Fortanix Data Security Manager (DSM) SaaS 4.10 comes with some exciting new features, general enhancements, improvements, and resolved issues.
This release is superseded by the August 30, 2022, release.
1. New Functionality/Feature(s)
1.1 Native BIP32 Key API Support (JIRA: PROD-4261):
This release allows you to import a new type of security object called BIP32. BIP32 is a parent key inside a Bitcoin hierarchical deterministic wallet (HD Wallet). This key can be used to recover all keys beneath it in the tree, for example: it can be used to sign transaction hashes and derive hardened and non-hardened children.
For more details, refer to User’s Guide: Key Lifecycle Management.
1.2 Added a new operation for BIP32 keys (JIRA: ROFR-3459):
- “Transform” operation for non-hardened child key.
For more details, refer to User’s Guide: Key Lifecycle Management.
1.3 Added “Transform” operation to the app and group permitted operations for the BIP32 keys (JIRA: ROFR-3467):
When you create a group or app from the Fortanix DSM UI, it will additionally have the new “TRANSFORM operation active by default.
For more details, refer to User’s Guide: Security Controls for Fortanix Data Security Manager Applications.
1.4 Allow downloading all security objects as a CSV file (JIRA: ROFR-3451):
In addition to downloading the currently visible security objects on the Security Objects page using the DOWNLOAD AS CSV option, you can also download all the security objects in the account using the DOWNLOAD ALL button.
1.5 Support for BYOK Plugin for Oracle Cloud Infrastructure (OCI) Vault (JIRA: PROD-4050):
This release adds support for generating a symmetric and asymmetric encryption key in Fortanix DSM and then BYOK it into the OCI vault.
For more details, refer to User’s Guide: Plugin Library.
2. Enhancements to Existing Features
- Automatic Linked key rotation for Azure Keys (JIRA: PROD-5163).
You can now schedule a key rotation policy for the Fortanix DSM source key that has linked Azure keys that are copies of the source key so that the linked Azure keys are also periodically rotated automatically. This can be enabled by selecting the Rotate all copied keys option.
For more details, refer to User’s Guide: Azure Key Vault External KMS.
- Automatic Linked key rotation for AWS External KMS Keys (JIRA: PROD-5050).
You can now schedule a key rotation policy for the Fortanix DSM source key that has linked AWS KMS keys that are copies of the source key so that the linked AWS KMS keys are also periodically rotated automatically. This can be enabled by selecting the Rotate all copied keys option.
For more details, refer to User’s Guide: AWS External KMS.
- Automatic Linked key rotation for Azure Managed HSM Keys (JIRA: PROD-3037).
You can now schedule a key rotation policy for the Fortanix DSM source key that has linked AWS Managed HSM keys that are copies of the source key so that the linked Azure Managed HSM keys are also periodically rotated automatically. This can be enabled by selecting the Rotate all copied keys option.
For more details, refer to User’s Guide: Azure Managed HSM.
- The “Create” permission is now hidden for Quorum approval policy for a Fortanix DSM group (JIRA: ROFR-3159).
As there is no Quorum policy check for the "Create" operation and the action of creating a security object does not initiate a Quorum approval request, hence the “Create” security object operation is hidden from the list of operations that require quorum approval.
- Custom Tokenization – restored max Length limit and removed max Value limit (JIRA: ROFR-3295).
Added max Length limit for custom tokenization and removed the wrongly added limit for the max Value field.
For more details, refer to User’s Guide: Tokenization.
- Added toast message when renaming and deleting the u2f security key (JIRA: ROFR-3295).
3. Other Improvements
- Flattened the cache structure for Signed JWT to avoid the small cap on the number of keys per source (JIRA: PROD-5195).
- Enhanced the API for Fortanix DSM Groups (JIRA: PROD-4603).
- Obtained the relations/mapping report for Fortanix DSM security objects, groups, users, and so on (JIRA: PROD-4571).
- Enhanced the
GET All accountsAPI to take query parameters for
startand end to be able to return all accounts (JIRA: PROD-4093).
4. Bug Fixes
- Fixed an issue where the backend ignores
connect-srcwhitelist in the
manifest.jsonfile (JIRA: ROFR-3176).
- Fixed an issue where after upgrading to DSM 4.9,
GET_SOBJECTSwas returned by error in the UI during quorum approval (JIRA: PROD-5196).
- Fixed an issue where the Fortanix AWX plugin was not working as expected (JIRA: DEVOPS-2982).
- Fixed an issue where
ActionType::Administrativeis used instead of
ActionType::RunPluginduring plugin invocation. (JIRA: PROD-5185).
- Fixed an issue where the sdkms-cli shows byte array instead of a base64 encoding strong (JIRA: PROD-5170).
- Fixed an issue where a user was unable to add Quorum policy to an existing KEK group after removing the Quorum policy (JIRA: PROD-5159).
- Fixed a JSON error message on deletion of Splunk log integration (JIRA: ROFR-3424).
- Fixed a user PATCH panic in mfa/u2f path (JIRA: PROD-5132).
- Fixed an issue where a user should not be allowed to update the group of KEK to another secondary group (JIRA: ROFR-3415).
- Fixed an issue where a user was unable to delete a security object after deleting the group (JIRA: PROD-5005).
- Fixed backend parsing issues for minimum/maximum length custom token schemas (JIRA: ROFR-3293).
- Fixed an issue where a password continued to be stored while disabling the U2F (JIRA: ROFR-3284).
- Fixed alignment issues and error message updates on the U2F recovery page (JIRA: ROFR-3272).
- Fixed an issue where the input Secret object values were not saved after importing resulting in a mismatch with the output Secret object value for the value format text(UTF-8) (JIRA: ROFR-3225).
5. Quality Enhancements/Updates
0on all tables in Cassandra keyspace. (JIRA: DEVOPS-2898).
- Implemented Cassandra Heap and Memory Tuning (JIRA: DEVOPS-2898).
- Implemented audit log partitioning by time in Cassandra database (JIRA: PROD-5150).
trickle_fsyncby setting it to
truein Cassandra when using with solid-state drives (SSDs) for better performance (JIRA: DEVOPS-2896).
- Configured Cassandra to use G1GC in JVM for performing more efficient JVM Garbage Collections (GCs) (JIRA: DEVOPS-2566).
6. Security Fixes
- Blocked the ICMP and TCP timestamp requests that can be used to determine system time (JIRA: DEVOPS-2915).
- Set etcd ciphersuite to
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256to ensure that all communication has guarantees (JIRA: DEVOPS-2914).
7. Known Issues
- An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
- When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
- The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
excludedoes not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).