CipherTrust Vaultless Tokenization
Product Description
CipherTrust Vaultless Tokenization (CT-VL) is a platform-independent appliance (virtual machine or bare-metal) that offers REST-API services to protect sensitive data.
Security Updates
The CT-VL image is updated regularly with security updates.
2.9.1
Release Description
This release includes security and bug fixes.
Note
Support for DSM and KeySecure as a key manager has been deprecated.
Resolved Issues
| Reference | Description |
|---|---|
| CADP-23317 | Problem: syslog is compressing consecutive events into one entry "last message repeated X times" |
| CADP-23563 | Problem: Unable to download logs using REST in CT-VL 2.9.0 |
| CADP-20433 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-23420 | Problem: Server Certificate's show key command is not working in CT-VL 2.9.0. |
Known Issues
Note
Upgrading from CT-VL 2.9.0 to 2.9.1 will not work using the vts upgrade --upload command. Use the vts upgrade --url command instead.
| Reference | Description |
|---|---|
| CADP-24594 | Problem: Inconsistent log count. |
| CADP-25380 | Problem: Unable to remove a node from the cluster. |
| CADP-24695 | Problem: While upgrading from CT-VL 2.9.1 to a higher version, the vts upgrade --upload command will not work. Workaround: Use the vts upgrade --url command. |
| CADP-21893 | Problem: During the restore process, the UI session times out after 10 minutes, so it is recommended to use the CLI. Workaround: To monitor the data restore progress, use the following command: vts logfile --tail clish.log |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur, causing disk space issues. Upgrading to v2.6 or higher doesn't fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-21939 | Problem: CT-VL backup that used a DSM cannot be restored into a CT-VL 2.9.0 VM. |
| CADP-22912 | Problem: CT-VL does not adhere to Admin group permissions for encryption/decryption. |
| CADP-22321 | Problem: Error "502 Bad Gateway" occurs when a sign/verify operation is performed with an HMAC key of size 512. |
| CADP-22331 (CADP-23347) | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-23336 | Problem: The CipherTrust Manager NAE mode: "TLS, verify client cert, user name taken from client cert, auth request is optional" is currently not supported. |
| CADP-23407 | Problem: Unable to use Client Certificate Authentication in CT-VL 2.9.0. Workaround: Create a client certificate with a complete subject instead of Common Name only. |
| CADP-22736 | Problem: Key cache expiration setting does not work with a multi-node cluster. |
2.9.0
Release Description
This release includes the OS migration from CentOS to Ubuntu, plus security and bug fixes.
Note
Support for DSM and KeySecure as a key manager has been deprecated from this release onward.
CLI Command Changes
| Command | CT-VL 2.6.x to 2.8.3 | CT-VL 2.9.0 |
|---|---|---|
| network set --defroute | Supported | Not supported (use network set --dns and network set --gateway) |
| icapi setup | A message prompt to restart the vts service is displayed | There is no message; the vts service restarts silently. |
| vts service --restart | Status is displayed | Status is not displayed |
| system df --direct | Supported | Not supported |
| system terminal --terminate ALL | Supported | Not supported |
| network dns | Supported | Not supported (use network set --dns) |
Resolved Issues
| Reference | Description |
|---|---|
| CADP-22387 | Problem: Mismatch in the number of log entries and data displayed on the CT-VL dashboard. |
| CADP-21154 | Problem: /var/log/messages log file does not rotate by size limit. |
Known Issues
| Reference | Description |
|---|---|
| CADP-24594 | Problem: Inconsistent log count. |
| CADP-25380 | Problem: Unable to remove a node from the cluster. |
| CADP-24695 | Problem: While upgrading from CT-VL 2.9.0 to 2.9.1, the vts upgrade --upload command will not work. Workaround: Use the vts upgrade --url command. |
| CADP-23317 | Problem: Syslog is compressing consecutive events into one entry "last message repeated X times". |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-21893 | Problem: During the restore process, the UI session times out after 10 minutes, so it is recommended to use the CLI. Workaround: To monitor the data restore progress, use the following command: vts logfile --tail clish.log |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur, causing disk space issues. Upgrading to v2.6 or higher doesn't fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-21939 | Problem: CT-VL backup that used a DSM cannot be restored into a CT-VL 2.9.0 VM. |
| CADP-22912 | Problem: CT-VL does not adhere to Admin group permissions for encryption/decryption. |
| CADP-22321 | Problem: Error "502 Bad Gateway" occurs when a sign/verify operation is performed with an HMAC key of size 512. |
| CADP-22331 (CADP-23347) | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-23336 | Problem: The CipherTrust Manager NAE mode: "TLS, verify client cert, user name taken from client cert, auth request is optional" is currently not supported. |
| CADP-23407 | Problem: Unable to use Client Certificate Authentication in CT-VL 2.9.0. Workaround: Create a client certificate with a complete subject instead of Common Name only. |
| CADP-23420 | Problem: Server Certificate's show key command is not working in CT-VL 2.9.0. |
| CADP-23563 | Problem: Unable to download logs using REST in CT-VL 2.9.0. Workaround: To check the logs, use the CLI command: vts logfile --tail <logfile name> |
| CADP-22736 | Problem: Key cache expiration setting does not work with a multi-node cluster. |
2.8.5
Release Description
This release includes security updates and performance improvements in cryptographic services.
Note
Support for KeySecure as a key manager has been deprecated.
Resolved Issues
| Reference | Description |
|---|---|
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
Known Issues
| Reference | Description |
|---|---|
| CADP-25760 | Problem: CT-VL requests may result in a 504 Gateway timeout error during encryption and decryption when executing batch REST calls. |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-22832 | Problem: CT-VL does not adhere to admin group permissions for encryption/decryption. |
| CADP-21219 | Problem: Per user records for tokenization, detokenization, and crypto operations are not displayed on the UI dashboard. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-22387 | Problem: Mismatch in the number of log entries and data displayed on the CT-VL dashboard. |
| CADP-21939 | Problem: Restoring a CT-VL backup that used a DSM on CT-VL connected (registered) to the CipherTrust Manager, or a CT-VL on DSM connected (registered) to the CipherTrust Manager, is currently not supported. Workaround: To restore a CT-VL backup that used a DSM, first register CT-VL to DSM and then perform the restore operation. After the restore operation is completed, reconnect CT-VL to the CipherTrust Manager. |
2.8.4
Release Description
This release includes the operating system security updates and bug fixes.
Note
Support for KeySecure as a key manager has been deprecated.
Resolved Issues
| Reference | Description |
|---|---|
| CADP-22736 | Problem: Key cache expiration setting does not work with a multi-node cluster. |
| CADP-22331 (CADP-23347) | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-23352 | Problem: Deprecated support for SHA-1 in OpenSSH. |
Known Issues
| Reference | Description |
|---|---|
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-22832 | Problem: CT-VL does not adhere to admin group permissions for encryption/decryption. |
| CADP-21219 | Problem: Per user records for tokenization, detokenization, and crypto operations are not displayed on the UI dashboard. |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-22387 | Problem: Mismatch in the number of log entries and data displayed on the CT-VL dashboard. |
| CADP-21939 | Problem: Restoring a CT-VL backup that used a DSM on CT-VL connected (registered) to the CipherTrust Manager, or a CT-VL on DSM connected (registered) to the CipherTrust Manager, is currently not supported. Workaround: To restore a CT-VL backup that used a DSM, first register CT-VL to DSM and then perform the restore operation. After the restore operation is completed, reconnect CT-VL to the CipherTrust Manager. |
2.8.3
Release Description
This release includes the Operating System security updates and bug fixes.
Resolved Issues
| Reference | Description |
|---|---|
| CADP-18193 | Problem: NAE TCP mode breaks after upgrading to CT-VL 2.7.0. |
| CADP-18446 | Problem: CT-VL is not logging which CipherTrust Manager in the cluster it has connected to. The log to show the CipherTrust Manager connections can be viewed using the following CLI command: main> vts logfile --tail haproxy.log |
| CADP-18957 | Problem: /var/log/messages are not getting compressed on rotation. |
| CADP-19352 | Problem: Incorrect DSM error message appears even if DSM is not used. |
| CADP-19783 | Problem: CT-VL can produce invalid token data if the token template is not supplied. |
| CADP-19784 | Problem: CT-VL batch tokenization can return a mismatched number of items if the token template is not supplied. |
Known Issues
| Reference | Description |
|---|---|
| CADP-22331 | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-22387 | Problem: Mismatch in the number of log entries and data displayed on the CT-VL dashboard. |
| CADP-21939 | Problem: Restoring a CT-VL backup that used a DSM on CT-VL connected (registered) to the CipherTrust Manager, or a CT-VL on DSM connected (registered) to the CipherTrust Manager, is currently not supported. Workaround: To restore a CT-VL backup that used a DSM, first register CT-VL to DSM and then perform the restore operation. After the restore operation is completed, reconnect CT-VL to the CipherTrust Manager. |
2.8.2
Release Description
This release includes the Operating System security updates and bug fixes.
Resolved Issues
| Reference | Description |
|---|---|
| CS1526685, CS1528902, CS1530674 | Problem: A CLI utility is now available to allow cleanup of the excessive PostgreSQL WAL archive files. Note: This is only a workaround to temporarily clean up the excessive pgsql archive files. This is known issue TOK-3117, which affects VMs with a base image of v2.5 or below. |
Known Issues
| Reference | Description |
|---|---|
| CADP-22331 | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-25182 | Problem: When a node or cluster of nodes is offline for a long period of time, the bdr does not synchronize correctly with the new nodes joining the existing cluster. Workaround: Break the CT-VL cluster and create a new cluster from a backup, or a good node. Rejoin all the nodes to the new cluster. If a node is expected to be offline for a long period, it is highly recommended to remove the node from the cluster and only join it back when it goes back online. |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-18193 | Problem: Upgrading to CT-VL v2.7 or higher will break TCP mode connectivity to the CipherTrust Manager NAE interface. A fix to this issue will be available in the next patch release. In the meantime, a workaround is available. Please contact Support to obtain the workaround. |
| CADP-22387 | Problem: Mismatch in the number of log entries and data displayed on the CT-VL dashboard. |
2.8.1
Release Description
This release includes the Operating System security updates and bug fixes.
Resolved Issues
| Reference | Description |
|---|---|
| CADP-16364 | Problem: Available memory decreases over time when client-certificate authentication is used. |
Known Issues
| Reference | Description |
|---|---|
| CADP-22331 | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-18193 | Problem: Upgrading to CT-VL v2.7 or higher will break TCP mode connectivity to the CipherTrust Manager NAE interface. A fix to this issue will be available in the next patch release. In the meantime, a workaround is available. Please contact Support to obtain the workaround. |
2.8.0
Release Description
This release includes security and bug fixes.
New Features and Enhancements
Support for AES-CTR and AES-GCM algorithms with the CipherTrust Manager (CM).
Known Issues
| Reference | Description |
|---|---|
| CADP-22331 | Problem: Tokenization services continue to fail even after communication to the CipherTrust Manager has been restored. This can happen if VTS services were restarted while communication to the CipherTrust Manager was still broken. |
| CADP-25141 | Problem: If a key has either a tokenize or detokenize permission assigned, the user cannot delete the key using the API curl -k -X DELETE hostname/vts/km/v1/keys/keyname, even after removing the key permissions. This API request deletes the key from both CT-VL and CM. Workaround: Delete the key using the UI or the DELETE API curl -k -X DELETE hostname/api/keys/keyname. This request deletes the key name from CT-VL only. Ensure the key is also deleted from the KeyManager. |
| CADP-21987 | Problem: The API logs do not include the username when there are errors in input values. |
| CADP-16484 | Problem: CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117 | Problem: Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-18193 | Problem: Upgrading to CT-VL v2.7 or higher will break TCP mode connectivity to the CipherTrust Manager NAE interface. A fix to this issue will be available in the next patch release. In the meantime, a workaround is available. Please contact Support to obtain the workaround. |
| CADP-21154 | Problem: /var/log/messages log file does not rotate by size limit. |
2.7.0
Release Description
This release includes new features and resolved issues.
New Features and Enhancements
Support for RSA encryption with the CipherTrust Manager (CM)
Support for Oracle Cloud Infrastructure (OCI)
Resolved Issues
| Reference | Description |
|---|---|
| TOK-3173 | CT-VL would no longer register to DSM successfully if the hostname of DSM has been renamed. |
| TOK-3164 | Intermittent invalid error response (HTTP 400 Error) can occur when batch encryption is used. |
| CADP-16506 | CT-VL can't migrate from DSM and register to the CipherTrust Manager after upgrading to v2.6.10. |
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
| CADP-18193 | Upgrading to CT-VL v2.7 or higher will break TCP mode connectivity to the CipherTrust Manager NAE interface. A fix to this issue will be available in the next patch release. In the meantime, a workaround is available. Please contact Support to obtain the workaround. |
2.6.10
Release Description
This release includes resolved issues.
Resolved Issues
| Reference | Description |
|---|---|
| TOK-3159 | Powering off the failover CipherTrust Manager in the HA mode causes a 30-second delay in CTS token calls. CT-VL uses a round robin connection to connect to different CipherTrust Managers (CMs). Today, the 30-second delay is a timeout if one of the CMs in the HA mode does not respond. With this patch, a health monitoring service is added to CT-VL. This service continuously monitors all the CMs. If a CM is down, the service removes the CM from the list of CMs. After the CM comes back online, the service adds the CM to the list. |
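The TOK-3159 entry describes the mechanism, not its code. The following is an added example, not part of the release notes or of CT-VL, that contrasts a plain round robin (every pick of an unresponsive manager costs the caller a full connect timeout) with a health-monitored rotation that drops unreachable managers and re-adds them once a later check sees them recover. The manager names, the probe function and the 30-second cost model are all constructed for the demonstration.

```python
"""Health-monitored round-robin selection over a set of key managers.

Added example illustrating the behaviour described for TOK-3159; it is
not CT-VL's code. Backend names, the probe function and the timeout
figure in the naive variant are constructed.
"""
from typing import Callable, Dict, List, Optional

# Constructed reachability state for three hypothetical managers.
REACHABLE: Dict[str, bool] = {"cm-a": True, "cm-b": True, "cm-c": True}


def probe(backend: str) -> bool:
    """Stand-in for a real health probe (e.g. a TLS connect with a short timeout)."""
    return REACHABLE[backend]


class NaiveRoundRobin:
    """Rotates over every configured manager whether or not it is reachable."""

    def __init__(self, backends: List[str], timeout_s: int = 30):
        self._all = list(backends)
        self._i = 0
        self.timeout_s = timeout_s

    def pick(self) -> str:
        b = self._all[self._i % len(self._all)]
        self._i += 1
        return b

    def latency_of(self, backend: str) -> int:
        # Constructed cost model: a dead manager costs one full timeout, else 0.
        return 0 if probe(backend) else self.timeout_s


class HealthMonitoredRoundRobin:
    """Same rotation, but only over managers the monitor last saw healthy."""

    def __init__(self, backends: List[str], probe_fn: Callable[[str], bool]):
        self._all = list(backends)
        self._probe = probe_fn
        self._healthy = list(backends)
        self._i = 0

    def run_health_check(self) -> List[str]:
        """Re-probe every configured manager and rebuild the healthy list in
        configured order, so a recovered manager is added back automatically."""
        self._healthy = [b for b in self._all if self._probe(b)]
        return list(self._healthy)

    def pick(self) -> Optional[str]:
        if not self._healthy:
            return None  # nothing to route to: fail fast rather than hang
        b = self._healthy[self._i % len(self._healthy)]
        self._i += 1
        return b


def worst_case_delay_naive(n_calls: int = 6) -> int:
    """Total timeout seconds a client absorbs over n_calls with the naive rotation."""
    rr = NaiveRoundRobin(list(REACHABLE))
    return sum(rr.latency_of(rr.pick()) for _ in range(n_calls))


def picks_with_monitor(n_calls: int = 6) -> List[Optional[str]]:
    """Picks made after one health check has excluded unreachable managers."""
    pool = HealthMonitoredRoundRobin(list(REACHABLE), probe)
    pool.run_health_check()
    return [pool.pick() for _ in range(n_calls)]


if __name__ == "__main__":
    REACHABLE["cm-b"] = False
    print("naive: timeout seconds over 6 calls =", worst_case_delay_naive())
    print("monitored picks:", picks_with_monitor())
    REACHABLE["cm-b"] = True
    print("after recovery:", HealthMonitoredRoundRobin(list(REACHABLE), probe).run_health_check())
```

In a real deployment the health check runs on its own timer and the probe has a short, bounded timeout; the point the example makes is that the client-facing call path never pays the connect timeout, because selection only ever ranges over the last-known-healthy set.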
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
2.6.9
Release Description
This release includes resolved issues.
Resolved Issues
| Reference | Description |
|---|---|
| TOK-3155 | Statistics in the dashboard and CSV export are inaccurate. |
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
2.6.8
Release Description
This release includes resolved issues.
Resolved Issues
| Reference | Description |
|---|---|
| TOK-3150 | Basic Authentication in the header is not getting validated correctly. |
This patch release fixes the issue where credentials in the header are not base64-encoded.
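As an added illustration of the defect class behind TOK-3150 (not the product's code), the following validator accepts a Basic Authentication header only when the payload is genuinely base64, decodes to UTF-8 and contains the user:password separator; anything else is a deny. The credential store, user name and password are constructed for the example.

```python
"""Strict HTTP Basic Authentication header validation.

Added example for the TOK-3150 fix described above; it is not CT-VL's
code. The credential store and the sample user are constructed.
"""
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credential store. A real service holds salted password
# hashes (bcrypt/argon2), never plaintext.
USERS = {"alice": "s3cret"}


def encode_basic(user: str, password: str) -> str:
    """Build the header value a correct client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) only for a well-formed 'Basic <base64>' header."""
    scheme, _, payload = value.strip().partition(" ")
    payload = payload.strip()
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        # validate=True turns non-alphabet characters into an error instead of
        # silently discarding them, so a raw 'user:pass' payload is rejected
        # rather than being "decoded" into garbage and compared.
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(header_value: str) -> bool:
    """Constant-time comparison against the stored secret; any parse failure is a deny."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        # Compare against a dummy anyway so response time does not reveal
        # whether the user name exists.
        hmac.compare_digest(password.encode(), b"\x00" * 8)
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


if __name__ == "__main__":
    print(authenticate(encode_basic("alice", "s3cret")))  # well-formed, correct
    print(authenticate("Basic alice:s3cret"))              # not base64: denied
    print(authenticate(encode_basic("alice", "wrong")))    # wrong password: denied
```

The design choice worth noting is that every malformed input collapses to the same `False` path before any credential comparison happens, and the comparison itself uses `hmac.compare_digest` so a correct prefix does not finish faster than a wrong one.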
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
2.6.7
Release Description
This release includes known issues, new features and enhancements.
New Features and Enhancements
Audit Logging in CT-VL
Added audit logging in CT-VL for crypto operations (encrypt/decrypt). With this feature, audit logs for crypto operations are no longer mixed with application logs.
Audit logs for crypto operations contain the following:
Timestamp
Operation (encrypt/decrypt)
Username
Key name
Source IP/hostname of the application calling REST
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
2.6.6
Release Description
This release includes resolved issues.
Resolved Issues
| Reference | Description |
|---|---|
| TOK-3070, TOK-3123 | CT-VL backup fails due to insufficient disk space. When a user creates a backup using the Web UI, the process could fail with an error "No space left on device". This issue can also happen if the cluster is reset with data preserved. This issue is caused by having a large number of API clients from different IP addresses. After applying the patch, the user should be able to create a backup successfully. |
| TOK-3114 | CT-VL unable to update configurations. A restore from a backup or a reset of the cluster could render CT-VL unable to update configurations. For example, the user may not be able to add new users, groups, or keys. This failure can occur if the user has a large volume of tokenization or cryptographic historical data. |
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |
2.6.5
Release Description
This release includes known issues, new features and enhancements.
New Features and Enhancements
Below is the list of new features and enhancements included in this patch release:
Support for Key Management and Cryptographic Services with the CipherTrust Manager (CM).
Note
This release does not support:
Custom attributes for symmetric and asymmetric keys
Opaque objects
Key alias feature
NIST key states
AES-CTR and AES-GCM modes of encryption
Encrypt, decrypt, sign, and verify with RSA keys
Support for deployment in Azure Stack.
Known Issues
| Reference | Description |
|---|---|
| CADP-16484 | CKMS encryption could momentarily fail to respond (HTTP 502 Error) if it encounters numerous invalid encryption requests. |
| TOK-3117, CS1526685, CS1528902, CS1530674 | Excessive PostgreSQL WAL archive files could occur causing disk space issues. This could happen with the VMs having a base image of v2.5 or below. Upgrading to v2.6 or higher will not fix the issue. The real fix is to recreate the cluster with a base image of v2.6 or higher. |