Subscriptions visible through the DPoD Portal

Thales Data Protection on Demand has made the following changes to how billing and service subscriptions work in DPoD:

  • The trial state no longer applies to the tenant; tenants are instead entitled to a 30-day evaluation period for each unique DPoD service type. The trial begins when you first create a new DPoD service of a service type, and deleting the service does not stop or pause the trial.
  • The Service Elections submission and approval process remains unchanged, but it now triggers the conversion of trial subscriptions to production subscriptions or directly creates production subscriptions. When a service elections form is processed, the selected service types become paid subscriptions.
  • Service providers, tenant administrators and application owners can review their subscription data using the Subscriptions tab in the DPoD GUI.
  • All services of a new service type provisioned after April 15th are "Trial" subscriptions, with a 30-day evaluation. 

Tenants that have an accepted Service Elections form will have the following changes: 

  • All paid subscriptions (DPoD Monthly, DPoD Term, Google) will be visible from the Subscriptions tab in the DPoD GUI.
  • All services created before April 15th under a service elections form become "Term" (or "Uncommitted" if the Term is expired) subscriptions.
  • All services created before April 15th and not under a service elections form become "Uncommitted" subscriptions.

Tenants that do not have an accepted Service Elections form will have the following changes:

  • All existing services become "Trial" subscriptions, beginning April 15th, with a 30-day evaluation. 

Note: If your tenant is unable to retrieve and display subscriptions, please contact Thales support to resolve the issue. You will be unable to provision new services until the issue is resolved.

Deprecated Service Provider Tenant Usage Report and Associated Endpoints

The Service Provider Tenant Usage Report and the associated tenants/usageReport, tenants/usageDetails, and service_instances/usageDetails endpoints are deprecated and will be removed from the platform by the end of 2023. 

As an alternative, use the Service Report in the DPoD service provider tenant, or the /v1/service_instances/usageBillingReport endpoint and the /v1/backoffice/serviceAgreements/{tenantId} endpoint, to compile tenant usage information.

CipherTrust Data Security Platform Beta in EU

The CipherTrust Data Security Platform is now visible in EU tenants as a beta service offering. Access to the beta service is restricted at this time. The beta service is disabled in all tenants that are not participating in the beta.

For more information about registering for the CipherTrust Data Security Platform beta please contact steve.kingston@thalesgroup.com.

Luna Cloud HSM Partition Cloning Fails with the 10.5 Client

Bugs Found 

  • DPS-10104 - Luna Cloud HSM Partition Cloning Fails with the 10.5 Client
    Cloning keys between two Luna Cloud HSM partitions fails when using the 10.5 client. There are currently two possible workaround scenarios.
    -> Workaround #1 - If there is a Luna SA7 (or any other separate device to use as an intermediary for the cloning), then clone to and from that device.
    -> Workaround #2 - If there is no separate device, then completely uninstall the 10.5 client and install the 10.4 client from scratch. For this option, please raise a support ticket on the Thales Customer Support portal requesting that the two partitions be joined together, as the 10.4 client does not support dynamic partition loading.
    You can make the request by following this link:
    https://thalesdocs.com/dpod/resources/client_resources/client_connect_to_multiple_services/index.html

Deprecated API Parameters on POST /serviceAgreements and GET /serviceAgreements/{tenantId} endpoints

The DPoD Platform API has deprecated the tileId parameter on the POST /serviceAgreements endpoint and the tileName parameter on the GET /serviceAgreements/{tenantId} endpoint.

Both parameters will be removed from the platform in a future update.

See the Subscriptions API for more information about available endpoints, fields and scopes.


UC Dynamic UserID Loading

As of UC 10.5, the configuration of multiple users will be supported, which allows multiple partition slots to be accessed from a single client instance. Customers can add multiple UserIDs (each a combination of a unique AuthTokenClientID, AuthTokenClientSecret, and AuthTokenConfigURI) without restarting the application after adding a new UserID. This enables a service provider to configure multiple UserIDs without impacting the service of any of the other users in the same UC instance.

The ability to load multiple partitions to the same UserID without impacting service to other users will also be supported. If an attempt is made to add the same partition ID to a different user, the attempt will be ignored and a Warning log will be generated.

 

More info can be found here: "Dynamic Partition Loading for Luna Cloud HSM Services"

Audit Logs Available for Luna Cloud HSM Services

Thales Data Protection on Demand now collects audit logs for Luna Cloud HSM Services using client version 10.2 and newer. Users can generate audit log files and retrieve signed URLs for access to the audit log files using the Audit Query API /v1/audit-log-exports endpoint. Audit logs provide a record of the outcome of an action by an actor on a resource. 

For more information about Audit Logging, see About the Audit Log API.

Additional Field is Being Made Mandatory for Service Creation using the API

The servicePlan field is being made mandatory for service creation when using the API, for example when using POST /service_instances or POST /services.

If you use the API to provision services, you will need to pass a value matching one of the plans listed in the Open Service Broker catalog. For Luna Cloud HSM services, you must pass "single_hsm". Failure to pass a valid plan will result in a 400 error.

See the Thales Documentation Portal for more information about available endpoints and fields.

New certificate issuer for European data center

A new certificate issuer will be used in the European data center for Luna Cloud HSM clients starting in August 2022.

A knowledge base article with a full description of the change is available here. The article contains important information on mandatory changes for users on 10.0 or 10.1 client versions.

This change introduces a new endpoint for validating the certificate status. Please ensure that operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. 

Ensure that these certificate revocation lists (CRLs) are accessible from the client machine prior to the planned change in August 2022 to guarantee continuity of service.

Current CRL: http://crl.godaddy.com/gdig2s1-3235.crl
New CRL: http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
Platform CRL: http://crl3.digicert.com/ssca-sha2-g7.crl
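
A pre-change check for the requirement above, as an added example (not Thales code): it fetches each listed CRL over plain HTTP on port 80 and confirms the response looks like a CRL rather than a proxy or block page. The function names and the DER/PEM sniffing heuristic are assumptions of this example.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# CRL distribution points listed in the notice above.
CRL_URLS = {
    "current": "http://crl.godaddy.com/gdig2s1-3235.crl",
    "new": "http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl",
    "platform": "http://crl3.digicert.com/ssca-sha2-g7.crl",
}

def http_fetch(url, timeout=10):
    """Default fetcher (this example's helper): HTTP GET -> (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx: host reachable, fetch refused
        return exc.code, b""

def looks_like_crl(body):
    """Heuristic only: DER SEQUENCE with long-form length, or a PEM CRL block.
    It does not verify the CRL signature or its validity dates."""
    der = len(body) > 2 and body[0] == 0x30 and bool(body[1] & 0x80)
    return der or body.lstrip().startswith(b"-----BEGIN X509 CRL-----")

def check_crl(url, fetch=http_fetch):
    """Classify one CRL URL as ok / not-port-80 / unreachable / http-N / not-a-crl."""
    parts = urlsplit(url)
    if parts.scheme != "http" or (parts.port or 80) != 80:
        return "not-port-80"  # the notice requires validation over port 80
    try:
        status, body = fetch(url)
    except OSError as exc:  # DNS failure, refused connection, timeout
        return f"unreachable: {exc}"
    if status != 200:
        return f"http-{status}"
    if not looks_like_crl(body):
        return "not-a-crl"  # e.g. a filtering proxy's HTML block page
    return "ok"

def check_all(urls=CRL_URLS, fetch=http_fetch):
    return {name: check_crl(url, fetch) for name, url in urls.items()}

if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:8} {result}")
```

Run it on the machine that hosts the client; urlopen honours proxy environment variables, so the result reflects that host's proxy configuration.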
