Release Notes
Introduction
These release notes apply to version 1.6.1 of the nShield KeySafe 5 for Security World. They contain information specific to this release, such as new features, defect fixes, and known issues.
The release notes might be updated with issues that have been discovered after this release has been made available. Check the Support Portal for the most up to date version of this document.
Access to the Support Portal is available to customers under maintenance. Contact Entrust nShield Technical Support at nshield.support@entrust.com to request an account.
Purpose of this release
KeySafe 5 provides a centralized means to securely manage a distributed nShield HSM estate. The v1.6.1 release delivers new functionality to monitor nShield HSM estate operations by allowing access to live and historical metrics as well as the ability to create customizable system alerts. These new features are enabled through the purchase of a license. Please contact your Entrust account manager for licensing and pricing information.
KeySafe 5 v1.6.1 is intended to replace the functionality previously provided by the discontinued product, nShield Monitor.
Please see the Release Package section of the KeySafe 5 Installation and Upgrade Guide for details on the new APIs, helm charts and services.
The KeySafe 5 Installation and Upgrade Guide provides details of how to install, upgrade and use the platform. Read this document before installing the platform.
Features of nShield KeySafe 5 v1.6.1
The following sections in these release notes detail the specific key features of the 1.6.1 version of nShield KeySafe 5.
Monitoring and Alerting of nShield HSM estates
KeySafe 5 v1.6.1 provides new capabilities of monitoring HSMs enrolled to KeySafe 5. This feature provides real time metrics collection to be able to create custom alerting triggers for Security World environments with HSMs installed or enrolled, such as fan failure, max temperature levels, capacity throughput, memory usage, client licenses, and HSM/host states. Also provides historical graphs of the collected metric data.
KeySafe 5 v1.6.1 Estate Monitoring provides Open metrics format when accessing KeySafe 5 v1.6.1 rest API. Custom Alerting notifications can be sent out using email and using Webhooks.
KeySafe 5 v1.6.1 is the new way to monitor your HSM estate. It supports several features that were part of nShield Monitor, which has reached end-of-life.
Important information
Before deploying KeySafe 5 v1.6.1, consider the following points.
KeySafe 5 v1.6.1 Estate Monitoring License
To enable the new feature of Estate Monitoring a license needs to be applied. To be able to request a license, a unique identifier is required to associate the license with the installation instance. This unique identifier is created during system installation. For details on where to find it, see the Licence management section of the Estate management using the KeySafe 5 WebUI page in the KeySafe 5 User Guide. For further information about licenses and pricing information, please contact Entrust nShield Technical Support at nshield.support@entrust.com.
nShield KeySafe 5 Agent
nShield KeySafe 5 v1.6.1 requires that all agents are upgraded to v1.6.1. Differing versions between the central platform and agent is not supported.
Key Management Data Synchronization
KeySafe 5 takes ownership over certain kmdata synchronization (world, module certs, Card Sets and Softcards), and as such might conflict with existing methods.
Since KeySafe 5 v1.3 if a Card Set or Softcard is removed locally on an nShield Security World host machine, it will no longer be re-synced to that host machine by KeySafe 5.
If there is clock skew between hosts being managed by KeySafe 5 and the central platform then the behavior of the kmdata synchronization will be impacted. KeySafe 5 Host Management will highlight issues of clock skew in the health of a Host resource.
nShield Edge
KeySafe 5 can not change the mode of an nShield Edge HSM. For HSM pools that contain an nShield Edge, you must manually set the HSM mode when you are creating or loading security worlds. Loading worlds on an Edge should be done from the command line. For further details, see Known issues from earlier nShield KeySafe 5 releases.
Remote Administration Authorized Card List
In local management of nShield Security World software the use of nShield Remote Administration smart cards is controlled by an Authorized Card List located at %NFAST_KMDATA%\config\cardlist
.
In this release of KeySafe 5, no restrictions are enforced on which smart cards may be presented to HSMs via KeySafe 5, regardless of the contents of any existing cardlist files.
Upgrade information
Upgrading from v1.4 to v1.6.1 is supported. Please see the Upgrade section of the KeySafe 5 Installation and Upgrade Guide for more information.
Centralized platform compatibility
KeySafe 5 agent compatibility
Supported hardware
This release targets deployments with any combination of the following nShield HSMs:
-
nShield 5s (Base, Mid, High)
-
nShield Solo XC (Base, Mid, High)
-
nShield Solo PCI Express (500+, and 6000+)
-
nShield Connect (500+, 1500+, and 6000+)
-
nShield Connect XC (Base, Mid, High, Serial Console)
-
nShield Connect CLX (Base, Mid, High)
-
nShield 5c (Base, Mid, High)
-
nShield Edge
Supported operating systems
This release has been tested for compatibility with the following operating systems:
-
Microsoft Windows Server 2016 x64
-
Microsoft Windows Server 2019 x64
-
Microsoft Windows Server 2022 x64
-
Microsoft Windows Server 2022 Core x64
-
Microsoft Windows Server 2025
-
Microsoft Windows 10 x64
-
Microsoft Windows 11 x64
-
Red Hat Enterprise Linux 7 x64
-
Red Hat Enterprise Linux 8 x64
-
Red Hat Enterprise Linux 9 x64
-
SUSE Enterprise Linux 12 x64
-
SUSE Enterprise Linux 15 x64
-
Oracle Enterprise Linux 7 x64
-
Oracle Enterprise Linux 8 x64
-
Oracle Enterprise Linux 9 x64
For further details on supported hardware and platform combinations, refer to the nShield Security World software release notes.
Supported Security World versions
This release is compatible with the following nShield Security World software installations:
-
Security World v12.80
-
Security World v13.6 LTS
Firmware versions supported by the listed releases are also supported by KeySafe 5 v1.6.1. For further details on Security World and firmware support, refer to the nShield Security World software release notes.
