[4.19] - July 02, 2023

Fortanix Data Security Manager (DSM) 4.19 comes with some exciting new features, improvements, and resolved issues.

This release is superseded by September 09, 2023, release.

1. New Features

1. Added Single Sign-On support for System Administration accounts(JIRA: ROFR-3094)
   This release adds support for configuring the following SSO integrations in DSM:
   • SAML
   • OAUTH
   • LDAP
   For more details, refer to System Administration Settings: Authentication.

2. Enhancements to Existing Features

1. Added UUID validation for Client ID in the “OAuth Client” Configuration section under the System Administration Policies settings page (JIRA: ROFR-4082).
2. Disabled linked and copied security objects that belong to external HSM or external KMS groups other than AWS and Azure from the list for the “Rotate linked keys” feature (JIRA: ROFR-4141)
3. Added support to display the “Total number of DSM applications created” on the System Administration Accounts detailed view (JIRA: ROFR-4120).

3. Other Improvements

• Implemented a generic Batch API to call multiple APIs in sequence (JIRA: PROD-6589).
  • Added audit logs for all the APIs under the Generic Batch API (JIRA: PROD-3991).
• Added support to package and install nvmupdate64e in the Fortanix DSM installer (JIRA: DEVOPS-3969).
• Improved precheck procedure to be performed before the DSM software upgrade (JIRA: DEVOPS-4052). For more details, refer to the Fortanix DSM Software Upgrade Manual Prechecks guide.
• Disallowed accidentally sending sensitive user data through the EmailReverfication form (JIRA: ROFR-4170).
• The Sensu monitoring server artifacts are now updated with containerd (JIRA: DEVOPS-3834).
• Improved audit log purging by making it more robust (JIRA: PROD-5921).
• Added support to configure the prompt value for OAuth using the DSM REST API (JIRA: PROD-5726).
• Added email confirmation for self-provisioning in the System Administration settings if the email was not already verified (JIRA: PROD-4609).
• Added support for “first” in the BGP neighbor IP calculation method (JIRA: DEVOPS-3716).
• With the 4.19 release, for new customers setting up Google CSE integration, all users who are invited to use the CSE feature must accept the Fortanix DSM account invitation and verify their email address. This restriction is temporary and will be removed in a future release (JIRA: PROD-6752).
  NOTE

  For existing customers using the Google CSE Workspace feature, users need not verify their email address to use this feature.

4. Integrations

• Implemented procedural verification of key-pair origin and provenance (JIRA: PROD-6758). For more details, refer to Fortanix DSM for Verification of Key Pair Origin and Provenance.
• Added support for DSM with Venafi – Keyless TLS integration (JIRA: EXTREQ-697). For more details, refer to Fortanix DSM with Venafi -Keyless TLS guide.
• Added support for DSM with Keyfactor IIS Orchestrator integration (JIRA: EXTREQ-421). For more details, refer to Fortanix DSM with Keyfactor IIS Orchestrator guide.
• Added support for DSM with Microsoft SQL Server TDE Always Encrypted Database (JIRA: PROD-6350). For more details, refer to Fortanix DSM with Microsoft SQL Server – Always Encrypted.

5. Client Enhancements

• Added support for the FF1 format-preserving encryption mode for tokenization in the DSM JCE Provider (JIRA: PROD-6869). For more details, refer to Developer’s Guide: Client - JCE Provider.
• Added support for adding IP addresses in PKCS#11 configuration for api_endpoint (JIRA: PROD-6684).
• Published the Microsoft CNG/EKM Provider client (Windows 32-bit Installer) (JIRA: PROD-6714). For more details, click here.
• Added support for verifying signatures in Windows CNG client (JIRA: PROD-6921).

6. DSM Accelerator Enhancements

• DSM-Accelerator JCE Provider:
  • Added support for the FF1 format-preserving encryption mode for tokenization in the DSM-Accelerator JCE Provider (JIRA: PROD-6869). 
  • Improved log messages for detailed logging of encryption and decryption operations in the DSM-Accelerator JCE Provider (JIRA: PM-12).
  For more details, refer to Developer's Guide: DSM-Accelerator JCE Provider.
• DSM-Accelerator Webservice:
  • Added Guidelines to persist logs for DSM-Accelerator Webservice (JIRA: PROD-5641). For more details, refer to the Administration Guide: Fortanix DSM-Accelerator Webservice External logging Setup Guide.
  • Improved log messages for detailed logging of encryption and decryption operations in the DSM-Accelerator Webservice (JIRA: PM-12).
  • Added support for Batch Sign and Batch Verify operations in DSM-Accelerator Webservice (JIRA: PROD-6849).
  For more details, refer to Developer's Guide: DSM-Accelerator Webservice.
• DSM-Accelerator PKCS#11:
  • Improved log messages for detailed logging of encryption and decryption operations in the DSM-Accelerator PKCS#11 (JIRA: PM-12).
  For more details, refer to Developer's Guide: DSM-Accelerator PKCS#11.

7. Quality Enhancements/Updates

• Moved to cert manager and deployed on Kubernetes 1.21.14 (JIRA: DEVOPS-3586). For post-upgrade checks after migrating to cert manager, refer to Fortanix DSM post-upgrade checks guide

8. Bug Fixes

• Fixed an issue in the System Administration Settings -> Policies page where empty text field validation was performed for each key press (JIRA: ROFR-4127).
• Fixed an issue where the System Administration Settings -> Accounts page did not list any accounts (JIRA: ROFR-4125).
• Fixed an issue in the System Administration Settings -> Policies -> Minimum password length section where setting the values for Max sequence and Max repetition was not shown after saving (JIRA: ROFR-4076).
• Fixed an issue where rotating the Kubernetes certificates within the cluster failed (JIRA: DEVOPS-3995).
• Fixed the user lockout issue that occurs when there are many parallel requests (JIRA: PROD-6712).
• Fixed an issue where the sdkms-cluster remove command took a long time to execute (JIRA: DEVOPS-3787).
• Fixed an issue where the GET operation for KMIP fails for HMAC keys (JIRA: PROD-5518).
• Fixed a page crash when users or groups are filtered by their Description field (JIRA: ROFR-4218).
• Updated the auto-generated Cassandra Cert-Manager CA validity period from 90 days to 10 years (JIRA: DEVOPS-4046).
• Fixed an issue where AuditLogTime API had an incorrect example in the Open API output (JIRA: PROD-6998).
• Fixed a page crash in the “Add application” flow when selecting the option “Set app secret key size” (JIRA: ROFR-4194).
• Fixed an issue where self-provisioned users did not need to be verified to join a DSM account when user verification was required (JIRA: PROD-6943).
• Fixed an issue where the style of the pagination component was broken in the Security Objects table (JIRA: ROFR-4180).
• Fixed an issue where new DSM account creation failed after selecting an expired DSM SaaS Trial account (JIRA: PROD-6891).
• Fixed an issue where creating a security object of type EC in an existing FIPS-backed group showed the curve type as “(Unknown)” (JIRA: ROFR-4166).
• Fixed an issue on the Security Object list page where the text "Please enter a valid value" was not going away after removing the invalid value for search parameters such as Elliptic Curve, UUID, State, and so on. (JIRA: ROFR-4162).
• Fixed an issue where, after creating a security object with an Azure Tag, there was no edit button to modify the Azure Tag (JIRA: ROFR-4159).
• Fixed an issue in the user’s profile page where the message "When changing your email, all of your pending account invites will be removed." was shown even when email confirmation was not enforced (JIRA: ROFR-4157).
• Fixed an issue where after creating a Snowflake integration using the easy wizard, the “View API Key Details” button label did not change to “Copy API Key” (JIRA: ROFR-4145).
• Fixed an issue where the System Administration Settings -> Policies -> Security parameters: HTTP Strict Transport Security (HSTS) field was shown as selected even when it was disabled (JIRA: ROFR-4132).
• Fixed an issue where the disabled toggle in the Email Configuration shows as "Email enabled" (JIRA: ROFR-4128).
• Fixed an issue where System Administration Settings -> Policies -> Email Validation Policies were not shown after saving (JIRA: ROFR-4123).
• Improved the description that appears when the user hovers their mouse pointer over an HSM/KMS group icon in the Copy Key modal window when copying a key from the HSM group to an HSM/External KMS group (JIRA: ROFR-4122).
• Improved the tooltip that appears when the user hovers their mouse pointer over an HSM/KMS group icon in the Groups table (JIRA: ROFR-4121).
• Fixed an issue when deactivating the key where the CPU utilization was showing 100% for the Cassandra process (JIRA: PROD-6788).
• Fixed an issue where the DSM backend incorrectly normalizes audit log range queries (JIRA: PROD-6759).
• Fixed a “Failed to load items” error that was briefly displayed when moving from the Security Objects page to the System Administration Settings page (JIRA: ROFR-4079).
• Fixed an issue where the user was able to add unverified users to the account Quorum approval policy (JIRA: PROD-6708).
• Fixed an issue where the editing or adding an alias in AWS for a DSM-managed AWS key did not replicate that addition or update to DSM (JIRA: ROFR-4063).
• Fixed an issue where multiple users could be created with e-mail addresses that should normalize to the same value (for example: differed only in uppercase/lowercase letters) (JIRA: PROD-6594).
• Fixed an issue where reusing the same CAPTCHA for signup resulted in a 500 error instead of a 400-range error. Reusing prior CAPTCHA response information is not supported (JIRA: PROD-6536).
• Fixed an issue where during an upgrade to DSM version 4.18, the first deploy pod goes to error state (JIRA: DEVOPS-4008).
• Fixed an issue where users were unable to confirm their email during the email verification workflow (JIRA: ROFR-4243).
• • Fixed a multi-factor authentication (MFA) issue for devices registered before July 2022 (JIRA: SOPS-255).

9. Known Issues

• The sync key API returns a “400 status code and response error” if its short-term access token expires during synchronization of a group linked to AWS KMS (JIRA: PROD-3903). Workaround: increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
• exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD: 3311).
• Unable to create an app when a Custom Group Role has the Create Apps permission enabled. This affects users who need to create App or Plugin entries (JIRA: PROD: 5764). Workaround: use the predefined Administrative User definition under Settings.
• Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD: 6722).
  Workaround: You can manually copy the AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
• The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
  Workaround: You must first manually rotate the source key in the normal DSM group and then copy the rotated key to the GCP group.
• An Azure Managed HSM external KMS group now also allows the following security object types to be generated or imported. But the Bring Your Own Key (BYOK) and rotate key functionality does not work for these security object types (JIRA: ROFR: 4192).
  • EC
  • AES 128 and AES 192
  Workaround: Do not generate or import security objects of type EC, AES 128, and AES 192 in an external KMS group of type Azure Managed HSM since the only allowed security object  types for an Azure key generated using the Generate or Import key workflows are:
  • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
  • AES 256
• The following security object types are not supported in Azure Managed HSM external KMS groups (JIRA: ROFR: 4187).
  • DES
  • DES3
  • EC-KCDSA
  Workaround: Do not generate or import security objects of type EC-KCDSA, DES, or DES3 in an external KMS group of type Azure Managed HSM since the only allowed security object types for an Azure key generated using the Generate or Import key workflows are:
  • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
  • AES 256
• If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD: 6947).
  Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
• Unable to add Custom Attributes for a Fortanix DSM security object from its detailed view (JIRA: ROFR-4252).
  
  • Clicking the ADD CUSTOM ATTRIBUTE button does not load the Label and Value fields.
    Workaround: Click the drop down for the “Custom attributes” section twice to load the Label and Value fields.
  • When you type a label of the custom attribute, the text box loses focus.
    Workaround: Enter the label of the custom attribute again for the second time to add the custom attribute successfully.
• Increasing the “Retention period for Audit Logs” setting at the account level duplicates the “purge audit log” message in the audit logs (JIRA: PROD-7031).
• Users will see the "Not a HSM group" error message while deleting the HSM/KMS group from the FIPS-backed group (JIRA: ROFR-4245).
• The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
• The AWS Key Policy section alignment moved from the bottom of the security object detailed view to the right side of the page. This is a cosmetic issue only (JIRA: ROFR-4241).
• Users without two-factor authentication do not see the pop-up message “Unable to select this account. Reason: Two-factor authentication is required for this operation” when they select an account that has two-factor authentication configured (JIRA: ROFR-4238).
• The retry mechanism does not work as expected in the DSM-Accelerator Webservice (JIRA: PROD-7068).
• No error is displayed when the password length is specified as less than 8 digits in the System Administration Settings -> Minimum password length section (JIRA: ROFR-4234).
• The SUBMIT button is not disabled when no Security Objects are selected or all security objects are in a disabled state and the user checks the Rotate linked key check box (JIRA: ROFR-4233).
• When hovering over a security object row in the SECURITY OBJECTS tab in the group detailed view, the blue row selection indicator appears too close to the check box for the row (JIRA: ROFR-4232).
• The UI labels in the System Administrator Settings -> Tasks page are overlapping without the correct alignment (JIRA: ROFR-4231).
• The SAVE CHANGES button at the bottom of the System Administration Settings -> Email page is disabled even when a value is provided for the field Email for subscription update notifications (JIRA: ROFR-4229).
• The Stats API GET operation does not get the “Total Operations” count correctly (JIRA: PROD-7041).
• Quoted special characters (for example, spaces) in e-mail addresses are not recognized in the search bar on the System Administration Settings -> Users page (JIRA: ROFR-4226).
• After editing and saving the System Administration Settings -> Policies page with the HSTS value disabled, the HSTS value still shows as enabled after the save (JIRA: ROFR-4223).
• When the Batch Sign operation is performed for Curve Ed25519/X25519 in DSM-Accelerator Webservice, the status code is showing as 500 instead of 400 (JIRA: PROD-7007).
• The style of the DELETE SELECTED, ENABLE LOGGING, DISABLE LOGGING, DESTROY SELECTED, and DOWNLOAD CSV buttons is broken for the security object row in the Security Objects table (JIRA: ROFR-4209)

10. Fortanix Data Security Manager Performance Statistics

10.1 Series 2

________________________________________________________________________________________________________________

10.2 Azure Standard_DC8_v2

________________________________________________________________________________________________________________

10.3 Series 2 JCE

________________________________________________________________________________________________________________

10.4 Azure Standard_DC8 JCE

11. Fortanix Data Security Manager-Accelerator Performance Statistics

11.1 Runtime Environment

________________________________________________________________________________________________________________

11.2 DSM-Accelerator Webservice

________________________________________________________________________________________________________________

11.3 Additional Modes