Release Notes
Product Description
CipherTrust Manager is the center of the CipherTrust Data Security Platform. It serves as the central point for managing configuration, policy and key material for data discovery, encryption, on-premise and cloud based use cases. It is the successor to both the Thales eSecurity (formerly Vormetric) DSM and the Gemalto (formerly SafeNet) KeySecure platforms.
Product Abbreviations
| Name | Abbreviation |
|---|---|
| CipherTrust Batch Data Transformation | BDT |
| CipherTrust Manager | CM |
| CipherTrust Application Data Protection | CADP |
| CipherTrust Application Key Management | CAKM |
| CipherTrust Cloud Key Manager | CCKM |
| CipherTrust Data Protection Gateway | DPG |
| CipherTrust RESTful Data Protection | CRDP |
| CipherTrust Database Protection (formerly known as ProtectDB) | CDP |
| CipherTrust Live Data Transformation | LDT |
| CipherTrust Transparent Encryption | CTE |
| CipherTrust Transparent Encryption for Kubernetes | CTE-K8s |
| CipherTrust Transparent Encryption for Ransomware | RWP |
| CipherTrust Transparent Encryption UserSpace | CTE UserSpace |
| CipherTrust Intelligent Protection | CIP |
| CipherTrust Data Discovery and Classification | DDC |
| CipherTrust Vaulted Tokenization | CT-V |
| CipherTrust Vaultless Tokenization | CT-VL |
| Data Protection on Demand | DPoD |
| CipherTrust Secrets Management | CSM |
Release Description
This release is available on the Customer Support Portal in the following formats:
- An upgrade file for physical k570, k470 and standard k160 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
  Note
  The High Assurance (HA) k160 model is not supported with this release.
- An OVA image file for deploying a new Virtual CipherTrust Manager on VMWare vSphere or Nutanix AHV.
- A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
- A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack or RedHat OpenShift.
In addition, 2.21.0 Virtual CipherTrust Manager will be available on the following public clouds, as the Community Edition:
- Amazon Web Services: SafeNet Cloud Provisioning System
- Google Cloud
  Note
  As 2.21.0 is not the default version, you must use the gcloud CLI to retrieve it.
- Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
- Oracle Cloud
- IBM Cloud
  - An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMWare.
  - A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud Gen2.
2.21.0 contains a number of new features and enhancements. Refer to Release 2.21.0 for details. For the list of known issues, refer to Known Issues.
Features and Enhancements
Release 2.23
Platform
- Deprecation: The legacy syslog connection available through Admin Settings is now deprecated. The + Add button to add a new connection of this type on the CipherTrust WebUI is now removed. Existing legacy syslog connections created prior to upgrading remain in place. The preferred replacement syslog configuration is through Connection Manager and Log Forwarders commands and menus.
- Technical Preview: Add capacity reports in REST API and ksctl CLI to display numbers of active keys, active domains, and orphaned keys. Expanded the Grafana CipherTrust Manager Resources dashboard to display these counts.
- Added automatic Certificate Revocation List (CRL) checking for the connection to an external syslog server, for forwarding the host logs available to ksadmin.
  Note
  This syslog connection is separate from the syslog connections available to forward audit records or KMIP/NAE activity logs.
- Added support for bulk export of keys using the /v1/vault/keys-bulk-export API. However, wrapping of the key material is not supported.
CCKM
CTE Suite
Information in this section applies to all types of CTE Agents unless stated specifically.
CTE
Note
CTE resources of Container policies on the DSM cannot be migrated to the CipherTrust Manager using the backup/restore method. The Container policies are supported only on the DSM.
CTE for Kubernetes (CTE K8s)
Ransomware Protection
CTE UserSpace
Notes on CTE UserSpace
CTE UserSpace is a kernel-independent file encryption product. The resources of CTE UserSpace clients running 10.0 and higher Agent versions are managed by the Transparent Encryption application on the CipherTrust Manager.
This release does not support the following features:
- Kernel Compatibility Matrix
- Agent and System locks
- CBC and XTS keys
- COS, IDT, and LDT policies and GuardPoints
Note
To manage the clients running the previous versions of the CTE UserSpace Agent, upgrade them to CTE UserSpace 10.0 or a higher version.
DDC
Note
Microsoft has announced the retirement of SharePoint Add-ins as detailed in their Retirement Announcement for Add-ins. From CipherTrust Manager 2.23 onwards, the existing SharePoint Online data store configuration method will no longer be supported, and you must reconfigure the data store according to Microsoft's updated prerequisites and permissions model.
Application Data Protection
- All Application Data Protection Clients: Added support for generating irreversible tokens.
- All Application Data Protection Clients: Added support for using a random nonce in FPE algorithms.
- All Application Data Protection Clients: Added support for the DATEv3 algorithm in protection policies. This algorithm enables protection and reveal of date formats.
- All Application Data Protection Clients: Added support for the AES/CTR algorithm in protection policies.
- CRDP: Added support for configurable keep-alive connections.
- CAKM For Oracle TDE: Added support for managing CAKM DB instances and database clients. This includes:
  - Creating database instances (API).
  - Listing database instances (UI and API).
  - Deleting database instances (UI and API).
  - Modifying client configurations (UI and API).
  - Adding, editing, and deleting CDBs and PDBs (UI and API).
- CAKM For Oracle TDE: Added support for registering CAKM for Oracle TDE connectors with Application Data Protection.
CipherTrust Database Protection (CDP)
Enhanced audit logging to capture all CDP tile operations.
Resolved Issues
| Issue | Synopsis |
|---|---|
| KY-111928 | If you attempt to rotate the HSM Key Encryption Key (KEK) for an HSM-anchored domain through the CipherTrust WebUI, the operation fails with the error [NCERRConflict: Failed due to a conflict with the current state of the target resource]: This error is due to a timeout mid-operation. |
| KY-111498 | If you attempt to add an additional Luna Network HSM connection for HSM-anchored domain or CCKM on a CipherTrust Manager, the HSM HA group does not synchronize keys automatically. |
| KY-110943 | User cannot log in to CipherTrust Manager using the default or a custom web interface if the interface does not contain the value user in the Allowed Identity Types field. |
| KY-109896 | Unable to delete application if the associated registration token gets deleted. |
| KY-109133 | When setting or updating column encryption properties, the IV column name is validated even if the IV type is set to column level. |
| KY-108863 | If you login to a non-root domain, and navigate to Access Management > Users, the option to unassign a user from the domain is unavailable on this page for users in the admin group. |
| KY-106777 | The external CipherTrust Manager read and test connection fails when only CCKM admin permission is granted. Workaround: Add user to the Connection Admins group. |
| KY-92312 | If you attempt to configure an HSM root-of-trust on the CipherTrust Web UI, the UI sometimes displays a timeout error, but the HSM configuration succeeds. |
System Upgrade Supported Releases
System upgrades on a single unclustered device have been tested from releases 2.11.8, 2.22.0, 2.21.0, and 2.20.0 on physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade, and for supported upgrade paths for the k160 physical device.
The cluster upgrade section provides instructions to perform an upgrade on a cluster of devices. Supported upgrade paths depend on the method used to upgrade the cluster.
- In-place offline cluster upgrade is supported from 2.11.8.
- In-place online cluster upgrade is supported from 2.22.0.
- Cluster remove/rebuild is supported from 2.11.8, 2.22.0, 2.21.0, and 2.20.0.
Restoring a backup from release 2.20.x or later is supported; however, restoring a newer backup to an older version is never supported.
An unclustered CipherTrust Manager can be downgraded to the previous minor version. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Warning
As we cannot guarantee stability, we strongly recommend using downgraded systems for test environments only. Do not use a downgraded CipherTrust Manager in a production environment.
Advisory Notes
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
Cluster In-Place Upgrade Only Available from 2.22.0
Due to better lifecycle management for system critical components starting in 2.22, the cluster in-place upgrade method is only available for upgrade from 2.22.0. If you are starting at a version below 2.22.0, we recommend using cluster in-place online to upgrade to 2.21.0, and then using cluster remove/rebuild to upgrade to 2.23.0.
Change Port Assignments for Cluster After Upgrade from 2.21 or Lower
Due to better lifecycle management for system critical components, the port assignments for clusters changed in 2.22.0. To create clusters after upgrade from 2.21 or lower, allow inbound and outbound network traffic on ports 5432 and 2380.
Add All AWS CloudHSMs in AWS Cluster for High Availability of Root of Trust
If you plan to have more than one AWS CloudHSM in an AWS Cluster, you must manually add each additional CloudHSM to CipherTrust Manager as soon as possible.
Otherwise, if none of the configured CloudHSMs is available on root-of-trust service restart, CipherTrust Manager does not recognize the additional, unconfigured CloudHSMs. The CipherTrust Manager application is not accessible with no root of trust available. Contact customer support to recover from this state.
Multi-Port Session Handling
You cannot open two CipherTrust Manager UI Web interfaces with different ports in the same browser. To open UI with different ports, use different browser windows.
Policies
Policies created to manage authentication based on the Client IP parameter don't apply to the requests coming to the NAE and KMIP interfaces with "anonymous login" mode enabled. For details, refer to Client IP.
Recommendation for NAE KeyQueryRequest
If a domain has more than 1000 cryptographic objects (keys and opaque objects), to fetch keys, it is recommended to use KeyNamesRequest instead of KeyQueryRequest. The response time of KeyQueryRequest is proportional to the number of keys on the CipherTrust Manager, therefore, it may lead to a timeout exception on the client side.
Log Forwarders
The log forwarders are not configured to use the system's proxy configuration. If proxy is configured, the log forwarders bypass the proxy servers.
Backup and Restore
The backup and restore of users and groups in a domain only works among the domains of different CipherTrust Managers. This feature does not support backup and restore among different domains of the same CipherTrust Manager.
Client Renewal
During client renewal, if another client (which has Auth mode set to DN) already exists in the system with a matching subject DN, the client renewal may fail. This applies to external or local CA clients. For external CA certificates, delete the client to be renewed and register a new client with a new certificate and different subject DN.
However, for local CAs, it is not required to delete the client to be renewed, rather set the do_not_modify_subject_dn field to false. Refer to Renew Local CA Client Certificates for details.
LDAP Connections
Added a validation in the GET /v1/usermgmt/connections/{id}/users/ API to prevent it from working on LDAP Connections. It is documented in the API Playground that this API supports zone connections only. To get all the local users and the already authenticated LDAP users of all the configured LDAP connections, the GET /v1/usermgmt/users API can be used.
Update Alarms for Secure Copy Protocols (SCP/SFTP)
Customers need to modify the existing alarm if configured with the message SCP Backup. They must update the message from SCP Backup to Secure Copy Backup in the alarm.
Increased Disk Space and Cluster Node Downtime Required for Upgrade from CipherTrust Manager 2.13.x or lower
Due to major internal database upgrades in 2.14.x and 2.16.x, CipherTrust Manager upgrade requires more free disk space and cluster node downtime when upgrading from CipherTrust Manager 2.13.x or below. You cannot directly upgrade from 2.13.x to 2.20.x, so these effects apply when you first upgrade from 2.13.x to an intermediate minor version, 2.14.x, 2.15.x, or 2.16.x.
- You require 35 GB of free disk space to exercise the upgrade.
- In-place online cluster upgrade requires additional downtime for cluster nodes. An individual cluster node might be unavailable for 10 minutes or more.
- During upgrade, the message NOTICE: skipped replication for captured CCL command "LOCK TABLE in replication sets (kylo) is displayed multiple times. This is an expected part of backend database configuration and does not indicate a problem.
Required System Volume Disk Size for Virtual CipherTrust Manager
If you have deployed a Virtual CipherTrust Manager with the previous evaluation disk size of 50 GB, you need to increase the system volume disk space to exercise the upgrade. We recommend at minimum 300 GB.
Recommendation for Secure Initialization Vector in DESede CBC, AES CBC, and AES GCM Encryption Requests
When generating a new AES or DESede key CipherTrust Manager currently generates and stores a Default IV associated with the new key. This is mainly used to support specific legacy integrations and applications.
We strongly recommend future crypto applications use a secure, unique initialization vector (IV) for each AES CBC, AES GCM, and DESede CBC encryption request, rather than relying on a default IV provided by CipherTrust Manager for the security of your data. For example, unpredictable, unique IVs for AES CBC requests protect against oracle attack techniques such as ROBOT, DROWN, POODLE, and BEAST.
We recommend using CipherTrust Manager's random number generation to produce secure IVs. Alternatively, you can provide your own IV with each AES CBC, AES GCM or DESede CBC encryption request, following the security guidelines for constructing secure IVs in NIST SP800-38A and NIST SP800-38D.
Caution
The IV value used for an encryption request is needed to decrypt the data later.
In the KMIP interface, always set the RandomIV object in the Cryptographic Parameters attribute to true or provide your own secure IV in the Request Payload as an IV/Counter/Nonce object.
In the REST and NAE interfaces, use CipherTrust Manager's random number generation to produce secure IVs for cryptographic requests, or provide your own secure IV.
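The recommendation above, as an added example that is not CipherTrust Manager code: it uses Go's standard-library AES-GCM as a local stand-in for an encryption request, shows what two requests under one reused IV reveal, and stores a fresh random IV with each ciphertext so it is available for decryption. The function names, the constructed key and the sample plaintexts are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const gcmIVLen = 12 // 96-bit IV, the length SP 800-38D recommends for GCM

// newGCM builds an AES-GCM AEAD for a 16, 24 or 32 byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithIV encrypts under a caller-supplied IV and returns ciphertext||tag.
// Calling it twice with the same IV models relying on one stored default IV.
func sealWithIV(key, iv, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != gcm.NonceSize() {
		return nil, errors.New("GCM IV must be 12 bytes")
	}
	return gcm.Seal(nil, iv, plaintext, nil), nil
}

// EncryptRequest draws a fresh random IV for this request and returns
// IV||ciphertext||tag, so the IV needed for decryption travels with the data.
func EncryptRequest(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, gcmIVLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := sealWithIV(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// DecryptRequest splits the stored IV from the blob, then verifies and decrypts.
func DecryptRequest(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcmIVLen+gcm.Overhead() {
		return nil, errors.New("blob shorter than IV plus tag")
	}
	return gcm.Open(nil, blob[:gcmIVLen], blob[gcmIVLen:], nil)
}

// GCMReuseLeaksXOR reports whether two ciphertexts made under the same key and
// IV XOR to the XOR of their plaintexts (true means the keystream was reused).
func GCMReuseLeaksXOR(key, iv, p1, p2 []byte) (bool, error) {
	c1, err := sealWithIV(key, iv, p1)
	if err != nil {
		return false, err
	}
	c2, err := sealWithIV(key, iv, p2)
	if err != nil {
		return false, err
	}
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return n > 0, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, never a real one
	fixedIV := make([]byte, gcmIVLen)     // stands in for one IV reused by every request
	leak, _ := GCMReuseLeaksXOR(key, fixedIV, []byte("PAN=4111111111111111"), []byte("PAN=5500005555555559"))
	c1, _ := sealWithIV(key, fixedIV, []byte("same record"))
	c2, _ := sealWithIV(key, fixedIV, []byte("same record"))
	blob, _ := EncryptRequest(key, []byte("same record"))
	pt, _ := DecryptRequest(key, blob)
	fmt.Println("reused IV: ciphertext XOR equals plaintext XOR:", leak)
	fmt.Println("reused IV: equal plaintexts give equal ciphertexts:", bytes.Equal(c1, c2))
	fmt.Printf("fresh IV: %d-byte blob decrypts to %q\n", len(blob), pt)
}
```

The same storage rule applies to AES CBC and DESede CBC requests: whichever side generates the IV, it has to be kept alongside the ciphertext.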
Some Key States Change After Upgrade
After upgrade from 2.4.x some key states are remapped as a result of harmonizing NAE-only key states. In most cases, the allowed operations for a key remain the same before and after upgrade, so key usage is not disrupted.
As you cannot upgrade directly from 2.4.x to 2.20.x, these changes take effect when you first upgrade from 2.4.x to an intermediate minor version, 2.5.x, 2.6.x, or 2.7.x.
- When a key has an NAE state of Retired and the deactivation date is set in the future, the key is set to Deactivated immediately upon upgrade. No cryptographic operations are allowed.
- When a key has an NAE state of Restricted and Protect Stop Date is set in future, the key is set to Active and the Protect Stop Date is set to the current time. Decryption, signature verification, unwrapping, and MAC verification are allowed.
- When a key has an NAE state of Active and Activation Date is not set, the activation date is set to the current time. All cryptographic operations are allowed.
- When a key has an NAE state of Active and Activation Date is set in the future, the key is set to a Pre-Active state and the Activation Date is retained. No cryptographic operations are allowed until the Activation Date is reached.
- When a key has a state of Deactivated before upgrade, its state will be unchanged after upgrade. However, the allowed operations for the Deactivated state change for 2.5. The key loses its ability to decrypt, verify signatures, unwrap, and verify MACs. You can re-activate the key after upgrade and set the ProtectStop date to restore those operations.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
As it may be useful for troubleshooting, it is possible to disable TLS/SSL for the NAE interface. This will lead to an insecure system. Therefore, TLS/SSL should always be enabled for a production system.
DDC
Upgrading CipherTrust Manager cluster to version 2.22 or above
For CipherTrust Manager version 2.22, in-place cluster upgrades are not supported. When upgrading the cluster, you must use the cluster remove/rebuild method. Please be aware that this upgrade method deletes the active DDC node selection. This means the node that was previously assigned as the active DDC node will no longer be recognized as active after the upgrade.
After completing the upgrade, you must re-assign the active DDC node as if you were performing a fresh installation. It is recommended to select the same node that was active before the upgrade. This helps avoid the need to reconfigure your DDC agents. See the Assigning the active DDC node section to configure the DDC active node.
Clusters
- Only one CipherTrust Manager node in the cluster can have DDC activated. To access DDC, create a new DNS entry to point to the active CipherTrust Manager node.
- DDC functionality cannot be accessed through the CipherTrust Manager FQDN. DDC requests sent to an inactive CipherTrust Manager node fail (and return the impression that DDC fails randomly).
Licensing
Overlapping licenses are not supported (except for the trial license).
EOS for Legacy Reports
The support for Legacy Reports has been dropped in DDC 2.11.
EOS for KCT Datastore
End of Support for KCT Datastore Format in DDC 2.11.
Upcoming End of Support for Platforms and Features
- Linux 2.4 Node Agents
- Email Targets - Microsoft Exchange (EWS)
- Microsoft 365 - Exchange Online (EWS)
- Web Browser - Internet Explorer
Compatibility
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
TLS Compatibility
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting. This setting controls the lowest acceptable TLS version allowed for connections to the interface.
| Interface | Minimum TLS version | Maximum TLS version | Default Minimum TLS version |
|---|---|---|---|
| Web UI | TLS 1.2 | TLS 1.3 | TLS 1.2 |
| NAE | TLS 1.0 | TLS 1.3 | TLS 1.2 |
| KMIP | TLS 1.0 | TLS 1.3 | TLS 1.2 |
Caution
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
- TLS_AES_256_GCM_SHA384 (TLSv1.3)
- TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3)
- TLS_AES_128_GCM_SHA256 (TLSv1.3)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS Deprecation Notices
- Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
- Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA
Client Platforms
The following client Platforms are supported by the CipherTrust Manager.
Caution
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
- CADP for .NET Core: minimum version 8.11.0
- CADP for C: minimum version 8.14.0
- CADP for Java: minimum version 8.13.1
CipherTrust Application Key Management
- CAKM for Oracle TDE: minimum version 8.10.0
- CAKM for Microsoft SQL Server EKM: minimum version 8.5.0
CipherTrust Cloud Key Manager
Minimum version 1.6.3.20532
CipherTrust Database Protection
- CDP for Oracle: minimum version 8.12.0
- CDP for MSSQL: minimum version 8.12.0
- CDP for DB2: minimum version 8.12.0
- CDP pdbctl: minimum version 1.5.1
- CipherTrust Teradata Protection: minimum version 6.4.0.12
- Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 10.2.0.83
CipherTrust Transparent Encryption for Kubernetes
Minimum version 1.0.0
CipherTrust Vaulted Tokenization
Minimum version 8.7.1
CipherTrust Batch Data Transformation
Minimum version 2.2.0.2816
CipherTrust Vaultless Tokenization
Minimum version 2.5.2.19
Data Discovery and Classification Agents
Linux minimum kernel version is 2.6.
There are no changes in Agent requirements if you are upgrading from CM 2.4 to 2.5.1. If you are upgrading from a version older than 2.4 please refer to Upgrading Agents.
Note
ODBC driver for Microsoft SQL: To connect to Microsoft SQL, DDC Agent requires the ODBC drivers to be installed on the host. If DDC cannot find a suitable agent, make sure that these drivers are installed. If necessary, upgrade them to the latest available version. Thus, if your MSSQL Server is configured with TLS 1.2 only, install the ODBC Driver 17 for MSSQL Server.
TDP Version Compatibility
Data Discovery and Classification requires TDP 3.1.5.1 or newer.
- If you have an existing TDP 3.1.5 cluster, you should apply the patch 3.1.5.1.
Following the TDP upgrade users are required to Configure TDP service HDFS again and also Configure TDP service Livy.
Known Issues
This section lists the issues known to exist in the product at the time of release.
CipherTrust Manager
| Reference | Synopsis |
|---|---|
| KY-112241 | Problem: If you run a force delete operation on one node to remove a node from the cluster and execute the same force delete on another node, sometimes the data replication message from the first force delete arrives to the second node after the second force delete completes. As a result, the Cluster Consensus Status is reported inconsistently on the remaining nodes in the cluster, and some nodes are unresponsive. Workaround: Run the force delete operation again with the same node ID on all nodes on the cluster. Ensure the connectivity between remaining nodes is healthy, for example by checking that the allowlist configuration is up-to-date on every node in the cluster. |
| KY-111328 | Problem: If you attempt to add an additional Luna Network HSM connection for HSM-anchored domain or CCKM on a clustered CipherTrust Manager, the HSM HA group is not recognized on every CipherTrust Manager node. Requests to create Luna keys originating from other CipherTrust Manager nodes fail. Workaround: After you create or update an HSM connection on one CipherTrust Manager node, run "Test Connection" on every CipherTrust Manager node in the cluster. |
| KY-111138 | Problem: If you delete an HSM connection used for CCKM or HSM-anchored domain, and later attempt to add a new Luna HSM partition connection, the operation sometimes fails with the error Error finding token info for provided slot info. Workaround: Run a system reset to return the internal HSM configuration to default settings. |
| KY-108144 | Problem: Due to key caching on the NAE and KMIP interfaces, not all cryptographic operations (such as decryption) are recorded in the server or Loki audit logs. Multiple operations using the same key within the cache interval may only generate a single audit record. The audit log entry is generated after the key cache expires and the key is re-exported. |
| KY-105131 | Problem: A user which is assigned to both the admin and User Admins groups cannot assign other users to the admin group. Workaround: Remove the user which is assigned to both groups from the User Admins group. Logout and login as this user. Re-attempt assigning the desired user to the admin group. |
| KY-95972 | Problem: If you attempt to log in an LDAP user using the ksctl login command, specifying the connection name through the --user parameter only, the login fails with the error message Connection name <provided_name> in username do not match with connection local_account. Workaround: Provide the connection name using the --connection parameter in the ksctl login command. |
| KY-87394 | Problem: In the TLS verify client cert, Allow anonymous logins mode, NAE/KMIP clients remain in the expired state after the client certificate is renewed, but continue to operate normally with the renewed certificate. |
| KY-87241 | Problem: When renewing NAE/KMIP clients, details of the new certificate are not updated until the client remains idle for approximately 10 minutes. For KMIP clients, this issue occurs only in the TLS, verify client cert, user must supply password mode whereas for NAE clients it is observed in all modes. For NAE clients, you can retrieve the updated certificate details using the /v1/protectapp/clients-get API or through the CM UI under Legacy Clients > Registered Clients section. For KMIP clients, keep the client idle for at least 10 minutes after renewal. |
| KY-87183 | Problem: Client renewal fails, if interface mode is changed from TLS, verify client cert, user must supply password to TLS, verify client cert, user name taken from client cert, auth request is optional before certificate renewal. It is recommended to avoid modifying the interface mode when renewing the client. Workaround: Restore the interface mode to its previous value and proceed with client renewal, or delete and re-register the client. |
| KY-84562 | Problem: Deactivating the CipherTrust Manager Full Trial license does not deactivate individual trial licenses. Workaround: Reactivate the Full Trial license and re-attempt deactivation. |
| KY-82087 | Problem: After client renewal, it takes around 10 minutes for the client to switch from expired state to active state. During this time, the client operates normally with the renewed certificate. |
| KY-80554, KY-81695 | Problem: If a client certificate contains both OCSP and CRL URLs, the certificate revocation check (for NAE and KMIP clients) only considers the OCSP and never falls back to check the CRL even if the OCSP URL is inaccessible. |
| KY-66351, KY-63083 | Problem: Clients registered in a deleted domain are not excluded from the License usage. Workaround: 1. Log on to the root shell. 2. Delete the entries of the clients registered with the deleted domain from the database. |
| KY-64823, KY-61196 | Problem: In a CipherTrust Manager cluster, if two nodes are disconnected and you create the same user on both nodes and update them with same DN, on re-connect, duplicate users get created. Workaround: Duplicate users cannot be authenticated as regular users, therefore, function as redundant users. It is recommended to delete these users to avoid any confusion. However, if you don't delete them, you will be allowed to log in with one user only. |
| KY-64600 | Problem: If you create multiple automatic key rotation scheduled jobs, and they are scheduled to run at the same time, a key rotation intermittently fails with the message 'There is an ongoing key rotation job, cannot add another'. Workaround: Schedule automatic key rotation jobs to run at different times from one another. |
| KY-64597 | Problem: Typing a % (percent character) into the embedded API Guide for GET operations leads to inconsistent results, and sometimes crashes the page. Workaround: As a best practice, avoid naming resources with the % character. If you must retrieve a resource with a % in its name, use the UI or CLI to do so. |
| KY-61892 | Problem: The NAE and KMIP clients get auto-registered even if the system property, ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN, is disabled and the user impersonated by the client certificate is not created in the root domain and the registration token is generated in the root domain. However, the client won't be able to communicate using the impersonated user for interface mode 'TLS, verify client cert, user name taken from client cert, auth request is optional'. |
| KY-61722 | Problem: Deleting a domain that contains an NAE (ProtectApp) client returns status code 500. |
| KY-61054 | Problem: While migrating from KeySecure Classic to CipherTrust Manager, if the local CA is signed by an external CA, the migration will fail for the local CA even if the external CA is added to the known CA list. Workaround: If an externally imported CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, the CA will be migrated as an external CA, but the certificates will not be migrated to the CipherTrust Manager. Therefore, to use the same certificate for the NAE/KMIP interface on the CipherTrust Manager, select the migrated external CA and upload its certificate manually by editing the NAE interface on the CipherTrust Manager. Similarly, if a local CA and its certificates are used on the NAE/KMIP interface of KeySecure Classic, use auto-generation or issue a new certificate and upload the certificate to the interface. |
| KY-56426 | Problem: Deleted groups still show up in the key details information on the CipherTrust Manager. |
| KY-56213 | Problem: If you attempt to create a Luna Network HSM STC partition in connection manager and upload a partition identity file, the upload fails with the error Code 14: NCERRInternalServerError: unexpected error. This is because CipherTrust Manager doesn't recognize the format of the partition identity file downloaded from Luna Network HSM. Workaround: Use the Linux command base64 -wo on the partition identity file to convert it to base64 format, and then re-attempt the STC partition creation. |
| KY-55416 | Problem: Alarms table does not support retention policy. Record based alarms will fill up the table. Workaround: Contact customer support. |
| KY-52137 | Problem: If you rotate the root of trust key for an HSM and then reboot the appliance, services fail to start up and the reboot does not complete. This can happen when the HSM contains two root of trust keys with the same name, and the wrong HSM key is loaded. Workaround: If you are stuck in services startup, access the HSM with another client, and re-label one of the duplicate keys. |
| KY-51664 | Problem: When nShield Connect HSM is configured as root of trust, there are intermittent connectivity issues. The nShield HSM occasionally returns a ServerAccessDenied error, and CipherTrust Manager raises the HSM is offline system alarm. Workaround: Wait for connectivity issues to resolve after a few automatic reconnection attempts. |
| KY-39354 | Problem: Scheduled Partial Domain Backups and Domain Backups fail when there is an SCP connection. The backup file is created on CipherTrust Manager, but it is not forwarded through SCP, and the file is invalid. Workaround: If scheduled backup through SCP is needed, create a System Backup. |
| KY-27450 | Problem: Local Certificate Authorities (CAs) do not allow commas (`,`) in any of the fields. Workaround: Configure an External CA instead. Use a backslash (`\`) in the Distinguished Name (DN) while creating a user if you are using certificate based login. For example, `C=IN,ST=UP,L=Noida,O=Thales\,INC,OU=ENC,CN=test` is an accepted value. All other printable characters are allowed, as per the RFC 5280 definition of PrintableString. `@` and `&` are also allowed, beyond the definitions of the RFC. |
| KY-11517 | Problem: ProtectApp Application: The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding. |
| KY-7288 | Problem: When migrating from KeySecure Classic to CipherTrust Manager, for AES-GCM encrypt/decrypt operations, the AuthenticatedEncryptionTag is returned appended to the CipherText. Workaround: For migration use cases, when using AES-GCM with KeySecure Classic: |
| NC-2063 | Problem: If a user is deleted (or LDAP connection name changes), they fail to display in the keys table. |
| KY-106904 | Problem: Restoring a full or partial domain backup in a non-root domain containing customer fragments will fail for the customer fragments, displaying an error message. However, all other resources will be restored successfully. Workaround: Disable Akeyless service, restore the backup, and then enable Akeyless again. |
| KY-109452 | Problem: In a cluster, the Cluster Consensus Status may be shown as up even when more than 50% of the ports are down. This indicates that the Cluster Consensus Status and the Consensus port up/down are not directly correlated. Therefore, one should not assume that if a node's Consensus port is down, the Cluster Consensus Status must also be down. |
| KY-108874 | Problem: Adding the second node to the cluster may take an additional 3–5 minutes compared to adding subsequent nodes. This is because the system performs multiple iterations in the background to reach consensus. |
| KY-107099 | Problem: An administrator or system user might unintentionally activate a network interface for the Web interface that isn’t configured properly. When this happens, the web interface (GUI) and API may become unresponsive. Workaround: Before enabling a network interface for the web interface, ensure that it is configured correctly. You can verify properly configured interfaces by running: `kscfg net interfaces list`. If a user accidentally enables a network interface that isn’t configured correctly, you can fix it using: `kscfg net interfaces modify` |
| KY-108216 | Problem: From the UI, a cluster can be created only if the default UI port (443) is in use. If the UI is using another custom interface or port, use the API to create the cluster. |
CipherTrust Application Data Protection (CADP for C)
| Issue | Synopsis |
|---|---|
| KY-47385 | Problem: If you migrate a non-deletable VAE key from Data Security Manager to the CipherTrust Manager, the imported key is shown as "deletable". Workaround: After migration, edit the key attributes on the CipherTrust Manager to make it non-deletable. |
CipherTrust Cloud Key Manager
| Issue | Synopsis |
|---|---|
| KY-81514 | Problem: SFDC: Refresh operations on CCKM don't remove certificates that are deleted from the SFDC console. |
| KY-72770 | Problem: OCI: The origin field of asymmetric HSM keys with External BYOK as Origin Type is set inconsistently for initial and subsequent versions. The origin of the initial version is correctly set to EXTERNAL. However, the origin of subsequent versions is incorrectly set to INTERNAL. This issue is at the Oracle end. |
| KY-72067 | Problem: GUI: Salesforce mTLS connection doesn't work when the Salesforce connection to the CipherTrust Manager is configured using the Password authentication. Workaround: Use the authentication type of Certificate or Client Credential (My Domain) when creating the Salesforce connection to the CipherTrust Manager. |
| KY-65165 | Problem: SAP: A delete key job remains in the PENDING state for a long time and fails intermittently. This issue is at the SAP end. |
| KY-42082 | Problem: SAP Data Custodian: SAP key activity report doesn't show any data. This issue is at the SAP end. |
| KY-31186 | Problem: If your proxy server does not support HTTP CONNECT, the CCKM Google cloud connection cannot use the CipherTrust Manager's proxy feature with a certificate. Workaround: Add an exception (`cloudkms.googleapis.com`) with `no_proxy` or use the proxy with username and password, and restart the services. |
| KY-17213 | Problem: When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global". Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group. |
CipherTrust Database Protection
| Issue | Synopsis |
|---|---|
| PDB-3293 | Problem: If the datatype of a column changes from the char family to blob after migration, the Return replacement value option for the Error Replacement feature does not work. |
CipherTrust Data Discovery and Classification
| Issue | Synopsis |
|---|---|
| KY-107039 | Problem: IBM DB2, SAP HANA, and other Data Stores: Scan runs with the Amount of Data Object Volume set to low fail after being stuck in the Processing state, showing the error "Error adding a new header to the archive." |
| KY-101179 | Problem: OneDrive and Local Storage: The pause and resume functions in scan runs do not operate correctly when users repeatedly attempt the same action before the previous one has finished. For example, if a user clicks the pause icon and quickly follows by clicking the pause icon again within a short period, the functions may not work as intended. |
| KY-99958 | Problem: Errors occur when browsing a local storage NFS share. |
| KY-102417 | Problem: Users from different domains can access the status and download troubleshooting logs of scans located in the root domain. |
| KY-105035, KY-105033 | Problem: |
| KY-104443 | Problem: G-Mail scans with SENT, UNREAD, and IMPORTANT labels fail after remaining in the "validating" state for a short period. |
| KY-77002 | Problem: The Total Data Object Scanned field gives an incorrect count when scanning data stores that contain Blobs, docx, etc. |
| MLAAS-1553 | Problem: Empty report created for large ML scan runs. Empty reports may be created for these reasons: Workaround: Check the agent log to identify the flagged data object that has a high number of scanned entities. To fix the issue, divide the files to ensure match entities remain under the 4 million limit. |
| MLAAS-1555 | Problem: When using similarity search for the first time, the search fails when multiple search requests are made within a short span of time. Workaround: Resubmit the failed request. |
| KY-100146 | Problem: The TDP to DDC connection check API may intermittently return a 'Data Management Service is Not Responding' error. |
| KY-102053 | Problem: Inactive or discontinued nodes persist in the database for DDC node clusters, causing discrepancies. |
| KY-100918 | Problem: Incorrect metadata details, such as modification date and creator name, are shown for sensitive data objects on the Report page. |
| KY-100774 | Problem: The Browse button functionality doesn't work for user accounts in G-Mail data stores. |
| KY-100393 | Problem: The slave node in a 2-node cluster setup remains in the loading state after CipherTrust Manager is upgraded to 2.20. |
| KY-71568 | Problem: The SharePoint Online Scan functionality is not available for "All List" as Target. |
| KY-98061 | Problem: The scan run fails with an internal error when scanning a Teradata data store that contains non-sensitive data. This error is observed with version 16.20 of Teradata Tools and Utilities. Workaround: Upgrade to Teradata Tools and Utilities 17.00 and above to avoid the error. |
| KY-91988 | Problem: The total count of data objects is inaccurately shown when scanning a GDrive datastore that includes empty or zero-sized files. |
| KY-91215 | Problem: An incomplete toast message displaying 'Internal Error' shows up while browsing targets when the CipherTrust Manager license has been exhausted. |
| KY-79798 | Problem: Scan fails with the "Scan results could not be found" error after processing for OneDrive and Exchange Online with some targets. |
| KY-75646 | Problem: Reports of scans on Teradata tables with unique primary index show the Key Source as "Integer Non Unique Column". |
| KY-75083 | Problem: Search for the Secrets infotypes returns fewer matches for the PDF data. |
| KY-74909 | Problem: Search for the Secrets infotypes returns fewer matches for the MongoDB data store. |
| KY-73411 | Problem: Probing an empty folder in an AWS S3 bucket returns the NotFound error. |
| KY-72978 | Problem: Search for the SSH private keys returns fewer matches when data for multiple infotypes is present in the same file. |
| KY-72411 | Problem: Scan on Office365 Sharepoint Online completes successfully for a non-existent file. |
| KY-72408 | Problem: Text data in Sharepoint Online Notebooks can't be matched. |
| KY-72397 | Problem: Images inserted in Sharepoint Online Notebooks can't be matched. |
| KY-9399 | Problem: The XVA file contains a data object that was reported when it should not have been. The XVA file format is not correctly handled. After an XVA file is scanned and the report is generated, an additional data object in the Data Objects tab is displayed in the UI. You should ignore it. |
| KY-8990 | Problem: Scheduled scans and those launched manually via ‘run now’ only start after X hours. If an Agent and server have the wrong time set, DDC’s ability to schedule scans or to start them immediately when they are manually launched from the UI or API will be affected and the scan start may be delayed. Workaround: Configure an NTP server for DDC and all Agent hosts. |
| | Problem: None of the clustered nodes responds to requests to DDC. DDC is only active in one of the CipherTrust Manager nodes. Requests sent to any other nodes will return this error. Solution: |
| KY-19763 | Problem: OracleDB and IBM DB2: uppercase schema/table name issues. User cannot launch Oracle/DB2 scan if schema OR table was created with lowercase and DDC is configured with lowercase. Workaround: Set the target path in uppercase. |
| KY-21981 | Problem: Postgres tables without primary keys are not completely scanned. DDC can only scan Postgres tables if they have at least one primary key defined. Workaround: Configure at least one primary key in the tables and run the scan again. |
| KY-48874 | Problem: A scan with MySQL datastore (version 8.0.30) fails due to "failed status in the scanner service". |
| KY-49115 | Problem: Discrepancies in scan results of infotypes for the same file in DDC 2.10 and 2.9. These infotypes show discrepancies: - Australian Passport Number: 1070 (in version 2.9), 204 (in version 2.10) - China Union Pay: 1000 (in 2.9), 921 (in 2.10) - Discover: 1001 (in 2.9), 919 (in 2.10) - Diners Club: 1001 (in 2.9), 1002 (in 2.10) The above discrepancy is because of the new and improved data types, which are as follows: - The Australian Passport Number data type has been enhanced for improved accuracy and coverage of the newer passport series, with additional updates made to enable the Australian Passport Number to be detected on the passport MRZ line. - Discover Global Network cardholder data types including China Union Pay, Diners Club, Discover, and JCB have been updated to identify 14-19 digit primary account numbers (PANs) for all supported BIN ranges. |
| KY-51550 | Problem: Office365: OneDrive for Business - Scan progress reaches more than 100%. |
| KY-51586 | Problem: A scan of a LONGBLOB file in MySQL gets stuck while scanning. DDC should be able to scan a 20 MB table, as LONGBLOB data type supports up to 4 GB of data, yet it fails. |
| KY-51623 | Problem: Partial Scan in BLOBs of size greater than 100 MB in MSSQL. NOTE: If a file is partially scanned, it will be considered in the inaccessible location list. |
| KY-52494 | Problem: From this DDC version on (DDC-2.10), RHEL-compatible Agents can only be installed on environments running the matching and officially supported kernel version. |
| KY-52532 | Problem: Autopause feature not working as expected in Azure Table scans. A scan of Azure Table with the "Autopause" feature enabled has the following issues: |
| KY-23163 | Problem: A scan goes into an interrupted state for CIFS after restarting the agent. This only happens on Windows Server agents and for the Exchange Server and Windows Local Storage. Solution: 1) Restart the Windows agent with the scan in the "Paused" state. Then resume the scan, and it will go into the "Scheduled" state. 2) Restart the Windows agent one more time and the scan comes back to normal. |
| KY-53620 | Problem: Targeted scans of a smaller dataset in a G-Drive data store take a long time, if the overall data that is stored in G-Drive is of a larger size (for example, over 500 GB). |
| KY-56390 | Problem: Scanning of any data from an Exchange Server data store works only if the agent is installed on the same machine as the Exchange Server. |
| KY-60493 | Problem: A scan fails with an internal error when an entire SMB share is scanned. A scan of a full SMB datastore takes a long time and ends with an internal error. Scanning only a subfolder causes no problem, and you can generate a report. |
| KY-66074 | Problem: Azure Table: The issue related to the Azure Table data store has been fixed; the 'Cloudant Credentials' and 'Basic Auth Secret' infotypes show correct matches if relevant data resides inside the dataset. MongoDB: The IBM COS HMAC Credentials infotype gets correct matches when quotes are not used while creating the dataset, but it still gets fewer matches with double quotes. For example, if the dataset has more than one pair of double quotes like so: `"IBM COS HMAC TOKEN [-secret_accesskey]:: "687a726d2d905d575248759459871a2c4f92c54bdec6b78f""` In the above example, there are quotes around the '687a726d....' string. It will be considered an escape character, and MongoDB automatically appends '\' to ensure the string is preserved correctly. Due to this '\', the infotype will skip the match. |
| KY-66217 | Problem: The 'IBM COS HMAC Credentials' infotype from DDC shows fewer matches for EBCDIC formatted dataset. The conversion of the text dataset to EBCDIC format leads to this issue. |
| KY-66306 | Problem: When Google Drive is configured to use a language other than English (e.g. Portuguese), scans specifying either 'My Drive' or 'Meu Drive' will result in a failed/incomplete scan. Possible Workaround: Configure English as the default language for the Google Drive Data Stores that you scan. |
| KY-76437 | Problem: OneDrive: Inconsistent count of sensitive data objects after every scan of the "All Users" targets. |
| KY-79397 | Problem: AWS S3: Report generation fails for scan results of large data objects. Workaround: On the Ambari GUI, set spark.sql.autoBroadcastJoinThreshold = -1. |
| KY-81147 | Problem: AWS S3: DDC scan incorrectly marks data objects as inaccessible. |
| KY-83875 | Problem: IBM DB2: Scan fails if a target path contains a table having space in its name. |
| KY-88518 | Problem: Scan trace logs are unavailable if you initiate the clean up process through the warning banner and allow the system to stop all the running scans. Workaround: It is recommended to manually stop the running scans before initiating the clean up process. |
| KY-87436 | Problem: When accessing scan trace logs for an in-progress scan with the Trace Log toggle disabled, an inaccessible zero-byte ZIP file of scan trace log is downloaded. |
| KY-84441 | Problem: When trying to pause or resume a scan multiple times, the scan gets stuck in the "Running" state and the "Pause is not allowed" error is logged in the log files. |
| KY-86569 | Problem: If DDC comes out of the degraded mode after shutting down the client and increasing its disk space, previously "Running" scans get stuck in the "Syncing" state and show an "Internal Error" on mouse hover. |
| KY-86244 | Problem: If DDC comes out of the degraded mode after manually deleting old files, previously "Running" scans get stuck in the "Running" state with no progress. |
| KY-83801 | Problem: MongoDB data store: Scans get stuck in the "Processing" state if the target path contains tables with "#" and "%" in their names. |
| KY-28137 | The following issues were encountered with GLASS expressions: |
CipherTrust Secrets Management
| Issue | Synopsis |
|---|---|
| KY-102944 | Problem: If the Akeyless URL is configured for a single-tenant infrastructure (for example, https://vault.eu.akeyless.io) and the CipherTrust Manager is deployed in a different region, the user sign-up on Gateway versions 4.30 may fail to generate the SSO Access ID. This failure can lead to the Akeyless tile being disabled. Workaround: Use Gateway version 4.35.1 when signing up for single-tenant infrastructure. |
| KY-86481 | Problem: When you update the Akeyless gateway version from the Akeyless Config (UI) and the API Playground simultaneously, the gateway version doesn't match the actual Akeyless gateway version. Workaround: Update the version to any version other than the current one from Akeyless Config (UI) or API and wait for the gateway to restart before updating it again. |
| KY-84485 | Problem: When you rotate the custom rotated secret of the HSM SSH user, the HSM occasionally fails to accept the newly rotated password combination and throws an error "The desired password is invalid". Workaround: When encountering this error, rotate the secret again or upgrade the HSM version to the latest. |
| KY-72796 | Problem: The CipherTrust Manager constantly communicates with multiple IPs of the Akeyless SaaS server (for example, "52.223.11.194", "35.71.185.167", "35.192.171.171") over port 9443, which leads to a lot of irrelevant log entries. |
| KY-64648 | Problem: The "Forgot Password" feature for email is not supported through the Akeyless gateway on the CipherTrust Manager. Only the "Forgot API Access Key" feature is supported. Workaround: Use the "Forgot Password" feature for email directly on the Akeyless website. |
| KY-64835 | Problem: If you attempt to modify the protection key for an existing certificate-type secret in the Akeyless console, an exception stating Unexpected error is displayed. Workaround: Delete and re-create the existing secret with the desired protection key. |
| KY-63288 | Problem: Some internet browsers, such as Mozilla Firefox, Google Chrome, or Microsoft Edge launch the secrets management tile as a pop-up, and prompt to allow pop-ups. Workaround: Allow pop-ups from the CM UI if prompted. |
| KY-61568 | Problem: The `POST /v1/connectionmgmt/services/akeyless/connections` operation in the API playground to create a new Akeyless connection introduces unnecessary parameters "meta", "products", and "category". Workaround: Ignore these parameters. They do not affect the functioning of the Akeyless connection. |
| KY-89008 | Problem: When the custom rotated secret configuration for the HSM Partition secret is changed from manual to auto-rotate or vice versa, the Webhook web timeout is set to default. Workaround: After updating the rotation configuration, ensure the Webhook web timeout is set to the desired value; otherwise, update it manually. |
CipherTrust Transparent Encryption
| Issue | Synopsis |
|---|---|
| KY-110867 | Problem: Whenever the agent is upgraded with a new capability, the related GuardPoints are not propagated to the client. Only FHS GuardPoints are propagated. |
| KY-95970 | After upgrading a CipherTrust Manager instance with CTE Confidential Computing clients, the Confidential Computing feature is not displayed on the Licensing page. After restarting the CipherTrust Portfolio Evaluation, the feature is visible but the license usage count remains zero. Workaround: Either enroll/re-enroll the Confidential Computing clients or restart the system. |
| KY-83746 | Problem: Intermittent: After migrating CTE resources from DSM, the details of LDT on a migrated client shows Resume Live Data Transformation (LDT paused) even though the GuardPoint is successfully Rekeyed. Workaround: Restart the CTE Agent (`service vmd restart`). |
| KY-72096 | Problem: CTE UserSpace: After upgrade to CipherTrust Manager 2.14.0, CTE UserSpace 10.1.0 clients don't show the Healthy status on GUI. This issue is resolved in the CTE-U 10.2.0 release. Workaround: Upgrade the clients to 10.2.0 or manually restart the CTE-U services (`secfs-fuse restart`) to restore the client communication to the Healthy state for older CTE-U client versions. |
| KY-72095 | Problem: After upgrade to CipherTrust Manager 2.14.0, CTE clients can take up to 25 minutes to show the Healthy status on GUI. This issue has no impact on the functioning of GuardPoints. This issue is resolved in the CTE 7.5.0 release. Workaround: Upgrade the clients to 7.5.0 or manually restart the VMD service (`secfs restart`) to restore the client communication to the Healthy state for older CTE client versions. |
| KY-60249 | Problem: The `get /v1/transparent-encryption/policies` API does not return the complete list of policies added to the CipherTrust Manager. Workaround: Run the `get /v1/transparent-encryption/policies` API with `limit` as `-1`. |
| KY-59893 | Problem: Signature rules are not copied to a clone policy. Workaround: On the policy details page, manually add the missing signature rules. |
| KY-55739 | Problem: When a CipherTrust Manager user having only CTE Admins group permissions initiates a Quorum-dependent operation, a corresponding Quorum is created. After the required Quorum approvals, the operation does not auto-trigger in the background. Workaround: Retry the operation after the required Quorum approvals. |
| KY-55511, KY-55527, KY-55275, KY-55528 | Problem: Simultaneous composite operations (for example, update and delete) are not supported for quorums. |
| KY-55273 | Problem: If quorum is activated for client group deletion, then bulk client group deletion generates multiple quorums in pre-active state. Workaround: Delete client groups individually. |
| KY-55064, KY-54442 | Problem: In case of bulk client or client GuardPoint deletion, the quorum details may not be available. However, quorum operations (such as approval, rejection) can be performed. This issue has no impact on functionality. |
| KY-51759, KY-51754 | Problem: When quorum is enabled, if you perform an operation to delete clients or GuardPoints in bulk, the quorum is created in pre-active state. Workaround: Activate the quorum using the /v1/quorum-mgmt/quorums/{id}/activate API. |
| KY-51135 | Problem: Group members cannot be imported from LDAP for user sets. |
| KY-34329 | Problem: Browsing VxVM raw devices that have slash in the path names shows non-existing directory in the GuardPaths. Workaround: Create GuardPoints by manually entering the raw device paths. |
ProtectApp
| Issue | Synopsis |
|---|---|
| KSCH-16415 | Problem: The Host Name field on the Client Registration screen does not have validation for host availability. Workaround: Add clients using the API. |