One Identity Safeguard for Privileged Sessions 6.0.4 - Upgrade Guide

Read the entire document thoroughly before starting the upgrade.

Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 6.0) to a feature release (6.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 7.0) is published.

According to recent cryptographic research, SHA-1 algorithm cannot be trusted as secure anymore, because signatures can be forged with reasonable costs. As a result, SHA-1 algorithm is not supported in SPS for X.509 certificate chains. Starting from SPS versions 6.0.4 and 6.5.0, certificates with SHA1-based signatures are no longer trusted for Active Directory or LDAP authentication, and future versions might refuse to validate SHA-1 signatures altogether.

Note that Root CA certificates may still contain SHA-1 signatures, because the signature is not validated for self-signed certificates. It is expected that other software such as clients and servers connected to SPS might reject SHA-1 signatures in a similar fashion.

Signing CAs in SPS generate certificates with SHA-256 since versions 4.3.4 and 5.0.0.

Make sure to check the value configured in Disk space fill-up prevention before starting the upgrade process. From SPS version 6.0.4, the value range of Disconnect clients when disks are: x percent used field in Basic Settings > Management > Disk space fill up prevention is limited to 50-98 percent. If your configured value is outside this range, you cannot start upgrading.

If you are authenticating your SPS users to an LDAP/Active Directory server, make sure that the response timeout of the LDAP/Active Directory server is at least 120 seconds.

• X.509 host certificates are not supported, the related options have been removed from the product. One Identity recommends using public keys instead.

• DSA keys are not supported, the related options have been removed from the product. One Identity recommends using RSA keys instead.

• The log ingestion feature of SPS has been removed from the product.

• Support for the Lieberman ERPM credential store has been deprecated, this feature will be removed from the upcoming One Identity Safeguard for Privileged Sessions (SPS) 6 LTS release. One Identity recommends to use Safeguard for Privileged Passwords instead. For details, contact our Sales Team.

Due to a change in the underlying database, the upgrade process removes all risk scores generated earlier by One Identity Safeguard for Privileged Analytics. Sessions initiated after the upgrade will be scored again.

• SSLv3 encryption is not supported in SPS version 5.10 and later. This has the following effects:

  • You cannot configure SPS if your browser does not support at least TLSv1.

  • If you are auditing HTTP, Telnet or VNC sessions that use TLS encryption, the client- and server applications must support at least TLSv1.

• Support for X.509 host certificates is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using public keys instead.

• Support for DSA keys is deprecated. This feature will be removed from SPS version 6 LTS (6.0). One Identity recommends using RSA keys instead.

As part of the upgrade, SPS upgrades its session database. This involves the following processes:

• The first phase of the upgrade happens before SPS boots up and takes about 10-20 minutes. During this time, no production traffic goes through SPS, and SPS functionality is inaccessible. Rebooting or shutting down SPS at this stage of the upgrade may result in data loss. You can check the status of the upgrade process through either the console or the boot-time HTTP server, which allows you to view boot console log messages through your browser.

• Depending on the size of the session database, the second phase can take several days or even weeks to finish. You can check the status of the upgrade process through the System Monitor on the web interface of SPS.

  This second phase of the upgrade is running in the background and consumes minimal resources. All functionality of SPS is accessible and SPS works as normal. The only limitation during this phase is that the session database used when searching on the REST API and the new Search interface is incomplete. The upgrade process starts with the most recent sessions and works its way backward in time until it reaches the oldest sessions. The classic search is unaffected.

If there are any errors during the upgrade, contact our Support Team.

Following the upgrade, support for less than 1024-bit SSH keys is lost.

One Identity Safeguard for Privileged Sessions (SPS) 5 F4 and later versions use a new encryption algorithm to encrypt the recorded audit trails (AES128-GCM). This change has the following effects:

• If you are using external indexers to index your audit trails, you must upgrade them to the latest version. Earlier versions will not be able to index encrypted audit trails recorded with SPS 5 F4 and later.

• To replay an encrypted audit trail recorded with SPS 5 F4 or later, you can use the latest version of the Safeguard Desktop Player application, or the browser-based player of SPS. You cannot replay such audit trails using earlier versions of Safeguard Desktop Player, nor any version of the Audit Player application.

It is no longer possible to search for screen contents indexed by the old Audit Player on the new search UI and the REST interface. Searching in session metadata (such as IP addresses and usernames) and in extracted events (such as executed commands and window titles that appeared on the screen) remains possible.

As the old Audit Player was replaced and deprecated as an indexing tool during the 4.x versions, this should only affect very old sessions. Sessions that were processed by the new indexing service will work perfectly. If you wish to do screen content searches in historical sessions, contact our Support Team.

The Basic Settings > Local Services > Required minimum version of encryption protocol option is removed as of One Identity Safeguard for Privileged Sessions (SPS) version 5.8.0.

Regardless of the TLS version you configured previously, SPS will uniformly use TLS version 1.2.

This change might have the effect that using old (likely unsupported) browsers, it will not be possible to access the web interface of SPS.

Command detection and window title detection in content policies have changed and they are case-insensitive as of One Identity Safeguard for Privileged Sessions (SPS) version 5.8.0. In earlier versions, both used to be case-sensitive.

You can now use an Authentication Policy with GSSAPI and a Usermapping Policy in SSH connections. When an SSH Connection Policy uses an Authentication Policy with GSSAPI, and a Usermapping Policy, then SPS stores the user principal as the Gateway username, and the username used on the target as the Server username.

Note that this change has the following side effect: when using an Authentication Policy with GSSAPI, earlier versions of SPS used the client-username@REALM username to authenticate on the target server. Starting with version 5.9.0, it uses the client-username as username. Configure your servers accordingly, or configure a Usermapping Policy for your SSH connections in SPS.

Physical SPS appliances based on Pyramid hardware are not supported in 5 F1 and later releases. Do not upgrade to 5 F1 or later on a Pyramid-based hardware. The last supported release for this hardware is 5 LTS, which is a long-term supported release.

If you have purchased SPS before August, 2014 and have not received a replacement hardware since then, you have Pyramid hardware, so do not upgrade to SPS 5 F1 or later. If you have purchased SPS after August 2014, you can upgrade to 5 F1.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

1. Login to SPS.

2. Navigate to Basic Settings > Troubleshooting > Create support bundle, click Create support bundle, and save the file.

3. Open a ticket at https://support.oneidentity.com/create-service-request/.

4. Upload the file you downloaded from SPS in Step 1.

5. We will check the type of your hardware and notify you.