[4.31] - August 06, 2024

Fortanix Data Security Manager (DSM) 4.31 comes with some exciting new features, improvements, and resolved issues.

1. New Features

• This release supports a new feature for DCAP (Data Center Attestation Primitives) clusters that allows Fortanix DSM system administrators to control the joining of new nodes to the cluster, ensuring that only trusted nodes can be added to this cluster. A new tab called TRUST CENTER is added to the System Administration → CLUSTER page where the system administrators can maintain the list of trusted CPU identities (IDs) (JIRA: PM-110).
  
  For more information, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.

2. Other Improvements

• Updated the groups (sys/v1/groups) and apps (sys/v1/apps) API to support list limit and sorting (JIRA: PM-205).
• Implemented improvements to make Cassandra and sdkms pods tolerant of NotReady nodes (JIRA: DEVOPS-4938).
• Enabled null attestation as the default attestation method for DSM Non-SGX nodes (JIRA: DEVOPS-4819). For more details, refer to the Fortanix Data Security Manager Software Pre-Upgrade Checks – Manual.

3. Client Improvements

• Enhanced the EKM client to always use basic authentication tokens (API keys) for all the cryptographic operations to optimize the session management process (JIRA: PROD-8660).
• Updated the End User License Agreement (EULA) in the Windows client installer to reflect the latest terms and conditions (JIRA: PROD-8892).
• The Sequoia PGP client now supports generating keys of type nistp256, nistp384, nistp521, and rsa2k (JIRA: PM-381).

4. DSM-Accelerator Improvements and Bug Fixes

• DSM-Accelerator JCE Provider
  • A new variant of DSM-Accelerator JCE Provider Thin client is now created as a single unified JAR that contains the Fortanix dependencies (sdkms-client and dsm-accelerator) (JIRA: PROD-8857).
    For more details, refer to the following documents:
    
    • DSM Accelerator JCE Provider Deployment Guide
    • DSM Accelerator JCE Provider Downloads
  • Improved the key retrieval process in the DSM-Accelerator JCE Provider to utilize the cached data more efficiently (JIRA: PROD-8799).
  • Fixed the NoPadding scheme for the DSM-Accelerator JCE Provider where the ciphertext length correctly matches the input length (JIRA: ES-385).

5. Integrations and Use Cases

• Fortanix DSM now integrates with Databricks for seamless tokenization and detokenization operations (JIRA: ROQA-5580).
  For more information, refer to the Using Fortanix Data Security Manager with Databricks.

6. Quality Enhancements

• Upgraded Kubernetes to version 1.29.6 (JIRA: DEVOPS-4625).
  For more information, refer to the Administration Guide: Fortanix Data Security Manager (Release 4.31) Kubernetes Version Upgrade to 1.29 K8s.
• Updated the fluentd image to version 1.16.2-debian-1.1 (JIRA: DEVOPS-4867).
  

7. Bug Fixes

• Fixed a Cassandra timeout issue when loading the Fortanix DSM Dashboard for accounts with more than three million security objects (JIRA: ES-342).
• Fixed an issue where the user was unable to import a wrapped AES key into Fortanix DSM (JIRA: ES-374).
• Fixed an issue where the deactivation_date was not being set in copy-based key rotation (JIRA: PROD-7656).
• Fixed an issue where Fortanix DSM nodes were not entering the reboot cycle after being drained (JIRA: DEVOPS-4648).
• Fixed and issue where importing an ECSecP256K1 key into a hardware-protected Azure Premium Key Vault failed in the browser UI (JIRA: PROD-8808).
• Fixed an issue where linked keys were not being rotated correctly (JIRA: ROFR-4989).

8. Known Issues

• A Fortanix DSM account, whether normal or system administrator, with the "No Roles Can Login with Password" role selected, may experience issues when attempting to log in using a password. If the users select such an account and enter the SSO credentials, they will be logged out instead of accessing the account (JIRA: ROFR-4998).
  Workaround: The users should log in directly with SSO after the "No Roles Can Login with Password" role is set to access the account.
• When you edit the starting time of a Key rotation policy for a security object with the value as single digit time, for example: 01:00 am, it shows an error “Invalid date/time selected. Please make sure you filled in a valid 12-hour time” (JIRA: ROFR-4786).
  Workaround: Re-enter the rotate start time by removing the “0” before the single digit time and enter a new time (for example, 01:00 am to 2:00 am).
• After downgrading Fortanix DSM to version 4.25, it still shows the Node size field with a null value for LMS keys that were added in DSM version 4.26, even though the Node size is not a supported parameter in the older version (JIRA: PROD-8278).
• Unable to create an LMS key with the following height combinations of 20 (JIRA: PROD-8248).
  
  • 5, 20, and vice versa.
• The hyperlink color for the field “Follow the instructions in” in the “Add Instance” form for Google Workspace Client-Side Encryption (CSE) still reflects the old link color value (JIRA: ROFR-4789).
  
  
• The sync key API returns a “400 status code and response error” if its short-term access token expires during the synchronization of a group linked to AWS KMS (JIRA: PROD-3903).
  Workaround: Increase the timeout of the temporary session token beyond the expected duration of the sync key operation.
• exclude does not work in the proxy configuration for operations such as attestation (JIRA: PROD-3311).
• If an Azure key is rotated and then soft-deleted, only one version of the key is soft-deleted (JIRA: PROD-6947).
  Workaround: Perform a key scan in DSM to synchronize the key state with Azure.
• The create operation for security object creation does not work for the Azure Managed HSM plugin (JIRA: PROD-7078).
• Copying an RSA or EC key from a normal DSM group to an AWS KMS-backed DSM group does not work as expected and results in an error (JIRA: PROD-7787).
  Workaround: Export the RSA or EC key from the normal DSM group and import it into the AWS KMS-backed DSM group.
• The Fortanix DSM user interface (UI) fails to load groups beyond 1000. Therefore, any security object associated with a group beyond 1000 will not be displayed (JIRA: ROFR-4378).
• The admin applications (apps) cannot retrieve the details for GET /users/{uuid} and instead returns the error "Inappropriate authorization for the requested operation" (JIRA: PROD-9212).
  Workaround: Use GET /users/{uuid} using the system administrator credentials to retrieve the user ID details.
• If the email configuration is incorrect, clicking RESEND VERIFICATION EMAIL on the Fortanix DSM user interface (UI) will result in a 500 Internal Server Error from the resend_confirm_email API (JIRA: PROD-9243).
  
  TIP

  Before enforcing email confirmation, ensure the System Administrator's email has been confirmed. Otherwise, if the email configuration is incorrect, the administrator might get locked out of the system.
  Workaround: Email verification is not enforced for the entire cluster; therefore, only a few users must verify their emails. If the email configuration is incorrect, their accounts will remain accessible and not be blocked.

9. Fortanix Data Security Manager Performance Statistics

9.1 Series 2

________________________________________________________________________________________________________________

9.2 Azure Standard_DC8_v2

________________________________________________________________________________________________________________

9.3 Series 2 JCE

________________________________________________________________________________________________________________

9.4 Azure Standard DC8 JCE

10. Fortanix Data Security Manager-Accelerator Performance Statistics

10.1 Runtime Environment

________________________________________________________________________________________________________________

10.2 DSM-Accelerator Webservice

________________________________________________________________________________________________________________

10.3 Additional Modes

11. Installation