Supported identity providers
This release has been tested against the following identity providers:
-
Entrust Identity as a Service v5.33
-
Microsoft Server 2019 AD FS
Other OIDC and OAuth 2.0 providers might be supported. |
Issues fixed in nShield KeySafe 5 v1.6.1
Reference | Description |
---|---|
NSE-62577 |
The KeySafe 5 UI incorrectly provides an option to disable static module features. |
NSE-62874 |
If an error occurs during a Min-VSN update the HSM mode is not reverted to its original value. |
NSE-64436 |
The KeySafe 5 UI can not browse directly to a certificate using the URL. |
Known issues in nShield KeySafe 5 v1.6.1
Reference | Description |
---|---|
NSE-72709 |
When adding Webhook alert methods to a Trigger via the search, an error may happen when trying to find a match if an existing Webhook is pasted in completely. Instead the value should be entered in manually and then the appropriate suggestion can be selected. |
NSE-72656 |
When trying to save an Agent configuration file, selecting certain cipher suites from the drop down list will result in an invalid agent. This is currently not configurable. |
NSE-72609 |
If a large clock skew event occurs and is corrected, UI visualizations can fail to render. They should reappear once the system has progressed farther than the incorrectly skewed time value. |
NSE-72525 |
The Object Count Alert Type uses the difference between two different OpenMetrics counters. The counters can independently wrap around when they overflow and if this happens, it can fire a false positive alert. When both counters have wrapped around, the difference calculation will be as expected and the false positive alert will be resolved. |
NSE-72181 |
The Transactions graph for HSMs and Hosts can display an anomalous spike. This can be caused by irregular data, perhaps from a resource reset. The graph will return to expected values when the irregular data is outside the scope of the request, either by refreshing the graph or changing the time interval. |
NSE-71687 |
The nShield Edge is not supported in KeySafe 5 for World loading or Upgrade management. |
NSE-71678 |
The loading of security worlds onto a large number of multiple HSMs can time out. If this happens, either go back to the previous page and try again or reduce the number of HSMs for each load request. |
NSE-71588 |
Notifications for resolved Alerts can get missed if a Trigger is edited at precisely the wrong time. This only affects the notifications of resolved and there are no issues with the firing of new Alerts. |
NSE-70413 |
When using 32 bit Firefox in alert configuration and Alert Type is selected all static text is highlighted as mouse is moved over the page. This does not effect the functionality of the page. |
NSE-69741 |
When many (tens of thousands of) files are added to the kmdata/local directory at once, a 'queue or buffer overflow' error may appear in KeySafe 5 agent logs. Restart the KeySafe 5 agent and if the problem persists, remove these files fromm kmdata/local and introduce files to the kmdata/local directory in smaller batches. |
Known issues from earlier nShield KeySafe 5 releases
These issues are still present in v1.6.1.
Reference | Description |
---|---|
NSE-37786 |
When creating/loading/unloading a Security World on an HSM Pool that contains an nShield Edge HSM, you must manually change the mode of the nShield Edge to Initialization before sending the request. You should also ensure the HTTP server write timeout in the keysafe5-backend Helm chart is configured to a value that exceeds the time expected to write/read a card on an nShield Edge. |
NSE-46785 |
On Windows machines, any kmdata file created by the nShield KeySafe 5 agent service (for example, a softcard created by KeySafe 5) will not automatically have file permissions to be modified by non-Administrator user accounts. This means when a local Windows user tries to do an action that wants to overwrite that kmdata file (such as locally changing a softcard passphrase) they will not have permission to rewrite the file in kmdata. The workaround is for an Administrator user to manually modify the permissions on the kmdata files created by keysafe5-agent to allow local users to modify them. |
NSE-51100 |
KeySafe 5 does not enforce the Remote Administration authorized card list. Further information can be found in the Release Notes. |
NSE-51114 |
When running the deploy.sh script with DOCKER_REGISTRY set, Docker images can not be pulled from an authenticated Docker registry. The workaround is to not set DOCKER_REGISTRY and the deploy script will spin up its own registry for use. |
NSE-52265 |
KeySafe 5 can not disable SEE Activation (Restricted) unless all hosts in the HSM Pool are healthy at the time of the disable action. The workaround is to manually remove the feature enablement certificate files from the host machine. |
NSE-56419 |
KeySafe 5 allows the creation of an SP800-56Ar3 Securirty World using v1.0 Java cards. Security World creation will complete, but the ACS will be unusable for future operations. Ensure use of v1.1 Java cards prior to creating a Security World with SP800-56Ar3 enabled. |
NSE-56722 |
The FPUI on an nShield 5c does not accurately reflect the HSM mode and the mode banner is not displayed when the HSM mode is changed via KeySafe 5. |
NSE-57196 |
Deletion of a Security World via KeySafe 5 will not persist in the case where a KeySafe 5 agent is enabled on an nShield 5c and that nShield 5c has had world kmdata files synced. The workaround is to ensure that the nShield 5c kmdata is deleted prior to removing from KeySafe 5. |
NSE-64712 |
As the number of secrets grows in the KeySafe 5 database, operations such as obtaining counts and distinct values can start to fail depending on the CPU & memory resource available to the database server and timeout value set on the connection. If this occurs the recommendation is to increase the resources available to the database server and increase the database.mongo.socketTimeout value in the backend helm chart. |
NSE-65357 |
When the user is configuring KCM on the KeySafe5 UI, on the token or key selection page, starting on the default 5 items per page and clicking the next button and changing the items per page to a different number causes number of key doesn’t not match to the same items per page. This can be reset by going back to the first page and setting you items back to default. |