Thales Data Protection on Demand 

https://thalesdocs.com/dpod/support/changelog/index.html

New certificate issuer for North American datacenter

This change has been rescheduled to Tuesday February 8th 14:00 UTC to give customers more time to adjust their environments.

A knowledge base article with a full description of the change is available hereThe article contains important information on mandatory changes for users on 10.0 or 10.1 client versions in North America.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change on Tuesday February 8th 14:00 UTC  to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl

Additional registration fields are being made mandatory for tenant registration

The following fields are being made mandatory for tenant registration:

  • Address
  • City
  • ZIP or postal code

If you have automation using the API for tenant registration and tenant updating you should modify your automation to account for these new mandatory fields. 

See the Data Protection on Demand (DPoD) Public API for more information about available endpoints and fields.

Impact to HTTP White Listing

Under Development

If you are using an IP address in your HTTP Network Connection between your DPoD service and the DPoD platform we recommend you update your configuration to use the fully qualified domain name as described in Network Connectivity.

If your network configuration uses any hard coded IP addresses, be aware that upcoming changes to the DPoD platform will disrupt your connection to the service.

10.3 Luna Cloud HSM Service Client

Added

  • Version 10.3 of the HSM service client is now available for download from Thales Data Protection on Demand. This client supports hybrid usage of both Luna Cloud HSM services and the Luna HSM product line, as detailed in the HSM on Demand Client User Guide. See Upgrading your Luna Cloud HSM Service Client for more information about updating your Luna Cloud HSM service client.

Bugs Found

  • LUNA-14009 - Executing cmu verifyhsm does not prompt the user to enter a challenge string. Always specify a challenge string using cmu verifyhsm -challenge <string>.
  • LUNA-13907 - Requesting a certificate using cmu requestcertificate using the wrong attribute to specify the private key returns an incorrect error message. Use the -privateouid to specify a private key on a Luna Cloud HSM service.
  • LUNA-13780 - Executing cmu import to import a DSA key fails. Use an RSA public key instead.
  • LUNA-13761 - Executing cmu selfsigncertificate with no arguments specified, on Linux, cmu fails to prompt the user for the relevant object handles/OUIDs. Always specify the object handles/OUIDs using -publichandle and -privatehandle or -publicouid and -privateouid.
  • LUNA-12822 - ckmdeo option Get OUID (39) returns OUIDs with extra zeroes appended. Use option Get Attribute (24) to view the correct OUID.
  • LUNA-11269 - In HA configurations, where a Luna Cloud HSM service is configured as a standby, some events (such as when a connection drops and recovers due to a timeout when contacting the service) are not recorded in the HA log file.
  • SH-5595 - Deriving X9.42 DH2 keys returns CKR_OBJECT_HANDLE_INVALID. We recommend you avoid upgrading your Luna Cloud HSM service client until the issue is resolved. 
  • SH-4194 - Executing cmu getpkc to confirm a public key can fail. Execute the ckdemo Display Object (27) function to confirm the key pairs origins and security in the HSM. If the CKA_NEVER_EXTRACTABLE attribute is present it confirms that the private key was created in the HSM and has never been extracted.

Bugs Fixed

  • SH-4987 - The displayed serial numbers of self-signed certificates created using cmu selfsigncertificate now match the input serial number.

Update to Service Elections Process

Added 

Bugs Found

  • DPS-6769 - The Salesforce Key Broker service does not update the Last Modified At and Modified By columns in the Service Details tables when service secrets are updated.

Bugs Fixed

  • DPS-6737 DPoD Terms of Service now display correctly in the Safari browser. The DPoD Terms of Service are always available from the support portal. 
  • DPS-6761 - If the DPoD user interface cannot display the Salesforce Secret Type, the DPoD user interface will display the Salesforce value. 

Release 1.17

Added

  • The CipherTrust Key Broker for Google Cloud EKM service is now available. Register for the service through the Google Marketplace to gain access to an HSM secured key encryption key for use as a wrapping key in Google Cloud EKM. Access the service documentation for more information about the CipherTrust Key Broker for Google Cloud EKM service.

Bugs Found

  • EKMS-652 - The Add Key Ring button is disabled in the CipherTrust Key Broker for Google Cloud EKM service if you attempt to create a Key Ring without first adding an EKM Policy. Create an EKM Policy before adding a Key Ring.
  • EKMS-659 - The CipherTrust Key Broker for Google Cloud EKM dashboard URL shows a 404.  Access the CipherTrust Key Broker for Google Cloud EKM log in page and enter the FQDN of your CipherTrust Key Broker for Google Cloud EKM dashboard to log in.
  • DPS-5823 - New service clients created in the North America (NA) environment cannot connect to a service on Windows Server 2012r2 operating systems.

Release 1.16

Added

  • Version 10.2 of the HSM service client is now available for download from Thales Data Protection on Demand. This client supports hybrid usage of both HSMoD services and the Luna HSM product line, as detailed in the HSM on Demand Client User Guide. Refer to the HSM Client 10.2 Customer Release Notes document for more information. See Upgrading your HSMoD Service Client for more information about updating your HSMoD service client. 
  • HSM on Demand service clients now use JWT authentication. 
  • The HSMoD service client is now supported on the following operating systems:
    • RHEL8/CentOS8
    • Windows Server 2019 (standard and core)
  • You can configure additional logs (Application Error Logs and Curl Logs) in the application console. See the HSM on Demand Troubleshooting section for more information. 

Changed

  • The new HSMoD service has updated entries in the REST and XTC sections of the crystoki.ini (Windows) and the Chrystoki.conf (Linux) configuration files. Refer to the Configuration File Summary for a description of the default options and additional settings. 
  • Deleting a client from a JWT authenticated HSMoD service now revokes the client ID and client secret associated with that client. Create a new HSMoD service client for the service to resume access. See Managing HSMoD Services for more information about deleting a service client and revoking the service credentials. 

Removed

  • Older Java versions are no longer supported. See the HSM Client 10.2 Customer Release Notes document for more information.
  • If your application relies on Oracle Java 7 or Java 8, you must update the advanced version provided by Oracle. You require (at minimum) version 7u131 or 82u121. Please refer to the Oracle website for more information.
  • If your application relies on IBM Java 7 or 8, do not update your service client.If you want to update your client software, consider adopting OpenJDK or another supported Java version See Supported Cryptographic APIs.

Bugs Found

  • DPS-5531 - If you exit the Suggest An Edit feature, in the DPoD Platform documentation, using the Close button, you can no longer scroll the documentation page. Refresh the page to continue scrolling.
  • DPS-5493 - The Rotation Policies section of the Salesforce Key Broker service do not display. There is no workaround at this time.
  • DPS-5433 - Tenant administrator users cannot reset their password using the Actions column in the User Details table. Change your Tenant Administrator password by clicking Change password in the upper right corner of the DPoD UI. 
  • SH-4987 - When creating a self-signed certificate with cmu selfsigncertificate, additional characters are added to the specified serial number. Use cmu getattribute to list the actual serial number assigned to the certificate.

Bugs Fixed

  • Luna-11616 - LunaCM displays available slots if the client fails to resolve the DPoD service's hostname. Restart LunaCM to re-attempt the connection to the service.
  • Luna-11447 - Resolved a segmentation fault stopping HA members from failing over to an HSMoD service.
  • HOD-957 - The default log level in the client was updated to provide improved details. 

Release 1.15

Added

  • Tenant Administrator users can now use HSM on Demand services.

Deprecated

  • Removing support for the DPoD API endpoint /services in the next release. We recommend you begin using the /service_instances endpoint for all related HSMoD service client operations. 

Bugs Found

  • DPS-2808: When the Service Provider deletes a Tenant, if the deletion fails the Tenant Details page is not accessible. Workaround: This issue results from attempting to delete a Tenant with active services. To clear this state you must remove the blocking service from the Tenant's Application Owner users.
  • HOD-957: There is no user feedback in the lunacm utility on connection timeout. As a result, the client can appear to hang indefinitely. Workaround: Wait for the client to timeout or close and restart lunacm to re-attempt the connection.
  • KBR-620: The Salesforce Key Broker service is not available over the API. Workaround: Use a DPoD Application Owner account to configure a Salesforce Key broker service.
  • DPS-2161: Services with extended ascii characters in their name do not display properly in reports. Workaround: Open the report in a spreadsheet program with UTF-8 encoding.

Bugs Fixed

  • DPS-3083: The DPoD API endpoint /service_instances succeeds on the bind HSMoD service client operation.
  • DPS-2614: Tenant names are now trimmed on creation.
  • DPS-2494: Non-functional tenants that appear in the "Pending" state in the user interface are no longer included in reports.

Release 1.10

Features under development

  • FIPS Certification Firmware Candidate - The HSM firmware is undergoing FIPS certification coordination.

Added

  • Added the Virtual Token Library (VTL) to the 1.10 HSMoD service client. 
  • Client patched reducing timeout and failover issues during key and certificate migration.
  • Direct link to SafeNet Data Protection on Demand **Status Page** available in user interface footer.
  • The Company name no longer needs to be unique. Now, multiple enterprise tenants can share a common company name.
  • Service provider monthly reports now include the minimum billable units (MBU) selection from the tenants **Initial Elections** form.

Deprecated

  • Deprecating support for 32-bit operating systems.
  • Ending support for Windows Server 2008 and Windows Server 2008 R2.

Removed

  • You cannot download a new HSMoD service client for a service which existed prior to release 1.5. Recreate the service.

Bugs Fixed

  • DPS-3071 - Deleting an application owner account before deleting any associated platform credentials results in being unable to delete both the platform credentials and any associated subscriber group.
  • DPS-3006 - The HSM on Demand service generic mapping refers to key_vault in reports and the API.

Release 1.9

Features under development

  • FIPS Certification Firmware Candidate - The HSM firmware is undergoing FIPS certification review.

Added

Changed

Deprecated

  • LunaProvider.jar

Removed

  • You cannot download new HSMoD service clients for a service which existed prior to release 1.5. Recreate the service.
Show Previous EntriesShow Previous Entries