Customer Release Notes: KeySecure, Version 8.1.0 PN: 007-012896-001, Rev. A, Copyright © 2015 SafeNet, Inc., All rights reserved.

KeySecure CUSTOMER RELEASE NOTES

Version: 8.1.0

Issue Date: 2 February 2015

Document Part Number: 007-012896-001, Rev A

Contents

Product Description
    Key Management
    High Performance
    Broad Flexibility
    Robust Security
Release Description
    Supported SafeNet Client Platforms and Versions
    Supported Upgrade Paths
    Supported Migration Paths
New Features and Enhancements
    Format Preserving Encryption (FPE) Algorithm
    Certificate Signing Request Creation in XML Interface
    Additive Only Restore
    Known Hosts Validation for SCP Operations
    SCP Key Authentication for Backup and Restore
    Web Certificate Import
Advisory Notes
    Duplicate IP Address for Virtual Machines
    Port Parameters on Virtual Machines
    Initialization
    Certificate Authorities
    Group Permissions and Certificates
    Clock Synchronization
    Clustering, Backup, and Restore between Platforms
    Key Management and Crypto Operation Failure after Remote HSM Disconnection
    Best Practices for High Availability Ethernet Connections on 460 and 450
    Disable SSL 3.0
    Backup protocols
    Remote HSM Documentation
Hardware Advisory Note
    Dell iDRAC Interface
Resolved and Known Issues
    Issue Severity and Classification
    Resolved Issues
    Known Issues
Product Documentation
Technical Support Information


Product Description

By providing centralized management of keys, policies, and essential functions, KeySecure simplifies administration, helps ensure compliance, and maximizes security.

Key Management

KeySecure offers robust capabilities for managing cryptographic keys across their entire lifecycle, including key generation, key import and export, key rotation and much more. With KeySecure, all cryptographic keys are stored in a centralized, hardened appliance to simplify administration while ensuring tight security for the broadest array of data types.

High Performance

Even for large distributed enterprises that use multiple encryption solutions, keys can be centrally managed – without making any perceptible impact on system performance. In addition, customers can deploy multiple KeySecure appliances in a clustered configuration with real-time replication of keys, policies, and configuration information across multiple appliances - enabling complete disaster recovery and business continuity.

Broad Flexibility

KeySecure offers key management capabilities that can be integrated with virtually any commercial encryption product. Supported technologies include:

Luna SA HSM partitions and Luna PCI HSMs.

Application encryption, either software or hardware based.

Database encryption, including native database encryption.

Device encryption.

File and storage level encryption solutions.

KeySecure supports a wide range of open cryptographic standard interfaces, including PKCS #11, JCE, and .NET. KeySecure also supports the Key Management Interoperability Protocol (KMIP). Further, customers and partners can take advantage of KeySecure’s NAE-XML interface to develop their own custom software utilizing the enterprise key management functionality of KeySecure.

Robust Security

KeySecure offers a range of robust security features:

Capabilities for segregating administrative duties between different administrators.

Granular authorization capabilities that enable constraints to be placed on user operations based on specific key permissions.

Active alerting capabilities that inform administrators if attempts to breach protected data occur.

Secure key distribution through support of TLS.

Secure storage of key encryption keys on a Luna HSM card.


Release Description

KeySecure version 8.1.0 is a field upgrade release available on the KeySecure k460, KeySecure k450, KeySecure k250, KeySecure k150, DataSecure i460, DataSecure i450 and DataSecure i150 server hardware platforms. Virtual KeySecure 8.1.0 is available for download on VMWare and Amazon Web Services Marketplace.

Supported SafeNet Client Platforms and Versions

KeySecure version 8.1.0 supports the following SafeNet client platforms and versions.

Client Supported Version(s)

ProtectFile-Linux 8.1.0

ProtectFile-Windows 8.1.0

ProtectDB Oracle 8.1.0

ProtectDB SQL Server 8.1.0

ProtectDB DB2 8.1.0

ProtectApp-JCE 8.1.0

ProtectApp-.Net 8.1.0

ProtectApp-ICAPI 8.1.0

Tokenization Manager 8.1.0

StorageSecure, ProtectV and older versions of the above clients are expected to work with KeySecure 8.1. Use at your own risk.

CAUTION SafeNet recommends testing older versions of client platforms in a non-production environment to ensure proper functionality. Contact your Sales Representative or Sales Engineer for assistance in determining specific compatibility.

Supported Upgrade Paths

You can upgrade older versions of KeySecure and DataSecure software operating systems to KeySecure 8.1.0. If you upgrade a DataSecure, the Crypto License Pack and ProtectDB are enabled by default.

KeySecure 6.6.1 -> KeySecure 8.1.0

KeySecure 8.0.0 -> KeySecure 8.0.1 -> KeySecure 8.1.0

KeySecure 8.0.1 -> KeySecure 8.1.0

DataSecure 6.6.1 -> KeySecure 8.1.0 + Crypto License Pack

Supported Migration Paths

You can migrate keys from some older versions of KeySecure and DataSecure to KeySecure 8.1.0. If you migrate from a DataSecure, Crypto License Pack must first be enabled on the new appliance. You can migrate keys through backup and restore. To migrate through backup and restore, refer to the Backup and Restore chapter of the Appliance Administration Guide. The following migration paths are supported:

VMware:

From release -> To release

6.3.0 Virtual KeySecure -> 8.1.0 Virtual KeySecure

6.3.0 Virtual DataSecure -> 8.1.0 Virtual KeySecure + Crypto License Pack

8.0.1 Virtual KeySecure -> 8.1.0 Virtual KeySecure

AWS:

From release -> To release

7.1.0 Virtual KeySecure -> 8.1.0 Virtual KeySecure

8.0.1 Virtual KeySecure -> 8.1.0 Virtual KeySecure

Migration to 460 (R320) appliances:

From release -> To release

6.6.1 KeySecure k460, KeySecure k150 -> 8.1.0 KeySecure 460 (R320)

6.6.1 DataSecure i460, DataSecure i450, DataSecure i150 -> 8.1.0 KeySecure 460 (R320) + Crypto License Pack

Migration to 450 (R320) appliances:

From release -> To release

6.6.1 KeySecure k150 -> 8.1.0 KeySecure 450 (R320)

DataSecure i450, DataSecure i150 -> 8.1.0 KeySecure 450 (R320) + Crypto License Pack

Migration to 250 appliances:

From release -> To release

6.6.1 KeySecure k150 -> 8.1.0 KeySecure 250

6.6.1 DataSecure i150 -> 8.1.0 KeySecure 250 + Crypto License Pack

New Features and Enhancements

Format Preserving Encryption (FPE) Algorithm

Format Preserving Encryption (FPE) is an algorithm which preserves the length and format of plaintext after encryption into ciphertext. For example, if you use FPE to encrypt a data segment that is a 16 digit numerical value, the resulting ciphertext is also a 16 digit numerical value. In KeySecure, FPE uses existing AES keys to encrypt and decrypt. See the Supported Key Algorithms chapter of the XML Development Guide for more information about this algorithm.

Certificate Signing Request Creation in XML Interface

KeySecure now supports creating SSL Certificate Signing Requests in the XML interface in addition to the Management Console web interface. See the Certificate and CA Requests chapter in the XML Development Guide for information about these commands.

Additive Only Restore

This is a new option to only restore new managed objects (keys and managed object certificates) from a backup file. With this option enabled, if a managed object exists on both the appliance and the backup file, restoring does not overwrite the managed object already on the appliance.

Known Hosts Validation for SCP Operations

Known hosts validation is a new option whereby the appliance checks that a remote host attempting SCP transfer is on the known hosts list. This validation is an extra layer of security which protects against unauthorized connections, and is disabled by default. When known hosts validation is enabled, the validation is performed when SCP transfer is used for the following operations:

Backup and Restore

CRL export

CRL update

Importing a certificate as a managed object

Importing an SSL certificate

Importing a web certificate

Log transfer

Remote log rotation

Registering a Remote HSM or CloudHSM

Software license installation

Software upgrade

CAUTION If you attempt to perform SCP transfer to a remote host that is not on the known hosts list and known hosts validation is enabled, the transfer fails. After upgrade, we recommend adding any remote hosts in use for SCP transfer to the known host list, and then enabling known hosts validation. See the instructions below.

To set up known hosts validation after upgrade

1. Determine which remote hosts you would like to use for SCP transfer operations.

2. Obtain the remote hosts’ IP or hostname.

3. Navigate to the Known Hosts page (Device >> Known Hosts).


4. Add or import the remote hosts as described in the Known Hosts chapter in the Appliance Administration Guide.

5. In the Enable Known Hosts Validation section, click the Edit button.

6. Check the Enable Known Hosts Validation checkbox. Click Save.

7. If you want to make SCP connections to other remote hosts later, ensure that they are on the known hosts list before attempting SCP transfer.
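
The check that known hosts validation performs can be sketched as follows. This is an added example, not SafeNet code: it assumes the known hosts list uses the OpenSSH known_hosts line format and that a listed host must also present the listed key, and the host names, addresses and key blobs are constructed. The fingerprints() helper produces the values you would compare out of band before adding a host to the list.

```python
import base64
import hashlib
import hmac
import struct


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_blob(label: bytes) -> bytes:
    """CONSTRUCTED ssh-rsa blob: the layout is real, the key material is not."""
    modulus = b"\x00\x80" + hashlib.sha512(label).digest() * 4
    return ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)


def fingerprints(blob: bytes) -> tuple:
    """Return the (MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return md5_fp, "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")


def host_matches(pattern: str, host: str) -> bool:
    """Match a host field: plain comma-separated list or hashed |1|salt|hash."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in pattern.split(",")


def parse_known_hosts(text: str) -> list:
    """Return (host_pattern, key_type, key_blob) for every usable line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Blank lines, comments and @marker lines are outside this sketch.
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # malformed key data: treat the line as absent
        entries.append((fields[0], fields[1], blob))
    return entries


def validate_scp_target(host: str, presented_blob: bytes, known_hosts: str) -> str:
    """Decide whether an SCP transfer to `host` may proceed."""
    host_listed = False
    for pattern, _key_type, blob in parse_known_hosts(known_hosts):
        if not host_matches(pattern, host):
            continue
        host_listed = True
        if hmac.compare_digest(blob, presented_blob):
            return "allow"
    if host_listed:
        return "deny: host key mismatch"
    return "deny: host not on known hosts list"


# Constructed sample data (documentation addresses, made-up host names).
BACKUP_KEY = constructed_rsa_blob(b"backup-host")
LOG_KEY = constructed_rsa_blob(b"log-host")
SALT = hashlib.sha1(b"constructed salt").digest()
HASHED_HOST = "|1|{}|{}".format(
    b64(SALT), b64(hmac.new(SALT, b"logs.example.internal", hashlib.sha1).digest()))
KNOWN_HOSTS = "\n".join([
    "# constructed known hosts list",
    "backup.example.internal,192.0.2.10 ssh-rsa " + b64(BACKUP_KEY) + " backup",
    HASHED_HOST + " ssh-rsa " + b64(LOG_KEY),
])

if __name__ == "__main__":
    print(fingerprints(BACKUP_KEY))
    print(validate_scp_target("192.0.2.10", BACKUP_KEY, KNOWN_HOSTS))
    print(validate_scp_target("198.51.100.7", BACKUP_KEY, KNOWN_HOSTS))
```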

SCP Key Authentication for Backup and Restore

You can now configure KeySecure to use key authentication instead of password authentication when performing an SCP transfer for backup, restore, or importing a web admin certificate. See the SSH Public Key chapter of the Appliance Administration Guide for configuration steps.

Web Certificate Import

KeySecure now supports importing your own web certificate for authentication during user logins to the Management Console web interface.

The KeySecure generates its own self-signed Web Admin certificate during basic configuration. By default, this certificate is used for authentication whenever a user logs into the Management Console web interface. You can import your own web certificate using FTP, SCP password authentication, or SCP key authentication. If you want to use the SCP key authentication method, you must first perform some configuration. If you want to use FTP transfer or SCP password authentication, go directly to the procedure for importing the web certificate.

To perform the required configuration for SCP key authentication

1. Log into the command line interface. You can connect directly at the serial console or remotely using SSH on TCP port 22.

2. Compare the presented RSA or DSA key fingerprint with the corresponding key fingerprint displayed during basic configuration.

3. Type config to enter configure mode.

4. Type display sshkey to display the KeySecure's public SSH key.

5. Copy the key to your remote host's authorized_keys file.

To import the web certificate

1. Log into the command line interface if you have not already. You can connect directly at the serial console or remotely using SSH on TCP port 22.

2. If this is your first login, compare the presented RSA or DSA key fingerprint with the corresponding key fingerprint displayed during basic configuration.

3. Type config to enter configure mode.

4. Type import webadmin certificate to import the certificate.

5. Select the transfer method: FTP, SCP password authentication, or SCP key authentication.

6. Enter the source host, username, password, source filename, and certificate password, if applicable.

The KeySecure imports the certificate.

7. Log into the Management Console web interface at https://[IP-address]:9443 (assuming you set the 9443 default as the port for web administration). Use the default username admin and the password you set during basic configuration.

The browser presents the imported web admin certificate.


Advisory Notes

Duplicate IP Address for Virtual Machines

When installing the KeySecure virtual machine, the system does not check to see if the IP Address you enter for the new virtual machine already exists. Be sure to choose an IP Address that is not already in use.

Port Parameters on Virtual Machines

The virtual machine products do not support querying and setting Ethernet port parameters from either the Management Console or the command line interface.

Initialization

After initializing the KeySecure, the command line prompt instructs you to press Return to continue. If you do not press Return and end the console connection before seeing the login prompt, you will not be able to establish a new console connection until you reboot the KeySecure.

Certificate Authorities

Certificate Authority (CA) certificates must be revoked individually. Chain revocation is not supported for Certificate Authority Certificates. If a CA certificate is revoked, the certificates signed by the CA certificate are not automatically revoked.

Before installing a known CA, consult the list of CAs on the KeySecure. Do not install duplicates. Installing a known CA certificate more than once on a KeySecure can render, under some circumstances, the Certificate Revocation List (CRL) information unreliable for that CA. In such cases, a certificate that was revoked by that CA actually appears as active.

Back up Local CAs after using them to issue certificates to avoid disrupting CRL operations. CAs issue serial numbers to the certificates they sign. Local CAs use a seed value to determine the serial number. Each time a certificate is signed, the seed value is incremented by one. If you back up a local CA with seed value x, and continue to issue certificates with that CA, the seed value becomes x + n, where n is the number of certificates signed by that local CA since the backup was created. If you then restore the backup, the seed value for the local CA will revert to x. After this restore, the local CA can possibly issue existing serial numbers to new certificates. Identical serial numbers on multiple certificates will interfere with CRL operations.
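
The seed rollback described above can be reproduced with a small simulation. This is an added example, not SafeNet code: the LocalCA class, the seed value 100 and the subject names are constructed, and the CRL is modelled as the set of serial numbers already published to relying parties.

```python
from collections import defaultdict

ISSUER = "Constructed Local CA"  # hypothetical issuer name


class LocalCA:
    """Toy local CA: each signature uses the seed as serial, then increments it."""

    def __init__(self, seed: int):
        self.seed = seed

    def sign(self, subject: str) -> dict:
        cert = {"issuer": ISSUER, "serial": self.seed, "subject": subject}
        self.seed += 1
        return cert

    def backup(self) -> dict:
        return {"seed": self.seed}

    def restore(self, snapshot: dict) -> None:
        self.seed = snapshot["seed"]


def serial_collisions(certs: list) -> dict:
    """Return {serial: [subjects]} for every (issuer, serial) used more than once."""
    groups = defaultdict(list)
    for cert in certs:
        groups[(cert["issuer"], cert["serial"])].append(cert["subject"])
    return {key[1]: subs for key, subs in groups.items() if len(subs) > 1}


def crl_status(cert: dict, crl_serials: set) -> str:
    """A CRL entry identifies a certificate by serial number only."""
    return "revoked" if cert["serial"] in crl_serials else "good"


def run_scenario(backup_after_issuing: bool) -> dict:
    ca = LocalCA(seed=100)                      # x = 100
    early = ca.backup()                         # backup taken at seed x
    deployed = [ca.sign(s) for s in ("app1", "app2", "app3")]   # n = 3
    crl = {deployed[1]["serial"]}               # app2 revoked: CRL lists 101
    late = ca.backup()                          # backup taken at seed x + n
    ca.restore(late if backup_after_issuing else early)
    new = [ca.sign(s) for s in ("app4", "app5")]
    deployed += new                             # old certificates are still in use
    return {
        "new_serials": [c["serial"] for c in new],
        "collisions": serial_collisions(deployed),
        "new_cert_status": {c["subject"]: crl_status(c, crl) for c in new},
    }


if __name__ == "__main__":
    print("restore of backup taken before issuing:", run_scenario(False))
    print("restore of backup taken after issuing: ", run_scenario(True))
```

Running serial_collisions over an inventory of issued certificates after any restore is a quick way to confirm that no serial number has been reused.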

Group Permissions and Certificates

Group permissions specified for groups of certificates do not have any effect.

Clock Synchronization

Synchronizing the time causes the Key Server to restart if the time change is greater than one minute. While restarting, the Key Server is unavailable for up to 60 seconds. For more information on time synchronization, see Chapter 5, “Date, Time and NTP” in the KeySecure Appliance Administration Guide.

Clustering, Backup, and Restore between Platforms

A virtual platform can only cluster with, backup to, or restore to another virtual platform. A physical platform can only cluster with, backup to, or restore to another physical platform. As the physical platform has a higher level of assurance than the virtual platform, clustering, backing up and restoring between the two platforms may compromise key and certificate security.


Key Management and Crypto Operation Failure after Remote HSM Disconnection

If a virtual KeySecure that has a remote HSM repeatedly fails key management and crypto operations, the remote HSM may have disconnected and reconnected. If you suspect this has happened, back up your keys as a test. If the backup does not contain any keys, the remote HSM has disconnected and reconnected. Log the crypto user out and then log the crypto user in. If the virtual KeySecure is in a cluster, manually synchronize the virtual KeySecure with the cluster.

Best Practices for High Availability Ethernet Connections on 460 and 450

If you enable High Availability on a KeySecure 460 or KeySecure 450, we recommend that you use only one Ethernet port for all appliance functions. If you assign an Ethernet port for High Availability, and one or more other ports for other functions, the Ethernet port designated for High Availability sometimes interferes with MAC address assignment and routing on the other Ethernet port(s).

Disable SSL 3.0

We strongly recommend disabling SSL 3.0 at all times, based on CVE-2014-3566. See the National Vulnerability Database for more details: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566. Ensure that your internet browser does not use SSL 3.0 before disabling SSL 3.0 on KeySecure. We recommend using TLS 1.2 if available on your Internet browser.

Backup protocols

Backup via FTP is not supported. This option will be deprecated in the future. We strongly recommend performing backups via SCP instead.

Remote HSM Documentation

All material referring to “AWS CloudHSM” in the Appliance Administration Guide and Command Line Interface Reference Guide also applies to Remote HSM for VMWare deployments. The VMWare Installation Guide contains a chapter with procedures to set up the Remote HSM feature.

Hardware Advisory Note

Dell iDRAC Interface

KeySecure appliances support the iDRAC interface from Dell. The appliances ship with the default username and password from Dell. The default username is root, and the default password is calvin. For detailed information, see the "iDRAC Configuration Utility" sections in the Dell PowerEdge R320 Systems Owner's Manual that is available at

http://downloads.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_poweredge/poweredge-r320_Owner%27s%20Manual_en-us.pdf

Separate and more complete documentation is available as part of the Integrated Dell Remote Access Controller User Guide.

Best Practice: Change the default password to disable or limit usage, if the iDRAC interface poses a challenge to IT policy.


Resolved and Known Issues

Issue Severity and Classification

The following table serves as a key to the severity and classification of the issues listed in the Resolved Issues table and the Known Issues table, which can be found in the sections that follow.

Severity Classification Definition

C Critical No reasonable workaround exists

H High Reasonable workaround exists

M Medium Medium-level priority problems

L Low Low-level priority problems

Resolved Issues

Severity Issue Synopsis

M DS-39863 Summary: On the High Security page (Security >> High Security), the Security Settings Configured Elsewhere only displays TLS 1.0, not TLS 1.1 or TLS 1.2. In addition, some warnings reference older internet browsers not supporting TLS 1.0. These are display issues in Management Console; all references to TLS 1.0 include TLS 1.1 and TLS 1.2 as well.
Resolution: Fixed.

M DS-39846 Summary: You cannot query certificates using Object Name, Common Name, or Issuer Name.
Resolution: Fixed.

M DS-39841 Summary: After scheduling a device backup with all keys selected, the Automated Remote Backup Schedule page displays “Managed Objects: None” but all managed objects selected for backup are still backed up. After the restore takes place, all managed objects are still available.
Resolution: Fixed. The Automated Remote Backup Schedule page displays “Managed Objects: All” in this case.

M DS-39701 Summary: Deleting the read-only attribute Compromise Date fails as intended, but returns the result reason “Illegal operation” instead of “Permission Denied.”
Resolution: Fixed. The correct result reason is now returned.

M DS-39695 Summary: Creating a key pair without providing any payload fails as expected but returns the result reason “Invalid Field” instead of “Invalid Message.”
Resolution: Fixed. The correct result reason is now returned.

M DS-34552 Summary: The cipherspec priority command is not functional in the command line interface.
Resolution: Fixed.


L DS-39715 Summary: The Appliance Administration Guide states that the Disable Low Security Ciphers button for SSL cipher order disables RC4-SHA1 and RC4-MD5 ciphers. This button does not disable these ciphers.
Resolution: The option is now obsolete with the current available SSL ciphers, as none of them are 64-bit or smaller. References to this option are removed from documentation. The option will be formally deprecated in the future.

Known Issues

Severity Issue Synopsis

M DS-41037 Summary: The Appliance Administration Guide and Command Line Interface Reference Guide do not show how to view statistics for certificate sign request operations in the NAE-XML server.
Workaround: NAE-XML statistics show CSR Create and Certificate Request Sign operations. To view these statistics in Management Console, navigate to Device >> Statistics >> NAE-XML Statistics. To view these statistics in the CLI, run the show statistics command.

M DS-41035 Summary: Occasionally, an NAE-XML request to generate an RSA-4096 key on a KeySecure 250 fails with the result message “Unknown server error.”
Workaround: Retry the key generation request one or more times until the key is successfully generated.

M DS-41034 Summary: You cannot perform a backup via FTP.
Workaround: Perform backups via SCP.

M DS-41030 Summary: SNMP does not report statistics for the CSR creation and certificate request sign operations in the NAE-XML server. This means that the number of total operations reported sometimes appears to be higher than the sum of the individual operations. The total is correct; it includes the unreported CSR creation and certificate request sign operations.
Workaround: If the total operations reported in SNMP appear to be too high, verify NAE-XML server statistics in the CLI with the command “show statistics” or in the Management Console by navigating to the NAE-XML Statistics page (Device >> Statistics >> NAE-XML Statistics).

M DS-40501 Summary: You cannot recreate or download a log signing certificate via Management Console. The “Recreate Log Signing Cert” and “Download Log Signing Cert” buttons are broken.
Workaround: To recreate a log signing certificate, log into the CLI and run the command "recreate logsigning certificate <cert duration>".
To download a log signing certificate, log into Management Console, navigate to the log configuration page (Device >> Log Configuration), select the desired log, and click View Log Signing Cert. Copy the content of the certificate and paste it manually in a text file.


M DS-40459 Summary: You cannot upgrade a KeySecure 150’s software version via browser upload.
Workaround: Use SCP to upgrade a KeySecure 150’s software version.

M DS-40091 Summary: If you restore a backup file that includes a managed object with the same name as an existing object on the appliance, a warning appears that the backup object will overwrite the existing object. This is not true when the “Only import new managed objects” option is selected. In that case, restoring does not overwrite existing objects with the same name. Only new objects in the backup file are imported.
Workaround: If you want to preserve existing managed objects, select the “Only import new managed objects” option. Ignore the warning message.

L DS-41033 Summary: The Appliance Administration Guide incorrectly states that RSA-4096 keys cannot be created in the NAE-XML interface. This is outdated information.
Workaround: RSA-4096 keys can be generated in the NAE-XML interface via the KeyGenRequest tag. Specify KeySize of 4096.

Product Documentation

The following product documentation is associated with this release:

KeySecure Appliance Administration Guide (PN: 007-012893-001)

KeySecure Command Line Interface Reference Guide (PN: 007-012895-001)

KeySecure XML Development Guide (PN: 007-012894-001)

KeySecure VMWare Install Guide (PN: 007-012897-001)

KeySecure AWS Install Guide (PN: 007-012898-001)

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.


Technical Support Information

If you have questions or need additional assistance, contact Technical Support through the listings below:

Contact method              Contact information

Address                     SafeNet, Inc.
                            4690 Millennium Drive
                            Belcamp, Maryland 21017
                            USA

Phone                       United States: (800) 545-6608, (410) 931-7520
                            Australia and New Zealand: +1 410-931-7520
                            China: (86) 10 8851 9191
                            France: 0825 341000
                            Germany: 01803 7246269
                            India: +1 410-931-7520
                            United Kingdom: 0870 7529200, +1 410 931-7520

Web                         http://www.safenet-inc.com

Support and Downloads       http://www.safenet-inc.com/Support
                            Provides access to the SafeNet Knowledge Base and quick downloads for various products.

Customer Connection Center  https://serviceportal.safenet-inc.com
                            Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.

