[4.25] - February 9, 2024

Fortanix Data Security Manager (DSM) SaaS 4.25 comes with some exciting new enhancements and resolved issues.

This release is for SaaS only and is not available for on-premises installations. Updates in this release will be part of a future on-premises release.

1. Enhancements to Existing Features

  • Added “Firstname” and “Lastname” fields in the DSM Invite User form instead of a single “Name of the invitee” field (JIRA: ROFR-4578). InviteUser.png
  • The BLS key variant type can now be updated from the Fortanix DSM UI while rotating the BLS key (JIRA: ROFR-4574). BLS.png
  • The EC curve can now be updated from the Fortanix DSM UI while rotating the EC-KCDSA key (JIRA: ROFR-4576). EC.png
  • The KCDSA subgroup size can now be updated from the Fortanix DSM UI while rotating the KCDSA key (JIRA: ROFR-4575) KCDSA.png
  • Added the “Quorum approval will be requested to rotate the object” option in the Rotate Key window (JIRA: ROFR-4518). RotateQP.png
  • Removed the “EDIT TAGS” option in the “ATTRIBUTES/TAGS” tab in the detailed view of a GCP BYOK key (JIRA: ROFR-4514). EditTags.png
  • Updated the switcher component in the DSM UI to follow consistent coloring (JIRA: ROFR-4680). Switcher1.png Switcher2.png
  • Added tooltips to show the full names in multi-assigner views (JIRA: ROFR-4646). multiassigner.png

3. Other Improvements

  • DSM now supports TLS 1.3 protection for API clients and browser access (JIRA: PM-185).
  • Added support for adding custom roles for DSM administrative applications using the API (JIRA: PM-100).
  • De-duplicated the error messages returned from the Google Workspace CSE access control check and combined the error returned for the PrivateKeySign and PrivateKeyDecrypt methods (JIRA: PROD-7902).
  • The Key Check Value (KCV) now appears only for keys of type AES, DES, and DES3 (JIRA: ROFR-4616).
  • API clients can now perform HMAC operations with an AES key in DSM (JIRA: PM-224).

4. Integrations/Use Cases

  • Fortanix DSM now integrates with Skyhigh Secure Web Gateway (SWG) to deliver Hardware Security Module (HSM) capabilities (JIRA: EXTREQ-485). For more details, refer to the integration guide: Using DSM with Skyhigh SWG.
  • Fortanix DSM now integrates with Veeam Backup and Replication to enable backup encryption (JIRA: EXTREQ-981). For more details, refer to the integration guide: Using DSM for Veeam backup encryption.

5. DSM-Accelerator Improvements

  • DSM-Accelerator JCE Provider:
  • DSM-Accelerator Webservice:
    • Validated Snowflake integration with DSM-Accelerator Webservice deployed in Amazon Web Service (AWS) Elastic Kubernetes Service (EKS) environment (JIRA: ROQA-4476).

6. Bug Fixes

  • Fixed a confusing iconography in the DSM Key Metadata Policy where the Accept option was showing red and the Forbid to use option was showing green (JIRA: ROFR-4400).
  • Fixed an issue where the Quorum approval request was not generated when deriving a BIP32 child (JIRA: ROFR-4630).
  • Fixed multiple issues in the Add LDAP Users flow (JIRA: ROFR-4618).
    • Fixed an issue where the user could not sort the columns in the LDAP table containing LDAP users.
    • Fixed an issue where the placement of the Add Users to the Account button was changing.
    • Fixed an issue where the page limit value was changing.
    • Fixed an issue where the total number of rows was sometimes shown and sometimes not shown.
  • Fixed an issue where the user was unable to paste or type the necessary key URL in step 3 of the Workspace CSE Integration workflow (JIRA: ROFR-4614).
  • Fixed an issue where the security object deactivation date in edit mode was not displaying the old value but instead displayed the current date (JIRA: ROFR-4610).
  • Fixed broken styling for radio buttons on Settings Authentication → SSO page (JIRA: ROFR-4601).
  • Fixed an issue where the input field for the Max concurrent requests option in Account → Settings → Client Configuration → PKCS#11 was “X bytes" instead of “No. of connections.” (JIRA: ROFR-4857).
  • Fixed an issue where the user was able to update the padding policy of a security object during the DSM rotate key operation using the API, but the user was unable to do the same using the DSM UI (JIRA: ROFR-4570).
  • Fixed an issue where the Fortanix DSM UI wrongly parses the padding policy response for a key (JIRA: ROFR-4569).
  • Fixed an issue where the exponent value of RSA keys was not displayed on the key details page (JIRA: ROFR-4562).
  • Fixed an issue where the “Download certificate” button on the security object details page causes issues for small screen sizes (JIRA: ROFR-4559).
  • Fixed an issue where SSO authentication integrations were displayed as configured even if the user failed to configure them due to an error (JIRA: ROFR-4557).
  • Fixed an issue where the user could not rotate a security object for the second time when the group had a quorum policy configured (JIRA: ROFR-4551).
  • Fixed an issue where “Using second-factor security key is required to approve requests" is enabled by default and non-editable when configuring quorum policy for a DSM group (JIRA: ROFR-4545).
  • Fixed an issue where, when editing the Key Rotation policy for a DSM group, the SAVE button at the bottom was enabled even though no edits were made (JIRA: ROFR-4540).
  • Fixed an issue when rotating a security object in the group with a quorum policy configured does not redirect the user to the security object list page after the rotation (JIRA: ROFR-4538).
  • Fixed a typo in the DSM LDAP configuration page (JIRA: ROFR-4529).
  • Fixed an issue where the response body of the batch API for key rotation reported the operation as successful even though the second API failed (JIRA: ROFR-4508).
  • Fixed an issue where, after publishing the public key using the “Public key published” toggle in the detailed view of a DSA, EC-KCDSA, and KCDSA keys, the URL of the API endpoint value is not displayed (JIRA: ROFR-4710).
  • Fixed an issue where adding SAML integration in the DSM Account Settings → AUTHENTICATION → SINGLE SIGN-ON results in an error (JIRA: ROFR-4707).
  • Fixed a page [SL2]  issue when adding groups on the Fortanix DSM Groups page (JIRA: ROFR-4693).
  • Fixed an issue where the SAVE CHANGES button was enabled when adding an app from the detailed view of a DSM group even though no changes were added (JIRA: ROFR-4692).
  • Fixed an issue where the LOG IN button changes color even when in a disabled state (JIRA: ROFR-4659).
  • [SL3]  Fixed an issue where even though the user failed to save tags when creating an AWS key using the HSM/External KMS workflow in DSM, the key was successfully created (JIRA: PROD-7932).
  • Fixed an issue where the Fortanix DSM UI does not give an option for deleting key material and reimporting the key material for the imported BYOK keys (JIRA: ROFR-4656).
  • Fixed non-functional vertical scroll bar in all DSM UI pages (JIRA: ROFR-4643).

7. Known Issues

  • The sync key API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
    Workaround: increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
  • exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD-3311).
  • Unable to create an app when a Custom Group Role has the Create Apps permission enabled. This affects users who need to create App or Plugin entries (JIRA: PROD-5764). Workaround: use the predefined Administrative User definition under Settings.
  • Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD-6722).
    Workaround: You can manually copy an existing AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
  • The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
    Workaround: You must first manually rotate the source key in the regular DSM group and then copy the rotated key to the GCP group.
  • If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
    Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
  • The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
  • The retry mechanism does not work as expected in the DSM-Accelerator Webservice (JIRA: PROD-7068).
  • Copying an RSA or EC key from a normal DSM group to an AWS KMS-backed DSM group does not work as expected and results in an error (JIRA: PROD-7787).
    Workaround: Export the RSA or EC key from the normal DSM group and import it into the AWS KMS-backed DSM group.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful