CipherTrust Manager is the center of the CipherTrust Data Security Platform. It is the central point for managing configuration, policy, and key material for data discovery, encryption, and on-premises and cloud-based use cases. It succeeds both the Thales eSecurity (formerly Vormetric) Data Security Manager (DSM) and the Gemalto (formerly SafeNet) KeySecure platforms.
|Product||Abbreviation|
|CipherTrust Batch Data Transformation||BDT|
|CipherTrust Application Data Protection||CADP|
|CipherTrust Cloud Key Manager||CCKM|
|CipherTrust Database Protection (formerly known as ProtectDB)||CDP|
|CipherTrust Transparent Encryption||CTE|
|CipherTrust Transparent Encryption UserSpace (formerly known as ProtectFile FUSE)||CTE UserSpace|
|CipherTrust Teradata Protection||CTP|
|Data Protection on Demand||DPoD|
|CipherTrust Vaulted Tokenization||CT-V|
|CipherTrust Vaultless Tokenization||CT-VL|
CipherTrust Data Discovery and Classification (DDC) is unavailable for this release while we continuously improve its quality and add new features. DDC is available in CipherTrust Manager versions 2.2 and earlier, and will be returning later this year.
This release is available on the Customer Support Portal in the following formats:
An upgrade file for physical k570 and k470 CipherTrust Manager devices, and existing k170v Virtual CipherTrust Manager instances.
An upgrade file for KeySecure Classic k450 and k460 devices.
An OVA image file for deploying a new Virtual CipherTrust Manager on VMware vSphere or Nutanix AHV.
A VHDX image file for deploying a new Virtual CipherTrust Manager on Microsoft Hyper-V.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on OpenStack.
In addition, 2.3.0 Virtual CipherTrust Manager is available on the following public clouds:
Amazon Web Services: SafeNet Cloud Provisioning System
Microsoft Azure: Available as a BYOL image in the Microsoft Azure Marketplace
IBM Cloud (anticipated availability June 1st)
An OVA image file for deploying a new Virtual CipherTrust Manager on IBM Cloud VMware.
A QCOW2 image file for deploying a new Virtual CipherTrust Manager on IBM Cloud Virtual Private Cloud (VPC) Gen2.
2.3.0 contains a number of new features and enhancements. Refer to Release 2.3.0 for details. For the list of known issues, refer to Known Issues.
Features and Enhancements
Ability to configure the CipherTrust Manager with user-specified port.
Ability to configure IBM Cloud Hyper Protect Crypto Services (HPCS) HSM as a root of trust.
CipherTrust Manager images available on IBM Cloud (anticipated date June 1st):
A compatible OVA image to run in IBM Cloud VMware.
A compatible QCOW2 image to run in IBM Cloud VPC Gen2.
New Trusted Cyber Technologies (TCT) CipherTrust k570 appliance available. This appliance uses an embedded TCT Luna PCIe HSM.
Performance enhancements for user/client authentication.
OVA image is now directly deployable in VMware ESXi 6.5 and above, without a decompression step.
Support for rotation of the Master Key Encryption Key (MKEK).
Ability to customize TLS ciphers for NAE/REST/KMIP ports.
Support for migration of KMIP managed objects from a Data Security Manager (DSM) to a CipherTrust Manager using the Client Utility (kmip-migration-utility-linux-amd64).
Ability to configure SMTP over TCP. CipherTrust Manager now supports both TLS and plain TCP SMTP connections; the default is TLS. A plain TCP connection sends SMTP credentials and message content unencrypted, so keep the TLS default unless the mail relay is reached only over a trusted network.
Support for multi-domain Syslog server. Now, you can redirect Syslog messages of the current domain to the Syslog server configured in its parent domain.
Ability to configure system proxy. Now, you can set up HTTP proxy values through the GUI, CLI, and REST API.
Ability to download activity logs (NAE, KMIP).
Connection manager is updated to add support for DSM as a key source.
Ability to manage CIFS credentials for LDT over CIFS support in CTE. Credentials for CIFS/SMB file shares can be added to the connection manager; they are required to access files on a CIFS/SMB share.
Ability to enable disabled capabilities (COS and LDT) during re-registration of clients.
Ability to create all types of supported GuardPoints when adding clients manually.
Ability to download and delete the Kernel Compatibility matrix.
Support for HDFS client groups.
Support for LDT GuardPoints on CIFS/SMB paths on a single node.
GUI for the CTE reports.
Splunk app for CTE log monitoring.
Support for Data Security Manager (DSM) as a key source.
Support for uploading keys to the AWS China cloud using the GUI.
AWS China cloud does not support creation of native asymmetric keys.
Support for restoring key backup to a different Azure key vault using the GUI.
New technical preview feature: Integration with Google Cloud External Key Manager (EKM) Service. CipherTrust Manager stores key encryption keys (KEKs) for use as wrapping keys for Google Cloud services, including BigQuery and Compute Engine. This feature is available in 2.3 for evaluation in non-production environments.
We cannot guarantee that EKM endpoint data will be retained when upgrading from the technical preview release to the full GA release.
Support for registration of CTE UserSpace clients with the CipherTrust Manager on user-specified REST ports.
Ability to skip encryption of existing files in the directory being migrated.
When configured, the existing files are skipped during encryption, and no encryption rule is applied to them. After migration, new files created in or moved to the migrated directory are encrypted and protected with the applied access policy.
These features will be available with the CTE UserSpace 9.2 release.
Support for registration of ProtectFile clients with the CipherTrust Manager on user-specified REST ports.
Support for configuration of Syslog servers using hostnames. Now, you can configure a Syslog server using either the IP address or hostname in the linked client profile.
This table lists the issues resolved in 2.3.0.
|KY-27366, KY-27361||If a connection to the KMIP or NAE interface is left idle for more than 24 hours, client authentication fails. The following error message is logged: |
|KY-26914||External CAs do not allow you to use a comma |
Resolution: You can now use a backslash
|KY-26761||Upgrade to CipherTrust Manager 2.2.0 can sometimes cause login to fail for LDAP-authenticated users with the error "Ambiguous result, multiple users found using search filter." when group mapping is configured.|
|KY-25517||If you attempt to delete a certificate in the GUI, you are erroneously presented with a confirmation to delete the Certificate Authority (CA). Deleting a certificate and deleting a CA are two different operations. |
Note: Confirm deletion of the CA to proceed with deleting the certificate. This action does not actually delete a CA.
|KY-25395||NTP servers configured through DHCP overwrite local CipherTrust Manager NTP server configuration.|
|KY-24645||If you attempt to create a domain-scoped backup when any keys are in a "Destroyed" state, the backup fails.|
|KY-24503||CTE UserSpace license does not renew expired ProtectFile licenses.|
|KY-24292||Performance of crypto operations through the NAE-XML interface degrades over a long, continuous run (upwards of 6 hours).|
|KY-24102||Client can authenticate with expired password if the CipherTrust Manager is not restarted.|
|KY-23791||UI: Not all Azure Key Vaults are displayed when updating the Azure scheduler.|
|KY-23790||UI: Not all AWS KMS accounts are displayed when updating the AWS scheduler.|
|KY-23732||CCKM users cannot delete a key backup even when granted the "Delete Key Backup" permission on the Azure key vault.|
|KY-23664||If you join a node into a cluster and then restart the joining node, you cannot list or access any backup keys on that node. Attempting to upload an existing backup key in this state results in |
|KY-23623||If you restore a previous version and then attempt to create a new cluster on the local node using the |
|KY-23569||Hadoop network connectivity issues cause ongoing DDC scans to fail.|
DDC performs a connectivity test to PQS every minute, which can cause scan failures.
Note that even though the scans are marked as FAILED, they in fact continue running and consume the Data Allowance.
|KY-23289||Luna HSM Connection Manager: Downloaded client certificate file is named incorrectly as, |
|KY-23056||HSM UI: Recently created Luna HSM keys are not visible.|
|KY-22668||NAE and KMIP crypto operation performance degrades under high CPU and memory utilization.|
|KY-22641||NAE: State changes of a key are not updated on the NAE tab.|
|KY-22639||NAE: State of an Active key is displayed as |
|KY-22569||Incorrect activation date and key state are set for pre-active keys after they are migrated from KeySecure Classic to the CipherTrust Manager.|
This section highlights important issues you should be aware of before deploying the CipherTrust Manager. There is also a full list of known issues associated with the release.
CipherTrust Data Discovery and Classification Unavailable for this Release
CipherTrust Data Discovery and Classification (DDC) is unavailable in the CipherTrust Manager web console, CLI, and REST API for this release while we continuously improve its quality and add new features. DDC is available in CipherTrust Manager versions 2.2 and earlier, and will be returning later this year.
System Upgrade and Downgrade Supported Releases
System upgrades have been tested from releases 2.0.0, 2.1.0, and 2.2.0.
Upgrades from other versions have not been tested and may not work correctly.
CipherTrust Manager 2.3.0 can be downgraded to 2.2.0. For release-specific upgrade/downgrade information, refer to the release notes for your release.
Refer to the System Upgrade page for instructions to perform an upgrade or downgrade on a single device.
Refer to the Cluster Upgrade section for instructions to perform an upgrade on a cluster of devices.
Restoring a backup from release 1.5.0 or later is supported; however, restoring a newer backup to an older version is never supported.
SSH Key Fingerprint Change After Upgrade
Upgrading to 2.3 adds a new SSH server host key that uses the stronger ED25519 algorithm alongside the existing RSA key. If you upgrade the CipherTrust Manager and then SSH to the appliance as ksadmin, your client may warn that the host key fingerprint has changed. The change itself is expected and is not by itself evidence of a compromised or impersonated appliance. Do not, however, accept the new key blindly: the same warning is exactly what a man-in-the-middle would produce.
To verify the presented fingerprint before accepting it, log in to the console through a serial cable (for physical appliances) or your virtual platform's console access tools. The console displays all of the SSH host key fingerprints; accept the new key in your client only when the fingerprint in the warning matches one of them.
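The following Python script is an added example written for this note; it is not part of the release notes or of the CipherTrust Manager software. It parses the host key line your SSH client sees (an OpenSSH public key line or a known_hosts entry), checks that the blob is a well-formed ssh-ed25519 key whose declared type matches its contents, and computes the SHA256 and MD5 fingerprints in the formats ssh-keygen -lf prints, so the value in the client's warning can be compared with the fingerprints shown on the console. The sample key inside it is constructed (32 sequential bytes, not a real key), and the hostname and comment strings are placeholders.

```python
"""Verify an SSH host key fingerprint the way ssh-keygen -lf reports it.

Added example for this note; not part of the CipherTrust Manager software.
"""
import base64
import hashlib
import struct

# Key types that can appear in an OpenSSH public key line or known_hosts entry.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _read_string(buf):
    """Read one RFC 4251 'string' (uint32 big-endian length prefix) from buf."""
    if len(buf) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[:4])
    if len(buf) < 4 + n:
        raise ValueError("truncated key blob")
    return buf[4:4 + n], buf[4 + n:]


def parse_pubkey_line(line):
    """Return (key_type, blob) for 'type base64 [comment]' or 'host type base64 [comment]'.

    Raises ValueError when the line is malformed or the key type declared in
    text differs from the type embedded in the blob (the same consistency
    check ssh-keygen performs).
    """
    fields = line.split()
    if len(fields) >= 2 and fields[0] in KEY_TYPES:
        key_type, b64 = fields[0], fields[1]
    elif len(fields) >= 3 and fields[1] in KEY_TYPES:
        key_type, b64 = fields[1], fields[2]          # known_hosts form
    else:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(b64, validate=True)       # binascii.Error is a ValueError
    embedded_type, _ = _read_string(blob)
    if embedded_type != key_type.encode():
        raise ValueError("declared type %s does not match blob" % key_type)
    return key_type, blob


def is_well_formed(line):
    """True when parse_pubkey_line() accepts the line."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def ed25519_public_point(blob):
    """Return the 32-byte public key from an ssh-ed25519 blob (RFC 8709 format)."""
    key_type, rest = _read_string(blob)
    if key_type != b"ssh-ed25519":
        raise ValueError("not an ssh-ed25519 key")
    point, rest = _read_string(rest)
    if len(point) != 32 or rest:
        raise ValueError("malformed ssh-ed25519 key")
    return point


def fingerprint_sha256(blob):
    """SHA256 fingerprint as OpenSSH prints it: base64 with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy MD5 fingerprint as 'ssh-keygen -l -E md5' prints it."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(line, console_fingerprint):
    """True only if the key in line has exactly the fingerprint shown on the console."""
    try:
        _, blob = parse_pubkey_line(line)
    except ValueError:
        return False
    wanted = console_fingerprint.strip()
    return wanted in (fingerprint_sha256(blob), fingerprint_md5(blob))


# Constructed sample: 32 sequential bytes standing in for a public key (NOT a
# real key), wrapped in the ssh-ed25519 wire format a real key line uses.
SAMPLE_POINT = bytes(range(32))
_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519" +
         struct.pack(">I", 32) + SAMPLE_POINT)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " ksadmin@cm-example"

if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
```

To use it against a real appliance, feed host_key_matches() the ssh-ed25519 line from `ssh-keyscan -t ed25519 <appliance>` (or the entry in your known_hosts file) together with the fingerprint read from the console; only when it returns True should you remove the stale entry with `ssh-keygen -R <appliance>` and reconnect.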
Default TLS Setting Can Cause Loss of KMIP/NAE/Web Connection After Upgrade
The 2.3 release changes the TLS ciphersuites accepted on the KMIP, NAE, and web interfaces. After an upgrade, the ciphersuites your existing clients negotiate might no longer be among the 2.3 defaults, and those clients lose their connection to the interface. CBC-based ciphersuites, for example, are disabled upon upgrade to 2.3.
For security reasons, we recommend that before you upgrade you confirm that every client of your KMIP, NAE, and web interfaces can negotiate one of the 2.3 default TLS ciphersuites.
If you cannot change the ciphersuites offered by a client, plan for some downtime for the affected interface(s) after the upgrade. After the upgrade, you can manually re-enable the previous ciphersuites on the interface to restore the connection; treat this as a temporary measure, because it reinstates the weaker suites that the new defaults removed.
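The following Python snippet is an added example, not part of the release notes or of any Thales client; it shows one way to check a client's OpenSSL cipher string before the upgrade. It expands the string with Python's ssl module, flags every suite that is not an AEAD suite (the category the CBC-based suites fall into) or is only usable below TLS 1.2, and builds a client context that offers only AEAD suites with TLS 1.2 as the floor. The legacy cipher string and the AEAD-only cipher string in it are assumptions for illustration, not CipherTrust Manager defaults; the authoritative 2.3 default list is in the compatibility section of this release.

```python
"""Audit a client's OpenSSL cipher string before a CipherTrust Manager 2.3 upgrade.

Added example for this note; not part of the release notes or of any Thales client.
"""
import ssl

# Placeholder cipher string for a legacy client (assumption for illustration;
# take the real value from the client's own configuration).
LEGACY_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"

# AEAD-only string used for the hardened client context. It is an assumption
# that matches the upgrade note (no CBC suites), not the 2.3 default list.
AEAD_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"

MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def expand_cipher_string(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, as get_ciphers() dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)      # raises ssl.SSLError if no suite matches
    return ctx.get_ciphers()


def audit_suites(suites):
    """Split get_ciphers()-style dicts into (accepted names, flagged tuples).

    A suite is flagged when it is not AEAD (CBC mode with a separate MAC, the
    category the 2.3 defaults drop) or is only usable below TLS 1.2.
    """
    accepted, flagged = [], []
    for suite in suites:
        modern = suite.get("protocol") in MODERN_PROTOCOLS
        if suite.get("aead") and modern:
            accepted.append(suite["name"])
        else:
            flagged.append((suite["name"], suite.get("symmetric"), suite.get("protocol")))
    return accepted, flagged


def audit_cipher_string(cipher_string):
    """Expand and audit a cipher string; returns (accepted, flagged)."""
    return audit_suites(expand_cipher_string(cipher_string))


def strict_client_context(cafile=None):
    """Client context that offers only AEAD suites and refuses TLS below 1.2.

    PROTOCOL_TLS_CLIENT already enables certificate and hostname verification;
    cafile should be the CA that issued the interface certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AEAD_ONLY_CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def context_is_strict(ctx):
    """True when ctx floors at TLS 1.2 and every suite it offers is AEAD."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_2
            and audit_suites(ctx.get_ciphers())[1] == [])


if __name__ == "__main__":
    accepted, flagged = audit_cipher_string(LEGACY_CLIENT_CIPHERS)
    print("accepted:", accepted)
    for name, symmetric, protocol in flagged:
        print("flagged:", name, symmetric, protocol)
```

The flagged list is what needs attention before the upgrade; a client whose only usable suites appear there will lose its connection once the 2.3 defaults take effect.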
Clusters with a Large Number of Transactions
Clusters that support a large number of transactions should have local audit-record storage disabled, with audit logs captured only through syslog. This significantly reduces cluster-wide traffic and disk usage. It is a cluster-wide setting and needs to be set on only one node in the cluster. Use the ksctl properties command to disable local audit logging.
To disable local audit logging, set the property ENABLE_RECORDS_DB_STORE to false using the ksctl command:
$ ksctl properties modify -n ENABLE_RECORDS_DB_STORE -p false
If a syslog server is configured, audit logs are still sent to it. Because the syslog destination then holds the only copy of the audit trail, confirm that syslog delivery is working before you disable local storage.
Correct cluster synchronization relies on all nodes in a cluster having the same time. It is strongly advised to use NTP to set the time in a new node before it joins a cluster. NTP settings are not copied between nodes - they must be set individually for each CipherTrust Manager server.
Protect the ksadmin Private SSH Key
The private SSH key for the ksadmin account is critical to system security and must be carefully protected. Failure to do so could allow an attacker to compromise the system.
TLS/SSL Must be Enabled in a Production System
Because it can be useful for troubleshooting, it is possible to disable TLS/SSL on the NAE interface. Doing so sends NAE traffic in cleartext over the network, including client credentials, the data submitted for encryption or decryption, and any keys exported to clients. TLS/SSL must therefore always be enabled on a production system.
This section documents known compatibility topics to be considered before deploying the CipherTrust Manager.
This table identifies the supported TLS versions for each of the CipherTrust Manager interfaces. The default minimum value reflects the default minimum_tls_version setting, which controls the lowest TLS version accepted for connections to the interface.
|Interface||Minimum TLS version||Maximum TLS version||Default Minimum TLS version|
|Web UI||TLS 1.2||TLS 1.3||TLS 1.2|
|NAE||TLS 1.0||TLS 1.3||TLS 1.2|
|KMIP||TLS 1.0||TLS 1.3||TLS 1.2|
TLS 1.0 and TLS 1.1 support will be discontinued in a future release.
By default, CipherTrust Manager accepts the following ciphersuites for TLS 1.2+ connections:
TLS Deprecation Notices
Use of TLS 1.0 and 1.1 protocols is deprecated. This support will be discontinued in a future release. Upgrade all applications connecting to CipherTrust Manager interfaces to TLS 1.2 or higher as soon as feasible.
Use of the following CBC-based ciphersuites is deprecated, and support will be discontinued in a future release:
The following client Platforms are supported by the CipherTrust Manager.
Older versions of most client platforms (versions earlier than the minimum versions listed below) may have incompatible TLS clients. We recommend testing older versions of client platforms in a non-production environment to ensure proper functionality.
For the purpose of transitioning from SafeNet KeySecure Classic, you can temporarily connect to CipherTrust Manager with TLS/SSL disabled on the CipherTrust Manager NAE interface; however, this is recommended only in a non-production environment.
CipherTrust Application Data Protection
ProtectApp JCE: minimum version 8.6.1
ProtectApp .NET: minimum version 8.11.0
ProtectApp ICAPI: minimum version 8.10.0
ProtectApp Oracle TDE: minimum version 8.9.0
ProtectApp SQL EKM: minimum version 8.3.2
CipherTrust Cloud Key Manager
Minimum version 220.127.116.1132
CipherTrust Database Protection
ProtectDB Oracle: minimum version 8.8.0
ProtectDB SQL: minimum version 8.9.0
ProtectDB DB2: minimum version 8.7.0
Transformation Utility: minimum version 8.4.3
CipherTrust Transparent Encryption
Minimum version 7.0.0
CipherTrust Transparent Encryption UserSpace
Minimum version 9.0.0
CipherTrust Vaulted Tokenization
Tokenization Manager: minimum version 8.7.1
Vaultless Tokenization Manager: minimum version 8.8.0
CipherTrust Batch Data Transformation
Minimum version 18.104.22.16816
CipherTrust Vaultless Tokenization
Minimum version 22.214.171.124
CipherTrust Teradata Protection
Minimum version 126.96.36.199
Minimum version 8.10.11
Minimum version 4.7.3
This section lists the issues known to exist in the product at the time of release.
|KY-40418||Problem: After migrating local CAs from KeySecure to CipherTrust Manager, the connection between a KMIP client and CipherTrust Manager cannot be established. The same issue also occurs when there is a serial number conflict in external CAs.|
Workaround: Add the migrated local CA as an external CA on the CipherTrust Manager.
|KY-19730||The CipherTrust Manager registers duplicate clients with KMIP auto registration enabled.|
|KY-29416||Problem: The UI displays a warning popup when the number of used licenses exceeds 95% of the allowed amount and an error popup when it reaches 100%. It should only display an error when the number of used licenses exceeds the allowed amount. |
Workaround: The message does not affect any functionality and can be safely disregarded.
|KY-28934||Problem: Upgrading from 2.1 or earlier causes existing LDAP group maps to no longer apply. Users lose membership in groups that are LDAP mapped. |
Workaround: Modify the LDAP connection by setting the
Details: We recommend to leave the
Prior to CipherTrust Manager 2.2, LDAP connections ignored the
For example, if a user's LDAP entry has
|KY-28226||A system with multiple network interfaces may swap device names and MAC addresses between boots. For example, eth0 has MAC address a8:a1:59:0a:f5:01 and eth1 has MAC address a8:a1:59:0a:f5:02. On the next boot, eth0 has MAC address a8:a1:59:0a:f5:02 and eth1 has MAC address a8:a1:59:0a:f5:01. |
Workaround: Create or modify a NetworkManager connection profile to remove the network interface name and specify a MAC address so the connection follows the hardware MAC address instead of the kernel's name which may change under certain circumstances.
Example that creates a new connection that follows the MAC address using DHCP:
Example that modifies an existing connection "cluster" so it removes the interface name and follows the MAC address instead:
|KY-28221||If CipherTrust Manager loses connection to its root of trust HSM, no alarm is raised and nothing is recorded in syslog. Because of this, if you reboot the CipherTrust Manager or restart its services while the HSM is unreachable, all CipherTrust Manager services become unavailable. |
Workaround: If you notice that CipherTrust Manager services are unavailable, examine the network connectivity to the HSM and resolve any issues. Once connectivity is restored, CipherTrust Manager detects the HSM and restarts its services automatically. Because the CipherTrust Manager itself does not alert on the lost connection, monitor HSM reachability from outside the appliance so that an outage is noticed before the next restart.
|KY-28010||Internal server error occurs when creating GuardPoints with a resource set of the type "classification".|
Workaround: Use resources of the type "directory". Resources of the "classification" type will be supported with DDC in a future release.
|KY-27984||The PQS Services page does not fetch resource information on the CipherTrust Manager GUI.|
The PQS service will be available with DDC in a future release.
|KY-27889||If you upgrade from 2.2 to 2.3, an error is displayed: |
Workaround: SSH access to the appliance is unaffected. This error can be safely ignored.
|KY-27805, KY-28689||Problem: SNMPv3 requests fail with the error "security service 3 error parsing ScopedPDU" for users configured with the AES-192 or AES-256 privacy protocol. The error occurs with SNMP applications, including SolarWinds Network Performance Manager, that use the nonstandard Cisco AES key-extension implementation for 192- and 256-bit key lengths; CipherTrust Manager 2.7 and below supports only the Blumenthal implementation for these key lengths. |
Workaround: Set SNMP users to AES-128 privacy protocol instead. In CipherTrust Manager CLI and API, this value is called
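As an added example (not part of the release notes and not Thales code), the Python below implements the RFC 3414 password-to-key and key-localization steps that every SNMPv3 USM implementation shares, and shows why the AES-128 workaround sidesteps the incompatibility: a 16-byte AES-128 privacy key is simply the first 16 bytes of the localized key, whereas AES-192 and AES-256 need more bytes than MD5 (16) or SHA-1 (20) produce, and that extra key-extension step is where the Blumenthal and Cisco implementations differ. The extension step itself is deliberately not implemented. The password and engine ID are the RFC 3414 Appendix A test-vector values, used here as constructed inputs.

```python
"""RFC 3414 password-to-key and key localization for SNMPv3 USM.

Added example for this note; not part of the release notes or of Thales code.
The AES-192/256 key-extension step (Blumenthal vs. Cisco/Reeder) is NOT
implemented here; the functions only show where it becomes necessary.
"""
import hashlib

ONE_MEBIBYTE = 1048576


def password_to_key(password, hash_name):
    """RFC 3414 A.2: hash exactly 1 MiB of the repeated password to obtain Ku."""
    pw = password.encode()
    reps, rem = divmod(ONE_MEBIBYTE, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku, engine_id, hash_name):
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def aes128_priv_key(password, engine_id, hash_name):
    """AES-128 privacy key per RFC 3826: the first 16 bytes of Kul, no extension."""
    kul = localize_key(password_to_key(password, hash_name), engine_id, hash_name)
    return kul[:16]


def key_length_needed(priv_protocol):
    """Key bytes each AES privacy protocol needs."""
    return {"aes128": 16, "aes192": 24, "aes256": 32}[priv_protocol]


def needs_key_extension(priv_protocol, hash_name):
    """True when Kul from hash_name is shorter than priv_protocol requires.

    This is exactly the case (AES-192/256 with MD5 or SHA-1 authentication)
    in which the two incompatible key-extension methods come into play.
    """
    return key_length_needed(priv_protocol) > hashlib.new(hash_name).digest_size


# Constructed inputs: the password and engine ID from the RFC 3414 Appendix A
# test vectors, so the outputs can be checked against the RFC.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        ku = password_to_key(RFC_PASSWORD, name)
        kul = localize_key(ku, RFC_ENGINE_ID, name)
        print(name, "Ku=" + ku.hex(), "Kul=" + kul.hex(),
              "aes256 needs extension:", needs_key_extension("aes256", name))
```

With the AES-128 workaround, both sides derive the privacy key from Kul alone, which is why the manager and a Cisco-style client agree; selecting AES-192 or AES-256 forces an extension step, and a mismatch there yields a key that decrypts the ScopedPDU to garbage, which is what the parsing error reports.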
|KY-27450||Local Certificate Authorities (CAs) do not allow commas |
Workaround: Configure an External CA instead. Use a backslash
All other printable characters are allowed, as per RFC 5280 definition of PrintableString.
|KY-25152||You cannot pass in a custom SSH key via cloud init on Oracle Cloud instances for initial launch. You also cannot use cloud-init to auto-generate an initial password for the |
Workaround: Login to the GUI to enter the SSH public key on initial access. You can also change the password for the
|KY-22633||When certificate authorities are migrated from KeySecure Classic, the revoked certificate fields do not update.|
Note: If an externally imported CA and its certificate are used in the NAE interface of KeySecure Classic, the CA is migrated as an External CA but the certificate is not migrated to the CipherTrust Manager.
Workaround: To use the same certificate for the NAE interface on the CipherTrust Manager:
1. Select the migrated external CA.
2. Upload the CA certificate manually by editing the NAE interface.
|KY-20310||When setting up a new DPoD Luna Cloud HSM Service as root of trust, the command succeeds but sometimes returns a timeout error. |
Workaround: Disregard the timeout error.
|KY-17662||In-place cluster upgrade does not enforce upgrading only one version.|
|KY-17338||KMIP: LDAP users cannot be set in the KMIP profile.|
Workaround: To use LDAP authentication, use the KMIP auto registration.
|KY-13617||Domain scoped backup fails to restore on another domain when a key with the same name and version already exists.|
Workaround: To handle this issue, try either of the following:
|KY-13343||Uploading an existing backup results in error but is displayed in the list with status "Uploading".|
Workaround: Delete the backup using the "uploadID" as backup ID.
|KY-12602||Manual page refresh is required to show the Pending CAs list.|
|KY-11517||[ProtectApp Application] The Invalid algorithm string error occurs when signing data with SHA384withRSA/PSSPadding.|
|KY-11498||When a CipherTrust Manager has a large number (for example, more than 10K) of local users, an LDAP user cannot log on to it.|
|KY-7289||When migrating a KMIP application from KeySecure Classic to CipherTrust Manager, for encrypt/decrypt operations, the KMIP server always uses the ECB mode regardless of the provided mode.|
Workaround: For migration use cases, if Cryptographic Usage Mask is specified with the CBC mode on KeySecure Classic:
|KY-7288||When migrating from KeySecure Classic to CipherTrust Manager, AES-GCM encrypt/decrypt operations, AuthenticatedEncryptionTag is returned appended to CipherText.|
Workaround: For migration use cases, when using AES-GCM with KeySecure Classic:
|KY-7258||NAE and KMIP might not be connectable after cluster join.|
Workaround: Restart the newly joined node or at a minimum restart the KeySecure service. Restart the service either from the UI or by running ksctl services restart.
|KY-7193||Sub-domain System Defined Groups do not show "Domain Admins", "ProtectApp Users", and "ProtectDB Users" groups.|
Workaround: Manually create missing groups in sub-domains. Policies for the groups are automatically created.
|KY-6383||Users with a pipe in their user names (for example, |
|KY-3670||Cluster join operation can fail, but rarely, leaving joining node in a bad state.|
Workaround: If a cluster join fails, verify that you can still log in to the joining node. If you cannot, restart the node before reattempting the join.
If you still cannot log on to the node:
|KY-2482||(was NC-3480) Signing with EC keys does not work via the REST API.|
|KY-2423||(was NC-2318) KMIP: Result Reason may not be accurate or have enough detail.|
|KY-2418||(was NC-1780) NAE: Users cannot do a UserInfoRequest about themselves.|
|KY-1397||(was NC-2253) Last Login and Logins count are not updated for global user.|
|KY-1396||(was NC-2256) Group membership change for yourself does not take effect until after re-login.|
|KY-1394||(was NC-2260) Trying to mark a shared key deletable or exportable by non-admin user returns: |
|KY-1373||(was NC-2391) Encrypt operation only generates a GetKey record. There's no indication the key was used.|
|KY-1270||(was NC-3567) User Admin should not have authority to manage system groups.|
|KY-1199||(was NC-3904) Trimming of audit table (at 10 million records) takes significant time and causes temporary performance issues|
Workaround: Disable audit table logging for a very active cluster.
|KY-1166||(was NC-4098) NAE/KMIP multiport iptables rules are not replicated.|
Workaround: Perform NAE restart on each node.
|KY-504||Integration with CloudHSM Cluster: Fail-over is not supported between different ENI IPs within an AWS CloudHSM cluster.|
|NC-3573||Migration: Active keys from KeySecure Classic will become Pre-Active on the CipherTrust Manager if the time zone is behind GMT.|
Workaround: Change the state of the keys in Pre-Active state to active from REST API or KMIP interface.
|NC-3572||Migration: Keys in Pre-Active state on KeySecure Classic cannot be used for Crypto operations on the CipherTrust Manager.|
Workaround: Change the state of the keys in Pre-Active state to Active using KeySecure Classic's Console (UI) or KMIP interface before taking the backup for migration.
Alternatively, after migration, change the state of the keys in Pre-Active state to Active from the CipherTrust Manager REST API or KMIP interface.
|NC-2063||If a user is deleted (or LDAP connection name changes), they fail to display in the keys table.|
CipherTrust Cloud Key Manager
|KY-27583||CCKM Scheduler: A key rotation or key refresh process remains stuck, and all new scheduled processes go into the scheduled state.|
This happens when the scheduler expires due to some network issues or reboot of the CipherTrust Manager. The scheduled job remains in the running state.
Workaround: Delete the running and scheduled jobs from the API playground, and retry.
|KY-27499||If you update the hostname for a Google Cloud EKM endpoint, the URI format is invalid, and Google KMS cannot use the URI to perform wrap or unwrap operations. |
Workaround: Manually update the URI in Google Cloud KMS to the following format:
|KY-17446||When rotating a key using the GUI, a new version of an existing CipherTrust Manager key cannot be created. The key can only be rotated to an existing version.|
Workaround: Manually create a new version of the key and rotate the key. To do so:
|KY-17213||When a CipherTrust Manager key is created using an auto rotation schedule on AWS cloud native key, its owner is set to "Global".|
Workaround: A CipherTrust Manager administrator can assign the ownership of the key to a desired user in the CCKM Users group.
|KY-42033||Unable to use the key version created through CCKM for Azure SQL EKM.|
This issue will be resolved in CipherTrust Manager v2.8.0.
CipherTrust Database Protection
|KSCH-573||Encryption rules cannot be modified to reset values for include and exclude extension parameters.|
|KSCH-568||Encryption rules do not prevent specifying both include and exclude extension parameters simultaneously.|
|KSCH-567||Modifying a file level encryption rule to set the “isRecursive” flag does not return an error.|
|KSCH-564||Non-encryptor clients cannot be removed from a Linux cluster while a cryptographic operation on an encryption rule is in progress.|