Patch Releases

This section lists released patches that are compatible with Release 5.9.1. Users can download any of these patch releases from the Thales Customer Support Portal. Refer to the following subsections:

>Client Patch Releases

>Firmware Patch Releases

Client Patch Releases

The following client patch releases are compatible with ProtectToolkit 5.9.1:

RHEL 8.7 Support Patch

To run ProtectToolkit 5.9.1 on an RHEL 8.7 system, users must download and install the RHEL 8.7 PCI HSM Access Provider Patch (630-000700-001_SW_PATCH_PTK_5.9.2_RHEL8_PCI_HSM_ACCESS_PROVIDER_RevA.tar).

KSP/CSP Library Patch

The KSP/CSP DLL files included in the ProtectToolkit 5.9.1 client package will expire in August 2021. The KSP/CSP Library Patch (630-000524-001_CSP_KSP_PTK_5.9.1.tar) includes freshly signed CSP/KSP libraries for users who would like to integrate SafeNet Cryptoki with Microsoft's Cryptography Next Generation (CNG) API and use CNG beyond August 2021.

This patch replaces the following files on 64-bit Windows clients:

KSP Files

>%SystemRoot%\system32\SafeNetKSP.dll

>C:\Program Files\Safenet\Protect Toolkit 5\KSP\kspcmd.exe

>C:\Program Files\Safenet\Protect Toolkit 5\KSP\KspConfig.exe

>C:\Program Files\Safenet\Protect Toolkit 5\KSP\ksputil.exe

CSP Files

>C:\Program Files\Safenet\Protect Toolkit 5\Protect Toolkit M\ptkmrsa.dll

For more information about installing this patch, see the README file included in 630-000524-001_CSP_KSP_PTK_5.9.1.tar.

For more information about the SafeNet KSP/CSP provided by Thales, see SafeNet KSP for CNG Registration Utilities.

Firmware Patch Releases

The following firmware patch releases are compatible with ProtectToolkit 5.9.1:

ProtectServer HSM Firmware 5.06.05

Firmware 5.06.05 supports the latest features from release 5.9.1 and recent changes to FIPS restrictions.

ProtectServer HSM Firmware 5.06.04

Firmware 5.06.04 supports the latest features from release 5.9.1, bug fixes as described in Known and Resolved Issues, and recent changes to FIPS restrictions. It also introduces security fixes for certain configurations along with the following new features and enhancements:

CKA_EXPORTABLE Attribute Value Can be Changed From False to True

The value of CKA_EXPORTABLE can be changed from FALSE to TRUE by using the ctkmu m command when the Weak PKCS#11 Mechanisms security flag is set.

See ctkmu and Weak PKCS#11 Mechanisms for more information.

RSA Encryption/Decryption in OAEP Mode No Longer Requires the Same Hashing Algorithm to be Specified for the hashAlg and MGF Parameters

RSA encryption/decryption can be performed in OAEP mode with different hashing algorithms specified for the hashAlg and mgf parameters.

See OAEP Mode for more information.

ProtectServer HSM Firmware 5.06.03

Firmware 5.06.03 supports the latest features from release 5.9.1 and recent changes to FIPS restrictions. It also introduces security fixes for certain configurations along with the following new features and enhancements:

Modification to C_DigestKey Function

The operation of C_DigestKey has been modified to improve overall security. This function now checks the CKA_MECHANISM_LIST attribute of an object. For more information, refer to CKA_MECHANISM_LIST.

Appliance Software Patch Releases

The following appliance software patch releases are compatible with ProtectToolkit 5.9.1:

ProtectServer Network HSM Appliance Freeze Fix Patch

This patch release (630-000195-006_SPKG_PSE_5.9.2_RevB.tar) includes a new secure package file for the ProtectServer External 2 and ProtectServer External 2 Plus that prevents the appliance from occasionally freezing when the HSM is operated under a moderate workload with the audittrace service and SMS enabled.