New in Secret Server

Learn about the enhancements and fixes for Secret Server, Version 10.7.

Version 10.7.1 (10.7.000059)

Released: 7 January 2020


New features

Data retention

Secret Server now allows administrators to permanently delete audit records for tables that either contain Personally Identifiable Information (PII) or can grow large in enterprise environments. To configure these settings, admins add the “Administer Data Retention” permission to the user’s role; the user can then navigate to Admin > Data Retention. See the “Data Retention” section in the Secret Server Administration Guide.

Manual rolling upgrades

A new “Manual Rolling Upgrade” feature is available when upgrading from Secret Server version 10.7.000059 or later. Using this process, clients that use clustered web nodes with a load balancer can experience little-to-no downtime during the upgrade process. However, this process requires an administrator to perform some manual steps with Web node and database access. See the Minimizing Upgrade Downtime KBA.

RMQ Failover

Updated Secret Server to support durable exchanges for RabbitMQ (RMQ). This allows clustered site connectors to fail over without impacting Secret Server processing. Distributed engines will auto-update after the Secret Server upgrade to also support durable exchanges through RMQ.
Note: Older Advanced Session Recording Agents (ASRA) can be used with this version of Secret Server, but ASRAs will not benefit from this change to failover handling. To include failover capability for ASRA, an updated agent must be deployed. See the Secret Server Advanced Session-Recording Agent Installation KBA.

Technical Details: The ExchangeDeclare logic in MessageQueue client was altered to attempt to create durable exchanges with logging. A durable exchange is automatically re-created if RabbitMQ restarts for any reason. Non-durable exchanges disappear when RMQ goes down and can only be re-created by some external action. If the new logic detects that creating the durable queue failed, it will log an error and attempt to create a non-durable queue.

Time-Based One-Time Passwords (TOTP)

Added a feature where Secret Server can now generate time-based one-time passwords (TOTP) for web secrets. This allows users to implement TOTP on shared secrets. Configuring secrets for TOTP begins at the secret template level. See the Secret Server Administration Guide.

Truncated log data

Added the ability to truncate table logs for several types of data that log to the “Status Message” table. These messages can contribute to excessive log data and slow performance. The option to truncate each message type is called “Days to Keep Operational Logs” and is under the “Advanced” section of each of the following configuration pages. The minimum message retention time is one day and the default is 30 days. The logs include:

  • AdminDiscovery.aspx (Admin > Discovery)

  • AdminSearchIndexer.aspx (Admin > Search Indexer)

  • ConfigurationActiveDirectory.aspx (Admin > Active Directory)

  • ConfigurationPasswordChanging.aspx (Admin > Remote Password Changing)

  • ConfigurationSshProxy.aspx (Admin > SSH Proxy)

  • ConnectWiseConfiguration.aspx (Admin > Folder Sync). This setting is only available when using the “Database” Folder Synchronization Method on this page.

Go to the Secret Server Administration Guide and search for “Days to Keep Operational Logs” to see all the locations where this can be configured.

Technical details: A background task was added that scans the status message table every 12 hours and checks the status messages against configured values for how long they must be retained. These configured values were added to applicable UI pages.

Web browser extensions

The Web browser extensions for Secret Server have a new look and feel and now have added browser and site support. These new extensions are available for:

  • Google Chrome

  • Mozilla Firefox

These features from the old browser extensions are improved to allow more flexibility:

  • Create secrets

  • Select secret template

  • Generate complex password

Users can now authenticate to Secret Server directly from the Web extension, including support for 2FA options, such as DUO. Log in via Secret Server is also available for users with single sign-on, SAML, or other multi-factor authentication mechanisms. Web extensions automatically identify manual entry of new credentials in a Web page and offer to save the credentials as a secret. There is also improved support for sites that use multi-page login mechanisms.

See the Web Password Filler section of the Secret Server Administration Guide for more information.

Enhancements

Advanced session recording

Added a new setting to exclude keystroke data from advanced session recording metadata. The new setting is called “Default Keystroke Recording Configuration” and can be configured under Admin > Configuration > Session Recording > Configure Advanced Session Recording. Click the collection name to edit individual collection settings or agent settings. By default, advanced session recording keystrokes are enabled. See the Secret Server Administration Guide.

Database SQL indexes

Added new SQL indexes for the following areas:

  • Column LauncherSessionGuid on the Launcher Session Video (tbLauncherSessionVideoSegment)
  • Event Queue Monitor (tbEventQueue)
  • Expired Secret Monitor (tbSecretDependency table)
  • Folders (tbFolder, tbFolderGroupPermissions)
  • General Navigation (tbUserSession)
  • Launcher Activities (tbSecretSession)
  • Log In (tbUser)
  • Node Activation Check (tbNodeLicenseActivation)
  • Secret Log table (tbSecretLog)
  • System Reports (tbAuditUser, tbAuditSecret)

Discovery

Added messaging for when computer or dependency scans do not run due to having no scanners configured for a discovery source.

Distributed Engine Offline Status

Updated the definition of a distributed engine’s offline status to be the configured heartbeat interval times three. For instance, if your heartbeat interval is configured at 5 minutes, the engine reports offline if Secret Server and the engine do not successfully communicate within a 15-minute period. Engine online and offline states were also added to subscription actions to allow notification to admins when engine states change. See the Event Subscriptions section in the Secret Server Administration Guide.

Licensing

A second distributed engine is now available, by default, for the local site.

New user interface

  • Redesigned the Admin landing space. Click Admin > “See All” to explore the new layout.
  • Redesigned Doublelock. See the DoubleLock section in the Secret Server Administration Guide.
  • Added new “Recent Activity” section to the Home dashboard page to display recent activity at a glance.
  • Updated the Security Hardening tab in the Reports page.
  • Updated the IP Address Management pages under Admin.
  • Added custom “full-sized” and “collapsed” logos for the new UI, configured in Admin > Configuration under the User Interface section.
  • Added dark mode theme option in the new UI. To change theme mode preferences, go to Account Settings > Color Mode. Options include Light Mode, Dark Mode, or Default (mode will update based on user’s OS color mode settings).
  • Added a new setting to configure the inactivity time before the new UI goes into dark screen “sleep mode.” To configure go to Admin > Configuration > User Experience > UI Inactivity Timeout.
  • Converted the Groups page to the new UI.
  • Updated error messaging in the new UI to display folder synchronization and deletion errors.
  • Updated the date picker to allow for future start dates and time selection without first adjusting the end date when requesting secret access. End dates are automatically adjusted to align with the start date +1 hour.
  • Updated grid downloads in the new UI to download according to new options. User options now include choices to download all data or specific rows of data, and specify date format. You can also choose time zone options of UTC, server time zones, or the local browser time zones.
    Note: For downloaded reports, user time zone options are limited to UTC or the server time zone.
  • Updated behavior of new UI so that clicking the “Select All” check box at the top of a secret grid selects all rows. Previously the check box selected only the items currently loaded on the page.
  • Added the “View Audit” button to the reports page of new UI.
  • Added the “Upgrade Available” banner to display in the new UI.
  • Added the ability to drag-and-drop child folders into the root folder. Folders will automatically re-order alphabetically in the left navigation pane.
    Note: This action is only allowed if users have the “Create root folder” permission and own folders that they are attempting to move.
  • Added folders to the “Shared With Me” page.
  • Added new inbox notifications including “getting started” notifications for new installs and administrator alerts when an instance is close to hitting licensing limits.
  • Added the ability to mark Inbox notifications as read or unread for most notification types.
  • Added the ability to browse by folder name using the URL format [SecretServerURL]/SecretServer/app/#/lookup?folderPath=[FolderName]. If multiple folders exist with the same name, this URL search schema only directs users to the first folder listed within the left navigation pane.
  • Updated Favorite star icons to remain in column view when the Name column is resized.
  • Expanded file-size allowance on file uploads. File uploads can now be up to 10 MB.
  • Grid results updated to auto-load 30 results instead of 15.

Remote Password Changing upon Regex-Defined Error

Added a new regex setting to automatically retry a remote password change (RPC) with a regenerated password if the original RPC failed due to a specific type of error.

Go to Admin > Remote Password Changing and click Advanced under the Configure Password Changers section. The new setting is “Attempt Password Change with new password when error contains (regex)”. Edit it to provide the regex for the failure text that triggers the automatic retry with a new password. See the Secret Server Administration Guide.
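As an added example (not the product’s implementation), the Python below sketches the retry logic: the error text from a failed change is matched against the configured regex, and only a match triggers a regenerated password and another attempt. The target system, its error message and the `max_retries` bound are constructed assumptions; the setting as described implies a single retry, which is the default here.

```python
import re
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class RpcResult:
    success: bool
    final_password: Optional[str]
    errors: List[str] = field(default_factory=list)  # target error text, one entry per failed attempt


def generate_password(length: int = 16) -> str:
    """Generate a replacement password from the OS CSPRNG (stand-in for the product's generator).
    The first character is forced to a letter so the value is accepted by systems that reject a leading symbol."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return secrets.choice(string.ascii_letters) + "".join(secrets.choice(alphabet) for _ in range(length - 1))


def change_password_with_retry(change_fn: Callable[[str], None], candidate: str,
                               retry_regex: Optional[str], max_retries: int = 1) -> RpcResult:
    """Attempt the RPC once; if the target's error text matches retry_regex, regenerate the password
    and try again, up to max_retries further attempts. Errors that do not match (for example a locked
    account) are returned immediately, because a different password would not help and each
    attempt is another credential use against the target."""
    pattern = re.compile(retry_regex, re.IGNORECASE) if retry_regex else None
    result = RpcResult(success=False, final_password=None)
    for attempt in range(max_retries + 1):
        try:
            change_fn(candidate)
        except Exception as exc:  # the changer surfaces the target's failure message as an exception
            message = str(exc)
            result.errors.append(message)
            if pattern is None or not pattern.search(message) or attempt == max_retries:
                return result
            candidate = generate_password()
            continue
        result.success = True
        result.final_password = candidate
        return result
    return result


class FakeTarget:
    """Constructed stand-in for a managed system: enforces a minimum length and records the change."""

    def __init__(self, min_length: int = 12):
        self.min_length = min_length
        self.current_password: Optional[str] = None
        self.calls = 0

    def change(self, new_password: str) -> None:
        self.calls += 1
        if len(new_password) < self.min_length:
            raise RuntimeError(
                "ERROR 1325: password does not meet complexity requirements (minimum length %d)" % self.min_length)
        self.current_password = new_password


if __name__ == "__main__":
    target = FakeTarget()
    outcome = change_password_with_retry(target.change, "Short1!", r"does not meet complexity", max_retries=2)
    print("success:", outcome.success, "attempts:", target.calls, "errors:", outcome.errors)
```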

Verbose logging

Added Verbose Logging for:

  • AWS password changers
  • AWS discovery scanner
  • ComPlus dependency scanner
  • PowerShell discovery scanner
  • Flat file discovery scanner
  • ODBC discovery scanner
  • SSH discovery scanner
  • ESX discovery scanner

Terminal

  • Added terminal instructions for how to view SSH proxy credentials in the new UI under Secret Options > Show SSH Terminal Details.
  • Removed restrictions from the allowed number of concurrent logins for SSH terminal. Previously, terminal logins were tied to the “Maximum concurrent logins per user” setting that establishes this number for UI-based users.
  • Added Unicode support for SSH command menu items (names and descriptions).
  • Added “clear” command to terminal.

Reports

  • Updated several reports to no longer show deleted secrets.
  • A new out-of-the-box report called “Secret Templates without an expiration field” was added to display any secret templates that have a password field but do not have an expiration field set.

Secret Template Import and Export

Updated secret template settings for import and export to include:
  • Is Required?
  • Edit Requires
  • Hide on View
  • Secret template icon
  • Keep Secret Name History
  • Validate Password Requirements on Create/Edit
  • Field Slug Name
  • Type Description
  • One Time Password settings

The secret template settings that do not transfer include:

  • Launcher settings
  • Password changing settings
  • Session recording enabled
  • Associated secrets

See the Can I import or export data between Secret Servers? KBA for more information.

SSH Proxy

  • Updated “connect as” to accept key-based SSH authentication without also requiring a manual password.
  • For SSH proxy sessions, added the option to record only keystrokes or only video. By default, new installs record only keystrokes on SSH proxy sessions to preserve disk space. To configure this setting, go to Admin > Configuration > Session Recording tab > SSH Proxy Session Recording and edit the SSH Proxy Session Recording Options list. The options include:

    • Record keystrokes and video
    • Record keystrokes only
    • Record video only
    • Do not record

See the Session Recording section in the Secret Server Administration Guide.

Unique Field Slug IDs

Added a new “Unique Field Slug” ID column for secret templates to allow users to create secrets with duplicate field names without compromising the ability to target each field name with a unique identifier for API calls. See the Secret Template Field Types section in the Secret Server Administration Guide.

User variables for scripting

Added the following user-based script variables to be used in API calls as arguments:

  • $SECRETSERVERUSERID
  • $SECRETSERVERUSERNAME
  • $SECRETSERVERDISPLAYNAME
  • $SECRETSERVEREMAILADDRESS

For example, when a specific user runs a check-out hook, the user’s email, ID, username, or display name can be passed as a parameter into the script, so check-out hooks and related AD functionality in Secret Server can be used through the API. See the “Checkout Hooks” section in the Secret Server Administration Guide.

API General

  • Added a setting that allows users with view permission on a secret to get the secret’s “autoChangeNextPassword” field in the API. This setting is enabled under Admin > Configuration > Permission Options. Set Allow View User To Retrieve Auto-Change Next Password to Yes.
  • Fixed an issue with /api/v1/secret-templates/{id} so that a user with AddSecret and global template permissions is allowed to call the service. Before this fix, the AddSecret user was required to have specific access to a template.

New API Calls

  • Get one time password code and seconds: GET /one-time-password-code/{id}
  • Search secrets by URL: POST /secret-extensions/search-by-url
  • Get AutoFill values for URL by secret ID: POST /secret-extensions/autofill-values
  • Update secret field: PUT /secrets/{id}/fields/{slug}
  • Update secret: PUT /secrets/{id}/restricted
  • Get SSH Terminal details: POST /secrets/sshterminal
  • Get extended regex values by secret: GET /extended-fields/regex/{secretId}

Removed API Calls

  • Search app clients: GET /app-clients

Integrations Performance Improvements

  • Added server-side paging to reports in the new UI to address performance issues when attempting to load reports with large numbers of records.
  • The new user interface will no longer load the subfolders if a parent folder has more than 30 subfolders within it on the grid page. Instead, a folder picker will display above the folder’s secrets that will allow users to select a specific subfolder.
  • Applied enhanced SQL querying logic on the groups pages so that environments with large groups no longer experience page timeouts when processing group data.
  • Improved the shutdown performance in distributed engine.
  • Removed the welcome widget from the dashboard on the classic UI due to page load issues in large environments.
  • Enhanced SQL query for the unlimited admin report to improve performance for large environments.
  • Added a new “use database paging” setting for the custom reports page. Database paging allows the database to load large reports more quickly. We recommend database paging if the query is expected to pull large amounts of data for the report. Implementing database paging may not work if the SQL query uses some keywords, including TOP, OPTION, INSERT, UNION, WITH, or aliases containing the word FROM.

    Example queries:

    • Works using database paging: SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'

    • Does not work using database paging: SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'
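The Python below is an added pre-check, not part of Secret Server, that flags the documented blockers (the listed keywords and aliases containing the word FROM) in a custom report query before “use database paging” is enabled. It assumes T-SQL string literals and explicit AS aliases; implicit aliases are not checked.

```python
import re
from typing import List

# Keywords the release notes list as incompatible with database paging.
BLOCKED_KEYWORDS = ("TOP", "OPTION", "INSERT", "UNION", "WITH")

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")  # T-SQL literal; a doubled quote is an escaped quote
_BLOCKED = re.compile(r"\b(" + "|".join(BLOCKED_KEYWORDS) + r")\b", re.IGNORECASE)
_ALIAS = re.compile(r"\bAS\s+(\[[^\]]+\]|\"[^\"]+\"|\w+)", re.IGNORECASE)  # explicit "AS alias" only


def database_paging_issues(sql: str) -> List[str]:
    """Return the reasons a custom report query should not have "use database paging" enabled.
    An empty list means none of the documented blockers were found. String literals are blanked
    first so a LIKE pattern such as 'TOP%' is not mistaken for the TOP keyword."""
    scrubbed = _STRING_LITERAL.sub("''", sql)
    issues = []
    for m in _BLOCKED.finditer(scrubbed):
        issues.append(f"keyword {m.group(1).upper()} at offset {m.start()}")
    for m in _ALIAS.finditer(scrubbed):
        alias = m.group(1).strip('[]"')
        if "from" in alias.lower():
            issues.append(f"alias '{alias}' contains the word FROM")
    return issues


def database_paging_compatible(sql: str) -> bool:
    """True when the query has none of the documented blockers."""
    return not database_paging_issues(sql)


if __name__ == "__main__":
    # The two example queries from the release notes.
    for query in ("SELECT * FROM tbSecret WHERE NAME LIKE 'Test%'",
                  "SELECT TOP 10 * FROM tbSecret WHERE SecretName LIKE 'Test%'"):
        print(query, "->", database_paging_issues(query) or "ok")
```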

Security

  • Updated PuTTY to version 0.73. The updated version addresses several PuTTY vulnerabilities, including one critical and two high-severity items: CVE-2019-17067, CVE-2019-17068, and CVE-2019-17069.
  • Addressed a vulnerability with the SDK client account handler.
  • Fixed a permissions issue in the new UI where password requirements did not obey the “administer custom password requirements” permission.
  • Added audits and event subscriptions for viewing passphrases and SSH keys.
  • Addressed a Remote Code Execution (RCE) vulnerability that allowed parameter changes for an action without validating user permissions.
  • Resolved an issue for SSH scripts and SSH remote password changers where sensitive information was being written to log files:
    • SSH remote password changers will now only log the comment for each command as it runs.
    • SSH scripts will only log that they ran because they have no comment for each command.
    Note: If you manually test an SSH script or password changer, the full output will still be shown for debugging purposes, because you just entered the credentials yourself.
  • Resolved a URL redirection vulnerability.
  • Added configurable parameter quoting for custom launchers.
  • Resolved three cross-site scripting (XSS) vulnerabilities.
  • Fixed an XML external entity (XXE) injection vulnerability.
  • Removed user information that was returned in an API call.
  • Added auditing for changes made to the session recording configuration page on the Admin > Configuration > Session Recording tab.
  • Added auditing for test script actions in the Custom Command Edits section in the Admin > Scripts pages.
  • Added auditing to the Admin > Configuration > Ticket System tab. Audits are logged under Admin > Configuration > General tab > View Audit.
  • Added the secure cookie attributes that were missing when “Force HTTPS” is enabled.
  • New installs running 10.7.000059 or later will now automatically apply zero information disclosure.
  • Added SHA1 and SHA256 hashes for the protocol handler.
  • All Thycotic DLLs and EXEs are now signed with the Thycotic Software certificate including distributed engine, advanced session recording agent, and MemoryMQ applications.

Version 10.7.0

Released: 12 November 2019

Upgrade notes

  • IBM® Security Secret Server 10.7 and later no longer supports the use of Microsoft SQL Server 2008 R2 as the database for Secret Server.
  • Secret Server requires Microsoft SQL Server, and the database must be set to the collation SQL_Latin1_General_CP1_CI_AS. See Microsoft SQL collation requirements and check your server collation settings before upgrading.
  • Added a new system alert in Inbox. Administrators must set a custom URL at Admin Config > Secret Server Custom URL to prevent an issue where heartbeat failure emails include an incomplete link.
  • Enterprise customers using load balancing with RabbitMQ may want to delete queues after upgrading SS from versions earlier than 10.6. If customers using RabbitMQ do not delete their queues, they will not lose functionality, but old queues that were renamed in a 10.6 architectural update will continue to fill up with messages. See http://www.ibm.com/support/pages/node/1105395.

New features

AWS Discovery

Added discovery for AWS accounts. See "Password Management in AWS" in the Secret Server Admin Guide.

SSH Terminal

Added an SSH terminal to Secret Server that lets you connect to Secret Server through SSH to search for secrets, access secret data, and initiate proxied SSH connections. For more information, see the Secret Server SSH Terminal Admin Guide.

Integrations

Updated ConnectWise API calls to pass in the ClientID object, because version updates released by ConnectWise in August 2019 require a ClientID for all API calls.

Architecture improvements

Note: No configuration changes are needed for these changes to take effect. See the Secret Server: Server Clustering Admin Guide for details.
  • Removed the need to designate a primary node within a Secret Server cluster.
    Note: Due to this change, the app setting ‘ValidPrimaryNode’ is now ignored. If you already use that setting, you do not need to change anything. The node that was primary before the upgrade will have the BackgroundWorker role enabled after the upgrade. All other role configurations stay the same.
  • Migrated Secret Server’s background processes to Quartz.

    This enhancement is an improvement over manual thread management and eliminates the primary node concept. Quartz internally ensures that a particular scheduled job is run in only one location. Quartz is database-driven. As such, the previous and next run times are visible by querying the database.

Database deadlock

Improved the on-premises background locks for the database code to avoid deadlocks.

Server Roles

Note: No configuration changes are needed for these changes to take effect.

Updated the following server role to be able to run in maintenance mode:

  • Background Worker role

The following server roles do not run in maintenance mode:

  • Engine Worker role
  • Session Recording Worker role

Fixes

Rest API

  • Fixed a bug in the REST API documentation for recorded session searching to properly detail URL array parameters and display the available values for searchTypes. Also updated the check for searchTypes to be case-insensitive.

    The check for searchTypes is now case-insensitive. Earlier work returned an error if no search types were provided. The REST documentation was not properly detailing URL array parameters; they are now displayed correctly, and the available values for searchTypes are detailed in the documentation.

  • Fixed an issue where creating a folder through the REST API always set the permission inheritance to false on the folder, even when the parent folder was set for inheriting permissions. This meant that upon create, the folder itself inherited permissions from its parent folder but future objects created in the folder did not inherit permissions.

    The create-folder REST endpoint no longer always copies permissions from the parent folder down on to the sub-folder. Instead, if you set the inherit permissions property in the request to true, permissions will copy down from the parent on to the newly created folder. Should the user omit the inherit permissions property from the request body, the default value is also true. In order to not inherit permissions from the parent folder for a newly created folder through the REST API, a user must set the inherit permissions property to false in the request body.

  • Fixed a REST API issue where the “View Secret Audit” permission was incorrectly required to access a secret summary through the API.

    During the permissions check for the REST API, a default route was being taken which included checking for View Secret Audit permissions. A more specific series of permissions checks are now being used which allows the View Secret Audit permission to be ignored.

  • Fixed an issue where the search results returned for InheritSecretPermissions in the REST API were not accurate.
  • Fixed a bug where REST API calls on systems using Windows Auth would fail after the first call due to logic that incorrectly flagged for cookie expiration.
  • Fixed a re-introduced issue where the “Webservice Password Displayed” audit was logged incorrectly when API calls to Get secret fields that were not password-related occurred. This issue was originally fixed in version 10.6.26 but reintroduced in version 10.6.27.

    The SecretGetQuery.SecretItemsViewed value was not being forwarded to the GetSecret method that handles the auditing logic. Because it was omitted, GetSecret assumed all secret fields were being viewed by the user, so the password-viewed audit was recorded.

  • Fixed a bug where OAuth tokens were deleted for the current user when attempting to change the password of another user through the REST API.
  • Fixed a REST API bug where if enableInheritPermissions was set on FolderModel and UpdateFolder objects, updating secrets through the API in those folders did not respect the inherited permissions.
  • Fixed an issue where existing file attachments were removed when editing or saving secrets through the REST API.

Mac Launcher

Note: To update your Mac launcher and apply this fix, you must first fully uninstall the Mac protocol handler. See http://www.ibm.com/support/pages/node/1105383.
  • Fixed an issue where copy actions in a launched session would drop the last letter in the copied string.
  • Resolved an issue where a Mac RDP session could crash if left open for a long, inactive period.
  • Fixed an issue where right-clicking within a PowerShell window terminated the Mac RDP session with the server.
  • Fixed an issue where turning off custom resolution in “Launcher Settings” caused a crash on next launch.
  • Added a check to ensure a non-zero height and width are used. If the width is set to 0, then a width of 1024 is used. If the height is set to 0, then a height of 768 is used. These were the previous default settings.
  • Enhanced messaging when sessions are disconnected due to server-side tasks. The user now receives a dialog notification letting them know that the session was closed from the server.
  • Fixed an issue where pressing the Option key during a Mac RDP Launcher session malfunctioned as if the user was indefinitely holding down the key.
  • Added scrollbars to the FreeRDP window to improve mouse scrolling. The mouse wheel now scrolls windows inside the connected server but does not scroll the FreeRDP window. Users must drag the FreeRDP scrollbars to move the content.
  • Made window resizable down to 100×100 pixels and up to the specified dimensions.
  • Fixed a memory leak where leaving Mac launcher sessions open for an extended period consumed ever-increasing memory on the machine hosting the session.
  • Fixed a session recording issue in the Mac Launcher when multiple recorded sessions occurred at the same time. If a recorded session began while another session was already recording, the original recording would not be saved.
  • Fixed a Mac launcher issue where a launched session would hang if user attempted to scroll by using a mouse wheel or a track pad. This issue occurred because the 9-bit signed value for handling mouse wheel events was not properly parsed for “coarse-grained” mouse movements within FreeRDP.
  • Fixed an issue in the Mac Launcher Protocol Handler where FreeRDP was calling to re-sync specific modifiers (Caps Lock, Num Lock) and not the current pressed state of the other modifiers on every key-down event during Mac launcher sessions. This caused the other modifiers (such as Shift and Ctrl) to reset back to their base state even when the keys were being pressed.

General

  • Fixed an issue where automatic password changes (including scheduled password rotations) did not run on environments with distributed engines.
    Note: Using Run Now (Admin > Remote Password Changing) to manually start the process is not affected.
  • Fixed an intermittent PuTTY crash with the RDP Launcher caused by PuTTY version updates in Secret Server not properly disposing named-pipe-related entities after the 10.7 release.
  • Fixed an issue where writing to the local CEF log file threw exception errors, causing deadlocks, due to a missing whitelist for local CEF logging.
  • Fixed an issue where the “Generate New SSH Key” button did not generate a public key when creating a new SSH key secret.
  • Fixed an issue where disabling two-factor authentication using the “Lost Phone” option did not trigger a “Two-Factor Changed” event, resulting in the event logs not recording the reset of the user’s two-factor authentication mechanism. Added two new events, one for a successful and one for an unsuccessful TOTP reset.
  • Fixed an issue where Secret Server could not correctly identify the state of a ServiceNow ticket. Ticket status in ServiceNow is indicated by both a state label (such as New, Open, WorkInProgress, ClosedComplete, ClosedIncomplete, ClosedSkipped, Assess, Authorize, Scheduled, Implement, and Review) and a state value. An update from ServiceNow changed both the labels and the values corresponding to each state, resulting in the issue.
  • Fixed an issue where heartbeat failed as a bulk operation on ESXi Servers. When a bulk operation ran, multiple threads would try to access the same file on the machine at the same time. A check whether the file was in use was added to resolve this issue.
  • Resolved an intermittent RADIUS socket error that occurred during user logins:
    • Zero can now be used as a valid on-premise port. This will not use the port range and allows Windows to select a valid port to use.
    • The Port Bag (collection of ports) no longer accepts duplicates.
    • When you uncache a challenge request, the cached request will now get a new client port to use when you bind to the UDP client.
  • Fixed an issue where secret templates that contain custom fields caused an error when key management was enabled.
  • Fixed an issue on environments with multiple domains where the choices for users on the Active Directory synchronization page only displayed members from one domain instead of displaying all the users across all domains.
  • Resolved an issue with persistent TCP/STCP connections that close too quickly. Lost connections produce errors when sending syslog messages.

    To resolve this issue, caching for connection traffic over TCP/STCP was introduced and can be configured in the web-appsettings.config file by adding:

    <add key="DisableSyslogConnectionCaching" value="true" />

  • Fixed a bug where two-factor PIN emails were not sent on initial login if the user’s login, the local admin account, and another user were all configured to use the same email address.

    The SMTP client and application name are now resolved on the initial login page. That way the PIN Code page can read those values and send the e-mail even if the lifetime scope is lost before the PIN Code page is loaded.

  • Updated some instances where a browser’s built-in auto-complete feature would incorrectly enter data into fields when a Secret Server page was loaded.

    The root of this issue was that the mechanism for disabling a browser’s auto-population for username and password fields on page load changed across all browsers. The old mechanism added the attribute autocomplete="off" to the target input or form field if you did not want the browser to auto-populate on page load with user credentials. The new way changed the value of the added attribute to autocomplete="new-password" for populated fields.

    Note: Clear browser history cache after upgrading to apply these fixes.
  • Fixed a bug where changes were saved even after canceling on the Admin > Configuration > Login tab.

  • Fixed an issue where checkout and check-in hooks caused an exception error for a user if they only had list permissions on a privileged account when attempting checkout.

    This issue occurred when attempting to load the privileged secret with the user’s permissions, which would fail unless the user had view or greater permissions on the privileged secret. A change was made to load the privileged secret using the system identity to prevent access issues.

  • Updated extensible discovery for the PowerShell scanner to automatically fill in an AdGuid and DistinguishedName when those values are not present on the scan item for OU/Host Ranges and Machines.

    If scanning Active Directory, adding DistinguishedName to the scan item is recommended. In this instance, you must remove the domain portion of the DistinguishedName.

  • Fixed an issue where saving a secret policy on a new secret template did not allow the latest password changer templates to be selected for password rotation. This prevented secrets of the latest template types from being assigned as the privileged account for password rotation.
  • Updated the group picker for editing users in groups so that users are now sorted consistently via alphabetical ordering. Before this update, usernames in the two sides of the group picker were sorted differently.

    The Group Create, Edit, and View pages were all updated to sort by the “Known As” field. If DomainId is null, the field returns DisplayName. Otherwise, it returns DomainName\DisplayName.

  • Fixed an issue where Thycotic One (T1) users were unable to log in to Secret Server through the mobile and desktop app when Thycotic One was enabled for Secret Server.

    There’s a new configuration option “Enable Thycotic One Integration” in Secret Server that controls whether API authentication is done against Thycotic One (the old way) or not (the new way). This is under Configuration > Login. When checked, the mobile app accepts Thycotic One credentials. When unchecked, the mobile app accepts local account credentials. If T1 is turned off, or if the user doesn’t have a T1 mapping, local account credentials are always accepted.

  • Fixed a bug that blocked workflows from being enabled on a secret in the new UI for Cloud Professional users if no approvers were defined on the workflow.

    When no approvers were defined for a workflow step, an error was thrown while trying to retrieve the maximum number of required approvers that could be set for that step.

  • Fixed an issue where custom reports that contain “Permissions” as a field name were not successfully created.
  • Fixed a bug where the “Last Scanned Date” for AWS and domain accounts were not properly updated on the Discovery Network View.

    Updated the Last Polled Date for the Domain Accounts to use the LastDiscoveryCompletedDate from the tbDiscoveryConfiguration table.

  • Updated error messaging when Secret Server is unable to connect for heartbeat status. Added exception handling for Socket timeouts and errors to be treated as unable to connect instead of as an Unknown error.
  • Fixed an issue where users synchronized from Active Directory through Distributed Engine did not have their UserPrincipalName populated.
  • Fixed a bug where disabling users for an event subscription blocked the event subscription from being saved.

    This issue was related to a LINQ expression that used Single instead of SingleOrDefault, which threw an exception when no elements were returned from the collection.

  • Fixed an issue where rotating secret keys broke in a clustered environment.
  • Fixed an issue where creating sub-folders from the folder menu did not use “No Policy” default settings when set to not inherit a policy.
  • Resolved an application error that occurred when the expiration interval was set too high on a Secret Template.

    When the expiration was set to a large number, the date calculation would overflow, causing both secret search and secret view to break, since both tried to calculate it. Now both cap the expiration days at 9999, as the UI currently limits expiration to that maximum.
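
    The overflow and the cap described above, as an added example (not Secret Server code): Python’s datetime raises OverflowError past year 9999, which stands in for the .NET date overflow, and 9999 days is the cap the note gives. Function and field names are assumptions for the demo.

```python
"""Capping a template's expiration interval before doing date arithmetic.

Added example, not Secret Server code. It reproduces the overflow described in
the fix note with Python's datetime (OverflowError past year 9999) and applies
the 9999-day cap from the note. Names here are assumptions for the demo.
"""
from datetime import datetime, timedelta

MAX_EXPIRATION_DAYS = 9999  # the maximum the UI already enforces

# Constructed sample value: when the secret's password was last changed.
SAMPLE_LAST_CHANGED = datetime(2020, 1, 7)


def expiration_date_unchecked(last_changed: datetime, expiration_days: int) -> datetime:
    """Old behaviour: the interval is added as-is, so an oversized value overflows."""
    return last_changed + timedelta(days=expiration_days)


def expiration_date(last_changed: datetime, expiration_days: int) -> datetime:
    """Fixed behaviour: clamp the interval so the addition can never overflow."""
    if expiration_days < 0:
        raise ValueError("expiration_days must be non-negative")
    return last_changed + timedelta(days=min(expiration_days, MAX_EXPIRATION_DAYS))


def days_until_expiration(last_changed: datetime, expiration_days: int, now: datetime) -> int:
    """Shared helper for the secret search and secret view paths, which both need it."""
    return (expiration_date(last_changed, expiration_days) - now).days


def overflows(last_changed: datetime, expiration_days: int) -> bool:
    """True if the unchecked calculation raises, i.e. the pre-fix code path would break."""
    try:
        expiration_date_unchecked(last_changed, expiration_days)
    except OverflowError:
        return True
    return False


if __name__ == "__main__":
    print(overflows(SAMPLE_LAST_CHANGED, 100_000_000))      # True
    print(overflows(SAMPLE_LAST_CHANGED, MAX_EXPIRATION_DAYS))  # False
    print(expiration_date(SAMPLE_LAST_CHANGED, 100_000_000))
```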

  • Fixed an issue in the new UI where deleted secrets remained on display on the Favorites page after a page refresh.
  • Fixed an issue in the new UI that occurred when fields in a column in a secret grid view could appear blank if a secret template had multiple fields with the same name.
  • Fixed an issue in the new UI where folder breadcrumbs were incorrectly sorted by Folder ID instead of by the location in the folder tree.

    Folder breadcrumbs were being incorrectly sorted by ID on the server before the API response was generated, which only works if no folders have ever been moved. That ordering was removed and now the folder order is returned properly from the API.

  • Updated tooltip messaging for the user interface configuration options.
  • Fixed an issue in the new UI where users were not always directed to the All Secrets page upon login.

    When a user was logged out in Angular, the ReturnUrl was not always set. The ReturnUrl query string is used after logging in to determine where to redirect the user.

  • Updated the new UI to hide reports under admin options when a basic user does not have the “View User Audit Report” permission.
  • Fixed a Firefox browser issue for versions 60.0 and greater where search prompted errors in the new UI.

    A nonstandard JavaScript property was being used that isn’t supported in all browsers. The property was replaced with its standard equivalent to ensure support in all browsers.

  • Fixed an issue where the password field did not re-appear after removing the “hide launcher password” policy on a secret.
  • Fixed an issue in the new UI where Danish Characters did not display correctly in the Folder list.
  • Fixed an issue where the Heartbeat Status column did not always display on page load in the new UI.
  • Fixed a bug where whitelisted launcher options did not properly populate in the new UI.
  • Fixed a bug where the password history for a secret did not display the correct password if the password included a less than symbol (<).
  • Fixed an issue in the new UI where Approval, Access Request, and Checkout secrets incorrectly blocked access from administrators when Unlimited Admin Mode was enabled.

    The state service was returning state values without considering Unlimited Admin Mode.

  • Fixed an issue where read-only mode was set as default in the new UI until the interface fully loaded, resulting in brief displays of the Read-Only mode notification if a user’s browser experienced slow load times.
  • Fixed an issue where editing a secret policy would throw a null ref error in the new UI if the policy applied to a folder but was not enforced.
  • Fixed an issue where discovery was unable to recognize special characters (such as Ã, ‡, ƒ, and ±) in organizational unit (OU) objects when scanning an entire domain.
  • Fixed an issue with Active Directory synchronization where using the SynchronizeNow group flag could cause users not in that group to be disabled when AD sync was set to “Mirror AD.”
  • Fixed an issue where the Active Directory credential cache was not checked when using a distributed engine due to LDAPProviders bypassing exception handling.
  • Optimized SQL query used to process large result sets in the tbSecretPasswordResetSecrets table. This addresses an issue where expired secrets failed to process due to large volumes of secrets.
  • Fixed a bug where domains listed with friendly names did not adequately check for uniqueness of Fully Qualified Domain Names (FQDNs) therefore allowing FQDN duplication. If FQDN duplication occurred, AD Synchronization domain mismatch failures resulted when running AD Sync.
  • Fixed a bug in environments with Integrated Windows Authentication (IWA) enabled where Google two-factor authentication users who clicked the “Lost my Phone” link received an error.
  • Enhanced performance for discovery when one endpoint returns large numbers of accounts (20k+).
  • Fixed an issue with search in the new UI where searches were locally cached instead of cleared on route navigation within the app.
  • Updated the new UI to accept non-ASCII usernames.
  • Fixed an issue where the Reports page in the new UI did not process HTML-encoded data, leading to special characters like “é” not displaying correctly on the page.
  • Fixed an issue in the new UI where the “Save to File” option on tables was not created in a download method that Internet Explorer 11 supported.
  • Fixed an issue where copy and convert actions on a secret template could apply parent folder policies to the new secret rather than applying the original secret’s policy. This occurred due to using a cached version of the secret template instead of the updated version.
  • Fixed an issue where non-standard UTF8 characters were not saving properly when saving reports to file in the new UI.
  • Fixed an ordering issue when querying reports where the user-identification audit (recording who ran the query) ran after the report query instead of before.
  • Fixed an issue where live view-session videos did not work in Internet Explorer 11.
  • Fixed an issue where outbound queue messages overloaded in some environments. Added expiration time to outbound discovery and Active Directory sync messages. AD sync and discovery scan messages now expire based on their configured interval.
  • Fixed an issue where the bulk conversions for secret templates did not populate the target template list.
  • Fixed an issue where naming patterns were not properly enforced in the new UI when creating secrets.
  • Fixed an issue where the approval-request expiration time did not properly handle time zone differences. We changed validation to compare minutes instead of days.
  • Fixed a bug where the “confirm action” button did not activate on bulk actions when assigning the “inheriting permissions” action.
  • Fixed an issue where changed fields on the edit page for assigning secret auto-schedules could block a schedule from saving.
  • Resolved an issue with SSH key password rotation for some versions of Unix and specific templates.
  • Fixed an issue with IAM Token rotation over distributed engines.
  • Fixed a bug where custom launchers that passed the port field from a secret as a launcher argument would fail because the launcher was using the port value from the secret template launcher configuration instead of the port value from the secret. For non-proxied custom launchers, this caused the port argument to always be zero.

Enhancements

Security

  • IBM Security Secret Server 10.7 uses jQuery 3.2.1, which is listed as vulnerable to the jQuery CVE-2019-11358. Updated IBM Security Secret Server to resolve this jQuery vulnerability. See Secret Server: jQuery CVE-2019-11358.
  • Updated PuTTY to version 0.71 in the IBM Security Secret Server protocol handler to support the elliptic curve cipher for handling keys during the SSH connection process.
  • Addressed a security issue where reusing Active Directory usernames could expose secret data.
  • Resolved an issue affecting FIDO2 authentication. Security issue discovered by Vladimir Skuratovich.
  • Two cross-site scripting vulnerabilities were fixed in Secret Server. One of these security issues was discovered by Adriaan Schuitmaker.
  • Removed a server-side request forgery issue in the legacy Web launcher. Issue was discovered by Adriaan Schuitmaker.
  • Addressed a security issue that could result in folder name disclosure.
  • Addressed a security issue with dual control where an approver could approve their own access.
  • Resolved a URL Redirection issue.

New user interface

Drag and Drop Folders

You can now drag and drop folders in the left navigation pane into other folders. You must have “Owner” permissions on both folders.

Note: You cannot drag and drop folders to the root folder. To move folders back to the root folder level, right-click a child folder, select “Move Folder” and select Root from the option list.

Updated search

Special characters (percent signs, brackets, and underscores) are no longer treated as wildcards.
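
The percent sign, underscore, and bracket are the wildcard characters of a SQL Server LIKE predicate, so an unescaped search term can match far more rows than the user typed (a lone “%” matches everything). The following is an added example, not Secret Server code: it assumes the search is backed by a LIKE predicate, uses constructed secret names, and runs on SQLite only so it works offline.

```python
"""Escaping user search terms so SQL LIKE wildcards are matched literally.

Added example, not Secret Server code. It assumes the search is backed by a
SQL LIKE predicate and uses the SQL Server wildcard set from the release note
('%', '_', and '[' for character classes). The table contents are constructed.
SQLite does not treat '[' as a wildcard, but SQL Server does, so it is escaped
here too; the ESCAPE clause itself works the same way on both.
"""
import sqlite3

LIKE_ESCAPE = "\\"                                # ESCAPE character used in the query
LIKE_SPECIALS = frozenset("%_[" + LIKE_ESCAPE)    # characters that must be escaped


def escape_like(term: str) -> str:
    """Prefix every LIKE metacharacter (and the escape char itself) with the escape char."""
    return "".join(LIKE_ESCAPE + ch if ch in LIKE_SPECIALS else ch for ch in term)


def demo_db() -> sqlite3.Connection:
    """In-memory table of constructed secret names, some containing wildcard characters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO secrets (name) VALUES (?)",
        [("100% uptime key",), ("db_admin",), ("dbxadmin",), ("[prod] router",), ("plain",)],
    )
    return conn


def search_names(conn: sqlite3.Connection, term: str, escape: bool = True) -> list:
    """Substring search over secret names.

    escape=False is the old behaviour: the term goes straight into the pattern,
    so '%' or '_' in it widen the match. escape=True is the fixed behaviour: the
    term is escaped and an ESCAPE clause tells LIKE to honour the escapes.
    The pattern is always a bound parameter; escaping only fixes wildcard
    semantics and is not a substitute for parameterisation.
    """
    pattern = "%" + (escape_like(term) if escape else term) + "%"
    rows = conn.execute(
        "SELECT name FROM secrets WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = demo_db()
    print(search_names(db, "db_admin", escape=False))  # '_' acts as a wildcard: 2 rows
    print(search_names(db, "db_admin"))                # literal match: 1 row
    print(search_names(db, "%", escape=False))         # lone '%' returns every row
    print(search_names(db, "%"))                       # only names containing '%'
```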

Password Strength Indicator

Redesigned the password strength indicator.

Column Resizing

You can now resize columns on secret grids in the new UI. Column resizing is sticky per page across user sessions. Column resizing is not available in Internet Explorer.

Duo Push Notifications

Added an option to send secret access request notifications as Duo push notifications instead of emails. For more information, see “Duo Push Notifications” in the Secret Server Administration Guide.

Duo User Preferences

Duo login now remembers user preferences and auto-initiates them (after the initial login).

Secret Grid Top-Row Anchors

Added top-row anchors for secret grids.

Home Dashboard Redesign

Redesigned the Home Dashboard page.

Alert Improvements

Redesigned the Inbox and added more alert types (Approvals and Requests, System Alerts, Subscription Alerts).

Domain name searches

Added searching for users by domain name.

Secret Audit Access

Audit-only users can now view secret audits on secrets that require checkout or are set up for request access without needing to go through the checkout or access approval workflows.

WEBSERVICES Naming Prefix

Removed the redundant “WEBSERVICES” naming schema from secret audits where the service is also used by the new UI. “WEBSERVICES” still appears in audit reports where the service is not also used by the new UI.

Messaging for Permission Changes When Moving Folders

Updated messaging when moving folders so that users are aware of permission changes.

New and Classic UI Feature Sync
We are incrementally porting features from the classic to the new UI. In this upgrade the new UI added support for:
  • NATO Phonetics.
  • Deleting dependency groups.
  • Scrolling for the groups and users picker.
  • Secret checkout hooks and corresponding REST API endpoints.
  • Showing proxy SSH login credentials information on SSH secrets.
  • Setting custom password requirements per secret to override secret template requirements as needed.
  • Launcher preferences on the secret-level to override launcher template requirements as needed.
  • SSH command restrictions option.
  • Launcher settings for SSH launchers. Settings not yet implemented include mapped Web launchers, non-mapped Web launchers, and form filler.
  • A “Save to File” option for audit history and secret grids.

Webservices REST API

  • The webservices API is now enabled by default for all new Secret Server installs, regardless of licensing. Existing customer settings will not change on upgrade.
  • Added a safeguard to the API to prevent license activation attempts when licenses are already activated.
  • Added a new REST call to favorite a secret through the API.

    Favorite a secret by sending a POST request to <secret_server_url>/api/v1/secrets/<secretId>/favorite with a Boolean isFavorite value in the body. If isFavorite is omitted, the favorite status is toggled. If it is set to true or false, the favorite status is set to the value of isFavorite.

  • Added a new REST call to get current user’s favorite secrets through the API.

    Get the current user’s favorite secrets by running a GET request to <secret_server_url>/api/v1/secrets/favorite.

    An array of secret-related information is returned:
    {id=1; folderId=4; folderPath=\FavoriteTest; secretid=test1}
  • Added refresh tokens for the REST API. Refresh tokens allow users to continue using tools like the Web plugin beyond the normal timeout interval, as long as they remain active.

    Refresh token expiration is set to the “session timeout” value plus 15 minutes. By default, three refreshes are allowed before re-authentication is required. Enable refresh tokens for Web services under General Configuration. See Secret Server: How to Use Tokens.

  • Added new API calls:
    • Create Domain: POST /active-directory/domains
    • Create Script: POST /userscripts
    • Create Secret Dependency Group: POST /secret-dependencies/groups/<secretId>
    • Create Secret Hook: POST /secret-detail/<secretId>/hook
    • Delete Secret Hook: DELETE /secret-detail/<secretId>/hook/<secretHookId>
    • Export Report: POST /reports/export
    • Favorite a Secret: POST /secrets/<secretId>/favorite
    • Get Domain: GET /active-directory/domains/<id>
    • Get Domains: GET /domains
    • Get Script: GET /userscripts/<id>
    • Get Secret Hook Details: GET /secret-detail/<secretId>/hook/get/<secretHookId>
    • Get Secret Hooks: GET /secret-detail/<secretId>/hooks
    • Get Secret Launcher Details: GET /launchers/secret
    • Get SSH Proxy Information: POST /secrets/sshproxy
    • Launch a Secret: POST /launchers/secret
    • List a User’s Favorite Secrets: GET /secrets/favorite
    • Search Domains: GET /active-directory/domains
    • Search Scripts: GET /userscripts
    • Stub Hook: GET /secret-detail/<secretId>/hook/stub/<scriptId>
    • Update Secret Hook: PUT /secret-detail/<secretId>/hook/<secretHookId>
  • Updated API calls:
    • Update Secret Field: PUT /secrets/<id>/restricted/fields/<slug>
    • Update Secret: PUT /secrets/<id>

Verbose logging

Enhanced verbose logging for diagnostics to increase clarity and support troubleshooting. This ongoing project began in 10.6.26. Added additional logging for:

  • Protocol Handler: Thycotic.ProtocolHandler.
  • SAML Response Processor: SAML.SamlResponseProcessor.
  • SAML Legacy Configuration: SAML.LegacySamlConfiguration.
  • Secret Notification Emailer: SecretNotiificationEmailer.
  • Event Subscriptions: EventSubscriptions.

General

  • The setting “Enable Local User Password History” is now enabled by default for new Secret Server installs. This blocks a user from re-using an old password when setting a new password.
  • Added a configuration option to automatically disable inactive users if they have been inactive for a minimum of one month.

    Enable this setting if your environment is set up for AD Synchronization. Go to Admin > Active Directory, in the Active Directory User Synchronization section. Click Advanced (not required) > Set Automatic User Management and select Yes. See “Active Directory Synchronization” in the Secret Server Administration Guide.