[4.20] Patch - August 28, 2023

These release notes for Fortanix Data Security Manager SaaS (DSM SaaS) 4.20.2274 provide an overview of the new improvements and known issues.

NOTE
This release is for SaaS only and is not available for on-premises installations.

1. Other Improvements

  • Updated AIC BIOS to version ATLK0061 in the Fortanix DSM installer (JIRA: DEVOPS-4217).
  • You can now import an RSA certificate with an exponent between 3 and 65537 (JIRA: PROD-7421).

2. Known Issues

  • The DSM login page is shown briefly after performing an SSO login (JIRA: ROFR-4148).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD-3311).
  • The sync key API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
    Workaround: increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
  • Rotating a GCP BYOK key to a pre-existing Fortanix DSM-hosted key (Rotate to DSM key) is not supported (JIRA: PROD-6722).
    Workaround: You can manually copy an existing AES 256 key from a normal DSM group to a GCP-backed group. This key automatically becomes the currently active crypto key version in the GCP key ring.
  • The “Rotate linked key” feature fails with an error for keys in an externally backed group where the external entity is a Google Cloud Platform key ring (JIRA: PROD-6828).
    Workaround: You must first manually rotate the source key in the regular DSM group and then copy the rotated key to the GCP group.
  • An Azure Managed HSM external KMS group now also allows the following security object types to be generated or imported, but the Bring Your Own Key (BYOK) and rotate key functionality does not work for these security object types (JIRA: ROFR-4192).
    • EC
    • AES 128 and AES 192
    Workaround: Do not generate or import security objects of type EC, AES 128, or AES 192 in an external KMS group of type Azure Managed HSM, since the only allowed security object types for an Azure key generated using the Generate or Import key workflows are:
    • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096)
    • AES 256
  • If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
    Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
  • Unable to add Custom Attributes for a Fortanix DSM security object from its detailed view (JIRA: ROFR-4252).
    • Clicking the ADD CUSTOM ATTRIBUTE button does not load the Label and Value fields.
      Workaround: Click the drop-down for the “Custom attributes” section twice to load the Label and Value fields.
    • When you type a label of the custom attribute, the text box loses focus.
      Workaround: Enter the label of the custom attribute a second time to add the custom attribute successfully.
  • Increasing the “Retention period for Audit Logs” setting at the account level duplicates the “purge audit log” message in the audit logs (JIRA: PROD-7031).
  • Users will see the "Not a HSM group" error message while deleting the HSM/KMS group from the FIPS-backed group (JIRA: ROFR-4245).
  • The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
  • The AWS Key Policy section alignment moved from the bottom of the security object detailed view to the right side of the page. This is a cosmetic issue only (JIRA: ROFR-4241).
  • Users without two-factor authentication do not see the pop-up message “Unable to select this account. Reason: Two-factor authentication is required for this operation” when they select an account that has two-factor authentication configured (JIRA: ROFR-4238).
  • The retry mechanism does not work as expected in the DSM-Accelerator Webservice (JIRA: PROD-7068).
  • The SUBMIT button is not disabled when no Security Objects are selected or all security objects are in a disabled state and the user checks the Rotate linked key check box (JIRA: ROFR-4233).
  • When the Batch Sign operation is performed for Curve Ed25519/X25519 in DSM-Accelerator Webservice, the returned status code is 500 instead of 400 (JIRA: PROD-7007).
  • When a user logs in to a DSM account with Azure OAuth login details, and the account was configured with the OAuth Single Sign-On authentication method with the “No Roles can login with password” option, the user is redirected to the Azure OAuth login page again instead of to the selected account (JIRA: ROFR-4298).
  • When a key is soft-deleted from the DSM Azure Key Vault Cloud Data Control (CDC) group, the “Purge deleted key” button is not visible in the UI (JIRA: PROD-7202).
  • Rotating a linked AWS KMS key when the source key in a regular DSM group is rotated does not display the modal window to confirm the linked key rotation (JIRA: ROFR-4324).
  • The “Copy Key” feature for an LMS key results in an error (JIRA: PROD-7336).

For a complete list of new features, enhancements to existing features, other improvements, and bug fixes, refer to the full description of the 4.20 DSM SaaS release.
