Deprecated features
The following is a list of features that are no longer supported starting with SPS 6.0.
-
X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.
-
DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.
-
The log ingestion feature of SPS has been removed from the product.
Deprecated features between SPS 5.1 and SPS 5.11
The following is a list of features that are no longer supported starting with SPS 6.0.
|
|
Caution:
Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release. If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1. If you do not know the type of your hardware or when it was purchased, complete the following steps:
|
-
Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.
-
SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:
-
You cannot configure SPS if your browser does not support at least TLSv1.
-
If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.
-
-
Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.
-
Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.
Shorter than 1024-bit SSH keys
Following the upgrade, support for less than 1024-bit SSH keys is lost.
You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.
Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS.
Minimum version of encryption protocol for the web UI
The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.
Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.
This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.
Deprecation of RPC API
The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.
Screen content search in sessions indexed by the old Audit Player
It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.
As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.
Resolved issues
The following is a list of issues addressed in this release.
| Resolved Issue | Issue ID |
|---|---|
|
When SNMP service was enabled in Local Services, disk-related information was not included When SNMP service is enabled in Local Services, disk-related information such as free space and total capacity is now reported when the SNMP server is queried. |
PAM-13741 |
|
HTTP service aborts with "Fatal Python error: deallocating None" Under certain circumstances the HTTP proxy on SPS printed "Fatal Python error: deallocating None" to the logs and aborted while generating a core dump. The underlying reference counting issue has been fixed. |
PAM-13727 |
|
Zorp RDP instance could crash and create a core dump. Certain I/O patterns could trigger an assertion in the RDP proxy that led to a crash and a core dump file being written, terminating all currently active RDP connections. This has been fixed. |
PAM-13364 |
|
SPS now supports certificate chains with keys other than RSA/DSA. When a certificate chain is uploaded (for example, as the web server certificate), SPS verifies that the entire certificate chain is valid. A certificate chain is considered valid if it does not include weak certificates and a trust relationship exists between them. Previously, certificate chain validation has worked only for certificates that had RSA and DSA public keys. Other chains have been rejected with a "No such digest method" error message. This issue is now fixed so that every certificate chain that can be verified by OpenSSL 1.1.1 is now accepted. |
PAM-13154 |
|
Fixed a potential "Permission denied" error on the Sessions > Details > Analytics tab. Previously, if you have tried opening the Analytics tab of a session in Sessions > Details with a user that belonged to a user group with a specific set of permissions, you could receive a "Permission denied" error, preventing you to check the contents of the Analytics tab. This issue has been fixed so that the Analytics tab appears only if your user has the proper permissions to access it. |
PAM-13014 |
|
Fixed the Generate video (now known as Start rendering) button missing from the Search > Details page for SSH connections with a Session exec channel type. Previously, when opening the Details page of an SSH session on the Search interface, the Generate video button has been missing for SSH sessions with a Session exec channel type. This has been now fixed, so that the button (now known as Start rendering) always appears for such channels if they have renderable content. |
PAM-12927 |
| Resolved Issue | Issue ID |
|---|---|
|
Permission denied error on the session details tab You could get a Permission denied error on the session details tab if you created a group with special permissions. This has been fixed. |
PAM-13014 |
|
Administrator password cannot be changed over the REST API when user database is LDAP The "admin" user is always authenticated locally, so even though changing the password of normal users is not supported when LDAP user database is configured, it should still be allowed for the administrator's password. |
PAM-12706 |
|
Application proxy and message queuing data collection improved. By improving the data collection related to the internal application proxy and the message queuing subsystems, we allow our product experts to have a deeper insight in case of troubleshooting. The collected data is not available on any user interface but is a part of the generated support bundle. |
PAM-12686 |
|
The firmware installation is extended with a rollback functionality. The firmware installation is extended with a rollback functionality that restores the original state if the firmware installation fails on any node of an HA cluster that makes the installation process more fault-tolerant. |
PAM-12681 |
|
Title detection issue on Windows 10 with a high DPI scaling Title detection on Windows 10 with high DPI scaling of 100-200% DPI did not work properly. This has been fixed. |
PAM-12613 |
|
OCR engine failure In some cases, the OCR process reached an internal memory limit, which caused it to crash. This has been fixed and the internal memory limit was raised to meet the requirements of the new OCR engine. |
PAM-12434 |
|
Fixes an possible (harmless) error message that could occur when executing large archiving jobs concurrently. When an archive job affected a large amount of the data it could happen that multiple archive processes worked on the same directory. In special cases a race condition could occur when the existence and the creation of given directories were handled in parallel and the second creation attempt caused an error message that was logged and (depending on the current configuration) also sent out as email or SNMP alert. This fix makes the directory checking and creation more robust. |
PAM-12344 |
|
Changing RDP domain membership settings over REST API was not persisted It is possible to configure RDP domain membership over the REST API, except for actually joining the domain. When RDP domain membership was changed using the REST API, and the changes were committed, the configuration has been applied. However, it has not been persisted, which resulted in reverting to the previous RDP domain settings shortly thereafter, for example by committing changes on the web UI. This has been fixed, changing RDP domain membership settings on the REST API is now properly persisted. Note that joining the domain using the REST API is still not supported. |
PAM-4827 |
|
None In advanced statistics, the tables were truncated when too many columns were used in a table. With CSS modification, all text in tables are wrapped now and the tables fit into the size of the generated pdf. |
PAM-3364 |
| Resolved Issue | Issue ID |
|---|---|
|
Introduces a new feature to ease the information collection for troubleshooting purposes. A new directory (under /var/lib/support) has been created for files requested by support that will be automatically included by the support bundle. These files are kept only for a limited time (for a week after creation) to prevent them filling the disk up on a long run. The files bigger than 300MB are only listed in the bundle instead of having them to prevent to grow the bundles themselves over a manageable size. |
PAM-12384 |
|
Could not download a .zatx file larger than 1GB. A .zatx file larger than 1GB could not be downloaded. This has been fixed. |
PAM-12337 |
|
Dedicated hot spare disk monitoring added to the RAID status monitoring and send alert from them. Dedicated hot spare disk was not checked, because it was not part of the RAID array in term of the RAID controller, but it is a useful information to know the status of the dedicated hot spare disk. Now we check the status of the hot spare disk: send SNMP alert and show a RAID status warning about that. |
PAM-11701 |
|
Fixed unhandled invalid duration parameters Some of the invalid duration values were not handled on the Search page in the advanced search query filter. Consequently, the user received internal server error. This has been fixed and the user now will receive informative error messages about the correct values. |
PAM-11624 |
|
Audit trail location was not retrieved correctly. The exact location of an audit trail was not retrieved correctly in a cluster configuration. This has been fixed and now the audit trail location is retrieved correctly. |
PAM-11153 |
|
Cleanup left metadata on search local machine in case there was a search master in the cluster. The bug has been fixed and all data will be deleted properly during a cleanup. |
PAM-11117 |
|
Minor PCI-DSS report content changes PCI-DSS report contained some misspellings, outdated links and old naming conventions that have been fixed. |
PAM-11077 |
|
Fixed mapping of 0 value in pie chart When the Analytics score field was presented with a 0 value in the pie chart, the 'n/a' value was mapped in the report instead of 0 which is misleading. Now this problem is solved, so any field of a type 0 value is mapped to 0. |
PAM-10066 |
|
MD5 certificates may break the configuration If a certificate chain was uploaded as a Server X.509 certificate, which contained a certificate that was signed using the MD5 algorithm, the web server was unable to start. Since the MD5 signing algorithm is not considered as safe, such certificate chains are now rejected at all places at configuration time. This means that client or server certificate chains configured for any purpose (eg. for connecting to LDAP or mail server or configuring a Signing CA or a Timestamping Authority) are not accepted if any of the certificates in the chain (except the root) is signed using MD5. It is not possible to upgrade to this version of SPS if the current configuration contains such certificates or certificate chains. The only exception to this is the indexer / encryption "certificate", which is essentially just a container of a public key, therefore all the X.509 details are ignored for such certificates. Note that the current error which blocks the upgrade contains unnecessary technical details on the UI (this is tracked as PAM-12447). The relevant error message is that the "md [is] too weak". |
PAM-7758 |
| Resolved Issue | Issue ID |
|---|---|
|
Window title detection fix for Windows 2012 R2. Window title detection did not find window titles when the DPI was slightly higher than the default one on Windows 2012. |
PAM-12328 |
|
Linux desktop resizing issues with Citrix 1912 LTSR When using a Citrix Linux VDA with Citrix 1912 LTSR, the desktop could not be resized properly. This has been fixed. |
PAM-12255 |
|
Missing validation for RDP connections when NLA is enabled but TLS is not. When SPS was configured to use Network Level Authentication in an RDP connection, but Legacy RDP Security Layer was selected for that connection, then no connection could be established. A traceback was written to the system log. This has been fixed, SPS now validates that a connection for which NLA is enabled also has TLS Transport Security selected. |
PAM-12186 |
|
