[4.17] - May 16, 2023

Fortanix Data Security Manager (DSM) SaaS 4.17 comes with some exciting new features, general enhancements, improvements, and resolved issues.

  • This release is for SaaS only and not available for On-Prem installations.
  • If you are installing Fortanix DSM for the first time (fresh install), then the nodes should be at 5.4.0-26-generic, Kernel before installation.

1. New Functionality/Feature(s)

1.1 Support key rotation for GCP BYOK security objects (JIRA: PM-28):

This release adds support to rotate a GCP BYOK native key with another native key.


For more details refer to the User’s Guide: Google Cloud KMS.

2. Enhancements to Existing Features

  1. Improved the quorum approval request modal window for long request bodies (JIRA: ROFR-3953).

    The following improvements are made:

    • The dimension of the modal window for quorum approval requests is now bigger to view more content.
    • The toggle Enable line wrapping is added for line wrapping in the JSON viewer.


    For more details, refer to User’s Guide: Quorum Policy

  2. Warn about deletion of pending invites when email is updated for an account (JIRA: ROFR-3976).
    When updating the user’s email using the Profile settings in DSM, a warning will be displayed to tell the user that all pending account invites of the user will be removed.
  3. Enforce users with a password who have logged in to DSM with OAuth while verifying email to mandatorily log in with password (JIRA: ROFR-3944).


  4. Added support to allow only verified users to Quorum approval policy using REST API (JIRA: PROD-6082):.

    This release does not allow unverified users to be added to the Quorum approval policy using REST API. The UI to disallow unverified users in the Quorum approval policy will be supported in the upcoming DSM releases. Users with pending invites will not be allowed to be added as an approver in the Quorum approval policy.

    For more information, refer to the User’s Guide: Quorum Policy.

  5. The crypto/v1/derive API now supports a new HKDF derive key mechanism variant (JIRA: PROD-4137). 
    For more details, refer to Example Code: Deriving Security Object.

3. Other Improvements

  1. Added support for “first” in the BGP neighbor IP calculation method (JIRA: DEVOPS-3716).
  2. The logo in the SAML validator is now optional (JIRA: ROFR-4003).
  3. Only verified users can set up two-factor authentication and security code (JIRA: PROD-6080). For more details, refer to User’s Guide: Authentication and Authorization.

4. Integrations

5. Client Improvements

  • Added support for subjectaltName extension of type iPAddress in PKCS#10 Certification Request Plugin (JIRA: PROD-6254).
  • Updated the query enumeration tags in KMIP to avoid deserialization failure. (JIRA: PROD-6566).
  • Updated the CNG client to support CitriX FAS integration (JIRA: PROD-6719).

6. DSM-Accelerator Client Improvements

  • DSM-Accelerator JCE Provider:
  • DSM-Accelerator Webservice:
    • Added support to auto-delete keys from the cache based on TTL (JIRA: PROD-5640).
    • Added support for policy awareness for security objects in the DSM-Accelerator Webservice (JIRA: PROD-5648).
    • Added support for policy awareness for apps in the DSM-Accelerator Webservice (JIRA: PROD-5649).
    • Added app-based Effective Key Policy to Security Object Model (JIRA: PROD-6385).
    For more details, refer to Developer’s Guide: Fortanix DSM-Accelerator Webservice.
  • DSM-Accelerator Webservice:
    • Added Cache TTL support for DSM-Accelerator PKCS#11 library (JIRA: PROD-6534).
    For more details, refer to Developer’s Guide: Fortanix DSM-Accelerator PKCS#11 Client.

7. Terraform Provider Client Improvements

  • Added support for creating and updating Key Access Justification policy when creating security objects for Google Cloud EKM (JIRA: PROD-4928).

8. Bug Fixes

  • Fixed the following issues in the GCP BYOK key rotation feature (JIRA: ROFR-4056).
    • The check box Deactivate original key after rotation is now removed.
    • The Edit Parameters button for Key Type is now removed since GCP only supports AES 256 key type/size.
    • Removed Rotate to DSM key check box at the bottom left corner of the GCP Rotate Key dialog box since the feature is not supported.
  • Fixed an issue where the users were not able to add the reviewers in the Quorum policy and Key Custodian policy (JIRA: ROFR-4048).
  • Fixed an issue where creating an RSA showed a "Restrict key operations" modal window (JIRA: ROFR-4044).
  • Fixed an issue that resulted in a 404 error – page not found when accessing the security object table for a plugin (JIRA: ROFR-4042).
  • Fixed an issue in the Quorum approval policy Configuration where in “Advanced options” OR should be the default option selected instead of AND (JIRA: ROFR-4017).
  • Fixed an issue where after adding two-factor authentication, the user was unable to log in (JIRA: PROD-6606).
  • Fixed an issue where the UI sometimes sends old captcha tokens to the backend, resulting in a 500 error (JIRA: ROFR-4006).
  • Fixed an issue in two-factor authentication where the modal window was not closing after approving a task (JIRA: ROFR-4004).
  • Fixed an issue in the Salesforce easy wizard where the Instance status toggle was not getting disabled when clicked (JIRA: ROFR-3996).
  • Fixed an issue where the user was able to see the custom roles without enabling the Custom Roles flag in the System Administration settings (JIRA: ROFR-3992).
  • Fixed an issue where the Create group tutorial is shown even when you already have groups (JIRA: ROFR-3981).
  • Fixed an issue where an empty label or value can be saved in ATTRIBUTES/TAGS tab for custom attributes (JIRA: ROFR-3983).
  • Fixed an issue where the DSM UI does not support adding an existing plugin to a group when there is a quorum policy on the group (JIRA: ROFR-3977).
  • Fixed an issue where the user was unable to create an ECKCDSA key with default values (JIRA: ROFR-3974).
  • Fixed an issue where the user was getting a "Missing Cryptographic Policy in group" console error when clicking on the Apps page (JIRA: ROFR-3964).
  • Fixed an issue where the “Copy API key” changed to “View API Key Details” after creating the Admin app (JIRA: ROFR-3887).
  • Fixed an issue in DSM-Accelerator JCE where GCM, CCM, and OFB mode was not supported for AES encrypt or decrypt operation (JIRA: PROD-6022)
  • Fixed an issue where the DataTable states selected in the filter were not retained during a screen refresh (JIRA: ROFR-3233).
  • Fixed an issue where the Pending Changes message was not shown for a newly invited user (JIRA: ROFR-4047).
  • Fixed an issue that resulted in a "Token is invalid" message while validating the user's email in DSM (JIRA: ROFR-4016)
  • Fixed an issue where the Quorum approval request was not being shown when viewing the DSM app API key if the group with quorum approval policy has approvers as users and an application (JIRA: ROFR-3933).

9. Known Issues

  • The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).
  • Unable to create an app when a Custom Group Role has the Create Apps permission enabled (JIRA: PROD: 5764).
  • Adding a key rotation policy to schedule key rotation for GCP BYOK keys is not supported (JIRA: PROD: 6713).
    Workaround: You must manually rotate the key.
  • Rotating a GCP BYOK virtual key to a Fortanix DSM-backed key (Rotate to DSM key) is not supported (JIRA: PROD: 6722).
    You can manually copy the AES 256 key from a normal DSM group to a GCP-backed group.
  • The “Rotate linked key” feature does not work where a Fortanix DSM source key is rotated along with its linked keys by choosing the “Rotate linked keys” check box, where the linked key might belong to a GCP group in which case rotating linked key results in rotating the key in GCP as well as generating the new key in GCP (JIRA: ROFR: 4075).
    Workaround: You must first manually rotate the source key in the normal DSM group and then copy the rotated key to the GCP group.
  • Saving Google Workspace CSE configuration using easy wizard results in an error in the UI, but the corresponding API call succeeds, and the configuration is saved successfully (JIRA: ROFR: 4090). Workaround: Click Cancel to continue.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful