nShield Security World v13.9.0 Release Notes

Introduction

These release notes apply to the release of version 13.9.0 of Security World for the nShield family of Hardware Security Modules (HSMs).

These release notes contain information specific to this release such as new features, defect fixes, and known issues. They may be updated with issues that have become known after this release has been made available. For the latest version, see https://nshieldsupport.entrust.com/hc/en-us/sections/360001115837-Release-Notes. Access to the Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

We continuously improve the user documents and update them after the general availability (GA) release. Changes in the document set are recorded in these release notes and are published at https://nshielddocs.entrust.com.

Updated nShield Software Release Policy

Entrust has recently introduced an update to the nShield Software release policy to better define the type of release and the associated update and support policy. As part of this, the concept of Long Term Support (LTS) and Standard Term Support (STS) software releases has been introduced, with each software release being either an LTS or an STS release.

For more information on the software release policy, see the nShield Security World Release Information. Alternatively contact https://nshieldsupport.entrust.com for more information.

Purpose of Security World v13.9

Security World version v13.9 introduces new features and enhancements as described in Features of Security World v13.9. It also corrects a number of defects that have been identified in earlier releases.

Security World 13.9.0 is a Standard-Term Supported (STS) release. This release is designed to give early access to new nShield features and has a shorter support period.
For long-term support (LTS), frequent stability updates and certified firmware, it is recommended to use the v13.6 Long-Term Support release. See the nShield Security World Release Information for details of the supported versions and the STS & LTS policy.

This release contains updates to the following products:

  • Updated firmware for nShield 5s and Solo XC

  • Updated Connect images for nShield 5c and Connect XC

  • Updated Linux and Windows Security World and Codesafe ISOs

Versions of these Release Notes

| Revision | Date | Description |
|---|---|---|
| 1.1 | 2025-08-28 | Clarification added to Unset module RTC upgrade issue on Connect 5c units on v13.9 images |
| 1.0 | 2025-08-22 | Release notes for the release of v13.9.0, Security World v13.9 STS Release 1. |

Product versions

Security World software versions

| Version | Date | Description |
|---|---|---|
| v13.9.0 | 2025-08-22 | Full Release of the 13.9.0 Linux and Windows ISOs. |

CodeSafe Developer software versions

| Version | Date | Description |
|---|---|---|
| v13.9.0 | 2025-08-22 | Full Release of the 13.9.0 Codesafe Linux and Windows ISOs. |

Firmware and Connect ISO versions

| Version | Date | Description |
|---|---|---|
| v13.9.0 | 2025-08-22 | Full Release of the 13.9.0 FW ISO including the updated 13.9 Connect images and 13.8 firmware. |

nShield Firmware versions

| Version | Date | Description |
|---|---|---|
| v13.8.0 | 2025-08-22 | Full Release of 13.9 Firmware for nShield 5s and nShield Solo XC HSMs containing the latest features and fixes. |

Connect image versions

| Version | Date | Description |
|---|---|---|
| v13.9.0 | 2025-08-22 | Full Release of 13.9 images for nShield 5c and nShield Connect XC HSMs containing the latest features and fixes. |

Features of Security World v13.9

New v13.9.0 Connect Images

Refer to Connect images for more information on the new v13.9.0 Connect images.

Refer to Known and fixed issues for more information on fixed issues in the new v13.9.0 Connect images.

Unset module RTC upgrade issue on Connect 5c units

v13.9 images are unaffected by this issue as it is no longer possible to upgrade to a v13.9 image with an unset RTC. An appropriate error will be displayed if the RTC is unset during the upgrade process and the nShield 5c RTC will need to be set to continue with the upgrade.

Connect 5c only: Due to NSE-69020, if the nShield 5c unit RTC is not set, the upgrade will fail.

The following nShield 5c images are impacted by NSE-69020:

| Release | nShield 5c Version |
|---|---|
| Security World v13.6.3 LTS Release | v13.6.1 |
| Security World v13.6.5 LTS Update 1 | v13.6.4 |
| Security World v13.6.8 LTS Update 2 | v13.6.7 |
| Security World v13.7.3 STS Release 1 | v13.7.1 |

To determine if your nShield 5c unit has the RTC set correctly, execute the ncdate command against the target nShield 5c unit.

An nShield 5c with the correct RTC date and time set should display a variation of the following:

# ncdate -m1
Local time is 07:03:54.943 2025.03.12

An nShield 5c with an incorrect RTC date and time set will display a variation of the following:

# ncdate -m1
Local time is 07:03:54.943 1970.03.12

Please contact nshield.support@entrust.com if the RTC for your nShield 5c unit is incorrectly set for more assistance.
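
The following pre-upgrade check is an added example, not part of the Entrust release notes or tooling. It parses ncdate output in the format shown above and flags modules whose RTC looks unset; it goes beyond the page's case by also flagging drift against a reference clock. The cutoff year, the drift tolerance and the sample outputs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Format as shown in the ncdate examples above:
#   Local time is HH:MM:SS.mmm YYYY.MM.DD
NCDATE_RE = re.compile(
    r"Local time is (\d{2}):(\d{2}):(\d{2})\.(\d{3}) (\d{4})\.(\d{2})\.(\d{2})"
)

# Assumption: any year before this cutoff means the RTC was never set
# (the failing example on the page shows 1970).
EARLIEST_PLAUSIBLE_YEAR = 2020


def parse_ncdate(output):
    """Return the module time reported by ncdate as a naive datetime, or None."""
    match = NCDATE_RE.search(output)
    if match is None:
        return None
    hh, mm, ss, ms, year, month, day = (int(g) for g in match.groups())
    try:
        return datetime(year, month, day, hh, mm, ss, ms * 1000)
    except ValueError:  # out-of-range field, e.g. hour 25 in corrupted output
        return None


def rtc_status(output, reference, max_drift=timedelta(minutes=5)):
    """Classify one ncdate output as 'ok', 'unset', 'drift' or 'unparseable'.

    reference is the trusted local time on the host running the check;
    max_drift is an assumed tolerance, not a value from the release notes.
    """
    module_time = parse_ncdate(output)
    if module_time is None:
        return "unparseable"
    if module_time.year < EARLIEST_PLAUSIBLE_YEAR:
        return "unset"
    if abs(module_time - reference) > max_drift:
        return "drift"
    return "ok"


def audit_modules(outputs, reference):
    """Map each module number to its RTC status."""
    return {module: rtc_status(text, reference) for module, text in outputs.items()}


# Constructed sample: ncdate output captured per module number (-m1, -m2, -m3).
SAMPLE_OUTPUTS = {
    1: "Local time is 07:03:54.943 2025.03.12",
    2: "Local time is 07:03:54.943 1970.03.12",
    3: "Local time is 09:40:10.100 2025.03.12",
}
SAMPLE_REFERENCE = datetime(2025, 3, 12, 7, 4, 30)

if __name__ == "__main__":
    for module, status in audit_modules(SAMPLE_OUTPUTS, SAMPLE_REFERENCE).items():
        print(f"module {module}: {status}")
```

Any module reported as unset should have its RTC corrected before an upgrade from one of the impacted images is attempted.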

nShield Connect (XC and 5c) hardening updates (NSE-72119)

Security World v13.9 introduces various hardening fixes for the Connect XC and Connect 5c units and updates to the Security Manual.

Codesafe 5 Firmware and SDK improvements (NSE-68686)

Security World v13.9 introduces firmware and SDK improvements for Codesafe 5.

These improvements include:

  • Removed the need to enter maintenance mode during Codesafe5 nShield 5c configuration.

  • Codesafe5 tooling support for repeatable image hashes.

  • Various other defect fixes, refer to Known and fixed issues for more information.

ML-KEM Post-Quantum Algorithm firmware support (NSE-48335)

Security World v13.9 introduces support for the FIPS-203 ML-KEM encryption/key establishment scheme Post Quantum Cryptographic algorithm.

The following operations are available using this new algorithm:

  • Key generation

  • Encapsulation

  • Decapsulation

This functionality is currently only available via nCore.

SLH-DSA Post-Quantum Algorithm firmware support (NSE-48338)

Security World v13.9 introduces support for the FIPS-205 SLH-DSA signature scheme Post Quantum Cryptographic algorithm.

The following operations are available using this new algorithm:

  • Key generation

  • Signature generation in pure and prehashed mode

  • Signature verification in pure and prehashed mode

This functionality is currently only available via nCore.

HashML-DSA Post-Quantum Algorithm firmware support (NSE-69041)

Security World v13.9 introduces support for the FIPS-204 Pre-Hash ML-DSA to the existing ML-DSA signature scheme. This allows the hash of (large) messages to be calculated externally.

The following operations are available using this new algorithm:

  • Signature generation

  • Signature verification

Key generation is as per the existing ML-DSA scheme.

This functionality is currently only available via nCore and PKCS#11 (see: FIPS 204 ML-DSA support added to the nShield PKCS #11 API (NSE-63240)).

SHAKE128 and SHAKE256 mechanisms in nCore (NSE-70045)

Security World v13.9 introduces support for the SHAKE128 and SHAKE256 mechanisms in nCore.

The following commands support the SHAKE mechanisms:

  1. Cmd_Hash supports the SHAKE mechanisms with a given IV where a non-zero output size is specified.

  2. Cmd_ChannelUpdate supports the SHAKE mechanisms:

     • with a given IV similar to Cmd_Hash where a non-zero output size is specified

     • with a null IV where multiple final calls are allowed and each call returns a fragment of output

FIPS SP800-56Ar3 restrictions (NSE-35977)

Security World v13.9 introduces additional functionality for newly created FIPS Level 3 Security Worlds.

When using Security World v13.9:

  • All newly created FIPS Level 3 Security Worlds will have SP800-56Ar3 compliance enabled by default.

  • All pre-existing FIPS worlds have it disabled by default.

  • The new edit-world tool can be used to enable or disable compliance.

Allow multiple seeinteg options to generatekey (NSE-67975)

Security World v13.9 introduces support for multiple seeinteg options to the generatekey utility.

The generatekey seeintegname option can now accept multiple keys, and the generatekey and nfkmverify --trusted-certifier options can now accept multiple key hashes.

FIPS 204 ML-DSA support added to the nShield PKCS #11 API (NSE-63240)

Security World v13.9 introduces support for the FIPS-204 ML-DSA Post Quantum Cryptographic algorithm in PKCS #11.

It is now possible to generate ML-DSA keys using CKM_ML_DSA_KEY_PAIR_GEN, with the following set of mechanisms available for sign and verify operations:

  • CKM_ML_DSA

  • CKM_HASH_ML_DSA

  • CKM_HASH_ML_DSA_SHA256

  • CKM_HASH_ML_DSA_SHA512

  • CKM_HASH_ML_DSA_SHAKE128

  • CKM_HASH_ML_DSA_SHAKE256

All three parameter sets, as defined within FIPS 204, are supported: CKP_ML_DSA_44, CKP_ML_DSA_65 and CKP_ML_DSA_87.

Use of these mechanisms requires a firmware version of v13.8 or greater and the PostQuantum feature to be enabled, see the User Guide for your HSM for more information. See the nShield PKCS #11 API Reference Guide for further information on these mechanisms.

NFKM engine now supports RSA OAEP decryption (NSE-39427)

Security World v13.9 adds OAEP decryption algorithm support to openssl nfkmengine.

NFKM engine now supports all named EC curves (NSE-32127)

Security World v13.9 adds all the named EC curves supported by nCore to the NFKM engine.

Ed448 in nShield PKCS #11 (NSE-53750)

Security World v13.9 adds the Ed448 curve to the supported curves in PKCS#11. This includes key generation via CKM_EC_EDWARDS_KEY_PAIR_GEN and sign/verify with both Ed448 and Ed448ph signature schemes via CKM_EDDSA.

Ed448 in nShield Java (NSE-65603)

Security World v13.9 adds Ed448 support in JCE.

The following types have been added:

  • KeyGenerator.Ed448

  • Signature.Ed448

  • Signature.Ed448ph

generatekey import for ECC (NSE-50206)

Security World v13.9 introduces support for EC, ECDSA, ECDH, ECDHLax, Ed25519, and X25519 keys to be imported using generatekey.

CNG user and machine key namespacing and access control (NSE-9369)

Security World v13.9 introduces changes to CNG user and machine key namespacing.

The following changes have been made:

  • CNG User and Machine key access control is now by default restricted to the creating user (or the administrators group for machine keys) and is configurable.

  • CNG User keys now have namespacing enabled by default to give visibility to the creator only; it can be disabled to provide visibility to any application.

  • CNG User and Machine key access control and user key namespacing are configured in the CNG wizard, cngregister or by environment variables.

When namespacing is enabled, user CNG keys generated by Security World v13.9 and later Security Worlds will not be seen by other users due to the new access control permissions.
With Security World v13.9, other users’ CNG keys generated by earlier Security World versions will be seen in tools like nfkminfo, but will not be usable as they are tied to the user who created them.

Audit logging enabled by default in new Security World creation (NSE-71701)

Security World v13.9 changes Security World creation via the following interfaces to enable audit logging by default:

  • new-world tool (can be explicitly disabled with --no-audit-logging command-line option)

  • nShield Connect front panel (enabled by default in the wizard, can select No to audit logging if necessary)

  • CNG configuration wizard (enabled by default in the wizard, can uncheck option. Option will be disabled if HSM Pool Mode is also selected.)

This only affects new Security Worlds and not existing ones.

It is recommended that audit logging be enabled when creating a new Security World in order to enable auditing of security-critical events.

By default, an audit logging world will create log entries for module startup and shutdown events, and for the presentation of credentials such as smartcards and softcards, but not for key usage.

Logging of key usage may be enabled when the key is generated (e.g. with the generatekey utility) and produces a higher volume of audit events, and so is recommended for high importance low-usage keys (such as Root CA keys).

Additional configuration will be required to offload audit logs and verify them (see nShield Audit Log Service in the User Guide).

HSM Pool Mode is not supported in audit logging worlds, and so if this feature is required, audit logging should not be enabled.

Open Source Software Updates in the v13.9.0 STS Release 1

The following Open Source components have been updated as part of the v13.9.0 release:

Codesafe 5

| OSS Name | v13.7.3 STS Release 1 | v13.9.0 STS Release 1 |
|---|---|---|
| OpenSSL | 3.0.16 | 3.0.17 |

Security World Software

| OSS Name | v13.7.3 STS Release 1 | v13.9.0 STS Release 1 |
|---|---|---|
| Go | 1.23.7 | 1.23.10 |
| OpenSSL | 3.0.16 | 3.0.17 |
| Python | 3.11.11 | 3.11.13 |
| SQLite | 3.49.0 | 3.49.2 |
| tcl | 8.6.15 | 8.6.16 |

Security World Software Python Packages

| OSS Name | v13.7.3 STS Release 1 | v13.9.0 STS Release 1 |
|---|---|---|
| setuptools (virtualenv)* | 75.8.0 | 78.1.1 |
| urllib3 | 2.3.0 | 2.5.0 |

*The v13.9.0 STS Release 1 nShield Python contains more than one version of the setuptools package. The setuptools package labelled with nShield Python is the one primarily used by the v13.9.0 STS Release 1 nShield Python build, unless the other packages are directly used.

nShield Connect XC and nShield 5c

| OSS Name | v13.7.3 STS Release 1 | v13.9.0 STS Release 1 |
|---|---|---|
| dash | 0.5.11.5 | 0.5.12 |
| grub | 0.97 | 0.97 |
| Python | 3.11.11 | 3.11.12 |

Remote Administration Client

| OSS Name | v13.7.3 STS Release 1 | v13.9.0 STS Release 1 |
|---|---|---|
| Python | 3.11.11 | 3.11.13 |
| wxPython | 4.2.1 | 4.2.2 |

Deprecated and discontinued features

The following features are deprecated or discontinued in Security World v13.9. If you have been using these features, plan for a new configuration and workflow that does not make use of the feature:

  • KeySafe
    This is the legacy Java application. KeySafe 5 continues to be supported in v13.9.
    KeySafe information has been removed from the user documentation for v13.9 and later releases. Previous user documentation releases that cover KeySafe continue to be available at https://nshielddocs.entrust.com/.

Firmware images

nShield 5s firmware

The nShield 5s HSM firmware consists of 3 major components:

  • Primary Image

  • Recovery Image

  • Bootloader

The v13.9 release contains a new v13.8 firmware for the nShield 5s. This new firmware only updates the Primary image. The Recovery image and Bootloader can be kept at previously released versions.

The v13.8 firmware includes a VSN update for the nShield 5s from 4 to 5.

Details on what the components are used for and how to upgrade the different components are detailed in Upgrade nShield 5s HSM Firmware. Read this section prior to upgrading any nShield 5s.

nShield 5s firmware

| Type | Version | Description | Directory | VSN |
|---|---|---|---|---|
| Latest | 13.8.0 | Latest firmware with features from v13.9 release. | firmware/nShield5s/latest/nShield5s-13-8-0-vsn5.npkg | 5 |

Solo XC firmware

| Type | Version | Description | Directory | VSN |
|---|---|---|---|---|
| Latest | 13.8.0 | Latest firmware with features from v13.8. | firmware/SoloXC/latest/soloxc-13-8-0-vsn37.nff | 37 |

nShield Edge Firmware

There is no updated nShield Edge firmware being made available with the v13.9 release.

Connect images

The nShield firmware and Connect Image ISO includes v13.9.0 Connect images that contain the Solo XC and nShield 5s firmware described in Firmware images.

Install a Connect image

As part of the Security World installation, the /opt/nfast/nethsm-firmware directory is created, but it is empty. When the Connect image that needs to be installed has been chosen, the subdirectory and the image should be copied from the nShield firmware and Connect ISO into the /opt/nfast/nethsm-firmware directory and installed onto the Connect as usual.

nShield 5c images

| Type | Version | Description | Firmware included | Directory | VSN |
|---|---|---|---|---|---|
| Latest | 13.9.0 | 13.9 nShield 5c image with latest 13.8 firmware | 13.8.0 | nethsm-firmware/latest-all-13-9-0-vsn33/ | 33 |

For security reasons the Version Security Number (VSN) of the nShield 5c image has been increased to 33. Upon updating to the new images it will not be possible to downgrade to previous releases.

The following releases can be updated to post this change:

  • v13.6.12 LTS Update 4

Connect XC images

| Type | Version | Description | Firmware included | Directory | VSN |
|---|---|---|---|---|---|
| Latest | 13.9.0 | 13.9 Connect XC image with latest 13.8 firmware | 13.8.0 | nethsm-firmware/latest-all-13-9-0-vsn33/ | 33 |

For security reasons the Version Security Number (VSN) of the nShield Connect XC image has been increased to 33. Upon updating to the new images it will not be possible to downgrade to previous releases.

The following releases can be updated to post this change:

  • v13.6.12 LTS Update 4

Upgrade from previous releases

Install 13.9.0 Security World Software

Before installing this release, you must:

  • Confirm that you have a current maintenance contract that licenses you to deploy upgrades on each nShield HSM and corresponding client operating system.

  • Uninstall previous releases of Security World Software from the client machines.

For instructions, see the Installation Guide for your HSM.

Upgrade Solo XC firmware

The following are important notes to observe when upgrading the Solo XC firmware to the latest version:

If the Solo XC HSM is installed with the earlier 3.3.10 firmware it cannot be upgraded directly to the latest firmware and needs to be first upgraded to an intermediate version. Please contact nshield.support@entrust.com and request the firmware upgrade patch from 3.3.10 to 3.3.20.

If the Solo XC HSM is installed with firmware earlier than 12.50.7, 12.50.2, 3.4.2 or 3.3.41 it cannot be upgraded directly to the latest firmware and needs to be first upgraded to an intermediate version. Any of the firmware versions listed above can be used as an intermediate version. Please contact nshield.support@entrust.com for any other version of firmware.

Whilst every effort is made to ensure Solo XC firmware compatibility with all mainstream hardware and virtualized environments as well as operating systems there may be occasions where a particular configuration is not compatible (either through current version or after upgrading to a newer version of the firmware). Please contact nshield.support@entrust.com if you experience any issues following an upgrade or during integration activity.

Upgrade nShield 5s HSM Firmware

As detailed in the nShield v13.9.0 HSM User Guide, the nShield 5s HSM firmware consists of 3 major components:

  • Primary Image

  • Recovery Image

  • Bootloader

During normal operation, the nShield 5s is running firmware that is loaded from the Primary image. If required, the nShield 5s can be forced into recovery mode to run firmware loaded from the Recovery image. The main purpose of recovery mode is to allow essential maintenance activities that are not possible when the nShield 5s is running the primary image firmware.

nShield 5s Firmware Version Check

Following the upgrade, the nShield 5s primary image, recovery image and bootloader versions can be checked using the hsmadmin command:

hsmadmin status --json

As an example, following an upgrade, it should report as follows:

"mode": "primary",
"primary-version": "13.8.0-69-0e63150b",
"recovery-version": "13.5.0-0-e2ec16eefd",
"uboot-version": "1.4.1-0-edb84d6e",
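
The following post-upgrade check is an added example, not part of the Entrust release notes or tooling. It reads `hsmadmin status --json` output, confirms that the module runs the expected primary image and flags the v1.4.1 bootloader when a FIPS certified configuration is required. Only the four field names shown above come from the page; the enclosing JSON structure, the ESN placeholder and the "recovery" mode string in the samples are assumptions, so the code searches the document for the fields rather than relying on a fixed layout.

```python
import json

# Bootloader version that the release notes state is not FIPS certified.
NON_FIPS_UBOOT = "1.4.1"


def base_version(version):
    """'13.8.0-69-0e63150b' -> '13.8.0' (build count and commit hash dropped)."""
    return version.split("-", 1)[0]


def status_blocks(node):
    """Yield every JSON object that carries a 'primary-version' field."""
    if isinstance(node, dict):
        if "primary-version" in node:
            yield node
        for value in node.values():
            yield from status_blocks(value)
    elif isinstance(node, list):
        for value in node:
            yield from status_blocks(value)


def check_5s_status(raw_json, expected_primary="13.8.0", fips_required=False):
    """Return a list of findings; an empty list means the checks passed."""
    blocks = list(status_blocks(json.loads(raw_json)))
    if not blocks:
        return ["no 'primary-version' field found in status output"]
    findings = []
    for block in blocks:
        mode = block.get("mode")
        if mode != "primary":
            findings.append(f"module is running in mode {mode!r}, not 'primary'")
        primary = base_version(block["primary-version"])
        if primary != expected_primary:
            findings.append(f"primary image is {primary}, expected {expected_primary}")
        uboot = base_version(block.get("uboot-version", ""))
        if fips_required and uboot == NON_FIPS_UBOOT:
            findings.append(f"bootloader {uboot} is not FIPS certified")
    return findings


# Constructed samples. Field values of the first sample are the ones shown in
# the release notes; the wrapper object and ESN key are placeholders.
SAMPLE_UPGRADED = json.dumps({
    "ESN-PLACEHOLDER": {
        "mode": "primary",
        "primary-version": "13.8.0-69-0e63150b",
        "recovery-version": "13.5.0-0-e2ec16eefd",
        "uboot-version": "1.4.1-0-edb84d6e",
    }
})
# Constructed: a module left in another mode with an older primary image. The
# real mode string for recovery mode is not shown on the page.
SAMPLE_STALE = json.dumps({
    "ESN-PLACEHOLDER": {
        "mode": "recovery",
        "primary-version": "13.5.0-0-e2ec16eefd",
        "recovery-version": "13.5.0-0-e2ec16eefd",
        "uboot-version": "1.4.1-0-edb84d6e",
    }
})

if __name__ == "__main__":
    for name, sample in (("upgraded", SAMPLE_UPGRADED), ("stale", SAMPLE_STALE)):
        print(name, check_5s_status(sample, fips_required=True))
```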

Upgrading the nShield 5s Primary & Recovery Image

Upgrade packages may contain updates for any of these components. The same upgrade method is used in all cases. The system will automatically detect which components are included in the update package and will load the firmware to the correct location.

It is not recommended to upgrade both the Primary and Recovery images at the same time. The recommended procedure is to upgrade the Primary firmware first. Test that the system performs as expected and then upgrade the Recovery firmware at a later date.

The primary and recovery images can be upgraded using the following commands:

For primary:

hsmadmin upgrade nShield5s-13-8-0-vsn5.npkg --esn module-esn

and for recovery:

hsmadmin upgrade nshield5s-recovery-13-5-0.npkg --esn module-esn

Upgrading the nShield 5s Bootloader

The bootloader is the program that boots the HSM and loads the main application. The nShield 5s has a discrete bootloader that can be updated independently of the Primary and Recovery images.

Pre-Requisites

Whilst the bootloader is an independent part of the firmware, the capability to upgrade the bootloader on the nShield 5s was introduced as part of the Security World v13.4 firmware release. For earlier versions of firmware prior to v13.4, the nShield 5s firmware must be upgraded to v13.4 as a minimum to enable this bootloader upgrade to work. Contact nShield Support for details of obtaining the v13.4 version of firmware.

Upgrading bootloader

Once the primary firmware is at version v13.4 or later, the bootloader can be upgraded using the same hsmadmin upgrade command:

hsmadmin upgrade nShield5s-uboot-1-4-1.npkg --esn module-esn

Note: Once the bootloader version is upgraded, it is not possible to downgrade the bootloader to the previous version. The Primary and Recovery images can still be downgraded and upgraded independent of this bootloader version.

The v1.4.1 version of bootloader is not FIPS certified and should not be upgraded if a FIPS certified HSM is required.

Upgrade a Connect XC image

If the Connect XC HSM is installed with an image earlier than 12.45, 12.46, 12.50.4, or 12.50.7 it cannot be upgraded directly to the latest Connect image and needs to be first upgraded to an intermediate version. Any of the Connect image versions listed above can be used as an intermediate version. Please contact nshield.support@entrust.com for any other version of Connect image.

Compatibility

Supported hardware

This release is targeted at deployments with any combination of the following nShield HSMs:

  • nShield 5s (Base, Mid, High)

  • Solo XC (Base, Mid, High)

  • nShield 5c (Base, Mid, High)

  • Connect XC (Base, Mid, High, Serial Console)

Supported operating systems

This release has been tested for compatibility with the following operating systems:

| Operating System | Solo XC | nShield 5s | Connect XC, nShield 5c |
|---|---|---|---|
| Microsoft Windows 10 x64 | Y | Y | Y |
| Microsoft Windows 11 x64 | Y | Y | Y |
| Microsoft Windows Server 2019 x64 | Y | Y | Y |
| Microsoft Windows Server 2022 x64 | Y | Y | Y |
| Microsoft Windows Server 2022 Core x64 | Y | Y | Y |
| Microsoft Windows Server 2025 x64 | Y | Y | Y |
| Red Hat Enterprise Linux 8 x64 | Y | Y | Y |
| Red Hat Enterprise Linux 9 x64 | Y | Y | Y |
| SUSE Enterprise Linux 12 x64 | Y | Y | Y |
| SUSE Enterprise Linux 15 x64 | N | Y | Y |
| Oracle Enterprise Linux 8 x64 | Y | Y | Y |
| Oracle Enterprise Linux 9 x64 | Y | Y | Y |

Security World v13.9.0 support is restricted to the x64 architecture. Additional mainstream x64-based Linux distributions other than those listed above may be compatible, however Entrust cannot guarantee this compatibility.

API support

Java

The versions in the table below are for both Oracle JDK and Open JDK.

| Version | Supported |
|---|---|
| 17 | Y |
| 21 | Y |

Python

This lists the versions of Python that are supported.

| Version | Supported |
|---|---|
| 3.11 | Y |

Supported hypervisors and virtual environments

| Hypervisor | Solo XC | nShield 5s | Connect XC, nShield 5c |
|---|---|---|---|
| Microsoft Hyper-V Server 2016 | Y | N | Y |
| Microsoft Hyper-V Server 2019 | Y | N | Y |
| Microsoft Hyper-V Server 2022 | Y | N | Y |
| VMWare ESXi 7.0 | Y | N | Y |
| VMWare ESXi 8.0 | Y | N | Y |
| Citrix XenServer 8.2 | Y | N | Y |

Supported compilers for Microsoft Windows C developers

Security World v13.9.0 C libraries for Windows were built using Visual Studio 2022 and have been compiled with the SDL flag. This makes them incompatible with older versions of Visual Studio. This applies primarily to static libraries.

Microsoft Windows developers should upgrade to Visual Studio 2022.

| Version | Supported |
|---|---|
| 2022 | Y |

Known and fixed issues

Reference Scope Status Description

NSE-72532

Client-side

Open

Running perfcheck may result in a Too many open files Python exception if the system in use is low on resources.

Issue first found in 13.9

NSE-72090

Connect 5c

Resolved

Addressed an issue where new remote client connections to a Connect or 5c would be rejected if the module failed after startup (this did not affect clients that were already connected when the failure occurred). This change supports remote recovery using a privileged client, using "nethsmadmin -r -m1" to reboot the appliance, or (in the case of 5c) using "nopclearfail -r -m1" to attempt to retry after an error (e.g. to clear an SOS code). Note that if an error is cleared without a reboot, it may be necessary to restart the client hardserver (or remove and re-import the 5c using nethsmenroll) in order to reflect the updated state of no longer being Failed. This is not required if the appliance is rebooted instead.

Resolved in 13.9 client-side.

NSE-71960

Client-side

Resolved

Addressed an issue where 'cnglist --show-sd' would not produce extra information correctly.

Resolved in 13.9 client-side.

NSE-71959

Client-side

Resolved

Addressed an issue where NTE_NOT_FOUND errors would appear when listing CNG keys verbosely.

Resolved in 13.9 client-side.

NSE-71927

Client-side

Resolved

Addressed an issue where csadmin image signing can fail when not all modules are usable within the current Security World.

Resolved in 13.9 client-side.

NSE-71923

Client-side

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 client-side.

NSE-71851

Client-side

Resolved

csadmin image signing subcommands now support specifying the application type (such as 'simple' or 'seeinteg') for Developer ID keys and Application Signing Keys. The previous default of 'simple' application type is retained for now for compatibility, but 'seeinteg' may be a more convenient choice for the Application Signing Key in order to support the use of the 'seeintegname' option in the 'generatekey' tool to generate keys that are restricted to the CodeSafe application.

Resolved in 13.9 client-side.

NSE-71838

Client-side

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 client-side.

NSE-71732

Client-side

Resolved

Fixed an issue where the automatic configuration of CodeSafe 5 via [codesafe] config section or the hsc_codesafe tool directly failed to stop existing applications on v13.4 firmware. [codesafe] configuration section and hsc_codesafe tool are now supported with v13.4 firmware when using the latest SecWorld and CodeSafe SDK.

Resolved in 13.9 client-side.

NSE-71688

Documentation

Resolved

The Security Manual has been updated to state the limitations of the Connect/5c tamper log, and to emphasize the recommendation that Audit Logging should be enabled in new Security World creation as the primary security log mechanism.

Resolved in 13.9 documentation.

NSE-71638

Documentation

Resolved

Updated the Security Manual to clarify the HSM form factors and the distinction between the Connect/5c appliance and the certified HSM inside it.

Resolved in 13.9 documentation.

NSE-71637

Documentation

Resolved

Updated the Security Manual to clarify HSM decommissioning steps, especially that factory state is recommended for Connect/5c/5s modules, not just erasure of the Security World.

Resolved in 13.9 documentation.

NSE-71635

Connect XC and 5c

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect Images.

NSE-71617

Connect XC and 5c

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect Images.

NSE-71565

Connect XC and 5c

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect Images.

NSE-71493

Client-side

Resolved

Addressed an issue where _nfpython3.so in CodeSafe5 SDK is not stripped.

Resolved in 13.9 client-side.

NSE-71350

Connect

Resolved

Addressed an issue where the Connect unit cannot upgrade from v12.x Connect images.

Resolved in 13.9 Connect images.

NSE-71308

Connect

Resolved

Fixed an issue where client licenses for 4 clients would not be applied correctly on Connect XC/5c in v13.6 or v13.7 Connect images. This issue is fixed in v13.6.12 (latest v13.6 LTS) and in v13.9 Connect images.

Resolved in 13.9 Connect images.

NSE-71089

Firmware

Resolved

Addressed an issue to stop accepting elliptic curve domain parameters with certain types of unsupported fields.

Resolved in 13.8 firmware.

NSE-70686

Client-side

Resolved

Addressed an issue where the nShield 5s wouldn’t be available for several minutes after a reboot.

Resolved in 13.9 client-side.

NSE-70540

Firmware

Resolved

Addressed an issue where launcher does not check certificate policies for CS5 intermediate certs.

Resolved in 13.8 firmware.

NSE-70302

Client-side

Resolved

Addressed an issue where cksotool doesn’t ask for FIPS auth in a sensible way.

Resolved in 13.9 client-side.

NSE-70283

Client-side

Resolved

Addressed an issue where 'signextra' with non-FIPS mechanisms gives StrictFIPS140 error on load.

Resolved in 13.9 client-side.

NSE-70194

Client-side

Resolved

Addressed an issue where harmless operations are not logged if a key has any restrictions.

Resolved in 13.9 client-side.

NSE-70105

Client-side

Resolved

Addressed an issue where the Codesafe XC NFKM libraries for GLIBC were missing from the Codesafe installer.

Resolved in 13.9 client-side.

NSE-70062

Client-side

Resolved

Fixed an issue where a CodeSafe 5 application would abort if more than 154 jobs were enqueued simultaneously.

Resolved in 13.9 client-side.

NSE-70007

Firmware

Resolved

Addressed an issue where KCDSA domain validation did not check parameters correctly.

Resolved in 13.8 firmware.

NSE-69976

Client-side

Resolved

Addressed an issue where generatekey was missing AES import.

Resolved in 13.9 client-side.

NSE-69925

Client-side

Resolved

Addressed various memory leaks in RQCard library.

Resolved in 13.9 client-side.

NSE-69830

Client-side

Resolved

Addressed an issue where ch_checkkey() didn’t reject non-FIPS keys in FIPS mode.

Resolved in 13.9 client-side.

NSE-69623

Firmware

Resolved

Addressed RSA length inconsistencies.

Resolved in 13.8 firmware.

NSE-69523

Client-side

Resolved

Addressed small memory leaks in C_Initialize, when run against a FIPS level 3 enforced Security World.

Resolved in 13.9 client-side.

NSE-69520

Client-side

Resolved

Fixed an issue on Windows where perfcheck called the deprecated Windows wmic tool, which may no longer be installed, to query CPU information for its report.

Resolved in 13.7 client-side.

NSE-69503

Client-side

Resolved

Addressed an issue where the signers_transact() was broken in Codesafe 5 Developer examples.

Resolved in 13.9 client-side.

NSE-69326

Client-side

Resolved

Addressed an issue where sendcerts permits groups below the ciphersuite’s minimum.

Resolved in 13.9 client-side.

NSE-69076

Client-side

Resolved

Improved the CodeSafe 5 crash reporter so that some information would be provided even when a full backtrace was not available.

Resolved in 13.7 client-side.

NSE-69053

Client-side

Resolved

Addressed an issue where the nShield 5s driver failed to report the version in dmesg.

Resolved in 13.9 client-side.

NSE-69020

Connect

Resolved

Addressed an issue where the Connect 5c upgrade will fail to upgrade if the time is not set on the module. Refer to Unset module RTC upgrade issue on Connect 5c units for more information.

Resolved in 13.9 Connect images.

NSE-68919

Client-side

Resolved

The csadmin tool is now strict by default in requiring that the "launcher" service on the HSM has an attestation certificate. This certificate is only available in v13.5 and later firmware (and a factory state may be required to generate it if it is not present). If using a firmware version without support for attestation certificates (such as v13.4), the NC_SSH_ATTEST_CERT or NC_SSH_ATTEST_<esn> environment variables can be set in the environment of the csadmin tool to control the behaviour if there is a missing certificate. It can be set to IGNORE (connection proceeds silently), WARN (previous behavior prior to this change), or FAIL (connection will fail, new behavior). Setting NC_SSH_ATTEST_CERT=WARN or NC_SSH_ATTEST_CERT=IGNORE is suggested if using v13.4 firmware. It is recommended that factory state be done if necessary to generate the certificate if using v13.5 or later firmware if it is currently absent.

Resolved in 13.9 client-side.

NSE-68675

Client-side

Resolved

Addressed some performance and scheduling issues.

Resolved in 13.9 client-side.

NSE-68534

Firmware

Resolved

Addressed an issue where legacy key-migration mistakes could lead to an inability to carry out further key-migration.

Resolved in 13.8 firmware.

NSE-68179

Client-side

Resolved

Fixed an issue on Windows where an unwanted message box could appear relating to the TVD driver installation during a Security World software or Remote Administration software installation.

Resolved in 13.7 client-side.

NSE-68093

Firmware

Resolved

Addressed performance issues with Codesafe 5 administration operations.

Resolved in 13.8 firmware.

NSE-68044

Client-side

Resolved

Addressed an issue where the csadmin utility failed to include the scope ID when reporting link-local addresses.

Resolved in 13.7 client-side.

NSE-68007

Client-side

Resolved

Fixed an issue where incorrect parameters in client nCore commands (like wrong module number) were unnecessarily reported as errors in the hardserver log.

Resolved in 13.7 client-side.

NSE-67930

Client-side

Resolved

Fixed an issue where CodeSafe 5 CSEE (SEElib) applications could fail with SIGPIPE in some cases.

Resolved in 13.7 client-side.

NSE-67913

Firmware

Resolved

Addressed an issue with service restrictions and permissions.

Resolved in 13.8 firmware.

NSE-67846

Client-side

Resolved

Fixed an issue where the nShield Audit Service could fail to correctly resume handling the export and expiry of system logs where an interruption had occurred during export on a previous run.

Resolved in 13.7 client-side.

NSE-67839

Client-side

Resolved

Addressed an issue where DHPrivate 'xlength' checking is not exact.

Resolved in 13.9 client-side.

NSE-67776

Firmware

Resolved

Addressed an issue where the ch_generatekeypair didn’t always spot bogus key generation parameters.

Resolved in 13.8 firmware.

NSE-67758

Firmware

Resolved

Addressed an issue where the firmware would provide incomplete validation error messages in response to the csadmin utility loading a Codesafe 5 application.

Resolved in 13.8 firmware.

NSE-67601

Firmware

Resolved

Addressed an issue where the incorrect BIOS code would be reported when the VCM would fail to start in single-tenant mode.

Resolved in 13.7 firmware.

NSE-67579

Client-side

Resolved

Fixed an issue where output from nshieldaudit when printing to stdout rather than to file was not in JSON format as intended.

Resolved in 13.7 client-side.

NSE-67248

Client-side

Resolved

Addressed an issue where the auditlog spooler service would log every 5 minutes when unconfigured.

Resolved in 13.9 client-side.

NSE-66905

Documentation

Resolved

The documented set of allowed CodeSafe 5 system calls now reflects the set of system calls allowed by seccomp.

Resolved in 13.7 documentation.

NSE-66800

Client-side

Resolved

Addressed an issue where some client-side Codesafe developer libraries were shipped as source code rather than built as libraries.

Resolved in 13.9 client-side.

NSE-66437

Connect

Resolved

Made the Connect CLI command setminvsn more user-friendly.

Resolved in 13.7 Connect images.

NSE-66432

Connect

Resolved

Addressed an issue with hsmdiagnose where a test was incorrectly skipped.

Resolved in 13.7 Connect images.

NSE-66415

Open

The appliance-cli gethsmstatus command returns a 'Failed to retrieve status' error when executed against a Legacy FIPS Connect image. This means the version information for the Legacy FIPS Connect image cannot be retrieved at this time.

Issue first found in 13.6

NSE-66256

Client-side

Resolved

Addressed an issue where the message "Failed to parse last log data from current log" would be displayed in the nshieldauditd logfile.

Resolved in 13.7 client-side.

NSE-66232

Firmware

Resolved

Addressed a firmware issue which prevented CodeSafe 5 CSEE machines built with 13.4 SDK from working on later versions of firmware. Applications built with 13.4 SDK will work on 13.7 and later firmware, but they cannot run on 13.5 firmware which does not have this fix.

Resolved in 13.7 firmware.

NSE-65799

Client-side

Resolved

Addressed an issue where a stack trace would be displayed during installation on SLES12 platforms.

Resolved in 13.7 client-side.

NSE-65310

Client-side

Resolved

Addressed an issue where encryption with CKM_AES_CTR in PKCS#11 failed if used with a token key that had not been loaded on the module.

Resolved in 13.9 client-side.

NSE-65292

Firmware

Resolved

Addressed an issue where a Status_Failed message would occur instead of Status_DecryptFailed with RSAUnwrap and AES Key unwrapping under certain circumstances.

Resolved in 13.7 firmware.

NSE-65229

Firmware

Resolved

Addressed an issue where DeriveMech_PublicFromPrivate doesn’t work with Ed448Private.

Resolved in 13.7 firmware.

NSE-65109

Firmware

Resolved

Addressed an issue where the Solo XC was too enthusiastic to clear the module from the clear button.

Resolved in 13.7 firmware.

NSE-64885

Client-side

Resolved

Addressed an issue where the CONNECTION ERROR: Unable to connect to 'monitor' failure would occur when multiple clients were attempting to connect to the monitor service.

Resolved in 13.7 client-side.

NSE-64885

Documentation

Resolved

Addressed an issue where the M_AESmGCM HTML docs omitted the ciphertext format.

Resolved in 13.7 documentation.

NSE-64625

Client-side

Resolved

Addressed an issue where HSM Pool Mode would not work in PKCS #11 with a v13 client-side and older v12 firmwares.

Resolved in 13.9 client-side.

NSE-64525

Client-side

Resolved

Addressed an issue where nfkmverify didn’t accept keys which could perform ECIES unwrapping.

Resolved in 13.9 client-side.

NSE-64438

Firmware

Resolved

Addressed an NVMWearLevel issue for Solo XC and nShield 5s units.

Resolved in 13.7 firmware.

NSE-64409

Client-side

Resolved

Fixed an issue which prevented later CodeSafe SDKs from running on v13.4 firmware. Rebuilding the application with the latest CodeSafe SDK will enable it to run on v13.4 firmware. This re-enables support for applications written in C. For Python support, the v13.4 CodeSafe SDK must continue to be used with v13.4 firmware. Newer CodeSafe SDKs are supported on v13.5 and later firmware in all cases.

Resolved in 13.9 client-side.

NSE-64304

Client-side

Resolved

Addressed an issue where D3S certificates appear in ncoreapi’s stderr.

Resolved in 13.9 client-side.

NSE-63892

Client-side

Resolved

Addressed an issue where generated nCore HTML pages could be missing.

Resolved in 13.7 client-side.

NSE-63502

Open

When using KeySafe5 with the agent on the Connect, the following error will populate the logs: 'Command failed: monitor codesafestats get-all'. Users should increase the codesafe_update_interval using the ks5agent command via the Connect CLI:

ks5agent cfg codesafe_update_interval=48h

To clear the logs, enable the Audit tooling, which will expire the system logs containing the above error.

Issue first found in 13.6

NSE-63449

Client-side

Resolved

Addressed an issue in PKCS#11 where the following error would be reported: 'Key generation certificate with no private/secret key?'

Resolved in 13.7 client-side.

NSE-63444

Client-side

Resolved

Addressed an issue in PKCS#11 where a mix-up of key type enums caused a 'NFBER_Encode_Octet_BitStr_Key failed for len' error.

Resolved in 13.7 client-side.

NSE-63091

Client-side

Resolved

Fixed an issue where the C_GetAttributeValue return value could be overwritten.

Resolved in 13.9 client-side.

NSE-62533

Client-side

Resolved

Addressed an issue in PKCS#11 where SELinux would prevent CodeSafe 5 SEE Machines from binding on some ports.

Resolved in 13.7 client-side.

NSE-62267

Client-side

Resolved

Addressed an issue where multiple hardware failures on Edge units would occur.

Resolved in 13.9 client-side.

NSE-61967

Client-side

Resolved

Addressed an issue where the tar utility would be killed by seccomp when used within a CodeSafe 5 application.

Resolved in 13.7 client-side.

NSE-61966

Client-side

Resolved

An issue has been fixed where, if a CodeSafe 5 machine created files on its local disk, 'csadmin destroy' reported an error when trying to remove those files.

Resolved in 13.9 client-side.

NSE-61540

Client-side

Resolved

Addressed an issue where the CS5 Compatibility Layer would not stay listening for incoming connections.

Resolved in 13.7 client-side.

NSE-61148

Firmware

Resolved

Addressed an issue where the init log is not created by replacement Python code as it should be.

Resolved in 13.7 firmware.

NSE-61033

Firmware (5s only)

Resolved

Addressed an issue where deprecated options were reported in the nShield 5s system logs.

Resolved in 13.7 nShield 5s firmware.

NSE-60936

Firmware

Resolved

Addressed an issue where Codesafe can lose trace data.

Resolved in 13.7 firmware.

NSE-60554

Client-side

Resolved

Addressed an issue where TUAK and Milenage session key generation performance had decreased due to the need to generate key generation certificates at the point of key generation. This has been resolved by adding a new PKCS#11 environment variable, CKNFAST_SESSION_TO_TOKEN, which is enabled by default. The default behaviour is to generate session keys without Key Generation Certificates. This can be disabled by setting CKNFAST_SESSION_TO_TOKEN=0.

Resolved in 13.7 client-side.

NSE-59598

Client-side

Resolved

Fixed an issue where RQCard used in conjunction with nflog could cause a segmentation fault.

Resolved in 13.9 client-side.

NSE-57030

Client-side

Resolved

On Linux, the sshadmin client key for nShield 5s is now backed up automatically to /root/.ssh/id_nshield5_sshadmin as a precaution against the /opt/nfast/services/client directory being deleted. This backup is restricted to the local machine by default. It is recommended on both Windows and Linux to back up the sshadmin key if using nShield 5s. If it may be necessary to move the HSM to a different machine (or to reinstall the OS) at a later stage, the key should be backed up with the "hsmadmin keys backup --passphrase" option so that it is protected by a passphrase rather than being restricted to the local machine and OS installation.

Resolved in 13.9 client-side.

NSE-55780

Open

Starting a CodeSafe 5 SEE machine on an nShield 5c mentions "Could not find nshield network interfaces for service discovery" in the verbose output.

Issue first found in 13.4

NSE-55428

Open

Building classic Codesafe examples fails with older compiler.

Issue first found in 13.4

NSE-55425

Firmware

Resolved

Addressed an issue where 'Unable to perform operation due to service interdependency lock' was reported when using the csadmin utility.

Resolved in 13.7 firmware.

NSE-55378

Open

Minor inconsistency when enabling autostart via csadmin config.

NSE-55142

Open

From 13.4, keys generated using ckrsagen produce a warning in nfkmverify. This is due to stricter policy enforcement on unwrap permissions. To overcome this, use CKA_UNWRAP_TEMPLATE when generating PKCS#11 keys.

Issue first found in 13.4

NSE-55136

Client-side

Resolved

Fixed an issue where offline-produced CodeSafe 5 image signatures would fail CreateSEEConnection.

Resolved in 13.9 client-side.

NSE-52456

Firmware (5s only)

Resolved

Addressed an issue where hsmadmin settime would leave the module around 2 seconds behind the host.

Resolved in 13.7 nShield 5s firmware.

NSE-50848

Client-side

Resolved

Fixed an issue where ckmechinfo would advertise wrap support that didn’t work.

Resolved in 13.9 client-side.

NSE-50050

Client-side

Resolved

Fixed an issue where the nfkmverify utility would not reject wrapping keys with the decrypt permission set.

Resolved in 13.9 client-side.

NSE-49263

Client-side

Resolved

Fixed an issue where mkaclx printed an unclear error when a malformed ident string was specified on the command-line.

Resolved in 13.9 client-side.

NSE-48991

Client-side

Resolved

Addressed an issue where nfkmutils.loadkey did not support softcards.

Resolved in 13.7 client-side.

NSE-43472

Client-side

Resolved

Addressed various issues with nfkmutils.loadkey.

Resolved in 13.7 client-side.

NSE-42031

Firmware (XC only)

Resolved

Addressed a gradual increase in memory usage on nShield Solo XC modules.

Resolved in 13.7 nShield Solo XC firmware.

NSE-41205

Firmware (XC only)

Resolved

An issue has been fixed that could cause a Solo XC or Connect XC HSM to enter an SOS state after many days of running. The issue would have generally manifested as an SOS-HV or SOS-HRTP, but other SOS codes are possible. A number of "SpiRetries", as reported by the stattree utility, may precede the failure.

Resolved in 13.7 nShield Solo XC firmware.

NSE-48073

Open

Connect+ models running software earlier than v12 must first be upgraded to a v12 version before being upgraded to v13. See section Upgrade from previous releases for more details.

Issue first found in 13.3

NSE-42017

Connect

Resolved

Fixed various issues with Connect XC and Connect 5c units.

Resolved in 13.9 Connect images.

NSE-39031

Open

In Security World v12.10 a compliance mode was added to the Connect to allow compliance with USGv6 or IPv6 Ready requirements.

Issue first found in 12.80

NSE-36086

Client-side

Resolved

Addressed an issue where OpenSSH did not enable TCP_NODELAY resulting in latency spikes in CodeSafe 5 communication.

Resolved in 13.7 client-side.

NSE-35974

Firmware

Resolved

Addressed an issue where nvram-sw could not delete all NVRAM files.

Resolved in 13.8 firmware.

NSE-35520

Client-side

Resolved

Addressed an issue where the nfkmverify utility would reject future impath groups.

Resolved in 13.9 client-side.

NSE-28606

Open

Entrust do not recommend migrating keys to non-recoverable worlds since it would then be impossible to migrate the keys in future should the need arise. If keys are migrated into a non-recoverable world then it is not possible to verify OCS and softcard protected keys directly with nfkmverify. The OCS or softcards must be preloaded prior to attempting to verify the keys.

NSE-25401

Open

When installing 12.60 on a Dell XPS 8930 PC, a "Files in Use" screen may be displayed where it prompts to close down and restart Dell, Intel and NVIDIA applications. This can be ignored.

Issue first found in 12.60

NSE-24335

Open

This issue applies to 12.50.11 XC firmware only. As a result of work to improve the upgrade experience with Solo XC it is necessary to add the following lines to /etc/vmware/passthru.map for successful operation of Solo XC in an ESXi environment:

# Solo XC

1957 082c link false

Issue first found in 12.50

NSE-23982

Open

While resetting the password, if the user enters an incorrect password, the CLI prompt prints a lone "I". This is where the login handler program would print the "Incorrect password for cli" message. Only the "I" gets through the wire in time due to the slow baud rate of the connection. This error is trivial and is only seen at the first login during password reset.

Issue first found in 12.50

NSE-22692

Client-side

Resolved

Addressed an issue where the rocs utility would truncate key names that were more than 24 characters long.

Resolved in 13.9 client-side.

NSE-22484

Client-side

Resolved

Addressed an issue where the generatekey utility would ignore preloaded FIPS auth.

Resolved in 13.9 client-side.

NSE-14406

Open

In the Connect config file, the remote_sys_log config entry implies that multiple entries can be defined, but only one remote syslog server can be configured.

Issue first found in 12.50

NSE-8568

Client-side

Resolved

Addressed an issue on Linux platforms where the edgeHandler.sh script failed to cope with more than 1 serial_dtpp_device line in the configuration file.

Resolved in 13.9 client-side.

NSE-4551

Client-side

Resolved

Addressed an issue where unregistering the CNG providers using the cngregister utility would complain that it failed to delete the local machine key.

Resolved in 13.9 client-side.