Deprecated features
The following is a list of features that are no longer supported starting with SPS 6.0.
-
X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.
-
DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.
-
The log ingestion feature of SPS has been removed from the product.
Deprecated features between SPS 5.1 and SPS 5.11
The following is a list of features that are no longer supported starting with SPS 6.0.
|
|
Caution:
Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release. If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1. If you do not know the type of your hardware or when it was purchased, complete the following steps:
|
-
Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.
-
SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:
-
You cannot configure SPS if your browser does not support at least TLSv1.
-
If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.
-
-
Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.
-
Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.
Shorter than 1024-bit SSH keys
Following the upgrade, support for less than 1024-bit SSH keys is lost.
You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.
Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or "Configuring usermapping policies" in the Administration Guide.
Minimum version of encryption protocol for the web UI
The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.
Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.
This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.
Deprecation of RPC API
The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.
Screen content search in sessions indexed by the old Audit Player
It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.
As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.
Resolved issues
The following is a list of issues addressed in this release.
| Resolved Issue | Issue ID |
|---|---|
|
In some cases persisting indexer job status updates and command/title events made a big load on the database which caused big delays in opening new connections through SPS. The way of persisting indexer events to the database was optimized in a way that it should not add delay on new connections. |
PAM-10821 |
|
Error in handling compressed ICA traffic causes the server to terminate the session In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs: 'Compression PD: Unable to expand slab' This has been corrected, the traffic is now handled properly. |
PAM-10781 |
|
Ignore the actual result of the whoami request when checking the availability of an LDAP server To check the availability of an LDAP server, SPS performs a "who am I" query against that server. If that query was disabled on the server, SPS treated the response as a sign of the server being down, even if it was handling other requests properly. This behavior has been changed and SPS now only checks if the server responds at all. |
PAM-10729 |
|
Low idle timeouts on LDAP servers not handled correctly SPS did not correctly handle if an LDAP server closed idle sessions after less than 600 seconds. After this fix, idle timeout settings above 120s work correctly. |
PAM-10674 |
|
Connection data backup not available in the console menu It is possible to manually initiate a backup process from the menu accessible via SSH or the appliance console. Due to a bug, only the system backup option was available there and the option to backup data associated with connection policies (such as audit trails) was not. This is now fixed and all backup options are available again. |
PAM-10576 |
|
Duplicate header appears on the ICA Control > Channel Policies page While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected. |
PAM-10575 |
|
Login page can redirect to arbitrary external sites To streamline the login process, SPS was able to redirect the user to the site they originally wanted to access after a successful login. However, this feature also redirected the user to any URL if the login page was accessed through a properly crafted link. This made phishing attacks against the administrators of SPS easier, so the login page now only redirects to URLs on SPS itself. |
PAM-10560 |
|
On an extremely overloaded machine, the OCR scanning (indexing) process could crash When the machine was so overloaded that the connection between the process that controls the OCR scanning and indexing operation (indexerworker) and the process doing the computation (indexerservice) was lost, the worker process tried to abort the processing but crashed. The index job might be finished successfully later. The problem was fixed and the worker process now handles this outage correctly. |
PAM-10547 |
|
Disk fill-up prevention should always deny incoming connections when limit is reached Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached. |
PAM-10510 |
|
Session verdict is 'auth-fail' after a failed gateway authentication attempt even if it succeeds after a retry If the user enters a wrong password or the gateway authentication attempt failed for another reason, the "verdict" for that session on the search interface remained "auth-failed", even if a second attempt was offered for the user and that succeeded. This logic is now fixed and the final authentication decision is used to decide the verdict of the session. |
PAM-10509 |
|
Console menu does not timeout As a side-effect of an unrelated change, the console menu did not log off idle users after a timeout. This is now fixed and idle sessions are properly terminated. |
PAM-10441 |
|
Transferring files over 4GB not possible over RDP disk redirection Files over 4GB transfers via RDP disk redirection over SPS got corrupted. This is now fixed and both download and upload of larger files is possible. |
PAM-10418 |
|
indexer-service cannot be reloaded multiple times within a short time Reloading indexer-service occasionally returned with a false error message, even though it was actually reloaded. However, if you attempted to reload it again within a short time (within in ~3 seconds), the reload failed. |
PAM-10335 |
|
Core files are generated for ICA sessions In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected. |
PAM-10316 |
|
RDP connection problems with certain client applications If the client did not send a cookie when establishing the initial connection to SPS, SPS sent an invalid cookie to the target server, causing the server to terminate the connection. This has been corrected. |
PAM-10284 |
|
The /api/active-sessions endpoint responds with Internal Server Error (500) The /api/active-sessions endpoint could respond only with Internal Server Error (500) in case of an error during DELETE. From now on the /api/active-sessions endpoint can respond with Not Found Error (404) if the given session id is not found in the list of active sessions. |
PAM-10281 |
|
Misspelled OK buttons on the web interface Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected. |
PAM-10155 |
|
Prevent joining SPS nodes running different firmware versions to a cluster Configuration (and cluster state) synchronization may not work if the Central Management and other cluster nodes are running different versions of SPS. In order to avoid possible misconfiguration, product version compatibility will now be validated during joining nodes to an SPS cluster. |
PAM-10020 |
|
Improved error detection of Elasticsearch database for audit information If the Elasticsearch instance that acts as a backend for the audit database failed to start for some reason, it kept retrying (and failing) and never notified the user about the problem. The problem has been fixed and such problems are properly escalated. |
PAM-10018 |
|
Inaccurate warning when upgrading external indexers When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected. |
PAM-9707 |
|
Content search field does not handle the '<' character Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, such queries are now handled properly. |
PAM-9264 |
|
OpenSSL encryption failure when changing the password of a permanent keystore In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message: 'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62' This has been corrected. |
PAM-8345 |
|
Stopping more data-producing processes when disk fillup prevention is triggered The disk fillup prevention feature in SPS proactively stops traffic passing through if this usage reaches a predefined threshold to avoid more severe errors caused by the disk being filled up completely. Besides ongoing traffic there are several services that also produce data, which are now also stopped, providing further protection. |
PAM-8012 |
| Resolved Issue | Issue ID |
|---|---|
|
bind9:
bzip2:
curl:
db5.3:
dbus:
elfutils:
expat:
ffmpeg:
glib2.0:
gnutls28:
isc-dhcp:
jinja2:
libpng1.6:
libseccomp:
linux:
mysql-5.7:
openjdk-8:
php7.2:
postgresql-10:
python-urllib3:
python2.7:
qtbase-opensource-src:
samba:
sqlite3:
vim:
|
|
|
Inconsistent merge behaviour in configuration sync There were some cases, where a validation error occured during configuration synchronization. This has been fixed, and now System Backup is synchronized under Management, too. |
PAM-9655 |
|
Changing cluster roles may make the product tainted When changing certain cluster roles, the firmware became tainted. This affected the upgrade process when the definition of a role changed between two releases, resulting in tainted firmware. Now this has been fixed. |
PAM-9375 |
|
Report generation can produce duplicate reports If generating a report took more than 30 minutes, it was restarted, causing it to run twice and generate a duplicate report. This has been corrected, now report generation jobs cannot overlap to prevent processing them twice. |
PAM-5477 |
|
The default number of indexer workers was 16 on a newly installed SPS. The default number of indexer workers was 16 on a newly installed SPS. This has been modified, and now the number of CPU cores of the machine is taken into account when deciding the default number of indexer workers. |
PAM-3739 |
|
Disk fill-up prevention should always deny incoming connections when limit is reached Disk fill-up prevention has not denied incoming connections in the following case: IP forwarding was enabled for the NIC where the connection was coming from and a connection policy was configured to 'Use original target address of the client'. This issue has been fixed. All connections are now denied when disk fill-up limit is reached. Forwarded connections that do not match a connection policy, and therefore are not audited still pass trough the appliance even if disk fill-up limit is reached. |
PAM-10039 |
| Resolved Issue | Issue ID |
|---|---|
|
Security package updates bind9:
busybox:
curl:
ffmpeg:
file:
isc-dhcp:
ldb:
libgd2:
libpng1.6:
libxslt:
linux:
lua5.3:
mysql-5.7:
nss:
openjdk-8:
openssh:
openssl1.0:
php7.2:
python-urllib3:
samba:
systemd:
tiff:
walinuxagent:
wget:
|
|
|
Search interface not available after cluster upgrade on certain versions When upgrading the cluster between certain versions, the search functionality was not available after the nodes rebooted. This has been fixed and the search backend starts up properly after a cluster upgrade. |
PAM-9768 |
|
Core file download button not visible for read-only users Read-only access rights to the Basic Settings/Troubleshooting page allows the user to download all kinds of debug information, including core files. The "Download" button was not visible for users with read-only rights, even though they could download these files via the API. The button is now shown correctly. |
PAM-9693 |
|
Limited logging for Citrix ICA connections Due to an internal error, system logging about Citrix ICA protocols did not work properly. Even though audit recording was unaffected, this made troubleshooting difficult. The problem was fixed and logging now works similarly to other protocols. |
PAM-9671 |
|
Rare crash when using Remote Desktop Gateway connections Due to an unhandled race condition, the RDP proxy could crash in very rare cases when a large number of Remote Desktop Gateway connections were open in parallel. The problem was fixed. |
PAM-9596 |
|
Changes to SIEM forwarder setting not applied Changes to the configuration of the SIEM forwarder except the initial setup were not applied until rebooting the machine or restarting the service. This is now fixed and all changes take effect immediately. |
PAM-9499 |
|
Stale RDP connections on the Active Connections page Since version 5.6, stale RDP sessions can remain unclosed and displayed on the "Active Connections" page. This is now fixed and all RDP sessions are now closed properly. |
PAM-9473 |
|
Wrong IP address in autogenerated HTTPS certificates Certificates generated for proxy mode HTTPS connections are using the IP address of SPS (the proxy) instead of the hostname/address of the target server. |
PAM-9337 |
|
AAA configuration (including root password) is not synchronized to the managed hosts in an SPS cluster The AAA configuration was blacklisted during the configuration synchronization between the central management and the managed host. This limitation is now solved, and AAA configuration is synchronized to the managed hosts. The AAA configuration contains the local users (including admin), therefore we added the root password to the synchronized configuration data, too. |
PAM-9295 |
|
Double check of group membership during public key-based gateway authentication in SSH When using public-key-based gateway authentication in SSH, the group filtering was performed twice, which could have a significant performance penalty. This is now fixed and this check is done only once. |
PAM-9268 |
|
Indexing RDP sessions may fail with "Size out of range" errror RDP sessions with multiple channels sometimes resulted in indexing errors ("Size out of range"). Such audit trails could not be opened in the Desktop Player. This has been fixed. |
PAM-9267 |
|
Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 cannot be replayed Audit trails of Citrix ICA sessions using XenApp and XenDesktop 7.15 could not be properly replayed, and contained garbled screens. The error has been corrected, SPS 6.0 now properly record such sessions, so they can be properly replayed. |
PAM-9232 |
|
Report a more descriptive error message when firmware upload fails When a firmware upload fails because of insufficient disk space, invalid file uploaded, or a similar error, now a more descriptive message is displayed instead of a generic error message. |
PAM-9231 |
|
Indexing certain archived sessions fails Indexing jobs sometimes failed with the "No such file or directory" error message. This occurred when the audit trail of the session has already been archived and the remote archive was not mounted. Now the indexer automatically remounts such archives to complete the indexing. |
PAM-9230 |
|
Deleting keytabs failed when "Verbose system logs" (debug logging) was turned on When "Verbose system logs" (debug logging) was turned on, then a server side error prevented deleting keytabs. This has been fixed. |
PAM-9224 |
|
None The owner of the configuration lock was not reset within a browser session. As a result, if two different users logged in after each other in the same web browser, and the second user visited the Search > Search or Basic Settings > Cluster management pages, then the System monitor showed that the configuration is locked by , and the user could not edit the configuration. This problem has been fixed. |
PAM-9150 |
|
SSH sessions disconnect if SPS cannot find the account in the Credential store If a credential store was defined for a Connection Policy and SPS could not find an entry for the given target account in the store, it disconnected immediately instead of prompting the client to authenticate. This has been fixed, and now the fallback is triggered properly. |
PAM-9128 |
|
On an appliance with a Search minion role, generating daily/weekly/monthly reports results in several error e-mails On an appliance with the Search minion role, when generating reports every Day / Week / Month, selecting "Send reports in e-mail", and attempting to inculde a Search subchapter in the report resulted in receiving several error e-mails from all Search minions that were configured in that cluster environment. The error message in the e-mails was: "Unknown error: Error while fetching data via REST client, error: Error response got from REST client, status code: 500, reason: The search backend is unaccessible." This has been corrected, no error messages will be sent. If you want to include Search subchapters in your reports, generate them on the appliance with the Search master role. |
PAM-9001 |
|
Searching for audit trails that are not indexed is not working In some cases if the connection database was big, searching for audit trails that are not indexed on the Search > Search (classic) page did not work properly. (Selecting the 'Not indexed' option in the "Channel's Indexing Status" column resulted in a search query that was never completed.) This has been fixed. This has been corrected. |
PAM-9000 |
|
Failed SSH sessions can cause the System Monitor to show negative value as the number of active sessions When certain incompatible configuration settings are used (for example, GSSAPI authentication with autologin), a failed SSH connection attempt could decrease the active session count, eventually pushing it below zero. This is now fixed and such failed connections don't change the number of active sessions. |
PAM-8959 |
|
Unnecessary health check warnings in the logs of the Search master node In central search mode, the proxies are disabled on the Search master node. However, the built-in health check processes still checked the status of the proxies and logged a warning message. This warning is now disabled for search master nodes. |
PAM-8857 |
|
Generating certificates fails for long host and domain names SPS generates several certificates internally, and it uses the configured hostname and domain name for the appliance in the Common Name (CN) of these certificates. If any of these were long, the CN could go beyond the 64-character limit of the underlying OpenSSL libraries and the certificate generation failed. The appliance now truncates the strings to make sure the CN stays below the 64-character limit. |
PAM-8693 |
|
Multiple processing issues fixed in terminal based protocols with CJK characters The wide characters of CJK alphabets caused issues with command detection, video rendering, screenshot export in HTML, and the follow mode of the Safeguard Desktop Player. These are now fixed. |
PAM-8611 |
|
Session database upgrade fails for some ICA sessions Some older versions of SPS saved the protocol information of ICA sessions differently, using the name "CGP" instead of "ICA". The session database upgrade process was not prepared to handle that and moving such sessions to the new database failed. Such sessions are now handled correctly by the upgrade process. |
PAM-8465 |
|
The RDP domain membership configuration is displayed even if the appliance was not a member of the domain The RDP domain membership configuration was displayed even if the appliance was not a member of the currently configured domain. From now on, it is displayed only if the appliance is member of the currently configured domain. The status of the appliance (joined or not) is also displayed. |
PAM-8372 |
|
Insufficient error handling during external indexer initialization If an indexer failed to start up for some reason, in some scenarios it asked for the password for the decryption key for the trails instead of recognizing and logging the error. This is now fixed and startup errors are handled properly. |
PAM-8329 |
|
No warnings about encrypted sessions on the new search interface The Search > Search page did not warn the user if a session could not be played back because it was encrypted and the decryption key was not available in the keystore. This is now fixed and users get a warning that helps them solve the issue. |
PAM-7585 |
|
"Search subchapters" page only available to the "admin" user The "Search subchapters" report configuration page was only accessible to the "admin" user. The permission handling of this page has been corrected and it can be accessed by other users as well if they have the required Access Control rights. |
PAM-7136 |
|
Configuration interface is unresponsive during session database upgrade The System Monitor shows the status of the session database upgrade process. Unfortunately, the way it queryied the current status was highly inefficient, which could significantly slow down the entire web interface if the database being upgraded was large. The status check is now much more efficient and the UI remains responsive even during the upgrade. |
PAM-6204 |
System requirements
Before installing SPS 6.0, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents: