
One Identity Safeguard for Privileged Sessions 6.7.0 - Release Notes

Deprecated features

The Splunk forwarder is deprecated

The Splunk forwarder is deprecated as of Safeguard for Privileged Sessions (SPS) 6.7 and will be removed in an upcoming release. One Identity recommends using the universal SIEM forwarder instead.

Arguments of Authentication and Authorization and Credential Store plugins that begin with target_ have been deprecated

These arguments were deprecated because the target_host or target_server argument could contain either a hostname or an IP address, so the plugin could not tell which one it had received.

New arguments have been added to the Authentication and Authorization and Credential Store plugins to replace the deprecated ones. The new argument names explicitly define the values they contain. That is, a server_ip argument will always contain an IP address, and a server_hostname argument will always contain a hostname.

The deprecated arguments are the following:

Authentication and Authorization plugin: get_password_list and get_private_key_list input arguments:

  • target_username

  • target_host

  • target_port

  • target_domain

Credential Store plugin: authorize method:

  • target_server

  • target_port

  • target_username
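The following helper, added here as an illustration and not part of the SPS plugin SDK, shows how a plugin can keep accepting the deprecated target_host / target_server argument while mapping it onto the explicit server_ip / server_hostname pair described above. The argument names server_ip and server_hostname are the ones named in the release notes; the function names are my own.

```python
"""Compatibility helper for plugins that must accept both the deprecated
target_host / target_server argument and the explicit server_ip /
server_hostname arguments (example code, not the SPS plugin SDK)."""
import ipaddress
from typing import Dict


def classify_address(value: str) -> Dict[str, str]:
    """Split an ambiguous host value into the explicit form.

    Returns {"server_ip": ...} for an IPv4/IPv6 literal (brackets around an
    IPv6 literal are tolerated) and {"server_hostname": ...} otherwise.
    """
    raw = value.strip()
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]
    if not raw:
        raise ValueError("empty host value")
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return {"server_hostname": raw}
    return {"server_ip": str(ip)}


def server_address(**kwargs) -> Dict[str, str]:
    """Return the explicit server address from plugin keyword arguments.

    Explicit arguments win; a deprecated target_host / target_server value is
    classified only when neither explicit argument is present. If server_ip
    is given, it must really be an IP address, as the new naming promises, so
    a hostname passed in server_ip raises ValueError instead of being relayed.
    """
    explicit: Dict[str, str] = {}
    if kwargs.get("server_ip") is not None:
        explicit["server_ip"] = str(ipaddress.ip_address(kwargs["server_ip"]))
    if kwargs.get("server_hostname") is not None:
        explicit["server_hostname"] = str(kwargs["server_hostname"])
    if explicit:
        return explicit
    for legacy in ("target_host", "target_server"):
        if kwargs.get(legacy) is not None:
            return classify_address(kwargs[legacy])
    raise KeyError("no server address argument supplied")
```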

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in release 6.7.0 (columns: Resolved Issue, Issue ID)

Title detection issue on Windows 10 with a high DPI scaling

Title detection on Windows 10 with high DPI scaling of 100-200% DPI did not work properly. This has been fixed.

PAM-12613

Read-only privilege issue on the details page of the Search interface

If users with read-only privileges accessed the details page on the Search interface, an unauthorized landing page was displayed. This has been fixed.

PAM-12605

Pipeline exceptions issue

In case of an error, the pipeline restarted indefinitely. This has been fixed and now the pipeline will move to a failed state after 2 hours of trying. This way, the error will be visible, and can be addressed.

Also, reloading the pipeline is now working properly.

PAM-12528

Result counter issue on the Search interface for a valid search with no result

If a search on the Search interface used a valid search query but returned no result, the result counter was still displayed.

This has been fixed and now the result counter is not displayed.

PAM-12513

Click-to-search error for sessions with multiple interesting events

If a session had more than one analytics interesting event, the click-to-search did not work. This has been fixed.

PAM-12509

OCR engine failure

In some cases, the OCR process reached an internal memory limit, which caused it to crash. This has been fixed and the internal memory limit was raised to meet the requirements of the new OCR engine.

PAM-12434

Introduces a new feature to ease information collection for troubleshooting purposes.

A new directory (under /var/lib/support) has been created for files requested by support; its contents are automatically included in the support bundle.

These files are kept only for a limited time (a week after creation) to prevent them from filling up the disk in the long run.

Files bigger than 300 MB are only listed in the bundle rather than included, to keep the bundle itself at a manageable size.

PAM-12384

Could not download a .zatx file larger than 1GB.

A .zatx file larger than 1GB could not be downloaded. This has been fixed.

PAM-12337

Event processing error

Some special mouse buttons were not handled correctly by the analytics pipeline, which has now been fixed.

PAM-12276

Fix screenshot generation process

Sometimes the screenshot generation failed and did not load the picture. This has been corrected.

PAM-12259

Server host key modification caused a configuration lock

Under the SSH Control > Server Host Key menu item, modifying the keys caused an unexpected configuration lock. This has been corrected.

PAM-12213

Content service error messages did not appear on SPS

Due to a key mismatch in the HTTP responses received from the content service (responsible for initiating content search), SPS did not receive error messages from the service. This left a gap in the SPS message logs, as the brief reasons for service errors were not logged.

This was not a big problem when SPS was in a standalone configuration, but in search master-minion environments, where the content service serves requests from the minion node, the master node logs lacked information about the service error.

This has now been fixed, and the user no longer has to go to the minion node to check the brief reasons for content search related errors.

PAM-12179

A mismatching host key stored on the appliance could cause the host key configured in backup policies to be ignored.

If the root user connected to the backup host via SSH, they were prompted whether to store the offered host key. If the administrator chose to store it, that key was used later when performing backups (configured with Rsync over SSH), regardless of the one configured on the web UI.

The fix ensures that the user-provided host key is compared to the one presented by the backup server.

PAM-12173

Dialogs did not disappear after timeout on the audit data access page

After timeout, dialogs did not disappear on the audit data access page. This has been fixed.

PAM-12150

SPS installation on an Azure VM made the firmware tainted

The walinuxagent service, which is required to run on Azure instances, creates files at runtime, and this made the firmware tainted. These files have been added to the tainted whitelist.

PAM-12090

Fixed timestamp conversion in report generation

When the timezone of SPS was other than UTC, timestamps for recorded sessions were accidentally converted to local time twice.

This has been fixed; timestamps of recorded sessions are now shown in local time when a local timezone is configured on the appliance.

PAM-12087

Added missing acceptable special ACLs for session endpoints

When a user was granted the special ALL access right on the Users > Access Control > Appliance Access page, the user still received a permission denied error when searching for sessions either on the Search page or using REST.

The missing acceptable rights have been added, and the user is now able to search sessions with the special ALL ACL.

PAM-12071

Certificate chain upload might fail with cross-signed intermediates

When uploading a certificate chain, if any of the intermediate CAs in the chain was also a publicly trusted root, the upload failed with an error message. This has been corrected.

PAM-12059

The lowercase transformation of global notifications has been removed.

Previously, because of inconsistent error messages coming from the REST API, all global notifications were transformed to lowercase. With this fix, all possible error messages have been checked. All messages now arrive in an acceptable style, so the lowercase CSS transformation has been removed.

PAM-12053

Version redundancy on the About page

The About page had a Firmware version and a Version, which was redundant as it contained the same information. This has been fixed and the Version has been removed.

PAM-12052

RDP device redirection only works if the Sound channel is enabled

Because of restrictions in Windows RDP servers, device redirection only works if the "Sound" channel is enabled. A warning has been added that alerts the user if device redirection is configured in the channel policies without the "Sound" channel being enabled.

PAM-12051

External links were not One Identity blue

The external links on the Basic settings -> System -> License page are now One Identity blue.

PAM-12023

Fix firmware upgrade page reload

After a firmware upgrade, when the appliance reboots, the single page application should redirect to the login page rather than reload it. This has been fixed.

PAM-11926

Fixed protocol binding in REST-based subchapter configurations

In REST-based reporting subchapter configurations, under the binding options, the protocol was either missing or its value was written in lowercase.

However, protocol values in ElasticSearch are stored in uppercase, and when reporting queried the REST API with a protocol filter, the casing mismatch meant that no data, or not exactly the right data, was retrieved in some situations. This has been corrected.

PAM-11708

Dedicated hot spare disk monitoring has been added to RAID status monitoring, with alerts.

The dedicated hot spare disk was not checked, because it was not part of the RAID array from the RAID controller's point of view, but knowing the status of the dedicated hot spare disk is useful. SPS now checks the status of the hot spare disk, sends an SNMP alert and shows a RAID status warning when needed.

PAM-11701

One-character events were not clickable

Every one-character string (Cyrillic, Kanji, and so on) is now clickable.

PAM-11677

Fixed unhandled invalid duration parameters

Some invalid duration values were not handled on the Search page in the advanced search query filter. Consequently, the user received an internal server error. This has been fixed, and the user now receives informative error messages about the correct values.

PAM-11624

Configuration of remote timestamping fails if policy is not set

When configuring remote timestamping on the protocol Global Settings page and the policy OID was not set, committing the change failed with a generic error message. (When using the REST API, the error type was InvalidPropertyError.) This has been corrected.

PAM-11401

Audit trail location was not retrieved correctly.

The exact location of an audit trail was not retrieved correctly in a cluster configuration. This has been fixed and now the audit trail location is retrieved correctly.

PAM-11153

Cleanup left metadata on the local search node when there was a search master in the cluster.

The bug has been fixed, and all data is now deleted properly during a cleanup.

PAM-11117

Rename Balabit in email attachments

In email attachments, Balabit Shell Control Box, which is the legacy product name, was still used. This has now been changed to One Identity Safeguard for Privileged Sessions.

PAM-10911

Fixed mapping of 0 value in pie chart

When the Analytics score field had a 0 value in the pie chart, the 'n/a' value was mapped in the report instead of 0, which was misleading. This has been fixed, and any field with a 0 value is now mapped to 0.

PAM-10066

On the About page, the hardware chart is now updated periodically.

Previously, because of a technical upgrade, the chart values were not updated if the values had not changed. With this fix, the chart values are updated periodically.

PAM-12358

Source Network Address Translation not working

A change introduced in version 6.5.0 inadvertently broke the SNAT feature for connections. It was partially fixed in version 6.6.0, but that fix did not work for certain source and target network combinations. The patch is now complete and the feature works properly again.

PAM-12357

The new system monitor displays the disk space accurately.

Previously, the new system monitor displayed the used disk percentage inaccurately. This has been fixed and the correct value is now displayed.

PAM-12329

Window title detection fix for Windows 2012 R2.

Window title detection did not find window titles when the DPI was slightly higher than the default one on Windows 2012.

PAM-12328

Linux desktop resizing issues with Citrix 1912 LTSR

When using a Citrix Linux VDA with Citrix 1912 LTSR, the desktop could not be resized properly. This has been fixed.

PAM-12255

When an invalid search was entered after a successful search, the quick statistics chart data was not cleared.

If an invalid search query is entered after a successful search, the quick statistics data is now reset to its original state, which means that it is cleared.

PAM-12235

In Mozilla Firefox, the user could not copy the public key.

This has been resolved by changing the text area from disabled to read-only.

PAM-12221

Screenshots were requested for HTTP and MSSQL sessions.

The interface tried to load screenshots for session types that do not have any, for example HTTP and MSSQL, which resulted in requests for non-existent screenshots. This has been corrected.

PAM-12200

Fixes a usability issue with the "Join to Starling" page on the web interface.

After a successful join to Starling, the "Basic settings -> Join to Starling" page no longer shows the "If you press OK, all unsaved changes will be lost!" error message when navigating away from the page. The error message was shown by mistake, as there were no further changes to be saved.

PAM-12171

"MSSQL" filter value was missing from the protocol list in query.

When the user tried to search for the MSSQL protocol in a query, it was missing from the list, so the filter could not be used. The "MSSQL" filter value has been added to the protocol list and is now available.

PAM-12158

Empty MenuInfo block appears instead of login screen

Invalid browser cookies could be set that prevented the rendering of the normal SPS login page. This has been corrected.

PAM-11985

Wrong value in fields caused error in dynamic report generation

Dynamic report generation could have run into an error if the query field tried to use an invalid value. It has been fixed.

PAM-11844

Browsers could not open several links on license and plugin page.

It has been corrected and now the links are working.

PAM-11699

Fixed mapping of unknown IP addresses

Reports could show the valid IP address "127.0.0.1" for connections that never involved that address, which was confusing: because it was set as the default IP address, unknown IP addresses were mapped to this value. This has been fixed, and unknown IP addresses are now mapped to N/A both in REST and in reports.

PAM-11673

Fixed quoting content search queries for content service

The content search query argument was not quoted (URL-encoded) when invoking the internal content service.

This resulted in an internal error when the content query contained non-ASCII characters (for example, Cyrillic), because without quoting and encoding only ASCII was supported.

This has been fixed, and the user can now search for any kind of characters.

PAM-11340

Minor PCI-DSS report content changes

PCI-DSS report contained some misspellings, outdated links and old naming conventions that have been fixed.

PAM-11077

Unable to change network settings

In rare cases the appliance could boot with incomplete network configuration.

This caused a configuration commit failure, on basic/networking page.

This issue has been fixed.

PAM-10498

Search URL paste issue: search options were not updated.

Previously, if you had a filtered search query, copied the URL, visited another tab or changed the search query, and then pasted the copied URL, the search and the basic search options were not updated according to the copied URL parameters. This has been corrected.

PAM-10225

Could not select all of the fields from csv export.

The display field overflowed when too many fields were selected, and some fields could not be selected. It has been resolved by making the display area scrollable.

PAM-8901

MD5 certificates may break the configuration

If a certificate chain was uploaded as a Server X.509 certificate, which contained a certificate that was signed using the MD5 algorithm, the web server was unable to start.

Since the MD5 signing algorithm is not considered safe, such certificate chains are now rejected everywhere at configuration time. This means that client or server certificate chains configured for any purpose (e.g. for connecting to an LDAP or mail server, or for configuring a Signing CA or a Timestamping Authority) are not accepted if any of the certificates in the chain (except the root) is signed using MD5. It is not possible to upgrade to this version of SPS if the current configuration contains such certificates or certificate chains. The only exception is the indexer / encryption "certificate", which is essentially just a container for a public key, so all X.509 details are ignored for such certificates.

Note that the current error which blocks the upgrade contains unnecessary technical details on the UI (this is tracked as PAM-12447). The relevant error message is that the "md [is] too weak".

PAM-7758

Table 2: General resolved issues in release 6.5.0 (columns: Resolved Issue, Issue ID)

SSH connections may not be denied when the server host key algorithm changes and the server host key check method is set to "Accept key for the first time".

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Accept key for the first time" in "SSH Control > Connections > Server side host key settings > Plain host key check" and SPS already stored a trusted key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported only the "ssh-ed25519" host key algorithm, then the connection succeeded, even though it should have been rejected.

The cause of this error was that SPS and the server negotiated "ssh-ed25519" as the host key algorithm, but since no "ssh-ed25519" host key was stored in SPS yet, it proceeded to learn the new "ssh-ed25519" key. This could have been used by a rogue server impersonating a legitimate server, to trick SPS into accepting a connection by offering a host key algorithm that the legitimate server did not offer.

This has been fixed: SPS now only offers those host key algorithms for which it already has a trusted key. It offers all host key algorithms only when no trusted host key is stored yet for the target server.

PAM-11685

SSH connections may fail when the server side host key check method is set to "Only accept trusted keys"

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Only accept trusted keys" in "SSH Control > Connections > Server side host key settings > Plain host key check" and SPS has already stored a correct trusted server host key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported both the "ssh-ed25519" and the "ssh-rsa" host key algorithms, then the connection failed, even though it should have succeeded.

The cause of the connection failure was that SPS and the server negotiated the "ssh-ed25519" host key algorithm, not "ssh-rsa", but no trusted "ssh-ed25519" host key was stored.

This has been fixed: SPS now offers the server only those host key algorithms for which it already stores a trusted host key. When the host key check method is set to "Accept key for the first time" and no host key is stored yet, all algorithms are offered. This allows learning a preferred host key.

PAM-11531
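The two host key entries above (PAM-11685 and PAM-11531) describe the same rule from two sides: the client must not let the server steer negotiation towards a key type it has no trusted key for, yet must still learn a key when nothing is stored. The model below is an added illustration of that rule and is not SPS code; the algorithm list, policy strings and key blobs are constructed, and algorithm names are treated as key types for simplicity.

```python
"""Model of the fixed host key algorithm selection described above
(illustrative code, not the SPS implementation)."""
from typing import Dict, FrozenSet, List, Optional

# Client-side preference order; constructed for the example.
ALL_ALGORITHMS: List[str] = [
    "ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "ssh-rsa",
]
ACCEPT_FIRST = "Accept key for the first time"
ONLY_TRUSTED = "Only accept trusted keys"


def algorithms_to_offer(stored_key_types: FrozenSet[str], check_method: str) -> List[str]:
    """Host key algorithms to advertise in KEXINIT.

    Fixed behaviour: advertise only algorithms for which a trusted key is
    already stored, so the server cannot pick an unpinned type. The full list
    is advertised only when nothing is stored yet and the policy allows
    learning a key.
    """
    if stored_key_types:
        return [alg for alg in ALL_ALGORITHMS if alg in stored_key_types]
    if check_method == ACCEPT_FIRST:
        return list(ALL_ALGORITHMS)
    return []  # only-trusted policy with nothing stored: nothing could be accepted


def negotiate(offered: List[str], server_supported: List[str]) -> Optional[str]:
    """First client-preferred algorithm the server also supports (RFC 4253 style)."""
    for alg in offered:
        if alg in server_supported:
            return alg
    return None


def verify_host_key(stored_keys: Dict[str, str], check_method: str,
                    server_supported: List[str], server_key: str) -> str:
    """Run the negotiation and return "accepted", "learned" or "rejected".

    stored_keys maps key type -> trusted public key blob (constructed strings
    here); server_key is "<type> <blob>" as presented by the server.
    """
    offered = algorithms_to_offer(frozenset(stored_keys), check_method)
    alg = negotiate(offered, server_supported)
    if alg is None:
        return "rejected"  # no common algorithm, so no key-learning path exists
    key_type, _, blob = server_key.partition(" ")
    if key_type != alg:
        return "rejected"  # the server must present a key of the negotiated type
    if alg in stored_keys:
        return "accepted" if stored_keys[alg] == blob else "rejected"
    if check_method == ACCEPT_FIRST and not stored_keys:
        return "learned"
    return "rejected"
```

With an ssh-rsa key pinned, a server that only offers ssh-ed25519 (the PAM-11685 scenario) now gets no common algorithm and is rejected, while a server offering both types (the PAM-11531 scenario) is steered to ssh-rsa and accepted.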

View log files > Tail window remains open even after the administrator has logged out.

The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator has logged out of their session. This has been corrected. Note that the window displaying the past log messages remains open even after logging out of the session.

PAM-11510

Missing timestamps in audit trails and "Error connecting TSA" messages in the logs.

A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed.

PAM-11391

Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster.

Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster.

PAM-11390

From now on, Chrome on newer versions of macOS accepts the certificate generated by SPS.

macOS has tightened its certificate policies, and the certificate generated by SPS was not compliant with them. In Chrome, the warnings about the invalid certificate could not be turned off, so users were unable to configure SPS for the first time.

During initial configuration (or later) one could of course upload a custom server certificate, but the browser did not allow the user to reach SPS to configure it.

The newly generated certificate has the following additional properties:

  • validity is 800 days long;
  • extendedKeyUsage has been specified,

which makes it compliant with the recent Chrome+macOS combination.

PAM-11122

Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware)

During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration. This has now been fixed and these events are no longer generated.

PAM-10771

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

PAM-10316

A systemd service (proc-sys-fs-binfmt_misc.mount) failed to start at boot.

The proc-sys-fs-binfmt_misc.mount unit failed to start at boot. This generated alerts for the customer which resulted in SNMP trap or email, depending on the configuration. The service now starts at boot.

PAM-9935

For large amounts of information, a paginated data storage solution had been implemented, but it was not used by the indexer tool.

To prevent overloading database operations, data storage (for example, screen content storage during information collection from audit trails) now works in an optimized way.

PAM-11523

When a high number of audit trails was stored on the disk, a process could cause performance issues during upgrade, HA takeover or boot.

After this fix, the process runs only once.

PAM-11618

Under the "Reporting > Search subchapters" page, it was possible to navigate away from the page without saving the changes to the configuration, without any notification.

A notification dialog has been created: when the user has unsaved changes, they are notified on page leave.

PAM-11347

Table 3: General resolved issues in release 6.6.0 (columns: Resolved Issue, Issue ID)

Private key generation is broken for local Credential Stores

After generating an RSA key for a local Credential Store, committing the change failed with the following error message: 'Connection failed. Server is inaccessible, shut down, or not servicing requests.'

This has been corrected.

PAM-12104

SPS installation on an Azure VM made the firmware tainted

The walinuxagent service, which is required to run on Azure instances, creates files at runtime, and this made the firmware tainted. These files have been added to the tainted whitelist.

This has been corrected.

PAM-12090

Two active menu items at the same time

When opening a menu item and then another menu item while the previous one was still loading, two menu items appeared active at the same time.

This has been corrected.

PAM-12028

Fixed content search for sessions whose indexing had not finished

For sessions with a full indexing policy and lots of screen content, the indexing process took so long that the user was able to issue a content search, via REST or the UI, while it was still running.

As a result, an internal server error was returned, because in these scenarios the content file had not yet been written to disk and could not be opened for content search.

This has been corrected.

PAM-12022

Save hashed PSK value in support bundle

In order to diagnose clustering issues, it is important to verify that the cluster members share the same IPSec pre-shared keys, but this was impossible, because the values were masked out. Following this change, the generated PSK tokens of the configuration are replaced by their SHA256 hash value. This means that the comparison can be performed while the actual values still remain secret.

PAM-11976

Give the user hints in case of service or minion unavailability during content search

When trying to search the content of a session that was recorded on a minion node in a cluster environment, if the minion node was unavailable, the content search failed with an error and the user did not get any feedback about the underlying cause.

The user now also receives information if the minion node is available but the content service is not running.

PAM-11961

Audit Data Access menu element was not filtered with the right permission.

The Audit Data Access menu was always visible to the user even if permission settings did not allow this.

This has been corrected.

PAM-11897

When the user opened a session with an invalid sessionID, the user was redirected to the 404 Not found page.

If an invalid session ID was given, the search page did not open the details tab; instead, the user was informed about the invalid sessionID parameter.

This has been corrected.

PAM-11859

Wrong value in fields caused error in dynamic report generation

Dynamic report generation could have run into an error if the query field tried to use an invalid value. It has been fixed.

PAM-11844

On the About page, the system monitor charts now use GB for displaying data and include legends for additional information.

Each system monitor chart now displays the current, total, used and free amount of relevant data. The legends and presentation use unified number and amount presentation (2 digits and GB).

PAM-11836

For a session that started and finished on different days but did not last longer than 24 hours, only the start date was shown.

If a session is not longer than 24 hours but starts and ends on different days, both the start and the end date are now displayed on the search page.

PAM-11806

Errors not shown on Audit data access rules input fields

Validation errors were not shown correctly on Audit data access rules input fields. This has been corrected.

PAM-11785

Under Appliance Access rename the AAA to Users & Access Control

After the Users & Access Control menu item rename, the Appliance Access menu still displayed the old naming convention. This has been corrected.

PAM-11774

Text changes to clarify the page's goal.

The Audit data access page contained typos. This has been corrected, and the descriptions are now clearer.

PAM-11773

Update the menu names that have changed in the last release.

The AAA menu has changed to Users & Access Control in the last release, however, only Users & Access was visible. This has been corrected and Users & Access Control is now displayed.

PAM-11772

Audit data access rules look editable when the user does not have permission

Audit data access rules looked editable when the user had only read permission. However, this was only a visual bug and the server still checked permissions when the user wanted to edit rules.

This has been corrected and we created a read-only view for the Audit data access rules manage page.

PAM-11763

Brackets were removed from around IPv6 addresses by the HTTP proxy in headers

The HTTP proxy removed the brackets from around IPv6 addresses in relayed HTTP headers, e.g. "Host: [2001:db8::1]" became "Host: 2001:db8::1", which caused problems on the server side. This has been fixed, and such headers are now relayed properly.

PAM-11758
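The bracket stripping above is a classic host:port splitting pitfall: an IPv6 literal contains colons of its own, so a naive split destroys it, and re-serialising without brackets produces a Host value the server cannot parse. The parser and serialiser below are an added example (not the SPS proxy code) showing the round trip a relaying proxy needs; the function names are mine.

```python
"""Parsing and re-serialising an HTTP Host header value that may contain an
IPv6 literal (RFC 7230 Host = uri-host [":" port], RFC 3986 IP-literal).
Example code, not the SPS HTTP proxy."""
import ipaddress
from typing import Optional, Tuple


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split "host[:port]" into (host, port).

    An IPv6 literal must be bracketed; the brackets are stripped so the host
    is usable for lookups, and the literal inside is validated. An
    unbracketed IPv6 address is rejected, because its colons are ambiguous.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        host = value[1:end]
        ipaddress.IPv6Address(host)  # raises ValueError on garbage inside brackets
        rest = value[end + 1:]
    else:
        host, sep, tail = value.partition(":")
        rest = sep + tail
    if not host:
        raise ValueError("empty host in Host header")
    if rest == "":
        port: Optional[int] = None
    elif rest.startswith(":") and rest[1:].isdigit() and 0 <= int(rest[1:]) <= 65535:
        port = int(rest[1:])
    else:
        raise ValueError(f"malformed port in Host header: {value!r}")
    return host, port


def format_host_header(host: str, port: Optional[int]) -> str:
    """Serialise (host, port) back to a Host value, re-adding IPv6 brackets.

    This is the step the buggy proxy skipped: a bare IPv6 host must be
    wrapped in brackets before a port (or nothing) is appended.
    """
    try:
        is_v6 = isinstance(ipaddress.ip_address(host), ipaddress.IPv6Address)
    except ValueError:
        is_v6 = False  # a hostname or IPv4 literal needs no brackets
    text = f"[{host}]" if is_v6 else host
    return text if port is None else f"{text}:{port}"


def relay_host_header(value: str) -> str:
    """Round-trip a Host header through parse/format, as a relaying proxy should."""
    return format_host_header(*parse_host_header(value))
```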

Traceroute: switch to ICMP

Traceroute utility traditionally defaults to UDP probe packets, but such packets are likely to be filtered out by firewalls, even between SPS cluster nodes. It is expected that ICMP probes are more tolerated on networks, thus Troubleshooting > Traceroute has been changed to use ICMP instead of UDP.

PAM-11755

Missing validation for RDP connections when NLA is enabled but TLS is not.

When SPS was configured to use Network Level Authentication in an RDP connection, but Legacy RDP Security Layer was selected for that connection, then no connection could be established. A traceback was written to the system log.

This has been fixed: SPS now validates that a connection for which NLA is enabled also has TLS Transport Security selected.

PAM-11753

AA plugin "authorize" hook receives wrong domain name if autologon suffix is in use

The "authorize" hook of the AA plugin received the domain name with the autologon suffix left in place. This has been corrected.

PAM-11748

Starting up and shutting down logs are transferred from boot journal to core firmware logs

There were many cases when logs had not been transferred from the boot journal store to the core firmware; in those cases, network-related issues were not transferred either. This has been corrected: starting up and shutting down logs are now transferred from the boot journal to the core firmware logs. This makes investigation easier, because all the logs are in one place and are stored for a longer time.

PAM-11738

Error messages appear in HTTP proxy logs when Authorization headers are not valid base64 encoded data

The HTTP proxy tried to decode the Authorization header and logged an error whenever the value was not valid base64. These log messages could be misleading, as such headers occur frequently, so they have been disabled.

PAM-11713

Fixed the hardware charts under the About page

Previously, only the relative amount of memory was displayed on the About page > hardware charts. This has been corrected, and the user can now see the current, total, used and free values for each chart, converted and displayed in GB.

PAM-11705

Restore the version number and the hostname to the header.

In previous versions of SPS, the version number and host name were removed from the header. This has been corrected and the version and the host name are now displayed on the header.

PAM-11704

When an audit trail was missing from the SPS, all further archiving processes failed

When an audit trail was missing from SPS, all further archiving processes failed. This has been corrected and the archiving will continue to the next audit trail file, and SPS records the error in the local database.

PAM-11700

Firmware manipulation via the console (core-shell) with firmwarectl now synchronizes the firmware to the HA pair node.

The firmwarectl console tool, which can be called from the core-shell, did not synchronize the firmware to the other HA node, which caused a firmware version mismatch in case of a failover.

From now on, firmwarectl synchronizes the firmware to the other HA node just like the Basic Settings > High Availability page on the web UI does.

PAM-11642

The copyright end date should always show the shipped years.

The copyright date showed the current year instead of the shipped years. This has been corrected.

PAM-11620

Displaying the login page triggers General error (xcbError) SNMP or email alert

When the login page was loaded in a browser, then a background request attempted to access a resource which mistakenly required an already authenticated user. If the General error (xcbError) alert was enabled on the Basic Settings / Alerting & Monitoring page, then this condition triggered sending SNMP or email alerts. This has been fixed.

PAM-11597

High memory consumption of the indexer-jobgenerator service with sessions containing lots of channels

The jobgenerator service now handles channel-related messages without keeping them in memory.

PAM-11513

No warning was displayed when navigating away from a modified page without commit.

Even when the "Warn when unsaved changes may be lost" option in the preferences was checked, no warning was displayed when navigating away from a modified page without commit. This has been corrected.

PAM-11307

Allow additional text in PEM files for ED25519 private keys

RFC7468 requires parsers to tolerate additional data in PEM files, however, earlier versions of Safeguard for Privileged Sessions rejected ED25519 private keys with an error message. This has been corrected and additional data (such as certificates or lines of text) in the PEM files are ignored for both PKCS#8 and OpenSSH formatted keys.

PAM-11236
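To show what the RFC 7468 tolerance rule means in practice, here is a small PEM reader, added as an example and not taken from the SPS code base. It ignores free text and certificate blocks around a key and returns only the private-key block; the label set, the regular expressions and the placeholder block contents are constructed for the illustration and are not real key or certificate material.

```python
"""Tolerant PEM reader illustrating the RFC 7468 rule above.

Added example code, not the SPS parser. Labels, regexes and the
placeholder block contents are constructed for the illustration.
"""
import base64
import re

# RFC 7468 section 2: parsers must ignore text outside the encapsulation
# boundaries (comments, certificates, explanatory lines).
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "OPENSSH PRIVATE KEY"}  # PKCS#8, OpenSSH

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Constructed placeholder contents; NOT real key or certificate material.
KEY_BYTES = b"constructed placeholder, not a real ED25519 key"
CERT_BYTES = b"constructed placeholder, not a real certificate"


def _b64_lines(data, width=64):
    """Base64-encode data and wrap it at the 64-column PEM line width."""
    text = base64.b64encode(data).decode("ascii")
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample file: text before, between and after the blocks.
SAMPLE_PEM = (
    "This key file carries free text around its blocks, which RFC 7468\n"
    "requires a parser to ignore.\n"
    "-----BEGIN CERTIFICATE-----\n" + _b64_lines(CERT_BYTES) + "\n"
    "-----END CERTIFICATE-----\n"
    "Another comment line between blocks.\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\n" + _b64_lines(KEY_BYTES) + "\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def parse_pem(text):
    """Return [(label, decoded_bytes)] for each well-formed block in text,
    skipping everything outside BEGIN/END boundaries."""
    blocks = []
    label, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        begin = _BEGIN.match(line)
        if begin and label is None:
            label, body = begin.group(1), []
            continue
        end = _END.match(line)
        if end and label is not None:
            if end.group(1) != label:
                raise ValueError("END label does not match BEGIN label")
            # validate=True rejects stray characters inside the block body
            blocks.append((label, base64.b64decode("".join(body), validate=True)))
            label, body = None, []
            continue
        if label is not None:
            body.append(line)  # base64 payload line inside a block
        # any other line lies outside a block and is ignored
    if label is not None:
        raise ValueError("unterminated PEM block: " + label)
    return blocks


def extract_private_key(text):
    """Return (label, bytes) of the first private-key block, ignoring
    certificates and free text; None when the file holds no private key."""
    for label, data in parse_pem(text):
        if label in PRIVATE_KEY_LABELS:
            return label, data
    return None
```

The parser is strict inside a block (a wrong END label or a non-base64 character is an error) and lenient outside it, which is exactly the split RFC 7468 asks for; a key loader built on it decodes the returned bytes rather than the whole file.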

Multiple IPv4 addresses on the network interface assigned to clustering can break cluster node communication if an address other than the first one is used for clustering

Assigning multiple IPv4 addresses to the network interface used for clustering, and using an address other than the first one for secure communication between the cluster nodes, results in a non-working configuration. Configuration validation has been extended with checks that prevent saving such a configuration.

PAM-11047

HA IP negotiation fails when more than two SPS hosts are accessible on the HA interface

When more than two SPS instances are accessible through the HA interface, the third host cannot obtain a valid HA IP address, as the other two addresses are already taken. As this is not a supported setup, a warning message is now shown to the user on the console.

PAM-10916

Remove the Go back button from the Reporting page, because it caused inconsistency.

The Go back button on the reporting page of the auditor portal navigated to the wrong place. This has been corrected.

PAM-10715

On the Search UI, click-to-search and manual time selection interfered with each other.

Previously, you were able to select incorrect date ranges on the Search interface. This has been corrected.

PAM-10513

Some browsers did not show submenus correctly.

Some browsers did not show submenus correctly. This has been corrected.

PAM-10430

Events with very long names could overlap other areas on the search details page.

Events with very long names could overlap other areas on the search details page. This has been corrected, and long names now break into multiple lines.

PAM-10328

On the HTTP session's details page, the Terminate button appeared, but it should not have.

The Terminate button has been removed from the HTTP session's details page due to technical limitations.

PAM-10280

On the search page, the errors of the search query and the timeline were not synchronized.

When the search query was invalid, the timeline showed an error message. This has been corrected.

PAM-10269

The logout countdown timer is not refreshed

The logout countdown did not show the remaining time correctly. This has been corrected.

PAM-10036

Quick statistics cannot show the whole server hostname

Quick statistics did not show longer domain names. This has been corrected, and now if you move the cursor over the domain name, the whole domain name is shown.

PAM-9999

A session with too many events was not displayed properly on the Search page.

Sessions with more than 10,000 events produced strange UI behavior, and after the first 1000 pages, empty pages were displayed. This has been corrected, and the empty pages are no longer displayed.

PAM-9360

On the search page, the search bar did not get focus on load.

This has been corrected and now the search bar gets the focus.

PAM-9179

New sessions notification bell sometimes appears with the wrong number

The new sessions notification bell, which shows how many new sessions have arrived in the list, sometimes appeared with the wrong number.

This has been corrected, and the chance of occurrence has been reduced.

PAM-8235

Unnecessary expiration warnings for indexer decryption key certificates

The decryption keys and the certificates that belong to them, used by the internal indexer to process encrypted audit trails, may still be needed in the configuration in order to access older audit data, long after the certificate itself has expired. Due to this, the expiration of these certificates no longer triggers configuration validation warnings.

PAM-7653

Fix referenced subchapter delete

Under the Search Subchapters menu, the subchapter delete functionality was not correct previously. This has been corrected.

PAM-5979

In IE11, the first row of the search result list had a time column with misaligned values.

In IE11, the first row of the search result list had a time column with misaligned values. This has been corrected.

PAM-4613

Table 4: General resolved issues in release 6.5.0
Resolved Issue Issue ID

SSH connections may not be denied when the server host key algorithm changes and the server host key check method is set to "Accept key for the first time".

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Accept key for the first time" in "SSH Control > Connections > Server side host key settings > Plain host key check" and SPS already stored a trusted key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported only the "ssh-ed25519" host key algorithm, then the connection succeeded, even though it should have been rejected.

The cause of this error was that SPS and the server negotiated "ssh-ed25519" as the host key algorithm, but since no "ssh-ed25519" host key was stored in SPS yet, it proceeded to learn the new "ssh-ed25519" key. This could have been used by a rogue server impersonating a legitimate server, to trick SPS into accepting a connection by offering a host key algorithm that the legitimate server did not offer.

This has been fixed: SPS now only offers those host key algorithms for which it already has a trusted key. It offers all host key algorithms only when no trusted host key is stored yet for the target server.

PAM-11685

SSH connections may fail when the server side host key check method is set to "Only accept trusted keys"

SPS can validate an SSH server by checking its host public key against a set of stored trusted public keys. When this host key check method was set to "Only accept trusted keys" in "SSH Control > Connections > Server side host key settings > Plain host key check" and SPS has already stored a correct trusted server host key in "SSH Control > Server Host Keys" of the type "ssh-rsa", and the server supported both the "ssh-ed25519" and the "ssh-rsa" host key algorithms, then the connection failed, even though it should have succeeded.

The cause of the connection failure was that SPS and the server negotiated the "ssh-ed25519" host key algorithm, not "ssh-rsa", but no trusted "ssh-ed25519" host key was stored.

This has been fixed: SPS now only offers to the server those host key algorithms for which it already stores a trusted host key. When the host key check method is set to "Accept key for the first time" and no host key is stored yet, all algorithms are offered. This allows learning a preferred host key.

PAM-11531
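The two issues above (PAM-11685 and PAM-11531) are two sides of the same negotiation rule, so the following added example models that rule in one place. It is illustration code, not SPS's implementation: the policy names, the trusted-key table and the key blobs are constructed, host key types stand in for the full SSH algorithm names, and the negotiation follows the first-client-preference rule of RFC 4253 section 7.1.

```python
"""Server host key algorithm selection, illustrating PAM-11685 and
PAM-11531. Added example code, not SPS's implementation; policy names,
the trusted-key table and the key blobs are constructed."""

ALL_HOST_KEY_ALGS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]

ACCEPT_FIRST = "accept-first-time"   # "Accept key for the first time"
ONLY_TRUSTED = "only-trusted"        # "Only accept trusted keys"


def offered_algorithms(trusted_keys, check_method):
    """Host key algorithms offered to the server (post-fix behaviour).

    trusted_keys: {algorithm: public key blob} stored for this server."""
    if trusted_keys:
        # Offer only what can be verified. A server presenting an algorithm
        # the stored keys do not cover gets no common algorithm, so no new
        # key is learned behind an existing one (PAM-11685) and no
        # unverifiable algorithm is negotiated (PAM-11531).
        return [alg for alg in ALL_HOST_KEY_ALGS if alg in trusted_keys]
    if check_method == ACCEPT_FIRST:
        return list(ALL_HOST_KEY_ALGS)  # nothing stored yet: learn one key
    return []  # only-trusted with nothing stored: no key could be accepted


def negotiate(client_algs, server_algs):
    """RFC 4253 section 7.1: first client-preferred algorithm the server supports."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    return None


def check_host_key(trusted_keys, check_method, alg, key_blob):
    """Decide on the key the server presents after negotiation."""
    if alg in trusted_keys:
        return "accept" if trusted_keys[alg] == key_blob else "reject"
    if not trusted_keys and check_method == ACCEPT_FIRST:
        trusted_keys[alg] = key_blob   # first contact: learn the key
        return "learned"
    return "reject"


def connect(trusted_keys, check_method, server_keys):
    """server_keys: {algorithm: key blob} the server can present."""
    alg = negotiate(offered_algorithms(trusted_keys, check_method), server_keys)
    if alg is None:
        return "reject"  # no common host key algorithm: key exchange fails
    return check_host_key(trusted_keys, check_method, alg, server_keys[alg])


# Constructed scenarios; key blobs are labels, not real keys.
LEGIT_RSA = "rsa-key-of-legit-server"


def scenario_pam_11685():
    """Stored ssh-rsa key, accept-first-time, server offers only ssh-ed25519.
    Post-fix: only ssh-rsa is offered, nothing is common, connection rejected."""
    trusted = {"ssh-rsa": LEGIT_RSA}
    return connect(trusted, ACCEPT_FIRST, {"ssh-ed25519": "some-other-key"})


def scenario_pam_11531():
    """Stored ssh-rsa key, only-trusted, server supports ed25519 and rsa.
    Post-fix: only ssh-rsa is offered, so the stored key is checked and accepted."""
    trusted = {"ssh-rsa": LEGIT_RSA}
    return connect(trusted, ONLY_TRUSTED,
                   {"ssh-ed25519": "legit-ed25519-key", "ssh-rsa": LEGIT_RSA})
```

The point worth keeping from the model is that offering an algorithm is a trust decision in itself: whatever the proxy lists in its key exchange, the server may pick, so the list must be derived from the keys the proxy can actually verify.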

View log files > Tail window remains open even after the administrator has logged out.

The browser window displaying the live machine logs (Basic Settings > Troubleshooting > View log files > Tail) did not stop displaying new log messages after an administrator had logged out of their session. This has been corrected. Note that the window displaying past log messages remains open even after logging out of the session.

PAM-11510

Missing timestamps in audit trails and "Error connecting TSA" messages in the logs.

A bug in ICA proxy caused missing timestamps in audit trails and "Error connecting TSA" messages in the logs. This has been fixed.

PAM-11391

Change in the trusted host keys did not trigger configuration synchronization in the SPS cluster.

Adding or removing a trusted host key now triggers configuration synchronization in the SPS cluster.

PAM-11390

From now on, Chrome on a newer version of macOS accepts the certificate generated by SPS.

macOS has tightened its certificate policies, and the certificate generated by SPS was not compliant with them. On Chrome, the warnings about the invalid certificate could not be turned off, rendering users unable to configure SPS for the first time.

During initial configuration (or later), a custom server certificate could of course be uploaded, but the browser did not allow the user to reach SPS to configure it.

The newly generated certificate has the following additional properties:

  • validity is 800 days long;
  • extendedKeyUsage has been specified,

which make it compliant with the recent Chrome and macOS combination.

PAM-11122

Invalid software RAID-related events generated during one-shot checking (affects only MBX T1 hardware)

During the periodic checking of the software RAID array, DeviceDisappeared and NewDevice events were generated. These events were sent through SNMP or email, depending on the configuration. This has now been fixed and these events are no longer generated.

PAM-10771

Core files are generated for ICA sessions

In certain situations after the client has closed an ICA session, SPS generated a core file. This has been corrected.

PAM-10316

A systemd service (proc-sys-fs-binfmt_misc.mount) failed to start at boot.

The proc-sys-fs-binfmt_misc.mount unit failed to start at boot. This generated alerts for the customer which resulted in SNMP trap or email, depending on the configuration. The service now starts at boot.

PAM-9935

For large amounts of information, a paginated data storage solution was implemented but was not used by the indexer tool.

To prevent overloading database operations, data storage (for example, storing screen content while collecting information from an audit trail) now works in an optimized way.

PAM-11523

When a large number of audit trails were stored on the disk, a process could cause performance issues during upgrade, HA takeover or boot.

After this fix, this process runs only once.

PAM-11618

Under the "Reporting > Search subchapters" page, it was possible to navigate away from the page without saving the changes to the configuration, without any notification.

A notification dialog has been added: when the user has unsaved changes, they are notified on leaving the page.

PAM-11347

Table 5: General resolved issues in release 6.4.0
Resolved Issue Issue ID

Traceback in the logs after rejecting a four-eyes authorization request

A traceback appeared in the logs after rejecting a four-eyes authorization request. This has been corrected; the event is now handled properly.

PAM-10881

Traceback appears in the logs if the LDAP server is down

A traceback appeared in the logs if the LDAP server was unavailable and SPS tried to access this server. This has been corrected; the error is now properly handled.

PAM-11028

False data in archiving notice

After deleting a Connection Policy that had recorded sessions and creating a new policy with the same name, the number of archived files in the archiving notice was invalid. This has been corrected.

NOTE: It is not recommended to delete Connection Policies that were used in production systems, as this can prevent SPS from archiving the files and data related to these policies. We recommend disabling unneeded Connection Policies instead.

PAM-9615

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly

After upgrading a High Availability cluster, the Basic Settings > High Availability page displayed the Boot firmware version of the Other node incorrectly, as if that node was still running the old firmware version. Despite the information displayed on the web user interface, both nodes were running the new firmware version. This has been fixed.

PAM-10413

Timeout in RDGW sessions causes core files on SPS

If a connection required for a Remote Desktop Gateway session could not be established within the expected timeout, the session failed and a core file appeared on SPS. This has been corrected; such timeout errors are now handled properly.

PAM-11123

Resizing the screen in ICA sessions to span multiple monitors did not work

If the number of relayed monitor screens was changed during an ICA session, the change was not relayed by SPS properly, which made such changes impossible. The problem is now fixed, and it is possible to change the number of monitors during the session.

PAM-10988

Sessions are terminated when using the credit-card detection and alerting features

In certain cases when the credit-card detection and alerting features were used, SPS terminated the affected sessions even when the Terminate action was not selected. This has been corrected.

PAM-11134

RDP sessions shown as active even after client disconnects

In certain cases, SPS reported RDP sessions as active even after the client has disconnected. This has been corrected.

PAM-11168

Client unexpectedly closes RemoteApp sessions

In certain situations using RemoteApp connections, SPS sent an unneeded certificate to the client, causing the client to close the connection. This has been corrected; the unneeded certificate is no longer sent to the client.

PAM-11187

Overriding the global verbosity level in ICA connection policies had no effect

In order to help troubleshooting, the global log verbosity level can be overridden in connection policies. This setting was ignored in ICA connections. This has been fixed, ICA connection policies now also allow setting a per-connection verbosity level.

PAM-11251

Configuration changes not taking effect

In some cases, when the user modified system-related configuration settings of SPS, they did not take effect after committing the changes. This could happen for example when committing networking changes, and restarting the networking service was very slow. This has been corrected, such errors are now handled properly.

PAM-10336

Password reuse always allowed when changing the password over REST

It is possible to configure SPS to prevent reusing previous passwords when changing the user password. This was not enforced when the password change was performed through the REST API. This has been fixed, and the restriction is now enforced over the API, too.

PAM-11213

Remote Desktop Gateway authentication fails for Windows 2012 R2 clients

Remote Desktop Gateway authentication failed for Windows 2012 R2 clients (Windows client version: Windows 2012 R2, ver. 6.3.9600, Protocol 8.1). This has been corrected.

PAM-9967

IPv6 routing table is missing from the support bundle

The IPv6 routing table was missing from the support bundle. This has been corrected.

PAM-10354

Improve the debug logging of ldapservice

The debug log messages of the ldapservice process now include a unique id to simplify troubleshooting of request-response pairs.

PAM-11135

Failed screenshots in content subchapter reports

Using the external indexer or near real-time indexing led to failed screenshots in content subchapter reports, indicated by the following error message in the logs:

'Cannot retrieve image for screencontent'

This has been corrected; screenshots are now properly generated for the reports.

PAM-10190

Following trail downloaded from Active Connections generates multiple Audit trail download events on Search

When following an .srs trail downloaded from the Active Connections page through Desktop Player, the 'Audit trail downloads' section on the Search > Details page of the connection was spammed with a new event every second.

This has been fixed; the 'Audit trail downloads' section now displays the download event only once per trail download initiated from the Active Connections page.

PAM-10669

Additional Metadata field may contain Gateway Password

In certain cases, the "Additional Metadata" field contained the Gateway Password used in the session. This is the password that the user used to authenticate on the SPS gateway, and belongs to the Gateway Username of the user. The passwords used to authenticate on the target servers were not affected.

For this error to occur, all of the following circumstances must have been met:

  • the client used an SSH session to access remote servers

  • in a joined SPS-SPP scenario

  • that used the SPS-initiated workflow

  • where the Authentication Policy of the SSH Connection Policy used the "Password" Gateway Authentication Method

  • and the version of the SPS appliance is 6.2.0 or 6.0.2.

The error has been corrected.

To find out whether this error has occurred in your environment, complete the following steps.

  1. Login to your SPS appliance as a user who has access to the Search page.

  2. On the Search page, enter the following search query: recording.additional_metadata: gp=

    • If there are no search results, the error did not occur in your environment. Upgrade to SPS version 6.3.0a or 6.0.3 to ensure that it does not occur in the future.

    • If there are search results, continue with the next step of this procedure.

  3. Click the ... button on the right of the Export CSV button.

  4. Add the Gateway Username and the Recording Connection Policy fields to the list of fields to export.

  5. Check which Authentication Policies the Connection Policies that appear in the Recording Connection Policy field use.

  6. Navigate to SSH Control > Authentication Policies, and check which Authentication Backend the affected Authentication Policies use.

  7. Contact the users appearing in the Gateway Username field to change their password in the affected backends.

PAM-11073
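The procedure above ends with a CSV export that has to be worked through by hand. The following added example (not part of the release notes or of SPS) does that triage step over such an export: it flags rows whose Additional Metadata carries a gp= entry and groups the affected Gateway Usernames by Recording Connection Policy, without ever echoing the metadata value itself. The column names follow the fields named in the steps above; the export rows are constructed, and treating a whitespace-separated token beginning with gp= as a hit is an assumption that mirrors the search query in step 2.

```python
"""Triage of a Search CSV export for the PAM-11073 condition.

Added example code, not SPS's own tooling. SAMPLE_EXPORT is a constructed
export; column names follow the fields named in the procedure above.
"""
import csv
import io

# Constructed export; the values are placeholders, not real data.
SAMPLE_EXPORT = """\
Gateway Username,Recording Connection Policy,Additional Metadata
alice,ssh-prod,gp=placeholder1
bob,ssh-prod,
carol,ssh-dev,"note=ticket-42 gp=placeholder2"
dave,ssh-dev,group=admins
"""

GATEWAY_USER = "Gateway Username"
CONN_POLICY = "Recording Connection Policy"
ADDITIONAL_METADATA = "Additional Metadata"


def has_gateway_password(metadata):
    """True when a whitespace-separated token starts with 'gp=' (assumption
    mirroring the 'recording.additional_metadata: gp=' search)."""
    return any(token.startswith("gp=") for token in (metadata or "").split())


def affected_sessions(csv_text):
    """Return [(gateway username, connection policy)] for flagged rows.

    Only identifying columns are returned; the metadata value that may hold
    the password is never copied out of the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {GATEWAY_USER, CONN_POLICY, ADDITIONAL_METADATA} - set(reader.fieldnames or [])
    if missing:
        raise ValueError("export lacks columns: %s" % ", ".join(sorted(missing)))
    return [
        (row[GATEWAY_USER], row[CONN_POLICY])
        for row in reader
        if has_gateway_password(row[ADDITIONAL_METADATA])
    ]


def users_by_policy(csv_text):
    """Group affected gateway usernames by connection policy, which is the
    unit the remaining steps (policy -> authentication backend) work on."""
    grouped = {}
    for user, policy in affected_sessions(csv_text):
        grouped.setdefault(policy, set()).add(user)
    return grouped


if __name__ == "__main__":
    for policy, users in sorted(users_by_policy(SAMPLE_EXPORT).items()):
        print("%s: %s" % (policy, ", ".join(sorted(users))))
```

Running it prints one line per affected Connection Policy with the users to contact; the export itself should be deleted once the list is extracted, since it contains the sensitive field.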

Deadlock in HTTP proxy

In some rare cases the HTTP proxy could get in a deadlock and stop working.

This has been fixed.

PAM-11016

HA takeover issues after multi-step upgrades

If a system was upgraded in multiple steps (e.g. from 5.11 to 6.0 to 6.3) without an HA takeover between the upgrades, a range of problems occurred while detecting the version of the firmware on the master and slave nodes.

The problem has been fixed and these kinds of upgrades now work well.

PAM-11292

Report generator service failure

In some cases, the report generator service on the SPS appliance could fail due to a problem in the way the "Top 10 users" reports were generated.

The problem has been fixed and reports are generated properly.

PAM-10389

Error messages not shown during Starling join

When a join to the Starling platform was initiated, the error messages such as SSL certificate errors were not shown to the user, making troubleshooting difficult.

These error messages are now shown on the UI.

PAM-10969

Dynamic Virtual Channels in RDP proxy are not handled properly

Some of the Dynamic Virtual Channels in RDP proxy were allowed even if they were not enabled in a channel policy.

This has been fixed, and such channels must now be explicitly added to the "Permitted channels" list of the Dynamic Virtual Channels channel policy.

PAM-11319

The built-in Cisco pattern set in telnet proxy does not work with Cisco Nexus 5000 devices

Due to a different login prompt, the built-in Cisco pattern set did not extract the username properly in Cisco Nexus 5000 devices.

This has been fixed.

PAM-10908

Wrong file transfer direction in RDP proxy

File uploads (from the client machine to the remote server) were tagged with "download", and downloads (from the remote server to the client machine) with "upload".

This has been corrected and tagged properly.

PAM-10799

Table 6: General resolved issues in release 6.3.0
Resolved Issue Issue ID

Downloading audit trails fails on the Central Search node

In a cluster environment, downloading audit trails from the web interface failed on the Central Search node. This has been corrected.

PAM-10971

The Protocol field on the Search page contains invalid value

In certain cases, the Protocol field contained the '-1' value instead of the name of the protocol. This has been corrected.

PAM-10906

The connections of an SPP access request on a joined SPS-SPP fail after upgrading to SPS 6.2

The automatic upgrade of the SGAA/SGCredStore plugins caused a failure during the connections due to a plugin wrapper selection mistake. The plugin wrapper selection has been fixed, and connections now work as expected.

PAM-10888

'Analytics details are not available' warning appears on the UI

In some cases, the 'Analytics details are not available' warning was displayed even though the analytics scores were available for the session.

PAM-10886

The Analytics tab of a session keeps loading infinitely

Opening the Analytics tab of a session without the required privileges kept loading the page infinitely, instead of displaying a permission error. This has been corrected.

PAM-10859

If the session database is very large, opening new sessions is very slow

In some cases, persisting indexer job status updates and command/title events put a heavy load on the database, which caused long delays in opening new connections through SPS.

Persisting indexer events to the database has been optimized so that it should no longer delay new connections.

PAM-10821

Clicking on the chart in Flow view does not create the proper search query

Clicking on the chart in the Flow view of the Search page created incorrect search queries. This has been corrected.

PAM-10794

Report queries are not updated

In some cases, the queries of certain report subchapters were not updated, and therefore the reports contained outdated information. This has been corrected.

PAM-10787

Error in handling compressed ICA traffic causes the server to terminate the session

In some cases, SPS handled compressed ICA traffic incorrectly, causing the server to terminate the session. The following log message appeared in the system logs:

'Compression PD: Unable to expand slab'

This has been corrected; the traffic is now handled properly.

PAM-10781

Corrections to the on-screen instructions on checking plugin integrity

The instructions on how to check the integrity of the plugins have been updated on the Basic Settings > Plugins page.

PAM-10675

When selecting a session in the Search page, clicking the 'Analytics' tab for first time showed an unnecessary error message for a second, before the actual contents were loaded. This has been corrected.

PAM-10671

Files copy-pasted in FreeRDP sessions cannot be exported

Files copy-pasted in FreeRDP sessions were recorded in the audit trail, but exporting them failed. This has been corrected.

PAM-10668

Clicking the Back button on the Search page removes every filter

Clicking the Back button of the browser on the Search page removed every filter, not only the last one. This has been corrected.

PAM-10636

After deleting a filter on the Search page you cannot re-add it

After deleting a filter from the query on the Search page, clicking on the same field to re-add the filter did not have any effect. This has been corrected.

PAM-10583

Duplicate header appears on the ICA Control > Channel Policies page

While editing a new Channel Policy on the ICA Control > Channel Policies page, clicking on the Show details icon caused a new header and footer to appear. This has been corrected.

PAM-10575

The Edit option is displayed on the Search Subchapter page to users with only read rights

On the Reporting > Search Subchapters page, the Edit and Create New Subchapter options were visible even if the user had only Read privileges to the page. This has been corrected.

PAM-10429

SDP cannot replay VNC sessions with TightSecurity

SDP failed to replay audit trails that contained VNC over WebSocket sessions that had TightSecurity enabled. This has been corrected; SDP can now replay these sessions.

PAM-10279

Values with special characters clicked on the Search page are not escaped

Clicking on values on the Search page added the value to the search query, but special characters were not escaped, resulting in incorrect search queries if the selected value contained Lucene-specific characters. This has been corrected.

PAM-10234
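What "escaping Lucene-specific characters" involves is easy to get wrong, so here is an added example of the step the fix above describes: turning a clicked value into a safe query clause. It is illustration code, not the SPS search UI. The escaped character set is the Lucene query-parser special set (+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ /); the field names and values are constructed.

```python
"""Escaping a clicked value before adding it to a Lucene query.

Added example code, not the SPS Search implementation. Field names and
sample values are constructed.
"""

# Single-character Lucene query-parser metacharacters.
LUCENE_SPECIAL = set('+-!(){}[]^"~*?:\\/')
# Two-character boolean operators that must be escaped as a unit.
LUCENE_TWO_CHAR = ("&&", "||")


def escape_lucene_value(value):
    """Backslash-escape every Lucene metacharacter in value."""
    out = []
    i = 0
    while i < len(value):
        pair = value[i:i + 2]
        if pair in LUCENE_TWO_CHAR:
            out.append("\\" + pair)
            i += 2
            continue
        ch = value[i]
        out.append("\\" + ch if ch in LUCENE_SPECIAL else ch)
        i += 1
    return "".join(out)


def add_clicked_filter(query, field, value):
    """Append field:value to query, escaping the value and quoting it when
    it contains whitespace so it stays one term."""
    term = escape_lucene_value(value)
    if any(c.isspace() for c in term):
        term = '"' + term + '"'   # inner quotes are already escaped as \"
    clause = "%s:%s" % (field, term)
    return clause if not query else "%s AND %s" % (query, clause)
```

Unescaped, a clicked value such as a Windows path would be read as a field prefix (the colon) followed by an escape sequence, which is the kind of malformed query the issue describes; with the escaping applied, the literal text is searched for instead.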

Misspelled OK buttons on the web interface

Some OK buttons were spelled as 'Ok' on the web interface. These have been corrected.

PAM-10155

Inaccurate warning when upgrading external indexers

When upgrading an external indexer, an inaccurate warning was displayed about removing the directory that contained the configuration files of the old version of the indexer. This has been corrected.

PAM-9707

Content search field does not handle the '<' character

Typing the '<' character followed by other characters in the screen content search field caused the query to disappear. This has been corrected; such queries are now handled properly.

PAM-9264

OpenSSL encryption failure when changing the password of a permanent keystore

In some rare cases, when changing the password of a permanent keystore on the web interface, encrypting the keys failed with the following error message:

'Fatal error: escapeshellarg(): Input string contains NULL bytes in /opt/scb/lib/OpenSSL.php on line 62'

This has been corrected.

PAM-8345

If completing the Welcome Wizard using the REST API fails, the appliance becomes unreachable

If completing the Welcome Wizard using the REST API failed, an internal error made the product unreachable: the IP address became 192.168.1.1 and the console access of the root user was disabled. From now on, the console access of the root user remains active, so it can be used to fix such situations.

PAM-7760

The 'Timestamping policy' field is displayed for Local policies

On the <Protocol> > Global Options > Audit page, the 'Timestamping policy' field was displayed even when the timestamping policy was set to 'Local'. This has been corrected; the field now appears only if 'Remote' timestamping is selected.

PAM-426

System requirements

Before installing SPS 6.7, ensure that your system meets the following minimum hardware and software requirements.

The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.

Supported web browsers and operating systems

Caution:

Since the official support of Internet Explorer 9 and 10 ended in January 2016, they are not supported in One Identity Safeguard for Privileged Sessions (SPS) version 4 F3 and later.

Caution:

Even though the One Identity Safeguard for Privileged Sessions (SPS) web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11 and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Safeguard Desktop Player application. For details, see "Replaying audit trails in your browser" in the Administration Guide and the Safeguard Desktop Player User Guide.

NOTE:

SPS displays a warning message if your browser is not supported or JavaScript is disabled.

NOTE:

The minimum recommended screen resolution for viewing the One Identity Safeguard for Privileged Sessions (SPS) web interface is 1366 x 768 pixels on a 14-inch widescreen (standard 16:9 ratio) laptop screen. Screen sizes and screen resolutions that are equal to or above these values will guarantee an optimal display of the web interface.

Supported browsers

The current version of Mozilla Firefox and Google Chrome, Microsoft Edge, and Microsoft Internet Explorer 11 or newer. The browser must support TLS-encrypted HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

Supported operating systems

Windows 2008 Server, Windows 7, Windows 2012 Server, Windows 2012 R2 Server, Windows 8, Windows 8.1, Windows 10, Windows 2016, and Linux.

The SPS web interface can be accessed only using TLS-encryption and strong cipher algorithms.

Opening the web interface in multiple browser windows or tabs is not supported.
