
One Identity Safeguard for Privileged Sessions 6.6.1 - Release Notes

Deprecated features

Arguments of Authentication and Authorization and Credential Store plugins that begin with target_ have been deprecated

These arguments were deprecated because the target_host or target_server arguments either contained a hostname or an IP address.

New arguments have been added to the Authentication and Authorization and Credential Store plugins to replace the deprecated arguments. The new argument names explicitly define the values they contain. That is, a server_ip argument will always contain an IP address, and a server_hostname argument will always contain a hostname.

The deprecated arguments are the following:

Authentication and Authorization plugin: get_password_list and get_private_key_list input arguments:

  • target_username

  • target_host

  • target_port

  • target_domain

Credential Store plugin: authorize method:

  • target_server

  • target_port

  • target_username

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.6.1
Resolved Issue Issue ID

Source Network Address Translation not working

A change introduced in version 6.5.0 inadvertently broke the SNAT feature for connections. It was partially fixed in version 6.6.0, but that fix did not work for certain source and target network combinations. The patch is now complete and the feature works properly again.

PAM-12357

Table 2: General resolved issues in release 6.6.0
Resolved Issue Issue ID

Private key generation is broken for local Credential Stores

After generating an RSA key for a local Credential Store, committing the change failed with the following error message: 'Connection failed. Server is inaccessible, shut down, or not servicing requests.'

This has been corrected.

PAM-12104

SPS installation on Azure VM made the firmware tainted

The walinuxagent service, which must run on Azure instances, creates files at runtime, and this made the firmware tainted. These files have been added to the tainted whitelist.

This has been corrected.

PAM-12090

Two active menu items at the same time

When opening a menu item and then another menu item while the previous is loading, two menu items appear active at the same time.

This has been corrected.

PAM-12028

Fixed content search in case session indexed state

For sessions with a full indexing policy that contained lots of screen content, the indexing process took so long that the user was able to issue a content search, either via REST or the UI, while it was still running.

As a result, an internal server error was returned, because in these scenarios the content file had not yet been written to disk and could not be opened for content search.

This has been corrected.

PAM-12022

Save hashed PSK value in support bundle

In order to diagnose clustering issues, it is important to verify that the cluster members share the same IPSec pre-shared keys, but this was impossible, because the values were masked out. Following this change, the generated PSK tokens of the configuration are replaced by their SHA256 hash value. This means that the comparison can be performed while the actual values still remain secret.

PAM-11976
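
The comparison this change enables, as an added example (not SPS code): each PSK value is replaced by its SHA-256 digest and the cluster nodes are then grouped by digest. The `psk = "..."` config syntax, the node names and the key values are constructed for this example; the real support bundle layout is not shown on this page.

```python
import hashlib
import re
from collections import defaultdict

# Constructed config syntax for this example only (assumption, see lead-in).
PSK_LINE = re.compile(r'^(?P<prefix>[ \t]*psk[ \t]*=[ \t]*)"(?P<secret>[^"]*)"[ \t]*$',
                      re.MULTILINE)
HASHED_PSK = re.compile(r'"sha256:([0-9a-f]{64})"')


def sha256_hex(secret):
    """Hex SHA-256 digest of a PSK string."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def redact_psk(config_text):
    """Replace every PSK value with its digest, so the secret never leaves the node."""
    def repl(match):
        return '%s"sha256:%s"' % (match.group("prefix"), sha256_hex(match.group("secret")))
    return PSK_LINE.sub(repl, config_text)


def group_nodes_by_psk(redacted_bundles):
    """Group node names by the set of PSK digests found in their redacted config.

    Returns a list of groups, largest first; more than one group means that
    the cluster members do not share the same pre-shared keys.
    """
    groups = defaultdict(list)
    for node, redacted in redacted_bundles.items():
        digests = tuple(sorted(HASHED_PSK.findall(redacted)))
        groups[digests].append(node)
    return sorted(groups.values(), key=len, reverse=True)


# Constructed sample configurations; node-c carries a different key.
NODE_CONFIGS = {
    "node-a": 'peer = 192.0.2.11\npsk = "CONSTRUCTED-PSK-TOKEN-1"\n',
    "node-b": 'peer = 192.0.2.12\npsk = "CONSTRUCTED-PSK-TOKEN-1"\n',
    "node-c": 'peer = 192.0.2.13\npsk = "CONSTRUCTED-PSK-TOKEN-2"\n',
}

if __name__ == "__main__":
    bundles = {node: redact_psk(cfg) for node, cfg in NODE_CONFIGS.items()}
    for group in group_nodes_by_psk(bundles):
        print("same PSK digest:", ", ".join(group))
```

Comparing plain digests keeps the values secret only because the PSK tokens are generated; a short, guessable key could be recovered from its unsalted hash by offline guessing.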

Give user hints in case of service or minion unavailability during content search

When searching content for a session that was recorded on a minion node in a cluster environment, if the minion node was unavailable, the content search failed with an error and the user did not get any feedback about the underlying cause.

The user now also receives information if the minion node is available but the content service is not running.

PAM-11961

Audit Data Access menu element was not filtered with the right permission.

The Audit Data Access menu was always visible to the user even if permission settings did not allow this.

This has been corrected.

PAM-11897

When the user opens a session with an invalid sessionID the user has been redirected to the 404 Not found page.

If an invalid session id was given, the search page did not open the details tab, instead the user was informed about the invalid sessionID parameter.

This has been corrected.

PAM-11859

Wrong value in fields caused error in dynamic report generation

Dynamic report generation could have run into an error if the query field tried to use an invalid value. It has been fixed.

PAM-11844

On the About page, the system monitor charts now use GB for displaying data and now include legends for additional info.

Each system monitor chart now displays the current, total, used and free amount of relevant data. The legends and presentation use unified number and amount presentation (2 digits and GB).

PAM-11836

For a session that started and finished on different days but did not last longer than 24 hours, only the start date was present.

If a session is not longer than 24 hours, but starts and ends on different days, now both the start and end dates are displayed on the search page.

PAM-11806

Errors not shown on Audit data access rules input fields

Validation errors were not shown correctly on Audit data access rules input fields. This has been corrected.

PAM-11785

Under Appliance Access rename the AAA to Users & Access Control

After the Users & Access Control menu item rename, the Appliance Access menu still displayed the old naming convention. This has been corrected.

PAM-11774

Text changes to clarify the page's goal.

The Audit data access page contained typos. This has been corrected and the descriptions are now more clear.

PAM-11773

Update the menu names that have changed in the last release.

The AAA menu has changed to Users & Access Control in the last release, however, only Users & Access was visible. This has been corrected and Users & Access Control is now displayed.

PAM-11772

Audit data access rules look editable when the user does not have permission

Audit data access rules looked editable when the user had only read permission. However, this was only a visual bug and the server still checked permissions when the user wanted to edit rules.

This has been corrected and we created a read-only view for the Audit data access rules manage page.

PAM-11763

Brackets were removed from around IPv6 addresses by the HTTP proxy in headers

The HTTP proxy removed the brackets from around IPv6 addresses in relayed HTTP headers, e.g. "Host: [2001:db8::]" became "Host: 2001:db8::1", which caused problems on the server side. This has been fixed and such headers are now relayed properly.

PAM-11758

Traceroute: switch to ICMP

Traceroute utility traditionally defaults to UDP probe packets, but such packets are likely to be filtered out by firewalls, even between SPS cluster nodes. It is expected that ICMP probes are more tolerated on networks, thus Troubleshooting > Traceroute has been changed to use ICMP instead of UDP.

PAM-11755

Missing validation for RDP connections when NLA is enabled but TLS is not.

When SPS was configured to use Network Level Authentication in an RDP connection, but Legacy RDP Security Layer was selected for that connection, then no connection could be established. A traceback was written to the system log.

This has been fixed, SPS now validates that a connection for which NLA is enabled also has TLS Transport Security selected.

PAM-11753

AA plugin "authorize" hook receives wrong domain name if autologon suffix is in use

The "authorize" hook of the AA plugin received the domain name with the autologon suffix left in place. This has been corrected.

PAM-11748

Starting up and shutting down logs are transferred from boot journal to core firmware logs

There were many cases when logs were not transferred from the boot journal store to the core firmware. In those cases, the network-related issues were not transferred. This has been corrected. Starting up and shutting down logs are transferred from the boot journal to the core firmware logs. This makes investigation easier, because all the logs are in one place and these logs are stored for a longer time.

PAM-11738

Error messages appear in HTTP proxy logs when Authorization headers are not valid base64 encoded data

Our HTTP proxy tried to decode the Authorization header and if it could not, it logged an error because there was an error with the encoding. These log messages could be misleading as such headers happen frequently, so they were disabled.

PAM-11713

Fixed the hardware charts under the About page

Previously only the relative amount of memory was displayed on the About page > hardware charts. This has been corrected and the user can see the current, total, user and free values for each chart converted and displayed in GB.

PAM-11705

Restore the version number and the hostname to the header.

In previous versions of SPS, the version number and host name were removed from the header. This has been corrected and the version and the host name are now displayed on the header.

PAM-11704

When an audit trail was missing from the SPS, all further archiving processes failed

When an audit trail was missing from SPS, all further archiving processes failed. This has been corrected and the archiving will continue to the next audit trail file, and SPS records the error in the local database.

PAM-11700

The firmware manipulation via console (core-shell) with firmwarectl synchronizes the firmware to the HA pair node.

The firmwarectl console tool, which can be called on the core-shell, did not synchronize the firmware to the other HA node which caused firmware version mismatch in case of a failover.

From now on, firmwarectl synchronizes the firmware to the other HA node just like the Basic Settings > High Availability page on the web UI does.

PAM-11642

The copyright end date always should present the shipped years.

The copyright date showed the actual year instead of the shipped years. This has been corrected.

PAM-11620

Displaying the login page triggers General error (xcbError) SNMP or email alert

When the login page was loaded in a browser, then a background request attempted to access a resource which mistakenly required an already authenticated user. If the General error (xcbError) alert was enabled on the Basic Settings / Alerting & Monitoring page, then this condition triggered sending SNMP or email alerts. This has been fixed.

PAM-11597

High memory consumption related to the indexer-jobgenerator service with sessions containing lots of channels

The jobgenerator service now handles channel related messages which are not required to store in memory anymore.

PAM-11513

No warning is displayed when navigating away from a modified page without commit.

Even when the "Warn when unsaved changes may be lost" option in the preferences was checked, no warning was displayed when navigating away from a modified page without commit. This has been corrected.

PAM-11307

Allow additional text in PEM files for ED25519 private keys

RFC7468 requires parsers to tolerate additional data in PEM files, however, earlier versions of Safeguard for Privileged Sessions rejected ED25519 private keys with an error message. This has been corrected and additional data (such as certificates or lines of text) in the PEM files are ignored for both PKCS#8 and OpenSSH formatted keys.

PAM-11236
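
The tolerant parsing described above, as an added example (not SPS code): only text between matching BEGIN/END boundaries is decoded, and certificates or free text around the key are ignored. The sample key material is constructed, and rejecting a file with more than one private key is a policy choice of this example, not something the page states.

```python
import base64
import re

# Labels of the two private key encodings named in the release note.
PRIVATE_LABELS = {"PRIVATE KEY": "pkcs8", "OPENSSH PRIVATE KEY": "openssh"}
OPENSSH_MAGIC = b"openssh-key-v1\x00"
ED25519_OID = bytes.fromhex("06032b6570")  # DER encoding of OID 1.3.101.112

# One encapsulated block; anything outside such blocks is never inspected.
BLOCK_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z0-9 ]+)-----[ \t]*\r?\n"
    r"(?P<body>.*?)"
    r"^-----END (?P=label)-----[ \t]*\r?$",
    re.DOTALL | re.MULTILINE,
)


def pem_blocks(text):
    """Yield (label, base64 text with whitespace removed) for each block."""
    for match in BLOCK_RE.finditer(text):
        yield match.group("label"), "".join(match.group("body").split())


def find_private_key(text):
    """Return (format, decoded bytes) of the single private key in a PEM file."""
    found = []
    for label, b64 in pem_blocks(text):
        fmt = PRIVATE_LABELS.get(label)
        if fmt is None:
            continue  # certificates and other labels are additional data
        data = base64.b64decode(b64, validate=True)  # ValueError on bad base64
        if fmt == "openssh" and not data.startswith(OPENSSH_MAGIC):
            raise ValueError("OPENSSH PRIVATE KEY block lacks the openssh-key-v1 magic")
        found.append((fmt, data))
    if len(found) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(found))
    return found[0]


def armor(label, data):
    """Wrap bytes in PEM encapsulation boundaries with 64-character lines."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample material: a PKCS#8 Ed25519 structure around a dummy seed
# (bytes 0..31), and placeholder blobs that are not complete keys or certificates.
SAMPLE_PKCS8_DER = bytes.fromhex("302e020100300506032b657004220420") + bytes(range(32))
SAMPLE_OPENSSH_BLOB = OPENSSH_MAGIC + b"constructed placeholder, not a full key"
SAMPLE_CERT = b"constructed placeholder certificate bytes"


def sample_file(key_label, key_data):
    """Build a PEM file with attribute text, a certificate and trailing text."""
    return ("Bag Attributes\n    friendlyName: constructed sample\n"
            + armor("CERTIFICATE", SAMPLE_CERT)
            + "free text between the blocks\n"
            + armor(key_label, key_data)
            + "trailing comment line\n")


if __name__ == "__main__":
    for label, data in (("PRIVATE KEY", SAMPLE_PKCS8_DER),
                        ("OPENSSH PRIVATE KEY", SAMPLE_OPENSSH_BLOB)):
        fmt, key = find_private_key(sample_file(label, data))
        print(fmt, len(key), "bytes")
```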

Multiple IPv4 addresses on the network interface which is assigned to clustering can break cluster node communication if other than the first one is used for clustering

Assigning multiple IPv4 addresses to the network interface which is used for clustering, and using other than the first one for secure communication between the cluster nodes results in a non-working configuration. Configuration validation has been extended with checks which prevent saving such configuration.

PAM-11047

HA IP negotiation fails when more than two SPS hosts are accessible on the HA interface

When more than two SPS instances are accessible through the HA interface, the third host cannot obtain a valid HA IP address as the other two addresses are already taken. As this is not a supported way of working, a warning message is now shown to the user on the console.

PAM-10916

Remove Go back button from Reporting page, because it causes inconsistency.

The Go back button on the reporting page of the auditor portal navigated to the wrong place. This has been corrected.

PAM-10715

On the search UI, click-to-search and manual time selection interfered with each other.

Previously you were able to select incorrect date ranges on the Search interface. This has been corrected.

PAM-10513

Some browsers did not show submenus correctly.

Some browsers did not show submenus correctly. This has been corrected.

PAM-10430

Events with really long name could overlap with different areas on the search detail page.

Events with really long name could overlap with different areas on the search detail page. This has been corrected and long names now break into multiple lines.

PAM-10328

On the HTTP session's detailed page, the terminate button appeared, but it should not have.

On the HTTP session's detailed page, the terminate button has been removed due to technical limitations.

PAM-10280

On the search page, the errors of the search query and the timeline were not synchronized.

When the search query was invalid, the timeline showed an error message. This has been corrected.

PAM-10269

The logout countdown timer is not refreshed

The logout countdown did not show time correctly. This has been corrected.

PAM-10036

Quick statistics cannot show the whole server hostname

Quick statistics did not show longer domain names. This has been corrected and now if you move the cursor over the domain name, it shows the whole domain name.

PAM-9999

A session with too many events wasn't properly displayed on search.

Sessions with more than 10.000 events produced strange UI behavior, and after the first 1000 pages, empty pages were displayed. This has been corrected and now the empty pages are not displayed.

PAM-9360

On the search page, the search bar did not get focus on load.

This has been corrected and now the search bar gets the focus.

PAM-9179

New sessions notification bell sometimes appears with the wrong number

The new sessions notification bell, which tells how many new sessions have been added to the list, sometimes appeared with the wrong number.

This has been corrected and we cut down the chance of occurrence.

PAM-8235

Unnecessary expiration warnings for indexer decryption key certificates

The decryption keys and the certificates that belong to them, used by the internal indexer to process encrypted audit trails, may still be needed in the configuration in order to access older audit data, long after the certificate itself is expired. Due to this, the expiration of these certificates will no longer trigger configuration validation warnings.

PAM-7653

Fix referenced subchapter delete

Under the Search Subchapters menu, the subchapter delete functionality was not correct previously. This has been corrected.

PAM-5979

In IE11, the first row of the search result list had a time column with misaligned values.

In IE11, the first row of the search result list had a time column with misaligned values. This has been corrected.

PAM-4613

Table 3: General resolved issues in release 6.5.0
Resolved Issue Issue ID

SSH connections may not be denied when the server host key algorithm changes and the server host key check method is set to "Accept key for the first time".

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Accept key for the first time" in "SSH Control > Connections > Server side host key settings > Plain host key check" and SPS already stored a trusted key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported only the "ssh-ed25519" host key algorithm, then the connection succeeded, even though it should have been rejected.

The cause of this error was that SPS and the server negotiated "ssh-ed25519" as the host key algorithm, but since no "ssh-ed25519" host key was stored in SPS yet, it proceeded to learn the new "ssh-ed25519" key. This could have been used by a rogue server impersonating a legitimate server, to trick SPS into accepting a connection by offering a host key algorithm that the legitimate server did not offer.

This has been fixed, SPS now only offers those host key algorithms for which it already has a trusted key. It only offers all host key algorithms when no trusted host key is stored yet for the target server.

PAM-11685

SSH connections may fail when the server side host key check method is set to "Only accept trusted keys"

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Only accept trusted keys" in "SSH Control > Connections > Server side host key settings > Plain host key check" and SPS has already stored a correct trusted server host key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported both the "ssh-ed25519" and the "ssh-rsa" host key algorithms, then the connection failed, even though it should have succeeded.

The cause of the connection failure was that SPS and the server negotiated the "ssh-ed25519" host key algorithm, not "ssh-rsa", but no trusted "ssh-ed25519" host key was stored.

This has been fixed, SPS now only offers to the server those host key algorithms that it already stores a trusted host key for. When the host key check method is set to "Accept key for the first time", and no host key is stored yet, all algorithms are offered. This allows learning a preferred host key.

PAM-11531
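
Both host key issues above (PAM-11685 and PAM-11531) come down to which algorithms are offered to the server, so one added example covers them. It is a simplified model, not SPS code: the algorithm list, its order, the key values and the rule "first offered algorithm the server also supports" are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed preference order; a real client's list is longer.
ALL_ALGORITHMS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]

ACCEPT_FIRST_TIME = "Accept key for the first time"
ONLY_TRUSTED = "Only accept trusted keys"


@dataclass
class Result:
    accepted: bool
    algorithm: Optional[str]
    reason: str
    trusted_after: dict


def offered_algorithms(trusted, fixed=True):
    """Host key algorithms offered to the server.

    fixed=False models the old behaviour (always offer everything).
    fixed=True offers only algorithms that already have a trusted key, and
    everything only when no trusted key is stored for the server yet.
    """
    if not fixed:
        return list(ALL_ALGORITHMS)
    pinned = [alg for alg in ALL_ALGORITHMS if alg in trusted]
    return pinned if pinned else list(ALL_ALGORITHMS)


def connect(trusted, server_keys, method, fixed=True):
    """Model one server-side connection attempt.

    trusted:     {algorithm: key} stored for this server
    server_keys: {algorithm: key} the server is able to present
    """
    store = dict(trusted)  # work on a copy, the caller's store is untouched
    offer = offered_algorithms(store, fixed)
    alg = next((a for a in offer if a in server_keys), None)
    if alg is None:
        return Result(False, None, "no common host key algorithm", store)
    presented = server_keys[alg]
    if alg in store:
        ok = store[alg] == presented
        return Result(ok, alg, "trusted key matches" if ok else "host key mismatch", store)
    if method == ACCEPT_FIRST_TIME:
        store[alg] = presented  # no key of this type yet, so it is learned
        return Result(True, alg, "learned new host key", store)
    return Result(False, alg, "no trusted key of this type", store)


# Constructed sample data.
STORED = {"ssh-rsa": "RSA-KEY-OF-LEGITIMATE-SERVER"}
IMPERSONATOR = {"ssh-ed25519": "ED25519-KEY-OF-OTHER-HOST"}
LEGITIMATE_DUAL = {"ssh-ed25519": "ED25519-KEY-OF-LEGITIMATE-SERVER",
                   "ssh-rsa": "RSA-KEY-OF-LEGITIMATE-SERVER"}

if __name__ == "__main__":
    cases = [
        ("PAM-11685", STORED, IMPERSONATOR, ACCEPT_FIRST_TIME),
        ("PAM-11531", STORED, LEGITIMATE_DUAL, ONLY_TRUSTED),
        ("first contact", {}, LEGITIMATE_DUAL, ACCEPT_FIRST_TIME),
    ]
    for name, trusted, server, method in cases:
        for fixed in (False, True):
            r = connect(trusted, server, method, fixed)
            print(name, "fixed" if fixed else "old", r.accepted, r.algorithm, r.reason)
```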

View log files > Tail window remains open even after the administrator has logged out.

The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator has logged out of their session. This has been corrected. Note that the window displaying the past log messages remains open even after logging out of the session.

PAM-11510

Missing timestamps in audit trails and "Error connecting TSA" messages in the logs.

A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed.

PAM-11391

Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster.

Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster.

PAM-11390

From now on, Chrome on a newer version of macOS accepts the certificate generated by SPS.

macOS has tightened its certificate policies, and the certificate generated by SPS was not compliant with them. In Chrome, one could not turn off the warnings about the invalid certificate, rendering users unable to configure SPS for the first time.

During initial configuration (or later) one could upload a custom server certificate of course, but the browser did not allow the user to reach SPS to configure it.

The newly generated cert has the following additional properties:

  • validity is 800 days long;
  • extendedKeyUsage has been specified,

which makes it compliant with the recent Chrome+macOS combination.

PAM-11122

Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware)

During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration. This has now been fixed and these events are no longer generated.

PAM-10771

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

PAM-10316

A systemd service (proc-sys-fs-binfmt_misc.mount) failed to start at boot.

The proc-sys-fs-binfmt_misc.mount unit failed to start at boot. This generated alerts for the customer which resulted in SNMP trap or email, depending on the configuration. The service now starts at boot.

PAM-9935

In case of high amount of information, paginated data storage solution was implemented, but not used by the indexer tool.

To prevent overloading the database operations, data storage, for example, screen content storage during information collection from audit trail now works in an optimized way.

PAM-11523

When high amount of audit trails were stored on the disk, a process could cause performance issues during upgrade, HA takeover or boot.

After this fix this process will run only once.

PAM-11618

Under the "Reporting > Search subchapters" page, it was possible to navigate away from the page without saving the changes to the configuration, without any notification.

We have created a notification dialog and when the user has unsaved changes, we will notify them on page leave.

PAM-11347

Table 4: General resolved issues in release 6.4.0
Resolved Issue Issue ID

Traceback in the logs after rejecting a four-eyes authorization request

A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected, the event is now handled properly.

PAM-10881

Traceback appears in the logs if the LDAP server is down

A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected, the error is now properly handled.

PAM-11028

False data in archiving notice

After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected.

NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead.

PAM-9615

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed.

PAM-10413

Timeout in RDGW sessions causes core files on SPS

If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected, such timeout errors are now handled properly.

PAM-11123

Resizing the screen in ICA sessions to span multiple monitors did not work

If the number of relayed monitor screens was changed during an ICA session the change was not relayed by SPS properly which made such changes impossible. The problem is now fixed and it is possible to change the number of monitors during the session.

PAM-10988

Sessions are terminated when using the credit-card detection and alerting features

In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected.

PAM-11134

RDP sessions shown as active even after client disconnects

In certain cases, SPS reported RDP sessions as active even after the client has disconnected. This has been corrected.

PAM-11168

Client unexpectedly closes RemoteApp sessions

In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected, the unneeded certificate is not sent to the client.

PAM-11187

Overriding the global verbosity level in ICA connection policies had no effect

In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level.

PAM-11251

Configuration changes not taking effect

In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen for example when committing networking changes, and restarting the networking service was very slow. This has been corrected, such errors are now handled properly.

PAM-10336

Password reuse always allowed when changing the password over REST

It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password change was performed through the REST API. It is now fixed and the restriction is enforced over the API, too.

PAM-11213

Remote Desktop Gateway authentication fails for Windows 2012 R2 clients

Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2 , ver. 6.3.9600 Protocol 8.1). This has been corrected.

PAM-9967

IPv6 routing table is missing from the support bundle

The IPv6 routing table was missing from the support bundle. This has been corrected.

PAM-10354

Improve the debug logging of ldapservice

The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs.

PAM-11135

Failed screenshots in content subchapter reports

Using external-indexer or near real time indexing led to failed screenshots in content subchapter reports, indicated by the following error message in the logs:

'Cannot retrieve image for screencontent'

This has been corrected, screenshots are now properly generated for the reports.

PAM-10190

Following trail downloaded from Active Connections generates multiple Audit trail download events on Search

When following an .srs trail downloaded from the Active Connections page through Desktop Player, it spammed the 'Audit trail downloads' section on the Search > Details page of the connection every second.

This has been fixed, the 'Audit trail downloads' section now displays the download event only once per trail download initiated from the Active Connections page.

PAM-10669

Additional Metadata field may contain Gateway Password

In certain cases, the "Additional Metadata" field contained the Gateway Password used in the session. This is the password that the user used to authenticate on the SPS gateway, and belongs to the Gateway Username of the user. The passwords used to authenticate on the target servers were not affected.

For this error to occur, all of the following circumstances must have been met:

  • the client used an SSH session to access remote servers

  • in a joined SPS-SPP scenario

  • that used the SPS-initiated workflow

  • where the Authentication Policy of the SSH Connection Policy used the "Password" Gateway Authentication Method

  • and the version of the SPS appliance is 6.2.0 or 6.0.2.

The error has been corrected.

To find out whether this error has occurred in your environment, complete the following steps.

  1. Log in to your SPS appliance as a user who has access to the Search page.

  2. On the Search page, enter the following search query: recording.additional_metadata: gp=

    • If there are no search results, the error did not occur in your environment. Upgrade to SPS version 6.3.0a or 6.0.3 to ensure that it does not occur in the future.

    • If there are search results, continue with the next step of this procedure.

  3. Click the ... button on the right of the Export CSV button.

  4. Add the Gateway Username and the Recording Connection Policy fields to the list of fields to export.

  5. Check which Authentication Policies are used by the Connection Policies that appear in the Recording Connection Policy fields.

  6. Navigate to SSH Control > Authentication Policies, and check which Authentication Backend the affected Authentication Policies use.

  7. Contact the users appearing in the Gateway Username field to change their password in the affected backends.

PAM-11073

Deadlock in HTTP proxy

In some rare cases the HTTP proxy could get in a deadlock and stop working.

This has been fixed.

PAM-11016

HA takeover issues after multi-step upgrades

If a system was upgraded in multiple steps (e.g. from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes.

The problem has been fixed and these kinds of upgrades now work well.

PAM-11292

Report generator service failure

In some cases, the report generator service on the SPS appliance could fail due to a problem in the way the "Top 10 users" reports were generated.

The problem has been fixed and reports are generated properly.

PAM-10389

Error messages not shown during Starling join

When a join to the Starling platform was initiated, the error messages such as SSL certificate errors were not shown to the user, making troubleshooting difficult.

These error messages are now shown on the UI.

PAM-10969

Dynamic Virtual Channels in RDP proxy are not handled properly

Some of the Dynamic Virtual Channels in RDP proxy were allowed even if they were not enabled in a channel policy.

This has been fixed: such channels must now be explicitly added to the "Permitted channels" under the Dynamic Virtual Channels channel policy.

PAM-11319

The built-in Cisco pattern set in telnet proxy does not work with Cisco Nexus 5000 devices

Due to a different login prompt, the built-in Cisco pattern set did not extract the username properly in Cisco Nexus 5000 devices.

This has been fixed.

PAM-10908

Wrong file transfer direction in RDP proxy

File uploads (from the client machine to the remote server) were tagged with "download", and downloads (from the remote server to the client machine) with "upload".

This has been corrected and tagged properly.

PAM-10799

Table 5: General resolved issues in release 6.3.0
Resolved Issue Issue ID

Downloading audit trails fails on the Central Search node

In a cluster environment, downloading audit trails from the web interface failed on the Central Search node. This has been corrected.

PAM-10971

The Protocol field on the Search page contains invalid value

In certain cases, the Protocol field contained the '-1' value instead of the name of the protocol. This has been corrected.

PAM-10906

The connections of an SPP access request on a joined SPS-SPP fail after upgrading to SPS 6.2

The automatic upgrade of the SGAA/SGCredStore plugins caused a failure during the connections due to a plugin wrapper selection mistake. The plugin wrapper selection is fixed, connections now work as expected.

PAM-10888

'Analytics details are not available' warning appears on the UI

In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session.

PAM-10886

The Analytics tab of a session keeps loading infinitely

Opening the Analytics tab of a session without the required privileges kept loading the page infinitely, instead of displaying a permission error. This has been corrected.

PAM-10859

If the session database is very large, opening new sessions is very slow

In some cases, persisting indexer job status updates and command/title events put a heavy load on the database, which caused long delays in opening new connections through SPS.

The way of persisting indexer events to the database was optimized in a way that it should not add delay on new connections.

PAM-10821

Clicking on the chart in Flow view does not create the proper search query

Clicking on the chart in the Flow view of the Search page created incorrect search queries. This has been corrected.

PAM-10794

Report queries are not updated

In some cases, the queries of certain report subchapters were not updated, and therefore the reports contained outdated information. This has been corrected.

PAM-10787

Error in handling compressed ICA traffic causes the server to terminate the session

In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs:

'Compression PD: Unable to expand slab'

This has been corrected, and the traffic is now handled properly.

PAM-10781

Corrections to the on-screen instructions on checking plugin integrity

The instructions on how to check the integrity of the plugins have been updated on the Basic Settings > Plugins page.

PAM-10675

When selecting a session on the Search page, clicking the 'Analytics' tab for the first time showed an unnecessary error message for a second, before the actual contents were loaded. This has been corrected.

PAM-10671

Files copy-pasted in FreeRDP sessions cannot be exported

Files copy-pasted in FreeRDP sessions were recorded in the audit trail, but exporting them failed. This has been corrected.

PAM-10668

Clicking the Back button on the Search page removes every filter

Clicking the Back button of the browser on the Search page removed every filter, not only the last one. This has been corrected.

PAM-10636

After deleting a filter on the Search page you cannot re-add it

After deleting a filter from the query on the Search page, clicking on the same field to re-add the filter did not have any effect. This has been corrected.

PAM-10583

Duplicate header appears on the ICA Control > Channel Policies page

While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected.

PAM-10575

The Edit option is displayed on the Search Subchapter page to users with only read rights

On the Reporting > Search Subchapters page, the Edit and Create New Subchapter options were visible even if the user had only Read privileges to the page. This has been corrected.

PAM-10429

SDP cannot replay VNC sessions with TightSecurity

SDP failed to replay audit trails that contained VNC over WebSocket sessions that had TightSecurity enabled. This has been corrected, and SDP can now replay these sessions.

PAM-10279

Values with special characters clicked on the Search page are not escaped

Clicking on values on the Search page added the value to the search query, but special characters were not escaped, resulting in incorrect search queries if the selected value contained Lucene-specific characters. This has been corrected.

PAM-10234

Misspelled OK buttons on the web interface

Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected.

PAM-10155

Inaccurate warning when upgrading external indexers

When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected.

PAM-9707

Content search field does not handle the '<' character

Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected, and such queries are now handled properly.

PAM-9264

OpenSSL encryption failure when changing the password of a permanent keystore

In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message:

'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62'

This has been corrected.

PAM-8345

If completing the Welcome Wizard using the REST API fails, the appliance becomes unreachable

If completing the Welcome Wizard using the REST API failed, an internal error made the product unreachable: the IP address became 192.168.1.1 and the console access of the root user was disabled. From now on, the console access of the root user remains active, so it can be used to fix such situations.

PAM-7760

The 'Timestamping policy' field is displayed for Local policies

On the <Protocol> > Global Options > Audit page, the 'Timestamping policy' field was displayed even when the timestamping policy was set to 'Local'. This has been corrected, and the field now appears only if 'Remote' timestamping is selected.

PAM-426

System requirements

Before installing SPS 6.6.1, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January, 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and Safeguard Desktop Player User Guide.

NOTE:

SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE:

The minimum recommended screen resolution for viewing One Identity Safeguard for Privileged Sessions's (SPS's) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or are above these values will guarantee an optimal display of the web interface.

Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.
