nShield Security World v12.40.2 Release Notes

nShield Connect XC

36-XC1234 E¹ and

46-XC1234 E¹

36-XC1234 F and

46-XC1234 F

nShield Connect+

36-MC1234 C² and

46-MC1234 C²

36-MC1234 D and

46-MC1234 D

nShield Connect nShield Connect+

nethsm-nShield firmware/12.40.2cam1/nCx3N.nff

29

N

12.40.0, won’t be FIPS certified^{1 2 3}

nShield Connect XC

nethsm-firmware/12.40.2cam1/nCx3N.nff

29

N

3.3.33, won’t be FIPS certified^{1 2 3}

nShield Solo nShield Solo+

Monitor: firmware/2-60-1/ldb_ncx3p-26.nff

Firmware: firmware/12-4000/ncx3p-28.nff

28

N

12.40.0 Won’t be FIPS certified^{1 2}

nShield Edge

Monitor: firmware/2-50-16/ldb_ncx1z-24.nff

Firmware: firmware/2-652/ncx1z-26.nff

26

Y

2.65.2 Won’t be FIPS certified¹

nShield Solo XC

firmware/3.3.33/ncx5e-36.nff

36

Y

3.3.33 Won’t be FIPS certified¹

nShield Connect nShield Connect+

nethsm-firmware/12.40.2cam1-fips/nCx3N.nff

29

N

2.61.2, FIPS certified

nShield Connect XC

nethsm-firmware/12.40.2cam1fips/nCx3N.nff

29

N

3.4.1, FIPS certified

nShield Solo nShield Solo+

Monitor: firmware/2-60-1/ldb_ncx3p-26.nff

26

Y

-

Firmware: firmware/2-61-2/ncx3p26.nff

2.61.2, FIPS certified

nShield Edge

Monitor: firmware/2-50-16/ldb_ncx1z24.nff

26

Y

-

Firmware: firmware/2-61-1/ncx1z26.nff

2.61.1, FIPS certified

nShield Solo XC

firmware/3.4.1/ncx5e-36.nff

36

Y

3.4.1, FIPS certified

Microsoft Windows Server 2016 Nano x64

Y

Y

Y

N

Microsoft Windows Server 2016 x64

Y

Y

Y

Y

Microsoft Windows Server 2012 R2 x64

Y

Y

Y

Y

Microsoft Windows Server 2008 R2 x64

Y

Y

Y

Y

Microsoft Windows 7 x64

Y

Y

Y

Y

Microsoft Windows 10 x64

Y

Y

Y

Y

Red Hat Enterprise Linux AS/ES 6 x86, x64

Y

Y(x64)

Y

Y

Red Hat Enterprise Linux AS/ES 7 x64

Y

Y

Y

Y

SUSE Enterprise Linux 11 x64 SP2

Y

Y

Y

Y

SUSE Enterprise Linux 12 x64

Y

Y

Y

Y

Oracle Enterprise Linux 6.8 x64

Y

Y

Y

Y

Oracle Enterprise Linux 7.1 x64

Y

Y

Y

Y

Linux AS/ES 5 x64 (libc6.5)

N

N

Y

N

Oracle Solaris 11 (SPARC)

Y

Y

Y

N

Oracle Solaris 11 (x64)

Y

Y

Y

N

IBM AIX 7.1 (Power 8)

N

N

Y

N

IBM AIX 7.1 (Power 6)

Y

N

Y

N

HPUX 11iv3

Y

N

Y

N

1

Triple-DES CBC/ECB 2 keys generation

(Triple-DES CBC/ECB 3 key generation is still allowed)

Decryption of ciphertext encrypted with legacy Triple-DES CBC/ECB 2 keys continues to be supported

2

RSA 1024 bit key pairs

(Keys must be ⇒ 2048 bits)

Verification of <2048 bit legacy signings continues to be supported. ¹

3

DSA 1024 bit key pairs

(Keys must be ⇒ 2048 bits)

Verification of <2048 bit legacy signings continues to be supported. ¹

4

ECDSA P-192, K-163, B-163

(Keys must be ⇒ 224 bits)

Verification of <224 bit legacy signings continues to be supported. ¹

5

DH 1024 bit key pairs

(Keys must be ⇒ 2048 bits)

Verification of <2048 bit legacy signings continues to be supported. ¹

6

ECDH P-192, K-163, B-163

(Keys must be ⇒ 224 bits)

Verification of <224 bit legacy signings continues to be supported. ¹

NSE-11352

Solo XC performance issue on Linux OS platforms affecting symmetric and asymmetric performance has been fixed in v12.40.2 that had regressed in v12.40.0 and v12.40.1

NSE-9584

Removing a physical card from the slot could cause PKCS#11 applications to crash. This has been corrected.