Having a mismatching host key stored on the appliance could make the host key configured in backup policies ignored. If the root user visited the backup host via SSH, it was prompted whether to have the offered host key stored or not. If the administrator selected to have it, that key was used later when performing backup (configured with Rsync over SSH), regardless the one configured on the WebUI. The fix ensures that the user provided host key will be compared to the one presented by the backup server. |
PAM-12173 |
|
SPS installation on Azure vm made the firmware tainted The service walinuxagent, which is required to be run on azure instances, creates files at runtime and this made the firmware tainted. These files have been added to the tainted whitelist. |
PAM-12090 |
|
Fixed timestamp conversion in report generation When the timezone of SPS was other than UTC, timestamps for recorded sessions got converted to local time twice accidentally. This has been fixed and the user should see the timestamps in connection with recorded sessions in their local time in case local timezone is applied on the box. |
PAM-12087 |
|
Certificate chain upload might fail with cross-signed intermediates When uploading a certificate chain, if any of the intermediate CA-s in the chain was also a publicly trusted root, the upload failed with an error message. This has been corrected. |
PAM-12059 |
|
RDP device redirection only works if the Sound channel is enabled Because of restrictions in Windows RDP servers device redirection only works if the "Sound" channel is enabled. A warning has been added that warns the user if device redirection is configured in the channel policies without having the "Sound" channel enabled. |
PAM-12051 |
|
Core files are produced when stopping or restarting proxy services The proxy service component could crash and write a core dump during shutdown when timestamping was enabled but the timestamping server was unreachable. |
PAM-12016 |
|
Empty MenuInfo block appears instead of login screen Invalid browser cookies could be set that prevented the rendering of the normal SPS login page.This has been corrected. |
PAM-11985 |
|
Save hashed PSK value in support bundle In order to diagnose clustering issues, it is important to verify that the cluster members share the same IPSec pre-shared keys, but this was impossible, because the values were masked out. Following this change, the generated PSK tokens of the configuration are replaced by their SHA256 hash value. This means that the comparison can be performed while the actual values still remain secret. |
PAM-11976 |
|
Traceroute: switch to ICMP Traceroute utility traditionally defaults to UDP probe packets, but such packets are likely to be filtered out by firewalls, even between SPS cluster nodes. It is expected that ICMP probes are more tolerated on networks, thus Troubleshooting > Traceroute has been changed to use ICMP instead of UDP. |
PAM-11755 |
|
Starting up and shutting down logs are transferred from boot journal to core firmware logs There were many cases when logs have not been transferred from boot journal store to core firmware. In that case, the network-related issues were not transferred. This has been corrected. Starting up and shutting down logs are transferred from boot journal to core firmware logs. This makes the investigation easier, because all the logs are in one place and these logs are stored for longer time. |
PAM-11738 |
|
Fixed protocol binding in REST-based subchapter configurations In REST-based reporting subchapter configurations under the binding options, protocol was either missing or it's value was written in lower case. However, protocol values in ElasticSearch are stored in upper case form and when reporting queried our REST with protocol filter, due to the casing mismatch, no data were retrieved or not exactly the right data was being retrieved in some situations. This has been corrected. |
PAM-11708 |
|
When an audit trail was missing from the SPS, all further archiving processes failed When an audit trail was missing from SPS, all further archiving processes failed. This has been corrected and the archiving will continue to the next audit trail file, and SPS records the error in the local database. |
PAM-11700 |
|
The firmware manipulation via console (core-shell) with firmwarectl synchronizes the firmware to the HA pair node. The firmwarectl console tool, which can be called on the core-shell, did not synchronize the firmware to the other HA node which caused firmware version mismatch in case of a failover. From now firmwarectl synchronizes the firmware to the other HA node just like the Basic Settings > High Availability page on the web-ui does. |
PAM-11642 |
|
Configuration of remote timestamping fails if policy is not set When configuring remote timestamping on the protocol Global Settings page and the policy OID was not set, committing the change failed with a generic error message. (When using the REST API, the error type was InvalidPropertyError.) This has been corrected. |
PAM-11401 |
|
Rename Balabit in email attachments In email attachments, Balabit Shell Control Box, which is the legacy product name, was still used. This has now been changed to One Identity Safeguard for Privileged Sessions. |
PAM-10911 |
|
Unable to change network settings In rare cases the appliance could boot with incomplete network configuration. This caused a configuration commit failure, on basic/networking page. This issue has been fixed. |
PAM-10498 |
| Resolved Issue | Issue ID |
|---|---|
|
Brackets were removed from around IPv6 addresses by the HTTP proxy in headers The HTTP proxy removed the brackets from around IPv6 addresses in relayed HTTP headers, eg. "Host: [2001:db8::]" became "Host: 2001:db8::1", which caused problems on the server side. This has been fixed and such headers are now relayed properly. |
PAM-11758 |
|
Error messages appear in HTTP proxy logs when Authorization headers are not valid base64 encoded data Our HTTP proxy tried to decode the Authorization header and if it could not, it logged an error because there was an error with the encoding. These log messages could be misleading as such headers happen frequently, so they were disabled. |
