May 2021 release (10.9.000066)

These release notes provide information about new features, enhancements or updates that are included to IBM® Security Verify Privilege On-Premises in May 2021.

Release date: 14 May 2021

Upgrade notes

Upgrade at the earliest opportunity.

Version 10.9.66 (10.9.0000066)

New features and enhancements

Added support for Traditional Chinese

Traditional Chinese is now a supported language.

SSH Command Blocklisting

SSH command blocklisting allows administrators to configure lists of commands that a user cannot enter during a proxied SSH session. See SSH Blocked Command Lists.

Pre-Check-in Pipeline Trigger

More trigger conditions are available for secret event policy pipelines. Pre-check-in triggers apply when a secret check in is requested before the check in occurs. The trigger can stop the pipeline with an error message or run commands.

Configuration Management

Configuration management adds export and import of Privilege Vault On-Premises configuration settings.

This feature facilitates transferring configurations from test to production environments. It also makes setup and configuration of new Privilege Vault On-Premises instances easier for customers and partners with multiple installations.

Timeouts for Tiered Workflow

Workflow templates have new timeout configuration options. They allow a workflow to automatically advance to the next step if insufficient responses are received during a configurable period.

Selectable Workflow Steps

Workflow approvals now allow an administrator to choose the next action when a step of the workflow is approved. Available actions are:

  • Approving the entire workflow, disregarding any later steps
  • Moving to the next step of the workflow
  • Moving to a later step in the workflow

CSV Scheduled Reports

Scheduled report configuration now includes the option to attach the report to the scheduled email in a spreadsheet-friendly comma-separated value (CSV) file.

User Interface
  • Migrated to an Angular framework which better supports usability and accessibility.
  • Left navigation menu is now a menu role, which helps accessibility and quickens keyboard navigation.
  • Updated color palette for accessibility.
  • Updated numerous buttons and links that were previously inaccessible with keyboard to improve keyboard navigation and accessibility.
  • Fixed an issue that caused selection and drop-down components to clip behind scrollable elements.
  • Improved labeling and tool tips for Connection Manager configuration.
  • Added a column in the new UI for admins in the users grid for 2FA. The same was added to API user search results.
  • The secret detail side menu now stays present in the UI after navigating away from secret.
General
  • Added user-defined metadata sections and field values on users, groups, folders, or secrets.
  • Updated and expanded the “custom launcher arguments” field character limit to prevent impact on scripted launchers.
  • Added a redirect service to direct Privilege Vault On-Premises internal hyperlink traffic to the updated Thycotic documentation portal.
  • Clarified the heartbeat status message on the secret page.
  • Added additional license key support for the Privilege Manager Unix/Linux Server.
  • Improved user data entry input security during Connect As sessions.

Fixes

Fixes the following issues.

API
  • Fixed an issue when creating workflow steps due to the template step stub not being available for the configuration object.
  • Fixed an issue returning a 500 error when getting the triggers for an event pipeline (/api/v1/event-pipeline/{id}/trigger).
  • Corrected the documentation on the endpoint for OAuth to obtain a refresh token.
  • Corrected the documentation to properly cite that a description is required for ReportCreateArgs to create reports.
Heartbeat and RPC
  • Fixed an issue with heartbeat on an AD Sync that prompted an exception.
  • Fixed an issue where the test action of SSH RPC configuration could not handle a dollar sign as the first character of the password.
  • Fixed an issue with a RPC and heartbeat PowerShell script that failed when a privileged account lacked additional permissions.
  • Fixed an issue that caused RPC to have “invalid” failures if values in the password changer were blank, even though the fields were not mandatory according to the configuration.
SSH Terminal
  • Fixed an issue where the SSH terminal did not honor host restrictions for secret launches.
  • Fixed an issue where SSH command menu commands through the SSH terminal did not reset the SSH proxy’s timer, causing an inactivity timeout.
  • Fixed an issue where the UI component for the SSH terminal blocklist settings was not visible when the SSH terminal setting was set to “No.”
  • Fixed an issue that locked Privilege Vault On-Premises user accounts when Unix connections to SSH terminal were made with a keypair and no passphrase. Authentication prompts are determined by SS > Admin > Config > Login > Enable SSH Key Integration (for SSH terminal). If this check box is left unchecked (assuming SSH proxy and terminal are enabled), the user is prompted for a password after trying to SSH into Privilege Vault On-Premises. If the box is checked, no attempts to log on with a private key are allowed if “Password Only” is selected. If one of the three other Unix authentication methods are selected, the private key is attempted first (or exclusively, in the case of “Public Key Only”).
User Interface
  • Fixed an issue where the UI would freeze when attempting to edit the manual host range on the discovery scanners page.
  • Fixed an issue where in the UI it did not properly display a site after being disabled from a discovery source on a domain.
  • Fixed an issue where the UI would not automatically adjust to display scrolling in modal windows.
  • Fixed an issue in the new UI where moving a folder would not correctly inherit the new parent folder’s permissions as displayed.
  • Fixed an issue in the new UI where a validation error was not displayed when a folder was moved to a folder containing a folder of the same name. The fix provides an error message to notify the user and allows the user to pick a new destination.
  • Fixed an issue in the new UI where a group search was not restricted by owner.
  • Fixed an issue with the RPC’s associated secrets table hiding columns after a column was resized beyond the workspace.
General
  • Fixed an issue impacting proper display of last login record in audits for OpenID Connect.
  • Fixed an issue that could cause discovery logs to take longer than usual to load and display.
  • Fixed an issue in Active Directory domain settings that caused the synchronization secret to revert to a previous entry.
  • Fixed an issue that prevented using some identifiers on the distinguished name in directory services. Added a base distinguished name code in the LDAP field configuration to ensure some identifiers do not cause an error.
  • Fixed an issue for Okta SAML login failures due to accounts being re-enabled.
  • Fixed an issue for RDP proxying where the remote host name was not being passed to the protocol handler for the RDP client to display.
  • Fixed an issue where additional DLL files were removed when a distributed engine was upgraded. A data directory “ignore list” file was added to list files that shall not be deleted during the upgrade process.
  • Fixed an issue that prevented a secret’s security settings from being edited when an event pipeline policy was set through a secret policy.
  • Fixed an issue that prompted a file upload error on a folder when attempting to attach a file. This occurred when the folder included a secret policy with an event pipeline policy.
  • Fixed an issue with protocol handler where an encoder was initializing even if session recording was disabled. Now the encoder is loaded only if screenshots are taken.
  • Fixed an issue with the C# SDK returning a null after the cache has expired for CacheThenServerAllowExpired.
  • Fixed an issue that could prevent users from logging in using SAML.
  • Fixed an issue in the new UI that prevented domain selection when creating a new user.
  • Fixed an issue where the site connector for a local site would not accept changes to the configuration in the UI. This only applied to system sites.
  • Fixed a permissions issue that occurred when enabling “view requires edit” on a password field that caused a user with only view permissions on a secret to no longer view the one-time password.
  • Fixed an issue with the SAML log on workflow that caused an invalid login page redirection loop with OpenID Connect.
  • Fixed an issue when using the move folder command causing removal of secret policy settings and inherit permissions.
  • Fixed an issue with SDK client management in client onboarding improperly displaying disabled application accounts when editing a user.
  • Fixed an issue with session recording the caused inactivity timeouts when activity timeout was not enabled.
  • Fixed an issue that caused SMTP send failures when the mail server was configured for implicit SSL.
  • Fixed an issue affecting 2FA login when OATH was not properly configured for the user. Log on now redirects to an error page with indication of the configuration issue.
  • Fixed an issue when disabled users were removed from local groups when new members were added to the group.
  • Fixed an issue where browsers can become unresponsive when producing long-running reports.
  • Fixed an issue where Privilege Vault On-Premises was not sending metadata to PBA when assigned to a site with a distributed engine, preventing SSO.
  • Fixed an issue where a permissions error is incorrectly prompted when setting a favorite folder.
  • Fixed an issue with SecureBlackbox TISSHClient not being compatible with -etm MAC algorithms. An update for SecureBlackbox has resolved this.
  • Fixed an issue where in SSC where the SSH proxy port was not being accepted.
  • Fixed an issue in 10.9 Upgrade where SQL was missing the DBO schema when creating the table tbEngineServerCapabilties, producing an “object not found” error when verifying the deltas.
  • Fixed an intermittent issue causing an error when using RDP proxy session recording with keystroke recording enabled. The error was intermittent based on which engine handled the connection.
  • Fixed an issue where custom logos set in Privilege Vault On-Premises did not display correctly caused by browser-level caching.
  • Fixed an issue where secrets were not checking in after the launcher is closed while using RDP proxy.
  • Fixed an issue where setting the “Allow Duplicate Secret Names” permission option to “No” caused a bulk delete action to produce an error

Pending deprecations

This section describes planned feature or platform-support deprecations in Privilege Vault On-Premises.

  • Internet Explorer 11: Support for Internet Explorer 11 will end on 31 August 2021. Privilege Vault On-Premises releases after that date will not support Internet Explorer 11.
  • Privilege Vault On-Premises Classic UI: The Classic UI option in Privilege Vault On-Premises is scheduled for removal in Q1 2022. After the announced date, the New UI will be the only on in Privilege Vault On-Premises.