One Identity Safeguard for Privileged Sessions 6.0.5 - Release Notes

Brackets were removed from around IPv6 addresses by the HTTP proxy in headers

The HTTP proxy removed the brackets from around IPv6 addresses in relayed HTTP headers, eg. "Host: [2001:db8::]" became "Host: 2001:db8::1", which caused problems on the server side. This has been fixed and such headers are now relayed properly.

Error messages appear in HTTP proxy logs when Authorization headers are not valid base64 encoded data

Our HTTP proxy tried to decode the Authorization header and if it could not, it logged an error because there was an error with the encoding. These log messages could be misleading as such headers happen frequently, so they were disabled.

Timestamps in upgrade logs are misleading

During the upgrade SPS produces log files which are separated from the standard syslog. Into these log files the timestamps of the log lines were added manually. These timestamps were not accurate.

When high amount of audit trails were stored on the disk, a process could cause performance issues during upgrade, HA takeover or boot.

After this fix this process will run only once.

Displaying the login page triggers General error (xcbError) SNMP or email alert

When the login page was loaded in a browser, then a background request attempted to access a resource which mistakenly required an already authenticated user. If the General error (xcbError) alert was enabled on the Basic Settings / Alerting & Monitoring page, then this condition triggered sending SNMP or email alerts. This has been fixed.

HTTP request URIs were sometimes forwarded incorrectly to the target server, with escaped URI parts not kept properly escaped.

The HTTP proxy in SPS improperly transformed URIs with escaped '/' characters. This has been fixed, and the requested URI is now passed intact to the target server.

In case of high amount of information, paginated data storage solution was implemented, but not used by the indexer tool.

To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way.

High memory consumption related to the indexer-jobgenerator service with sessions containing lots of channels

The jobgenerator service now handles channel related messages which are not required to store in memory anymore.

Assigning "All" privileges to a user group did not grant access to the Active Connections page

Assigning "All" (read and write/perform) privileges to a user group at the Users & Access Control / Appliance Access (formerly: AAA / Access Control) page did not grant access to the Active Connections page for the selected group. This has been fixed.

Multiple IPv4 addresses on the network interface which is assigned to clustering can break cluster node communication if other than the first one is used for clustering

Assigning multiple IPv4 addresses to the network interface which is used for clustering, and using other than the first one for secure communication between the cluster nodes results in a non-working configuration. Configuration validation has been extended with checks which prevent saving such configuration.

HA IP negotiation fails when more than two SPS hosts are accessible on the HA interface

When more than two SPS instances are accessible through the HA interface, the third host cannot obtain a valid HA IP address as the other two addresses are already taken. As this is not a supported way of working, a warning message is now shown to the user on the console.

Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware)

During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration.

This has now been fixed and these events are no longer generated.

Unnecessary expiration warnings for indexer decryption key certificates

The decryption keys and the certificates that belong to them, used by the internal indexer to process encrypted audit trails, may still be needed in the configuration in order to access older audit data, long after the certificate itself is expired. Due to this, the expiration of these certificates will no longer trigger configuration validation warnings.

In case of high amount of information paginated data, storage solution was implemented but not used by the indexer tool.

To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way.

View log files > Tail window remains open even after the administrator has logged out.

The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator has logged out of their session. This has been corrected. Note that the window displaying the past log messages remains open even after logging out of the session.

Missing timestamps in audit trails and "Error connecting TSA" messages in the logs.

A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed.

Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster.

Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster.

Dynamic virtual channels in RDP proxy are not handled properly.

Some of the Dynamic virtual channels in RDP proxy were allowed even if they were not enabled in a Channel Policy. Now it has been fixed and must be explicitly added to the "Permitted channels" under the Dynamic virtual channels channel policy.

HA takeover issues after multi-step upgrades

If a system was upgraded in multiple steps (for example, from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes. This issue has been fixed and these type of upgrades now work well.

From now on, Chrome on a newer version of macOS accepts the certificate generated by SPS.

The macOS has strictened its certificate policies, andthe generated certificate of SPS was not compliant with it. On Chrome, one could not turn off the warnings about the invalid certificate, rendering users unable to configure SPS for the first time.

During initial configuration (or later) one could upload a custom server certificate of course, but the browser did not allow the user to reach SPS to configure it.

The newly generated cert has the following additional properties:

• validity is 800 days long
• extendedKeyUsage has been specified

which makes it compliant with the recent Chrome+macOS combination.

On HA takeover, the IP address of SPS was not updated in other computer's ARP table in certain conditions.

SPS did not wait for the interface to be in the UP state, therefore sending the gratuitous ARP message was not successful when the interface didn't come up quickly. This has been fixed by waiting for the interface first.

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

Overriding the global verbosity level in ICA connection policies had no effect

In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level.

Password reuse always allowed when changing the password over REST

It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password changed was performed through the REST API. It is now fixed and the restriction is enforced over the API, too.

Client unexpectedly closes RemoteApp sessions

In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected, the unneeded certificate is not sent to the client.

RDP sessions shown as active even after client disconnects

In certain cases, SPS reported RDP sessions as active even after the client has disconnected. This has been corrected.

The SPS initiated workflow fails in case of SSH protocol.

Starting with Safeguard for Privileged Sessions version 6.2 it became possible to join Safeguard for Privileged Sessions and Safeguard for Privileged Passwords and make use of the full password approval workflow in SPP for sessions initiated through SPS. This feature was backported to the 6.0.2 maintenance release, but due to a problem with the backport, it did not work properly for SSH sessions. The problem is now fixed and SSH sessions can also be used in this scenario.

Improve the debug logging of ldapservice

The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs.

Sessions are terminated when using the credit-card detection and alerting features

In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected.

Upgrading to SPS 6.0.2 fails if SPS is joined into SPP

Because of an error in the upgrade of Safeguard plugins, upgrade to SPS 6.0.2 failed if SPS was joined to SPP.

This has been corrected, in SPS 6.0.3 the upgrade works as expected.

Timeout in RDGW sessions causes core files on SPS

If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected, such timeout errors are now handled properly.

Traceback appears in the logs if the LDAP server is down

A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected, the error is now properly handled.

Resizing the screen in ICA sessions to span multiple monitors did not work

If the number of relayed monitor screens was changed during an ICA session the change was not relayed by SPS properly which made such changes impossible. The problem is now fixed and it is possible to change the number of monitors during the session.

'Analytics details are not available' warning appears on the UI

In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session.

Traceback in the logs after rejecting a four-eyes authorization request

A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected, the event is now handled properly.

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed.

IPv6 routing table is missing from the support bundle

The IPv6 routing table was missing from the support bundle. This has been corrected.

Configuration changes not taking effect

In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen for example when commiting networking changes, and restarting the networking service was very slow. This has been corrected, such errors are now handled properly.

Failed screenshots in content subchapter reports

Using external-indexer or near real time indexing lead to failed screenshots in content subchapter reports, indicated by the following error message in the logs:

'Cannot retrieve image for screencontent'

This has been corrected, screenshots are now properly generated for the reports.

Remote Desktop Gateway authentication fails for Windows 2012 R2 clients

Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2 , ver. 6.3.9600 Protocol 8.1). This has been corrected.

False data in achiving notice

After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected.

NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead.

In some cases persisting indexer job status updates and command/title events made a big load on the database which caused big delays in opening new connections through SPS.

The way of persisting indexer events to the database was optimized in a way that it should not add delay on new connections.

Error in handling compressed ICA traffic causes the server to terminate the session

In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs:

'Compression PD: Unable to expand slab'

This has been corrected, the traffic is now handled properly.

Ignore the actual result of the whoami request when checking the availability of an LDAP server

To check the availability of an LDAP server, SPS performs a "who am I" query against that server. If that query was disabled on the server, SPS treated the response as a sign of the server being down, even if it was handling other requests properly. This behavior has been changed and SPS now only checks if the server responds at all.

Low idle timeouts on LDAP servers not handled correctly

SPS did not correctly handle if an LDAP server closed idle sessions after less than 600 seconds. After this fix, idle timeout settings above 120s work correctly.

Connection data backup not available in the console menu

It is possible to manually initiate a backup process from the menu accessible via SSH or the appliance console. Due to a bug, only the system backup option was available there and the option to backup data associated with connection policies (such as audit trails) was not. This is now fixed and all backup options are available again.

Duplicate header appears on the ICA Control > Channel Policies page

While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected.

Login page can redirect to arbitrary external sites

To streamline the login process, SPS was able to redirect the user to the site they originally wanted to access after a successful login. However, this feature also redirected the user to any URL if the login page was accessed through a properly crafted link. This made phishing attacks against the administrators of SPS easier, so the login page now only redirects to URLs on SPS itself.

On an extremely overloaded machine, the OCR scanning (indexing) process could crash

When the machine was so overloaded that the connection between the process that controls the OCR scanning and indexing operation (indexerworker) and the process doing the computation (indexerservice) was lost, the worker process tried to abort the processing but crashed. The index job might be finished successfully later. The problem was fixed and the worker process now handles this outage correctly.

Disk fill-up prevention should always deny incoming connections when limit is reached

Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached.

Session verdict is 'auth-fail' after a failed gateway authentication attempt even if it succeeds after a retry

If the user enters a wrong password or the gateway authentication attempt failed for another reason, the "verdict" for that session on the search interface remained "auth-failed", even if a second attempt was offered for the user and that succeeded. This logic is now fixed and the final authentication decision is used to decide the verdict of the session.

Console menu does not timeout

As a side-effect of an unrelated change, the console menu did not log off idle users after a timeout. This is now fixed and idle sessions are properly terminated.

Transferring files over 4GB not possible over RDP disk redirection

Files over 4GB transfers via RDP disk redirection over SPS got corrupted. This is now fixed and both download and upload of larger files is possible.

indexer-service cannot be reloaded multiple times within a short time

Reloading indexer-service occasionally returned with a false error message, even though it was actually reloaded. However, if you attempted to reload it again within a short time (within in ~3 seconds), the reload failed.

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

RDP connection problems with certain client applications

If the client did not send a cookie when establishing the initial connection to SPS, SPS sent an invalid cookie to the target server, causing the server to terminate the connection. This has been corrected.

The /api/active-sessions endpoint responds with Internal Server Error (500)

The /api/active-sessions endpoint could respond only with Internal Server Error (500) in case of an error during DELETE. From now on the /api/active-sessions endpoint can respond with Not Found Error (404) if the given session id is not found in the list of active sessions.

Misspelled OK buttons on the web interface

Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected.

Prevent joining SPS nodes running different firmware versions to a cluster

Configuration (and cluster state) synchronization may not work if the Central Management and other cluster nodes are running different versions of SPS. In order to avoid possible misconfiguration, product version compatibility will now be validated during joining nodes to an SPS cluster.

Improved error detection of Elasticsearch database for audit information

If the Elasticsearch instance that acts as a backend for the audit database failed to start for some reason, it kept retrying (and failing) and never notified the user about the problem. The problem has been fixed and such problems are properly escalated.

Inaccurate warning when upgrading external indexers

When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected.

Content search field does not handle the '<' character

Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, such queries are now handled properly.

OpenSSL encryption failure when changing the password of a permanent keystore

In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message:

'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62'

This has been corrected.

bind9:

• CVE-2018-5743
• CVE-2019-6471

bzip2:

• CVE-2019-12900

curl:

• CVE-2019-5346

db5.3:

• CVE-2019-8457

dbus:

• CVE-2019-12749

elfutils:

• CVE-2018-16062
• CVE-2018-16402
• CVE-2018-16403
• CVE-2018-18310
• CVE-2018-18520
• CVE-2018-18521
• CVE-2019-7149
• CVE-2019-7150
• CVE-2019-7665

expat:

• CVE-2018-20843

ffmpeg:

• CVE-2018-15822
• CVE-2019-9718
• CVE-2019-9721

glib2.0:

• CVE-2019-12450

gnutls28:

• CVE-2018-1084
• CVE-2018-10844
• CVE-2018-10845
• CVE-2018-10846
• CVE-2019-3829

isc-dhcp:

• CVE-2019-6470

jinja2:

• CVE-2019-10906

libpng1.6:

• CVE-2019-7317

libseccomp:

• CVE-2019-9893

linux:

• CVE-2017-5715
• CVE-2017-5753
• CVE-2017-5754
• CVE-2018-12126
• CVE-2018-12127
• CVE-2018-12130
• CVE-2018-16884
• CVE-2018-3620
• CVE-2018-3639
• CVE-2018-3646
• CVE-2019-11478
• CVE-2019-11479
• CVE-2019-3874
• CVE-2019-3882
• CVE-2019-9500
• CVE-2019-9503

mysql-5.7:

• CVE-2019-2566
• CVE-2019-2581
• CVE-2019-2592
• CVE-2019-2614
• CVE-2019-2627
• CVE-2019-2628
• CVE-2019-2632
• CVE-2019-2683

openjdk-8:

• CVE-2019-2422
• CVE-2019-2426
• CVE-2019-2602
• CVE-2019-2684
• CVE-2019-2698

php7.2:

• CVE-2019-11034
• CVE-2019-11035
• CVE-2019-11036
• CVE-2019-11039
• CVE-2019-11040
• CVE-2019-9637
• CVE-2019-9638
• CVE-2019-9639
• CVE-2019-9640
• CVE-2019-9641
• CVE-2019-9675

postgresql-10:

• CVE-2019-10130
• CVE-2019-10164

python-urllib3:

• CVE-2018-20060
• CVE-2019-11236
• CVE-2019-11324

python2.7:

• CVE-2018-1000802
• CVE-2018-14647

qtbase-opensource-src:

• CVE-2018-15518
• CVE-2018-19870
• CVE-2018-19873

samba:

• CVE-2018-16860

sqlite3:

• CVE-2018-20346
• CVE-2018-20505
• CVE-2018-20506
• CVE-2019-8457
• CVE-2019-9936
• CVE-2019-9937

vim:

• CVE-2019-12735

Inconsistent merge behaviour in configuration sync

There were some cases, where a validation error occured during configuration synchronization. This has been fixed, and now System Backup is synchronized under Management, too.

Changing cluster roles may make the product tainted

When changing certain cluster roles, the firmware became tainted. This affected the upgrade process when the definition of a role changed between two releases, resulting in tainted firmware. Now this has been fixed.

Report generation can produce duplicate reports

If generating a report took more than 30 minutes, it was restarted, causing it to run twice and generate a duplicate report. This has been corrected, now report generation jobs cannot overlap to prevent processing them twice.

The default number of indexer workers was 16 on a newly installed SPS.

The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers.

Security package updates

bind9:

• CVE-2018-5743

busybox:

• CVE-2011-5325
• CVE-2018-1000517
• CVE-2018-20679
• CVE-2019-5747

curl:

• CVE-2019-5346

ffmpeg:

• CVE-2018-15822
• CVE-2019-9718
• CVE-2019-9721

file:

• CVE-2019-8905
• CVE-2019-8906
• CVE-2019-8907

isc-dhcp:

• CVE-2019-6470

ldb:

• CVE-2019-3824

libgd2:

• CVE-2019-6977
• CVE-2019-6978

libpng1.6:

• CVE-2019-7317

libxslt:

• CVE-2019-11068

linux:

• CVE-2017-5715
• CVE-2017-5753
• CVE-2017-5754
• CVE-2018-12126
• CVE-2018-12127
• CVE-2018-12130
• CVE-2018-14678
• CVE-2018-16884
• CVE-2018-18021
• CVE-2018-18397
• CVE-2018-19824
• CVE-2018-19854
• CVE-2018-3620
• CVE-2018-3639
• CVE-2018-3646
• CVE-2019-3459
• CVE-2019-3460
• CVE-2019-3874
• CVE-2019-3882
• CVE-2019-6133
• CVE-2019-6974
• CVE-2019-7221
• CVE-2019-7222
• CVE-2019-7308
• CVE-2019-8912
• CVE-2019-8980
• CVE-2019-9213
• CVE-2019-9500
• CVE-2019-9503

lua5.3:

• CVE-2019-6706

mysql-5.7:

• CVE-2019-2566
• CVE-2019-2581
• CVE-2019-2592
• CVE-2019-2614
• CVE-2019-2627
• CVE-2019-2628
• CVE-2019-2632
• CVE-2019-2683

nss:

• CVE-2018-18508

openjdk-8:

• CVE-2019-2422
• CVE-2019-2426
• CVE-2019-2602
• CVE-2019-2684
• CVE-2019-2698

openssh:

• CVE-2019-6109
• CVE-2019-6111

openssl1.0:

• CVE-2019-1559

php7.2:

• CVE-2019-11034
• CVE-2019-11035
• CVE-2019-9637
• CVE-2019-9638
• CVE-2019-9639
• CVE-2019-9640
• CVE-2019-9641
• CVE-2019-9675

python-urllib3:

• CVE-2018-20060
• CVE-2019-11236
• CVE-2019-11324

samba:

• CVE-2018-16860
• CVE-2019-3880

systemd:

• CVE-2019-3842

tiff:

• CVE-2018-10779
• CVE-2018-12900
• CVE-2018-17000
• CVE-2018-19210
• CVE-2019-6128
• CVE-2019-7663

walinuxagent:

• CVE-2019-0804

wget:

• CVE-2018-20483
• CVE-2019-5953

Search interface not available after cluster upgrade on certain versions

When upgrading the cluster between certain versions, the search functionality was not available after the nodes rebooted. This has been fixed and the search backend starts up properly after a cluster upgrade.

Core file download button not visible for read-only users

Read-only access rights to the Basic Settings/Troubleshooting page allows the user to download all kinds of debug information, including core files. The "Download" button was not visible for users with read-only rights, even though they could download these files via the API. The button is now shown correctly.

Limited logging for Citrix ICA connections

Due to an internal error, system logging about Citrix ICA protocols did not work properly. Even though audit recording was unaffected, this made troubleshooting difficult. The problem was fixed and logging now works similarly to other protocols.

Rare crash when using Remote Desktop Gateway connections

Due to an unhandled race condition, the RDP proxy could crash in very rare cases when a large number of Remote Desktop Gateway connections were open in parallel. The problem was fixed.

Changes to SIEM forwarder setting not applied

Changes to the configuration of the SIEM forwarder except the initial setup were not applied until rebooting the machine or restarting the service. This is now fixed and all changes take effect immediately.

Stale RDP connections on the Active Connections page

Since version 5.6, stale RDP sessions can remain unclosed and displayed on the "Active Connections" page. This is now fixed and all RDP sessions are now closed properly.

Wrong IP address in autogenerated HTTPS certificates

Certificates generated for proxy mode HTTPS connections are using the IP address of SPS (the proxy) instead of the hostname/address of the target server.

AAA configuration (including root password) is not synchronized to the managed hosts in an SPS cluster

The AAA configuration was blacklisted during the configuration synchronization between the central management and the managed host. This limitation is now solved, and AAA configuration is synchronized to the managed hosts.

The AAA configuration contains the local users (including admin), therefore we added the root password to the synchronized configuration data, too.

Double check of group membership during public key-based gateway authentication in SSH

When using public-key-based gateway authentication in SSH, the group filtering was performed twice, which could have a significant performance penalty. This is now fixed and this check is done only once.

Indexing RDP sessions may fail with "Size out of range" errror

RDP sessions with multiple channels sometimes resulted in indexing errors ("Size out of range"). Such audit trails could not be opened in the Desktop Player. This has been fixed.

Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 cannot be replayed

Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 could not be properly replayed, and contained garbled screens. The error has been corrected, SPS 6.0 now properly record such sessions, so they can be properly replayed.

Report a more descriptive error message when firmware upload fails

When a firmware upload fails because of insufficient disk space, invalid file uploaded, or a similar error, now a more descriptive message is displayed instead of a generic error message.

Indexing certain archived sessions fails

Indexing jobs sometimes failed with the "No such file or directory" error message. This occurred when the audit trail of the session has already been archived and the remote archive was not mounted. Now the indexer automatically remounts such archives to complete the indexing.

Deleting keytabs failed when "Verbose system logs" (debug logging) was turned on

When "Verbose system logs" (debug logging) was turned on, then a server side error prevented deleting keytabs. This has been fixed.

None

The owner of the configuration lock was not reset within a browser session. As a result, if two different users logged in after each other in the same web browser, and the second user visited the Search > Search or Basic Settings > Cluster management pages, then the System monitor showed that the configuration is locked by

REST@system

, and the user could not edit the configuration.

This problem has been fixed.

SSH sessions disconnect if SPS cannot find the account in the Credential store

If a credential store was defined for a Connection Policy and SPS could not find an entry for the given target account in the store, it disconnected immediately instead of prompting the client to authenticate. This has been fixed, and now the fallback is triggered properly.

On an appliance with a Search minion role, generating daily/weekly/monthly reports results in several error e-mails

On an appliance with the Search minion role, when generating reports every Day / Week / Month, selecting "Send reports in e-mail", and attempting to inculde a Search subchapter in the report resulted in receiving several error e-mails from all Search minions that were configured in that cluster environment. The error message in the e-mails was:

"Unknown error: Error while fetching data via REST client, error: Error response got from REST client, status code: 500, reason: The search backend is unaccessible."

This has been corrected, no error messages will be sent.

If you want to include Search subchapters in your reports, generate them on the appliance with the Search master role.

Searching for audit trails that are not indexed is not working

In some cases if the connection database was big, searching for audit trails that are not indexed on the Search > Search (classic) page did not work properly. (Selecting the 'Not indexed' option in the "Channel's Indexing Status" column resulted in a search query that was never completed.) This has been fixed.

This has been corrected.

Failed SSH sessions can cause the System Monitor to show negative value as the number of active sessions

When certain incompatible configuration settings are used (for example, GSSAPI authentication with autologin), a failed SSH connection attempt could decrease the active session count, eventually pushing it below zero. This is now fixed and such failed connections don't change the number of active sessions.

Unnecessary health check warnings in the logs of the Search master node

In central search mode, the proxies are disabled on the Search master node. However, the built-in health check processes still checked the status of the proxies and logged a warning message. This warning is now disabled for search master nodes.

Generating certificates fails for long host and domain names

SPS generates several certificates internally, and it uses the configured hostname and domain name for the appliance in the Common Name (CN) of these certificates. If any of these were long, the CN could go beyond the 64-character limit of the underlying OpenSSL libraries and the certificate generation failed. The appliance now truncates the strings to make sure the CN stays below the 64-character limit.

Multiple processing issues fixed in terminal based protocols with CJK characters

The wide characters of CJK alphabets caused issues with command detection, video rendering, screenshot export in HTML, and the follow mode of the Safeguard Desktop Player. These are now fixed.

Session database upgrade fails for some ICA sessions

Some older versions of SPS saved the protocol information of ICA sessions differently, using the name "CGP" instead of "ICA". The session database upgrade process was not prepared to handle that and moving such sessions to the new database failed. Such sessions are now handled correctly by the upgrade process.

The RDP domain membership configuration is displayed even if the appliance was not a member of the domain

The RDP domain membership configuration was displayed even if the appliance was not a member of the currently configured domain. From now on, it is displayed only if the appliance is member of the currently configured domain. The status of the appliance (joined or not) is also displayed.

Insufficient error handling during external indexer initialization

If an indexer failed to start up for some reason, in some scenarios it asked for the password for the decryption key for the trails instead of recognizing and logging the error. This is now fixed and startup errors are handled properly.

No warnings about encrypted sessions on the new search interface

The Search > Search page did not warn the user if a session could not be played back because it was encrypted and the decryption key was not available in the keystore. This is now fixed and users get a warning that helps them solve the issue.

"Search subchapters" page only available to the "admin" user

The "Search subchapters" report configuration page was only accessible to the "admin" user. The permission handling of this page has been corrected and it can be accessed by other users as well if they have the required Access Control rights.