[4.23] - November 08, 2023

Fortanix Data Security Manager (DSM) 4.23 comes with some exciting new features, improvements, and resolved issues.

1. New Features

1. Data Security Manager now supports Google Cloud Platform PR5 Sovereign Partner operations (JIRA: PM-9). 
   You can now select Fortanix as a Sovereign Partner to ensure that the data processed on your behalf by the Google Cloud Platform stays within your geographic region.
   
   
   • Added support for new DSM App permissions for Google EKM Control Plane service (JIRA: ROFR-4393).
     In the DSM 4.23 release, the new app permissions can only be accessed using the detailed view of the application using the Edit Permissions icon. See Known Issues for a workaround.
     
     
   
   
   For more details, refer to Fortanix DSM with Google Control Plane Using VPC Integration Guide.
2. Added support for generating asymmetric key pairs (RSA, ECC) in AWS KMS key stores (JIRA: PM-101).
   With this feature, a user can now create, import, and copy an RSA or ECC security object in an AWS KMS-backed DSM group so that the key material gets generated in the targeted KMS instance.
   
   
   
   For more details, refer to User’s Guide: Fortanix DSM - AWS KMS.
3. Added support to mark a key as a multi-region key during copy key operation to AWS KMS (JIRA: PM-150).
   With this feature, a user can now copy DSM keys into AWS-backed groups, creating a new AWS multi-region key in the process.
   
   
   
   For more details, refer to User’s Guide: Fortanix DSM - AWS KMS.
4. Added support to rotate a Tokenization key in DSM (JIRA: PM-104).
   
   
   
   For more details, refer to User’s Guide: Key Lifecycle Management.
5. Added support to customize the Fortanix DSM login page (JIRA: PM-149).
   A DSM system administrator can now customize the DSM login page as per the customer’s branding for logo and color using the System Administration Settings → Customization
   
   
   
   For more details, refer to System Administration Settings Guide: Customization.

2. Enhancements to Existing Features

• Removed quorum approval-related checkboxes from the modal windows for key operations when the respective quorum operations are not selected in the group Quorum approval policy (JIRA: ROFR-4434).
• Disabled the Quorum approval - Approve or Decline buttons when the Quorum approval is in a “pending” state (JIRA: ROFR-4420).
• Updated the EXPORT KEY tooltip text (JIRA: ROFR-4414).
• Added support for lazy loading of the DSM accounts in the account switcher (JIRA: ROFR-4119).
• Added support for cross-origin MFA verification (JIRA: ROFR-3915).

3. Other Improvements

• The DSM account switcher now refreshes the accounts list when opened (JIRA: ROFR-4423).
• Re-enabled Key Check Value (KCV) in the security object list view after fixing performance issues (JIRA: ROFR-4315).
• The KCV is now computed in the security object list response instead of dynamically on every security object request (JIRA: PROD-3805).
• Added cluster recovery script to the DSM installer bin directory (JIRA: DEVOPS-4249).
• Removed elastic-search Sensu check from the Sensu server artifacts (JIRA: DEVOPS-4278).
• Updated the get_csrs and install_certs scripts to support TLS and UI cert key rotation (JIRA: DEVOPS-4237).
• Customized the etcd annotation patching logic during the DSM upgrade (JIRA: DEVOPS-4230).
• Updated AIC BIOS to version ATLK0061 and Gigabyte BIOS to version F14 in the Fortanix DSM installer (JIRA: DEVOPS-4217).
• Improved the DSM upgrade prechecks (JIRA: DEVOPS-4192).
• Upgraded the Kernel version on the DSM nodes to 5.4.0.155 (JIRA: DEVOPS-4185).
• The perform_recovery.sh script is now added to the DSM installer (JIRA: DEVOPS-3943).
• Validation is now done to check that the swdist overlay has the correct version mounted before performing the DSM upgrade (JIRA: DEVOPS-4040).
• The sshd_config.fortanix file now complies with the Center for Internet Security (CIS) baseline (JIRA: DEVOPS-4184).

4. Integrations / Use Cases

• Added support for Fortanix Data Security Manager with Postgres Enterprise Database (EDB) to enable Transparent Data Encryption (TDE) (JIRA: EXTREQ-962). For more details, refer to Fortanix DSM with EDB Postgres for TDE.
• Added support for Fortanix DSM integration with GitLab (JIRA: PM-145).
  You can now use Fortanix DSM from the GitLab pipeline for the following:
  • Secrets management (set, get, and rotate secrets). For more details, refer to Fortanix DSM with the GitLab integration guide.
  • Code signing (sign a JAR file from the GitLab pipeline). For more details, refer to Fortanix DSM with GitLab for the Code Signing integration guide.

5. Client Improvements

• Sequoia PGP (sq-dsm) now supports PGP cert with two keys (JIRA: PROD-7583).
  You can now generate a PGP cert with two keys – Master or primary key for signing and sub key for encryption.

6. DSM-Accelerator Enhancements

• DSM-Accelerator JCE Provider:
  • Added support for DSM-Accelerator JCE for Windows (JIRA: PM-123). For more details, refer to the Developer’s Guide: Fortanix DSM-Accelerator JCE Provider.

7. Quality Enhancements

• Upgraded Kubernetes to 1.25.13 (JIRA: DEVOPS-3569).
• Upgraded Kubernetes to 1.27.6 (JIRA: DEVOPS-4126). For more details, refer to Administration Guide: Fortanix DSM Kubernetes version upgrade to 1.27.
• Updated to a newer version of containerd.io the package(JIRA: DEVOPS-4143).
• Updated Sensu artifacts to 6+ version (JIRA: DEVOPS-3464).

8. Bug Fixes

• Fixed an issue where the user was unable to export RSA keys using the EXPORT KEY option (JIRA: ROFR-4394).
• Fixed an issue where the DSM edit application page crashed when the app was created using the DSM REST API without the app_type parameter (JIRA: ROFR-4383).
• Fixed an issue where all custom roles checkboxes were enabled when a user with custom role – “create custom role” created a new custom role (JIRA: ROFR-4382).
• Fixed an issue where the rotate modal window does not close when a key is rotated if the group to which the key belongs has a quorum policy configured (JIRA: ROFR-4379).
• Fixed an issue where SAVE CHANGES button was enabled in the DSM Settings → AUTHENTICATION tab even though no updates were made to the page (JIRA: ROFR-4364).
• Fixed confusing iconography in DSM Key metadata policy for the section “Handling existing non-compliant keys” (JIRA: ROFR-4400).
• Fixed timing attack that caused user enumeration on DSM login API (JIRA: PROD-7574).
• Fixed timing attack that caused user enumeration on DSM password reset API (JIRA: PROD-750).
• Fixed minor bugs during upgrade prechecks using the run_prechecks.sh script (JIRA: DEVOPS-4352).
• Fixed an issue where the Quorum approval tasks were not sorted in the correct order in the DSM dashboard (JIRA: ROFR-4495).
• Fixed an issue where security object queries either return incomplete pages when called with a limit or do not display some security objects (JIRA: PROD-7631).
• Fixed an issue where security object queries either return incomplete pages when called with a limit or do not display some security objects (JIRA: PROD-7631).
• Fixed an issue where the user was unable to navigate to the plugin details page for a disabled plugin (JIRA: ROFR-4469).
• Fixed an issue where the user gets an” OOPS” page when trying to associate an existing plugin with other DSM groups (JIRA: ROFR-4468).
• Fixed a bug in the function trigger_async_scan  that causes asynchronous and scheduled HMG scans to mark active external objects as destroyed (JIRA: PROD-7621).
• Fixed a DSM system administration page crash when a user was invited with an Account Member role using a self-provisioning link in LDAP (JIRA: ROFR-4459).
• Fixed an issue where a part of the drop down menu was not visible (JIRA: ROFR-4429).
• Fixed an issue where the user was able to see the “linked key” icon next to an LMS key when performing SIGN and VERIFY operations using REST API (JIRA: ROFR-4422).
• Fixed an issue where the “Purge deleted key” button is not visible in the UI when a key that is imported in the Azure Key Vault Cloud Data Control (CDC)  group is soft-deleted (JIRA: PROD-7508).
• Fixed an issue where the “Purge deleted key” button is not visible in the UI when a key that is created in the Azure Key Vault Cloud Data Control (CDC)  group is soft-deleted (JIRA: PROD-7202). 
• Fixed an issue where the DSM Stats API calls used the wrong date range (JIRA: ROFR-4402).
• Fixed an issue in key tokenization where the right index was not preserved in partial expansion resulting in full expansion with improper indexing (JIRA: ROFR-4399).
• Fixed an issue where no notification was shown when a Snowflake instance was generated (JIRA: ROFR-4397).
• Fixed an issue where the DSM UI was reloaded during various key operations (JIRA: ROFR-4396).
• Fixed an issue in the DSM System Administration Settings → POLICIES → Email Validation Policy where there was no notification pop-up when the user used restricted characters in email (JIRA: ROFR-4391).
• Fixed an issue in the DSM System Administration Settings → POLICIES where the user was unable to request account approval if trial expiration is enforced (JIRA: ROFR-4236).
• Fixed an issue where the users get logged out after accepting the DSM system administration invite and selecting the system administration account (JIRA: ROFR-4332).
• Fixed an issue where testing the connection fails for an LDAP Single Sign-On (SSO) authentication for a DSM system administration account (JIRA: PROD-7088).
• Fixed an issue where deleting a user in the DSM System Administration → Users → USERS tab shows a popup with incorrect width size (JIRA: ROFR-4202).
• Fixed an issue in the DSM System Administration → Users → USERS tab where the user was unable to search a user email containing space (JIRA: ROFR-4226).
• Fixed an issue where updates to the DSM System Administration → Settings → EMAIL → Emails for subscription updates notifications do not enable the SAVE CHANGES button (JIRA: ROFR-4229).
• Fixed an issue where the fields under the DSM System Administration → Tasks →  PENDING tab were not aligned properly and overlapped (JIRA: ROFR-4231).
• Fixed an issue in the DSM System Administration → Policies where the system administrator was able to save the Minimum password length value as 2 under the Login/Signup section (JIRA: ROFR-4234).
• Fixed an issue where a pre-selected system administration account shows the DSM account dashboard for a short time (JIRA: ROFR-4284).
• Fixed an issue where the “/terms_of_use” page now redirects to the terms and conditions page on the DSM SaaS website (JIRA: ROFR-4302).
• Fixed an issue where the DSM on-premises customers were able to sign up for DSM without accepting the Terms and Conditions (JIRA: ROFR-4304).
• Fixed an issue where the get_csrs script accepted the IP address value for the domain name (JIRA: DEVOPS-2002).
• Fixed the regular expression for DSM node name filtering in the Kubernetes upgrade scripts (JIRA: DEVOPS-4170).
• Fixed an issue where the sdkms-cluster create operation fails when there are upper case letters in the hostname (JIRA: DEVOPS-3277).

9. Known Issues

• The sync key API returns a “400 status code and response error” if its short-term access token expires during synchronization of a group linked to AWS KMS (JIRA: PROD-3903). Workaround: increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
• exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD: 3311).
• Unable to create an app when a Custom Group Role has the Create Apps permission enabled. This affects users who need to create App or Plugin entries (JIRA: PROD: 5764). Workaround: use the predefined Administrative User definition under Settings.
• Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD: 6722).
  Workaround: You can manually copy the AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
• The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
  Workaround: You must first manually rotate the source key in the normal DSM group and then copy the rotated key to the GCP group.
• If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD: 6947).
  Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
• The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
• The retry mechanism does not work as expected in the DSM-Accelerator Webservice (JIRA: PROD-7068).
• The following new app permissions for Google EKM Control Plane service can only be accessed using the edit application (app) workflow. It is not visible when creating a GCP EKM application (JIRA: ROFR-4393)
  • Get Info
  • Get Public Key
  Workaround: Create a GCP application using the regular workflow. After creating the app, go to the detailed view of the app and click the Edit Permissions icon to edit or update the above two GCP EKM Control Plane Service app permissions.

10. Fortanix Data Security Manager Performance Statistics

10.1 Series 2

________________________________________________________________________________________________________________

10.2 Azure Standard_DC8_v2

________________________________________________________________________________________________________________

10.3 Series 2 JCE

________________________________________________________________________________________________________________

10.4 Azure Standard_DC8 JCE

11. Fortanix Data Security Manager-Accelerator Performance Statistics

11.1 Runtime Environment

________________________________________________________________________________________________________________

11.2 DSM-Accelerator Webservice

________________________________________________________________________________________________________________

11.3 Additional Modes

12. Installation