
One Identity Safeguard for Privileged Sessions 6.0.1 - Release Notes

Deprecated features

The following is a list of features that are no longer supported starting with SPS 6.0.

  • X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.

  • DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.

  • The log ingestion feature of SPS has been removed from the product.

Deprecated features between SPS 5.1 and SPS 5.11

The following is a list of features that are no longer supported starting with SPS 6.0.

Caution:

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you purchased SPS before August 2014 and have not received replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Log in to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request/.

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

  • Support for the Lieberman ERPM credential store has been deprecated; this feature will be removed in the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends using Safeguard for Privileged Passwords instead. For details, contact our Sales Team.

  • SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:

    • You cannot configure SPS if your browser does not support at least TLSv1.

    • If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.

  • Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.

  • Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.

Shorter than 1024-bit SSH keys

Following the upgrade, SSH keys shorter than 1024 bits are no longer supported.
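As an added pre-upgrade check, not part of these release notes or of the product, the following Python script audits an authorized_keys-style list of public keys against the two SSH key deprecations on this page (DSA keys removed; RSA keys shorter than 1024 bits unsupported). It parses the OpenSSH wire format with the standard library only; the sample keys are constructed inside the script and are not real key pairs.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire-format string (4-byte big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_public_key(line):
    """Return (key_type, bits, verdict) for one OpenSSH public-key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype != fields[0]:
        raise ValueError("key type in blob does not match the text field")
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)  # p is the first mpint of a DSA key
        return ktype, int.from_bytes(p, "big").bit_length(), "REJECT: DSA keys are removed in SPS 6.0"
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent, not needed for the size
        n, _ = _read_string(blob, off)     # modulus: its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
        if bits < 1024:
            return ktype, bits, "REJECT: RSA keys shorter than 1024 bits are not supported"
        return ktype, bits, "OK"
    return ktype, 0, "OK"  # ecdsa/ed25519 are not affected by these deprecations

def audit_lines(lines):
    """Audit every non-empty, non-comment line of an authorized_keys-style file."""
    return [audit_public_key(l) for l in lines if l.strip() and not l.startswith("#")]

def _encode_key(ktype, *mpints):
    """Build a constructed sample key in OpenSSH text format (NOT a real key pair)."""
    blob = struct.pack(">I", len(ktype)) + ktype.encode("ascii")
    for v in mpints:
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading zero keeps mpint positive
        blob += struct.pack(">I", len(raw)) + raw
    return ktype + " " + base64.b64encode(blob).decode("ascii") + " sample@example.invalid"

# Constructed sample file: the moduli are synthetic numbers chosen only for their
# bit lengths (2048-bit RSA, 768-bit RSA, 1024-bit DSA p); none is a real key.
SAMPLE_KEYS = [
    "# constructed sample authorized_keys file",
    _encode_key("ssh-rsa", 65537, (1 << 2047) | 1),
    _encode_key("ssh-rsa", 65537, (1 << 767) | 1),
    _encode_key("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3),
]
```

To audit a real file, pass its lines to audit_lines() instead of SAMPLE_KEYS; any REJECT verdict marks a key that will stop working after the upgrade.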

You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.

Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as the username. Configure your servers accordingly, or see "Configuring usermapping policies" in the Administration Guide.

Minimum version of encryption protocol for the web UI

The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.

Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.

As a result, old (and likely unsupported) browsers that cannot negotiate TLS 1.2 will not be able to access the SPS web interface.

Deprecation of RPC API

The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.

Screen content search in sessions indexed by the old Audit Player

It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in release 6.0 (columns: Resolved Issue, Issue ID)

bind9:

  • CVE-2018-5743
  • CVE-2019-6471

bzip2:

  • CVE-2019-12900

curl:

  • CVE-2019-5346

db5.3:

  • CVE-2019-8457

dbus:

  • CVE-2019-12749

elfutils:

  • CVE-2018-16062
  • CVE-2018-16402
  • CVE-2018-16403
  • CVE-2018-18310
  • CVE-2018-18520
  • CVE-2018-18521
  • CVE-2019-7149
  • CVE-2019-7150
  • CVE-2019-7665

expat:

  • CVE-2018-20843

ffmpeg:

  • CVE-2018-15822
  • CVE-2019-9718
  • CVE-2019-9721

glib2.0:

  • CVE-2019-12450

gnutls28:

  • CVE-2018-1084
  • CVE-2018-10844
  • CVE-2018-10845
  • CVE-2018-10846
  • CVE-2019-3829

isc-dhcp:

  • CVE-2019-6470

jinja2:

  • CVE-2019-10906

libpng1.6:

  • CVE-2019-7317

libseccomp:

  • CVE-2019-9893

linux:

  • CVE-2017-5715
  • CVE-2017-5753
  • CVE-2017-5754
  • CVE-2018-12126
  • CVE-2018-12127
  • CVE-2018-12130
  • CVE-2018-16884
  • CVE-2018-3620
  • CVE-2018-3639
  • CVE-2018-3646
  • CVE-2019-11478
  • CVE-2019-11479
  • CVE-2019-3874
  • CVE-2019-3882
  • CVE-2019-9500
  • CVE-2019-9503

mysql-5.7:

  • CVE-2019-2566
  • CVE-2019-2581
  • CVE-2019-2592
  • CVE-2019-2614
  • CVE-2019-2627
  • CVE-2019-2628
  • CVE-2019-2632
  • CVE-2019-2683

openjdk-8:

  • CVE-2019-2422
  • CVE-2019-2426
  • CVE-2019-2602
  • CVE-2019-2684
  • CVE-2019-2698

php7.2:

  • CVE-2019-11034
  • CVE-2019-11035
  • CVE-2019-11036
  • CVE-2019-11039
  • CVE-2019-11040
  • CVE-2019-9637
  • CVE-2019-9638
  • CVE-2019-9639
  • CVE-2019-9640
  • CVE-2019-9641
  • CVE-2019-9675

postgresql-10:

  • CVE-2019-10130
  • CVE-2019-10164

python-urllib3:

  • CVE-2018-20060
  • CVE-2019-11236
  • CVE-2019-11324

python2.7:

  • CVE-2018-1000802
  • CVE-2018-14647

qtbase-opensource-src:

  • CVE-2018-15518
  • CVE-2018-19870
  • CVE-2018-19873

samba:

  • CVE-2018-16860

sqlite3:

  • CVE-2018-20346
  • CVE-2018-20505
  • CVE-2018-20506
  • CVE-2019-8457
  • CVE-2019-9936
  • CVE-2019-9937

vim:

  • CVE-2019-12735

Inconsistent merge behaviour in configuration sync

In some cases, a validation error occurred during configuration synchronization. This has been fixed, and System Backup is now synchronized under Management as well.

PAM-9655

Changing cluster roles may make the product tainted

When changing certain cluster roles, the firmware became tainted. This affected the upgrade process whenever the definition of a role changed between two releases, resulting in tainted firmware. This has been fixed.

PAM-9375

Report generation can produce duplicate reports

If generating a report took more than 30 minutes, the job was restarted, so it ran twice and produced a duplicate report. This has been corrected: report generation jobs can no longer overlap, so a report is not processed twice.

PAM-5477

The default number of indexer workers was 16 on a newly installed SPS.

The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers.

PAM-3739

Disk fill-up prevention should always deny incoming connections when limit is reached

Disk fill-up prevention did not deny incoming connections in the following case: IP forwarding was enabled on the NIC the connection arrived on, and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed, and all connections are now denied when the disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and are therefore not audited, still pass through the appliance even when the disk fill-up limit is reached.

PAM-10039

System requirements

Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:
