Fortanix Data Security Manager (DSM) 4.16 comes with some exciting new enhancements, improvements, and resolved issues.
This release is superseded by the April 14, 2023, release.
1. Enhancements to Existing Features
- Created different input and output data types for custom tokenization (JIRA: PROD-6079).
  This release allows customers to create a custom tokenization security object with two different character sets for tokenization and detokenization, so that input of one data type is tokenized to an output token of a different data type. This feature is supported only for the “Number” data type as raw input data, and the tokenized output data can be alphabetic characters (A-J).
  For more details, refer to the User’s Guide: Tokenization.
- Enabled External Key Store (XKS) support for AWS KMS for all Fortanix DSM accounts (JIRA: PROD-5621).
  External Key Store (XKS) support for AWS KMS is now enabled for all Fortanix DSM accounts. This manifests itself as a new authentication method, “AWS XKS”, for app definitions in DSM. For more details, refer to Integration Guide: DSM with AWS XKS.
- Updated the UI description for the DSM Data Export feature (JIRA: ROFR-3946).
  The description of the Data Export feature has been updated to make it clear that only the security object metadata, not the sensitive data, is being exported.
- New improved Audit log table pagination design (JIRA: ROFR-3789).
  - Added support to search audit logs using the “Select a month” filter to search audit logs for any 31-day period.
- Added Email Verification pop-up banner for DSM SaaS users to verify their email address (JIRA: ROFR-3885).
  - This banner is displayed only for unverified users to re-verify their email addresses.
  - The banner will be displayed on the DSM Accounts list page and DSM, CCM, and CAI Accounts Home page.
- Improved the activity logs for DSM apps and users (JIRA: ROFR-3901).
  The activity logs on the apps and users' detail page and list view page now also show the audit logs when the apps or users are actors or objects.
- Improved the drop down component for loading KEKs in the “Configure KEK from an existing group” workflow in the New Groups page and Group’s detail page (JIRA: ROFR-3891).
  - Only three groups will be shown at a time in the drop down menu and the remaining groups can be selected using a scroll.
  - The KEKs in the drop down menu are now sorted by name in ascending order.
  - Added padding below the KEK drop down menu so that you can view at least 6 KEKs without extra scroll.
- Added a human-readable view for quorum approval request modal window when importing a key that has been encrypted (JIRA: ROFR-2941).
  Improved the modal window for quorum approval requests when importing a key that has been encrypted with another key.
- The group detailed view security objects show/hide columns list is now consistent with the main security objects show/hide columns list (JIRA: ROFR-2830).
- Updated the AWS KMS, GCP, and Azure icons on the DSM SaaS subscription page (JIRA: ROFR-2488).
- The RSA key creation flow in DSM now selects the default Encryption and Signature Padding policy (JIRA: ROFR-2192).
- Added System Administration setting to configure the authentication retries in Fortanix DSM and lock user's account temporarily (JIRA: PROD-6406).
  This release adds a setting that lets a system administrator set the maximum number of authentication attempts and how long an account is temporarily locked when a user tries to log in to Fortanix DSM with a wrong password, to stop unauthorized access.
  For more details, refer to System Administration Settings Guide: Policies.
2. Other Improvements
- Added control-plane toleration to Kubernetes workloads (JIRA: DEVOPS-3674).
- Node attestation now uses version 4 (“IAS-v4”) instead of version 3 (JIRA: PROD-6355). NOTE: IAS-v3 will be deprecated soon, after which you will not be able to upgrade to DSM versions below 4.8.
- Improved SWDist to handle duplicate files more efficiently (JIRA: DEVOPS-3052).
- Implemented a global service for refreshing the approval requests list (JIRA: ROFR-2869).
- Improved User Interface support for LMS, ECKCDSA, and BLS key parameters when rotating, copying, or deriving these keys (JIRA: ROFR-3922).
- Removed the maximum length limit on the email address input field (JIRA: ROFR-3936).
- A deactivated key can now be automatically enabled using the `mark_key_disable_when_deactivated` parameter by setting its value to `false` (JIRA: PROD-6028). For more information, refer to Enabling a Deactivated Key.
3. Integrations
- Added support for Fortanix DSM with BeyondTrust Password Safe integration (JIRA: UX-2125). For more information, refer to DSM with BeyondTrust Password Safe Guide.
- Added support for Easy Wizard integration for DSM with Salesforce (JIRA: ROFR-3900). For more information, refer to DSM with Salesforce using easy wizard integration Guide.
4. Client Enhancements
- Extended BLS algorithm support to the DSM Java client (JIRA: PROD-6478).
- Published the Microsoft CNG/EKM Provider client (Windows 64bit Installer) (JIRA: DEVOPS-3408).
- Published the Microsoft CNG Fortanix DSM client to the public repository (JIRA: DEVOPS-3326). For more details refer to the Instructions to install the CNG client from public repo.
5. DSM Accelerator Client Enhancements
- DSM-Accelerator Webservice:
  - Added GET / endpoint support in DSM-Accelerator web service (JIRA: PROD-6274).
6. Quality Enhancements/Updates
- Added a script that checks whether cold standby nodes are joined or removed successfully (JIRA: DEVOPS-3754). The script is available at the location `/opt/fortanix/sdkms/bin/node_info.sh`.
- Added a script to automate prechecks using Sensu so that users can configure a Sensu check and run it using Sensu agent (JIRA: DEVOPS-3753). For more information, refer to the Administration Guide: Fortanix DSM Upgrade Checks using Sensu – Automated.
- Improved the cluster restore automation script for better performance (JIRA: DEVOPS-3752). For more information, refer to the Administration Guide: Fortanix DSM Cluster Restoration Guide – Automated.
- Added a script to automate DC labeling configuration (JIRA: DEVOPS-3709). For more information, refer to the Administration Guide: DSM Data Center Labeling - Automated.
7. Bug Fixes
- Fixed an issue where the user was unable to detokenize with `cipher_char_set` and preserve parameter (JIRA: PROD-6538).
- Fixed an issue where email confirmation link sent during user signup had an invalid user ID (JIRA: PROD-6509).
- Fixed a crash in the DSM app creation flow (JIRA: ROFR-3967).
- Fixed an issue that failed to enable the “Public key published” and resulted in an error upon Save (JIRA: ROFR-3966).
- Fixed an issue where the default permissions were not enabled when creating an AES key in the AWS KMS and Azure Key Vault groups (JIRA: ROFR-3965).
- Fixed an uncaught error when regenerating the DSM app credentials and setting an expiry date (JIRA: ROFR-3963).
- Fixed a page crash when searching a DSM group using the groups filter (JIRA: ROFR-3961).
- Fixed an error that breaks the UI when creating an HMG configuration with TLS set to `disabled` or `opportunistic` (JIRA: ROFR-3947).
- Fixed an issue where the DSM UI did not show the secret when clicking on the Show button (JIRA: ROFR-3945).
- Fixed an issue where the DSM-Accelerator webservice did not support PEM-formatted private keys (JIRA: PROD-6436).
- Fixed the alignment when the AWS keys are in “Pending deletion” state (JIRA: ROFR-3921).
- Fixed a 500 status error when the `size` query parameter is `0` in the `GET` audit logs API (JIRA: PROD-6367).
- Fixed an issue where the Quorum approval policy still exists even after deleting it from the Account Settings page (JIRA: ROFR-3913).
- Fixed an issue where admin apps were not shown in the “Created by” column in the security objects table view (JIRA: ROFR-3911).
- Fixed an issue that did not allow removing the HMG configuration from a FIPS-backed group (JIRA: ROFR-3883).
- Fixed the following issues in DSM application workflows (JIRA: ROFR-3882):
  - Fixed an issue that resulted in displaying the wrong Credentials button label during creation of a DSM app of a particular interface type.
  - Fixed an inconsistent label for the submit button when changing an application’s authentication method.
- Fixed an issue in the EC key generation workflow where the “Curve” value should be blank rather than unknown (JIRA: ROFR-3871).
- Fixed an issue where an LDAP user was not able to log in when the cluster is in read-only mode (JIRA: DEVOPS-3552).
- Fixed some UX issues in the easy wizard integration for Cloud Data Control with log aggregation (JIRA: ROFR-3855).
- Fixed an issue where the KCV value was missing in the security object CSV reports (JIRA: ROFR-3903).
- Fixed an issue where a user gets a “Token is invalid” error due to a conflicting email address in the email verification workflow (JIRA: ROFR-3809).
- Fixed an issue in DSM-Accelerator JCE where GCM, CCM, and OFB modes were not supported for AES encrypt or decrypt operations (JIRA: PROD-6022).
- Fixed an issue in DSM-Accelerator JCE where "iv" was required to perform decryption for AES cipher mode: ECB, KW, or KWP and for DES and DES3 modes: ECB (JIRA: PROD-6021).
- Fixed an issue where triggering an email change should not break the previous email verification state (JIRA: PROD-6020).
- Fixed an issue where key wrapping using the RSA key did not show the supported padding schemes (JIRA: ROFR-3750).
- Fixed an issue where even after enabling the Get All Approval Requests custom role, the user was unable to see the request in the Tasks tab (JIRA: PROD-2336).
- Fixed different audit backup TAR file names in the Azure container (JIRA: DEVOPS-3068).
- Fixed incorrect user email verification state (JIRA: PROD-4833).
- Fixed an issue where the user was unable to update the authentication token in the Splunk log management configuration in the System Administration settings (JIRA: ROFR-2919).
- Fixed an issue where the user was unable to disable the "audit log" on a secret or opaque object (JIRA: ROFR-2421).
- Fixed an issue where the user was unable to get into maintenance mode using the `ipmitool sol activate` command when performing an Ubuntu recovery (JIRA: DEVOPS-3339).
8. Known Issues
- When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
- The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
- `exclude` does not work in the proxy config for operations such as attestation (JIRA: PROD-3311).
- Unable to perform Local encrypt/decrypt operation in Fortanix DSM-Accelerator using DES3 algorithm in CBC/ECB mode with the key size 112 (JIRA: PROD-5598).
9. Fortanix Data Security Manager Performance Statistics
9.1 Series 2
Key Types and Operations | Throughput (Operations/second on a 3-node cluster) |
---|---|
AES 256: CBC Encryption/Decryption | 4,830/4,704 |
AES 256: GCM Encryption/Decryption | 4,818/4,742 |
AES 256: FPE Encryption/Decryption | 2,280/2,235 |
AES 256 Key Generation | 1,163 |
RSA 2048 Encryption/Decryption | 4,311/1,034 |
RSA 2048 Key Generation | 30 |
RSA 2048 Sign/Verify | 1,039/4,229 |
EC NISTP256 Sign/Verify | 1,021/581 |
Data Security Manager Plugin (Hello world plugin) | 1,845 (invocations/second) |
9.2 Azure Standard_DC8_v2
Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8_v2] cluster) |
---|---|
AES 256: CBC Encryption/Decryption | 3,497/3,506 |
AES 256: GCM Encryption/Decryption | 3,480/3,506 |
AES 256: FPE Encryption/Decryption | 1,820/1,767 |
AES 256 Key Generation | 1,000 |
RSA 2048 Encryption/Decryption | 3,185/1,045 |
RSA 2048 Key Generation | 41 |
RSA 2048 Sign/Verify | 1,038/3,275 |
EC NISTP256 Sign/Verify | 819/492 |
Data Security Manager Plugin (Hello world plugin) | 1,617 (invocations/second) |
9.3 Series 2 JCE
Key Types and Operations | Throughput (Operations/second on a 3-node cluster) |
---|---|
AES 256: CBC Encryption/Decryption | 3,901/3,871 |
AES 256 Key Generation | 1,163 |
RSA 2048 Key Generation | 30 |
RSA 2048 Sign/Verify | 813/1,925 |
EC NISTP256 Sign/Verify | 816/516 |
Data Security Manager Plugin (Hello world plugin) | 1,811 (invocations/second) |
9.4 Azure Standard_DC8 JCE
Key Types and Operations | Throughput (Operations/second on a 3-node [Standard_DC8 JCE] cluster) |
---|---|
AES 256: CBC Encryption/Decryption | 3,059/3,189 |
AES 256 Key Generation | 1,028 |
RSA 2048 Key Generation | 40 |
RSA 2048 Sign/Verify | 778/1,685 |
EC NISTP256 Sign/Verify | 655/426 |
Data Security Manager Plugin (Hello world plugin) | 1,629 (invocations/second) |
10. Fortanix Data Security Manager-Accelerator Performance Statistics
10.1 Runtime Environment
Item | Specification |
---|---|
Number of Cores | 4 |
CPU | Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz |
RAM | 32 GiB |
10.2 DSM-Accelerator Webservice
Key Types and Operations | Throughput (Operations/second on a 1-node cluster) |
---|---|
AES 256: CBC Encryption/Decryption | 9,925/9,926 |
AES 256: GCM Encryption/Decryption | 9,730/9,682 |
AES 256: FPE Encryption/Decryption | 3,897/3,845 |
10.3 Additional Modes
Key Types and Operations | Throughput (Operations/second on a 1-node cluster) |
---|---|
AES 256: CBCNOPAD Encryption/Decryption | 8,948/8,715 |
AES 256: CFB Encryption/Decryption | 9,971/10,036 |
AES 256: CTR Encryption/Decryption | 10,006/9,998 |
AES 256: OFB Encryption/Decryption | 9,941/9,946 |
11. Installation
To download the DSM SGX (on-prem/Azure) and Software (AWS/Azure/VMWare) packages, click here.