NSE-9437

When retrieving information via SNMP about KeyGeneratingESN from the KeyAdminTable the system would erroneously return 'No Data Available'.

This has now been corrected so that the correct information is returned.

NSE-9428

In v12.30 temporary keys created during PKCS#11 key generation were not deleted from the module, potentially causing the module to run out of memory. This has been corrected.

NSE-9314

The conversion of the HP-UX PCI driver to be a dynamically loaded driver in v12.30 introduced an issue whereby the driver installation would fail if that HP-UX system had never had the static PCI driver installed. This issue has been resolved.

NSE-9289

Key generation was not thread-safe when the CKNFAST_ASSUME_SINGLE_PROCESS environment variable was explicitly set to 0 (or N).

The code intended to find keys generated by other processes could find a key created by another thread in the same process, before it had been properly recorded in the process’s internal records. This would confuse the records and result in some keys not being found. This problem has been corrected by expanding the scope of the lock used to protect the internal structures when CKNFAST_ASSUME_SINGLE_PROCESS is set to 0.

NSE-9276

In Security Wold v12.30 the behaviour of the CKNFAST_ASSUME_SINGLE_PROCESS variable changed, such that setting it to "off" would have no effect.

This change has been reverted.

NSE-9205

Under rare circumstances an uninitialised nCore M_Reply structure could be freed, sometimes causing a crash. Every reply structure is now initialised when the command is submitted.

NSE-8854

When the PKCS#11 mechanism CKM_WRAP_RSA_CRT_COMPONENTS was used with an

underlying block cipher mode with a block size greater than 64 bits, and also included padding, the mechanism would fail.

This has now been corrected.

NSE-8824

The implementation of the AESKeyUnwrap mechanism would fail with an error if the target keytype was a wrapped keytype.

This has been corrected so that the mechanism will now succeed.

NSE-8702

If a key is generated in POOL HSM mode then nfkmverify tool fails with the error message "unlimited make recovery blob permission". This error is related to nfkmverify tool and the key usage is not impaired.

NSE-8656

When the nShield SNMP agent was uninstalled from a Windows system the service entry was not removed leaving behind a false entry. This has been corrected so that the service entry is now removed when the SNMP agent is uninstalled.

NSE-8428

With autopush configured, enabling 'UI Lockout with OCS' from the Connect front panel did not update the config on the RFS. The lockout_mode in the RFS config file is now updated correctly.

NSE-7993

Our JCE provider always used the first module for key generation and loading public keys. This has been changed to the first usable module - if the first module becomes unavailable another will be used.

In the case of key generation this could potentially affect the OCS used to protect the key. If OCS protection is desired, customers are advised to only use cards from a single OCS in the modules used by JCE.

NSE-7748

Fixed a deadlock that could occur when multiple threads called getinfo or makeacl from nfpython concurrently.

NSE-7462

On a Windows system when retrieving information via SNMP the system.sysDesc value was not being set correctly and would return a value of 'unknown'. This has been corrected so that the correct information is now returned.

NSE-7454

Our JCE provider would only load public keys on the first available module, so that the use of public keys did not benefit from load sharing. Public keys are now loaded on all available modules.

The kmjava interface adds support for loading a public key on a list of modules, and for merging public keys.

NSE-6800

Installation of Remote Administration Client Tools on Asian versions of Microsoft Windows OS will now complete without error.

NSE-4032

Fixed a bug in the NFKM library which could cause a use limit to be omitted if random number generation failed but world or key creation otherwise succeeded.

NSE-3312

This Remote Administration on the Microsoft Windows Security World ISO now supports the Microsoft Server 2012R2 Operating System. The operating system needs to be restarted after installation.

NSE-3132

When generating a DSA Domain, the PKCS#11 library would erroneously set the pairwise check flag on the nCore command. This flag is no longer set when creating any Domains or Secret Keys. The flag is still set for asymmetric keypair generation.

NSE-2966

The Hardserver previously ran without reporting an error when nt_pipe_users or nt_privpipe_users config entries for restricting client connections contained unsupported syntax, such as a Domain-qualified user or group. The Hardserver service will now refuse to start if there are errors in the config file in order to fail-safe. User and group connection restrictions are supported only unqualified (e.g. to restrict privileged Hardserver connections to a user "alice" who is a domain user, on a machine that is a member of that domain, simply specify the unqualified user name "alice" in the config file for nt_privpipe_users).

