1. Fortanix
  2. Downloads
  3. Data Security Manager (DSM)
  4. DSM Software Release Notes
  5. 4.10 (SaaS only)

[4.10] - Aug 26, 2022

Last Updated: 

Fortanix Data Security Manager (DSM) SaaS 4.10 comes with some exciting new features, general enhancements, improvements, and resolved issues.

This release is superseded by the August 30, 2022, release

NOTE
This release is for SaaS only and not available for On-Prem installations.

1. New Functionality/Feature(s)

1.1 Native BIP32 Key API Support (JIRA: PROD-4261):

This release allows you to import a new type of security object called BIP32. BIP32 is a parent key inside a Bitcoin hierarchical deterministic wallet (HD Wallet). This key can be used to recover all keys beneath it in the tree, for example: it can be used to sign transaction hashes and derive hardened and non-hardened children.

BIP32.png

For more details, refer to User’s Guide: Key Lifecycle Management.

1.2 Added a new operation for BIP32 keys (JIRA: ROFR-3459):

  • “Transform” operation for non-hardened child key.

BIP32Ops.png

For more details, refer to User’s Guide: Key Lifecycle Management.

1.3 Added “Transform” operation to the app and group permitted operations for the BIP32 keys (JIRA: ROFR-3467):

When you create a group or app from the Fortanix DSM UI, it will additionally have the new “TRANSFORM operation active by default.

BIP32App.png

For more details, refer to User’s Guide: Security Controls for Fortanix Data Security Manager Applications.

1.4 Allow downloading all security objects as a CSV file (JIRA: ROFR-3451):

In addition to downloading the currently visible security objects on the Security Objects page using the DOWNLOAD AS CSV option, you can also download all the security objects in the account using the DOWNLOAD ALL button.

DownloadCSV.png

1.5 Support for BYOK Plugin for Oracle Cloud Infrastructure (OCI) Vault (JIRA: PROD-4050): 

This release adds support for generating a symmetric and asymmetric encryption key in Fortanix DSM and then BYOK it into the OCI vault.

For more details, refer to User’s Guide: Plugin Library.

2. Enhancements to Existing Features

  1. Automatic Linked key rotation for Azure Keys (JIRA: PROD-5163).
    You can now schedule a key rotation policy for the Fortanix DSM source key that has linked Azure keys that are copies of the source key so that the linked Azure keys are also periodically rotated automatically. This can be enabled by selecting the Rotate all copied keys option. AzureKeyRotation.png

    For more details, refer to User’s Guide: Azure Key Vault External KMS.

  2. Automatic Linked key rotation for AWS External KMS Keys (JIRA: PROD-5050).
    You can now schedule a key rotation policy for the Fortanix DSM source key that has linked AWS KMS keys that are copies of the source key so that the linked AWS KMS keys are also periodically rotated automatically. This can be enabled by selecting the Rotate all copied keys option. AWSKeyRotation.png

    For more details, refer to User’s Guide: AWS External KMS.

  3. Automatic Linked key rotation for Azure Managed HSM Keys (JIRA: PROD-3037).

    You can now schedule a key rotation policy for the Fortanix DSM source key that has linked AWS Managed HSM keys that are copies of the source key so that the linked Azure Managed HSM keys are also periodically rotated automatically. This can be enabled by selecting the Rotate all copied keys option.

    AWSKeyRotation.png
    For more details, refer to User’s Guide: Azure Managed HSM.
  4. The “Create” permission is now hidden for Quorum approval policy for a Fortanix DSM group (JIRA: ROFR-3159).

    As there is no Quorum policy check for the "Create" operation and the action of creating a security object does not initiate a Quorum approval request, hence the “Create” security object operation is hidden from the list of operations that require quorum approval.

    QuorumApprovalCreateOp.png
  5. Custom Tokenization – restored max Length limit and removed max Value limit (JIRA: ROFR-3295).

    Added max Length limit for custom tokenization and removed the wrongly added limit for the max Value field.

    TokenCustom.png

    For more details, refer to User’s Guide: Tokenization.

  6. Added toast message when renaming and deleting the u2f security key (JIRA: ROFR-3295).
    U2F.png

3. Other Improvements

  1. Flattened the cache structure for Signed JWT to avoid the small cap on the number of keys per source (JIRA: PROD-5195).
  2. Enhanced the API for Fortanix DSM Groups (JIRA: PROD-4603).
  3. Obtained the relations/mapping report for Fortanix DSM security objects, groups, users, and so on (JIRA: PROD-4571).
  4. Enhanced the GET All accounts API to take query parameters for start and end to be able to return all accounts (JIRA: PROD-4093).

4. Bug Fixes

  • Fixed an issue where the backend ignores connect-src whitelist in the manifest.json file (JIRA: ROFR-3176).
  • Fixed an issue where after upgrading to DSM 4.9, GET_SOBJECTS was returned by error in the UI during quorum approval (JIRA: PROD-5196).
  • Fixed an issue where the Fortanix AWX plugin was not working as expected (JIRA: DEVOPS-2982).
  • Fixed an issue where ActionType::Administrative is used instead of ActionType::RunPlugin during plugin invocation. (JIRA: PROD-5185).
  • Fixed an issue where the sdkms-cli shows byte array instead of a base64 encoding strong (JIRA: PROD-5170).
  • Fixed an issue where a user was unable to add Quorum policy to an existing KEK group after removing the Quorum policy (JIRA: PROD-5159).
  • Fixed a JSON error message on deletion of Splunk log integration (JIRA: ROFR-3424).
  • Fixed a user PATCH panic in mfa/u2f path (JIRA: PROD-5132).
  • Fixed an issue where a user should not be allowed to update the group of KEK to another secondary group (JIRA: ROFR-3415).
  • Fixed an issue where a user was unable to delete a security object after deleting the group (JIRA: PROD-5005).
  • Fixed backend parsing issues for minimum/maximum length custom token schemas (JIRA: ROFR-3293).
  • Fixed an issue where a password continued to be stored while disabling the U2F (JIRA: ROFR-3284).
  • Fixed alignment issues and error message updates on the U2F recovery page (JIRA: ROFR-3272).
  • Fixed an issue where the input Secret object values were not saved after importing resulting in a mismatch with the output Secret object value for the value format text(UTF-8) (JIRA: ROFR-3225).

5. Quality Enhancements/Updates

  • Set dclocal_read_repair to 0 on all tables in Cassandra keyspace. (JIRA: DEVOPS-2898).
  • Implemented Cassandra Heap and Memory Tuning (JIRA: DEVOPS-2898).
  • Implemented audit log partitioning by time in Cassandra database (JIRA: PROD-5150).
  • Enabled trickle_fsync by setting it to true in Cassandra when using with solid-state drives (SSDs) for better performance (JIRA: DEVOPS-2896).
  • Configured Cassandra to use G1GC in JVM for performing more efficient JVM Garbage Collections (GCs) (JIRA: DEVOPS-2566).

6. Security Fixes

  • Blocked the ICMP and TCP timestamp requests that can be used to determine system time (JIRA: DEVOPS-2915).
  • Set etcd ciphersuite to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 to ensure that all communication has guarantees (JIRA: DEVOPS-2914).

7. Known Issues

  • An account could be lost if account tables are inconsistent between nodes. Make sure a backup is successful before proceeding with ANY upgrade (JIRA: PROD-4234).
  • When a node is removed from a 3-node cluster with build 4.2.2087, and the 2-node cluster is upgraded with build 4.3.xxxx, it is possible that the deploy job is exited and marked completed before cluster upgrade (JIRA: DEVOPS-2068). Workaround: If all the pods are healthy, you can deploy the version again.
  • The sync key API returns a “400 status code and response error” due to the short-term access token expiry during the sync key operation of a group linked to AWS KMS (JIRA: PROD-3903).
  • exclude does not work in the proxy config for operations such as attestation (JIRA: PROD: 3311).

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful