
One Identity Safeguard for Privileged Sessions 6.12.0 - Release Notes

Deprecated features

Apache Lucene database

Starting from SPS 7.0 LTS, One Identity plans to modify the search for screen content in session data to use the Elasticsearch database only. The current Apache Lucene database support will be phased out, but the query language will remain Lucene-like.

After the switch to the Elasticsearch database, you will be able to access content stored in an Apache Lucene database only if you regenerate the content with the reindex tool.

Splunk forwarder

The Splunk forwarder is deprecated as of SPS 6.7 and is now removed. One Identity recommends using the universal SIEM forwarder instead.

Resolved issues

NOTE: CVE-2021-44228, also named Log4Shell, is a Remote Code Execution (RCE) class vulnerability. The Apache Log4j library has been updated to version 2.17.1; therefore, SPS is protected against CVE-2021-44228 and against the following related vulnerabilities:

  • CVE-2021-44832

  • CVE-2021-45046

  • CVE-2021-45105

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.12.0
Resolved Issue / Issue ID

Right after the welcome wizard, there was a small time window during which SPS could not log users in.

Login is implemented by multiple services on SPS. Right after the welcome wizard, when SPS showed the login screen, not all the required services were ready. With this fix, the required services are started before the login screen appears.

PAM-15595

Text overflowed when the session had additional metadata, because the whole text was displayed on one line.

The text overflow was fixed by applying line breaks to this field.

PAM-15593

Incorrect copyright notice was displayed on the "About" page.

Copyright notice is fixed on the "About" page.

PAM-15580

The Online Player screen sometimes broke up in SSH terminal sessions.

The Online Player did not display SSH terminal sessions correctly: it inserted a small extra space after each line. This issue has been fixed.

PAM-15553

Configuration synchronization failed when the SNMP v3 agent was in use in the SNMP server local service on the Managed Host nodes.

When the SNMP server local services option was enabled and the SNMP v3 agent was configured on a Managed Host node of an SPS cluster, then that node failed to synchronize configuration from the Central Management node, and an error appeared in the log of the Managed Host node saying: "nnx.unmarshaller.UnmarshalError: Supplying both plain and hashed values is not supported".

PAM-15541

SPP detected SPS as unavailable. The cause was that when SPP checked the "configuration_sync" field of the response from `/api/cluster/status/<node-id>`, SPS had not filled out the "configuration_sync" field for the `central-management` node.

SPS now fills out the "configuration_sync" field for the `central-management` node, reporting it as an `up-to-date` node.

PAM-15404

Elasticsearch translog corruption during reindexing. In the reported customer case, the underlying problem was insufficient memory allocated to the VM.

The retry idle time has been increased to further reduce the possibility of an Elasticsearch translog corruption.

In case of errors, the following configuration values can be used to fine-tune the system:

pam.reindex.mergeableBatchSize = 1000000

pam.reindex.nonMergeableBatchSize = 50000

pam.reindex.retryIdleMinutes = 180

pam.reindex.idleMillis = 1000

PAM-15402

Safeguard for Sudo fails when using the SPS Sudo iolog as a log server.

When Safeguard for Sudo was configured to use the SPS Sudo iolog as a log server, it failed to send logs to SPS. This was caused by the missing 'log_id' field in the ServerMessage sent as a reply to the initial AcceptMessage. This has been fixed: SPS now fills the log_id field with the SPS session ID.

PAM-15378

Unnecessary scrollbar on the side of the pane.

Removed unnecessary scrollbar.

PAM-15331

Downloading SNMP MIB files did not work.

On the SPS web interface, users can download the SNMP MIB files as a .zip file; instead of the .zip file, an error message was shown. This has been fixed and the .zip file can now be downloaded.

PAM-15270

When upgrading SPS, a forced shutdown could result in a PostgreSQL upgrade failure.

Upgrading SPS requires a reboot. If the reboot was forced, or the PostgreSQL service had an extreme amount of write-ahead log (WAL) data to replay, the upgrade could fail. Forced shutdown is not supported; this fix corrects the upgrade path.

PAM-15264

Starting video playback of audit trails may be slower than expected.

On the Search User Interface of Safeguard for Privileged Sessions, you can view the recordings of the sessions (audit trails).

Once you watch an audit trail, the video is cached at the server side. Previously, due to a misconfiguration, the cache did not work properly and allowed roughly one video to be stored in the cache, causing delays when video playback is started for audit trails that have already been watched once.

The cache configuration has been fixed and videos are cached appropriately in order to provide a more fluent playback experience.

PAM-15224

Display detailed information about the SPS-SPP join status.

Detailed information is displayed about the SPS-SPP join status, for example, the IP address of the connected SPP is displayed.

PAM-15216

Show all information in the error message when joining to SPP failed. Show a short description about the error, and make it possible to view the raw error response.

A short description of the error is added, and it is possible now to view the raw error response.

PAM-15194

Due to an unexpected side effect of a change in SPS versions 6.10.0 and 6.0.10, the AWS images were accidentally shipped with a hard-coded node ID. This prevented SPS nodes hosted on AWS from joining a cluster, and the backups and archives of different nodes might have overwritten each other's files.

Amazon images now generate a correct node ID. The problem was fixed by changing the way the initial node ID is generated. Note that the node ID of existing installations is not changed, because changing the node ID drops the node out of its management cluster and makes its previous archives and backups unavailable.

Only Amazon deployments were affected; on every other platform the node ID has always been generated correctly on first boot.

PAM-15192

The SPP fetcher cannot handle SshKey access requests.

The SPP fetcher can now handle SshKey access requests.

PAM-15190

False validation errors in the logs and HTTP responses when there is a GPG public key set for encryption of exported configuration.

False validation errors have been fixed. If there was a GPG public key set to be used for the encryption of exported configuration, then when certain temporary problems occurred, the system could report invalid configuration in the logs, and the web user interface and the REST API could respond with HTTP 500 Internal Server Error. This could happen even if the configuration had not been modified since the last time it was validated. When this error occurred, the system logs would contain the following message: "nnx.unmarshaller.UnmarshalError: Could not load GPG public key; error: The given public key is invalid; path=Path('gpg_public_key')", despite the configured GPG public key being valid.

PAM-15122

A connection policy could be deleted while it was referenced in a subchapter, and the user got no feedback if a report failed because of the missing subchapter. If a report contained such a subchapter, a ComposerException was returned. This exception was present in the log, but no failed report was generated.

This issue has been fixed by replacing the ComposerException with a MissingSubchapter, a subchapter that contains the error message and is added to the generated report.

PAM-15108

Report generation could fail when the report configuration included a custom report logo that had been uploaded on a firmware prior to 6.8.0.

SPS can include a custom report logo on the report cover page. The custom report logo upload mechanism, along with the report configuration UI, changed in the 6.8.0 release.

Due to the change in the logo upload mechanism, report generation with custom report logos uploaded prior to 6.8.0 could fail, because the reporting service did not have permission to read those logos.

This has been fixed and report generation should work with the legacy custom report logos as well.

PAM-15106

The atop service failed to start.

Due to a missing step during the appliance upgrade, the internal atop service unit failed to start after SPS had been upgraded to 6.10.0 from a version later than 6.0.8 or 6.7.0. This error has been fixed.

PAM-15086

Some "I need help" buttons did not work correctly.

These "I need help" buttons pointed to an incorrect URL, so they returned 404 Not Found errors. The links have been corrected and the buttons now work properly.

PAM-15058

The 'items-to-include' input field did not have correct validation.

The validation accepted only values in the open interval (1,10000), that is, it rejected the boundary values 1 and 10000 themselves. The correct validation is the closed interval [1,10000].

PAM-15040

ICA connections could fail, if an application had non-ASCII characters in its title.

If an ICA application contained non-ASCII characters in its title, the connection could fail, and the error message "Unable to convert application name to UTF-8" could appear in the system log. The issue has been fixed, now both UTF-8 and UTF-16 encodings are supported.

PAM-15032

The authentication cache must be updated only when the authentication is not served from the cache.

The authentication cache was updated every time a user was authenticated, including when the authentication was served from the cache. As a result, the soft_limit in effect always equaled the hard_limit.

This issue has been fixed: the cache is now only updated when the authentication is not served from the cache.

PAM-15016
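To make the PAM-15016 behaviour concrete, the following Python simulation is an added illustration, not SPS code; the release notes do not define the two timers, so it assumes that soft_limit counts from the last authentication that actually went to the backend and hard_limit from the creation of the cache entry (both in seconds), and it drives one constructed user through a fixed schedule with an injected clock. The `refresh_on_hit` switch selects the old policy (the entry's soft timer is refreshed on every authentication, cached ones included) or the fixed one.

```python
"""Added illustration (not SPS code) of PAM-15016: an authentication cache
whose entry is refreshed on every authentication, including ones served
from the cache, never lets its soft limit expire before the hard limit.

Assumptions (the release notes do not define the timers): soft_limit is
measured from the last authentication that went to the backend, hard_limit
from the entry's creation; both are seconds; `refresh_on_hit` selects the
old (True) or the fixed (False) update policy.
"""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    created: float       # time of the backend authentication that created the entry
    last_refresh: float  # time the soft_limit is measured from


class AuthCache:
    def __init__(self, soft_limit, hard_limit, backend, refresh_on_hit):
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.backend = backend            # callable(user) -> bool: the real authentication
        self.refresh_on_hit = refresh_on_hit
        self.entries = {}

    def authenticate(self, user, now):
        """Return (success, "cache" or "backend") for an authentication at time `now`."""
        entry = self.entries.get(user)
        if entry is not None:
            expired = (now - entry.created >= self.hard_limit
                       or now - entry.last_refresh >= self.soft_limit)
            if expired:
                del self.entries[user]
            else:
                if self.refresh_on_hit:
                    # Old behaviour: the cache is updated on a cached authentication
                    # too, so the soft timer keeps sliding until the hard limit hits.
                    entry.last_refresh = now
                return True, "cache"
        if not self.backend(user):
            return False, "backend"
        # Fixed behaviour: the entry, and with it the soft timer, is only written here.
        self.entries[user] = CacheEntry(created=now, last_refresh=now)
        return True, "backend"


def backend_auth_times(refresh_on_hit, soft_limit=60, hard_limit=600,
                       step=30, duration=900):
    """Constructed workload: one user authenticates every `step` seconds for
    `duration` seconds. Returns the times at which the backend was consulted."""
    cache = AuthCache(soft_limit, hard_limit, backend=lambda user: True,
                      refresh_on_hit=refresh_on_hit)
    times = []
    for now in range(0, duration + 1, step):
        ok, source = cache.authenticate("alice", now)
        if ok and source == "backend":
            times.append(now)
    return times


if __name__ == "__main__":
    print("old policy, backend consulted at:", backend_auth_times(True))
    print("fixed policy, backend consulted at:", backend_auth_times(False))
```

With a 60-second soft limit and a 600-second hard limit, the old policy consults the backend only at 0 and 600 seconds, so the soft limit has no effect at all; the fixed policy re-authenticates against the backend every 60 seconds as the soft limit intends.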

The encoding settings in the video player were not stored per user or per browser. Only one configuration was saved in local storage, so when another user logged in to SPS, the same configuration was overwritten.

Encoding settings are now stored separately for every user.

PAM-14982

The information pane on the side-sheet covered the action buttons.

With this fix, the main part of the side-sheet is scrollable and does not cover the action buttons.

PAM-14973

Opening and closing the built-in reports side-sheet without any further action emptied the built-in report list.

With this fix, you can view the configuration options, and if there is nothing to change, the original settings are kept and displayed.

PAM-14918

The IP address of the SPP cluster was not visible by default on the cluster page.

The IP address of the SPP cluster is now visible by default on the cluster page.

PAM-14911

The button for terminating iolog sessions was visible on the search UI. Termination of iolog sessions is not supported, and clicking that button caused an error.

Iolog sessions cannot be terminated; the button has been removed from the UI for this session type.

PAM-14612

Limited next hop monitoring feature: next hop monitoring could be configured only for a subset of the available interfaces.

Although the number of interfaces increased in the latest hardware configurations, where the new interfaces can be used for management and/or production network traffic, the next hop monitoring configuration was not extended accordingly.

With this fix, the related configuration user interface elements have been extended to fully support these new network interfaces.

PAM-14564

When a new report was created or an existing one modified, and the user then generated the report, the name of the report was not displayed in the Download page search options.

With this fix, the elements are properly updated, and you can select the newly created or modified report.

PAM-14545

SSH connections using Kerberos based gateway authentication failed when initiated via an SPS which was linked with SPP.

SSH connections using Kerberos based gateway authentication now work when initiated via an SPS which was linked with SPP, but the identity of users must be provided by an LDAP or AD server which is configured properly on both SPS and SPP. Note that the Identity Provider's Name as configured in SPP must match the Kerberos principal's REALM (case insensitively).

PAM-13717

Users are not allowed to modify the IP addresses on the "Create new subchapter" side-sheet.

Users are allowed to modify the IP addresses on the "Create new subchapter" side-sheet.

PAM-13708

Backend validation for 'items-to-include' only checked whether the limit for the maximum number of sessions included in the subchapter was an integer.

Backend validation now also checks that the value set for 'items-to-include' is within the range 1 to 10000, inclusive. Since Elasticsearch can only return 10000 hits at a time by default, a search-based subchapter can contain at most 10000 sessions, so this limit is applied here as well.

PAM-13041

All static assets were cached, which caused caching bugs.

The cache option has been removed from the index.html files.

PAM-12725

If the indexer could not parse a query string, the REST API returned 500 Internal Server Error.

After this fix, if the indexer returns a parse error, the REST API returns 400 InvalidContentQueryInput with the reason "Invalid search expression in content query".

PAM-12616

The N/A field had the same color as the first element of the pie chart.

The pie chart now shows the data with different colors.

PAM-12260

Make it possible to customize the error pages for HTTP connections. If there is no customized error page for HTTP connections, make sure that a redesigned error page is displayed by default.

It is possible now to customize the error pages for HTTP connections. If there is no customized error page for HTTP connections, a new, redesigned error page is displayed by default.

PAM-4784

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: General known issues
Known Issue

In SPS version 6.12.0, users with no decryption keys can access encrypted Sudo iolog sessions and contents.

TLS version 1.3 is not supported when using the inWebo, Okta or One Identity Starling 2FA plugins. To ensure that TLS 1.2 is used by SPS during negotiation, specify the minimum and maximum TLS version as follows:

  • For the minimum TLS version, select TLS version 1.2.

  • For the maximum TLS version, select TLS version 1.3.

For more information, see "Verifying certificates with Certificate Authorities using trust stores" in the Administration Guide.

The accuracy of replaying audit trails in Asian languages (Traditional Chinese, Korean) has been enhanced. Due to this change, when upgrading SPS to version 6.11.0, all your sessions will be reindexed, and while reindexing is in progress, your sessions on the Search interface are incomplete. For this reason, plan your upgrade to SPS 6.11.0 accordingly.

Report generation may fail if a report subchapter references a connection policy that has been deleted previously.

SPS can create reports giving detailed information about connections of every connection policy. For this, the user can add connection subchapters in the Report Configuration Wizard, under Reporting > Create & Manage Reports.

For a successful report generation, the referenced connection policy must exist on the appliance. However, when deleting a connection policy that is referenced as a connection subchapter, the user is not warned that the report subchapter must be removed, otherwise the subsequent report generation will fail.

This affects scheduled report generation as well.

System requirements

Before installing SPS 6.12.0, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