PAM-11713 |
|
Timestamps in upgrade logs are misleading During the upgrade SPS produces log files which are separated from the standard syslog. Into these log files the timestamps of the log lines were added manually. These timestamps were not accurate. |
PAM-11619 |
|
When high amount of audit trails were stored on the disk, a process could cause performance issues during upgrade, HA takeover or boot. After this fix this process will run only once. |
PAM-11618 |
|
Displaying the login page triggers General error (xcbError) SNMP or email alert When the login page was loaded in a browser, then a background request attempted to access a resource which mistakenly required an already authenticated user. If the General error (xcbError) alert was enabled on the Basic Settings / Alerting & Monitoring page, then this condition triggered sending SNMP or email alerts. This has been fixed. |
PAM-11597 |
|
HTTP request URIs were sometimes forwarded incorrectly to the target server, with escaped URI parts not kept properly escaped. The HTTP proxy in SPS improperly transformed URIs with escaped '/' characters. This has been fixed, and the requested URI is now passed intact to the target server. |
PAM-11534 |
|
In case of high amount of information, paginated data storage solution was implemented, but not used by the indexer tool. To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way. |
PAM-11523 |
|
High memory consumption related to the indexer-jobgenerator service with sessions containing lots of channels The jobgenerator service now handles channel related messages which are not required to store in memory anymore. |
PAM-11513 |
|
Assigning "All" privileges to a user group did not grant access to the Active Connections page Assigning "All" (read and write/perform) privileges to a user group at the Users & Access Control / Appliance Access (formerly: AAA / Access Control) page did not grant access to the Active Connections page for the selected group. This has been fixed. |
PAM-11392 |
|
Multiple IPv4 addresses on the network interface which is assigned to clustering can break cluster node communication if other than the first one is used for clustering Assigning multiple IPv4 addresses to the network interface which is used for clustering, and using other than the first one for secure communication between the cluster nodes results in a non-working configuration. Configuration validation has been extended with checks which prevent saving such configuration. |
PAM-11047 |
|
HA IP negotiation fails when more than two SPS hosts are accessible on the HA interface When more than two SPS instances are accessible through the HA interface, the third host cannot obtain a valid HA IP address as the other two addresses are already taken. As this is not a supported way of working, a warning message is now shown to the user on the console. |
PAM-10916 |
|
Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware) During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration. This has now been fixed and these events are no longer generated. |
PAM-10771 |
|
Unnecessary expiration warnings for indexer decryption key certificates The decryption keys and the certificates that belong to them, used by the internal indexer to process encrypted audit trails, may still be needed in the configuration in order to access older audit data, long after the certificate itself is expired. Due to this, the expiration of these certificates will no longer trigger configuration validation warnings. |
PAM-7653 |
|
Commit Log Requirement settings did not take effect immediately in REST API configuration transactions Changes in Commit Log Requirement settings did not take effect immediately in REST API configuration transactions. This has been fixed. Also, the response for {{GET /api/transaction}} requests now indicates if a commit message is required for saving configuration changes. |
PAM-4957 |
| Resolved Issue | Issue ID |
|---|---|
|
In case of high amount of information paginated data, storage solution was implemented but not used by the indexer tool. To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way. |
PAM-11523 |
|
View log files > Tail window remains open even after the administrator has logged out. The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator has logged out of their session. This has been corrected. Note that the window displaying the past log messages remains open even after logging out of the session. |
PAM-11510 |
|
Missing timestamps in audit trails and "Error connecting TSA" messages in the logs. A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed. |
PAM-11391 |
|
Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster. Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster. |
PAM-11390 |
|
Dynamic virtual channels in RDP proxy are not handled properly. Some of the Dynamic virtual channels in RDP proxy were allowed even if they were not enabled in a Channel Policy. Now it has been fixed and must be explicitly added to the "Permitted channels" under the Dynamic virtual channels channel policy. |
PAM-11319 |
|
HA takeover issues after multi-step upgrades If a system was upgraded in multiple steps (for example, from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes. This issue has been fixed and these type of upgrades now work well. |
PAM-11292 |
|
From now on, Chrome on a newer version of macOS accepts the certificate generated by SPS. The macOS has strictened its certificate policies, andthe generated certificate of SPS was not compliant with it. On Chrome, one could not turn off the warnings about the invalid certificate, rendering users unable to configure SPS for the first time. During initial configuration (or later) one could upload a custom server certificate of course, but the browser did not allow the user to reach SPS to configure it. The newly generated cert has the following additional properties:
which makes it compliant with the recent Chrome+macOS combination. |
PAM-11122 |
|
On HA takeover, the IP address of SPS was not updated in other computer's ARP table in certain conditions. SPS did not wait for the interface to be in the UP state, therefore sending the gratuitous ARP message was not successful when the interface didn't come up quickly. This has been fixed by waiting for the interface first. |
PAM-10860 |
|
Core files are generated for ICA sessions In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected. |
PAM-10316 |
|
A systemd service (proc-sys-fs-binfmt_misc.mount) failed to start at boot. The proc-sys-fs-binfmt_misc.mount unit failed to start at boot. This generated alerts for the customer which resulted in SNMP trap or email, depending on the configuration. The service now starts at boot. |
PAM-9935 |
| Resolved Issue | Issue ID |
|---|---|
|
Overriding the global verbosity level in ICA connection policies had no effect In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level. |
PAM-11251 |
|
Password reuse always allowed when changing the password over REST It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password changed was performed through the REST API. It is now fixed and the restriction is enforced over the API, too. |
PAM-11213 |
|
Client unexpectedly closes RemoteApp sessions In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected, the unneeded certificate is not sent to the client. |
PAM-11187 |
|
RDP sessions shown as active even after client disconnects In certain cases, SPS reported RDP sessions as active even after the client has disconnected. This has been corrected. |
PAM-11168 |
|
The SPS initiated workflow fails in case of SSH protocol. Starting with Safeguard for Privileged Sessions version 6.2 it became possible to join Safeguard for Privileged Sessions and Safeguard for Privileged Passwords and make use of the full password approval workflow in SPP for sessions initiated through SPS. This feature was backported to the 6.0.2 maintenance release, but due to a problem with the backport, it did not work properly for SSH sessions. The problem is now fixed and SSH sessions can also be used in this scenario. |
PAM-11139 |
|
Improve the debug logging of ldapservice The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs. |
PAM-11135 |
|
Sessions are terminated when using the credit-card detection and alerting features In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected. |
PAM-11134 |
|
Upgrading to SPS 6.0.2 fails if SPS is joined into SPP Because of an error in the upgrade of Safeguard plugins, upgrade to SPS 6.0.2 failed if SPS was joined to SPP. This has been corrected, in SPS 6.0.3 the upgrade works as expected. |
PAM-11132 |
|
Timeout in RDGW sessions causes core files on SPS If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected, such timeout errors are now handled properly. |
PAM-11123 |
|
Traceback appears in the logs if the LDAP server is down A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected, the error is now properly handled. |
PAM-11028 |
|
Resizing the screen in ICA sessions to span multiple monitors did not work If the number of relayed monitor screens was changed during an ICA session the change was not relayed by SPS properly which made such changes impossible. The problem is now fixed and it is possible to change the number of monitors during the session. |
PAM-10988 |
|
'Analytics details are not available' warning appears on the UI In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session. |
PAM-10886 |
|
Traceback in the logs after rejecting a four-eyes authorization request A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected, the event is now handled properly. |
PAM-10881 |
|
After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed. |
PAM-10413 |
|
IPv6 routing table is missing from the support bundle The IPv6 routing table was missing from the support bundle. This has been corrected. |
PAM-10354 |
|
Configuration changes not taking effect In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen for example when commiting networking changes, and restarting the networking service was very slow. This has been corrected, such errors are now handled properly. |
PAM-10336 |
|
Failed screenshots in content subchapter reports Using external-indexer or near real time indexing lead to failed screenshots in content subchapter reports, indicated by the following error message in the logs: 'Cannot retrieve image for screencontent' This has been corrected, screenshots are now properly generated for the reports. |
PAM-10190 |
|
Remote Desktop Gateway authentication fails for Windows 2012 R2 clients Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2 , ver. 6.3.9600 Protocol 8.1). This has been corrected. |
PAM-9967 |
|
False data in achiving notice After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected. NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead. |
PAM-9615 |
|
If completing the Welcome Wizard using the REST API fails, the appliance becomes unreachable If completing the Welcome Wizard using the REST API failed, an internal error made the product unreachable: the IP address became 192.168.1.1 and the console access of the root user was disabled. From now on, the console access of the root user remains active, so it can be used to fix such situations. |
PAM-7760 |
| Resolved Issue | Issue ID |
|---|---|
|
In some cases persisting indexer job status updates and command/title events made a big load on the database which caused big delays in opening new connections through SPS. The way of persisting indexer events to the database was optimized in a way that it should not add delay on new connections. |
PAM-10821 |
|
Error in handling compressed ICA traffic causes the server to terminate the session In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs: 'Compression PD: Unable to expand slab' This has been corrected, the traffic is now handled properly. |
PAM-10781 |
|
Ignore the actual result of the whoami request when checking the availability of an LDAP server To check the availability of an LDAP server, SPS performs a "who am I" query against that server. If that query was disabled on the server, SPS treated the response as a sign of the server being down, even if it was handling other requests properly. This behavior has been changed and SPS now only checks if the server responds at all. |
PAM-10729 |
|
Low idle timeouts on LDAP servers not handled correctly SPS did not correctly handle if an LDAP server closed idle sessions after less than 600 seconds. After this fix, idle timeout settings above 120s work correctly. |
PAM-10674 |
|
Connection data backup not available in the console menu It is possible to manually initiate a backup process from the menu accessible via SSH or the appliance console. Due to a bug, only the system backup option was available there and the option to backup data associated with connection policies (such as audit trails) was not. This is now fixed and all backup options are available again. |
PAM-10576 |
|
Duplicate header appears on the ICA Control > Channel Policies page While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected. |
PAM-10575 |
|
Login page can redirect to arbitrary external sites To streamline the login process, SPS was able to redirect the user to the site they originally wanted to access after a successful login. However, this feature also redirected the user to any URL if the login page was accessed through a properly crafted link. This made phishing attacks against the administrators of SPS easier, so the login page now only redirects to URLs on SPS itself. |
PAM-10560 |
|
On an extremely overloaded machine, the OCR scanning (indexing) process could crash When the machine was so overloaded that the connection between the process that controls the OCR scanning and indexing operation (indexerworker) and the process doing the computation (indexerservice) was lost, the worker process tried to abort the processing but crashed. The index job might be finished successfully later. The problem was fixed and the worker process now handles this outage correctly. |
PAM-10547 |
|
Disk fill-up prevention should always deny incoming connections when limit is reached Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached. |
PAM-10510 |
|
Session verdict is 'auth-fail' after a failed gateway authentication attempt even if it succeeds after a retry If the user enters a wrong password or the gateway authentication attempt failed for another reason, the "verdict" for that session on the search interface remained "auth-failed", even if a second attempt was offered for the user and that succeeded. This logic is now fixed and the final authentication decision is used to decide the verdict of the session. |
PAM-10509 |
|
Console menu does not timeout As a side-effect of an unrelated change, the console menu did not log off idle users after a timeout. This is now fixed and idle sessions are properly terminated. |
PAM-10441 |
|
Transferring files over 4GB not possible over RDP disk redirection Files over 4GB transfers via RDP disk redirection over SPS got corrupted. This is now fixed and both download and upload of larger files is possible. |
PAM-10418 |
|
indexer-service cannot be reloaded multiple times within a short time Reloading indexer-service occasionally returned with a false error message, even though it was actually reloaded. However, if you attempted to reload it again within a short time (within in ~3 seconds), the reload failed. |
PAM-10335 |
|
Core files are generated for ICA sessions In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected. |
PAM-10316 |
|
RDP connection problems with certain client applications If the client did not send a cookie when establishing the initial connection to SPS, SPS sent an invalid cookie to the target server, causing the server to terminate the connection. This has been corrected. |
PAM-10284 |
|
The /api/active-sessions endpoint responds with Internal Server Error (500) The /api/active-sessions endpoint could respond only with Internal Server Error (500) in case of an error during DELETE. From now on the /api/active-sessions endpoint can respond with Not Found Error (404) if the given session id is not found in the list of active sessions. |
PAM-10281 |
|
Misspelled OK buttons on the web interface Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected. |
PAM-10155 |
|
Prevent joining SPS nodes running different firmware versions to a cluster Configuration (and cluster state) synchronization may not work if the Central Management and other cluster nodes are running different versions of SPS. In order to avoid possible misconfiguration, product version compatibility will now be validated during joining nodes to an SPS cluster. |
PAM-10020 |
|
Improved error detection of Elasticsearch database for audit information If the Elasticsearch instance that acts as a backend for the audit database failed to start for some reason, it kept retrying (and failing) and never notified the user about the problem. The problem has been fixed and such problems are properly escalated. |
PAM-10018 |
|
Inaccurate warning when upgrading external indexers When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected. |
PAM-9707 |
|
Content search field does not handle the '<' character Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, such queries are now handled properly. |
PAM-9264 |
|
OpenSSL encryption failure when changing the password of a permanent keystore In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message: 'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62' This has been corrected. |
PAM-8345 |
|
Stopping more data-producing processes when disk fillup prevention is triggered The disk fillup prevention feature in SPS proactively stops traffic passing through if this usage reaches a predefined threshold to avoid more severe errors caused by the disk being filled up completely. Besides ongoing traffic there are several services that also produce data, which are now also stopped, providing further protection. |
PAM-8012 |
| Resolved Issue | Issue ID |
|---|---|
|
bind9:
bzip2:
curl:
db5.3:
dbus:
elfutils:
expat:
ffmpeg:
glib2.0:
gnutls28:
isc-dhcp:
jinja2:
libpng1.6:
libseccomp:
linux:
mysql-5.7:
openjdk-8:
php7.2:
postgresql-10:
python-urllib3:
python2.7:
qtbase-opensource-src:
samba:
sqlite3:
vim:
|
|
|
Inconsistent merge behaviour in configuration sync There were some cases, where a validation error occured during configuration synchronization. This has been fixed, and now System Backup is synchronized under Management, too. |
PAM-9655 |
|
Changing cluster roles may make the product tainted When changing certain cluster roles, the firmware became tainted. This affected the upgrade process when the definition of a role changed between two releases, resulting in tainted firmware. Now this has been fixed. |
PAM-9375 |
|
Report generation can produce duplicate reports If generating a report took more than 30 minutes, it was restarted, causing it to run twice and generate a duplicate report. This has been corrected, now report generation jobs cannot overlap to prevent processing them twice. |
PAM-5477 |
|
The default number of indexer workers was 16 on a newly installed SPS. The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers. |
PAM-3739 |
|
Disk fill-up prevention should always deny incoming connections when limit is reached Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached. |
PAM-10039 |
| Resolved Issue | Issue ID |
|---|---|
|
Security package updates bind9:
busybox:
curl:
ffmpeg:
file:
isc-dhcp:
ldb:
libgd2:
libpng1.6:
libxslt:
linux:
lua5.3:
mysql-5.7:
nss:
openjdk-8:
openssh:
openssl1.0:
php7.2:
python-urllib3:
samba:
systemd:
tiff:
walinuxagent:
wget:
|
|
|
Search interface not available after cluster upgrade on certain versions When upgrading the cluster between certain versions, the search functionality was not available after the nodes rebooted. This has been fixed and the search backend starts up properly after a cluster upgrade. |
PAM-9768 |
|
Core file download button not visible for read-only users Read-only access rights to the Basic Settings/Troubleshooting page allows the user to download all kinds of debug information, including core files. The "Download" button was not visible for users with read-only rights, even though they could download these files via the API. The button is now shown correctly. |
PAM-9693 |
|
Limited logging for Citrix ICA connections Due to an internal error, system logging about Citrix ICA protocols did not work properly. Even though audit recording was unaffected, this made troubleshooting difficult. The problem was fixed and logging now works similarly to other protocols. |
PAM-9671 |
|
Rare crash when using Remote Desktop Gateway connections Due to an unhandled race condition, the RDP proxy could crash in very rare cases when a large number of Remote Desktop Gateway connections were open in parallel. The problem was fixed. |
PAM-9596 |
|
Changes to SIEM forwarder setting not applied Changes to the configuration of the SIEM forwarder except the initial setup were not applied until rebooting the machine or restarting the service. This is now fixed and all changes take effect immediately. |
PAM-9499 |
|
Stale RDP connections on the Active Connections page Since version 5.6, stale RDP sessions can remain unclosed and displayed on the "Active Connections" page. This is now fixed and all RDP sessions are now closed properly. |
PAM-9473 |
|
Wrong IP address in autogenerated HTTPS certificates Certificates generated for proxy mode HTTPS connections are using the IP address of SPS (the proxy) instead of the hostname/address of the target server. |
PAM-9337 |
|
AAA configuration (including root password) is not synchronized to the managed hosts in an SPS cluster The AAA configuration was blacklisted during the configuration synchronization between the central management and the managed host. This limitation is now solved, and AAA configuration is synchronized to the managed hosts. The AAA configuration contains the local users (including admin), therefore we added the root password to the synchronized configuration data, too. |
PAM-9295 |
|
Double check of group membership during public key-based gateway authentication in SSH When using public-key-based gateway authentication in SSH, the group filtering was performed twice, which could have a significant performance penalty. This is now fixed and this check is done only once. |
PAM-9268 |
|
Indexing RDP sessions may fail with "Size out of range" errror RDP sessions with multiple channels sometimes resulted in indexing errors ("Size out of range"). Such audit trails could not be opened in the Desktop Player. This has been fixed. |
PAM-9267 |
|
Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 cannot be replayed Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 could not be properly replayed, and contained garbled screens. The error has been corrected, SPS 6.0 now properly record such sessions, so they can be properly replayed. |
PAM-9232 |
|
Report a more descriptive error message when firmware upload fails When a firmware upload fails because of insufficient disk space, invalid file uploaded, or a similar error, now a more descriptive message is displayed instead of a generic error message. |
PAM-9231 |
|
Indexing certain archived sessions fails Indexing jobs sometimes failed with the "No such file or directory" error message. This occurred when the audit trail of the session has already been archived and the remote archive was not mounted. Now the indexer automatically remounts such archives to complete the indexing. |
PAM-9230 |
|
Deleting keytabs failed when "Verbose system logs" (debug logging) was turned on When "Verbose system logs" (debug logging) was turned on, then a server side error prevented deleting keytabs. This has been fixed. |
PAM-9224 |
|
None The owner of the configuration lock was not reset within a browser session. As a result, if two different users logged in after each other in the same web browser, and the second user visited the Search > Search or Basic Settings > Cluster management pages, then the System monitor showed that the configuration is locked by , and the user could not edit the configuration. This problem has been fixed. |
PAM-9150 |
|
SSH sessions disconnect if SPS cannot find the account in the Credential store If a credential store was defined for a Connection Policy and SPS could not find an entry for the given target account in the store, it disconnected immediately instead of prompting the client to authenticate. This has been fixed, and now the fallback is triggered properly. |
PAM-9128 |
|
On an appliance with a Search minion role, generating daily/weekly/monthly reports results in several error e-mails On an appliance with the Search minion role, when generating reports every Day / Week / Month, selecting "Send reports in e-mail", and attempting to inculde a Search subchapter in the report resulted in receiving several error e-mails from all Search minions that were configured in that cluster environment. The error message in the e-mails was: "Unknown error: Error while fetching data via REST client, error: Error response got from REST client, status code: 500, reason: The search backend is unaccessible." This has been corrected, no error messages will be sent. If you want to include Search subchapters in your reports, generate them on the appliance with the Search master role. |
PAM-9001 |
|
Searching for audit trails that are not indexed is not working In some cases if the connection database was big, searching for audit trails that are not indexed on the Search > Search (classic) page did not work properly. (Selecting the 'Not indexed' option in the "Channel's Indexing Status" column resulted in a search query that was never completed.) This has been fixed. This has been corrected. |
PAM-9000 |
|
Failed SSH sessions can cause the System Monitor to show negative value as the number of active sessions When certain incompatible configuration settings are used (for example, GSSAPI authentication with autologin), a failed SSH connection attempt could decrease the active session count, eventually pushing it below zero. This is now fixed and such failed connections don't change the number of active sessions. |
PAM-8959 |
|
Unnecessary health check warnings in the logs of the Search master node In central search mode, the proxies are disabled on the Search master node. However, the built-in health check processes still checked the status of the proxies and logged a warning message. This warning is now disabled for search master nodes. |
PAM-8857 |
|
Generating certificates fails for long host and domain names SPS generates several certificates internally, and it uses the configured hostname and domain name for the appliance in the Common Name (CN) of these certificates. If any of these were long, the CN could go beyond the 64-character limit of the underlying OpenSSL libraries and the certificate generation failed. The appliance now truncates the strings to make sure the CN stays below the 64-character limit. |
PAM-8693 |
|
Multiple processing issues fixed in terminal based protocols with CJK characters The wide characters of CJK alphabets caused issues with command detection, video rendering, screenshot export in HTML, and the follow mode of the Safeguard Desktop Player. These are now fixed. |
PAM-8611 |
|
Session database upgrade fails for some ICA sessions Some older versions of SPS saved the protocol information of ICA sessions differently, using the name "CGP" instead of "ICA". The session database upgrade process was not prepared to handle that and moving such sessions to the new database failed. Such sessions are now handled correctly by the upgrade process. |
PAM-8465 |
|
The RDP domain membership configuration is displayed even if the appliance was not a member of the domain The RDP domain membership configuration was displayed even if the appliance was not a member of the currently configured domain. From now on, it is displayed only if the appliance is member of the currently configured domain. The status of the appliance (joined or not) is also displayed. |
PAM-8372 |
|
Insufficient error handling during external indexer initialization If an indexer failed to start up for some reason, in some scenarios it asked for the password for the decryption key for the trails instead of recognizing and logging the error. This is now fixed and startup errors are handled properly. |
PAM-8329 |
|
No warnings about encrypted sessions on the new search interface The Search > Search page did not warn the user if a session could not be played back because it was encrypted and the decryption key was not available in the keystore. This is now fixed and users get a warning that helps them solve the issue. |
PAM-7585 |
|
"Search subchapters" page only available to the "admin" user The "Search subchapters" report configuration page was only accessible to the "admin" user. The permission handling of this page has been corrected and it can be accessed by other users as well if they have the required Access Control rights. |
PAM-7136 |
|
Configuration interface is unresponsive during session database upgrade The System Monitor shows the status of the session database upgrade process. Unfortunately, the way it queryied the current status was highly inefficient, which could significantly slow down the entire web interface if the database being upgraded was large. The status check is now much more efficient and the UI remains responsive even during the upgrade. |
PAM-6204 |
System requirements
Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents: