The following is a list of features that are no longer supported starting with SPS 6.0.11.
|
|
Caution:
Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.
If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.
If you do not know the type of your hardware or when it was purchased, complete the following steps:
-
Login to SPS.
-
Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.
-
Open a ticket at https://support.oneidentity.com/create-service-request/.
-
Upload the file you downloaded from SPS in Step 1.
-
We will check the type of your hardware and notify you. |
-
Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.
-
SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:
-
You cannot configure SPS if your browser does not support at least TLSv1.
-
If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.
-
Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.
-
Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.
Shorter than 1024-bit SSH keys
Following the upgrade, support for less than 1024-bit SSH keys is lost.
You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.
Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS.
Minimum version of encryption protocol for the web UI
The Basic Settings > Local Services > Required minimum version of encryption protocol option has been removed. This option governed the encryption protocol required to access the SPS web interface.
Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.
This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.
Deprecation of RPC API
The RPC API is deprecated as of SPS 5 F7 and will be removed in an upcoming feature release. One Identity recommends using the REST API instead.
Screen content search in sessions indexed by the old Audit Player
It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.
As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.
The following is a list of issues addressed in this release.
Table 2: General resolved issues in release 6.0.11
|
The authentication cache needs to be updated only when the authentication is not done from the cache.
The authentication cache was updated every time a user was authenticated, therefore, the soft_limit always equaled the hard_limit.
This issue has been fixed and now the cache is only updated when the authentication is not done from the cache. |
PAM-15016 |
|
The Terminate button did not disappear from the UI when the session was terminated.
Now, after the Terminate button is clicked and the session is terminated, the Terminate button disappears, and the Generate button is displayed. |
PAM-14974 |
|
SPS did not allow to delete the referred policy, as the related checks were slow and were executed at the page loading, which could look like a system error.
SPS did not allow to delete the referred policy. In case of archive policies, even the record of the audit trails are checked, which can be very slow. This check was executed when the page was loading, which could look like a system error from the users' perspective.
With this fix, SPS checks the archive policy - audit trail integrity at the delete request, and the loading of the page does not get stuck. |
PAM-13970 |
|
Uninformative and noisy logs were created when the cluster nodes failed to synchronize policies or cluster configuration from the central management node, which was typically due to transient errors.
When a typically transient problem (for example, an administrator holding the configuration lock on the web user interface temporarily) prevented an SPS cluster node from updating its policies or cluster configuration from the central management node, then a traceback was logged in syslog without any information about the root cause of the problem. This has been fixed, so transient problems only trigger a shorter log message, which also contains information about the root cause. |
PAM-13599 |
|
On certain endpoints, in incomplete request bodies, the REST API silently filled missing configuration elements with default values.
For certain endpoints, incomplete configurations were accepted and the missing values were silently filled in with the default values. This has been fixed.
The affected endpoints were:
-
/api/configuration/aaa/local_database/users/
-
/api/configuration/http/settings_policies/
-
/api/configuration/mssql/settings_policies/
-
/api/configuration/ssh/connections/ |
PAM-13542 |
|
Incorrect fallback to secondary DNS server if the lookup returned no results (NXDOMAIN)
When a connection is started, SPS looks up host names and IP addresses of the client and the server. If a lookup returned no results (that is, the DNS lookup result was NXDOMAIN), SPS incorrectly switched to the secondary name server.
This has been fixed, failover to the secondary name server now only happens when the result is an actual error (that is, SERVFAIL, timeout, or similar errors). Additionally, host names with no dots in them are now queried only if "Append domains" is configured for the connection. |
PAM-13361 |
|
The MetaDB import feature reported import errors if broken (unclosed) sessions remained in the database after a restart.
The MetaDB import feature reported import errors if broken (unclosed) sessions remained in the database after a restart. This issue has been fixed. |
PAM-10254 |
The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.
Table 3: General known issues
|
Report generation may fail if a report subchapter references a connection policy that has been deleted previously.
SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.
For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.
This affects scheduled report generation as well. |
Before installing SPS 6.0.11, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:
