[4.12] - Oct 28, 2022

Fortanix Data Security Manager (DSM) SaaS 4.12 comes with some exciting new features, general enhancements, improvements, and resolved issues.

This release is superseded by the November 07, 2022 release.

NOTE
This release is for SaaS only and not available for On-Prem installations.

1. New Functionality/Feature(s)

1.1 AWS multi-region primary key support (JIRA: ROFR-3452):

This release adds support for creating AWS multi-region primary keys. When a key is generated in, or imported (BYOK) into, AWS KMS from Fortanix DSM, it can be marked as a multi-region primary key. Similarly, when keys are scanned from AWS KMS, Fortanix DSM identifies multi-region primary and replica keys and marks them accordingly. Note that a multi-region primary key and its replicas share the same key ID and key material across regions, so anyone who can create a replica in another region obtains a working copy of the key; scope the KMS key policy accordingly.

For more details, refer to the User’s Guide: AWS External KMS.

1.2 Subject Alternative Name (SAN) URLs no longer redirect to the default interface unless configured (JIRA: ROFR-3478):

If a SAN certificate is configured so that the Fortanix DSM cluster can be reached through multiple fully qualified domain names (FQDNs) using the Fortanix DSM System Administration Settings – Interface page, requests to the alternate FQDNs are served on the FQDN that was used. Use the Redirect toggle on the same page if you want all access redirected to the default interface configured.

For more details, refer to the Sysadmin Settings – Interface guide.

1.3 Google Workspace CSE features:

  • Moved Google Workspace CSE from Account Settings to the Integrations tab (JIRA: ROFR-3561):
    The Google Workspace CSE feature has moved from the Account Settings page to the Fortanix DSM Integrations tab.
  • Added Authorization Providers for Google Calendar (JIRA: ROFR-3445) and Google Meet (JIRA: ROFR-3441):
    This release adds predefined configurations for adding Google Meet and Google Calendar as authorization providers.
  • Added a “Back” link in the Google Workspace wizard (JIRA: PROD-5195):
    Added a “Back” link on the “Review” step of the Google Workspace UI so that the user can go back and make changes.

For more details, refer to the Integration Guide – Google Workspace CSE.

1.4 Plugin to generate Certificate Signing Request (CSR) for Fortanix DSM security objects (JIRA: PROD-5389):

This release adds a new plugin to obtain certificates for key pairs protected by Fortanix DSM, by generating a CSR for any security object that has signing capability.

1.5 Added a skeleton loading indicator when data is loading for the Custom Group Roles table (JIRA: ROFR-3489):

This release adds a skeleton loading placeholder to indicate that the data is loading in the Custom Group Roles table.


1.6 Added a human-readable view for Quorum approval requests for GCP Key Access Justification at the key level (JIRA: PROD-5163):

The quorum approval window now shows a human-readable view of the additions, deletions, and modifications made to the GCP Key Access Justifications at the key level.

2. Enhancements to Existing Features

  1. Grouping of Fortanix HSM Gateway types in the HSM/External KMS group creation section (JIRA: ROFR-2161).

    The Fortanix Self-Defending KMS and Fortanix Self-Defending KMS FIPS Cluster options are now grouped into:

    • Fortanix DSM
      • Store keys externally (formerly “Fortanix Self-Defending KMS FIPS Cluster”)
      • Store keys locally (formerly “Fortanix Self-Defending KMS”)

  2. Plugin Enhancements:
    • Disabled the Plugin Create button after the plugin was created (JIRA: ROFR-1693).
      The Create plugin button will be disabled immediately after creating the plugin to avoid duplication errors.
    • Linked the Plugin development documentation from the Plugins detailed view page and table view. (JIRA: ROFR-1781).
    • Disabled the Invoke Plugin button when the plugin is disabled (JIRA: PROD-3037).
  3. Renamed “Google Stackdriver” to “Google Cloud’s operations suite” for External Log Management integration (JIRA: ROFR-3191).
  4. DES and DES3 key improvements (JIRA: PROD-5279).
    • Odd parity is now set on every key byte when a key is generated and when it is read from the database.
    • Weak, semi-weak, and possibly-weak DES keys are no longer generated. Note that DES and 3DES remain legacy algorithms; NIST SP 800-131A Rev. 2 disallows 3DES for encryption after 2023, so use them only where required for compatibility.
  5. Added support to capture audit logs for scheduled key rotation (JIRA: PROD-5318).
  6. Tokenization improvements:
    • The custom tokenization UI now handles multiple sections whose special characters overlap (JIRA: ROFR-3512).
    • Changed the color of the Ellipses block from white to blue in the token pattern section (JIRA: ROFR-3523).
  7. Removed the empty lined block from the Create new security object form for key types other than EC or EC-KCDSA (JIRA: PROD-5195).
  8. Security objects reporting improvements:
    • Removed the “Origin” column from the Security Objects download report (JIRA: PROD-3558).
      The “Origin” column and the “Source” column mean the same thing, and “Origin” only ever showed the value “imported”, so it has been removed from the report.
    • Added a new “Rotation Status” column to the report (JIRA: ROFR-3638).
      The column shows the rotation status of a security object and has one of the following values:
      • If the security object was never rotated, the value is empty.
      • If the security object was rotated and is at the top of the chain (the current key), the value is ‘Rotated at <created_at date>’.
      • If the security object was rotated but is not at the top of the chain, the value is ‘Rotated to <UUID>’, where <UUID> identifies the key that replaced it.
  9. Removed the “Old Key” section from the Key Rotation modal window (JIRA: ROFR-3597).
    The “old key” display hint has been removed from the Key Rotation modal. Refer instead to the description underneath the “new key” UI, which explains what happens to the old key.
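As an added illustration of item 4 above (DES and DES3 key improvements), here is example code written for this page, not Fortanix DSM code, that implements the two checks the note describes: odd-parity normalisation of every key byte and rejection of weak DES keys, for both single DES and 3DES. The table contains the 4 weak and 12 semi-weak keys from the DES standard; the 48 possibly-weak keys are not listed here, and the check that adjacent 3DES components differ is an addition beyond what the note states.

```python
"""Odd-parity adjustment and weak-key rejection for DES / 3DES keys.

Added example (not Fortanix code). Weak and semi-weak keys are matched
after parity normalisation, so a key that differs from a weak key only in
the ignored parity bits is still rejected. Possibly-weak keys (48 in the
standard) are NOT covered by this table.
"""
import os
from typing import Callable, List

# The 4 DES weak keys and 12 semi-weak keys, written with odd parity.
DES_WEAK_KEYS = frozenset(bytes.fromhex(h) for h in (
    # weak: encryption and decryption are the same operation
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    # semi-weak, listed as pairs: encrypting with one decrypts the other
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
))


def set_odd_parity(key: bytes) -> bytes:
    """Set bit 0 of every byte so that each byte has an odd number of 1 bits.

    DES ignores bit 0 of each key byte, so this changes no effective key
    material; it only normalises the stored/returned representation.
    """
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")          # parity of the 7 key bits
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def is_weak_des_key(key8: bytes) -> bool:
    """True if an 8-byte DES key is weak or semi-weak (parity-insensitive)."""
    if len(key8) != 8:
        raise ValueError("DES key must be 8 bytes")
    return set_odd_parity(key8) in DES_WEAK_KEYS


def check_des_key(key: bytes) -> List[str]:
    """Return a list of problems for a DES (8-byte) or 3DES (16/24-byte) key.

    An empty list means the key passes every check.
    """
    if len(key) not in (8, 16, 24):
        raise ValueError("key must be 8, 16 or 24 bytes")
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    problems = []
    for n, part in enumerate(parts, 1):
        if set_odd_parity(part) != part:
            problems.append(f"K{n} has bad parity")
        if is_weak_des_key(part):
            problems.append(f"K{n} is a weak or semi-weak DES key")
    # Added check beyond the release note: with EDE, K1 == K2 or K2 == K3
    # collapses 3DES to a single DES encryption under the remaining key.
    if len(parts) == 3 and (parts[0] == parts[1] or parts[1] == parts[2]):
        problems.append("adjacent 3DES components are equal (degrades to single DES)")
    if len(parts) == 2 and parts[0] == parts[1]:
        problems.append("two-key 3DES with K1 == K2 degrades to single DES")
    return problems


def generate_des_key(nbytes: int = 24,
                     rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Generate an odd-parity DES/3DES key, rejecting weak components.

    `rng` is injectable (hypothetical parameter for this example) so the
    rejection loop can be exercised deterministically in tests.
    """
    while True:
        candidate = set_odd_parity(rng(nbytes))
        if not check_des_key(candidate):
            return candidate


if __name__ == "__main__":
    print(check_des_key(bytes.fromhex("0101010101010101")))
    print(generate_des_key(24).hex())
```

The rejection loop almost never iterates in practice (16 of 2^56 keys), but it is what makes the "should not generate" guarantee hold rather than merely being probable; the parity normalisation is what lets a key loaded from storage be compared byte-for-byte with the published weak-key table.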

3. Other Improvements

  1. This release logs CPUSVN, ISVSVN, and other useful SGX enclave attributes at node startup (JIRA: PROD-5714).
  2. Investigated the scenario for key creation from an enclave (JIRA: PROD-5671).
  3. Added load tests to run the customer’s plugin on DSM (JIRA: PROD-5623).
  4. Created a report to improve reusing TLS sessions (JIRA: PROD-5602).
  5. The drop database timeout is now configurable for testing (JIRA: PROD-5546).
  6. Refactored the DSM CLI tests (JIRA: PROD-5373).
  7. Combined request and response logs into a single log line (JIRA: PROD-4032).

4. Client Improvements

  1. JCE: Added a new constructor with key operations (JIRA: PROD-5681).
  2. BLS: Support for the BLS signature algorithm, as used by several blockchains, in DSM (JIRA: PROD-5663).
  3. CNG:
    1. The retry timeout value in the EKM provider is now configurable (JIRA: PROD-5532).
    2. Added automatic retry (JIRA: PROD-5519).
    3. The two authentication API calls are no longer performed upfront (JIRA: PROD-5519).

5. Quality Enhancements/Updates

  1. Added new build configuration for managed Kubernetes deployment (JIRA: ROFR-3588).

6. Bug Fixes

  • Fixed the out-of-position layout of the certificate text box in the Splunk Log management section in System Administration settings (JIRA: ROFR-2867).
  • Fixed an issue where the “Last run” field after running a plugin always shows “Never” (JIRA: ROFR-2915).
  • Fixed an issue where the X/Y coordinates were not visible in the Sys Admin account charts due to the color scheme (JIRA: ROFR-3100).
  • Fixed a visual issue where the DSM logo in the sidebar would get partially cut off on certain screen sizes (JIRA: ROFR-3112).
  • Fixed a page crash in the UI on the Authorization settings page for child accounts (JIRA: ROFR-3112).
  • Fixed a page crash in the DSM UI when searching for a “Requester” by name in the Tasks Completed tab (JIRA: ROFR-3574).
  • Fixed an issue where a search for a security object of type “ECKCDSA” was not returning all the security objects of type “EC-KCDSA” (JIRA: ROFR-3587).
  • Fixed an issue in the Custom Roles workflow, where inviting a user with Exclusive custom group role results in an error (JIRA: ROFR-3565).
  • Fixed an issue where encryption with GCM mode fails for DSM-Accelerator PKCS#11 library (JIRA: PROD-5479).
  • Fixed a missing padding policy while importing a wrapped key (JIRA: PROD-3562).
  • Fixed an issue where the Custom Group Roles tab was missing on certain pages (JIRA: ROFR-3559).
  • Fixed a page crash on the DSM UI when using the token pattern slider for the SSN format in the tokenization UI (JIRA: ROFR-3551).
  • Fixed an issue that allowed the WRAP/UNWRAP permissions to be removed while rotating a key (JIRA: ROFR-3521).
  • Fixed an issue where the browser does not detect the username during the login or signup flow (JIRA: ROFR-3509).
  • Fixed a DSM UI crash that occurs when the optional fields in the Client Configuration UI are missing (JIRA: ROFR-3508).
  • Fixed a UI crash when you approve a Quorum Approval request for the WRAP key operation (JIRA: ROFR-3483).
  • Fixed an issue where the user was unable to rotate a key when a Key Access Justification policy was configured (JIRA: ROFR-3460).
  • Fixed an issue in custom token creation that shows the message “Add non-overlapping delimiter” for different token types and letter cases (Uppercase vs lowercase) (JIRA: ROFR-3448).
  • Fixed an issue when inviting a user to a custom group role, where assigning and unassigning a group to the user results in the user continuing to be assigned to the same group (JIRA: ROFR-3388).
  • Fixed an issue in the revert API where the endpoint /crypto/v1/keys/{key-id}/revert should be a POST request instead of a PUT request (JIRA: ROFR-5076).
  • Fixed an issue where performing an update on a group after configuring a custom group role, would in some circumstances require unnecessarily strict permissions (JIRA: ROFR-3352).
  • Fixed a missing toast message after creating an instance from the easy wizard Integration tab (JIRA: ROFR-3315).
  • Fixed an issue that results in multiple toast messages instead of single ones when there are multiple mismatches while uploading a custom logo (JIRA: ROFR-3259).
  • Fixed the custom logo header text on the Account Customization page (JIRA: ROFR-3256).
  • Fixed multiple issues in the Google Workspace CSE Easy Wizard integration workflow (JIRA: ROFR-3645).
  • Fixed regression issues due to incorrect AppConfig.isSaaS conditionals (JIRA: ROFR-3630).
  • Fixed missing Sign Up and Support button on the DSM SaaS Login page (JIRA: ROFR-3628).
  • Fixed an issue in the BIP32 key type that allowed the index 2147483647 (2^31 - 1, the highest non-hardened index) to be used for a hardened child; hardened child indexes start at 2^31 (JIRA: ROFR-3621).
  • Fixed an issue that applies the DSM SaaS subscription rules to the DSM on-prem environment in the create group workflow (JIRA: ROFR-3617).
  • Fixed a DSM UI crash when the user navigates to the “My Profile” page (JIRA: ROFR-3616).
  • Fixed an issue in the key generation form where the “Tokenization” option was missing in the “Choose a type” section (JIRA: ROFR-3612).
  • Fixed an issue that displays warnings with the install_certs script after pasting certificates in Kubernetes version 1.19 (JIRA: ROFR-3213).
  • Fixed an export_key test case failure in the sdkms-cli-test.sh script (JIRA: PROD-5637).
  • Fixed missing BMC package after upgrading DSM to version 4.11 (JIRA: DEVOPS-3194).
  • Fixed an issue that does not allow the user to run recovery for Cluster Deployment Key (CDK) (JIRA: DEVOPS-3188).
    For more details, refer to the Administration Guide: Backup and Restore with CDK for non-SGX Cluster.
  • Fixed missing Export permission red icon from the mini permission icon set in the Key operations permitted section (JIRA: ROFR-3606).
  • Fixed an incorrect logic in the $any operator (JIRA: PROD-5550).
  • Fixed missing value for the Subscription Type on the DSM SaaS Home page even when it was configured with a custom subscription (JIRA: ROFR-3584).
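To make the BIP32 fix above (JIRA: ROFR-3621) concrete, here is an added example, written for this page and not Fortanix DSM code, that parses a derivation path and validates child indexes the way BIP32 defines them. BIP32 splits the 32-bit index space in half: 0 to 2^31 - 1 are normal children, 2^31 to 2^32 - 1 are hardened children, so 2147483647 (0x7FFFFFFF) is the last normal index and must not be accepted as a hardened one. The function and parameter names are this example's own.

```python
"""BIP32 child-index validation and derivation-path parsing.

Added example (not Fortanix code). Deriving at a hardened index requires the
parent private key, while normal indexes can be derived from the extended
public key alone, so treating a normal index as hardened would produce a key
that no other BIP32 implementation derives for that path.
"""
from typing import List

HARDENED_OFFSET = 1 << 31          # 0x80000000: first hardened index
MAX_INDEX = (1 << 32) - 1          # 0xFFFFFFFF: last hardened index


def is_hardened(index: int) -> bool:
    """True for raw child indexes in the hardened half of the space."""
    if not 0 <= index <= MAX_INDEX:
        raise ValueError(f"child index out of 32-bit range: {index}")
    return index >= HARDENED_OFFSET


def hardened_index(n: int) -> int:
    """Convert the human-readable n' (or nh) notation to a raw child index."""
    if not 0 <= n < HARDENED_OFFSET:
        raise ValueError(f"hardened child number must be 0..2^31-1, got {n}")
    return n + HARDENED_OFFSET


def is_valid_hardened_child(index: int) -> bool:
    """The check the fixed bug lacked: accept only genuinely hardened indexes."""
    return HARDENED_OFFSET <= index <= MAX_INDEX


def parse_path(path: str) -> List[int]:
    """Parse "m/44'/0'/0'/0/5" (also the "44h" form) into raw child indexes."""
    parts = path.strip().split("/")
    if not parts or parts[0] != "m":
        raise ValueError("path must start with 'm'")
    indexes = []
    for comp in parts[1:]:
        if not comp:
            raise ValueError("empty path component")
        hardened = comp[-1] in ("'", "h", "H")
        number = comp[:-1] if hardened else comp
        if not number.isdigit():
            raise ValueError(f"bad path component: {comp!r}")
        n = int(number)
        if hardened:
            indexes.append(hardened_index(n))
        else:
            if n >= HARDENED_OFFSET:
                raise ValueError(f"non-hardened index too large: {n}")
            indexes.append(n)
    return indexes


if __name__ == "__main__":
    print(parse_path("m/44'/0'/0'/0/5"))
    print(is_valid_hardened_child(2147483647), is_valid_hardened_child(2147483648))
```

The two representations are easy to confuse: 2147483647' in path notation is valid (it maps to raw index 4294967295), whereas the raw index 2147483647 is never hardened. Validate whichever form an API accepts before deriving.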

7. Known Issues

  • The sync key API returns a 400 status code and a response error because the short-term access token expires during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • The exclude option does not work in the proxy config for operations such as attestation (JIRA: PROD-3311).
  • Unable to create an app when a Custom Group Role has the Create Apps permission enabled (JIRA: PROD-5764).
