The following is a list of enhancements implemented in SPS 6.2.

Enhancement | Issue ID |
---|---|
When storing hostnames and fully-qualified domain names in Channel policies, you can now configure SPS to use a custom domain name server to resolve the hostnames. For details, see "Creating and editing channel policies" in the Administration Guide. | |
You can verify the integrity of the plugins uploaded to SPS from the web interface. | |
Enabling debug logging no longer automatically increases the verbosity level of the logs related to the audited network traffic. For details, see "Collecting logs and system information for error reporting" in the Administration Guide. | |
The following is a list of issues addressed in this release.

Resolved Issue | Issue ID |
---|---|
Security package updates: bind9, bzip2, expat, glib2.0, libmspack, linux, mysql-5.7, nss, openjdk-8, openldap, openssl, patch, postgresql-10, python2.7, redis, sqlite3, vim, walinuxagent | PAM-10817 |
Ignore the actual result of the whoami request when checking the availability of an LDAP server: To check the availability of an LDAP server, SPS performs a "who am I" query against that server. If that query was disabled on the server, SPS treated the response as a sign of the server being down, even if it was handling other requests properly. This behavior has been changed and SPS now only checks if the server responds at all. | PAM-10729 |
Low idle timeouts on LDAP servers not handled correctly: SPS did not correctly handle the case where an LDAP server closed idle sessions after less than 600 seconds. After this fix, idle timeout settings above 120s work correctly. | PAM-10674 |
Connection data backup not available in the console menu: It is possible to manually initiate a backup process from the menu accessible via SSH or the appliance console. Due to a bug, only the system backup option was available there and the option to back up data associated with connection policies (such as audit trails) was not. This is now fixed and all backup options are available again. | PAM-10576 |
Login page can redirect to arbitrary external sites: To streamline the login process, SPS was able to redirect the user to the site they originally wanted to access after a successful login. However, this feature also redirected the user to any URL if the login page was accessed through a properly crafted link. This made phishing attacks against the administrators of SPS easier, so the login page now only redirects to URLs on SPS itself. | PAM-10560 |
On an extremely overloaded machine, the OCR scanning (indexing) process could crash: When the machine was so overloaded that the connection between the process that controls the OCR scanning and indexing operation (indexerworker) and the process doing the computation (indexerservice) was lost, the worker process tried to abort the processing but crashed. The index job might be finished successfully later. The problem was fixed and the worker process now handles this outage correctly. | PAM-10547 |
Disk fill-up prevention should always deny incoming connections when limit is reached: Disk fill-up prevention did not deny incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when the disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited, still pass through the appliance even if the disk fill-up limit is reached. | PAM-10510 |
Session verdict is 'auth-fail' after a failed gateway authentication attempt even if it succeeds after a retry: If the user entered a wrong password or the gateway authentication attempt failed for another reason, the "verdict" for that session on the search interface remained "auth-failed", even if a second attempt was offered to the user and that succeeded. This logic is now fixed and the final authentication decision is used to decide the verdict of the session. | PAM-10509 |
Console menu does not time out: As a side effect of an unrelated change, the console menu did not log off idle users after a timeout. This is now fixed and idle sessions are properly terminated. | PAM-10441 |
Transferring files over 4GB not possible over RDP disk redirection: Files over 4GB transferred via RDP disk redirection over SPS got corrupted. This is now fixed and both download and upload of larger files are possible. | PAM-10418 |
indexer-service cannot be reloaded multiple times within a short time: Reloading indexer-service occasionally returned with a false error message, even though it was actually reloaded. However, if you attempted to reload it again within a short time (within ~3 seconds), the reload failed. | PAM-10355 |
Core files are generated for ICA sessions: In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected. | PAM-10316 |
Search interface easier to use on smaller displays: Some of the controls on the search interface were difficult to use on displays with less than 1480 horizontal pixels. The design was made more responsive to accommodate smaller displays, too. | PAM-10285 |
RDP connection problems with certain client applications: If the client did not send a cookie when establishing the initial connection to SPS, SPS sent an invalid cookie to the target server, causing the server to terminate the connection. This has been corrected. | PAM-10284 |
The /api/active-sessions endpoint responds with Internal Server Error (500): The /api/active-sessions endpoint could respond only with Internal Server Error (500) in case of an error during DELETE. From now on, the /api/active-sessions endpoint can respond with Not Found Error (404) if the given session id is not found in the list of active sessions. | PAM-10281 |
Removed deprecated and duplicate fields from the search interface: Many unused or duplicate fields were offered in the selectors on the search interface, which made them difficult to use. That list was reviewed and now only relevant fields are available to be selected. | PAM-10175 |
Disk fill-up prevention should always deny incoming connections when limit is reached: Disk fill-up prevention did not deny incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when the disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited, still pass through the appliance even if the disk fill-up limit is reached. | PAM-10039 |
Prevent joining SPS nodes running different firmware versions to a cluster: Configuration (and cluster state) synchronization may not work if the Central Management and other cluster nodes are running different versions of SPS. To avoid possible misconfiguration, product version compatibility is now validated when joining nodes to an SPS cluster. | PAM-10020 |
Improved error detection of Elasticsearch database for audit information: If the Elasticsearch instance that acts as a backend for the audit database failed to start for some reason, it kept retrying (and failing) and never notified the user about the problem. The problem has been fixed and such problems are properly escalated. | PAM-10018 |
Indexing status does not change on UI after successfully reindexing a failed session: If indexing of an audit trail failed for some reason and reindexing was triggered manually, the status of indexing was never updated on the UI even if reindexing was successful. This has been fixed and the latest and correct indexing status is shown in the interface at all times. | PAM-9753 |
Stopping more data-producing processes when disk fillup prevention is triggered: The disk fillup prevention feature in SPS proactively stops traffic passing through if disk usage reaches a predefined threshold, to avoid more severe errors caused by the disk being filled up completely. Besides ongoing traffic, there are several services that also produce data, which are now also stopped, providing further protection. | PAM-8012 |
The default number of indexer workers was 16 on a newly installed SPS: The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers. | PAM-3739 |
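
The login-page redirect fix listed above (PAM-10560) limits post-login redirects to URLs on SPS itself. The following is an added example, not SPS code, of how a web application can enforce that kind of rule in Python; the function name `safe_redirect_target`, the `/` fallback, and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

FALLBACK = "/"  # assumed default landing page (hypothetical)


def safe_redirect_target(target, fallback=FALLBACK):
    """Return target only if it is an absolute path on this site."""
    if not target:
        return fallback
    # Browsers drop tab/CR/LF and treat "\" like "/", so reject control
    # characters and backslashes before any parsing.
    if any(ord(ch) < 0x20 or ch in "\\\x7f" for ch in target):
        return fallback
    # "//host/path" is scheme-relative and leaves the site; anything not
    # starting with "/" is an absolute URL or an ambiguous relative one.
    if not target.startswith("/") or target.startswith("//"):
        return fallback
    # Defence in depth: the parsed form must carry no scheme or host.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback
    return target


# Constructed sample values for a post-login "return to" parameter.
SAMPLES = [
    "/audit/search?q=ssh",          # local path: kept
    "https://evil.example/login",   # absolute URL: rejected
    "//evil.example/",              # scheme-relative: rejected
    "/\\evil.example",              # backslash variant: rejected
    "/\t/evil.example",             # embedded tab: rejected
    "javascript:alert(1)",          # non-HTTP scheme: rejected
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", safe_redirect_target(sample))
```

Rejected values fall back to a fixed local page rather than raising an error, so a tampered link still results in a normal login.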
Before installing SPS 6.2, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:
Caution: Since the official support of Internet Explorer 9 and 10 ended in January 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.
Caution: Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and Safeguard Desktop Player User Guide.
NOTE: SPS displays a warning message if your browser is not supported or JavaScript is disabled.
NOTE: The minimum recommended screen resolution for viewing the One Identity Safeguard for Privileged Sessions (SPS) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or above these values will guarantee an optimal display of the web interface.
The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.
Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.
The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.
Opening the web interface in multiple browser windows or tabs is not supported.