22.3 Release Notes

This update includes the following features, fixes, and other changes. Please also read the 22.3 Release Notes.

New Features

  • Database Account operations are now successful on a SAP ASE Database with SSL enabled port when the correct trusted file is provided.

Documentation

Notice of Discontinuation

Resolved Issues and Changes in 22.3

  • Fixed an issue where multiplexed accounts would not load properly for HSPAS users if there were a large number of them. (ref:425943)
  • Fixed an issue where RDP sessions could cause connectors to overload the CPU. (ref:435461)
  • Our previous version of Npgsql had a known issue of idle connections sometimes not getting cleaned up. We have updated the package to version 5.0.14 which fixes this issue. (ref:450990)
  • Fixed an issue related to SSH login slowness that occurred when using the native ssh client on AWS tenants with a large number of systems enrolled. (ref:453449)
  • Added code to update clipboard permissions that were not working properly with the changes in the latest Chromium browser version. (ref:456764)
  • Fixed an issue where a slow target system caused 100% CPU in the FreeRDP library. (ref:458050)
  • Fixed an issue where discovery didn't find accounts on non-English language Windows systems. (ref:443308)
  • Fixed an RDP copy and paste issue caused by updates to Chromium-based browsers. (ref:463139)
  • Fixed an issue where HSPAS would fail to install in a FIPS enabled environment. (ref:467224)
  • Fixed an issue where accessing the workflow screen did not load any of the UI components. (ref:463070)
  • Fixed an issue related to network latency when using WebRDP. (ref:431794)

Supported Platforms

Cloud Connector

  • Windows Server 2012r2, Server 2016, Server 2019, Windows 2022

Hyper-Scalable Privileged Access Service

  • Windows Server 2016, Server 2019, Windows 2022

Windows PAS Remote Access Kit

  • Windows 10, Server 2012r2, Server 2016, Server 2019

Centrify App for Android

  • Android 5 (API level 21) and later

Centrify App for iOS

  • iOS 12 and above

Databases

  • Microsoft SQL Server (versions 2008R2 and later)
  • Oracle (versions 11.2.0.4, 12.1.0.1, 12.1.0.2)
  • SAP ASE (version 16.0)

Network Devices and Appliances

  • Check Point Gaia (versions R77.30, R80.10)
  • Cisco AsyncOS (versions v10 and v11)
  • Cisco IOS (versions IOS 12.1/IOS 15.0)
  • Cisco NX-OS (version NX-OS 6.0)
  • F5 Networks BIG-IP (versions v11, v12, v13)
  • HP Nonstop OS (J06.19, H06.29)
  • IBM i (versions IBM i 7.2, IBM i 7.3)
  • Juniper Junos OS (version JunOS 12.3R6.6)
  • Palo Alto Networks PAN-OS (versions 7.1, 8.0)
  • VMware VMkernel (versions 5.5, 6.0, 6.5 and 6.7)
  • Generic SSH

Desktop Apps

Privileged Access Service provides templates for the following Windows applications in the Desktop Apps feature. Privileged Access Service supports any versions of these applications that are compliant with the requirements for Windows Server 2012 R2 / 2016 Remote Desktop Services and RemoteApp. These applications must accept and process the command line strings pre-defined within the Desktop Apps templates. We have officially tested the following versions:

  • SQL Server Management Studio (versions 13.0.15600.2, 2016 and 12.0.4522.0, 2012)
  • TOAD for Oracle (version 13.0.0.80)
  • VMware vSphere Client (version 6.0.0)

VMware vSphere Client supports VMware VMkernel systems with a VMkernel system version below 6.5.

Custom user-defined templates are also available for additional desktop applications.

Known Issues

MFA Known Issues

  • Ensure required data for each selected authentication factor is present. When selecting the use of a secondary factor (SMS, phone, email, etc.), you should ensure that the data is present in Active Directory for all users; otherwise, users with missing data may be locked out. You can specify a preferred factor, and if it is not present, an alternative factor will be used. For example, if a user has no phone number in AD and SMS was the preferred factor, the IBM Security PAS will fall back to another selected factor (for example, email). If there is no phone number or email in AD in this case, the user would effectively be locked out.
  • Email as an MFA mechanism is subject to spam / junk filters. Be aware that using email as an MFA mechanism may be affected by users' email providers' spam or junk filters.
  • SMS / phone are only attempted once a password is validated. This prevents spam and billing issues if an attacker attempts to brute force passwords to gain entry.
  • For FIDO2 and On-Device Authentication options, you will need to log in from the tenant-specific URL.
  • If you try to log in to a system or check out a system's credentials using a workflow request, the request halts unexpectedly. However, you can still log in or check out if those rights are granted by policy.

Additional Information and Support

In addition to the documentation provided with this package, see the IBM Security Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone.

The IBM Security Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks, white papers, etc., that may help you optimize your use of IBM Security products. For more information, see the IBM Security Resources web site.

To contact IBM Security Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating IBM Security products, send email to info@delinea.com.