlock in HTTP proxy

In some rare cases, the HTTP proxy could get into a deadlock and stop working.

This has been fixed.

PAM-11016

HA takeover issues after multi-step upgrades

If a system was upgraded in multiple steps (e.g. from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes.

The problem has been fixed and these kinds of upgrades now work well.

PAM-11292

Report generator service failure

In some cases, the report generator service on the SPS appliance could fail due to a problem in the way the "Top 10 users" reports were generated.

The problem has been fixed and reports are generated properly.

PAM-10389

Error messages not shown during Starling join

When a join to the Starling platform was initiated, error messages, such as SSL certificate errors, were not shown to the user, making troubleshooting difficult.

These error messages are now shown on the UI.

PAM-10969

Dynamic Virtual Channels in RDP proxy are not handled properly

Some of the Dynamic Virtual Channels in RDP proxy were allowed even if they were not enabled in a channel policy.

This has been fixed: such channels must now be explicitly added to the "Permitted channels" under the Dynamic Virtual Channels channel policy.

PAM-11319

The built-in Cisco pattern set in telnet proxy does not work with Cisco Nexus 5000 devices

Due to a different login prompt, the built-in Cisco pattern set did not extract the username properly on Cisco Nexus 5000 devices.

This has been fixed.

PAM-10908

Wrong file transfer direction in RDP proxy

File uploads (from the client machine to the remote server) were tagged with "download", and downloads (from the remote server to the client machine) with "upload".

This has been corrected, and file transfers are now tagged properly.

PAM-10799

Table 2: General resolved issues in release 6.3.0
Resolved Issue Issue ID

Downloading audit trails fails on the Central Search node

In a cluster environment, downloading audit trails from the web interface failed on the Central Search node. This has been corrected.

PAM-10971

The Protocol field on the Search page contains invalid value

In certain cases, the Protocol field contained the '-1' value instead of the name of the protocol. This has been corrected.

PAM-10906

The connections of an SPP access request on a joined SPS-SPP fail after upgrading to SPS 6.2

The automatic upgrade of the SGAA/SGCredStore plugins caused a failure during the connections due to a plugin wrapper selection mistake. The plugin wrapper selection is fixed, connections now work as expected.

PAM-10888

'Analytics details are not available' warning appears on the UI

In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session.

PAM-10886

The Analytics tab of a session keeps loading infinitely

Opening the Analytics tab of a session without the required privileges kept loading the page infinitely, instead of displaying a permission error. This has been corrected.

PAM-10859

If the session database is very large, opening new sessions is very slow

In some cases, persisting indexer job status updates and command/title events put a heavy load on the database, which caused long delays in opening new connections through SPS.

The way indexer events are persisted to the database has been optimized so that it should not add delay to new connections.

PAM-10821

Clicking on the chart in Flow view does not create the proper search query

Clicking on the chart in the Flow view of the Search page created incorrect search queries. This has been corrected.

PAM-10794

Report queries are not updated

In some cases, the queries of certain report subchapters were not updated, and therefore the reports contained outdated information. This has been corrected.

PAM-10787

Error in handling compressed ICA traffic causes the server to terminate the session

In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs:

'Compression PD: Unable to expand slab'

This has been corrected, the traffic is now handled properly.

PAM-10781

Corrections to the on-screen instructions on checking plugin integrity

The instructions on how to check the integrity of the plugins have been updated on the Basic Settings > Plugins page.

PAM-10675

None

When selecting a session on the Search page, clicking the 'Analytics' tab for the first time showed an unnecessary error message for a second, before the actual contents were loaded. This has been corrected.

PAM-10671

Files copy-pasted in FreeRDP sessions cannot be exported

Files copy-pasted in FreeRDP sessions were recorded in the audit trail, but exporting them failed. This has been corrected.

PAM-10668

Clicking the Back button on the Search page removes every filter

Clicking the Back button of the browser on the Search page removed every filter, not only the last one. This has been corrected.

PAM-10636

After deleting a filter on the Search page you cannot re-add it

After deleting a filter from the query on the Search page, clicking on the same field to re-add the filter did not have any effect. This has been corrected.

PAM-10583

Duplicate header appears on the ICA Control > Channel Policies page

While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected.

PAM-10575

The Edit option is displayed on the Search Subchapter page to users with only read rights

On the Reporting > Search Subchapters page, the Edit and Create New Subchapter options were visible even if the user had only Read privileges to the page. This has been corrected.

PAM-10429

SDP cannot replay VNC sessions with TightSecurity

SDP failed to replay audit trails that contained VNC over WebSocket sessions that had TightSecurity enabled. This has been corrected, now SDP can replay these sessions.

PAM-10279

Clicked values with special characters are not escaped on the Search page

Clicking on values on the Search page added the value to the search query, but special characters were not escaped, resulting in incorrect search queries if the selected value contained Lucene-specific characters. This has been corrected.

PAM-10234

Misspelled OK buttons on the web interface

Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected.

PAM-10155

Inaccurate warning when upgrading external indexers

When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected.

PAM-9707

Content search field does not handle the '<' character

Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, such queries are now handled properly.

PAM-9264

OpenSSL encryption failure when changing the password of a permanent keystore

In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message:

'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62'

This has been corrected.

PAM-8345

If completing the Welcome Wizard using the REST API fails, the appliance becomes unreachable

If completing the Welcome Wizard using the REST API failed, an internal error made the product unreachable: the IP address became 192.168.1.1 and the console access of the root user was disabled. From now on, the console access of the root user remains active, so it can be used to fix such situations.

PAM-7760

The 'Timestamping policy' field is displayed for Local policies

On the <Protocol> > Global Options > Audit page, the 'Timestamping policy' field was displayed even when the timestamping policy was set to 'Local'. This has been corrected, now the field appears only if 'Remote' timestamping is selected.

PAM-426

System requirements

Before installing SPS 6.4, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and Safeguard Desktop Player User Guide.

NOTE:

SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE:

The minimum recommended screen resolution for viewing One Identity Safeguard for Privileged Sessions's (SPS's) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or are above these values will guarantee an optimal display of the web interface.

Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.
