UKM Product Update
Release notes for UKM 4.1.0
Table of Contents
1. Release Highlights
2. New Features
3. Improvements
4. Bug Fixes
5. Deprecations
6. Known Issues
7. Further Information
1. Release Highlights
Universal SSH Key Manager (UKM) 4.1.0 includes new functionality, improvements, and bug fixes.
Most notably, this release introduces the ability to expand search locations of private SSH keys and to evaluate and report on the Post-Quantum readiness of the Tectia SSH server estate.
UKM 4.1.0 also introduces advanced alert management to focus on what matters, avoid alert fatigue, and improve data management.
2. New Features
This release introduces the following new capabilities:
- UKM adds the ability to assess your SSH client/server estate and report on your adoption of Quantum-Resistant Cryptographic algorithms, such as NIST's finalist CRYSTALS-Kyber, among others. UKM provides the ability to:
  - transition away from insecure communication standards, such as SHA1-based algorithms, which are known to be insecure today
  - implement the mixed use of Quantum-Resistant and Classical algorithms during a transition period from a centralized platform [UKM-2460]
- It is now possible to define custom locations where UKM will search for private SSH keys. User home directories are always scanned. [UKM-1448]
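The following added example is not part of UKM and does not show UKM's own method. It illustrates a name-based check of a server's key-exchange and MAC settings, of the kind the Post-Quantum readiness item above describes. It assumes input in the format printed by OpenSSH's `sshd -T`; the function names, the marker list and the sample text are constructed for illustration.

```python
import re

# Assumption: algorithms are classified by name only. The markers cover the
# post-quantum hybrids OpenSSH ships (sntrup761, mlkem768) and names that
# contain "kyber" or "frodokem".
PQ_MARKERS = ("sntrup", "mlkem", "kyber", "frodokem")


def classify(alg):
    """Return 'pq', 'sha1' or 'classical' for one algorithm name."""
    name = alg.lower()
    if any(marker in name for marker in PQ_MARKERS):
        return "pq"
    if re.search(r"\bsha1\b", name):
        return "sha1"
    return "classical"


def assess(effective_config):
    """Summarise the KEX and MAC lines of `sshd -T` style text."""
    report = {"pq": [], "classical": [], "sha1": []}
    kex_total = 0
    for line in effective_config.splitlines():
        keyword, _, value = line.strip().partition(" ")
        keyword = keyword.lower()
        if keyword not in ("kexalgorithms", "macs"):
            continue
        for alg in filter(None, (a.strip() for a in value.split(","))):
            kind = classify(alg)
            if keyword == "kexalgorithms":
                kex_total += 1
                report[kind].append(alg)
            elif kind == "sha1":  # MACs matter here only when SHA-1 based
                report["sha1"].append(alg)
    if not report["pq"]:
        report["status"] = "classical-only"
    elif len(report["pq"]) < kex_total:
        report["status"] = "mixed"  # hybrid and classical KEX offered together
    else:
        report["status"] = "pq-only"
    return report


# Constructed sample resembling `sshd -T` output (not taken from a real host).
SAMPLE = """\
port 22
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

A "mixed" status corresponds to the transition period mentioned above, and any entry under `sha1` is a candidate for removal from the server configuration.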
3. Improvements
This release includes the following improvements and continuity updates:
- UKM and User Portal can now be installed on Amazon Linux 2 [UKM-2348]
- The scheduled purging task now deletes all alerts that qualify, i.e. alerts older than the defined preservation period. This includes active alerts, which prior versions explicitly omitted even if they were older than the defined preservation period [UKM-2373]
- Alerts issued by UKM can now be explicitly disabled [UKM-2373]
- Private SSH keys that are part of the Zero Trust authentication flow can now be rotated in UKM [UKM-2174]
4. Bug Fixes
- Addressed an issue that prevented modifying existing applications featuring a domain user in the format domain\username. Applications can now be edited and domain users can be successfully added to the include/exclude lists [UKM-2488]
- Addressed an issue that prevented successful scanning when a user inquiry on a target server returned disabled users [UKM-2477]
- Change ticket fields in the User Portal are now properly validated. The value can consist of alphanumeric, dash, underscore and dot characters with a maximum length of 100 symbols [UKM-2489]
5. Deprecation warnings
Support for PostgreSQL database versions 9.9 and 10 will be deprecated in UKM version 4.2.
6. Known Issues
[43454] It is difficult to distinguish leading and trailing whitespaces in passphrases displayed by the Key Manager GUI.
[52702] Host Utility ssh-mgr-host-utility.exe does not detect Tectia keys properly if Tectia Server is configured to use openssh-authorized-keys-file only.
[58911] Custom logging settings inside localsettings.py file cause database migration to fail.
[59280] For access requests, the Key Path is not automatically cleared when Key Manager administrators change the source account/host. Access-request jobs fail if the new source user is not in control of the specified Key Path.
[UKM-192] Key-activity scan may not log all failed login attempts on Red Hat and Tectia hosts.
[UKM-247] On AIX, offline scan with the scan-without-nfs option mounts all NFS home directories.
[UKM-389] If a Key Manager administrator tries to approve actions initiated by themselves, the approval is rejected as expected, but no error message is shown in the GUI.
[UKM-450] "Set Passphrase" operation fails for Attachmate private keys.
[UKM-463] GUI does not correctly display all key IDs affected by rollback actions. However, rollback actions are still performed correctly.
[UKM-734] In the global setting 'List of allowed application-owner roles' leading and trailing whitespaces in values are considered part of the names. For example, if the value is set to "role_1, role2, role_3", you will have roles named "role_1", "role_2", and " role_3".
CAUTION: Do not change the leading/trailing whitespaces! Doing so irrevocably removes all the application associations and delegations of the affected roles.
[UKM-898] Setting a private-key passphrase on agent-based CentOS-7 hosts with SELinux enforcing fails with a 'Permission denied' error.
[UKM-1062] If the ssh-agent-monitor process is killed, the associated ssh-key-agent process is left alive.
Known workaround: Kill the orphaned ssh-key-agent process manually.
[UKM-2238] UKM incorrectly reports successful completion of the remove action for private keys whose ownership has been changed and for which the user no longer has appropriate permissions.
[UKM-2486] Tags submitted via CLI are not properly validated. It is possible to create tags which include invalid characters.
7. Further Information
More information, including end-user and administrative documentation, can be found in the Customer Download Center.