Venafi Trust Protection Platform 14.4 Released


Venafi Trust Protection Platform 14.4

What's New?

- Integrated Windows Authentication. Users can automatically log in to web consoles with their current Windows session credentials.
- RSA SecurID Authentication. Customers can enforce strong two-factor authentication with RSA SecurID.
- Agent Registration Improvements: From Aperture, a server thumbprint can now be used during agent registration instead of manually creating a trust bundle and registration password.

- New CA Driver: Xolphin
- CA Driver Enhancements (SHA2): GeoTrust Enterprise, GeoTrust Reseller, GlobalSign
- New Application Driver: BlueCoat SSL Visibility Appliance

- Various statistics and violations are now calculated on the fly as keys are discovered, created, updated, removed or rotated, without waiting for the nightly calculation or restarting the VED service.
- Automatic retry after agent shutdown. If unexpected errors occur on the agent during key rotations or other key operations, TPP will retry the commands automatically once the agent is restarted.
- The SSH Dashboard has been enhanced with new SSH Network Discovery Summary and Key Length widgets, allowing selection of the minimum key length on the Critical Alerts widget, improved representation of violations on the SSH Policy Violations widget, and additional statistics being logged in the SSH Trends Report and displayed in the SSH Trends widget.

Issues Resolved:

 1) Aperture searches that take longer than 15 seconds to return data should not time out in high-latency environments. (#13310, @8524)
 2) Filtering on Agent version is now available in the Agents view. (#14959, @10022)
 3) Improved security of the Aperture framework, decreasing the likelihood of XFS occurrences. (#14462)
 4) A user without the 'Rename' permission trying to move a certificate to a new policy will now be presented with an appropriate error message. (#15292, @10121)
 5) If a user has insufficient permissions the 'Create New Keyset' button is now grayed out. (#14972, @10036)

Certificate Authority
 1) A certificate that was imported from a Microsoft Certificate Authority (MSCA) can now be revoked on the MSCA. (#9895, @6423)
 2) Enhanced the error handling for a Symantec MPKI - Error 105 to suggest possible problems. (#15279, @3751)
 3) The Symantec MPKI certificate option will now use the suggested policy values. (#15307, @10166)
 4) The Thawte CA driver has been updated to support the Thawte after the CA web site received major updates in September 2014. There is now an option to support SHA2 certificate chains. (#14068, @8999)
 5) The SAN Enabled option for the Symantec MPKI CA now properly enforces whether SANs are permitted. (#15107, @10128)

Certificate Manager
 1) When a certificate is pushed to an application, the logging has been improved to clarify that the push operation has been completed. (#14741, @9886)
 2) Root and intermediate certificates will be excluded from certificate chains if the certificate is put into the 'Roots' tree and then blacklisted. (#6748, @9460)

 1) Dashboard navigation buttons will only be displayed for the products (Certificate or SSH management) that are installed. (#15232, @10150)
 2) The dashboard will load after importing a Root CA into the roots tree with a new install. (#14642, @9763)

 1) Large discovery jobs (> 3 million ports) no longer hang and will finish the discovery job. (#14744, @9690)
 2) Hostnames with a '-' (dash) are allowed in a discovery job as long as the name used is a valid DNS host name. (#14904)

 1) The LDAP Identity wizard now includes the naming contexts in the wizard's progress window. (#15423)

 1) Fixed the owner in the Oracle upgrade scripts to be DIRECTOR instead of TPP. (#14841, @9974)

Log Server
 1) Splunk channel configuration can now be configured without a credential. (#15249, #10175)
 2) Cleaned up excessive logging that was deemed repetitive or unnecessary by customers. (#14971, #15141, @10073, @10073)
 3) The message "Certificate Monitor - Concurrent Process" is now a debug message instead of an info message. (#14530, @9647)
 4) Fixed the SNMP trap generated by TPP so it is not detected as malformed by some SNMP monitors. (#14543, @8905)

 1) Certificate Expiration Reports are now using the policy assigned values for 'Certificate Management type.' (#14902, @10050)
 2) Added the 'Revoke' column to the Entitlement Report on CSV and PDF reports. (#11447, @7176)

 1) Corrected SSH key rotations so they do not stay in a 'Provisioning' state. (#14043, @9228)
 2) Rotating SSH keysets of 5X type no longer generates 'Could not open file' errors at stage 10210. (#12291)
 3) Properties filter no longer has duplicated values in Device list view. (#14581)
 4) Known_host orphans are now correctly identified. (#12288)
 5) Canceling key additions no longer generates 'HTTP 500' errors and deletes the row properly. (#13315)
 6) Creating a keyset no longer gives an 'HTTP 500' error if a user does not have sufficient permissions. (#14972)

 1) When several applications are running on the same device, the validation will now run successfully for all applications on the device. (#14798, @8150)

Web Administration Console
 1) Web Admin can now export up to 100,000 entries from the log channels in CSV, Tab Delimited, HTML, and XML formats. (#14536, @9532)
 2) Performing a drag and drop object move will now prompt for a confirmation before the move is performed. (#15219, @9828)
 3) Sorting of the 'Description' column of the Default SQL Channel object is no longer allowed. As a generated data column, this should not have been allowed. (#13960, @9261)
 4) A 'Support' tab has been added for user objects to allow resetting user preferences. It is not available to user group objects. (#14905, @9694)
 5) Fixed inconsistent key store paths on an application. (#12660, @7824)
 6) When a certificate and key are mismatched (e.g. a workflow was rejected), the policy value is now saved and enforced. (#15227, @10147)
 7) Policy objects now have a suggested value that was set at a parent policy. (#14099, @9301)
 8) The F5 Driver now uses the suggested bundle name specified in the UI if the suggested name is not changed. (#14796, @9949)

 1) Workflows are no longer applied if they are blocked or not directly associated with an object. (#13363, @8667)
 2) Improved feedback when an Application workflow does not have an approver specified. (#14529, @9677)
 3) Ticket approver email link resolves correctly when the email is set via policy. (#15241, @10161)
 4) Eliminated duplicate workflow tickets when a newer workflow supersedes a prior flow. (#5886, @9741)