NSE-2386

Authentication of the operator card didn’t indicate when the card might have come from another Security World.

This indication has now been added.

NSE-2355

oslpy was missing from the AIX distribution, causing the CodeSafe example "mk-preparsedcert.py" to fail. oslpy is now included.

NSE-1837

The nfdiag diagnostic tool’s log file has been renamed to avoid false-positives from e-mail virus scanners.

NSE-1718

Improved the logging of certain error cases in the Windows PCI driver.

NSE-1613 Modified the CNG Wizard application not to set "Prompt always" flag when user selected "Module protection" for OCS.

They were able to set at the same time, which was causing some tricky behaviour on our CNG provider.

NSE-1470

Addressed issues that prevented the "csee" example programs from building.

NSE-1410

Fixed CNG provider to select module or card set protection when it need to raise popup, respecting the result that user already decided on CNG wizard.

NSE-298

The Windows USB driver for the nShield Edge has been updated from 2.02.04 to version 2.12.24.

NSE-79

If a PKCS#11 session was incorrectly used by two or more threads at the same time a deadlock could occur. The lock handling has been revised to avoid deadlock, but this is still an application error and should be avoided.

NSE-11352

Connect XC performance issue affecting symmetric and asymmetric performance has been fixed in v12.40.2 that had regressed in v12.40.0 and v12.40.1

NSE-8632

If Remote Operator was used via the nShield Connect front panel to import a slot, an error was generated if an attempt was made to subsequently delete the slot. The slot can now be deleted successfully under these circumstances.

NSE-6952

In the v12.10 nShield Connect firmware image, the appliance’s secondary network interface is disabled by default; the installer does not check if the interface was enabled, it gets disabled regardless.

This is now fixed. If the nethsm_eth1_enable section is missing in the config and the eth1 interface has an IP address configured, the eth1 interface is enabled by default. Newer Connect images would be unaffected by this change as they would have the nethsm_eth1_enable section which would be by default switched off.

NSE-4563

If an nShield Connect has an exported slot configured, when attempting to remove this slot you are able to cancel out of the process before committing. Fixed an issue where cancelling caused an error message to be displayed.

NSE-3940

When retrieving information via SNMP from a system that had multiple nShield Connects, in which one of them was unresponsive, the system might fail to populate many of the netHSM SNMP values for Connects that could be contacted. This has been corrected so that information is now correctly returned from those Connects that are responding.

NSE-11177

Fixed an issue which prevented Connect client licences from being installed on the nShield Connect. The installation would fail with UnknownMechanism.

_Note: this issue affected v12.40.0 only and not previous releases. _

NSE-11352

XC performance issue has been fixed in 12.40.2 that had regressed in 12.40.0 and 12.40.1

NGSOL-2844

Connect XC units can enter a failure state with “HSM Failed” displayed on the front panel. The Connect XC fully recovers when power cycled.

NSE-11314

CodeSafe: Mismatched XC CodeSafe headers cause nCore commands to fail in SEE machines. Affects nShield Solo XC and Connect XC and versions v12.40.0 and 12.40.1

NGSOL-2743

RTC value is now persistent after powercycle

NGSOL-2655

The security world information is now cleared when the firmware is upgraded.

NGSOL-2736

Throttled key derivation operations according to product performance variant activation.

NGSOL-2763

CodeSafe example see-enquiry has "Version not understood" errors

NGSOL-2757

SNMP trap generation failing when close to max module memory usage

NGSOL-2751

KML updates for compliance with FIPS186-4

NGSOL-2149

CodeSafe: BufferFull error for messages from SEEMachine to firmware that are close to the max valid length of 256K

NGSOL-2487

CodeSafe: corrected failure to delete file from NVRAM

NGSOL-2723

CodeSafe: updated prebuilt NVRAM user data example sar file

NSE8427/NGSOL2690

Command Generate Random may result in SOS HRM

NGSOL-2564

The library libnfhwcrhk.a for CodeSafe applications was not built correctly due to incorrect endianness. This impacted OpenSSL CHIL functionality.

NGSOL-2721

Reconciled different SOS code reported by the status LED (SOS-HS), and enquiry’s ‘hardware status’ field (SOS-HRS). LED needs to be corrected to report HRS.

NGSOL-2771

Do not apply Solo XC configuration flags when a software update has failed.

NGSOL-2799

Resolve Solo XC detection issues with Fujitsu M10-1 Solaris Sparc server

NGSOL-2792

CodeSafe: corrected timeout for the select() calls. Now it times out as per the timeout value specified in the select() parameters.

NGSOL-2789

Updated key derivation throttling coefficients to consider latest Solo XC performance. Improvement to NGSOL-2736.

NGSOL-2770

Patches for eglibc vulnerabilities CVE-2015-8982 & CVE-2015-8983

NGSOL-2762

Addition of the EMV feature in Solo XC for SafeSign.

NGSOL-2758

Patch for integer overflow vulnerability in Shadow package - CVE-2016-6252

NGSOL-2759

Added AIS-31 to Solo XC

NGSOL-2797

Fixed SOS-HRS seen while running test_interactive.py

NSE-6195

Attempting to install a warrant on a SoloXC in pre-maintenance mode returns with an incorrect error.

The workaround is to install the warrant while the module is in operational mode.

NGSOL-2606

The csddoc directory with HTML documentation for the nCore/NFKM APIs inside the module is not installed along with the CodeSafe Developer Toolkit.

The directory can be found in the document directory on the installation media. If desired, the user may copy the directory to the document directory under the software installation point, and be prepared to manually remove it upon uninstallation of the CodeSafe Developer Toolkit.

NSE-9230

The installer on Windows often gives a prompt to find setup.exe during installation. Click ‘OK’ at the prompt to accept the default location and installation completes successfully.

NSE-12118

A regression in v12.40.2 results in nTokens with part number NC2021E-000, identifiable as those without a blue nCipher heatsink, not being detected automatically by the hardserver.

Prior to v12.40.2 nTokens would appear automatically in the hardserver’s enquiry output.

As a work-around, set serial_dtpp_devices=COM7 (or whatever COM port) in the hardserver server_startup section. Note some trial and error may be required as the nToken actually uses two COM ports, and only one is provided to the hardserver. If the wrong port is specified, it will appear as Failed in enquiry.

NGSOL-2494

Remote mode change does not work from a virtual machine that imports the nShield Solo XC board. Remote mode change should be done on the VM that directly communicates with nShield Solo XC board.

NGSOL-2551

Interrupting the “new-world –program” command may require the nShield Solo XC board to be power cycled.

NGSOL-2744

If a Solo XC is powered up and the power supply is then removed within 20 seconds the unit may enter a state where the internal back-up battery is being discharged at a higher rate than normal.

Similarly, if a Connect XC is powered up and the mains supply is then removed (via the rear rocker switches or removing both mains cables) within 20 seconds the unit may enter a state where the internal back-up battery is being discharged at a higher rate than normal.

If left in this condition for an extended period, the Solo XC /Connect XC will enter a failed state, indicated by an SOS-B morse error code on the status LED. To avoid this occurrence, should a Solo XC or Connect XC be turned off under such conditions, power should be reapplied as soon as possible and the unit left powered until it has successfully booted into an operational mode.

Note that some electrical safety tests such as leakage current testing may create these conditions, so it is recommended that the unit is booted into an operational mode after any safety testing, as described above.

Note: This will not affect Connect XC units with serial number 36-XC0384 and above and Solo XC units with serial number 36-X00527 and above. This issue will be fixed for any units within the affected range in a forthcoming release.

NSE-10137

When upgrading the Solo XC firmware if there is a security processor update

then the VM host needs to be rebooted. It is not sufficient to just reboot the VM.

NSE-11669

Solo XC/ Connect XC enquiry output reports incorrect HSM product code. Presently reports: product name nC3025E/nC4035E/nC4035N. Should be product name nC3025E/nC4035E/nC4335N as stated in the FIPS certificates.

NSE-7618

When an SEE (restricted) feature certificate is applied at the front panel of the Connect, it will apply successfully, but will not be reported when running the feature enable tool fet on a client of the Connect.

NSE-10779

It is not possible to downgrade a v12.40.x non-FIPS nShield Connect+ image file (containing non-FIPS firmware) to an image file containing FIPS certified firmware, despite the upgrade appearing successful. The nShield Connect image file Version Security Number (VSN) is the same for both FIPS and nonFIPS - VSN36) enabling a downgrade. However v12.40.x non-FIPS firmware (VSN 29) is higher than the 12.40.x FIPS firmware (VSN 28) and this prevents a successful downgrade to the FIPS firmware. There is presently no work around for this issue.

This does not affect upgrades to v12.40.x from v12.30 or earlier Connect+ images. This issue does not affect nShield Connect XC units.

NSE-5662

nShield Connect can occasional get stuck in POST when powering on, performing a reboot or initiating a front panel/remote upgrade. Work around is to power off/power on nShield Connect using the PSU rocker switches. Note a remote reboot using the netHSMadmin utility will not resolve this issue.

NSE-11886

CNG Wizard does not allow the creation of a Security World when a nToken is present, as this requires the operator to put all the modules into "Initialisation Mode".

NSE-11885

Hardserver ignores settings for nt_pipe_users if Java ports are open

NSE-11911

Solo and Solo+ behave differently to the SoloXC when restarting the hardserver in premaintenance mode. When clearing the modules while in pre-maintenance using \{\{nopclearfail c -m1}} they all (Solo, Solo+ and SoloXC) return to operational mode.

NSE-8463

When enrolling an nShield Connect into a security world or creating a new security world you must ensure that the world and module files are propagated to client machines and afterwards ensure that hsc_configurepoolmodule -mN is run on each machine enrolled as a client where N is the newly enrolled module number.

NSE-7575

The user won’t see the max exported modules being updated when running enquiry after remotely enabling the client licences dynamic feature due to the enquiry cache not being cleared for imported modules. User should restart the client-side hardserver to work around this issue.

NSE-7456

The nShield PKCS#11 client library can only read FIPS Authorization from operator cards, not from Administrator Cards. When used with a Strict FIPS 140-2 Level 3 compliant Security World, an Operator Card Set must be created for the PKCS#11 to be able to present FIPS Authorization to the module(s).

NSE-7025

The nShield Remote Administration Client is not supported on SLES 11.

NSE-6391

On Solaris systems, the system path /usr/sbin must be in the PATH environment variable when executing /opt/nfast/sbin/install and /opt/nfast/sbin/init.d-ncipher. Suggested usage: PATH=/usr/bin:/usr/sbin /opt/nfast/sbin/install

NSE-6610

Security World applications which write to log files lock the log files when writing log messages. This includes the hardserver when writing to /opt/nfast/log/hardserver.log. If another application, such as a backup application, holds a lock on the log file for an extended period, the Security World application will be blocked for that time. It is recommended that either log files should not be locked whilst applications are running, or that they be locked only briefly whilst copying the file.

NSE-3827

The pathname of Codesafe executable files should only contain ASCII characters. If non-ASCII characters are included in the pathname StatusMalformed will be returned when a connection is made through the Generic Stub.

NSE-2115

Log files produced by the Security World software on 32-bit Linux systems are limited to 2 GB. This includes the hardserver log in /opt/nfast/log/hardserver.log. Applications, such as the hardserver, will not start if their log files exceed this size. The user should delete log files periodically (backing up first if required) to avoid this problem. This issues does not affect 64-bit Linux systems.

NSE-4099

Windows Platforms Only

If nShield logging is enabled, the file specified by NFLOG_FILE must be writable by the user running the 'nShield Service Agent' or the agent will not be able to process dialogs from a CNG service in Session 0.

NSE-4094

Windows Platforms Only

Having run the CNG installation wizard or cngregister, it is necessary to log off and log in to start the nShield Service Agent. The Agent can be started explicitly by executing either nShieldServiceagent.exe or nShieldServiceAgent64.exe from the %NFAST_HOME%\bin folder.

MEI-4046

nShield Solo is not supported in AIX Power8 hardware Architecture

NSE-2671

Codesafe SEELib "nvram" example SEE machine crashes on startup.

NSE-1361

Microsoft Windows: Set path before running "HTTPSD with client authentication" example

Under Microsoft Windows ensure that %NFAST_HOME%\bin has been added to the system PATH environment variable before running the CodeSafe example "HTTPSD with client authentication"

NSE-2899

CNG Wizard says "There was an error reading the card" when it means "card not in Authorized Card List".

MEI-4304

nfwarrant claims the module is in pre-initialization mode if the module is uninitialized. Switch to Initialization mode and run initunit, then put the module back in Operational mode, before running nfwarrant.

MEI-4249

The Remote Administration Service does not abort associations when a dynamic slot is unavailable due to CrossModule#NetworkError. Break and remake the association from the Remote Administration Client.

MEI-4463

Applications that call NFKM_checkconsistency display "nfkmcheck: warning: World kmdata entry E0x199=E409 unexpected"

MEI-4386

The [slot_imports] and [slot_exports] sections of the hardserver config file is misleading in stating "This cannot be configured alongside dynamic slots." The restriction is dynamic slots cannot be exported hence cannot be imported.

MEI-4306

Connect UI login using OCS displays UnlistedCard for Remote Administration smart cards if card is already inserted. Removing and reinserting the card is required.

MEI-3934

Running enquiry on an nShield Edge results in hardware status being reported as "unsupported driver." This is normal behaviour; SOS error reporting is not available on an nShield Edge.

NSE-2857

Failed to start nFast service error message seen occasionally after installing on Windows. If services are running error can be ignored.

MEI-4569

Display World Info on nShield Connect front panel may show a valid Remote Administration smart card as 'Unidentified'. Use slotinfo to confirm smart card is valid.

MEI-2149 /NSE-3426

nShield Connect front panel UI appears to run slow after a Connect image upgrade. The workaround is to reboot the Connect after the upgrade after which the front panel will behave correctly.

MEI-4587

If the environment variables NFAST_SERVER_PORT and NFAST_SERVER_PRIVPORT are set to non-standard values, e.g. 9100 and 9101 respectively then the Remote Administration Service will not start.

MEI-4559

‘nethsmadmin –-reboot’ option does not time out or return when a module has been marked as failed. You should check your Windows event viewer to check for time outs and then terminate the ‘nethsmadmin’ application.

MEI-4572

Generatekey ignores slot choices and will use an OCS in any available slot of the chosen module.

MEI-4586

The nShield Connect can sometimes hang on start up after performing a tamper. Please contact Support for further information on this issue.

15318

It is not possible to recover PKCS #11 keys using the nShield Connect or netHSM unit’s front panel. You must use the rocs client-side utility to do this.

MEI-3265

When upgrading from any previous installation the hardserver configuration file will not be populated with the new remote administration sections, resulting in default behaviours. A new default configuration file can be made by running "cfg-mkdefault -r", remember to back up your existing configuration file before running this operation.

MEI-4418

When creating a Security World on a Windows client host, the new-world utility can fail with TokenMessageError until the module is cleared. If this happens, clear the module (using nopclearfail -c, the clear button on the Edge or the Solo Board, or the menu command on the Connect) before re-attempting to create a Security World.

NSE-11849

Hardware error reporting and MOI changes do not work in HPUX

MEI-3390

When using Ubuntu 12.04 and later then the jpeg compatibility library package libjpeg62 must be installed for the Remote Administration Client.

NSE-2861

Multiple Remote Administration GUI clients on a PC can use the same card reader to connect to multiple dynamic slots, causing one or both to work incorrectly, eg reporting UnknownCard. Avoid doing this.

MEI-2801 MEI-2805

You are recommended to not use more than four TVDs or standard card readers on a single Remote Administration Client system as it can run out of resources if an excessive number of card readers are used.

NSE-2853

RHEL 7 Smart Card Manager can cause Unknown Card due to Sharing Violation; the smart card manager needs to be turned off to prevent the sharing violation.

MEI-2481

RSA token card services prevent the Remote Administration Client from working on Microsoft

Windows OS (e.g. RAC hangs displaying "reading…"); these need to be disabled in the

Windows Task Manager services table to allow Remote Administration smart cards to work with both the TVD and other smart card readers.

MEI-4480

On rare occasions, leaving a Remote Administration smart card in a dynamic slot for a prolonged period can result in SecureChannelFailed.

MEI-4412

Using the Remote Administration Client on the same machine as Microsoft ADCS may result in the smart card service crashing, causing the RAC to fail.

NSE-2860

Switching to Maintenance mode while an Association with a dynamic slot exists causes an UnknownCommand error

MEI-3940

Remote Administration Support Client Tools Setup can pause for up to 2 minutes with no feedback to user (Windows)

MEI-4029

Running racgui on SUSE 12 shows GTK assertions from wxpy

MEI-4401 MEI-3383

Any previous nShield Security World Software must be uninstalled before installing the Remote Administration Client software. If you want the Remote Administration Client software installed alongside your Security World Software it is available (and installed by default) via the Security World Software installer.

NSE-6939

On OS-X the Tab key does not navigate between controls on the wizard pages and the Return key does not perform the default action. All operations can be accomplished with either a mouse or touchpad.

NSE-7088

Installing the RAC on OS X for the current user will not recognize the TVD. This is due to the TVD driver not being installed in this scenario. It is necessary to install separately the TVD driver for all users to allow the TVD to be recognized.

MEI-4557

Occasionally TokenSecureChannelError reported when creating/loading a security world using a Remote Administration smart card. Remove and re-insert the card.