Release Notes

NSE-70413

When using 32-bit Firefox in alert configuration and Alert Type is selected, static text is no longer highlighted as the mouse is moved over the page.

NSE-72656

When selecting cipher suites from the drop down list in the Agent configuration page no longer results in an invalid agent.

NSE-73506

Prometheus and alert manager can now be deployed using local registries as well as external registries

NSE-73951

KeySafe 5 Windows installers no longer show as a random filename during the User Account Control pop-up; this now shows the standard MSI installer name

NSE-74101

KeySafe 5 Agent install on Linux now creates the required folder structure and files for you, providing the necessary certificate request to get the Agent certificate setup.

NSE-73087

When managing Tenant system logs on 5c 10g you are unable to use a separate network profile.

NSE-75788

When generating a FIPS-140-level3 security world through KeySafe 5 and then loading this world on a 13.6.x client the Security World will not be usable. To overcome this issue, edit the world to disable StrictKeyAgreement SP800-56Ar3 flag. In the KeySafe 5 UI.

1. World → Actions → Update World

2. Toggle "Require the enabling of SP800-56Ar3 restrictions" to disabled in the world settings in the world file

3. Authorize the operation by presenting the admin card.

At this point, the world will start working on the 13.6.x host side as the world kmdata file has been updated on the host. A second step is required to re-load the security world enabling SP800-56Ar3 restrictions. This will re-enable SP800-56Ar3 at world loading time to be fully FIPS-140-level3 compliant in a 13.6.x client setup.

4. Unauthorize the Security World from the pool so that it can be re-loaded.

5. Authorize the world into the pool and make sure to toggle "SP800-56Ar3 Compliance" to ON for the modules being loaded in the world.

For further information, please contact Entrust support. See also https://nshielddocs.entrust.com/security-world-docs/secworld-admin/security-worlds.html#_nist_sp800_56ar3

NSE-76520

There is an issue where module fan metrics are not available for Solo+ devices. This also means that fan speed visuals are not available in the UI for Solo+ devices.

NSE-76521

There is an issue where module temperature metrics are not available for Solo+ devices. This also means that current temperature percentage visuals are not available in the UI for Solo+ devices.

NSE-76177

When configuring the 5c 10g through Keysafe 5, it is not possible to use TCP ports with syslog. Use UDP for syslog output instead.

NSE-77444

When allocating a Security World to another pool, clicking CONFIRM executes the operation but does not update the page beyond displaying "Operation successful" at the top. Navigate to another top menu item, then return to confirm that the Security World is now in the new pool.

NSE-77082

Revealing metadata on EC and KCDSA keys requires the corresponding feature to be enabled on all HSMs in the Pool.

NSE-77215

When reporting HSM information on SoloXC and 5s, remaining client licenses are shown. Solo XC and 5s do not have client licenses so this should be ignored.

NSE-77334

The Agent can stop sending kmdata updates after a recent Security World deallocation operation. This issue occurs occasionally and can be resolved by restarting the Agent.

NSE-37786

When creating/loading/unloading a Security World on an HSM Pool that contains an nShield Edge HSM, you must manually change the mode of the nShield Edge to Initialization before sending the request.

You should also ensure the HTTP server write timeout in the keysafe5-backend Helm chart is configured to a value that exceeds the time expected to write/read a card on an nShield Edge.

NSE-46785

On Windows machines, any kmdata file created by the nShield KeySafe 5 agent service (for example, a softcard created by KeySafe 5) will not automatically have file permissions to be modified by non-Administrator user accounts.

This means when a local Windows user tries to do an action that wants to overwrite that kmdata file (such as locally changing a softcard passphrase) they will not have permission to rewrite the file in kmdata.

The workaround is for an Administrator user to manually modify the permissions on the kmdata files created by keysafe5-agent to allow local users to modify them.

NSE-51100

KeySafe 5 does not enforce the Remote Administration authorized card list.

Further information can be found in the Release Notes.

NSE-51114

When running the deploy.sh script with DOCKER_REGISTRY set, Docker images can not be pulled from an authenticated Docker registry.

The workaround is to not set DOCKER_REGISTRY and the deploy script will spin up its own registry for use.

NSE-52265

KeySafe 5 can not disable SEE Activation (Restricted) unless all hosts in the HSM Pool are healthy at the time of the disable action.

The workaround is to manually remove the feature enablement certificate files from the host machine.

NSE-56419

KeySafe 5 allows the creation of an SP800-56Ar3 Securirty World using v1.0 Java cards.

Security World creation will complete, but the ACS will be unusable for future operations. Ensure use of v1.1 Java cards prior to creating a Security World with SP800-56Ar3 enabled.

NSE-56722

The FPUI on an nShield 5c does not accurately reflect the HSM mode and the mode banner is not displayed when the HSM mode is changed via KeySafe 5.

NSE-57196

Deletion of a Security World via KeySafe 5 will not persist in the case where a KeySafe 5 agent is enabled on an nShield 5c and that nShield 5c has had world kmdata files synced.

The workaround is to ensure that the nShield 5c kmdata is deleted prior to removing from KeySafe 5.

NSE-64712

As the number of secrets grows in the KeySafe 5 database, operations such as obtaining counts and distinct values can start to fail depending on the CPU & memory resource available to the database server and timeout value set on the connection.

If this occurs the recommendation is to increase the resources available to the database server and increase the database.mongo.socketTimeout value in the backend helm chart.

NSE-69741

When many (tens of thousands of) files are added to the kmdata/local directory at once, a 'queue or buffer overflow' error may appear in KeySafe 5 agent logs. Restart the KeySafe 5 agent and if the problem persists, remove these files from kmdata/local and introduce files to the kmdata/local directory in smaller batches.

NSE-69761

Occasionally Security World operations may fail partway through the authorization process; if this happens, please try again.

NSE-70502

Upgrading firmware on multiple HSMs at the same time can occasionally cause an 'error storing upgrade image'. If this occurs, please try again once other firmware upgrades have finished.

NSE-71678

The loading of security worlds onto a large number of HSMs can time out. If this happens, either go back to the previous page and try again or reduce the number of HSMs for each load request.

NSE-73268

A 500 error can occur when downloading the Agent logs, if this happens, please try again.

NSE-73274

A 500 error can occur when downloading the System logs, if this happens, please try again.

NSE-73318

Duplicate slots can be added to an HSM’s 'Slot Export' section.