
One Identity Safeguard for Privileged Sessions 6.10.0 - Release Notes

Deprecated features

RPC API

The RPC API has been deprecated and removed. One Identity recommends using the REST API instead.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.10.0
Resolved Issue Issue ID

Session Details > Timeline tab error for HTTP session type

Previously there was an error for the HTTP session type on the Session Details > Timeline tab and the session was not archived. This has been fixed.

PAM-14531

Disk full alerting not working

Disk full alerting was not working. The relevant sub-tree was missing from the SNMP message. This has been fixed.

PAM-14278

A lock file created during system backups could have incorrect permissions, preventing certain configuration options from functioning properly.

A scheduled backup policy could have created the lock file /opt/scb/var/lock/xml with incorrect permissions, preventing users from creating connection policies and committing (unless the lock was removed manually). This lock is now created with the proper permissions.

PAM-14081

SSH public key gateway authentication without a user mapping policy does not work

Performing public key-based gateway authentication with SPS without a user mapping policy configured worked only if a gateway username was explicitly set in the username on the SSH client.

This has been fixed.

PAM-14694

If there was a proxy malfunction, the sessions were left open until the next reboot

If a proxy component crashed, some sessions got stuck in the active state on the auditor portal and did not close until SPS was restarted. This issue has been fixed.

PAM-14178

RDP connections through SPS fail to authenticate with target user names present in multiple domains

SPS did not forward the domain name information properly when authenticating to remote desktop servers with Network Level Authentication.

This caused connection issues if the username did not uniquely identify a target user. This issue has been fixed.

PAM-14493

Resolving SPS IP address in content subchapter configuration has been fixed

To display links to sessions recorded by SPS in reports, the IP address of the SPS appliance has to be resolved and presented in the content subchapter configuration.

Previously, it was always the physical address of the default network interface (eth0) that was used as the IP address of SPS, which in rare cases, when a customer configured and used another network interface to access SPS, caused an error during the presentation of the subchapter configuration.

This issue has been fixed by using the first available SPS IP address from Basic Settings > Local Services > Web Login (Admin and User), which always points to a valid and usable IP address.

PAM-14500

Backward compatibility issue in custom subchapter configuration change has been fixed

To display tables without row numbers in SPS reports, the custom subchapter configuration had to be modified. This modification added a new chart type for tables without row numbers. However, backward compatibility with older subchapter configurations was not addressed properly, which caused an error during firmware upgrade.

This has been fixed and previously created subchapter configurations can be used as well.

PAM-14495

Selecting the WebSocket channel type in an HTTP channel policy threw an error

When the WebSocket channel type was selected in an HTTP channel policy, the "Could not create template" error message was displayed. This has been fixed.

PAM-14530

Downloading a certificate or key in DER format could provide an unparsable file for some certificates and keys

When a certificate or key was downloaded from the Web interface in DER format and the resulting binary blob ended with bytes that could be interpreted as ASCII whitespace or NULL (0x00, 0x09, 0x0a, 0x0b, 0x0d, 0x20), then those bytes were truncated, resulting in an invalid file. This has been fixed.

PAM-14227

The Report subchapter could not be saved

The report creation has a different UI now for creating subchapters and the subchapter can be saved.

PAM-12420

Fixing the channel selector before playing the video file

With the new online/browser player, the channel selector has been fixed.

PAM-9849

When creating a new subchapter from the Reporting page, pressing ESC closed all the side-sheets

This is now handled correctly: only the top-most side-sheet is closed, not all of them.

PAM-13069

Previously, sometimes the Play/Pause functionality got into an endless loop in the Onbox/Browser player and could not play the video file

The play and pause functionality of the Browser/Onbox player has been fixed.

PAM-8062

With a locked private keystore, the 'Start rendering' button was not displayed

After the browser/onbox enhancement, it is not necessary to render videos.

PAM-11023

There was a rare scenario, where notification and Python threads could cause a deadlock

There was a rare scenario where a deadlock could happen, involving the notification thread and Python's global interpreter lock (GIL). The issue has been fixed by holding the GIL only for the minimum required duration during a critical part, and by breaking the dependency that caused the potential deadlock.

PAM-13544

The link at the end of the search walkthrough pointed to a non-existing URL

Now the link is fixed, so it points to the correct URL.

PAM-12534

The RDP security protocol and encryption method negotiation is not logged

When an RDP connection succeeded, or failed due to security protocol or encryption method negotiation failure, it was hard to determine what protocol was selected or tried, and what caused the negotiation failure.

This has been fixed. Now, every RDP connection emits a log line containing information about the security protocols, and, if the legacy standard RDP security is used, a log line is emitted also about the encryption methods.

PAM-12535

SWAP monitoring could send false alarms through email and/or SNMP for appliances where no SWAP was configured, mostly affecting virtual machine-based SPS appliances

Due to an upstream bug, SNMP monitoring in rare cases sent out false alarms each time the appliance was restarted or the monitoring-related configuration was changed. This only happened when the SWAP available on the system was 0 bytes (SWAP was disabled) and that value was compared to the available amount. The upstream bug was in the comparison of these values: the alert was sent out when the values were equal, not only when the available SWAP was below the configured threshold.

PAM-13156

In Basic Settings > Trust Stores, CA certificates with EC keys / ECDSA signing algorithm were not supported

The Key Upload component previously did not support certificates using the ECC signing algorithm. This has been fixed.

PAM-14003

The copyright date was 2020

The copyright date has been updated to 2021.

PAM-14066

The user was unable to create a new content-based subchapter from the Reporting page

The user is now able to edit or create a new content-based subchapter. This issue was caused by an open issue from Microsoft & IE11.

PAM-14069

LDAP-based authentication did not work after an LDAP server issue

If an LDAP server that SPS was trying to authenticate with returned errors, the LDAP client in SPS got stuck in an error state in which no LDAP operations were possible. As a workaround, the ldapservice.service unit was restarted.

This issue has been fixed.

PAM-14160

The timeline and sankey chart did not show any data

With this fix, the data is displayed correctly and updated on every search.

PAM-14093

The hardware usage charts did not display any information

With this fix, the hardware charts display the corresponding data, which is updated periodically.

PAM-14104
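For the DER download issue above (PAM-14227), a file exported by an affected version can be checked by comparing the length declared in its outer DER header with the number of bytes actually present. The following is an added example, not One Identity code; the function names are hypothetical, the sample blob is constructed, and modelling the bug as a strip of the listed byte values is an assumption based on the description.

```python
# Added example: detect a DER file whose tail was stripped (PAM-14227).
STRIPPED = b"\x00\x09\x0a\x0b\x0d\x20"  # byte values listed in the release note


def der_declared_size(blob: bytes) -> int:
    """Return the total size (header + content) declared by the outer DER TLV."""
    if len(blob) < 2:
        raise ValueError("too short for a DER header")
    if blob[0] & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    first = blob[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized length is not valid DER here")
    if len(blob) < 2 + n:
        raise ValueError("header itself is truncated")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_der(blob: bytes) -> str:
    """Classify a downloaded file as 'ok', 'truncated' or 'trailing-data'."""
    declared = der_declared_size(blob)
    if len(blob) == declared:
        return "ok"
    return "truncated" if len(blob) < declared else "trailing-data"


def missing_bytes(blob: bytes) -> int:
    """Number of bytes the header promises but the file does not contain."""
    return max(der_declared_size(blob) - len(blob), 0)


def make_sample() -> bytes:
    """Constructed sample: SEQUENCE { INTEGER 1, OCTET STRING ending 0a 20 00 }."""
    body = b"\x02\x01\x01" + b"\x04\x06" + b"\x11\x22\x33\x0a\x20\x00"
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    good = make_sample()
    bad = good.rstrip(STRIPPED)           # assumed model of the truncation
    print(check_der(good), check_der(bad), missing_bytes(bad))
```

The check only validates the outermost length, so it flags the truncation described here but does not prove that the inner structure is a valid certificate or key.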

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: General known issues
Known Issue

CAUTION: If you are using SHA1 (Secure Hash Algorithm 1) signed certificates, SPS does not allow Remote Desktop Protocol (RDP) connections to Windows Servers.

Use the Microsoft Management Console (MMC) to verify your certificate:

  • If Remote Desktop Services (RDS) uses a self-signed certificate, make sure that you update your system to the latest patch level, then delete the certificate and restart the Remote Desktop Configuration service in order to re-generate the self-signed certificate.

  • If RDS is using a certificate imported from a Public Key Infrastructure (PKI), contact your PKI admin for a new SHA256 certificate.

If you have an SPS cluster with an SPP and SPS search minions linked, session termination in follow mode by Safeguard Desktop Player initiated from the SPP Activity Center will show an Invalid JSON response error message for sessions proxied through search minions. Also, an Access Request Session Failure error will be logged on the SPP-side.

You can ignore this error because connection termination always takes place immediately.

If your SPS is linked to SPP, and you have two search minion nodes on SPS, and one node has a regular license while the other node has a license only for Sudo iolog, an SPP initiated RDP connection might fail if SPP connects to a search minion node that has no valid license to run the RDP proxy.

If you have upgraded your SPS from 4 LTS to the latest 6.10.0 version, you cannot use the Sudo iolog feature in SPS.

System requirements

Before installing SPS 6.10.0, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
