KeySecure CUSTOMER RELEASE NOTES. Contents. Version: Issue Date: 2 February 2015 Document Part Number: , Rev A.

Transcription

1 KeySecure CUSTOMER RELEASE NOTES Version: Issue Date: 2 February 2015 Document Part Number: , Rev A Contents Product Description... 3 Key Management... 3 High Performance... 3 Broad Flexibility... 3 Robust Security... 3 Release Description... 4 Supported SafeNet Client Platforms and Versions... 4 Supported Upgrade Paths... 4 Supported Migration Paths... 4 New Features and Enhancements... 5 Format Preserving Encryption (FPE) Algorithm... 5 Certificate Signing Request Creation in XML Interface... 6 Additive Only Restore... 6 Known Hosts Validation for SCP Operations... 6 SCP Key Authentication for Backup and Restore... 7 Web Certificate Import... 7 Advisory Notes... 8 Duplicate IP Address for Virtual Machines... 8 Port Parameters on Virtual Machines... 8 Initialization... 8 Certificate Authorities... 8 Group Permissions and Certificates... 8 Clock Synchronization... 8 Clustering, Backup, and Restore between Platforms... 8 Key Management and Crypto Operation Failure after Remote HSM Disconnection... 9 Best Practices for High Availability Ethernet Connections on 460 and Disable SSL Backup protocols... 9 Page 1 of 13

2 Remote HSM Documentation... 9 Hardware Advisory Note... 9 Dell idrac Interface... 9 Resolved and Known Issues Issue Severity and Classification Resolved Issues Known Issues Product Documentation Technical Support Information Page 2 of 13

3 Product Description By providing centralized management of keys, policies, and essential functions, KeySecure simplifies administration, helps ensure compliance, and maximizes security. Key Management KeySecure offers robust capabilities for managing cryptographic keys across their entire lifecycle, including key generation, key import and export, key rotation and much more. With KeySecure, all cryptographic keys are stored in a centralized, hardened appliance to simplify administration while ensuring tight security for the broadest array of data types. High Performance Even for large distributed enterprises that use multiple encryption solutions, keys can be centrally managed without making any perceptible impact on system performance. In addition, customers can deploy multiple KeySecure appliances in a clustered configuration with real-time replication of keys, policies, and configuration information across multiple appliances - enabling complete disaster recovery and business continuity. Broad Flexibility KeySecure offers key management capabilities that can be integrated with virtually any commercial encryption product. Supported technologies include: Luna SA HSM partitions and Luna PCI HSMs. Application encryption, either software or hardware based. Database encryption, including native database encryption. Device encryption. File and storage level encryption solutions. KeySecure supports a wide range of open cryptographic standard interfaces, including PKCS #11, JCE, and.net. KeySecure also supports the Key Management Interoperability Protocol (KMIP). Further, customers and partners can take advantage of KeySecure s NAE-XML interface to develop their own custom software utilizing the enterprise key management functionality of KeySecure. Robust Security KeySecure offers a range of robust security features: Capabilities for segregating administrative duties between different administrators. Granular authorization capabilities that enable constraints to be placed on user operations based on specific key permissions. Active alerting capabilities that inform administrators if attempts to breach protected data occur. Secure key distribution through support of TLS. Secure storage of key encryption keys on a Luna HSM card. Page 3 of 13

4 Release Description KeySecure version is a field upgrade release available on the KeySecure k460, KeySecure k450, KeySecure k250, KeySecure k150, DataSecure i460, DataSecure i450 and DataSecure i150 server hardware platforms. Virtual KeySecure is available for download on VMWare and Amazon Web Services Marketplace. Supported SafeNet Client Platforms and Versions KeySecure version supports the following SafeNet client platforms and versions. Client Supported Version(s) ProtectFile-Linux ProtectFile-Windows ProtectDB Oracle ProtectDB SQL Server ProtectDB DB ProtectApp-JCE ProtectApp-.Net ProtectApp-ICAPI Tokenization Manager StorageSecure, ProtectV and older versions of the above clients are expected to work with KeySecure 8.1. Use at your own risk. CAUTION SafeNet recommends testing older versions of client platforms in a non-production environment to ensure proper functionality. Contact your Sales Representative or Sales Engineer for assistance in determining specific compatibility. Supported Upgrade Paths You can upgrade older versions of KeySecure and DataSecure software operating systems to KeySecure If you upgrade a DataSecure, the Crypto License Pack and ProtectDB are enabled by default. KeySecure > KeySecure KeySecure > KeySecure > KeySecure KeySecure > KeySecure DataSecure > KeySecure Crypto License Pack Supported Migration Paths You can migrate keys from some older versions of KeySecure and DataSecure to KeySecure If you migrate from a DataSecure, Crypto License Pack must first be enabled on the new appliance. You can migrate keys Page 4 of 13

5 through backup and restore. To migrate through backup and restore, refer to the Backup and Restore chapter of the Appliance Administration Guide. The following migration paths are supported: VMware: From release To release Virtual KeySecure Virtual KeySecure Virtual DataSecure Virtual KeySecure + Crypto License Pack Virtual KeySecure Virtual KeySecure AWS: From release To release Virtual KeySecure Virtual KeySecure Virtual KeySecure Virtual KeySecure Migration to 460 (R320) appliances: From release To release KeySecure k460, KeySecure k KeySecure 460 (R320) DataSecure i460, DataSecure i450, DataSecure i KeySecure 460 (R320) + Crypto License Pack Migration to 450 (R320) appliances: From release To release KeySecure k KeySecure 450 (R320) DataSecure i450, DataSecure i KeySecure 450 (R320) + Crypto License Pack Migration to 250 appliances: From release To release KeySecure k KeySecure DataSecure i KeySecure Crypto License Pack New Features and Enhancements Format Preserving Encryption (FPE) Algorithm Format Preserving Encryption (FPE) is an algorithm which preserves the length and format of plaintext after encryption into ciphertext. For example, if you use FPE to encrypt a data segment that is a 16 digit numerical value, Page 5 of 13

6 the resulting ciphertext is also a 16 digit numerical value. In KeySecure, FPE uses existing AES keys to encrypt and decrypt. See the Supported Key Algorithms chapter of the XML Development Guide for more information about this algorithm. Certificate Signing Request Creation in XML Interface KeySecure now supports creating SSL Certificate Signing Requests in the XML interface in addition to the Management Console web interface. See the Certificate and CA Requests chapter in the XML Development guide for information about these commands. Additive Only Restore This is a new option to only restore new managed objects (keys and managed object certificates) from a backup file. With this option enabled, if a managed object exists on both the appliance and the backup file, restoring does not overwrite the managed object already on the appliance. Known Hosts Validation for SCP Operations Known hosts validation is a new option whereby the appliance checks that a remote host attempting SCP transfer is on the known hosts list. This validation is an extra layer of security which protects against unauthorized connections, and is disabled by default. When known hosts validation is enabled, the validation is performed when SCP transfer is used for the following operations: Backup and Restore CRL export CRL update Importing a certificate as a managed object Importing an SSL certificate Importing a web certificate Log transfer Remote log rotation Registering a Remote HSM or CloudHSM Software license installation Software upgrade CAUTION If you attempt to perform SCP transfer to a remote host that is not on the known hosts list and known hosts validation is enabled, the transfer fails. After upgrade, we recommend adding any remote hosts in use for SCP transfer to the known host list, and then enabling known hosts validation. See the instructions below. To set up known hosts validation after upgrade 1. Determine which remote hosts you would like to use for SCP transfer operations. 2. Obtain the remote hosts IP or hostname. 3. Navigate to the Known Hosts page (Device >> Known Hosts). Page 6 of 13

7 4. Add or import the remote hosts as described in the Known Hosts chapter in the Appliance Administration Guide. 5. In the Enable Known Hosts Validation section, click the Edit button. 6. Check the Enable Known Hosts Validation checkbox. Click Save. 7. If you want to make SCP connections to other remote hosts later, ensure that they are on the known hosts list before attempting SCP transfer. SCP Key Authentication for Backup and Restore You can now configure KeySecure to use key authentication instead of password authentication when performing an SCP transfer for backup, restore, or importing a web admin certificate. See the SSH Public Key chapter of the Appliance Administration Guide for configuration steps. Web Certificate Import KeySecure now supports importing your own web certificate for authentication during user logins to the Management Console web interface. The KeySecure generates its own self-signed Web Admin certificate during basic configuration. By default, this certificate is used for authentication whenever a user logs into the Management Console web interface. You can import your own web certificate using FTP, SCP password authentication, or SCP key authentication. If you want to use SCP key authentication method, you must first perform some configuration. If you want to use FTP transfer or SCP password authentication, go directly to the import the web certificate procedure. To perform the required configuration for SCP key authentication 1. Log into the command line interface. You can connect directly at the serial console or remotely using SSH on TCP port Compare the presented RSA or DSA key fingerprint with the corresponding key fingerprint displayed during basic configuration. 3. Type config to enter configure mode. 4. Type display sshkey to display the KeySecure's public SSH key. 5. Copy the key to your remote host's authorized_keys file. To import the web certificate 1. Log into the command line interface if you have not already. You can connect directly at the serial console or remotely using SSH on TCP port If this is your first login, compare the presented RSA or DSA key fingerprint with the corresponding key fingerprint displayed during basic configuration. 3. Type config to enter configure mode. 4. Type import webadmin certificate to import the certificate. 5. Select the transfer method: FTP, SCP password authentication, or SCP key authentication. 6. Enter the source host, username, password, source filename, and certificate password, if applicable. The KeySecure imports the certificate. 7. Log into the Management Console web interface at (assuming you set the 9443 default as the port for web administration). Use the default username admin and the password you set during basic configuration. The browser presents the imported web admin certificate. Page 7 of 13

8 Advisory Notes Duplicate IP Address for Virtual Machines When installing the KeySecure virtual machine, the system does not check to see if the IP Address you enter for the new virtual machine already exists. Be sure to choose an IP Address that is not already in use. Port Parameters on Virtual Machines The virtual machine products do not support querying and setting Ethernet port parameters from either the Management Console or the command line interface. Initialization After initializing the KeySecure, the command line prompt instructs you to press Return to continue. If you do not press Return and end the console connection before seeing the login prompt, you will not be able to establish a new console connection until you reboot the KeySecure. Certificate Authorities Certificate Authority (CA) certificates must be revoked individually. Chain revocation is not supported for Certificate Authority Certificates. If a CA certificate is revoked, the certificates signed by the CA certificate are not automatically revoked. Before installing a known CA, consult the list of CAs on the KeySecure. Do not install duplicates. Installing a known CA certificate more than once on a KeySecure can render, under some circumstances, the Certificate Revocation List (CRL) information unreliable for that CA. In such cases, a certificate that was revoked by that CA actually appears as active. Back up Local CAs after using them to issue certificates to avoid disrupting CRL operations. CAs issue serial numbers to the certificates they sign. Local CAs use a seed value to determine the serial number. Each time a certificate is signed, the seed value is incremented by one. If you back up a local CA with seed value x, and continue to issue certificates with that CA, the seed value becomes x + n, where n is the number of certificates signed by that local CA since the backup was created. If you then restore the backup, the seed value for the local CA will revert to x. After this restore, the local CA can possibly issue existing serial numbers to new certificates. Identical serial numbers on multiple certificates will interfere with CRL operations. Group Permissions and Certificates Group permissions specified for groups of certificates do not have any effect. Clock Synchronization Synchronizing the time causes the Key Server to restart if the time change is greater than one minute. While restarting, the Key Server is unavailable for up to 60 seconds. For more information on time synchronization, see Chapter 5, Date, Time and NTP in the KeySecure Appliance Administration Guide. Clustering, Backup, and Restore between Platforms A virtual platform can only cluster with, backup to, or restore to another virtual platform. A physical platform can only cluster with, backup to, or restore to another physical platform. As the physical platform has a higher level of assurance than the virtual platform, clustering, backing up and restoring between the two platforms may compromise key and certificate security. Page 8 of 13

9 Key Management and Crypto Operation Failure after Remote HSM Disconnection If a virtual KeySecure that has a remote HSM repeatedly fails key management and crypto operations, the remote HSM may have disconnected and reconnected. If you suspect this has happened, back up your keys as a test. If the backup does not contain any keys, the remote HSM has disconnected and reconnected. Log the crypto user out and then log the crypto user in. If the virtual KeySecure is in a cluster, manually synchronize the virtual KeySecure with the cluster. Best Practices for High Availability Ethernet Connections on 460 and 450 If you enable High Availability on a KeySecure 460 or KeySecure 450, we recommend that you use only one Ethernet port for all appliance functions. If you assign an Ethernet port for High Availability, and one or more other ports for other functions, the Ethernet port designated for High Availability sometimes interferes with MAC address assignment and routing on the other Ethernet port(s). Disable SSL 3.0 We strongly recommend disabling SSL 3.0 at all times, based on CVE See the National Vulnerability Database for more details: Ensure that your internet browser does not use SSL 3.0 before disabling SSL 3.0 on KeySecure. We recommend using TLS 1.2 if available on your Internet browser. Backup protocols Backup via FTP is not supported. This option will be deprecated in the future. We strongly recommend performing backups via SCP instead. Remote HSM Documentation All material referring to AWS CloudHSM in the Appliance Administration Guide and Command Line Interface Reference Guide also applies to Remote HSM for VMWare deployments. The VMWare Installation Guide contains a chapter with procedures to set up the Remote HSM feature. Hardware Advisory Note Dell idrac Interface KeySecure appliances support the idrac interface from Dell. The appliances ship with the default username and password from Dell. The default username is root, and the default password is calvin. For detailed information, see the "idrac Configuration Utility" sections in the Dell PowerEdge R320 Systems Owner's Manual that is available at Separate and more complete documentation is available as part of the Integrated Dell Remote Access Controller User Guide. Best Practice: Change the default password to disable or limit usage, if the idrac interface poses a challenge to IT policy. Page 9 of 13

10 Resolved and Known Issues Issue Severity and Classification The following table serves as a key to the severity and classification of the issues listed in the Resolved Issues table and the Known Issues table, which can be found in the sections that follow. Severity Classification Definition C Critical No reasonable workaround exists H High Reasonable workaround exists M Medium Medium-level priority problems L Low Low-level priority problems Resolved Issues Severity Issue Synopsis M DS Summary: On the High Security page (Security >> High Security), the Security Settings Configured Elsewhere only displays TLS 1.0, not TLS 1.1 or TLS 1.2. In addition, some warnings reference older internet browsers not supporting TLS 1.0. These are display issues in Management Console; all references to TLS 1.0 include TLS 1.1 and TLS 1.2 as well. Resolution: Fixed. M DS Summary: You cannot query certificates using Object Name, Common Name, or Issuer Name. Resolution: Fixed. M DS Summary: After scheduling a device backup with all keys selected, the Automated Remote Backup Schedule page displays Managed Objects: None but all managed objects selected for backup are still backed up. After the restore takes place, all managed objects are still available. Resolution: Fixed. The Automated Remote Backup Schedule page displays Managed Objects: All in this case. M DS Summary: Deleting the read-only attribute Compromise Date fails as intended, but returns the result reason Illegal operation instead of Permission Denied. Resolution: Fixed. The correct result reason is now returned. M DS Summary: Creating a key pair without providing any payload fails as expected but returns the result reason Invalid Field instead of Invalid Message. Resolution: Fixed. The correct result reason is now returned. M DS Summary: The cipherspec priority command is not functional in the command line interface. Resolution: Fixed. Page 10 of 13

11 Severity Issue Synopsis L DS Summary: The Appliance Administration Guide states that the Disable Low Security Ciphers button for SSL cipher order disables RC4-SHA1 and RC4-MD5 ciphers. This button does not disable these ciphers. Resolution: The option is now obsolete with the current available SSL ciphers, as none of them are 64-bit or smaller. References to this option are removed from documentation. The option will be formally deprecated in the future. Known Issues Severity Issue Synopsis M DS Summary: Appliance Administration Guide and Command Line Interface Reference guide do not show how to view statistics for certificate sign request operations in the NAE-XML server. Workaround: NAE-XML statistics show CSR Create and Certificate Request Sign operations. To view these statistics in Management Console, navigate to Device >> Statistics >> NAE-XML Statistics. To view these statistics in the CLI, run the show statistics command. M DS Summary: Occasionally, an NAE-XML request to generate an RSA-4096 key on a KeySecure 250 fails with the result message Unknown server error. Workaround: Retry the key generation request one or more times until the key is successfully generated. M DS Summary: You cannot perform a backup via FTP. Workaround: Perform backups via SCP. M DS Summary: SNMP does not report statistics for the CSR creation and certificate request sign operations in the NAE-XML server. This means that the number of total operations reported sometimes appears to be higher than sum of the individual operations. The total is correct; it includes the unreported CSR creation and certificate request sign operations. Workaround: If the total operations reported in SNMP appears to be too high, verify NAE-XML server statistics in the CLI with the command show statistics or in the Management Console by navigating to the NAE-XML Statistics page (Device >> Statistics >> NAE-XML Statistics). M DS Summary: You cannot recreate or download a log signing certificate via Management Console. The Recreate Log Signing Cert and Download Log Signing Cert buttons are broken. Workaround: To recreate a log signing certificate, log into the CLI and run the command "recreate logsigning certificate <cert duration>". To download a log signing certificate, log into Management Console, navigate to the log configuration page (Device >> Log Configuration), select the desired log, and click View Log Signing Cert. Copy the content of the certificate and paste it manually in a text file. Page 11 of 13

12 Severity Issue Synopsis M DS Summary: You cannot upgrade a KeySecure 150 s software version via browser upload. Workaround: Use SCP to upgrade a KeySecure 150 s software version. M DS Summary: If you restore a backup file that includes a managed object with the same name as an existing object on the appliance, a warning appears that the backup object will overwrite the existing object. This is not true when the Only import new managed objects option is selected. In that case, restoring does not overwrite existing objects with the same name. Only new objects only on the backup file are imported. Workaround: If you want to preserve existing managed objects, select the Only import new managed objects option. Ignore the warning message. L DS Summary: The Appliance Administration Guide incorrectly states that RSA-4096 keys cannot be created in the NAE-XML interface. This is outdated information. Workaround: RSA-4096 keys can be generated in the NAE-XML interface via the KeyGenRequest tag. Specify KeySize of Product Documentation The following product documentation is associated with this release: KeySecure Appliance Administration Guide (PN: ) KeySecure Command Line Interface Reference Guide (PN: ) KeySecure XML Development Guide (PN: ) KeySecure VMWare Install Guide (PN: ) KeySecure AWS Install Guide (PN: ) We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product. Page 12 of 13

13 Technical Support Information If you have questions or need additional assistance, contact Technical Support through the listings below: Contact method Address Contact information SafeNet, Inc Millennium Drive Belcamp, Maryland USA Phone United States (800) , (410) Australia and New Zealand China (86) France Germany India United Kingdom , Web Support and Downloads Customer Connection Center Provides access to the SafeNet Knowledge Base and quick downloads for various products. Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base. Page 13 of 13