The fix pack for IBM Security Secret Server 10.7 contains enhancements or fixes for issues.
- Fixed an issue with Legacy SAML. You are encouraged to migrate to Secret Server’s updated SAML if you are still using the Legacy version. See the SAML 2.0 Configuration Guide.
- This release launches a new web password filler. To update your web password filler extension, go to the extension download site for your browser and platform.
- If you have multi-node environments that use Advanced Session Recording, you must update all ASR agents after your Secret Server upgrade to take advantage of the RabbitMQ failover updates in this release. This update is recommended; however, if you do not perform it, current functionality is not affected. See the RMQ Failover section and the Secret Server Advanced Session-Recording Agent Installation KBA.
- You will be directed to the dashboard Overview tab for your first login after upgrading.
| Download | Release Date | Size (bytes) | Download Options |
|---|---|---|---|
| 10.7-ISS-SS-10.7.000059-PM-10.7 | 7 Jan 2020 | 336,681,795 | FC |
Secret Server now allows administrators to permanently delete audit records for tables that either contain Personally Identifiable Information (PII) or can grow large in enterprise environments. To configure these settings, an administrator must add the permission “Administer Data Retention” to the user’s role; the user can then navigate to Admin > Data Retention. See the “Data Retention” section in the Secret Server Administration Guide.
A new “Manual Rolling Upgrade” feature is available when upgrading from Secret Server version 10.7.000059 or later. Using this process, clients that use clustered web nodes with a load balancer can experience little-to-no downtime during the upgrade process. However, this process requires an administrator to perform some manual steps with Web node and database access. See the Minimizing Upgrade Downtime KBA.
Updated Secret Server to support durable exchanges for RabbitMQ (RMQ). This allows clustered site connectors to fail over without impacting Secret Server processing. Distributed engines will auto-update after Secret Server upgrade to also support durable exchanges through RMQ.
Note: Older Advanced Session Recording Agents (ASRA) can be used with this version of Secret Server but ASRAs will not benefit from this change to failover handling. To include failover capability for ASRA an updated agent must be deployed. See the Secret Server Advanced Session-Recording Agent Installation KBA.
Technical Details: The ExchangeDeclare logic in the MessageQueue client was altered to attempt to create durable exchanges, with logging. A durable exchange is automatically re-created if RabbitMQ restarts for any reason. Non-durable exchanges disappear when RMQ goes down and can only be re-created by some external action. If the new logic detects that creating the durable exchange failed, it logs an error and attempts to create a non-durable exchange instead.
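As an added illustration of the durable-first declare with logged fallback described above (example code written against the RabbitMQ .NET client, not Secret Server’s own MessageQueue client), where the exchange name, exchange type and logger callback are assumptions:

```csharp
using System;
using RabbitMQ.Client;
using RabbitMQ.Client.Exceptions;

// Illustrative only: mirrors the behaviour described in the release notes,
// not the actual Secret Server implementation.
public static class ExchangeSetup
{
    // Returns the open channel and whether the exchange ended up durable.
    public static (IModel Channel, bool Durable) DeclareWithFallback(
        IConnection connection, string exchangeName, Action<string> log)
    {
        var channel = connection.CreateModel();
        try
        {
            // Preferred path: a durable exchange survives a broker restart.
            channel.ExchangeDeclare(exchangeName, ExchangeType.Direct,
                                    durable: true, autoDelete: false, arguments: null);
            return (channel, true);
        }
        catch (OperationInterruptedException ex)
        {
            // Typical cause: 406 PRECONDITION_FAILED because an exchange with this
            // name already exists with different properties (e.g. non-durable).
            // The broker closes the channel on this error, so open a fresh one.
            log($"Durable declare of exchange '{exchangeName}' failed " +
                $"({ex.ShutdownReason?.ReplyCode} {ex.ShutdownReason?.ReplyText}); " +
                "falling back to a non-durable exchange");
            channel.Dispose();
            channel = connection.CreateModel();
            channel.ExchangeDeclare(exchangeName, ExchangeType.Direct,
                                    durable: false, autoDelete: false, arguments: null);
            return (channel, false);
        }
    }
}
```

The logged fallback is the signal to watch for in operations: if it fires, the exchange is still non-durable and will disappear on the next RMQ restart, so the failover improvement is not in effect for that exchange.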
Added a feature where Secret Server can now generate time-based one-time passwords (TOTP) for web secrets. This allows users to implement TOTP on shared secrets. Configuring secrets for TOTP begins at the secret template level. See the Secret Server Administration Guide.
Added the ability to truncate table logs for several types of data that log to the “Status Message” table. These messages can contribute to excessive log data and slow performance. The option to truncate each message type is called “Days to Keep Operational Logs” and is under the “Advanced” sections on the following list of configuration pages. Minimum message retention time is one day and the default is 30 days. The logs include:
Go to the Secret Server Administration Guide and search for “Days to Keep Operational Logs” to see all the locations where this can be configured.
Technical details: A background task was added that scans the status message table every 12 hours and checks the status messages against configured values for how long they must be retained. These configured values were added to applicable UI pages.
The Web browser extensions for Secret Server have a new look and feel and now have added browser and site support. These new extensions are available for:
These features from the old browser extensions are improved to allow more flexibility:
Users can now authenticate to Secret Server directly from the Web extension, including support for 2FA options, such as DUO. Log in via Secret Server is also available for users with single sign-on, SAML, or other multi-factor authentication mechanisms. Web extensions automatically identify manual entry of new credentials in a Web page and offer to save the credentials as a secret. There is also improved support for sites that use multi-page login mechanisms.
See the Web Password Filler section of the Secret Server Administration Guide for more information.
Enhancements available with the 10.7 On-premises release of Privilege Manager:
- Security Manager migration support added. The migration path to the latest Local Security implementation provides an analysis report of issues, such as missing account credentials or accounts that are not unique across targets, which can then be remediated before the migration.
- Change History auditing is available for resource items providing information on who initiated the change, at what date and time, and what type of change was made.
- The Remove Programs Utility, previously available via Configuration Feeds, has been fully integrated with the Privilege Manager Server and the Agents installation packages. The functionality has been expanded to also include Windows 10 App Store applications.
- Export and import of policies – including all dependent filter, action, and user context type items.
- New Reset Licensing task added.
- Support for filtering on the subject name of a signed digital certificate, allowing for much more generic certificate management.
- Dependency checks added to Privilege Manager for:
- Agents Enhancements:
- Support for configurable session and inactivity timeouts added.
- Allow right-click as a Thycotic Admin for .msu and .msc files.
- ServiceNow ticket request numbers are displayed within Privilege Manager’s prompts.
- Restrict access rights of File-Open dialogs that are launched from elevated processes.
- Domain User support in User Context Filters.
- When choosing a resource target, if an OU (Organizational Unit) is synced, the UI displays the computer and site names in their proper hierarchical structure.
- When choosing a domain user for a Role, the picker now shows the domain and group membership of that user.
- Ability to bypass policy inspection during endpoint boot-up so that boot-up time is not affected.
- Performance improvements during agent registration.
- Admin controlled list of extensions that are excluded from agent hashing.
- Application’s friendly name displayed in approval workflow prompts.
- The default log size can be set using configuration settings in the administrative policies tab.
- The default permissions on the Application Control Agent Configuration Policies have been updated as follows:
  - TMS Admins and Windows Admins have read/write access to the Application Control Agent Configuration Policy (Windows).
  - TMS Admins and Mac Admins have read/write access to the Application Control Agent Configuration Policy (MacOS).
  - TMS Admins, Windows Admins, and Mac Admins have Read/Create/Revoke access to Install codes.
- MacOS-specific features:
  - Target specific commands on macOS using wildcards (starts with, ends with, contains) and regular expressions.
  - Secure Token support.
  - MacOS discovery settings are more readily accessible on the discovery configuration page.
  - PKG files can now be uploaded directly within the Privilege Manager UI, alleviating the need to first perform file inventory of those applications on the endpoints. The application policy manager has added the ability to inventory a PKG file, allowing policies to be built prior to the discovery of the package.
  - MacOS Catalina support.
Added a new setting to disable keystroke data from advanced session recording metadata. The new setting is called “Default Keystroke Recording Configuration” and can be configured under Admin > Configuration > Session Recording > Configure Advanced Session Recording. Click Collection name to edit individual collection settings or agent settings. By default, advanced session recording keystrokes are enabled. See the Secret Server Administration Guide.
Added new SQL indexes for the following areas:
Added messaging for when computer or dependency scans do not run due to having no scanners configured for a discovery source.
Updated the definition of distributed engines’ offline status to be the configured heartbeat interval times three. For instance, if your heartbeat interval is configured at 5 minutes, the engine will report offline if Secret Server and the engine do not successfully communicate within a 15-minute period. Engine online and offline states were also added to subscription actions to allow notification of admins when engine states change. See the Event Subscriptions section in the Secret Server Administration Guide.
A second distributed engine is now available, by default, for the local site.
Added a new regex setting to automatically retry a remote password change (RPC) with a regenerated password if the original RPC failed due to a specific type of error.
Go to Admin > Remote Password Changing and click Advanced under the Configure Password Changers section. The new setting is “Attempt Password Change with new password when error contains (regex)”. Edit it to provide the regex for the failure code that will trigger the automatic follow-up RPC with a new password. See the Secret Server Administration Guide.
Updated secret template settings for importation and exportation to include:
The secret template settings that do not transfer include:
See the Can I import or export data between Secret Servers? KBA for more information.
See the Session Recording section in the Secret Server Administration Guide.
Added Verbose Logging for:
Added a new “Unique Field Slug” ID column for secret templates to allow users to create secrets with duplicate field names without compromising the ability to target each field name with a unique identifier for API calls. See the Secret Template Field Types section in the Secret Server Administration Guide.
Added the following user-based script variables to be used in API calls as arguments:
This allows, for example, a specific user who runs a check-out hook to pass their email, ID, username, or display name as a parameter into the script, so that check-out hooks and related AD functionality in Secret Server can be used through the API. See the “Checkout Hooks” section in the Secret Server Administration Guide.
Listed below are the bugs that have been addressed in this release. Each description reflects the product behavior prior to the fix and, for some items, specific details about the fix.
- Changing the selected collection for an SCCM collection does not correctly update membership.
- Page goes blank when navigating to Admin | Configuration and “Enable Automatic Refresh of Privilege Manager Alerts in Browser” is disabled.
- Clear remote scheduled policy parameters when the command is changed.
- Message Action text editor in UI should support formatting included in XML.
- Double-clicking on column width adjustment in the Agent Log Viewer gives an Unhandled Exception.
- The Advanced Display Message Action is running in the background.
- New schedule updates do not display clearly in the schedule.
- The Application Justification Report returns no results.
- The Resource Monitor doesn’t show counters after elevation.
- The COM Objects Elevation shows the Windows UAC prompt after canceling the Thycotic prompt.
- The “folder” view in the item selector does not work.
- The Event Counts on the Privilege Manager home are incorrect.
- Events are duplicated in the Event Discovery view.
- Win32Exe filter correctly handles files that have the internal attributes stripped.
- Remote/cloud connected clients that pull tasks are broken with service hardening tasks.
- The Password Age chart is broken and does not return any results.
- The Agent falls back to using legacy services and no longer retries to connect to current services.
- Offline Approval access is not available for the Privilege Manager HelpDesk User role.
- MacOS Resource Targets are not updating when trying to add to a policy.
- On mouse-over the Statistics | Changes Period to Past Month report throws an exception.
- Changing an Azure User’s Role membership in Azure is not reflected in Privilege Manager.
- An exception is thrown when navigating back to the Privilege Manager home after a session timeout.
- System does not handle logins to a machine without standard SIDs.
- The horizontal scrollbar is showing in the table for Windows Privilege Personas.
- The Policies table is congested when opened in smaller resolution.
- Reports displayed from the homepage may scroll past the pagination controls.
- The Top Applications widget on the homepage throws an exception.
- Several reports on the home page are not loading properly in Firefox.
- Updates to an exclusion filter name are not displayed after editing.
- The “no licenses installed” banner is missing.
- Redundant warnings appear about the anti-virus exclusion settings.
- An exception is thrown when navigating to the Foreign Systems tab on the Configuration page.
- AD synchronization does not work correctly for users with distinguished names in excess of 256 characters.
- The report generated from Purge Maintenance - Files Undiscovered has duplicate messages.
- The Agent configuration form does not show previous values when a user clicks cancel.
- Privilege Manager instances with Secret Server integration:
  - Secrets deleted from Secret Server create duplicate user credentials.
  - The expiration of a Secret Server session does not prevent access to Privilege Manager.
  - Changing Secret Server Role Permissions for Privilege Manager requires recycling the TMS application pool.
- If an issue is encountered with local UI preferences, Thycotic recommends clearing the local storage cache to remove old preference values. This can be done by going to Admin | Diagnostics and clicking the Clear Local Storage Cache button.
- Creating copies of a Persona or currently selected task schedule does not work.
- The File Specification Filter definition does not work on macOS 10.15 (Catalina) when the File Names field starts with com.apple.preference and/or the Path field starts with /System/Library/PreferencePanes/. Any policies leveraging these filter definitions are also impacted.
- In the Safari and Edge browsers, column filtering for the Agent Policy State and Agent Policy State - Drilldown reports does not work.
- The macOS self-elevation feature is not supported for systems running macOS 10.11 (El Capitan). The Privilege Manager Finder Extension does not work when installed on macOS 10.11. Thycotic recommends upgrading macOS endpoints to a newer version of the macOS operating system to utilize the latest feature enhancements in the Privilege Manager 10.7 macOS endpoint agent.
- Privilege Manager macOS Administrator and Privilege Manager Windows Administrator roles:
  - If you are using the Privilege Manager macOS Administrator role, the Privilege Manager Windows Administrator role, or both, you must also add those members to the Privilege Manager Users role, or they may not be able to view some of the application filters or actions. If you are using Secret Server authentication, restarting the Privilege Manager app pools may be required for this to take effect.
  - Members of the Privilege Manager macOS Administrator role, the Privilege Manager Windows Administrator role, or both may not be able to delete some items such as policies, actions, and filters, even though those items are editable. Have a member of the Privilege Manager Administrators role delete those items if this occurs.
10 January 2020