
One Identity Safeguard for Privileged Sessions 6.0.10 - Release Notes

Deprecated features between SPS 5.1 and SPS 5.11

The following is a list of features that are no longer supported starting with SPS 6.0.10.

Caution:

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you purchased SPS before August 2014 and have not received replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Log in to SPS.

  2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request/.

  4. Upload the file you downloaded from SPS in Step 1.

  5. We will check the type of your hardware and notify you.

  • Support for the Lieberman ERPM credential store has been deprecated; this feature will be removed in the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends using Safeguard for Privileged Passwords instead. For details, contact our Sales Team.

  • SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:

    • You cannot configure SPS if your browser does not support at least TLSv1.

    • If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client and server applications must support at least TLSv1.

  • Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.

  • Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.

Shorter than 1024-bit SSH keys

Following the upgrade, SSH keys shorter than 1024 bits are no longer supported.
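To find keys that the DSA deprecation above and the 1024-bit minimum affect before upgrading, the following added example (not SPS code) parses OpenSSH public-key lines in the SSH wire format and reports the RSA modulus or DSA prime size. The sample keys are constructed from synthetic numbers only so that the parser can be run offline; they are not real key pairs.

```python
import base64
import struct

def _encode_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _encode_mpint(n: int) -> bytes:
    # SSH mpint: big-endian two's complement; a positive value whose high bit is set gets a leading 0x00
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _encode_string(raw)

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_info(pubkey_line: str):
    """Return (key type, key size in bits) for one OpenSSH authorized_keys line."""
    blob = base64.b64decode(pubkey_line.split()[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent
        n, _ = _read_string(blob, off)      # modulus: its bit length is the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)      # DSA prime p determines the key size
        return ktype, int.from_bytes(p, "big").bit_length()
    return ktype, None                      # other types are not covered by these deprecations

def audit(pubkey_line: str, min_bits: int = 1024) -> str:
    ktype, bits = key_info(pubkey_line)
    if ktype == "ssh-dss":
        return "deprecated: DSA key"
    if bits is not None and bits < min_bits:
        return f"unsupported: {ktype} key is {bits} bits (< {min_bits})"
    return "ok"

def make_line(ktype: str, *mpints: int) -> str:
    # Build a key line from synthetic integers (constructed samples, not real keys)
    blob = _encode_string(ktype.encode()) + b"".join(_encode_mpint(m) for m in mpints)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed-sample"

RSA_2048 = make_line("ssh-rsa", 65537, (1 << 2047) | 0x10001)
RSA_768 = make_line("ssh-rsa", 65537, (1 << 767) | 1)
DSA_1024 = make_line("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)

if __name__ == "__main__":
    for line in (RSA_2048, RSA_768, DSA_1024):
        print(key_info(line), audit(line))
```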

You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.

Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS.

Minimum version of encryption protocol for the web UI

The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.

Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.

As a result, old (and likely unsupported) browsers that do not support TLS 1.2 might not be able to access the SPS web interface.

Deprecation of RPC API

The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.

Screen content search in sessions indexed by the old Audit Player

It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in release 6.0.10

Each entry below lists the resolved issue followed by its Issue ID.

RDP connection setup is unreliable with long user names

Initiating Remote Desktop connections with user names longer than 128 characters was unreliable: the client either connected without issues or showed an error dialog right after trying to start the connection.

Sessions initiated from Safeguard for Privileged Passwords use long user names and were affected.

The issue with the Remote Desktop Protocol implementation has been fixed and the connection setup is reliable now with long user names as well.

Issue ID: PAM-14281

Downloading a certificate or key in DER format could provide an unparsable file for some certificates and keys

When a certificate or key was downloaded from the Web interface in DER format and the resulting binary blob ended with bytes that could be interpreted as ASCII whitespace or NULL (0x00, 0x09, 0x0a, 0x0b, 0x0d, 0x20), then those bytes were truncated, resulting in an invalid file. This has been fixed.

Issue ID: PAM-14227
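A file damaged by the truncation described above is easy to detect, because the outermost DER element declares its own length. The following added example (not SPS code) reproduces the described stripping of trailing whitespace and NUL bytes on a constructed DER sample and checks a file against its declared length; the helper names are assumptions.

```python
def der_declared_length(data: bytes) -> int:
    """Total size (tag + length header + content) that the outermost DER element claims."""
    if len(data) < 2:
        raise ValueError("too short to be DER")
    first = data[1]
    if first < 0x80:                 # short form: this byte is the content length
        return 2 + first
    n = first & 0x7F                 # long form: the next n bytes hold the content length
    if n == 0 or len(data) < 2 + n:
        raise ValueError("invalid or truncated length header")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_der(data: bytes) -> str:
    """Compare the declared length with the actual file size."""
    declared = der_declared_length(data)
    if declared > len(data):
        return f"truncated: header declares {declared} bytes, file has {len(data)}"
    if declared < len(data):
        return f"trailing data: {len(data) - declared} extra bytes"
    return "ok"

# The byte set the release note lists as wrongly stripped from the end of the download
STRIPPED = b"\x00\x09\x0a\x0b\x0d\x20"

def buggy_download(der: bytes) -> bytes:
    # Constructed reproduction of the defect: whitespace/NUL trimming applied to binary data
    return der.rstrip(STRIPPED)

# Constructed DER sample: SEQUENCE { INTEGER 10, OCTET STRING 20 00 }, whose content ends in 0x20 0x00
SAMPLE = bytes.fromhex("300702010a04022000")

if __name__ == "__main__":
    print(check_der(SAMPLE))                  # ok
    print(check_der(buggy_download(SAMPLE)))  # truncated: header declares 9 bytes, file has 7
```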

The missing host key for "scb-other" has been added to the configuration to prevent the administrator from having to manually verify host keys when navigating between HA nodes

When the administrator attempted to log in to the HA pair from an SPS node, the host key verification was up to the administrator. This was caused by the missing key value for the "scb-other" hostname. However, it worked correctly when the IP addresses, or the "scb1", or the "scb2" hostnames were used specifically.

This fix makes the login easier and more convenient by allowing the "scb-other" hostname to be used regardless of the current node allocation. The "scb-other" hostname can be used to SSH from any of the nodes because the related host key is already known to the originating SSH client.

Issue ID: PAM-13773

The fix prevents unwanted exceptions from appearing in the logs, which were previously (and rarely) caused by unavailable internal services during SNMP-related email sending

Rarely, SNMP traps can be sent before the whole system has completely booted. In these cases, if the system is configured to send SNMP traps in email, the business logic could attempt to connect to the internal service responsible for email sending before that service had started and was ready to deliver emails.

The change prepares the sending part for these cases and ensures that email sending, even in these corner cases, is more reliable.

Issue ID: PAM-13541

SWAP monitoring could send false alarms through email and/or SNMP for appliances where no SWAP was configured, mostly affecting virtual machine-based SPS appliances

Due to an upstream bug, the SNMP monitoring rarely sent out false alarms each time the appliance was restarted or the monitoring-related configuration was changed. This only happened when the SWAP available on the system was 0 bytes (SWAP was disabled) and that value was compared to the configured threshold. The upstream issue was in the comparison of these values: the alert was also sent when the values were equal, not only when the available SWAP was below the configured threshold.

Issue ID: PAM-13156

Possible RDP connection failure when a TLS certificate with an RSA key greater than 2048 bits is configured

When "Use the same certificate for each connection" was configured for an RDP connection policy with TLS enabled, and the uploaded RSA private key was greater than 2048 bits, an error could occur in the licensing protocol, and cause the client to terminate the connection.

This has been fixed: licensing no longer depends on the TLS certificate.

Issue ID: PAM-12751

Pipeline exceptions issue

In case of an error, the pipeline restarted indefinitely. This has been fixed and now the pipeline will move to a failed state after 2 hours of trying. This way, the error will be visible, and can be addressed.

Also, reloading the pipeline is now working properly.

Issue ID: PAM-12528

Preventing OOM killer from force-stopping Elasticsearch in a low memory scenario

It was necessary to prevent OOM killer from force-stopping Elasticsearch in a low memory scenario, because if Elasticsearch was force-stopped, it could cause translog corruption.

Issue ID: PAM-12510

Event processing error

Some special mouse buttons were not handled correctly by the analytics pipeline, which has now been fixed.

Issue ID: PAM-12276

If the disk was full, the queuing system on SPS could not start

If the disk was full, the queuing system on SPS could not start, and traffic could not go through it. This issue has been solved by having a safety margin on the disk, to prevent the disk from being fully written.

Issue ID: PAM-11253

System requirements

Before installing SPS 6.0.10, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January, 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11 and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and the Safeguard Desktop Player User Guide.

NOTE:

SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE:

The minimum recommended screen resolution for viewing One Identity Safeguard for Privileged Sessions's (SPS's) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or are above these values will guarantee an optimal display of the web interface.

Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.
