サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Sessions 6.0 LTS - Release Notes

Deprecated features

The following is a list of features that are no longer supported starting with SPS 6.0.

  • X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.

  • DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.

  • The log ingestion feature of SPS has been removed from the product.

Deprecated features between SPS 5.1 and SPS 5.11

The following is a list of features that are no longer supported starting with SPS 6.0.

Caution:

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Login to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request/.

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

  • Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.

  • SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:

    • You cannot configure SPS if your browser does not support at least TLSv1.

    • If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.

  • Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.

  • Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.

Shorter than 1024-bit SSH keys

Following the upgrade, support for less than 1024-bit SSH keys is lost.

You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.

Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or "Configuring usermapping policies" in the Administration Guide.

Minimum version of encryption protocol for the web UI

The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.

Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.

This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.

Deprecation of RPC API

The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.

Screen content search in sessions indexed by the old Audit Player

It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in release 6.0
Resolved Issue Issue ID

Security package updates

bind9:

  • CVE-2018-5743

busybox:

  • CVE-2011-5325
  • CVE-2018-1000517
  • CVE-2018-20679
  • CVE-2019-5747

curl:

  • CVE-2019-5346

ffmpeg:

  • CVE-2018-15822
  • CVE-2019-9718
  • CVE-2019-9721

file:

  • CVE-2019-8905
  • CVE-2019-8906
  • CVE-2019-8907

isc-dhcp:

  • CVE-2019-6470

ldb:

  • CVE-2019-3824

libgd2:

  • CVE-2019-6977
  • CVE-2019-6978

libpng1.6:

  • CVE-2019-7317

libxslt:

  • CVE-2019-11068

linux:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754
  • CVE-2018-12126
  • CVE-2018-12127
  • CVE-2018-12130
  • CVE-2018-14678
  • CVE-2018-16884
  • CVE-2018-18021
  • CVE-2018-18397
  • CVE-2018-19824
  • CVE-2018-19854
  • CVE-2018-3620
  • CVE-2018-3639
  • CVE-2018-3646
  • CVE-2019-3459
  • CVE-2019-3460
  • CVE-2019-3874
  • CVE-2019-3882
  • CVE-2019-6133
  • CVE-2019-6974
  • CVE-2019-7221
  • CVE-2019-7222
  • CVE-2019-7308
  • CVE-2019-8912
  • CVE-2019-8980
  • CVE-2019-9213
  • CVE-2019-9500
  • CVE-2019-9503

lua5.3:

  • CVE-2019-6706

mysql-5.7:

  • CVE-2019-2566
  • CVE-2019-2581
  • CVE-2019-2592
  • CVE-2019-2614
  • CVE-2019-2627
  • CVE-2019-2628
  • CVE-2019-2632
  • CVE-2019-2683

nss:

  • CVE-2018-18508

openjdk-8:

  • CVE-2019-2422
  • CVE-2019-2426
  • CVE-2019-2602
  • CVE-2019-2684
  • CVE-2019-2698

openssh:

  • CVE-2019-6109
  • CVE-2019-6111

openssl1.0:

  • CVE-2019-1559

php7.2:

  • CVE-2019-11034
  • CVE-2019-11035
  • CVE-2019-9637
  • CVE-2019-9638
  • CVE-2019-9639
  • CVE-2019-9640
  • CVE-2019-9641
  • CVE-2019-9675

python-urllib3:

  • CVE-2018-20060
  • CVE-2019-11236
  • CVE-2019-11324

samba:

  • CVE-2018-16860
  • CVE-2019-3880

systemd:

  • CVE-2019-3842

tiff:

  • CVE-2018-10779
  • CVE-2018-12900
  • CVE-2018-17000
  • CVE-2018-19210
  • CVE-2019-6128
  • CVE-2019-7663

walinuxagent:

  • CVE-2019-0804

wget:

  • CVE-2018-20483
  • CVE-2019-5953

Search interface not available after cluster upgrade on certain versions

When upgrading the cluster between certain versions, the search functionality was not available after the nodes rebooted. This has been fixed and the search backend starts up properly after a cluster upgrade.

PAM-9768

Core file download button not visible for read-only users

Read-only access rights to the Basic Settings/Troubleshooting page allows the user to download all kinds of debug information, including core files. The "Download" button was not visible for users with read-only rights, even though they could download these files via the API. The button is now shown correctly.

PAM-9693

Limited logging for Citrix ICA connections

Due to an internal error, system logging about Citrix ICA protocols did not work properly. Even though audit recording was unaffected, this made troubleshooting difficult. The problem was fixed and logging now works similarly to other protocols.

PAM-9671

Rare crash when using Remote Desktop Gateway connections

Due to an unhandled race condition, the RDP proxy could crash in very rare cases when a large number of Remote Desktop Gateway connections were open in parallel. The problem was fixed.

PAM-9596

Changes to SIEM forwarder setting not applied

Changes to the configuration of the SIEM forwarder except the initial setup were not applied until rebooting the machine or restarting the service. This is now fixed and all changes take effect immediately.

PAM-9499

Stale RDP connections on the Active Connections page

Since version 5.6, stale RDP sessions can remain unclosed and displayed on the "Active Connections" page. This is now fixed and all RDP sessions are now closed properly.

PAM-9473

Wrong IP address in autogenerated HTTPS certificates

Certificates generated for proxy mode HTTPS connections are using the IP address of SPS (the proxy) instead of the hostname/address of the target server.

PAM-9337

AAA configuration (including root password) is not synchronized to the managed hosts in an SPS cluster

The AAA configuration was blacklisted during the configuration synchronization between the central management and the managed host. This limitation is now solved, and AAA configuration is synchronized to the managed hosts.

The AAA configuration contains the local users (including admin), therefore we added the root password to the synchronized configuration data, too.

PAM-9295

Double check of group membership during public key-based gateway authentication in SSH

When using public-key-based gateway authentication in SSH, the group filtering was performed twice, which could have a significant performance penalty. This is now fixed and this check is done only once.

PAM-9268

Indexing RDP sessions may fail with "Size out of range" errror

RDP sessions with multiple channels sometimes resulted in indexing errors ("Size out of range"). Such audit trails could not be opened in the Desktop Player. This has been fixed.

PAM-9267

Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 cannot be replayed

Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 could not be properly replayed, and contained garbled screens. The error has been corrected, SPS 6.0 now properly record such sessions, so they can be properly replayed.

PAM-9232

Report a more descriptive error message when firmware upload fails

When a firmware upload fails because of insufficient disk space, invalid file uploaded, or a similar error, now a more descriptive message is displayed instead of a generic error message.

PAM-9231

Indexing certain archived sessions fails

Indexing jobs sometimes failed with the "No such file or directory" error message. This occurred when the audit trail of the session has already been archived and the remote archive was not mounted. Now the indexer automatically remounts such archives to complete the indexing.

PAM-9230

Deleting keytabs failed when "Verbose system logs" (debug logging) was turned on

When "Verbose system logs" (debug logging) was turned on, then a server side error prevented deleting keytabs. This has been fixed.

PAM-9224

None

The owner of the configuration lock was not reset within a browser session. As a result, if two different users logged in after each other in the same web browser, and the second user visited the Search > Search or Basic Settings > Cluster management pages, then the System monitor showed that the configuration is locked by

REST@system

, and the user could not edit the configuration.

This problem has been fixed.

PAM-9150

SSH sessions disconnect if SPS cannot find the account in the Credential store

If a credential store was defined for a Connection Policy and SPS could not find an entry for the given target account in the store, it disconnected immediately instead of prompting the client to authenticate. This has been fixed, and now the fallback is triggered properly.

PAM-9128

On an appliance with a Search minion role, generating daily/weekly/monthly reports results in several error e-mails

On an appliance with the Search minion role, when generating reports every Day / Week / Month, selecting "Send reports in e-mail", and attempting to inculde a Search subchapter in the report resulted in receiving several error e-mails from all Search minions that were configured in that cluster environment. The error message in the e-mails was:

"Unknown error: Error while fetching data via REST client, error: Error response got from REST client, status code: 500, reason: The search backend is unaccessible."

This has been corrected, no error messages will be sent.

If you want to include Search subchapters in your reports, generate them on the appliance with the Search master role.

PAM-9001

Searching for audit trails that are not indexed is not working

In some cases if the connection database was big, searching for audit trails that are not indexed on the Search > Search (classic) page did not work properly. (Selecting the 'Not indexed' option in the "Channel's Indexing Status" column resulted in a search query that was never completed.) This has been fixed.

This has been corrected.

PAM-9000

Failed SSH sessions can cause the System Monitor to show negative value as the number of active sessions

When certain incompatible configuration settings are used (for example, GSSAPI authentication with autologin), a failed SSH connection attempt could decrease the active session count, eventually pushing it below zero. This is now fixed and such failed connections don't change the number of active sessions.

PAM-8959

Unnecessary health check warnings in the logs of the Search master node

In central search mode, the proxies are disabled on the Search master node. However, the built-in health check processes still checked the status of the proxies and logged a warning message. This warning is now disabled for search master nodes.

PAM-8857

Generating certificates fails for long host and domain names

SPS generates several certificates internally, and it uses the configured hostname and domain name for the appliance in the Common Name (CN) of these certificates. If any of these were long, the CN could go beyond the 64-character limit of the underlying OpenSSL libraries and the certificate generation failed. The appliance now truncates the strings to make sure the CN stays below the 64-character limit.

PAM-8693

Multiple processing issues fixed in terminal based protocols with CJK characters

The wide characters of CJK alphabets caused issues with command detection, video rendering, screenshot export in HTML, and the follow mode of the Safeguard Desktop Player. These are now fixed.

PAM-8611

Session database upgrade fails for some ICA sessions

Some older versions of SPS saved the protocol information of ICA sessions differently, using the name "CGP" instead of "ICA". The session database upgrade process was not prepared to handle that and moving such sessions to the new database failed. Such sessions are now handled correctly by the upgrade process.

PAM-8465

The RDP domain membership configuration is displayed even if the appliance was not a member of the domain

The RDP domain membership configuration was displayed even if the appliance was not a member of the currently configured domain. From now on, it is displayed only if the appliance is member of the currently configured domain. The status of the appliance (joined or not) is also displayed.

PAM-8372

Insufficient error handling during external indexer initialization

If an indexer failed to start up for some reason, in some scenarios it asked for the password for the decryption key for the trails instead of recognizing and logging the error. This is now fixed and startup errors are handled properly.

PAM-8329

No warnings about encrypted sessions on the new search interface

The Search > Search page did not warn the user if a session could not be played back because it was encrypted and the decryption key was not available in the keystore. This is now fixed and users get a warning that helps them solve the issue.

PAM-7585

"Search subchapters" page only available to the "admin" user

The "Search subchapters" report configuration page was only accessible to the "admin" user. The permission handling of this page has been corrected and it can be accessed by other users as well if they have the required Access Control rights.

PAM-7136

Configuration interface is unresponsive during session database upgrade

The System Monitor shows the status of the session database upgrade process. Unfortunately, the way it queryied the current status was highly inefficient, which could significantly slow down the entire web interface if the database being upgraded was large. The status check is now much more efficient and the UI remains responsive even during the upgrade.

PAM-6204

System requirements

Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択