Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.9.3 - Release Notes

Deprecated features

The Splunk forwarder is deprecated

The Splunk forwarder is deprecated as of Safeguard for Privileged Sessions(SPS) 6.7 and will be removed in an upcoming release. One Identity recommends using the universal SIEM forwarder instead.

Content policy biometrics are deprecated
  • Pointing device biometrics - DEPRECATED: This feature is deprecated. Use the same option in Indexer Policies instead.

  • Typing biometrics - DEPRECATED: This feature is deprecated. Use the same option in Indexer Policies instead.

Arguments of Authentication and Authorization and Credential Store plugins that begin with target_ have been deprecated

These arguments were deprecated because the target_host or target_server arguments either contained a hostname or an IP address.

Now, new arguments have been added to the Authentication and Authorization and Credential Store plugins to replace deprecated arguments. The new argument names explicitely define the values they contain. That is, a server_ip argument will always contain an IP address, and a server_hostname argument will always contain a hostname.

The deprecated arguments are the following:

Authentication and Authorization plugin: get_password_list and get_private_key_list input arguments:

  • target_username

  • target_host

  • target_port

  • target_domain

Credential Store plugin: authorize method:

  • target_server

  • target_port

  • target_username

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.9.3
Resolved Issue Issue ID

Resolving SPS IP address in content subchapter configuration has been fixed

To display links to sessions recorded by SPS in reports, the IP address of the SPS appliance has to be resolved and presented in the content subchapter configuration.

Previously, it was always the physical address of the default network interface (eth0) that was used as the IP address of SPS, which in rare cases, when a customer configured and used another network interface to access SPS, caused an error during the presentation of the subchapter configuration.

This issue has been fixed by using the first available SPS IP address from Basic Settings > Local Services > Web Login (Admin and User), which always points to a valid and usable IP address.

PAM-14500

Backward compatibility issue in custom subchapter configuration change has been fixed

To display tables without row numbers in SPS reports, the custom subchapter configuration had to be modified. This modification added a new chart type for tables without row numbers. However, backward compatibility with older subchapter configurations was not addressed properly, which caused an error during firmware upgrade.

This has been fixed and previously created subchapter configurations can be used as well.

PAM-14495

RDP connections through SPS fail to authenticate with target user names present in multiple domains

SPS did not forward the domain name information properly when authenticating to remote desktop servers with Network Level Authentication.

This caused connection issues if the username did not uniquely identify a target user. This issue has been fixed.

PAM-14493

Table 2: General resolved issues in release 6.9.2
Resolved Issue Issue ID

RDP connection setup is unreliable with long user names

Initiating Remote Desktop connections with user names longer than 128 characters were unreliable: the client either connected without issues or showed an error dialog right after trying to start the connection.

Sessions initiated from Safeguard for Privileged Passwords use long user names and were affected.

The issue with the Remote Desktop Protocol implementation has been fixed and the connection setup is reliable now with long user names as well.

PAM-14281

Table 3: General resolved issues in release 6.9.1
Resolved Issue Issue ID

Incorrect parsing inband data with down-level usernames in RDP

When using down-level usernames containing key-value pairs in the form of DOMAIN\key1~value1%username, the domain name was not parsed properly, leading to issues with configurations for the AA plugins.

This has been fixed.

PAM-14200

Table 4: General resolved issues in release 6.9.0
Resolved Issue Issue ID

The SPS RDP proxy terminated abruptly when trying to copy more than 8192 files over the clipboard

When trying to copy more than 8192 files over the clipboard redirection of a Remote Desktop Protocol connection, the SPS proxy handling the connection terminated abruptly.

This limit was too low; therefore, it has been increased to 32768 files and the proxy now properly reports an error and does not terminate abruptly.

PAM-13896

Harden grub password hash generation

Fixed a potential security issue, where the box would generate a grub password without proper salting and insufficient HMAC iterations.

Details of the new password:

- PBKDF2-SHA512

- 300000 iterations

- 32 bytes of cryptographically secure random salt

PAM-13891

SPS does not handle properly the domain name autologon suffix on the interactive interface

When handling autologon credentials, SPS did not remove properly the domain name autologon suffix on the interactive interface, which lead to credentials not being looked up properly for the automatic logon.

This has been fixed.

PAM-13804

The missing host key for "scb-other" has been added to the configuration to prevent the administrator from having to manually verify host keys when navigating between HA nodes

When the administrator attempted to log in to the HA pair from an SPS node, the host key verification was up to the administrator. This was caused by the missing key value for the "scb-other" hostname. However, it worked correctly when the IP addresses, or the "scb1", or the "scb2" hostnames were used specifically.

This fix makes the login easier and more convenient by allowing to use the "scb-other" hostname, regardless of the current node allocation. The "scb-other" hostname can be used to SSH from any of the nodes because the related host key is already known by the origin SSH client.

PAM-13773

If the SNMP service was enabled in Local Services, the disk-related information was not included

If the SNMP service is enabled in Local Services, the disk-related information, such as, free space and total capacity, is now reported when the SNMP server is queried.

PAM-13741

The HTTP service aborts with "Fatal Python error: deallocating None"

Under certain circumstances, the HTTP proxy on SPS printed "Fatal Python error: deallocating None" to the logs and aborted while generating a core dump.

The underlying reference counting issue has been fixed.

PAM-13727

The GSSAPI gateway authentication could be skipped in some SSH connections

The authentication state machine in the SPS SSH proxy contained an error that could be used to skip the actual GSSAPI authentication of the client and go on with connecting to the server.

This has been fixed.

PAM-13715

The UI needs all private keys to decrypt screenshots

The user was unable to decrypt screenshots with one key because the UI does not handle the 'OR' and 'AND' relationships between encryption certificates in screenshot decryption.

This issue has been fixed.

PAM-13627

The Session Timeline page contents filter is not linkable

The Session Timeline page contents filter is not linkable, this causes redirection to the 'All' filter.

PAM-13626

Structured information in xcbLoginFailure SNMP trap

The xcbLoginFailure SNMP was emitted with all the information in the description field. According to the relevant MIB object definiton, the following should be in separate fields:

- description

- username

- peerAddress

This has been corrected.

PAM-13606

On the refactored Vault /SPP/ details page, there was no `Back to search` option

There was no `Back to search` option on the refactored vault details page. This is now fixed and it is consistent with a basic session details page.

PAM-13604

SPS was logging a Python backtrace if the DNS lookup for the target name of an SSH server failed

The SSH proxy of SPS was missing an additional check, which lead to a Python traceback being printed in the log.

This has been fixed.

PAM-13597

The search query input field on the refactored subchapter create side-sheet was not able to fully display long search queries

The input field was changed to a bigger text area with dynamic height.

PAM-13594

SSH connections abort after receiving an incorrectly encoded keyboard-interactive response

The SSH proxy on SPS did not properly handle non-UTF-8 input in keyboard-interactive authentication responses. Receiving such a value triggered abortion of the process, termination of all running SSH sessions, and generated a core file.

This has been fixed.

PAM-13550

The fix prevents some unwanted exceptions to be present in the logs, previously, rarely caused by unavailable internal services during SNMP-related email sending

Rarely, it can happen that the SNMP traps are sent before the whole system completely boots up. In these cases, if the system is configured to send SNMP traps in email, it could happen that the business logic attempted to connect to an internal service responsible for email sending before it was started and waiting for emails to deliver.

The change prepares the sending part for these cases and ensures that email sending, even in these corner cases, is more reliable.

PAM-13541

Fixing wording issues reported on the cluster management page

Wording issues reported on the cluster management page were fixed.

PAM-13522

None

Sometimes, the search field does not suggest fields based on the input texts. This issue has been fixed.

PAM-13519

Subchapter needs to be reloaded after renaming

After we renamed a subchapter, the name was not refreshed automatically, but the whole page had to be refreshed.

This issue has been fixed.

PAM-13485

Although the user has edit rights for the PCI-DSS report, the user is unable to edit the PCI-DSS report

The problem was that the PCI-DSS report creation was not based on the rights for the PCI-DSS, but on the rights for editing the custom reports. This is fixed now, the permission is separated on the report page.

PAM-13459

The chapter name must be unique

Previously, if a chapter name was not unique, the server responded with error 500 if the user tried to commit the duplicate chapter name. The error 500 message was not informative enough for the users. This issue has been corrected. In the current operation, if the users enter a chapter name that is not unique, the 'Chapter name must be unique' error message is displayed in the form, below the Chapter name field.

PAM-13451

Fix the image download problem in IE11

Previously, a user was unable to download a screenshot in IE11. With this fix, now a picture can be downloaded or opened from the timeline tab of the session.

PAM-13447

SPS was logging a Python backtrace if a DNS lookup for the target name of a Telnet server failed

The Telnet proxy of SPS was missing an additional check, which lead to a Python traceback being printed in the log.

This has been fixed.

PAM-13445

There was no information about the cluster status page when it was disabled

The cluster page was empty when the feature was disabled.

This issue has been fixed.

PAM-13411

The trust store delete error message was not understandable

The error message has been fixed.

PAM-13370

Automatic reconnection to an RDP session after network issues fails in certain SPS configurations

If the interactive RDP interface of SPS is in use, automatic reconnection to RDP sessions did not work and logged a Python traceback.

This has been fixed: no traceback is printed in the log, and reconnection is possible if it is done within 10 seconds.

PAM-13318

Download reports header misalignment in Internet Explorer 11

The reports download page header is misaligned in Internet Explorer 11 and that caused usability issues. This issue has been fixed.

PAM-13299

Events are no longer saved to metadb and sent to the portal

Events are no longer saved to metadb and sent to the portal from Zorp using content policies, instead we rely on indexers. To achieve near-real-time behavior, make sure to enable indexing with near real-time priority for the affected connections. Alerts are still handled in the same way as before.

PAM-13056

Inconsistent memory reporting on Web UI and REST API

The REST API and the Web UI used slightly different metrics to report the available free memory on the system. The /api/health-status endpoint on the REST API has been extended to provide additional details about the system, such as processor usage and various memory figures. (Check the documentation for details.) The Web UI in turn has been changed to use the same metrics as the Health Status API.

Note that SNMP alerts still use slightly different metrics when calculating the available free memory, as the calculation algorithm is fixed in the definition of the message. Also, the figures reported show a snapshot of the different usage metrics. The actual resource consumption may change more rapidly than it is possible to report.

PAM-13012

On the SSH Keys page, the filter disabled new items

It was not possible to add a new SSH host key when the filter was on.

This issue has been fixed.

PAM-12964

When a keystore was set up, on IE11, the screenshots were in an endless loading mode

The user was unable to unlock the keystore with the given credentials because of an endless loading. This was resolved in IE11, now the lock and the unlock method is displayed correctly.

PAM-12949

Possible RDP connection failure when a TLS certificate with an RSA key greater than 2048 bits is configured

When "Use the same certificate for each connection" was configured for an RDP connection policy with TLS enabled, and the uploaded RSA private key was greater than 2048 bits, an error could occur in the licensing protocol, and cause the client to terminate the connection.

This has been fixed, licensing no longer depends on the TLS certificate.

PAM-12751

Documentation links fixed

Some of the documentation links on the web interface pointed to an invalid site. This has been fixed.

PAM-12583

Table 5: General resolved issues for the Safeguard Desktop Player in release 6.9.0
Resolved Issue Issue ID

The displayed ZAT/ZATX date does not contain the timezone of the host anymore

Now the date information is displayed in the same way on every platform and it does not contain the timezone information of the host. The localized name of the day and month are in a short form and use the system language.

PAM-12589

SDP did not work on macOS Big Sur beta

From now on, SDP requires macOS Catalina (10.15) or newer.

PAM-13039

TN3270 has been extended with new codecs

TN3270 now correctly parses EBCDIC 835, 937, 939, 947, and 964 codecs.

PAM-12614

Table 6: General resolved issues in release 6.8.0
Resolved Issue Issue ID

SPS now supports certificate chains with keys other than RSA/DSA.

When a certificate chain is uploaded (for example, as the web server certificate), SPS verifies that the entire certificate chain is valid. A certificate chain is considered valid if it does not include weak certificates and a trust relationship exists between them.

Previously, certificate chain validation has worked only for certificates that had RSA and DSA public keys. Other chains have been rejected with a No such digest method error message. This issue is now fixed so that every certificate chain that can be verified by OpenSSL 1.1.1 is now accepted.

PAM-13154

Fixed memory leak during HTTP WebSocket connections.

Previously, memory leak could occur during audit-enabled HTTP WebSocket connections under certain conditions. This issue is now fixed.

PAM-13086

Fixed screenshot preview reload issues on the Events tab of the Search interface with the introduction of the new Timeline tab.

Previously, recorded screenshots sometimes unexpectedly reloaded on the Search > Events tab. This issue has been fixed following the introduction of the new Timeline tab, superseding the former Events, Alerts and Contents tabs.

PAM-13079

Fixed an issue resulting in the Search > Details tab showing an invalid indexing status for certain sessions.

Previously, when configuring a connection policy without indexing, the Search > Details tab could show an invalid indexing status for some sessions of the connection (namely, showing the Auditing not enabled message instead of Session indexing not required in the Indexing status field). This issue is now fixed to ensure that the Indexing status field always shows the correct monitoring information for each session.

PAM-13040

Fixed a potential Permission denied error on the Sessions > Details > Analytics tab.

Previously, if you have tried opening the Analytics tab of a session in Sessions > Details with a user that belonged to a user group with a specific set of permissions, you could receive a Permission denied error, preventing you to check the contents of the Analytics tab. This issue has been fixed so that the Analytics tab appears only if your user has the proper permissions to access it.

PAM-13014

Fixed an issue where the user interface sometimes remained interactable while a commit was in progress.

In certain cases, it could happen that the SPS UI remained interactable while a configuration change commit was in progress. This has been fixed by adding an overlay to the UI that prevents navigation while the commit is in progress.

PAM-12786

The password of the admin user can now be changed over the REST API when using an LDAP user database.

Previously, when an LDAP user database was configured, you could not change the password of the admin user via the REST API. This has been fixed by having the admin user always authenticated locally, so you can always change its password using an LDAP user database.

NOTE: Changing the password of normal users is still not supported in such cases.

PAM-12706

Improved application proxy and message queuing data collection.

The data collection process related to the internal application proxy and the message queuing subsystem has been improved to provide a deeper insight for SPS product experts for troubleshooting. The collected data is available in the generated support bundle.

PAM-12686

Added rollback feature to firmware update process.

To make the firmware update process more fault-tolerant, the procedure has been enhanced with a rollback feature. The rollback feature restores the original firmware, if the firmware update procedure fails on any node of a High Availability SPS cluster.

PAM-12681

Fixed an issue where the Unsaved changes popup dialog prevented automatic logout in case of an idle session.

SPS has an automatic logout feature that closes the user login session if no user interaction is detected for 5 minutes. However, previously, if the Unsaved changes popup dialog remained open, it prevented the automatic logout popup dialog from appearing and then closing the idle session. This has been fixed so that idle sessions are now automatically logged out, even if the Unsaved changes popup dialog is also open.

PAM-12588

Fixed the aspect ratio of screenshots in the Search interface on Internet Explorer 11 browsers.

Previously, the screenshots shown on the former Contents tab of the Search interface could appear with an incorrect aspect ratio when using Internet Explorer 11. This has been fixed so that captured screenshots now always appear with the correct aspect ratio on the new Timeline tab of the Search interface.

PAM-12529

Python tracebacks are now immediately printed to the log.

Zorp processes print tracebacks into the log for certain error types that provide detailed information about the error. However, in some cases, these tracebacks have not been printed until the Zorp process was stopped.

This issue is now fixed, so tracebacks are now logged immediately.

PAM-12359

Removed a harmless error message that could occur when executing large archiving jobs concurrently.

When an archive job affected a large amount of data, it could occur that multiple archive processes worked on the same directory. In certain cases, when these processes handled the existence and creation of specific directories in parallel, a race condition could occur, resulting in a Failed to create archive directory error message when the processes attempted to create the directories the second time. This error message was then logged and (depending on the active configuration) could be sent out in an e-mail or as an SNMP alert.

To solve this issue, One Identity increased the robustness of directory checking and creation in this release.

PAM-12344

Fixed the unnecessary horizontal scroll of the Basic System > Network page.

Previously, the Basic System > Network page was always scrollable horizontally, even if the contents of the page were completely visible. This has been fixed so that horizontal scrolling is enabled only if the contents of the screen do not fit the size of the browser window.

PAM-11709

Linking a Safeguard for Privileged Passwords (SPP) node to SPS now redirects to the new SPS UI.

Previously, when linking an SPP node to SPS via the Cluster management settings, the redirect URL loaded the old SPS UI once the SPP node sent the authentication information to SPS. This is now fixed, so once SPP has been linked to SPS, the current SPS UI loads.

PAM-11707

Fixed an internal error that could occur when opening the User Menu > Private Keystore tab after configuring a new passphrase.

When you created a new passphrase in the User Menu > Private Keystore tab, it could occur that reopening the Private Keystore tab after logging out and logging in again resulted in a Passphrase Invalid error message. Reloading the last page or the main page then redirected to the old UI. This issue is now fixed with the redesign of the User Menu.

PAM-11476

Fixed the issue of clicking Go back on the Search interface clearing the configured search filters or opening the page you visited before the Search interface.

When you checked session data on the Search interface with custom filters (such as a date range or a search expression) configured, it could occur that opening the details of a session with the Details button and then clicking the Go back button resulted either in the filter settings being reset, or opening the UI page that you visited before opening the Search interface. This issue has been fixed with the redesign of the Search interface, and the Go back button has also been renamed to Search results.

PAM-11256

Fixed interference between the Go back button of the SPS UI and the Back button of the web browser.

When checking the details of the sessions listed in the Search > Details page, it could occur that clicking the Go back button on the Details page opened the Details page of the previously viewed session instead of going back to the Search interface. This scenario happened if you previously navigated from the Details page of the previous session back to the Search interface with the Back button of the web browser instead of the Go back button of the SPS UI. This issue has been fixed with the redesign of the Search interface, so that clicking the Back button of the browser no longer interferes with the Go back button of SPS (now known as Search results).

PAM-10283

Fixed the Generate video (now known as Start rendering) button missing from the Search > Details page for SSH connections with a Session exec channel type.

Previously, when opening the Details page of an SSH session on the Search interface, the Generate video button has been missing for SSH sessions with a Session exec channel type. This has been now fixed, so that the button (now known as Start rendering) always appears for such channels if they have renderable content.

PAM-10245

Fixed an issue with the drop-down filter combo boxes on the Search interface being reset after clicking Go back on the Details page of a session.

Previously, when setting up a Simplified Search via drop-down combo boxes, the configured combo boxes were reset to their default empty state after you clicked Go back on the Details page of a selected session. This has been fixed with the redesign of the Search interface, so opening the Details page of a session and then returning to the Search interface with the Search results button now longer resets the configured search filters.

PAM-10212

Fixed misleading search bar in the Details page of the Search interface.

Previously, when checking the details of a session in the Search interface by clicking the Details button of a session, opening the Contents tab showed a content search bar, even if the session contained no searchable content (for example, because of lightweight indexing or the lack of any audit trails). This issue has been fixed during the redesign of the Search interface: now the new Search > Details > Timeline tab displays a No results found message if no searchable content is available for the selected session.

PAM-9890

Changing RDP domain membership settings over REST API did not persist.

You can configure RDP domain membership over the REST API, except for actually joining the domain.

When you changed RDP domain membership using the REST API, and you committed the changes, the configuration has been applied. However, it has not been persisted, which resulted in reverting to the previous RDP domain settings shortly thereafter, for example after committing changes on the web UI.

This has been fixed, so that changing RDP domain membership settings on the REST API now properly persists.

NOTE: Joining the domain using the REST API is still not supported.

PAM-4827

Fixed the IPv6 Add button of the Basic Settings > Network > Routing table setting not being visible in lower screen resolutions.

Previously, when opening the SPS UI on screens using a resolution width of 1024 pixels (for example, 1024x768), the Add button of the IPv6 routing settings in Basic Settings > Network > Routing Table was not visible. The Routing Table interface has been modified to resolve this problem.

PAM-4779

Fixed text wrapping to make tables in PDF reports always fit the page.

Previously, when generating PDF reports in Reporting > Create & Manage Reports, it could occur that the tables in the report PDF downloaded via Reporting > Download Reports did not fit the page and were truncated. This has been fixed by wrapping the text in the tables, ensuring that their content fits the page of the PDF document.

PAM-3364

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 7: Safeguard Desktop Player known issues
Known Issue

The Safeguard Desktop Player has rendering issues with bad opengl drivers on Windows, for example, when running a Windows 10 guest on a Linux host (VirtualBox).

This only affects the Windows version and mostly the virtual environments, however, the root cause is the bad opengl driver.

A quick workaround is to set a QT_OPENGL=angle system wide environment variable.

Related to Safeguard for Privileged Passwords (SPP): You cannot use the Safeguard Desktop Player version 1.10.11 to replay audit trails initiated from SPP. Alternatively, use the Safeguard Desktop Player 1.9.27.

System requirements

Before installing SPS 6.9.3, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating