One Identity Safeguard for Privileged Sessions 6.5.0 - Release Notes

Deprecated features

Arguments of Authentication and Authorization and Credential Store plugins that begin with target_ have been deprecated

These arguments were deprecated because the target_host and target_server arguments could contain either a hostname or an IP address.

New arguments have now been added to the Authentication and Authorization and Credential Store plugins to replace the deprecated ones. The new argument names explicitly define the values they contain: a server_ip argument always contains an IP address, and a server_hostname argument always contains a hostname.

The deprecated arguments are the following:

Authentication and Authorization plugin: get_password_list and get_private_key_list input arguments:

  • target_username

  • target_host

  • target_port

  • target_domain

Credential Store plugin: authorize method:

  • target_server

  • target_port

  • target_username

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.5.0
Resolved Issue Issue ID

SSH connections may not be denied when the server host key algorithm changes and the server host key check method is set to "Accept key for the first time".

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Accept key for the first time" in "SSH Control > Connections > Server side hostkey settings > Plain host key check" and SPS already stored a trusted key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported only the "ssh-ed25519" host key algorithm, then the connection succeeded, even though it should have been rejected.

The cause of this error was that SPS and the server negotiated "ssh-ed25519" as the host key algorithm, but since no "ssh-ed25519" host key was stored in SPS yet, it proceeded to learn the new "ssh-ed25519" key. This could have been used by a rogue server impersonating a legitimate server, to trick SPS into accepting a connection by offering a host key algorithm that the legitimate server did not offer.

This has been fixed: SPS now offers only those host key algorithms for which it already stores a trusted key. It offers all host key algorithms only when no trusted host key is stored yet for the target server.

PAM-11685

SSH connections may fail when the server side host key check method is set to "Only accept trusted keys"

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Only accept trusted keys" in "SSH Control > Connections > Server side hostkey settings > Plain host key check" and SPS has already stored a correct trusted server host key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported both the "ssh-ed25519" and the "ssh-rsa" host key algorithms, then the connection failed, even though it should have succeeded.

The cause of the connection failure was that SPS and the server negotiated the "ssh-ed25519" host key algorithm, not "ssh-rsa", but no trusted "ssh-ed25519" host key was stored.

This has been fixed: SPS now offers the server only those host key algorithms for which it already stores a trusted host key. When the host key check method is set to "Accept key for the first time" and no host key is stored yet, all algorithms are offered, which allows learning a preferred host key.

PAM-11531
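The two host key issues above (PAM-11685 and PAM-11531) come down to which host key algorithms the proxy lists during key exchange. The following added example, which is not SPS code, models the old and the fixed offer logic; the algorithm list, the sample key blobs, and the rule that "Only accept trusted keys" with nothing stored offers no algorithm are assumptions made for the illustration.

```python
# Added illustration of the host key algorithm offer logic described in
# PAM-11685 and PAM-11531. Not SPS code; the algorithm list, sample keys and
# the "nothing offered when nothing is trusted in trusted-only mode" rule are
# assumptions.

ACCEPT_FIRST = "Accept key for the first time"
TRUSTED_ONLY = "Only accept trusted keys"

# Preference-ordered host key algorithms the proxy understands (constructed).
ALL_HOSTKEY_ALGS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]


def offered_hostkey_algs(trusted_keys, check_method, fixed=True):
    """Algorithms the proxy puts in its KEXINIT host key name-list.

    trusted_keys: {algorithm: public key blob} stored for the target server.
    Before the fix every algorithm was always offered. After the fix only the
    algorithms with a stored trusted key are offered; all of them only when
    nothing is stored yet and the policy allows learning a key.
    """
    if not fixed:
        return list(ALL_HOSTKEY_ALGS)
    known = [alg for alg in ALL_HOSTKEY_ALGS if alg in trusted_keys]
    if known:
        return known
    if check_method == ACCEPT_FIRST:
        return list(ALL_HOSTKEY_ALGS)  # nothing stored yet: allow learning a key
    return []  # trusted-only with nothing trusted: no algorithm can succeed (assumption)


def negotiate(client_algs, server_algs):
    """RFC 4253 rule: the first algorithm in the client's list the server also supports."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


def check_host_key(alg, presented_key, trusted_keys, check_method):
    """Apply the plain host key check to the key the server presented."""
    if alg in trusted_keys:
        return "accepted" if trusted_keys[alg] == presented_key else "rejected: key mismatch"
    if check_method == ACCEPT_FIRST:
        return "accepted: learned new %s key" % alg
    return "rejected: no trusted %s key" % alg


def connect(trusted_keys, check_method, server_keys, fixed=True):
    """Simulate one server-side handshake; server_keys maps algorithm -> key blob."""
    offered = offered_hostkey_algs(trusted_keys, check_method, fixed)
    alg = negotiate(offered, server_keys)
    if alg is None:
        return "rejected: no common host key algorithm"
    return check_host_key(alg, server_keys[alg], trusted_keys, check_method)


# Constructed sample keys; opaque strings stand in for real public key blobs.
LEGIT_RSA = "rsa-key-of-legitimate-server"
ROGUE_ED25519 = "ed25519-key-of-rogue-server"

if __name__ == "__main__":
    stored = {"ssh-rsa": LEGIT_RSA}
    # PAM-11685: a server offering only ssh-ed25519 under "Accept key for the first time"
    print(connect(stored, ACCEPT_FIRST, {"ssh-ed25519": ROGUE_ED25519}, fixed=False))
    print(connect(stored, ACCEPT_FIRST, {"ssh-ed25519": ROGUE_ED25519}, fixed=True))
    # PAM-11531: the legitimate server supports both algorithms under "Only accept trusted keys"
    both = {"ssh-ed25519": "legit-ed25519", "ssh-rsa": LEGIT_RSA}
    print(connect(stored, TRUSTED_ONLY, both, fixed=False))
    print(connect(stored, TRUSTED_ONLY, both, fixed=True))
```

Running the block prints the old and fixed outcome of each scenario: the first shows the key being learned before the fix and the algorithm mismatch rejection after it, the second shows the spurious failure before the fix and the accepted ssh-rsa key after it.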

View log files > Tail window remains open even after the administrator has logged out.

The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator has logged out of their session. This has been corrected. Note that the window displaying the past log messages remains open even after logging out of the session.

PAM-11510

Missing timestamps in audit trails and "Error connecting TSA" messages in the logs.

A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed.

PAM-11391

Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster.

Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster.

PAM-11390

From now on, Chrome on a newer version of macOS accepts the certificate generated by SPS.

macOS has tightened its certificate policies, and the certificate generated by SPS was not compliant with them. In Chrome, the warnings about the invalid certificate could not be turned off, which left users unable to configure SPS for the first time.

During the initial configuration (or later) one could upload a custom server certificate, but the browser did not allow the user to reach SPS to configure it.

The newly generated certificate has the following additional properties:

  • validity is 800 days long;
  • extendedKeyUsage has been specified;

which makes it compliant with the recent Chrome+macOS combination.

PAM-11122

Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware)

During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration. This has now been fixed and these events are no longer generated.

PAM-10771

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

PAM-10316

A systemd service (proc-sys-fs-binfmt_misc.mount) failed to start at boot.

The proc-sys-fs-binfmt_misc.mount unit failed to start at boot. This generated alerts for the customer which resulted in SNMP trap or email, depending on the configuration. The service now starts at boot.

PAM-9935

In case of a high amount of information, a paginated data storage solution was implemented, but it was not used by the indexer tool.

To avoid overloading database operations, data storage (for example, storing screen content while collecting information from an audit trail) now works in an optimized way.

PAM-11523

When a large number of audit trails was stored on the disk, a process could cause performance issues during upgrade, HA takeover, or boot.

After this fix, this process runs only once.

PAM-11618

Under the "Reporting > Search subchapters" page, it was possible to navigate away from the page without saving the changes to the configuration, without any notification.

A notification dialog has been added: when the user has unsaved changes, they are now notified before leaving the page.

PAM-11347

Table 2: General resolved issues in release 6.4.0
Resolved Issue Issue ID

Traceback in the logs after rejecting a four-eyes authorization request

A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected; the event is now handled properly.

PAM-10881

Traceback appears in the logs if the LDAP server is down

A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected; the error is now properly handled.

PAM-11028

False data in archiving notice

After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected.

NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead.

PAM-9615

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed.

PAM-10413

Timeout in RDGW sessions causes core files on SPS

If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected; such timeout errors are now handled properly.

PAM-11123

Resizing the screen in ICA sessions to span multiple monitors did not work

If the number of relayed monitor screens was changed during an ICA session, SPS did not relay the change properly, which made such changes impossible. The problem is now fixed, and it is possible to change the number of monitors during the session.

PAM-10988

Sessions are terminated when using the credit-card detection and alerting features

In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected.

PAM-11134

RDP sessions shown as active even after client disconnects

In certain cases, SPS reported RDP sessions as active even after the client has disconnected. This has been corrected.

PAM-11168

Client unexpectedly closes RemoteApp sessions

In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected; the unneeded certificate is no longer sent to the client.

PAM-11187

Overriding the global verbosity level in ICA connection policies had no effect

In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level.

PAM-11251

Configuration changes not taking effect

In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen for example when committing networking changes, and restarting the networking service was very slow. This has been corrected, such errors are now handled properly.

PAM-10336

Password reuse always allowed when changing the password over REST

It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password change was performed through the REST API. It is now fixed, and the restriction is enforced over the API, too.

PAM-11213

Remote Desktop Gateway authentication fails for Windows 2012 R2 clients

Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2, ver. 6.3.9600, Protocol 8.1). This has been corrected.

PAM-9967

IPv6 routing table is missing from the support bundle

The IPv6 routing table was missing from the support bundle. This has been corrected.

PAM-10354

Improve the debug logging of ldapservice

The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs.

PAM-11135

Failed screenshots in content subchapter reports

Using the external indexer or near real time indexing led to failed screenshots in content subchapter reports, indicated by the following error message in the logs:

'Cannot retrieve image for screencontent'

This has been corrected, screenshots are now properly generated for the reports.

PAM-10190

Following trail downloaded from Active Connections generates multiple Audit trail download events on Search

When following an .srs trail downloaded from the Active Connections page through the Desktop Player, the 'Audit trail downloads' section on the Search > Details page of the connection was spammed every second.

This has been fixed: the 'Audit trail downloads' section now displays only one download event per trail download initiated from the Active Connections page.

PAM-10669

Additional Metadata field may contain Gateway Password

In certain cases, the "Additional Metadata" field contained the Gateway Password used in the session. This is the password that the user used to authenticate on the SPS gateway, and belongs to the Gateway Username of the user. The passwords used to authenticate on the target servers were not affected.

For this error to occur, all of the following circumstances must have been met:

  • the client used an SSH session to access remote servers

  • in a joined SPS-SPP scenario

  • that used the SPS-initiated workflow

  • where the Authentication Policy of the SSH Connection Policy used the "Password" Gateway Authentication Method

  • and the version of the SPS appliance is 6.2.0 or 6.0.2.

The error has been corrected.

To find out whether this error has occurred in your environment, complete the following steps.

  1. Log in to your SPS appliance as a user who has access to the Search page.

  2. On the Search page, enter the following search query: recording.additional_metadata: gp=

    • If there are no search results, the error did not occur in your environment. Upgrade to SPS version 6.3.0a or 6.0.3 to ensure that it does not occur in the future.

    • If there are search results, continue with the next step of this procedure.

  3. Click the ... button on the right of the Export CSV button.

  4. Add the Gateway Username and the Recording Connection Policy fields to the list of fields to export.

  5. Check which Authentication Policies the Connection Policies that appear in the Recording Connection Policy field use.

  6. Navigate to SSH Control > Authentication Policies, and check which Authentication Backend the affected Authentication Policies use.

  7. Contact the users appearing in the Gateway Username field to change their password in the affected backends.

PAM-11073

Deadlock in HTTP proxy

In some rare cases the HTTP proxy could get in a deadlock and stop working.

This has been fixed.

PAM-11016

HA takeover issues after multi-step upgrades

If a system was upgraded in multiple steps (for example, from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes.

The problem has been fixed and these kinds of upgrades now work well.

PAM-11292

Report generator service failure

In some cases, the report generator service on the SPS appliance could fail due to a problem in the way the "Top 10 users" reports were generated.

The problem has been fixed and reports are generated properly.

PAM-10389

Error messages not shown during Starling join

When a join to the Starling platform was initiated, the error messages such as SSL certificate errors were not shown to the user, making troubleshooting difficult.

These error messages are now shown on the UI.

PAM-10969

Dynamic Virtual Channels in RDP proxy are not handled properly

Some of the Dynamic Virtual Channels in RDP proxy were allowed even if they were not enabled in a channel policy.

This has been fixed: Dynamic Virtual Channels must now be explicitly added to the "Permitted channels" list of the Dynamic Virtual Channels channel policy to be allowed.

PAM-11319

The built-in Cisco pattern set in telnet proxy does not work with Cisco Nexus 5000 devices

Due to a different login prompt, the built-in Cisco pattern set did not extract the username properly in Cisco Nexus 5000 devices.

This has been fixed.

PAM-10908

Wrong file transfer direction in RDP proxy

File uploads (from the client machine to the remote server) were tagged with "download", and downloads (from the remote server to the client machine) with "upload".

This has been corrected; the transfer directions are now tagged properly.

PAM-10799

Table 3: General resolved issues in release 6.3.0
Resolved Issue Issue ID

Downloading audit trails fails on the Central Search node

In a cluster environment, downloading audit trails from the web interface failed on the Central Search node. This has been corrected.

PAM-10971

The Protocol field on the Search page contains invalid value

In certain cases, the Protocol field contained the value '-1' instead of the name of the protocol. This has been corrected.

PAM-10906

The connections of an SPP access request on a joined SPS-SPP fail after upgrading to SPS 6.2

The automatic upgrade of the SGAA/SGCredStore plugins caused a failure during the connections due to a plugin wrapper selection mistake. The plugin wrapper selection is fixed, connections now work as expected.

PAM-10888

'Analytics details are not available' warning appears on the UI

In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session.

PAM-10886

The Analytics tab of a session keeps loading infinitely

Opening the Analytics tab of a session without the required privileges kept loading the page infinitely, instead of displaying a permission error. This has been corrected.

PAM-10859

If the session database is very large, opening new sessions is very slow

In some cases, persisting indexer job status updates and command/title events put a heavy load on the database, which caused long delays in opening new connections through SPS.

The way indexer events are persisted to the database has been optimized so that it should no longer add delay to new connections.

PAM-10821

Clicking on the chart in Flow view does not create the proper search query

Clicking the chart in the Flow view of the Search page created incorrect search queries. This has been corrected.

PAM-10794

Report queries are not updated

In some cases, the queries of certain report subchapters were not updated, and therefore the reports contained outdated information. This has been corrected.

PAM-10787

Error in handling compressed ICA traffic causes the server to terminate the session

In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs:

'Compression PD: Unable to expand slab'

This has been corrected, the traffic is now handled properly.

PAM-10781

Corrections to the on-screen instructions on checking plugin integrity

The instructions on how to check the integrity of the plugins have been updated on the Basic Settings > Plugins page.

PAM-10675

None

When selecting a session in the Search page, clicking the 'Analytics' tab for first time showed an unnecessary error message for a second, before the actual contents were loaded. This has been corrected.

PAM-10671

Files copy-pasted in FreeRDP sessions cannot be exported

Files copy-pasted in FreeRDP sessions were recorded in the audit trail, but exporting them failed. This has been corrected.

PAM-10668

Clicking the Back button on the Search page removes every filter

Clicking the Back button of the browser on the Search page removed every filter, not only the last one. This has been corrected.

PAM-10636

After deleting a filter on the Search page you cannot re-add it

After deleting a filter from the query on the Search page, clicking on the same field to re-add the filter did not have any effect. This has been corrected.

PAM-10583

Duplicate header appears on the ICA Control > Channel Policies page

While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected.

PAM-10575

The Edit option is displayed on the Search Subchapter page to users with only read rights

On the Reporting > Search Subchapters page, the Edit and Create New Subchapter options were visible even if the user had only Read privileges to the page. This has been corrected.

PAM-10429

SDP cannot replay VNC sessions with TightSecurity

SDP failed to replay audit trails that contained VNC over WebSocket sessions that had TightSecurity enabled. This has been corrected, now SDP can replay these sessions.

PAM-10279

Values with special characters clicked on the Search page are not escaped

Clicking on values on the Search page added the value to the search query, but special characters were not escaped, resulting in incorrect search queries if the selected value contained Lucene-specific characters. This has been corrected.

PAM-10234

Misspelled OK buttons on the web interface

Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected.

PAM-10155

Inaccurate warning when upgrading external indexers

When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected.

PAM-9707

Content search field does not handle the '<' character

Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, such queries are now handled properly.

PAM-9264

OpenSSL encryption failure when changing the password of a permanent keystore

In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message:

'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62'

This has been corrected.

PAM-8345

If completing the Welcome Wizard using the REST API fails, the appliance becomes unreachable

If completing the Welcome Wizard using the REST API failed, an internal error made the product unreachable: the IP address became 192.168.1.1 and the console access of the root user was disabled. From now on, the console access of the root user remains active, so it can be used to fix such situations.

PAM-7760

The 'Timestamping policy' field is displayed for Local policies

On the <Protocol> > Global Options > Audit page, the 'Timestamping policy' field was displayed even when the timestamping policy was set to 'Local'. This has been corrected, now the field appears only if 'Remote' timestamping is selected.

PAM-426

System requirements

Before installing SPS 6.5, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January, 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and Safeguard Desktop Player User Guide.

NOTE:

SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE:

The minimum recommended screen resolution for viewing One Identity Safeguard for Privileged Sessions's (SPS's) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or are above these values will guarantee an optimal display of the web interface.

Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.