[4.24] - December 12, 2023

Fortanix Data Security Manager (DSM) SaaS 4.24 comes with some exciting new features, general improvements, and resolved issues.

This release is for SaaS only and is not available for on-premises installations. Updates in this release will be part of a future on-premises release.

1. Enhancements to Existing Features

  • The Fortanix DSM user interface (UI) disallows rotation of linked multi-region AWS KMS keys copied from Fortanix DSM into AWS KMS (JIRA: ROFR-4510). MRK-Linked-Rotation.png
  • The Account ID is now included in the DSM SaaS “Expired Trial” message (JIRA: ROFR-4596).
  • The DSM SaaS Trial account expiry status now clearly reflects the source of the issue (JIRA: ROFR-4133). image (2).png

3. Other Improvements

  • The audit log for GoogleServiceAccount application - get credential API is disabled (JIRA: PROD-7515).
  • Added support to convert a key from PKCS1 to PKCS8 format (JIRA: PROD-7835).

4. Integrations/Use Cases

5. DSM-Accelerator Improvements

  • DSM-Accelerator Webservice:
    • Added support for integration of Snowflake external tokenization function with DSM-Accelerator Webservice deployed on AWS Lambda (JIRA: PM-124). For more details, refer to Snowflake with DSM-Accelerator Webservice.

6. Bug Fixes

  • Fixed an issue where support for selecting the following new DSM App permissions when creating a GCP EKM application for Google EKM Control Plane service was not working (JIRA: ROFR-4393).
    • Get Info
    • Get Public Key
  • Fixed an issue where the user was unable to log in to DSM SaaS using a multi-factor authentication (MFA) device registered on a different DSM SaaS cluster (JIRA: ROFR-4624).
  • Fixed a page crash when creating an app from the group detailed view (JIRA: ROFR-4617).
  • Fixed an issue where the user was unable to add a comment while declining a Quorum approval request (JIRA: ROFR-4530).
  • Fixed an issue where the user was able to create a new user without a name (JIRA: ROFR-4525).
  • Fixed an issue where Fortanix DSM did not support get operation with key format type pkcs8 formatting (JIRA: PROD-7694).
  • Fixed an issue where rotating an AES key to an existing DSM key shows "Tokenization" keys in the list and vice versa (JIRA: ROFR-4513).
  • Fixed an issue where importing a Secret key did not allow the selection of "Derive Key" permission (JIRA: ROFR-4507).
  • Fixed an issue in AWS and Azure group where the “ADD TAG” button was incorrectly labeled as “ADD ATTRIBUTE(JIRA: ROFR-4463).
  • Fixed an issue where the Usage API returned incorrect "operations count" (JIRA: PROD-7307).

7. Known Issues

  • Issue where the Batch API succeeds even though some APIs within it failed (JIRA: ROFR-4508).
  • The sync key API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
    Workaround: increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
  • exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD-3311).
  • Unable to create an app when a Custom Group Role has the Create Apps permission enabled. This affects users who need to create App or Plugin entries (JIRA: PROD-5764). Workaround: use the predefined Administrative User definition under Settings.
  • Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD-6722).
    Workaround: You can manually copy an existing AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
  • The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
    Workaround: You must first manually rotate the source key in the regular DSM group and then copy the rotated key to the GCP group.
  • If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
    Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
  • The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
  • The retry mechanism does not work as expected in the DSM-Accelerator Webservice (JIRA: PROD-7068).
  • Copying an RSA or EC key from a normal DSM group to an AWS KMS-backed DSM group does not work as expected and results in an error (JIRA: PROD-7787).
    Workaround: Export the RSA or EC key from the normal DSM group and import it into the AWS KMS-backed DSM group.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful