22.1 Release Notes

This update includes the following features, fixes, and other changes.

New Features

Ability to Deploy user.ignore and group.ignore Files to Multiple Systems

You can deploy the user.ignore and group.ignore configuration files to one or more enrolled Linux systems. You can deploy these files to individual systems or all systems in a set, and to no more than 500 systems at a time.

For details, see Deploying the user.ignore and group.ignore Configuration Files.

More Support for Local Linux Group Mapping

You can now map roles in Privileged Access Service to either new or existing Linux local groups. Previously you could map roles to just new local groups.

For details, see Specifying UNIX Profile Information.

Cloud Client Automatic Update Activity

When the Cloud Client attempts to do an automatic update, it will send the auto-update results to the target system's Activity tab. This will be available when the current version of the client (22.1) is automatically updated to a newer version.

Notice of Discontinuation

None

Resolved Issues and Changes

Here are the resolved issues and behavior changes in this release:

  • Fixed an issue where in some cases the connector would not automatically restart after automatically upgrading to a new version.

  • Fixed the issue where if you tried to elevate privileges for a user whose account name has 16 or more characters in it, privilege elevation failed with an error.

  • Fixed an issue that might cause heavy database CPU usage intermittently.

  • Fixed an issue where a user was prompted for user credentials twice when logging in to a system remotely using the "Enter Account" action.

  • Fixed an issue that caused inconsistent Dark Mode behavior.

  • Fixed an issue where running the report "User MFA Challenge Setup Status" might result in a query error.

  • Fixed an issue where "Bulk Delete" might not delete some service accounts.

  • Fixed an issue where the service didn't send Radius configuration information on connector startup.

  • There are new reports related to privilege elevation activities; you can find these reports in the Resource Reports group.

  • Fixed an issue where, under certain circumstances, if you tried to reset your password in the PAS Admin Portal by way of the Forgot Password option and there were multiple authentication challenges set up, the second required authentication challenge immediately skipped to the next step and failed.

Supported Platforms

IBM Security Connector

  • Windows Server 2012r2, Server 2016, Server 2019

Hyper-scalable IBM Security Privileged Access Service

  • Windows Server 2016, Server 2019, Windows Server 2022

Clients for Linux

Client for Red Hat

  • Red Hat Enterprise Linux 7.9, 8.3
  • CentOS 7.9, 8.3
  • Fedora 33, 34
  • Oracle Linux 7.9, 8.3
  • Amazon Linux 2 Latest Version

Client for Red Hat (ARM architecture)

  • 7.9, 8.3

Client for SUSE

  • SUSE 15 SP3

Client for Debian

  • Debian 9.13, 10.9, 11.2
  • Ubuntu 18.04 LTS, 20.04 LTS, 21.04

Client for Alpine Linux

  • Alpine Linux 3.14

    Before you uninstall the IBM Security Client for Linux from an Alpine Linux system, you must unenroll the system first. The Alpine Linux package manager doesn't allow the service to verify that the client is unenrolled from IBM Security PAS before uninstalling. If you uninstall the client without unenrolling first, you won't be able to log in to the system anymore.

Clients for Microsoft Windows

Windows 10 LTSB/LTSC, Windows Server 2012r2, 2016, 2019 LTSC, Windows 2022

Windows PAS Remote Access Kit

Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify App for Android

Android 5 (API level 21) and later

Centrify App for iOS

iOS 12 and above

Databases

  • Microsoft SQL Server (versions 2008R2 and later)
  • Oracle (versions 11.2.0.4, 12.1.0.1, 12.1.0.2)
  • SAP ASE (version 16.0)

Network Devices and Appliances

  • Check Point Gaia (versions R77.30, R80.10)
  • Cisco AsyncOS (versions v10 and v11)
  • Cisco IOS (versions IOS 12.1/IOS 15.0)
  • Cisco NX-OS (version NX-OS 6.0)
  • F5 Networks BIG-IP (versions v11, v12, v13)
  • HP Nonstop OS (J06.19, H06.29)
  • IBM i (versions IBM i 7.2, IBM i 7.3)
  • Juniper Junos OS (version JunOS 12.3R6.6)
  • Palo Alto Networks PAN-OS (versions 7.1, 8.0)
  • VMware VMkernel (versions 5.5, 6.0, 6.5 and 6.7)
  • Generic SSH

Desktop Apps

Privileged Access Service provides templates for the following Windows applications in the Desktop Apps feature. Privileged Access Service supports any versions of these applications that are compliant with the requirements for Windows Server 2012 R2 / 2016 Remote Desktop Services and RemoteApp. These applications must accept and process the command line strings pre-defined within the Desktop Apps templates. We have officially tested the following versions:

  • SQL Server Management Studio (versions 13.0.15600.2 (2016) and 12.0.4522.0 (2012))
  • TOAD for Oracle (version 13.0.0.80)
  • VMware vSphere Client (version 6.0.0)

    VMware vSphere Client supports VMware VMkernel systems with a VMkernel system version below 6.5.

Custom user-defined templates are also available for additional desktop applications.

Known Issues

Client Known Issues

  • When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the IBM Security Client installed and enrolled.

  • For privilege elevation workflow activity, the events in the Activity log show that commands were run without an authentication challenge, when in fact the user was challenged with additional authentication requests when running the command after the workflow request was approved.

MFA Known Issues

  • Ensure required data for each selected authentication factor is present. When selecting the use of a secondary factor (SMS, phone, email, etc.), you should ensure that the data is present in Active Directory for all users; otherwise users with missing data may be locked out. You can specify a preferred factor, and if it is not present an alternative factor will be used. For example, if a user has no phone number in AD and SMS was the preferred factor, IBM Security PAS will fall back to another selected factor (for example, email). If there is neither a phone number nor an email address in AD in this case, the user would effectively be locked out.

  • Email as an MFA mechanism is subject to spam / junk filters. Be aware that using email as an MFA mechanism may be affected by users' email providers' spam or junk filters.

  • SMS / phone are only attempted once a password is validated. This prevents spam and billing issues if an attacker attempts to brute-force passwords to gain entry.

  • For the FIDO2 and On-Device Authentication options, you will need to log in from the tenant-specific URL.