The Splunk forwarder is deprecated as of Safeguard for Privileged Sessions (SPS) 6.7 and will be removed in an upcoming release. One Identity recommends using the universal SIEM forwarder instead.
Pointing device biometrics - DEPRECATED: This feature is deprecated. Use the same option in Indexer Policies instead.
Typing biometrics - DEPRECATED: This feature is deprecated. Use the same option in Indexer Policies instead.
These arguments were deprecated because the target_host and target_server arguments could contain either a hostname or an IP address, so a plugin could not tell from the argument name which one it had received.
New arguments have now been added to the Authentication and Authorization and Credential Store plugins to replace the deprecated arguments. The new argument names explicitly define the values they contain. That is, a server_ip argument will always contain an IP address, and a server_hostname argument will always contain a hostname.
The deprecated arguments are the following:
Authentication and Authorization plugin: get_password_list and get_private_key_list input arguments:
target_username
target_host
target_port
target_domain
Credential Store plugin: authorize method:
target_server
target_port
target_username
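The following is an added example, not SPS product code or a documented plugin API: it shows how a plugin can keep working with both the deprecated, ambiguous target_server/target_host argument and the new explicit server_ip/server_hostname arguments. The only argument names taken from the release notes are those listed above; the normalize_arguments() helper and its dict-based calling convention are this example's own assumptions.

```python
"""Map deprecated SPS plugin arguments onto the explicit replacements.

Added illustration, not part of SPS or its plugin SDK. The deprecated
names (target_server, target_host, target_port, target_username,
target_domain) and the explicit names server_ip / server_hostname come
from the release notes; the helper functions below are hypothetical.
"""
import ipaddress


def classify_target(value):
    """Return ('ip', canonical) or ('hostname', lowercased) for a legacy value.

    The deprecated arguments could hold either form, so a plugin that has
    to know which one it got must classify the string itself. A bracketed
    IPv6 literal such as "[::1]" is accepted and unwrapped.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("empty target value")
    candidate = value.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    try:
        return "ip", str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    # Not an address: require a syntactically plausible hostname so that
    # malformed input is rejected instead of being passed on as a name.
    labels = candidate.rstrip(".").split(".")
    plausible = all(
        label and len(label) <= 63 and label.replace("-", "").isalnum()
        for label in labels
    )
    if not plausible or all(label.isdigit() for label in labels):
        raise ValueError(f"not an IP address or hostname: {value!r}")
    return "hostname", candidate.lower()


def normalize_arguments(args):
    """Translate a dict of plugin arguments to the explicit naming scheme.

    The new keys win when present. Otherwise server_ip or server_hostname
    is derived from the deprecated target_server / target_host value, which
    is always removed from the result. Port, username and domain arguments
    are passed through unchanged.
    """
    result = dict(args)
    legacy_server = result.pop("target_server", None)
    legacy_host = result.pop("target_host", None)
    legacy = legacy_server or legacy_host
    if "server_ip" in result or "server_hostname" in result or legacy is None:
        return result
    kind, canonical = classify_target(legacy)
    result["server_ip" if kind == "ip" else "server_hostname"] = canonical
    return result
```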
The following is a list of issues addressed in this release.
Resolved Issue | Issue ID |
---|---|
Resolving SPS IP address in content subchapter configuration has been fixed. To display links to sessions recorded by SPS in reports, the IP address of the SPS appliance has to be resolved and presented in the content subchapter configuration. Previously, it was always the physical address of the default network interface (eth0) that was used as the IP address of SPS, which in rare cases, when a customer configured and used another network interface to access SPS, caused an error during the presentation of the subchapter configuration. This issue has been fixed by using the first available SPS IP address from Basic Settings > Local Services > Web Login (Admin and User), which always points to a valid and usable IP address. | PAM-14500 |
Backward compatibility issue in custom subchapter configuration change has been fixed. To display tables without row numbers in SPS reports, the custom subchapter configuration had to be modified. This modification added a new chart type for tables without row numbers. However, backward compatibility with older subchapter configurations was not addressed properly, which caused an error during firmware upgrade. This has been fixed, and previously created subchapter configurations can be used as well. | PAM-14495 |
RDP connections through SPS failed to authenticate with target user names present in multiple domains. SPS did not forward the domain name information properly when authenticating to remote desktop servers with Network Level Authentication. This caused connection issues if the username did not uniquely identify a target user. This issue has been fixed. | PAM-14493 |
Resolved Issue | Issue ID |
---|---|
RDP connection setup was unreliable with long user names. Initiating Remote Desktop connections with user names longer than 128 characters was unreliable: the client either connected without issues or showed an error dialog right after trying to start the connection. Sessions initiated from Safeguard for Privileged Passwords use long user names and were affected. The issue in the Remote Desktop Protocol implementation has been fixed, and connection setup is now reliable with long user names as well. | PAM-14281 |
Resolved Issue | Issue ID |
---|---|
Incorrect parsing of inband data with down-level usernames in RDP. When using down-level usernames containing key-value pairs in the form DOMAIN\key1~value1%username, the domain name was not parsed properly, leading to issues with configurations for the AA plugins. This has been fixed. | PAM-14200 |
Resolved Issue | Issue ID |
---|---|
The SPS RDP proxy terminated abruptly when trying to copy more than 8192 files over the clipboard. When trying to copy more than 8192 files over the clipboard redirection of a Remote Desktop Protocol connection, the SPS proxy handling the connection terminated abruptly. This limit was too low; therefore, it has been increased to 32768 files, and the proxy now properly reports an error and does not terminate abruptly. | PAM-13896 |
Hardened GRUB password hash generation. Fixed a potential security issue where the appliance generated a GRUB password hash without proper salting and with insufficient HMAC iterations. Details of the new password hash: PBKDF2-SHA512, 300000 iterations, 32 bytes of cryptographically secure random salt. | PAM-13891 |
SPS did not properly handle the domain name autologon suffix on the interactive interface. When handling autologon credentials, SPS did not properly remove the domain name autologon suffix on the interactive interface, which led to credentials not being looked up properly for the automatic logon. This has been fixed. | PAM-13804 |
The missing host key for "scb-other" has been added to the configuration to prevent the administrator from having to manually verify host keys when navigating between HA nodes. When the administrator attempted to log in to the HA pair from an SPS node, host key verification was left to the administrator. This was caused by the missing key value for the "scb-other" hostname. However, it worked correctly when the IP addresses or the "scb1" or "scb2" hostnames were used specifically. This fix makes the login easier and more convenient by allowing the use of the "scb-other" hostname, regardless of the current node allocation. The "scb-other" hostname can be used to SSH from any of the nodes because the related host key is already known by the originating SSH client. | PAM-13773 |
If the SNMP service was enabled in Local Services, the disk-related information was not included. If the SNMP service is enabled in Local Services, disk-related information, such as free space and total capacity, is now reported when the SNMP server is queried. | PAM-13741 |
The HTTP service aborted with "Fatal Python error: deallocating None". Under certain circumstances, the HTTP proxy on SPS printed "Fatal Python error: deallocating None" to the logs and aborted while generating a core dump. The underlying reference counting issue has been fixed. | PAM-13727 |
The GSSAPI gateway authentication could be skipped in some SSH connections. The authentication state machine in the SPS SSH proxy contained an error that could be used to skip the actual GSSAPI authentication of the client and go on with connecting to the server. This has been fixed. | PAM-13715 |
The UI needed all private keys to decrypt screenshots. The user was unable to decrypt screenshots with one key because the UI did not handle the 'OR' and 'AND' relationships between encryption certificates in screenshot decryption. This issue has been fixed. | PAM-13627 |
The Session Timeline page contents filter was not linkable. The Session Timeline page contents filter was not linkable, which caused a redirection to the 'All' filter. | PAM-13626 |
Structured information in the xcbLoginFailure SNMP trap. The xcbLoginFailure SNMP trap was emitted with all the information in the description field. According to the relevant MIB object definition, the following should be in separate fields: description, username, peerAddress. This has been corrected. | PAM-13606 |
On the refactored Vault /SPP/ details page, there was no `Back to search` option. There was no `Back to search` option on the refactored vault details page. This is now fixed, and it is consistent with a basic session details page. | PAM-13604 |
SPS was logging a Python backtrace if the DNS lookup for the target name of an SSH server failed. The SSH proxy of SPS was missing an additional check, which led to a Python traceback being printed in the log. This has been fixed. | PAM-13597 |
The search query input field on the refactored subchapter create side-sheet was not able to fully display long search queries. The input field was changed to a bigger text area with dynamic height. | PAM-13594 |
SSH connections aborted after receiving an incorrectly encoded keyboard-interactive response. The SSH proxy on SPS did not properly handle non-UTF-8 input in keyboard-interactive authentication responses. Receiving such a value caused the process to abort, terminated all running SSH sessions, and generated a core file. This has been fixed. | PAM-13550 |
Unwanted exceptions no longer appear in the logs when internal services are unavailable during SNMP-related email sending. Rarely, it can happen that SNMP traps are sent before the whole system has completely booted. In these cases, if the system is configured to send SNMP traps in email, the business logic could attempt to connect to the internal service responsible for email sending before that service was started and waiting for emails to deliver. The change prepares the sending part for these cases and ensures that email sending is more reliable, even in these corner cases. | PAM-13541 |
Fixed wording issues reported on the cluster management page. Wording issues reported on the cluster management page were fixed. | PAM-13522 |
Sometimes, the search field did not suggest fields based on the input text. This issue has been fixed. | PAM-13519 |
Subchapter needed to be reloaded after renaming. After a subchapter was renamed, the name was not refreshed automatically; the whole page had to be refreshed. This issue has been fixed. | PAM-13485 |
Although the user had edit rights for the PCI-DSS report, the user was unable to edit the PCI-DSS report. The problem was that PCI-DSS report creation was not based on the rights for PCI-DSS, but on the rights for editing custom reports. This is now fixed: the permission is separated on the report page. | PAM-13459 |
The chapter name must be unique. Previously, if a chapter name was not unique, the server responded with error 500 when the user tried to commit the duplicate chapter name. The error 500 message was not informative enough for users. This issue has been corrected. Now, if a user enters a chapter name that is not unique, the 'Chapter name must be unique' error message is displayed in the form, below the Chapter name field. | PAM-13451 |
Fixed the image download problem in IE11. Previously, a user was unable to download a screenshot in IE11. With this fix, a picture can now be downloaded or opened from the timeline tab of the session. | PAM-13447 |
SPS was logging a Python backtrace if a DNS lookup for the target name of a Telnet server failed. The Telnet proxy of SPS was missing an additional check, which led to a Python traceback being printed in the log. This has been fixed. | PAM-13445 |
There was no information on the cluster status page when the feature was disabled. The cluster page was empty when the feature was disabled. This issue has been fixed. | PAM-13411 |
The trust store delete error message was not understandable. The error message has been fixed. | PAM-13370 |
Automatic reconnection to an RDP session after network issues failed in certain SPS configurations. If the interactive RDP interface of SPS was in use, automatic reconnection to RDP sessions did not work and logged a Python traceback. This has been fixed: no traceback is printed in the log, and reconnection is possible if it is done within 10 seconds. | PAM-13318 |
Download reports header misalignment in Internet Explorer 11. The reports download page header was misaligned in Internet Explorer 11, which caused usability issues. This issue has been fixed. | PAM-13299 |
Events are no longer saved to metadb and sent to the portal. Events are no longer saved to metadb and sent to the portal from Zorp using content policies; instead, SPS relies on the indexers. To achieve near-real-time behavior, make sure to enable indexing with near-real-time priority for the affected connections. Alerts are still handled in the same way as before. | PAM-13056 |
Inconsistent memory reporting on the Web UI and the REST API. The REST API and the Web UI used slightly different metrics to report the available free memory on the system. The /api/health-status endpoint of the REST API has been extended to provide additional details about the system, such as processor usage and various memory figures (check the documentation for details). The Web UI in turn has been changed to use the same metrics as the Health Status API. Note that SNMP alerts still use slightly different metrics when calculating the available free memory, as the calculation algorithm is fixed in the definition of the message. Also, the figures reported show a snapshot of the different usage metrics; the actual resource consumption may change more rapidly than it is possible to report. | PAM-13012 |
On the SSH Keys page, the filter disabled adding new items. It was not possible to add a new SSH host key when the filter was on. This issue has been fixed. | PAM-12964 |
When a keystore was set up, on IE11, the screenshots were in an endless loading state. The user was unable to unlock the keystore with the given credentials because of the endless loading. This has been resolved in IE11; the lock and unlock methods are now displayed correctly. | PAM-12949 |
Possible RDP connection failure when a TLS certificate with an RSA key greater than 2048 bits is configured. When "Use the same certificate for each connection" was configured for an RDP connection policy with TLS enabled, and the uploaded RSA private key was greater than 2048 bits, an error could occur in the licensing protocol and cause the client to terminate the connection. This has been fixed: licensing no longer depends on the TLS certificate. | PAM-12751 |
Documentation links fixed. Some of the documentation links on the web interface pointed to an invalid site. This has been fixed. | PAM-12583 |
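The following is an added example, not SPS product code: it generates a GRUB password hash with the parameters named in PAM-13891 (PBKDF2-SHA512, 300000 iterations, 32 bytes of CSPRNG salt) in the textual form that GRUB's grub-mkpasswd-pbkdf2 emits, verifies a password against it in constant time, and audits a stored entry for the weaknesses the fix addressed (too few iterations, missing or short salt). The policy thresholds in check_policy() are this example's own assumptions.

```python
"""Generate, verify and audit GRUB-style PBKDF2-SHA512 password hashes.

Added illustration, not SPS code. Entry format, as produced by GRUB's
grub-mkpasswd-pbkdf2 and consumed by password_pbkdf2 in grub.cfg:
    grub.pbkdf2.sha512.<iterations>.<salt hex>.<digest hex>
"""
import hashlib
import hmac
import secrets

# Parameters from the release note (iterations and salt length); the
# 64-byte derived key matches the SHA-512 digest length GRUB uses.
ITERATIONS = 300_000
SALT_BYTES = 32
KEY_BYTES = 64


def make_grub_hash(password, iterations=ITERATIONS, salt=None):
    """Return a grub.pbkdf2.sha512 entry for the given password string."""
    if salt is None:
        # Fresh salt from the OS CSPRNG; a fixed or empty salt is the
        # "improper salting" the release note refers to.
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def parse_grub_hash(entry):
    """Split an entry into (iterations, salt bytes, digest bytes)."""
    parts = entry.strip().split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 entry")
    iterations = int(parts[3])
    if iterations <= 0:
        raise ValueError("iteration count must be positive")
    return iterations, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def verify_grub_hash(entry, password):
    """Recompute the digest and compare it in constant time."""
    iterations, salt, digest = parse_grub_hash(entry)
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=len(digest)
    )
    return hmac.compare_digest(candidate, digest)


def check_policy(entry, min_iterations=ITERATIONS, min_salt_bytes=SALT_BYTES):
    """Return a list of findings for a stored entry; an empty list means OK.

    This is the audit that would have flagged a pre-fix hash: an iteration
    count below the minimum, or a salt that is absent or too short.
    """
    iterations, salt, _ = parse_grub_hash(entry)
    findings = []
    if iterations < min_iterations:
        findings.append(f"iterations {iterations} below minimum {min_iterations}")
    if len(salt) < min_salt_bytes:
        findings.append(f"salt {len(salt)} bytes below minimum {min_salt_bytes}")
    return findings
```

Running check_policy() over the password_pbkdf2 entries of an appliance's grub.cfg is a cheap way to confirm that regenerated hashes actually carry the announced parameters.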
Resolved Issue | Issue ID |
---|---|
The displayed ZAT/ZATX date no longer contains the timezone of the host. The date information is now displayed in the same way on every platform and does not contain the timezone information of the host. The localized names of the day and month are in short form and use the system language. | PAM-12589 |
SDP did not work on macOS Big Sur beta. From now on, SDP requires macOS Catalina (10.15) or newer. | PAM-13039 |
TN3270 has been extended with new codecs. TN3270 now correctly parses the EBCDIC 835, 937, 939, 947, and 964 codecs. | PAM-12614 |
Resolved Issue | Issue ID |
---|---|
SPS now supports certificate chains with keys other than RSA/DSA. When a certificate chain is uploaded (for example, as the web server certificate), SPS verifies that the entire certificate chain is valid. A certificate chain is considered valid if it does not include weak certificates and a trust relationship exists between them. Previously, certificate chain validation worked only for certificates that had RSA and DSA public keys. Other chains were rejected with a No such digest method error message. This issue is now fixed so that every certificate chain that can be verified by OpenSSL 1.1.1 is accepted. | PAM-13154 |
Fixed memory leak during HTTP WebSocket connections. Previously, a memory leak could occur during audit-enabled HTTP WebSocket connections under certain conditions. This issue is now fixed. | PAM-13086 |
Fixed screenshot preview reload issues on the Events tab of the Search interface with the introduction of the new Timeline tab. Previously, recorded screenshots sometimes unexpectedly reloaded on the Search > Events tab. This issue has been fixed following the introduction of the new Timeline tab, superseding the former Events, Alerts and Contents tabs. | PAM-13079 |
Fixed an issue resulting in the Search > Details tab showing an invalid indexing status for certain sessions. Previously, when configuring a connection policy without indexing, the Search > Details tab could show an invalid indexing status for some sessions of the connection (namely, showing the Auditing not enabled message instead of Session indexing not required in the Indexing status field). This issue is now fixed to ensure that the Indexing status field always shows the correct monitoring information for each session. | PAM-13040 |
Fixed a potential Permission denied error on the Sessions > Details > Analytics tab. Previously, if you tried opening the Analytics tab of a session in Sessions > Details with a user that belonged to a user group with a specific set of permissions, you could receive a Permission denied error, preventing you from checking the contents of the Analytics tab. This issue has been fixed so that the Analytics tab appears only if your user has the proper permissions to access it. | PAM-13014 |
Fixed an issue where the user interface sometimes remained interactable while a commit was in progress. In certain cases, it could happen that the SPS UI remained interactable while a configuration change commit was in progress. This has been fixed by adding an overlay to the UI that prevents navigation while the commit is in progress. | PAM-12786 |
The password of the admin user can now be changed over the REST API when using an LDAP user database. Previously, when an LDAP user database was configured, you could not change the password of the admin user via the REST API. This has been fixed by having the admin user always authenticated locally, so you can always change its password, even when an LDAP user database is configured. NOTE: Changing the password of normal users is still not supported in such cases. | PAM-12706 |
Improved application proxy and message queuing data collection. The data collection process related to the internal application proxy and the message queuing subsystem has been improved to provide deeper insight for SPS product experts for troubleshooting. The collected data is available in the generated support bundle. | PAM-12686 |
Added rollback feature to firmware update process. To make the firmware update process more fault-tolerant, the procedure has been enhanced with a rollback feature. The rollback feature restores the original firmware if the firmware update procedure fails on any node of a High Availability SPS cluster. | PAM-12681 |
Fixed an issue where the Unsaved changes popup dialog prevented automatic logout in case of an idle session. SPS has an automatic logout feature that closes the user login session if no user interaction is detected for 5 minutes. However, previously, if the Unsaved changes popup dialog remained open, it prevented the automatic logout popup dialog from appearing and then closing the idle session. This has been fixed so that idle sessions are now automatically logged out, even if the Unsaved changes popup dialog is also open. | PAM-12588 |
Fixed the aspect ratio of screenshots in the Search interface on Internet Explorer 11 browsers. Previously, the screenshots shown on the former Contents tab of the Search interface could appear with an incorrect aspect ratio when using Internet Explorer 11. This has been fixed so that captured screenshots now always appear with the correct aspect ratio on the new Timeline tab of the Search interface. | PAM-12529 |
Python tracebacks are now immediately printed to the log. Zorp processes print tracebacks into the log for certain error types that provide detailed information about the error. However, in some cases, these tracebacks were not printed until the Zorp process was stopped. This issue is now fixed, so tracebacks are now logged immediately. | PAM-12359 |
Removed a harmless error message that could occur when executing large archiving jobs concurrently. When an archive job affected a large amount of data, it could occur that multiple archive processes worked on the same directory. In certain cases, when these processes handled the existence and creation of specific directories in parallel, a race condition could occur, resulting in a Failed to create archive directory error message when the processes attempted to create the directories the second time. This error message was then logged and (depending on the active configuration) could be sent out in an e-mail or as an SNMP alert. To solve this issue, One Identity increased the robustness of directory checking and creation in this release. | PAM-12344 |
Fixed the unnecessary horizontal scroll of the Basic System > Network page. Previously, the Basic System > Network page was always scrollable horizontally, even if the contents of the page were completely visible. This has been fixed so that horizontal scrolling is enabled only if the contents of the screen do not fit the size of the browser window. | PAM-11709 |
Linking a Safeguard for Privileged Passwords (SPP) node to SPS now redirects to the new SPS UI. Previously, when linking an SPP node to SPS via the Cluster management settings, the redirect URL loaded the old SPS UI once the SPP node sent the authentication information to SPS. This is now fixed, so once SPP has been linked to SPS, the current SPS UI loads. | PAM-11707 |
Fixed an internal error that could occur when opening the User Menu > Private Keystore tab after configuring a new passphrase. When you created a new passphrase in the User Menu > Private Keystore tab, it could occur that reopening the Private Keystore tab after logging out and logging in again resulted in a Passphrase Invalid error message. Reloading the last page or the main page then redirected to the old UI. This issue is now fixed with the redesign of the User Menu. | PAM-11476 |
Fixed the issue of clicking Go back on the Search interface clearing the configured search filters or opening the page you visited before the Search interface. When you checked session data on the Search interface with custom filters (such as a date range or a search expression) configured, it could occur that opening the details of a session with the Details button and then clicking the Go back button resulted either in the filter settings being reset, or in opening the UI page that you visited before opening the Search interface. This issue has been fixed with the redesign of the Search interface, and the Go back button has also been renamed to Search results. | PAM-11256 |
Fixed interference between the Go back button of the SPS UI and the Back button of the web browser. When checking the details of the sessions listed in the Search > Details page, it could occur that clicking the Go back button on the Details page opened the Details page of the previously viewed session instead of going back to the Search interface. This scenario happened if you previously navigated from the Details page of the previous session back to the Search interface with the Back button of the web browser instead of the Go back button of the SPS UI. This issue has been fixed with the redesign of the Search interface, so that clicking the Back button of the browser no longer interferes with the Go back button of SPS (now known as Search results). | PAM-10283 |
Fixed the Generate video (now known as Start rendering) button missing from the Search > Details page for SSH connections with a Session exec channel type. Previously, when opening the Details page of an SSH session on the Search interface, the Generate video button was missing for SSH sessions with a Session exec channel type. This has now been fixed, so that the button (now known as Start rendering) always appears for such channels if they have renderable content. | PAM-10245 |
Fixed an issue with the drop-down filter combo boxes on the Search interface being reset after clicking Go back on the Details page of a session. Previously, when setting up a Simplified Search via drop-down combo boxes, the configured combo boxes were reset to their default empty state after you clicked Go back on the Details page of a selected session. This has been fixed with the redesign of the Search interface, so opening the Details page of a session and then returning to the Search interface with the Search results button no longer resets the configured search filters. | PAM-10212 |
Fixed misleading search bar in the Details page of the Search interface. Previously, when checking the details of a session in the Search interface by clicking the Details button of a session, opening the Contents tab showed a content search bar, even if the session contained no searchable content (for example, because of lightweight indexing or the lack of any audit trails). This issue has been fixed during the redesign of the Search interface: now the new Search > Details > Timeline tab displays a No results found message if no searchable content is available for the selected session. | PAM-9890 |
Changing RDP domain membership settings over REST API did not persist. You can configure RDP domain membership over the REST API, except for actually joining the domain. When you changed RDP domain membership using the REST API and committed the changes, the configuration was applied. However, it was not persisted, which resulted in reverting to the previous RDP domain settings shortly thereafter, for example after committing changes on the web UI. This has been fixed, so that changing RDP domain membership settings on the REST API now properly persists. NOTE: Joining the domain using the REST API is still not supported. | PAM-4827 |
Fixed the IPv6 Add button of the Basic Settings > Network > Routing table setting not being visible in lower screen resolutions. Previously, when opening the SPS UI on screens using a resolution width of 1024 pixels (for example, 1024x768), the Add button of the IPv6 routing settings in Basic Settings > Network > Routing Table was not visible. The Routing Table interface has been modified to resolve this problem. | PAM-4779 |
Fixed text wrapping to make tables in PDF reports always fit the page. Previously, when generating PDF reports in Reporting > Create & Manage Reports, it could occur that the tables in the report PDF downloaded via Reporting > Download Reports did not fit the page and were truncated. This has been fixed by wrapping the text in the tables, ensuring that their content fits the page of the PDF document. | PAM-3364 |
The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.
Known Issue |
---|
The Safeguard Desktop Player has rendering issues with faulty OpenGL drivers on Windows, for example, when running a Windows 10 guest on a Linux host (VirtualBox). This only affects the Windows version and mostly virtual environments; the root cause is the faulty OpenGL driver. A quick workaround is to set QT_OPENGL=angle as a system-wide environment variable. |
Related to Safeguard for Privileged Passwords (SPP): You cannot use Safeguard Desktop Player version 1.10.11 to replay audit trails initiated from SPP. Use Safeguard Desktop Player 1.9.27 instead. |
Before installing SPS 6.9.3, ensure that your system meets the following minimum hardware and software requirements.
The One Identity Safeguard for Privileged Sessions Appliance is built specifically for use only with the One Identity Safeguard for Privileged Sessions software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
For the requirements about installing One Identity Safeguard for Privileged Sessions as a virtual appliance, see one of the following documents:
NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.