Version 12.6
What’s new in this release?
The following features were introduced or enhanced in Privileged Access Manager - Self-Hosted version 12.6.
LTS
This version is designated as Long Term Support. Customers who install this version will continue receiving security updates and critical bug fixes per our policy.
For more details, please review our End-of-Life policy.
Shared Technology Platform
Support Microsoft Windows 2019 for Privilege Access Management components deployed in the cloud
We are extending our current support which already exists for Privilege Access Management components deployed on premise to their counterpart images that are deployed in the cloud (AWS and Azure).
Telemetry tool enhancements offer increased visibility into password management
New features and viewing options enable customers to gain better compliance visibility from CyberArk's Telemetry tool. Newly added password management policy-related attributes enable customers to analyze overall password security levels and gain actionable insights.
Newly added metrics include:
- Platforms with periodic verify
- Platforms with automatic reconcile
- Platforms with periodic change
Vault
Continuous improvement of the compliance and security of the Vault
Windows Server 2019 Hardening revised to follow CIS standards
CIS guidelines are used by many organizations as security standards and best practices for defending IT systems.
Accordingly, Digital Vault hardening has been revised to align with Center for Internet Security (CIS) guidelines specifically designed for the standalone server of the Digital Vault.
The new hardening achieves over 90% compliance with the January 2022 CIS report and provides additional hardening guidelines that are not covered or not secured to the Vault standard by the CIS report.
PAKeyGen to support 64-bit PKCS#11 library and HSMs that require PIN integration
Expanding the Vault's ability to integrate with a broader range of Hardware Security Modules (HSM), the PAKeyGen utility is upgraded to support the 64-bit PKCS#11 library when generating server keys with HSM integration. Additionally, HSM vendors that utilize a Personal Identification Number (PIN) are also supported.
Password Vault Web Access
Simplified Safe Management user interface
Password Vault Web Access 12.2 introduced the new Safes view that aligns with the cleaner and more modern look and feel. In this version we expanded the new Safes interface to offer a wizard-led workflow that provides simplification and better visibility that will improve the process of managing safes.
The new Safes view in the PVWA replaces the classic interface and offers extended management capabilities to:
- Create and edit Safes within a new flexible workflow supported by wizard-led steps
- Easily assign members to Safes thanks to enhanced user filtering capabilities
- Manage Safe members and permissions as part of the Safe creation and editing flow. Permissions are easier to manage thanks to predefined permission sets (Read only, Approver, Accounts manager, Full, Customized).
Change password - set the next password value
Customers may need to specify the next password that will be used by the CPM to update an account's credentials.
In such cases Vault administrators can, straight from the default PVWA UI, change the password in the Vault, which will be reconciled on the remote machine by the CPM during the next CPM process. Until now, this option was only available in the classic UI.
Certificate issuer validation to PKI/PKIPN Authentication
PKI enables the use of certificates for servers and users to identify each other and establish a secure connection. Certificates contain encryption values, or keys, that are used for encrypting and ensuring the integrity of messages sent between the two parties.
When a user logs on to the PVWA using the PKI/PKIPN authentication method, the user and the Server establish an SSL (Secure Socket Layer) connection. During the SSL handshake, the parties exchange certificates and check their validity. They also check that the other party’s certificate was issued by a trusted CA (Certification Authority).
In this version we enhanced the authentication to validate that the certificate being used by the end user was issued only by that specific issuer. This will enable administrators to configure which issuer is the valid issuer for the PKI/PKIPN authentication.
REST API
User Management and Account management are the key elements in the organization's onboarding automated processes.
This release includes several improvements in our REST API Web services specifically around these areas for easier automation and usage.
The following new APIs were added:
- Disable user - disables a user
- Enable user - enables a user that was disabled
- Get group details - retrieves the details of a single user group
In addition, we enhanced the Get accounts REST API to filter the returned list according to a set of views. These Saved Filters enable the developer to display accounts according to predefined criteria based on account and operation status, such as Deleted, DisabledPasswordByCPM and ScheduledForReconcile. We now also return the DeletedTimestamp per each of the returned accounts that are deleted, with the time when the account was deleted.
Improved PVWA application logger
CyberArk introduced in V11.4 the new application logger of the PVWA that improved and simplified the troubleshooting process. In this version we will complete the migration and it will become the main logger of the PVWA that will replace two of the existing logs.
In addition, we are adding a new enhanced console log that will replace the old CyberArk.WebConsole.log console log.
These new logs will improve our logging capabilities by providing a clear log structure that enables faster troubleshooting and determines failures without the need to enable debug mode explicitly.
By the end of the year, we expect customers to complete their transition to the new application logger and therefore, the CyberArk.WebConsole.log, CyberArk.WebApplication.log and CyberArk.WebSession<sessionId>.log log files will be disabled by default on clean installations and upgrades of upcoming versions.
Central Policy Manager
AWS STS Connector
The Amazon Web Services Console is the main interface users leverage to make administrative changes to AWS services. This powerful tool is a prime target for abuse by attackers. It is critical that organizations secure AWS console access, ensuring that only appropriate users have access and only to the services required for their job function. The AWS recommended best practice for privileged console access is to restrict traffic to specific workstations, but this can be a challenge in large organizations.
We are happy to introduce a new Amazon Web Services (AWS) Console with STS for connecting via AWS STS that will replace our previous plugin and, based on the Web applications for PSM framework, is supported over Chrome and Internet Explorer.
This integration allows organizations to fully isolate and monitor AWS console sessions using Amazon Secure Token Service (STS), which provides temporary credentials.
To learn more, see AWS Cloud Services Management.
Privileged Session Manager
Taking access enforcement to the next level and improving the compliance control of the PSM path to the critical assets of the organization.
Network-based access control to ad hoc connections
With the changing of office perimeters and employees no longer being office-bound and on the go, it is essential to have better enforcement of their access to the organization's resources and to be able to apply compliance and access regulations globally.
In this version, customers can now apply subnet-based rules to control the access of end users to specific targets based on their location.
Rules may be created on an allowlist or denylist approach, depending on the organization's settings.
Dual Control timeframe enforcement on ongoing PSM sessions
Controlling the timeframe for end users' access to the organization's assets is important from an accountability and compliance perspective.
In this version, we've added the option to enforce the Dual Control request's timeframe that is associated with the session and trigger a session termination once that timeframe reaches its end.
PSM registration flexibility
When a new PSM instance is being registered to the Vault during the Registration stage of the installation, its IP address is being written in the PSM server connection data in the configuration options. In this release we have added the option to register PSM with its DNS name (FQDN), which provides flexibility in dynamically changing networks and makes it easier to secure the PSM connectivity with SSL certificates.
This option is toggled by a new parameter in the Registration stage configuration and is not available when installing PSM via the installation wizard.
Privileged Session Manager for SSH
Continuous improvement of the compliance and security offering of SSH based sessions
Enhanced auditing for file transfer sessions
We are increasing the compliance coverage of SFTP session recordings by adding audit capabilities and including user activities as well as file information in the monitoring page.
SSH tunneling in PSM for SSH integrated mode
PSM for SSH enables authorized users to initiate and use an SSH tunnel to access a target SSH server, while providing start/end tunnel session audit capabilities. Through this tunnel, users can launch GUI applications such as Web or SQL from their workstation, maintaining their existing workflow.
Using PSM for SSH, Security Managers can control access by determining which users can access different target systems.
In this version, PSM for SSH’s Integrated Mode provides the flexibility to configure SSH tunneling for specific systems, according to the access and security needs of the organization.
Privileged Threat Analytics
Simplified installation and upgrade
With today's high frequency of security vulnerabilities in various platforms and applications, it is important to give customers full control and alignment over package versioning and updates without requiring a PTA patch.
Starting this version, PTA installation and upgrade processes will only include updates for the following third parties:
- apache-activemq
- apache-tomcat
- mongodb
- mongodb_exporter
- monit
- node_exporter
- Prometheus
- Pushgateway
- Azul Zulu OpenJDK
This will enable customers to react fast in case of a published vulnerability related to the packages that are no longer part of the PTA installation process.
The rest of the packages that used to be part of PTA installation and upgrade will be considered as prerequisites and their installation will be verified by the PTA before starting the installation and upgrade process.
When PTA is deployed from the disk image, the installation will still include all third-party packages. However, following the initial deployment and moving forward, customers should manage any future updates and security patches of these third party packages.
MongoDB version upgrade
The embedded MongoDB version used by PTA has been upgraded from version 3.6 to version 4.4.
Sensor connectivity indication on system health page
To improve the visibility of PTA's health, in this version the system health page has been extended with information about the last time each sensor communicated with the PTA.
Cross-site request forgery (CSRF) Protection
The CSRF vulnerability is related to browser behavior. The browser attaches existing session parameters to any request to the same site, which enables an attacker to forge a modifying request and manipulate the user into triggering it.
With CSRF protection, each request holds a CSRF token that is unique to the current user session, which makes it impossible to forge a generic request.
In this version, we've added CSRF protection on the PTA classic UI.
Risky commands expansion to Google Cloud commands
The current default list of risky commands has been extended to include commands that are relevant for Google Cloud.
Unmanaged Privileged Access (UPA) exclude list
Starting with this version, customers can exclude certain usernames that they consider irrelevant to the detection of unmanaged privileged users.
Security Enhancements
TLS 1.2 Support
- CPM
  CPM supports the use of TLS 1.2 for incoming connections to the CPM and outgoing connections to targets. It is a security best practice to disable TLS 1.0 and 1.1 to ensure the use of the higher level encryption protocol.
  Starting from this version, we will disable TLS 1.0 and 1.1 on the CPM server by default as part of CPM hardening. Customers who would like to use previous TLS versions can configure the system to allow these versions after the hardening phase is completed, or exclude this step from the hardening phase in advance. See Updates IIS SSL/TLS settings for more information.
- PAM - Self-Hosted on cloud - Vault integration with Azure Key Vault
  Microsoft has announced the deprecation of TLS 1.0 and TLS 1.1 starting May 31, 2022 when integrating with the Azure Key Vault service.
  Since CyberArk Azure images integrate with Azure Key Vault to protect the server key, CyberArk Vault images have been accordingly updated to support TLS 1.2 for .NET Framework.
- PTA - TLS 1.2 enforcement during installation
  Following security best practices, starting this version new deployments of PTA will use TLS 1.2-based communication by default for incoming syslog ports.
  Customers can change this configuration either during the installation process or manually through the system properties file.
  This change is not applicable for existing deployments, although we strongly recommend that customers update manually and start using TLS 1.2 if they haven't done so by now.
PVWA internal components upgrade
Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PVWA Server. The PVWA hardening process was updated accordingly.
Released PAM - Self-Hosted components
Component | Version | Internal Build Number |
---|---|---|
Vault | 12.6 | 12.6.0.21 |
PVWA | 12.6 | 12.6.0.40 |
CPM | 12.6 | 12.6.0.4 |
PSM | 12.6 | 12.6.0.14 |
PSM for SSH | 12.6 | 12.6.0.26 |
PTA | 12.6 | |
Who should install this version
We recommend that all customers upgrade to the latest version.
Installation and upgrade notes
For complete installation instructions for all components, see Install PAM - Self-Hosted. For complete upgrade instructions, see Upgrade.
Vault
Before upgrading CyberArk Digital Vault to this version, you must migrate all existing operating systems to Windows Server 2016 or Windows Server 2019. For more information, see Migrate the Vault Operating System.
CPM
Important: Make sure to complete and follow all installation and hardening steps according to the documentation.
Important: This CPM version contains GPO changes. You must import the hardening file that is supplied with the installation package and follow the Hardening CPM servers in a domain or Hardening CPM servers in a domain after upgrade instructions.
Due to the changes described below, we recommend disabling the CyberArk Password Manager service until you complete the following instructions.
As part of the upgrade, the following local Windows users are created on the CPM machine, in addition to the PasswordManagerUser:
- PluginManagerUser – All plugins will run using this user by default.
- ScannerUser – Scanner service will run using this user.
For more information regarding the installation changes, see Creates Local Windows Service users and configures permissions.
Due to this change, all PMTerminal-based plugins must be migrated to Terminal Plugin Controller (TPC) to work properly. In addition, as some of the custom plugins might also be affected, CyberArk recommends testing them to verify they work properly with their new user.
1. PMTerminal based plugins:
   a. Follow Scan and review existing platforms to identify platforms working with PMTerminal-based plugins. If no platform was identified, skip to section 2 below.
   b. If PMTerminal-based plugins are found, migrate all tested PMTerminal-based plugins and platforms to run using TPC by following Migrate platforms from PMTerminal to TPC.
      For automatic migration of the platforms, use the PMTerminal to TPC tool (see Option 1 - Migrate all platforms from PMTerminal to TPC automatically).
   c. If a plugin cannot be migrated to TPC, or if you need to perform the migration gradually, refer to section 2.d. below.
      Connecting to Mainframe devices using WC3270 is not supported by TPC.
   d. Go back to step 1.b. to complete the migration for all PMTerminal-based plugins to run using TPC.
2. Custom plugins:
   a. Custom plugins may experience issues after the CPM version upgrade; therefore, we recommend that you test them after the upgrade or patch to verify they run properly.
   b. To test a plugin, trigger a password Change / Verify task. If the task succeeds, no further action is required.
   c. If the plugin fails to run, CyberArk strongly recommends modifying the plugin so it can run with the PluginManagerUser user.
   d. As a temporary mitigation only, until the plugin is modified to run with the PluginManagerUser user, update the respective user permissions of the plugin files to least privilege according to Change permissions of plugin-related files, and enable the RunPluginWithHighPrivilege flag on the specific platform (see Enable higher user privileges on a specific platform for more details).
PTA
PTA as a Software
- The content of the PTA installation and upgrade packages has been changed and will only include updates to the following third-party packages:
  - apache-activemq
  - apache-tomcat
  - mongodb
  - mongodb_exporter
  - monit
  - node_exporter
  - Prometheus
  - Pushgateway
  - Azul Zulu OpenJDK
- The following packages that used to be part of PTA installation and upgrade will be considered as prerequisites and their installation will be verified by the PTA before starting the installation and upgrade process:
  - libcgroup
  - yum-utils
  - wget
  - tcpdump
  - iptables-services
  - ntp rsync
  - net-tools
  - dos2unix
  - lsof
  - unzip
  - bc
  - libstdc++
  - sysstat
  - bind-utils
  - cyrus-sasl
  - cyrus-sasl-gssapi
  - cyrus-sasl-plain
  - hostname
  - lua
  - net-snmp
  - tcsh
  - tmpwatch
  - perl
  - open-vm-tools
  - sshpass
- PTA installation wizard - An additional step will be added to notify the user about the changes in the installation for 12.6. The customer must acknowledge this step to proceed with the installation.
- On the PTA upgrade to 12.6, an additional step will be added to validate that prerequisite OS packages and third-party software exist in the server.
- On manual installation, an additional step will be added to validate that prerequisite OS packages and third-party software exist in the server.
TLS v1.2 enforcement
The PTA installation wizard will have an additional step enabling you to modify the default configuration for ports 512 and 11514 when selecting y:
Selecting n will skip this step and continue with the existing PTA installation wizard installation flow.
MongoDB version upgrade
MongoDB upgrade will be triggered from the PTA primary server upgrade and will perform the MongoDB upgrade in both the primary and secondary (DR) PTA servers.
An additional step will be added to the PTA primary upgrade to enter the root user password for the PTA secondary (DR) server.
PTA DR upgrade will not be affected and will be required as well.
UPA exclude list
A new property will be added to the Systemparm.properties file:
upa_excluded_account_list - A list of privileged account names that PTA will not alert UPA about, even if they are not stored in the Vault.
Bug fixes
Core PAM - Self-Hosted bug fixes
You can review the Core PAM - Self-Hosted bugs fixed in this release in our online community.
Note: Links for versions prior to 12.0 no longer work. If you click the link, you will go to https://cyberark-customers.force.com/s/search-results, and then you must apply the appropriate filters.
Note: To make your search easier, you can filter by product, component, status, and affected version. If you haven’t yet registered with the community, log in for self-registration using the relevant link:
Enhancement requests
The following enhancement requests were implemented in this release:
Enhancement Request ID | Component | Description |
---|---|---|
 | Vault | Support SSL/TLS version enforcement in Vault hardening |
 | Vault | CAVaultManager.exe CollectLogs to collect Archive logs folder |
 | PAKeyGen Utility | PAKeyGen utility to support 64bit PKCS DLL |
 | Vault | Vault images for Windows Server 2019 for Amazon AWS and Microsoft Azure |
 | PVWA | Clarify in the documentation regarding .NET support |
 | PVWA | On the Accounts Versions tab, Hide CPM temporary password versions doesn't refresh or display the other entries when the slider bar is triggered |
 | PVWA | Role base permission safe management |
 | PVWA | Add certificate issuer validation to PKI/PKIPN authentication |
14574 | PVWA | REST API - List deleted accounts |
 | Connector | PSM-WebApp for AWS Console with STS (Chrome) |
 | PSM for SSH | Supports auditing in SFTP session for upload (put) and download (get) of files |
 | PSM | Terminate PSM session at end of request timeframe |
 | PSM | Automatic deletion of PSM old application log files from the PSM server was added as an optional configuration |
Platform end of support
CyberArk may choose not to provide maintenance and support services for CyberArk’s Privileged Access Manager - Self-Hosted solution for platforms and systems that have reached their formal End-of-Life date, as published by their respective vendors.
Product | Version | Description |
---|---|---|
Vault, Replicate, Backup, Export Vault Data (EVD), PAKeyGen, Remote Control Client, PACLI, PVWA, CPM, PSM, PTA Agent | 12.6 | CyberArk will not support these components installed on Windows 2012 R2 |
PVWA | 12.6 | The following Web Services APIs will be deprecated as they already have improved replacements: Get users details - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}; Add user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users; Update user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}; Delete user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}; Activate user - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}; Add member to group - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Groups/{GroupName}/Users; Get Safe details - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}; Update Safe - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}; Update member - https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}; Get Safe account groups - https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeName}/AccountGroups |
PVWA | 12.6 | Oracle SSO and RSA SecurID authentications will no longer be provided out of the box and will no longer be supported. |
PVWA | 12.6 | CyberArk introduced in V12.2 the improved solution for our Business Users via CyberArk Identity service. |
PVWA | 12.6 | Internet Explorer versions 8.0, 9.0 and 10.0 will no longer be supported with PVWA Classic interface. |
Password Upload Utility | 12.6 | Today our customers can add accounts to the Password Vault using either web services or using the PVWA itself by Add an account in V10 Interface, Add multiple accounts from a file in V10 Interface, or via the Accounts Feed by using the CPM to scan an organizational network and retrieve a list of accounts and their dependencies. Starting June 30, 2022, CyberArk ends the support for the Password Upload Utility, a tool that is based on an old technology and was used in the past to upload multiple accounts to the Password Vault. |
PSM | 12.6 | CyberArk will no longer support ActiveX connections. We strongly advise our customers who are using ActiveX to transition to our built-in connection methods. |
PVWA | Next version | In our next version, CyberArk will remove the following old PVWA logs: In addition, the CyberArk.WebConsole.log logger will remain but will be disabled by default on clean installations and upgrades. |
PVWA | Next version | We will remove the Resolve button from the Add Account, Edit Account, and Connect screens. The Resolve button resolves the remote machine’s domain automatically by populating the domain name in the Logon To field. This value must be specified manually. |
PSMP | Next Version | CyberArk will no longer support Custom Mode. We strongly recommend that customers use Integrated Mode instead, which is modern, reliable, and best practice. New features will be developed for Integrated Mode only. |
PSM for SSH | Next Version | CyberArk will no longer support Telnet-based connections. As a security best practice, SSH connection is highly recommended. |
System requirement changes
Review the following system requirement changes before installing or upgrading the components specified in Version 12.6.
Component | Description |
---|---|
Vault, Replicate, Backup, Export Vault Data (EVD), PAKeyGen, Remote Control Client, PACLI, PVWA, CPM, PSM, PTA Agent | CyberArk will not support installation on Windows 2012 R2 |
Vault | Starting this version, Visual Studio C++ Distribution installation executable requirement as a prerequisite of the Vault installation is no longer part of the Vault installation package. The Vault installation validates that the C++ Distribution requirement is installed before allowing you to continue with the installation. |
PVWA - ServiceNow Ticketing System | Integrating privileged accounts workflow with ServiceNow Incident Management and Change Management is now supported for Rome and San Diego versions. ServiceNow is now available in the CyberArk Marketplace. |
PVWA | Please note that Microsoft has announced that the Internet Explorer (IE) 11 desktop application will end support for certain operating systems starting June 15, 2022. Customers are encouraged to move to Microsoft Edge with IE mode or other browsers. Starting June 15, 2022, CyberArk will no longer support PVWA (all its versions) on IE 8.0, 9.0, 10.0 and 11. |
PVWA | Starting this version, we added RHEL 7.9, RHEL 8.2, and CentOS 7 to the list of target machines that can be scanned using the Accounts feed discovery. |
PVWA | CyberArk will not support the PVWA on Windows 2012 R2. |
CPM | CyberArk will not support the CPM on Windows 2012 R2. |
PSM for SSH | Support installation on RHEL 8.6. |
PTA | PTA as a software - The following third-party packages will be considered as prerequisites for the PTA installation and will be verified by the PTA before installation and upgrade: |
Behavior change notes
# | Component | Area | Description |
---|---|---|---|
1 | Vault | CAVaultManager Utility | CollectLogs parameter in CAVaultManager now supports the collection of the Archive folder of logs located in /Server/Logs/Archive when specifying /Archive flag. |
2 | Vault | deployment on Azure | When deploying the Vault in Azure using CyberArk images, TLS 1.2 will be used to communicate with Azure Key Vault (AKV) and Azure Storage. |
3 | Vault | Logging | Default logging of the Vault is now set to have archiving enabled. The TraceArchiveMaxSize parameter is set to the default value of 5120 MB. |
4 | Vault | Logging | Italog.log is now set to be rolled to Archive. The ItalogRetentionSize parameter is set to the default value of 150MB. |
5 | Vault | Hardening | The Vault hardening on Windows Server 2016 command has changed. |
6 | Vault | Hardening | Vault Hardening disables by default weak protocols (TLS 1.0, TLS 1.1, SSL 1.0, SSL 2.0, SSL 3.0) and cipher suites. Customers who would like to use older versions can enable them after performing the Vault hardening. |
7 | PVWA | PVWA Logger | The following logs of the PVWA will be disabled by default on clean installations and upgrades: |
8 | PVWA | Business Users | As previously announced, the Business Users solution in the PVWA will no longer be available starting this version. We encourage you to move to the Identity solution and gain enhanced capabilities. For all questions regarding Business Users deployment, please contact your customer success representative. |
9 | CPM | Hardening | Starting from this version, we will disable TLS 1.0 and 1.1 on the CPM server by default as part of CPM hardening. Customers who would like to use previous TLS versions can configure the system to allow these versions after the hardening phase is completed, or exclude this step from the hardening phase in advance. See Updates IIS SSL/TLS settings for more information. |
10 | CPM | Upgrade | As part of the upgrade, the following local Windows users are created on the CPM machine, in addition to the PasswordManagerUser: PluginManagerUser – All plugins will run using this user by default. ScannerUser – Scanner service will run using this user. For more information regarding the installation changes, see Creates Local Windows Service users and configures permissions. |
11 | PSMP | SSH Keys, Smart Card or MFA caching in Integrated | Support for SSH-RSA was deprecated in OpenSSH v8.8. This will cause SSH key authentication to the target with the specific private key type matching ssh-rsa to fail. To support this key type, add the specific algorithm back to the ssh configuration file. For more information, see https://www.openssh.com/txt/release-8.8. To enable usage of this deprecated public key algorithm: Add PubkeyAcceptedKeyTypes +ssh-rsa to your SSH configuration file, in the following locations: |
12 | PSM | Applocker DLL policy | Applocker hardening now uses the allowlist model by default to create DLL file rules, meaning that all DLLs are blocked by default from execution by PSM-related users except those that are listed in the Applocker configuration or those that are automatically detected as being required by allowed applications, such as PSM connection clients. |
13 | PVWA | API support | In this version, the legacy 1st generation versions of the following APIs are no longer supported. The replacing 2nd generation APIs remain under support. https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{UserID}; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{userID}/; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{UserID}/; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Users/{UserName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Users/{UserID}/Activate; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Groups/{GroupName}/Users replaced with https://<IIS_Server_Ip>/PasswordVault/API/UserGroups/{id}/Members; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeUrlId}/; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeUrlId}/; https://<IIS_Server_Ip>/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName} replaced with https://<IIS_Server_Ip>/PasswordVault/API/Safes/{SafeUrlId}/Members/{MemberName}/. See REST APIs for APIs supported in this version. |
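
One way to find automation that still calls the 1st generation endpoints from row 13 before upgrading, given as an added example (not CyberArk code): it scans IIS W3C log lines from the PVWA server for the legacy paths and reports the replacement listed in the table. The log lines, client addresses and account names are constructed sample data; the column layout is read from the log's own #Fields header.

```python
import re
from collections import Counter

# Gen1 path template -> Gen2 replacement(s), copied from row 13 of the
# behavior change table (host part dropped, trailing slashes normalized).
# The table gives no HTTP methods, so all candidate replacements are listed.
GEN1_TO_GEN2 = {
    "/PasswordVault/WebServices/PIMServices.svc/Users/{UserName}": [
        "/PasswordVault/API/Users/{UserID}",
        "/PasswordVault/API/Users/{UserID}/Activate",
    ],
    "/PasswordVault/WebServices/PIMServices.svc/Users": [
        "/PasswordVault/API/Users",
    ],
    "/PasswordVault/WebServices/PIMServices.svc/Groups/{GroupName}/Users": [
        "/PasswordVault/API/UserGroups/{id}/Members",
    ],
    "/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}": [
        "/PasswordVault/API/Safes/{SafeUrlId}",
    ],
    "/PasswordVault/WebServices/PIMServices.svc/Safes/{SafeName}/Members/{MemberName}": [
        "/PasswordVault/API/Safes/{SafeUrlId}/Members/{MemberName}",
    ],
}


def _compile(template):
    """Turn a path template into a regex; each {placeholder} is one segment."""
    parts = re.split(r"\{[^}]+\}", template)
    body = r"[^/]+".join(re.escape(p) for p in parts)
    # IIS paths are case-insensitive; allow one optional trailing slash.
    return re.compile(body + r"/?\Z", re.IGNORECASE)


PATTERNS = [(t, _compile(t)) for t in GEN1_TO_GEN2]


def match_gen1(uri_stem):
    """Return the Gen1 template that uri_stem matches, or None."""
    for template, rx in PATTERNS:
        if rx.match(uri_stem):
            return template
    return None


def find_gen1_calls(log_lines):
    """Yield one record per log entry that hit a Gen1 endpoint."""
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        template = match_gen1(row.get("cs-uri-stem", ""))
        if template:
            hits.append({
                "client": row.get("c-ip", "-"),
                "method": row.get("cs-method", "-"),
                "stem": row["cs-uri-stem"],
                "gen1": template,
                "gen2": GEN1_TO_GEN2[template],
            })
    return hits


def summarize(hits):
    """Count Gen1 calls per (client address, endpoint template)."""
    return Counter((h["client"], h["gen1"]) for h in hits)


# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-07-01 08:00:01 GET /PasswordVault/WebServices/PIMServices.svc/Users/svc_onboard - - 10.0.5.20 200
2022-07-01 08:00:02 POST /PasswordVault/API/Users - - 10.0.5.21 201
2022-07-01 08:00:03 PUT /passwordvault/webservices/pimservices.svc/Safes/Prod-DB/Members/ops_team - - 10.0.5.20 200
2022-07-01 08:00:04 POST /PasswordVault/WebServices/PIMServices.svc/Groups/Auditors/Users - - 10.0.5.22 201
2022-07-01 08:00:05 GET /PasswordVault/API/Safes/Prod-DB/ - - 10.0.5.21 200
2022-07-01 08:00:06 GET /PasswordVault/WebServices/PIMServices.svc/Safes/Prod-DB - - 10.0.5.20 200
"""

if __name__ == "__main__":
    for (client, gen1), n in sorted(summarize(find_gen1_calls(SAMPLE_LOG.splitlines())).items()):
        print(f"{client} called {gen1} {n}x -> move to {', '.join(GEN1_TO_GEN2[gen1])}")
```

The client addresses in the summary point to the hosts whose scripts need to be moved to the 2nd generation endpoints.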
Known issues
For all known issues and limitations, see