22.3 Release Notes

This update includes the following features, fixes, and other changes.

After applying the February 14, 2023, Microsoft Update KB5022842 (OS Build 20348.1547) on a virtualized Windows Server 2022 system with Secure Boot enabled, the server will become unusable. This issue is reproducible without any IBM Security products installed on the Windows Server 2022 system.

Cause: The issue arises on the second reboot after installing Microsoft update KB5022842 on Windows Server 2022 running on VMware vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. IBM Security recommends, as a best practice, creating system restore points before applying any upgrades, patches, or system changes.

New Features

Privilege Elevation with added group privileges (Windows)

  • This enables users to run elevated privilege commands as the same user that is connected to the session, with local Administrator group privileges added, as opposed to running the command as a local <username>-priv user created just for this purpose.

Set-Based Unix Profile Role Mapping Settings

  • This enables customers to expose PAS Roles as sets of enrolled Linux systems as compared to exposing such roles on all enrolled systems (which is the current behavior).

Granular Privilege Elevation Workflow Preview

  • This enables users in the command line to request Privilege Elevation privileges to specific commands or command sets as compared to always requesting privileges to run ALL commands as Administrator/root.
  • When adding a new Privilege Elevation command, users can specify a local user to run any privileged command. The user has to append @localhost to the Run As User field (example: localuser@localhost).
  • Database Account operations are now successful on a SAP ASE Database with SSL enabled port when the correct trusted file is provided.

Notice of Discontinuation

None.

Resolved Issues and Changes in 22.3

  • Verify Privilege Cloud Suite features such as AgentAuth, AAPM, and DMC are now supported on Windows Workstations (Windows 10 and 11).

  • Fixed an issue in privilege elevation workflow activity where the Activity log showed that commands were run without an authentication challenge, when in fact the user was challenged with additional authentication requests when running the command after the workflow request was approved. (388576)

  • Fixed an issue with the cenroll command: running it with only the -Z option and no argument attached to it now throws an appropriate error. (448531)

  • When a user selects Email as the option to authenticate to PAS, the email sent to the user no longer contains a URL link to authenticate. The user must manually enter the One Time Passcode where the login session was initiated.

  • Fixed an issue where multiplexed accounts would not load properly for HSPAS users if there were a large number of them. (425943)
  • Fixed an issue where RDP sessions could cause connectors to overload the CPU. (435461)
  • Our previous version of Npgsql had a known issue of idle connections sometimes not getting cleaned up. We have updated the package to version 5.0.14 which fixes this issue. (450990)
  • Fixed an issue with SSH login slowness that occurred when using the native ssh client on AWS tenants with a large number of enrolled systems. (453449)
  • Added code to update clipboard permissions that were not working properly with the changes in the latest Chromium browser version. (456764)
  • Fixed an issue where a slow target system caused 100% CPU in the FreeRDP library. (458050)
  • Fixed an issue where discovery didn't find accounts on non-English language Windows systems. (443308)
  • Fixed an RDP copy and paste issue caused by updates to chromium-based browsers. (463139)
  • Fixed an issue where HSPAS would fail to install in a FIPS enabled environment. (467224)
  • Fixed an issue where accessing the workflow screen did not load any of the UI components. (463070)
  • Fixed an issue related to network latency when using WebRDP. (431794)

Resolved Issues and Changes in 22.3 HF1

  • Additional ARN formats are now supported when managing AWS credentials. (ref:416069)

  • Improved WebRDP experience related to network latency. (ref:431794)

Supported Platforms

Clients for Linux

Added support for Rocky Linux and Alma Linux:

  • Rocky Linux 8.6

  • Alma Linux 8.6

Clients for Microsoft Windows

  • The Verify Privilege Cloud Suite agent can now be installed with all features enabled on Windows Workstations, so that customers may log in with cloud-brokered identities and perform MFA at login.
  • Customers will also be able to perform tasks based on the DMC and AAPM features.

Cloud Connector

  • Windows Server 2012r2, Server 2016, Server 2019, Windows 2022

Hyper-Scalable Privileged Access Service

  • Windows Server 2016, Server 2019, Windows 2022

Windows PAS Remote Access Kit

Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify App for Android

Android 5 (API level 21) and later

Centrify App for iOS

iOS 12 and above

Databases

  • Microsoft SQL Server (versions 2008R2 and later)
  • Oracle (versions 11.2.0.4, 12.1.0.1, 12.1.0.2)
  • SAP ASE (version 16.0)

Network Devices and Appliances

  • Check Point Gaia (versions R77.30, R80.10)
  • Cisco AsyncOS (versions v10 and v11)
  • Cisco IOS (versions IOS 12.1/IOS 15.0)
  • Cisco NX-OS (version NX-OS 6.0)
  • F5 Networks BIG-IP (versions v11, v12, v13)
  • HP Nonstop OS (J06.19, H06.29)
  • IBM i (versions IBM i 7.2, IBM i 7.3)
  • Juniper Junos OS (version JunOS 12.3R6.6)
  • Palo Alto Networks PAN-OS (versions 7.1, 8.0)
  • VMware VMkernel (versions 5.5, 6.0, 6.5 and 6.7)
  • Generic SSH

Desktop Apps

Privileged Access Service provides templates for the following Windows applications in the Desktop Apps feature. Privileged Access Service supports any version of these applications that is compliant with the requirements for Windows Server 2012 R2 / 2016 Remote Desktop Services and RemoteApp. These applications must accept and process the command line strings pre-defined within the Desktop Apps templates. We have officially tested the following versions:

  • SQL Server Management Studio (versions 13.0.15600.2 (2016) and 12.0.4522.0 (2012))
  • TOAD for Oracle (version 13.0.0.80)
  • VMware vSphere Client (version 6.0.0)

VMware vSphere Client supports VMware VMkernel systems with a VMkernel system version below 6.5.

Custom user-defined templates are also available for additional desktop applications.

Known Issues

Client Known Issues

  • When you log in to an enrolled system and your account is set up to use MFA redirection, the service prompts you for your password, not the password for the MFA redirect user. This feature is available on systems that have the Cloud Client installed and enrolled.

MFA Known Issues

  • Ensure required data for each selected authentication factor is present. When selecting the use of a secondary factor (SMS, phone, email, etc.) you should ensure that the data is present in Active Directory for all users; otherwise users with missing data may be locked out. You can specify a preferred factor, and if it is not present an alternative factor will be used. For example, if a user has no phone number in AD and SMS was the preferred factor, the IBM Security PAS will fall back to another selected factor (for example, email). If there is no phone number or email in AD in this case, the user would effectively be locked out.
  • Email as an MFA mechanism is subject to spam / junk filters. Be aware that using email as an MFA mechanism may be affected by users’ email providers’ spam or junk filters.
  • SMS / phone are only attempted once a password is validated. This prevents spam and billing issues if an attacker attempts to brute force passwords to gain entry.
  • For FIDO2 and On-Device Authentication options you will need to log in from the tenant-specific URL.
  • If you try to log in to a system or check out a system's credentials using a workflow request, the request halts unexpectedly. However, you can still log in or check out if those rights are granted by policy.
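The MFA known issues above describe a preferred-factor / fallback selection whose failure mode is a locked-out user with missing directory data. The following is an added example, not code from the release notes or the product, that models that behaviour so an administrator can audit a directory export before enabling a factor policy. The AD attribute names (`mobile`, `telephoneNumber`, `mail`) and the factor names are assumptions for illustration, as is applying the "only after password validation" rule to every secondary factor rather than just SMS/phone; the sample users are constructed.

```python
"""Audit which users would be locked out under an MFA secondary-factor policy.

Models the fallback described in the release notes: the preferred factor is
tried first; if the user lacks the data it needs, the service falls back to
another selected factor; if no selected factor has data, the user is locked out.
The attribute mapping below is an assumption for this example, not the
product's documented mapping.
"""
from typing import Dict, List, Optional

# Assumed mapping from secondary factor to the AD attribute that must be populated.
REQUIRED_ATTRIBUTE: Dict[str, str] = {
    "sms": "mobile",
    "phone": "telephoneNumber",
    "email": "mail",
}

# Constructed sample directory records (not real accounts).
SAMPLE_USERS: List[Dict[str, str]] = [
    {"sAMAccountName": "alice", "mobile": "+1 555 0100", "mail": "alice@example.com"},
    {"sAMAccountName": "bob", "mobile": "", "mail": "bob@example.com"},
    {"sAMAccountName": "carol", "mobile": "", "telephoneNumber": "", "mail": ""},
]


def select_factor(user: Dict[str, str], preferred: str, selected: List[str]) -> Optional[str]:
    """Return the factor that would be used for `user`, or None if none is usable.

    `selected` lists the secondary factors enabled in policy; `preferred` is
    tried first, then the remaining selected factors in policy order.
    """
    order = [preferred] + [f for f in selected if f != preferred]
    for factor in order:
        attr = REQUIRED_ATTRIBUTE.get(factor)
        if attr is None:
            # Factor not modelled here (e.g. a hardware token); skip rather than guess.
            continue
        if user.get(attr, "").strip():
            return factor
    return None


def audit_lockouts(users: List[Dict[str, str]], preferred: str, selected: List[str]) -> List[str]:
    """Account names that would have no usable secondary factor under this policy."""
    return [u["sAMAccountName"] for u in users if select_factor(u, preferred, selected) is None]


def plan_challenge(user: Dict[str, str], password_valid: bool,
                   preferred: str, selected: List[str]) -> Optional[str]:
    """Secondary factor to issue for one login attempt, or None.

    The notes state that SMS/phone are only attempted once the password is
    validated (so password guessing cannot generate messages or billing). This
    model applies that gate to every secondary factor, which is an assumption.
    """
    if not password_valid:
        return None
    return select_factor(user, preferred, selected)


if __name__ == "__main__":
    # Policy: SMS preferred, email as the alternative selected factor.
    policy = ("sms", ["sms", "email"])
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], "->", select_factor(u, *policy))
    print("locked out:", audit_lockouts(SAMPLE_USERS, *policy))
```

Run the audit against a CSV or LDAP export of the same attributes before turning on a factor; any name it returns needs its directory data fixed (or the policy widened) first, because those users cannot complete the secondary challenge at all.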