Added

• Tenant Administrator users can now use HSM on Demand services.

Deprecated

• Removing support for the DPoD API endpoint /services in the next release. We recommend you begin using the /service_instances endpoint for all related HSMoD service client operations. 

Bugs Found

• DPS-2808: When the Service Provider deletes a Tenant, if the deletion fails the Tenant Details page is not accessible. Workaround: This issue results from attempting to delete a Tenant with active services. To clear this state you must remove the blocking service from the Tenant's Application Owner users.
• HOD-957: There is no user feedback in the lunacm utility on connection timeout. As a result, the client can appear to hang indefinitely. Workaround: Wait for the client to timeout or close and restart lunacm to re-attempt the connection.
• KBR-620: The Salesforce Key Broker service is not available over the API. Workaround: Use a DPoD Application Owner account to configure a Salesforce Key broker service.
• DPS-2161: Services with extended ascii characters in their name do not display properly in reports. Workaround: Open the report in a spreadsheet program with UTF-8 encoding.

Bugs Fixed

• DPS-3083: The DPoD API endpoint /service_instances succeeds on the bind HSMoD service client operation.
• DPS-2614: Tenant names are now trimmed on creation.
• DPS-2494: Non-functional tenants that appear in the "Pending" state in the user interface are no longer included in reports.

Changed

• The DPoD Platform Customer Release Notes (CRN) has been removed from distribution. Please refer to the Platform Changelog to stay up-to-date on the DPoD platform and its available services.
• Please refer to the Universal Client Customer Release Notes (CRN) for more information about the Universal Client used by HSM on Demand services. 

Bugs Fixed

• SH-5169 - Resolved an issue where clients with a very high session version could fail when connecting to the service.

Added

• SafeNet Data Protection on Demand now contains Partner Service Tiles. Partner service tiles redirect the user to an affiliated service site where users can register for a DPoD partner's service offering. For more information about Partner services see the Partner Services Documentation.
• Version 10.1 of the HSMoD service client is now available for download from SafeNet Data Protection on Demand. This client supports hybrid usage of both HSMoD services and the SafeNet Luna Product Line, as detailed in the HSM on Demand Client User Guide. These features include:
  • Secure key cloning between HSMoD Services and password-authenticated SafeNet Luna Network HSM 7.x or SafeNet Luna PCIe HSM 7.x.
  • Failover between HSMoD Services and password authenticated SafeNet Luna Network HSM 7.x or SafeNet Luna PCIe HSM 7.x. This feature is configured using LunaCM's high availability (ha and hagroup) commands. We recommend the default setting of the HSMoD service as a standby member of the HA group.
  • Key backup and restore with the password-authenticated SafeNet Luna G5 Backup HSM.

Bugs Fixed

• SH-4350 - Utilities included in older clients downloaded before October 2019 can have a delay of up to 20 seconds on startup. Resolution: Clients that contain this bug are no longer supported or available for download.
• SH-3519 - The LunaProvider.jar does not allow generation of FIPS 186-3-approved RSA keys. Resolution: The LunaProvider.jar included in the latest client package includes this support.
• LUNA-10915, SH-3162 - When you delete a key from the an HSMoD service, CKlog displays an incorrect object handle. Resolution: Fixed in the latest client package.

Added

• Users can now reset their password for the SafeNet Data Protection on Demand log in page without requiring administrator intervention. In the event of MFA lockout, users are still required to contact their administrator to reset the token.
• HSM on Demand Services running in Non-FIPS mode now support BIP32. There are now two BIP32 mechanisms available: CKM_BIP32_CHILD_DERIVE and CKM_BIP32_MASTER_DERIVE. In addition, ECDSA mechanisms now accept BIP32 key types for the key derivation function. The latest client version (10.0 or above) is required for these mechanisms. Clients downloaded before October 2019 do not support BIP32.
• HSM on Demand Services now fully support the 22519 elliptic curve variant.

Bugs Fixed

• SH-4240 - If you initialize the Crypto User, and then login and logout of this role without changing its password, the LunaCM session can no longer log in or log out any users, and returns the error CKR_USER_ALREADY_LOGGED_IN.
• SH-3804 - A multi-part command fails with the error CKR_OPERATION_NOT_INITIALIZED.
• KBR-758 - After Tenant creation, the new Tenant is not visible in the Tenants list.

Features under development

• FIPS Certification Firmware Candidate - The HSM firmware is undergoing FIPS certification coordination.

Added

• Added the Virtual Token Library (VTL) to the 1.10 HSMoD service client. 
• Client patched reducing timeout and failover issues during key and certificate migration.
• Direct link to SafeNet Data Protection on Demand **Status Page** available in user interface footer.
• The Company name no longer needs to be unique. Now, multiple enterprise tenants can share a common company name.
• Service provider monthly reports now include the minimum billable units (MBU) selection from the tenants **Initial Elections** form.

Deprecated

• Deprecating support for 32-bit operating systems.
• Ending support for Windows Server 2008 and Windows Server 2008 R2.

Removed

• You cannot download a new HSMoD service client for a service which existed prior to release 1.5. Recreate the service.

Bugs Fixed

• DPS-3071 - Deleting an application owner account before deleting any associated platform credentials results in being unable to delete both the platform credentials and any associated subscriber group.
• DPS-3006 - The HSM on Demand service generic mapping refers to key_vault in reports and the API.

Features under development

• FIPS Certification Firmware Candidate - The HSM firmware is undergoing FIPS certification review.

Added

• Initial Elections Form. See Converting from Evaluation to Subscriber for more information.
• Disaster Recovery.

Changed

• FIPS Mode is more restrictive. See Customer Release Notes 1.11 for more information.
• Some criteria in platform wizards now mandatory.

Deprecated

• LunaProvider.jar

Removed

• You cannot download new HSMoD service clients for a service which existed prior to release 1.5. Recreate the service.

Features under development

• FIPS Certification Firmware Candidate - The HSM firmware is undergoing FIPS certification review.
• Conversion from evaluation to subscriber tool for enterprise tenants.

Added

• Sign up page. See Registering Tenants Automatically for more information.

Removed

• You cannot download new HSMoD service clients for a service which existed prior to release 1.5. Recreate the service.

Bugs Fixed

• DPS-2159 - When the service provider administrator edits an enterprise tenant, the tenant administrator field displays empty.

Features under development

• DPoD enterprise tenant registration page
• Pipeline improvements

Added

• Introduced a multi-factor authentication requirement using an authentication application on a mobile device for all users.
• Added the following HSM on Demand service tiles:
  • HSM on Demand for CyberArk Digital Vault
  • HSM on Demand for Java Code Signer
  • HSM on Demand for Microsoft ADCS
  • HSM on Demand for Authenticode
  • HSM on Demand for Microsoft SQL Server
• Added the Key Migration Guide to the HSM Client Guides in the Help system. This migration guide now details the process for transferring key material from an Amazon Web Services (AWS) cloud HSM to a DPoD HSM on Demand service.

Changed

• Updated the following HSM on Demand service tiles:
  • HSM on Demand
  • HSM on Demand for Digital Signing
  • HSM on Demand for PKI Private Key Protection
  • HSMoD for Oracle Database
  • HSM on Demand for Hyperledger

Bugs Fixed

• DPS-2501 - The UI does not identify an invalid hostname when creating a tenant, resulting in the user having to repeat the tenant creation process.
• DPS-2159 - When the service provider administrator edits an enterprise tenant, the tenant admin field displays empty.
• DPS-2487 - Editing the tenant account name does not update the heading on the log in page.
• DPS-2434 - Deleting a tenant when the tenant account was accessed using the search box fails.

Added

• Introduced multi-tier hierarchy. 
  • Service Provider Tenant Accounts can now distribute additional tiers of Service Provider Administrators (up to two). This allows certain Service Provider Tenant Accounts to take on a marketplace operator role. 
  • Reports are now an aggregate of all service usage from all of the Service Provider's tenants and any subService Provider tenants for a specified month. 
• Application Owner HSMoD services can now support up to fifty 4096 bit RSA key pairs. Longer bit RSA keys increase security of cryptographic operations. 
• HSM on Demand service support for Windows Server 2008.

Bugs Fixed

• SH-3166 - Oracle Wallet closes automatically on Linux operating systems when using an HSMoD service.
• DPS-1553 - User cannot reset service provider administrator password.
• DPS-1538 - Cannot generate usage reports in certain time zones.
• DPS-1444 - When adding an application owner the subscriber group value does not generate.
• HOD-250 - If you delete a HSMoD service client, the dialog text displayed indicates that the HSMoD service client's access to the service will be revoked. This statement is incorrect. The client is only removed from the list.
• HOD-40 - If you attempt to create a HSMoD service client named "." or "/" the HSMoD service client appears in the list, but no HSMoD service client is downloaded.
• DPS-2162 - Listing clients for a service, when using the API, requires a size parameter.
• DPS-1358 - The Delete Subscriber Group button does not activate when the Subscriber Group is empty.
• HOD-308 - The Linux HSMoD service client .zip requires manually copying the Chrystoki.conf file to the /etc folder.

Added

• Marketplace Management - tenant administrators can configure available services. See Configuring Available Services for more information.
• Migrate keys in to DPoD.
• API Credential Management - allows API access to application owners. See the DPoD API Getting Started Guide for more information about generating, managing, and using DPoD API credentials.
• HSM on Demand for Hyperledger service tile.

Bugs Fixed

• DPS-1553 - User cannot reset service provider administrator password.
• DPS-1538 - Users cannot generate usage reports in certain time zones.
• DPS-1444 - Subscriber group population not incrementing.
• HOD-250 - HSMoD service clients not deleting fully.
• HOD-40 - If you attempt to create a HSMoD service client with an improper name no error is returned.
• DPS-1358 - The Delete Subscriber Group button does not activate when the subscriber group is empty.
• HOD-308 - The linux HSMoD service client package requires manually copying Chrystoki.conf to the /etc folder.
• HOD-212 - The command register /library fails.